Be Involved in the Security Audit Process – Answers Matter
Many of the companies that send out these information security assessments have thousands of third parties to which they send them. As a result, they generally employ a red-flag model so that assessments of interest bubble to the top of the pack. In reality, this model is not a valid measure of actual security risk, but it is still what most companies do.
Red Flags Are Associated With How You Respond to a Customer Security Audit
With that said, the majority of these red flags are associated with how you respond rather than with the substance of your answers.
- Responding non-applicable (N/A) for all or many of the answers in the assessment. Unless you support a non-applicable (N/A) response with a very clear description of why it does not apply, it is almost never a good idea to use it.
- Responding that you are compliant for all of the answers without completing the detail section of the assessment.
- Having the responses written by a person who does not have a security background. Further, if there is an on-site or phone interview portion of the assessment, not having someone present who has a strong security background and is an effective communicator to explain situations.
- Ensure that all of the required documentation you deliver is sharp and organized. This includes making sure it is on the right letterhead, has a current last-modified date that is no older than one year, and is customized to your organization.
- Do not provide more information than what is being asked for.