Every organization—and every vendor—is unique. From your data center provider to your company’s wireless network, customized security questionnaires may be needed to assess specific IT security vulnerabilities. However, we suggest relying on the expertise of industry-accepted institutes as a starting point for your assessment.
There are two industry-standard IT security assessment methodologies you can start with:
- The SANS Institute (SysAdmin, Audit, Network and Security) – Top 20 Critical Security Controls – a prioritized set of controls developed by security practitioners from the attacks actually observed in the field; the list is now maintained by the Center for Internet Security as the CIS Critical Security Controls.
- The National Institute of Standards and Technology (NIST) – Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework) – organizes existing cybersecurity standards and best practices around core functions such as Identify, Protect, Detect, Respond and Recover in a comprehensive, straightforward format.
The checklist below is intended to give you an idea of the high-level questions you should consider asking your vendors to ensure your data is secure – an important step in reducing your overall vulnerability to IT security threats.
Have you participated in a cybersecurity exercise (for example a tabletop exercise) with your senior staff? Running drills shortens response times and exposes gaps in the plan before a real incident does.
How do you protect customer information? Ask specifically how your data is protected, e.g. encryption at rest and in transit, access control, key management, and who is able to decrypt it.
When was the last time you had an independent assessment performed by a third-party auditor? What were the results of the report, and which findings are still open?
What types of IT security policies do you have in place in your organization today? It’s important to have acceptable use, remote access as well as privacy and security policies in place to define the organization’s expectations.
How frequently are your employees trained on your IT security policies? Properly trained employees are far less likely to fall for phishing or download malware that could affect your data.
How do you train for a security incident? What processes do you have in place to respond to an incident? Do you regularly practice? This should provide you with insight into what may happen in your vendor’s organization should there be any security issues.
How do you manage remote access to your network? Remote access (VPNs, remote desktop, vendor portals) is one of the most commonly abused entry points, so you will want to evaluate how your vendor controls, authenticates (ideally with multi-factor authentication) and logs that access.
Describe the tools and processes you use to reduce and control administrative privileges. Limiting privileges to what each role actually needs is key to creating a secure infrastructure.
How do you monitor privileged accounts? Privilege escalation is a standard step for external attackers, and insiders can misuse privileges they already hold, so make sure someone is actively reviewing the activity of the most sensitive accounts.
What processes do you have to prevent the exfiltration of sensitive data? If the vendor relies on a data loss prevention (DLP) tool, confirm it is configured to recognize your sensitive data and block it from leaving the environment, not merely to log the attempt.
Do you have a removable media policy, and technical controls to enforce it? It is easy to walk out of most organizations with a USB drive full of data; does your vendor allow its employees to do this?
Have you ever experienced a significant IT security incident? Please describe it. Pay close attention to how, and how quickly, the matter was resolved.
How are IT security incidents reported? Ask to see the incident escalation document showing how incidents are classified and prioritized and how staff become involved as an incident escalates.
Do you have automated tools that continuously monitor systems to ensure malicious software is not deployed, for example endpoint detection and response or application allow-listing?
From whom do you receive cyber threat and vulnerability information? Threat intelligence is an important defensive tool, but only if the organization has a process for acting on it.
Describe the process to communicate IT security incidents affecting our data. You want to clearly understand when and how your vendor will communicate to you a security incident affecting their network and your data.
IT Security: Infrastructure Controls
Do you outsource any IT security functions to third-party service providers? You’ll want to know this information so you can do your due diligence on any sources that may be able to gain access to your sensitive information.
How do you inventory authorized and unauthorized devices and software? Organizations that know what is running on their systems have far greater visibility into security incidents; asset inventory is the first control in the SANS/CIS list for that reason.
Have you developed secure configurations for hardware and software? Make sure your IT department is involved in checking these configurations.
Do you have a data recovery capability, and how often are restores tested? This may be the difference between your data being recovered or not.
Do you have a disaster recovery plan? You’ll want to know whether your vendor has the proper protocols in place to protect your data or assets in case of an emergency.
How do you securely configure your network infrastructure? Involve your IT team to ensure that it meets their recommendations and requirements.
Do you filter network communications with a blacklist (block known-bad destinations) or a whitelist (allow only approved destinations)? Either shows the vendor is categorizing its internet communications deliberately; a whitelist (default deny) is the stronger posture.
What types of physical protection do you have in place to prevent unauthorized access to data? With so much emphasis on cyber threats, always remember – physical access can be an entry point for threats.
How do you employ network segregation? Is the network holding sensitive data segmented from the rest of the environment, and how is traffic between segments restricted?
If you work with, or are on, an IT security team, you know how difficult it is to build an IT security program that will protect your organization. Most companies spend years training staff, purchasing security technologies and finding new ways to keep the company's data assets away from those who should not have access to them.