Security questionnaires

If you speak to my wife, she'll tell you that responding to security questionnaires is pretty much all I do.  While it's not quite that bad, there is rarely a week that goes by that I don't have a new security questionnaire passed to me.  Once the questionnaire is answered that's sadly not the end - there are often follow-on questions, requests for clarification, or challenges by the client when they don't like your answers.

Let's look at what security questionnaires are, how they're used, and the impact they have.

What's a security questionnaire?

Best to start at the beginning, so let's investigate what a security questionnaire is.  At their most basic, these are a set of questions that ask how an organisation approaches Information Security.  Often there are sections relating to personnel, access control, system design, and vulnerability management but questionnaires can vary massively.

An organisation will use a questionnaire as part of their due diligence phase on a prospective supplier.  Organisations don't want to use suppliers that work in an insecure way, so the questionnaire allows the requester to make an informed assessment of risk.

Unfortunately, there's no standard for security questionnaires.  While there are common themes, there are rarely two identical questionnaires - even from the same requester.

Completion times & challenges

In my experience it's rare for a questionnaire of 25 - 75 questions to take less than four hours to complete.  You'd think that having done so many questionnaires since joining my employer that I'd have all the answers, but remember I said there was no standard!  Two customers might want the same detail for an answer, but because they've asked the question differently it takes time to come to that conclusion.  Longer questionnaires can take a day, and the longest that I worked on took over a working week (37.5 hours) [1].

Some of the time is spent identifying if I already have the answer, and if I don't I have to take time working out who to ask.  It's highly unusual for me to be able to complete a questionnaire in one sitting, simply because I have to ask others for information.  Quite correctly, I don't have access to all of our systems (and I have no access to any of our customers' systems), so if I need to know something about the environment I need to speak to someone.

Language is another challenge that can cause delays.  My native language is English.  I know technical terms in English, and am used to English idioms and colloquialisms.  My employer has customers all over the world, and often I'll be dealing with a questionnaire in English that's clearly a translation from another language.  The quality of the translation varies, but what I cannot do is make an assumption - these answers could cause my employer problems if they turn out to be wrong and there's an incident.  I have to get clarifications on questions to find out what the customer really means.

File formats and portals

Generally I receive a questionnaire as a Microsoft Excel file.  There's some logic to this - different sections (personnel, architecture, policies, etc.) can be placed on different worksheets so it's clearer which teams need to answer them.  Validation rules can also be added to the cells to help restrict responses - if the answers are "yes" or "no", don't let me write something else.

There's a problem with this though - Excel sadly isn't designed for this work.  Rows have a maximum height, and if the requester has restricted the sheet to prevent resizing it's possible you can't see part of the question or answer.

To get around this problem some companies offer a web portal where questions are asked with a space for an answer and the ability to add an attachment.  This can be useful, but even where two companies use the same portal provider I've never been able to import my answers.  The platform keeps the answers completely separate.  I'd much rather the platform had a set of questions, I added my answers, and then when a requester submitted a question I could choose to submit my existing answer.

A problem of scale

Put bluntly - security questionnaires don't scale.  Given the challenges I've discussed it's clear that I cannot simply send my previous answers on to a second customer.  At the very least I need to copy and paste the answers under the correct question.

Add to this the fact that questionnaires can vary massively in length and the problem only gets worse.  If every one of our customers sent in a different 250 question set it'd be a full time job just responding to questionnaires.

A risk to the responder: leaking answers

Once the client / requester has your answers you're then entirely at their mercy.  As a rule, we'll only send completed questionnaires to companies that we have confidentiality clauses or non-disclosure agreements with.  That should give us some assurance that the information will be kept securely, but that's not always the case.

There have been two instances that I'm aware of where information has been mishandled - in both my company was sent someone else's answers or action plans.  This leads me to assume that likely my information has also been shared when it shouldn't have been.  Accidents happen, but given there can be a lot of sensitive information in the responses everyone needs to look after them properly.

I'm a big fan of only keeping other people's data as long as it's needed.  If you receive a security questionnaire from my company please handle it properly and securely delete it when you're done with it (ideally once the due diligence phase completes) [2].  After all, you've just asked me to confirm on a questionnaire that my company will treat your data with the same level of care...

Revalidating answers

Remember that a questionnaire gives point-in-time answers.  Things should improve on the answers you've received, or at the very least stay the same.  Some of our customers send us a questionnaire every year (often with slightly different questions), but others seem to ask once and then I don't hear from them again.  If the questionnaire is going to be a one-time exercise it does make you wonder what benefit the customer actually gets!

Tips

This post is already quite long, so I'm going to summarise some tips as bullet points:

  • Make sure you understand the question
    There's no point making an assumption, giving an answer, and then ending up spending longer in a back and forth discussion.
  • Ask for clarification / an explanation of why a question is being asked
    If a question doesn't seem relevant, it's possible you've misunderstood it or that the customer has a desired answer or outcome that doesn't match the question.  Finding out what they're really after can lead to providing the right answer (this ties in with the first point).
  • Provide evidence
    It'll take longer, but I've provided text only (including yes / no) answers before only to be asked to prove it.  Providing the evidence up front can save time in the long run and the client will have a better feeling that you take security seriously.
  • Maintain a question & answer bank
    While the customer's questions will differ, there are often themes.  Making a question & answer bank that you can search by theme, with a rough question, can save time and allow you to copy and paste the answer.  As a bonus, you won't annoy your colleagues by having to ask them each time.  Just make sure you update the answers periodically as things change.

What's the solution?

Personally I'm of the opinion that we need a single standard where a large batch of questions is produced, translated correctly into numerous languages, and then shared openly.  This would then mean that if all our customers used "version 1" of the standard I could send back the answers I've already completed, obviously making sure I have a process to keep those up to date.  Requesters can then select a subset of the questions that matter to them, and submit for responses.

There's potential for vendors to write a platform around the question set, and what we don't then want are multiple platforms that each handle the data differently.  The standard should define an export format, so I can take my answers, export them, and these can be imported to the customer's platform of choice.  Obviously, any platform would need to store the answers securely!!

Any time there's a question set version update it'd be necessary to make that clear, with guidance on how to migrate.  That shouldn't be difficult to achieve though.

I can dream...[3]


Banner image: Remix of Survey by Khanke, and Cyber Security Lock Gold by GDJ, both from OpenClipart.org

[1] That particular customer had numerous follow up questions after every submission, including questions that didn't seem relevant (e.g. "how many S3 buckets do you have?")

[2] I suspect some companies like to hold on to the answers, so in the event of a problem they can say "but wait - you told us this...".  There's no easy solution.

[3] Although I really hope I don't actually start dreaming about security questionnaires!