Be Involved with Customer Security Audits — Answers Matter
Many companies that send out information security assessments have thousands of third parties to send them to.
Because of that volume, they generally apply a red-flag model: any assessment that is missing or inconsistent is flagged for follow-up. Whether this is a valid way to assess another company's security is debatable, but it is still the methodology many organizations use, so here are a few tips to help you answer these assessments more accurately.
Red Flags Are Associated With How You Respond To a Customer Security Audit
It's important to note that the majority of these red-flags are associated with how you respond, rather than the actual content of your responses.
Red flags include:
- Responding "not applicable" (N/A) to all or many of the questions in an assessment. Unless you support an N/A response with a clear explanation of why the control does not apply to your environment, it is never a good way to answer a question.
- Responding that you are compliant on every question without providing supporting details in the appropriate sections of the assessment. Complete compliance would require a lot of documentation and detail that your assessment would have to back up.
- Having the responses written by a person that doesn't have a security background. If there is an on-site or phone interview portion of the assessment, send someone with a strong background in security that can accurately communicate and explain the background of your existing program.
- Disorganized documentation. Make sure everything is sharp and presentable: it should be on the right letterhead, customized to your organization rather than left as a generic template, and reviewed so that "last modified" dates are no more than a year old.
- Providing more information than is asked for. Only answer the questions to the level of detail that the assessment asks for.