Be Involved with Customer Security Audits — Answers Matter
Many companies that send out information security assessments have thousands of third parties that they’re sending them to.
Because of this, they generally employ a red-flag model to have assessments of interest bubble to the top of the pack. This isn’t necessarily a valid model to assess the security of another company, but it’s still the methodology that many organizations employ.
Red Flags Are Associated With How You Respond To Customer Security Audits
With that in mind, the majority of these red flags are associated with how you respond, not with what you are responding with.
Red flags include:
– Responding non-applicable (N/A) for all or many of the answers in an assessment that is provided. Unless you support a non-applicable (N/A) response with a very clear description, it’s almost never a good idea to answer this way.
– Responding that you are compliant for all of the answers without completing the detailed sections of the assessment.
– Having the responses written by a person who does not have a security background. If there is an on-site or phone interview portion of the assessment, you should send someone with a strong background in security who can communicate and explain the situation.
– Disorganized documentation. You need to make sure everything is sharp and presentable, which includes making sure it’s on the right letterhead, has a current last-modified date that is no older than one year, and is customized to your organization.
– Providing more information than is asked for.