Do you have a security questionnaire for all third parties you partner with? How long is it?
Director in Manufacturing 2 years ago
Our CISO has about a two page security document that our vendors need to complete as part of our RFP process. Procurement actually delivers it as part of the requirements to bid.
CISO in Government a year ago
We do have a set of questions we call the External Dependency Matrix, derived from CIS Critical Security Controls. I recommend starting with that. Depending on the solution, sensitivity of data, and what level of compliance you are required to follow, you can demand different levels of control (1, 2, or 3).
Executive Director of Technology in Healthcare and Biotech a year ago
Yes, we have a pretty comprehensive security questionnaire that covers just about every topic that vendors must fill out before purchasing can be considered. It basically covers everything and is pretty time intensive. We do not have levels of control built into the document, but I think that is a great idea for the future.
Information Security Director in Media a year ago
We have a security questionnaire for 3rd party vendors, but depending on how they interact with our infrastructure, access to certain types of data (PII, Confidential etc.) or if their processes/systems have been audited from an ISO or SOC2 perspective, the quantity of questions differs, as questions would be added/excluded accordingly.