HELP: I have my first security questionnaire – now what?

Don’t panic. We’re here to help!

In this post you’ll get a quick rundown of the first steps to take when responding to a security questionnaire while bidding for IT work from a large company, along with insight into the process. While the security questionnaire may look intimidating, we’re here to break it down into easy-to-digest pieces.

But wait – why are these questionnaires even necessary and what is the company really hoping for? While best practices recommend that tech founders consider information security and compliance when writing their business plan, we know it’s not always possible. Large companies know that security is at the heart of trust and good business. Security matters to the customers, but also to the investors, employees, and partners.

What do security questionnaires ask?
The length of security questionnaires will differ – but some can be up to 300 pages long. They will ask for an in-depth description of your security controls, business continuity, change management and security policies.

Here are some sample questions:

  • Is there an enterprise level system in place to detect and remove malware, and what is the regular schedule of operating system and application patching on all equivalent systems?
  • There is a report structure in place that can be generated that can cross-reference authorized staff and physical access permissions so that Company can be assured that only properly authorized persons have direct contact with data, systems or other information.
  • Vendor provides a multi-level backup process that provides Company with redundant systems for business continuity and disaster recovery. These are included in the incident discovery and response plan that measures the mean time to recovery (MTTR).
  • Security awareness training is applied to all Vendor personnel working for, with, or on behalf of Vendor on a regular basis (at least yearly and upon hire).

To top it off, it’s not enough to just answer these questions – a lot of them will require you to take action and fix the gaps in your security protocols. Yet you’re working on getting your startup off the ground and starting to sell product.

At Practical Assurance we know that it’s not always possible to have a dedicated security person on staff who is knowledgeable and can navigate through the security process. It’s not enough to just identify and fix the security gaps – you need someone who can preempt future ones.