Common Customer Audit Mistakes to Avoid

Written by CISOSHARE

January 18, 2017


Companies can send out hundreds or even thousands of third-party risk assessments at any given time.

To keep up with all the responses they receive, organizations often use a red flag model: rather than reading every answer in depth, they scan for a handful of warning signs and flag those assessments for closer review. This may not be the best way to assess a third party's environment, but it is still a common methodology, so it is worth knowing what those warning signs are.

Here are a few of our tips to help you answer these assessments accurately and avoid being flagged.

Red Flags Are Associated with How You Respond to a Customer Security Audit

It's important to note that the majority of these red flags are associated with how you respond, rather than with the actual content of your responses.

Red flags include:

  • Responding non-applicable (N/A) for all or many of the answers in an assessment. An N/A answer is acceptable only when you support it with a clear explanation of why the control does not apply to your environment (for example, a question about cardholder data when you do not store, process, or transmit card payments). An unexplained N/A is never a good way to answer a question.
  • Responding that you are compliant for every answer without providing supporting detail in the appropriate sections of the assessment. Full compliance with every control would require extensive documentation and evidence, and you must be able to produce that evidence if the assessor asks for it during the assessment.
  • Having the responses written by a person who doesn't have a security background. If there is an on-site or phone interview during the assessment, send someone with a strong background in security who can accurately communicate and explain the history and current state of your security program.
  • Disorganized documentation. Make sure everything is sharp and presentable: it should be on the right letterhead, customized to your organization (not an unedited template), and its "last modified" dates should show that it has been reviewed within the past year.
  • Providing more information than necessary. Answer each question only to the level of detail the assessment asks for; extra material invites follow-up questions and can expose inconsistencies you then have to explain.
