ABCDEFGHIJKLMNOPQRSTUVWXYZ
1
VSA Questionnaire 2019 Final
2
Why Audit Vendors?
3
When we do business with a vendor, it is not safe to assume we are doing business just with the party under contract. Vendors rely on other parties. If we are to rely on a chain, then all the links must be tested, not just the first link. We must also apply the same standard of testing to all the links, which is why we created this questionnaire.
4
5
Approaches Taken
6
1) Data-Risk Based: Not all vendors should be held to the same standard. The risk is proprtionate to the sensitivity of the data they are accessing (and the volume of data). The controls vendors should have in place must be proprtionate to their risk.
7
2) Integrated Security: Great security is not achieved by purchasing a product. It is achieved by thinking about security from the start; how a product is designed, how a product is tested, how it is patched and maintained, what steps have been taken to minimise a breach and what happens during a security incident. All of these and more are covered in this questionnaire.
8
3) Service oriented. Many companies have multiple offerings of services and products. Rather than audit the company, we focus on just the services that are being delivered. Only the security policies and controls in the scope of the service under review are relevant. Vendors should fill the questionnaire out for each specific product or package that is being evaluated.
9
10
How should a non-VSA member use this questionnaire?
11
a) Send this questionnaire to your vendors to assess their cybersecurity risk. They will return it directly to you, and you can assess their risk, and
12
b) Use this questionnaire to benchmark the cybersecurity risk of services you provide, and find areas to improve
13
14
How should a VSA member use this questionnaire?
15
(i) You have the same options as non-VSA members, or
16
(ii) You can leverage VSA to have independent third party auditors carry out your third party audits. This will greatly shorten the time and cost to vendor approval or rejection decisions.
17
18
How can I become a VSA member?
19
Email us at membership@vendorsecurityalliance.org
20
21
What is the VSA?
22
The VSA is a coalition of companies focused on measuring and reducing vendor risk, with the goal of making the internet safer for everyone. The VSA is a non-profit entity.
23
24
FAQs
25
Scope: If a question is ambiguous regarding scope, answer it within the scope of delivery of the service under audit.
26
What does 'O', 'C' and 'D' mean? 'O' is an open question. If creating a form this would be the equivalent of a free-form text box. 'C' is a closed question, with the answer generally being Yes, No, or Not Applicable. 'D' requires documentation to be uploaded/attached.
27
What is the definition of 'X': Please see the final tab in this document
28
29
Special thanks to the Working Group that created this document:
30
Ken Baylor https://www.linkedin.com/in/kenbaylor
31
Gary Miller https://www.linkedin.com/in/gary-miller-56a2111
32
Dane Stuckey https://www.linkedin.com/in/danestuckey/
33
Karim Adib https://www.linkedin.com/in/karim-adib-24120b8b/
34
Paresh Amin https://www.linkedin.com/in/pareshamin/
35
Nick Sorensen https://www.linkedin.com/in/nicksorensen/
36
Joe Camilleri https://www.linkedin.com/in/joe-camilleri-4392a24/
37
Nate Jones https://www.linkedin.com/in/nathanjones/
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100