Be Involved in the Security Audit Process – Answers Matter
Many companies that send out these information security assessments have thousands of third parties to which they send them.
Because of this, they generally employ a red-flag model so that assessments of interest bubble to the top of the pack. In reality, this model is not a good measure of where the most security risk lies, but it is still what most companies do.
Red-Flags Are Associated With How You Respond To Customer Security Audit
With that said, the majority of these red-flags are associated with how you respond and not what you are responding with.
- Responding non-applicable (N/A) to all or many of the questions in an assessment. Unless you support an N/A response with a very clear explanation of why the item does not apply, it is almost never a good idea to use it.
- Responding that you are compliant to all of the questions without completing the detail section of the assessment.
- Having the responses written by a person who does not have a security background. Further, if there is an on-site or phone interview portion of the assessment, not having someone present who has a strong security background and is an effective communicator who can explain situations.
- Ensure that all of the required documentation you deliver is polished and organized. This includes making sure it is on the right letterhead, has a current last-modified date that is no older than one year, and is customized to your organization.
- Do not provide more information than what is being asked for.
CISOSHARE’s President and CEO
Mike Gentile has been helping organizations build Information Security Programs for more than 20 years. He has written multiple recognized books on the subject, provided hundreds of presentations, and built many Security Programs in both internal and external consulting roles.