Vendor data breaches can be costly, both in terms of money and your organization’s reputation. When you partner with a vendor, you want to ensure that their cybersecurity practices are effective at preventing, detecting, and responding to incidents. A good place to start is with a vendor cybersecurity questionnaire.
But what questions should you ask? And what should you do if you have concerns about the vendor’s answers? Let’s review the top 10 questions you should consider in a questionnaire and some tips on next steps if you have concerns.
The Top 10 Vendor Cybersecurity Questions
Here are the top 10 cybersecurity questions to consider in your vendor questionnaires and why you should ask them:
- Is there a formal information security program in place?
A formal program provides the framework for keeping the vendor at a desired security level. The program should outline specific details, such as how the vendor assesses risks, how they decide to mitigate those risks, and how they plan to keep security practices current. Ask for, and review, the vendor's formally documented information security policy.
- What type of security testing is performed and how often?
The vendor should have evidence of regularly scheduled vulnerability and penetration testing performed by a qualified third party. Also ask about social engineering testing, such as simulated phishing emails that measure employee awareness. Verify how often testing is performed and the date of the last test. These testing results reveal whether the vendor is prepared to identify weaknesses and secure them before they’re exploited by an attacker.
- Is there a formal process to review user access?
One of the most common reasons for exceptions in SOC reports is a failure in logical access review procedures. Ensure the vendor has a process in place to verify who should and shouldn’t have access to their systems, and that the review is performed on a defined schedule.
- Is the principle of least privilege and multi-factor authentication (MFA) implemented for remote access?
Ensure the vendor has implemented role-based access privileges, which limit each employee's access to the data needed to perform their specified duties. The vendor should also confirm that MFA is enforced for remote access, which helps protect against compromised credentials.
- How is data protected in transit and at rest between your vendor’s system, your organization’s system, and the end user?
Your vendor should always protect your organization’s data and your customers' data. Encrypting data both in transit and at rest helps keep it safe from unauthorized access.
- How is expired media disposed of?
Physical and electronic data can exist in multiple environments, such as hard drives, flash drives, CDs, paper documents, the cloud, and more. Data is especially vulnerable to theft and other compromises because of the widespread use of public cloud services, where it can live on shared resources and move across multiple systems. Wherever it’s stored, ensure the vendor has a process for secure disposal. This may include the completion of a data destruction certificate when the expired media is disposed of.
- Are employees and contractors required to attend security training?
Whoever uses the vendor’s systems should be properly educated on security awareness. This reduces the likelihood of human errors that harm the vendor’s IT infrastructure and ultimately put your data at risk.
- What due diligence is performed on third parties before and after the contract stage?
Understand how your vendor is performing due diligence on its subcontractors (your fourth parties), especially if they have access to your data. Although you don’t have a contractual relationship with these fourth parties, you should still confirm they’ll protect your data in a secure environment.
- Is there a formal incident management program in place?
Proper incident management and response procedures should include details on analyzing, prioritizing, and responding to cyber incidents and other security events. Breach notifications are an important part of incident management. Regulations and regulators, such as the Interagency Guidance on Third-Party Relationships: Risk Management and the SEC, emphasize this requirement in vendor reporting. Review the vendor's incident response plan to verify its effectiveness. Consider whether the vendor has cybersecurity insurance coverage.
- What types of technical prevention measures are in place?
Your vendor should actively use security tools such as firewalls, anti-virus products, and intrusion detection and prevention systems to secure their network. This confirms that technical measures are in place to protect your data, not just policies on paper.

4 Next Steps with Vendor Cybersecurity Concerns
Asking your vendor all these essential cybersecurity questions is a good first step and reveals the thoroughness of their practices. But what if the vendor cybersecurity questionnaire leaves you with concerns about your vendor’s program?
Here are next steps to consider:
- Request additional information. Some concerns might be resolved simply by asking the vendor for clarification. Maybe the issue is related to outdated employee training. Asking for additional information might reveal the vendor is currently in the process of scheduling another training session.
- Require further controls and testing. If your concern is about the vendor's weak or ineffective controls, consider obligating the vendor to strengthen those controls and provide evidence of further testing. This is especially important to do before you sign or renew the vendor contract.
- Increase the monitoring frequency. Perform ongoing monitoring regardless of the information you learn from a cybersecurity questionnaire. Some concerns require a more frequent monitoring schedule to ensure the controls are effective and that any new risks are promptly identified and addressed. Base this monitoring schedule on your organization’s risk appetite and the risk rating of the vendor.
- Reconsider the relationship. As you review the vendor's cybersecurity questionnaire and gather more information throughout due diligence, you might decide that the relationship isn’t worth the risk. Always make sure to document your concerns and report to senior management or the board so they can determine the next steps.
The next time you’re developing a vendor cybersecurity questionnaire, keep these questions in mind as a foundation for further review and discussion. Building or reviewing a questionnaire takes some time, but it’s well worth the effort to keep your organization safe from vendor risk.