If vendor governance at your organization works as it does at most businesses, the phrases "information security questionnaire" and "third-party review" are probably enough to make you cringe, or at least develop a nervous twitch.
That's probably true no matter what side of the vendor governance table you're on. If your business heavily leverages third parties (i.e. vendors and business partners), much of your staff's time is probably spent assessing security and compliance aspects of those parties through questionnaires or direct onsite assessments. If you're a service provider that stores, processes or transmits data on behalf of your clients, chances are the other end of that same process impacts you: responding to those questionnaires and vectoring audits and assessments.
Creating and responding to such queries are equally time-consuming tasks, but efforts to create cross-industry standards have been slow to gain traction. There are a few reasons for this, but the crux of it is that many organizations have been reluctant to trust reviews they don't perform themselves. Service providers, on the other hand, have been hesitant to give away too much inside information and eschew providing process data for which customers haven't explicitly asked.
This stilted type of vendor governance perpetuates an unfortunate cycle, one where each reviewing organization maintains a custom evaluation process and service providers deliver ad hoc responses. Fortunately, those barriers are starting to fall and standardization is becoming more viable – a trend your organization can leverage to help get off the vendor governance treadmill.
For example, there's no shortage of available independent accreditation options. There's the Statement on Standards for Attestation Engagements No. 16, Shared Assessments and ISO/IEC 27001:2005, along with more limited-scope reviews like the Payment Card Industry (PCI) Report on Compliance, just to name a few. When examining these possibilities, you'll encounter a diverse range of security audits from third-party vendors that purport to demonstrate controls and control implementation within that organization.
From an efficiency standpoint, staff time can be reclaimed if you leverage such third-party vendor reviews to support your vetting process. This requires, however, that you understand what each accreditation involves and how it should be applied. It's helpful to document this process and share it with potential review targets. By explicitly documenting it, you ensure consistency across all reviewing personnel. By sharing acceptable options with providers, you also give them the opportunity to streamline your workload (and theirs). Also, you may review this same entity again during periodic reevaluation, or if the business relationship changes; if providers take the hint, you might just receive an "acceptable" accreditation the next time you review them.
For service providers, the same principle holds. Independent attestations are expensive and time-consuming and can be detrimental to the business. Picking the most efficient, cost-effective approach is important. Organizations should canvass their customer base to determine what options are acceptable and select an evaluation based on these opinions. It seems simple enough, but it's surprising how many organizations don't make such upfront efforts and end up spending money on certifications their customers can't -- or don't want to -- use.
Questionnaires: Don't reinvent the wheel
There is no shortage of stock review questionnaires. The Shared Assessments SIG (standardized information gathering) questionnaire, as well as more specialized questionnaires like the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire, can be useful, depending on your context. For the reviewing organization, the use of a standard questionnaire is at least some work it doesn't have to do for itself.
The more acceptance these standardized review methodologies get, the more IT governance, risk and compliance (GRC) support tools adapt to them. For example, platforms like RSA Archer eGRC, Symantec Control Compliance Suite (CCS), Modulo Risk Manager and Rsam's GRC solutions directly incorporate the Shared Assessments SIG to drive third-party reviews.
There is also an emerging market of turnkey solutions built around the automation of questionnaire responses and evidence collection using standardized methodologies, such as CTG's Risk Profile Manager and Prevalent's Vendor Risk Manager. Automated methodologies for reviews give staff more time to invest in critical pursuits -- a business impact analysis, for example -- rather than spending that time filling out evaluation responses. Service providers that automate components can help keep track of what responses have been given to individual customers, enabling notification of partners when parameters change or when a particular process, service offering or control implementation is modified.
The review process is an important aspect of ensuring appropriate due diligence, and in many cases these reviews directly support regulatory compliance objectives. But just because the reviews are required doesn't mean they have to be painful. Leverage today's increased acceptance of standard review processes to make the most of your staff's time, and to make them more proactive.
Ed Moyle is a founding partner at New Hampshire-based information security and compliance consulting firm SecurityCurve. Moyle previously worked as a senior manager with Computer Task Group Inc.'s global security practice, and prior to that served as a vice president and information security officer at Merrill Lynch Investment Managers.