Do you have a security questionnaire for all third parties you partner with? How long is it?

PartnershipsThird Party Risk Management (TPRM)
1.8k views1 Upvote4 Comments
Sort By:
Oldest
Director in Manufacturing2 years ago
Our CISO has about a two page security document that our vendors need to complete as part of our RFP process. Procurement actually deliverers it as part of the requirements to bid.
1
CISO in Governmenta year ago
We do have a set of questions we call the External Dependency Matrix, derived from CIS Critical Security Controls. I recommend starting with that. Depending on the solution, sensitivity of data, and what level of compliances you are required to follow, you can demand different levels of control (1, 2, or 3). 
Executive Director of Technology in Healthcare and Biotecha year ago
Yes, we have a pretty comprehensive security questionnaire that covers just about every topic that vendors must fill out before purchasing can be considered. It basically covers everything and is pretty time intensive. We do not have levels of control built into the document, but I think that is a great idea for the future. 
lock icon

Please join or sign in to view more content.

By joining the Peer Community, you'll get:

  • Peer Discussions and Polls
  • One-Minute Insights
  • Connect with like-minded individuals
Information Security Director in Mediaa year ago
We have a security questionnaire for 3rd party vendors, but depending how they interact with our infrastructure, access to certain types of data (PII, Confidential etc.) or if their processes/systems have been audit from a ISO or SOC2 perspective the quantity of questions differ as questions would be added/excluded accordingly.

Content you might like

How do you ask your third parties to notify you if they have had a cyber incident? Does your process work efficiently?

IT Strategy & RoadmapSecurity Strategy & RoadmapThird Party Risk Management (TPRM)
Director of IT in Softwarea month ago
To ensure third parties notify you of cyber incidents, include specific notification requirements in your contracts, detailing the timeframe and method of communication. Define clear incident response procedures within the ...read more
1
Read More Comments
1.8k views3 Comments

Single sign-on (SSO) increases the chance of a major network security breach.

Single Sign-On (SSO/SAML)Identity & Access Management (IAM)Third Party Risk Management (TPRM)

Strongly agree4%

Agreee59%

Neutral23%

Disagree12%

Strongly disagree1%

View Results
3.8k views2 Upvotes3 Comments

Are organizations managing IT security internally, or are they outsourcing to specialized security companies? If they are outsourcing, how do they ensure the security vendor can handle all potential threats and vulnerabilities?

Applications & PlatformsSecurityData Protection & Encryption+8 more
Director of IT in Education2 months ago
We do a combination of both.
931 views1 Comment

What role do you play, or plan to play, in your organization's sustainability efforts?

IT Strategy & RoadmapPartnerships
CTO3 months ago
E-scraping and obtain green certificate
582 views1 Comment

When picking a digital agency, how important is it to you that their team and client projects include the notion of "innovation"?

PartnershipsConsulting & Professional ServicesOutsourcing & Managed Services

Very important. I want to work with an innovative partner.39%

Nice to have, but not a deal-breaker.57%

Innovation is not something I'm looking for in a partner.3%

View Results
2.7k views1 Upvote