Assessing Vendor Security Risks (with SimpleRisk)
by Josh Sokol (Creator & CEO of SimpleRisk)
As a CISO for a large enterprise, many times my first engagement with members of our internal teams was when they approached my team for assistance with evaluating the security of a vendor they were considering. They worried that if they didn't involve us early enough, they would reach a point where a tool had been selected but the security team wouldn't sign off on it, resulting in many wasted hours of effort. The challenge on my side was that the team often had multiple vendors under evaluation at that point, and performing these risk assessments was a fairly time-intensive process. I didn't want to spend that time if there was a high likelihood they wouldn't be moving forward with a given vendor regardless.
I spent a lot of time pondering what this process should look like. Eventually, I decided that when our internal team had narrowed the scope to the top 2 or 3 vendors, that was the right time to do the security assessment. Rather than creating my own set of questions, I decided to use a standard set of questions that would be re-usable for those vendors in the future. Eventually, I came across the Shared Assessments Standardized Information Gathering (SIG) questionnaire. The SIG was a standard created by the banking industry because they got sick of being sent a different risk assessment form by every company they interacted with. The idea was that they could come up with a standard list of questions and answers and provide that back to anyone who asked.
There were two versions of the SIG document: a Lite version, which was only 68 Yes/No questions and didn't cover any topic in much depth, and the regular SIG, which went into far more detail on the various risks. When I first came across it, the SIG was a free download from their website, but as of my writing this post, it looks like they are asking $7k to get a copy of it. They've gotten a lot of traction over the years and, while we don't pay for the SIG at SimpleRisk since we don't evaluate a lot of vendors, we are routinely asked to fill them out for other prospective customers.
The SIG is a great document and provided the information that I needed to help our teams make informed risk-based decisions. If you don't want to pay for it, the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) may be a viable alternative. The challenge, however, isn't the questions; it's capturing the answers and documenting the risks associated with them. This is where SimpleRisk can help with our Risk Assessment Extra.
The SimpleRisk Risk Assessment Extra originally came from a custom development effort funded by a large university customer on the East Coast and a large manufacturing customer on the West Coast. The manufacturing company wanted to do something similar to what we've talked about thus far, but on a scale that wasn't really reasonable using the spreadsheet format of the SIG. The university, however, had a bunch of internal teams who were doing custom development, and its Security Team was responsible for ensuring that data security and privacy standards were upheld. Both essentially wanted to be able to send a list of questions to a contact, receive a response back, use the response to document new risks, and compare results over time. SimpleRisk helped to create a specification that both organizations agreed to and integrated it alongside the existing SimpleRisk functionality that they were already using.
The SimpleRisk Risk Assessment Extra expands upon the "Assessments" functionality in SimpleRisk. With the SimpleRisk Core you have four available stock assessments (CIS Critical Security Controls, HIPAA, NIST 800-171, and PCI DSS 3.2). Users can take these assessments and answer the questions posed to them:
The resulting answers then become pending risks that the user can choose to add as a risk into SimpleRisk or delete:
But when the Risk Assessment Extra is enabled, administrative users in SimpleRisk will see new options available under their Assessments menu:
Under "Assessment Contacts", you can define who you would want to send your assessments to. These could be either internal users or external vendors. SimpleRisk primarily uses the e-mail field here, but you can use it as a bit of a Rolodex as well, to keep track of your contacts:
Once your contacts have been created, the next step is to create the questions that you would like to ask them. We provide you with a catalog of around 650 different questions based on the PCI, HIPAA, NIST, and Critical Security Controls assessments, but it is quite simple to add your own. SimpleRisk can even handle sub-questions based on logical answers to the original question. So, let's say you want to build out a questionnaire asking how someone handles credit card information. The first thing we want to know is whether the application stores or processes credit card information. If no, we don't have a risk. If yes, then we want to find out if the credit card information is encrypted and, if not, submit a risk. For simplicity, we'll start with the sub-question first:
For this question, we have two answers, Yes or No, but we can easily add additional options by clicking on the "+" button in the lower right corner. The "Submit Risk" box for the "Yes" answer is unchecked, meaning that we won't submit a risk for that answer, but it is checked for "No". If that option is selected, it will create a new pending risk with a subject of "Sensitive data exposure due to unencrypted card data", assign it to me as the owner, and set a custom risk score of 9.
Now, let's create the first question we want to ask before it to check if they even store or process card data in the first place:
Creating this question looks similar to the first. We still have a "Yes" or "No" answer, but with a Yes, instead of submitting a risk, we tag a sub-question:
Now that our question is created, the next step is to create a Questionnaire Template. Think of a template as a re-usable list of one or more questions grouped together. For example, you could create a "SaaS Questionnaire Template" for all of the questions you'd want to ask a SaaS provider. Or, you could create a "Data Privacy Questionnaire Template" to ask questions relevant to data privacy regulations such as GDPR. For our example, I created a questionnaire template with a single question:
Note that if you had more than one question, they'd be displayed in rows with one underneath another. The interface is drag-and-drop to make re-ordering questions as intuitive as possible.
Believe it or not, you're almost done. The last step is to turn your template into a questionnaire and send it out. Under "Questionnaires", I've added a new questionnaire that I named "Josh Sokol Credit Card Questionnaire". I provided some initial instructions for the user taking it. Then, I assigned my previously created "Credit Card Data" questionnaire template and assigned a contact who I want to send it to:
Now, I just go back to my list of questionnaires and click on "Send" on the questionnaire that I would like to send to the contact:
Almost immediately, as the questionnaire recipient, I've received an e-mail with a link to complete the questionnaire:
Meanwhile, SimpleRisk is tracking the status of all of the questionnaires that you have sent:
The contact can complete the questionnaire and submit it, or mark it as a draft and pass it along for review:
Once they mark it as "Complete", the contact's manager will receive an e-mail notification of the completion and the status will be updated to show it as completed:
Now, we can view the questionnaire answers and compare their results over time:
We can view any pending risks and add them into SimpleRisk:
And we can even add and review comments on the results:
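To make the branching logic of the walkthrough concrete, here is an added example (illustrative code written for this post, not SimpleRisk's own implementation) that models the credit card questionnaire above: a question whose "Yes" answer triggers a sub-question, an answer with "Submit Risk" checked that produces a pending risk with owner and custom score, and a comparison of two completed response sets over time. The class names, the `evaluate` and `changed_answers` functions, and the sample responses are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Answer:
    text: str
    submit_risk: bool = False          # the "Submit Risk" box is checked for this answer
    risk_subject: str = ""
    risk_owner: str = ""
    risk_score: float = 0.0            # custom risk score set on the pending risk
    sub_question: "Question | None" = None  # asked only when this answer is chosen

@dataclass
class Question:
    text: str
    answers: list

def evaluate(template, responses):
    """Walk a template (top-level questions), follow sub-questions on the chosen answers,
    and return (pending_risks, unanswered_questions). Sub-questions that were triggered
    but never answered are reported rather than silently skipped."""
    pending, unanswered = [], []
    stack = list(reversed(template))   # pop from the end to keep template order
    while stack:
        q = stack.pop()
        chosen = next((a for a in q.answers if a.text == responses.get(q.text)), None)
        if chosen is None:             # skipped, or an answer not in the defined list
            unanswered.append(q.text)
            continue
        if chosen.submit_risk:
            pending.append({"subject": chosen.risk_subject, "owner": chosen.risk_owner,
                            "score": chosen.risk_score, "question": q.text})
        if chosen.sub_question:        # only reached when the triggering answer was chosen
            stack.append(chosen.sub_question)
    return pending, unanswered

def changed_answers(previous, current):
    """Compare two completed response sets; returns {question: (old, new)} for changes."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k)) for k in keys
            if previous.get(k) != current.get(k)}

# Constructed sample data: the credit card questionnaire described in the post.
ENCRYPTED = Question("Is the credit card information encrypted?", [
    Answer("Yes"),
    Answer("No", submit_risk=True, risk_owner="Josh Sokol", risk_score=9,
           risk_subject="Sensitive data exposure due to unencrypted card data"),
])
STORES_CARDS = Question("Does the application store or process credit card information?", [
    Answer("Yes", sub_question=ENCRYPTED),
    Answer("No"),
])
CREDIT_CARD_TEMPLATE = [STORES_CARDS]
```

Calling `evaluate(CREDIT_CARD_TEMPLATE, {STORES_CARDS.text: "Yes", ENCRYPTED.text: "No"})` yields the single pending risk from the post, while answering "No" to the first question yields none and never asks about encryption.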
There you have it! With the SimpleRisk Risk Assessment Extra, assessing vendor security, tracking and reviewing the results, and turning them into risks is a breeze. Want to try it for yourself? Request a free 30-day trial of SimpleRisk today!