Over the past few years there have been several notable breaches with software vendors such as SolarWinds and Kaseya that have affected significant amounts of customers. As a result, many enterprises are now beginning to conduct deeper due diligence on third party vendors to reduce the risk of another breach impacting them in a serious way. In most cases they require vendors to fill out customized security questionnaires with hundreds, or sometimes thousands, of questions. This has quickly proven to be a pain point for security teams that are usually already understaffed.
In an effort to reduce the time spent on long, custom questionnaires, companies have adopted a few different strategies. Some undergo third party security audits such as a SOC 2 Type 2 or ISO 27001 that cover many common security controls. Others provide key prospects with previously completed standardized questionnaires that answer routine questions that security teams are typically interested in. Many of these standardized questionnaires have overlap with custom ones, so security teams are often able to reuse answers instead of writing them from scratch. In addition, some customers may occasionally accept these in lieu of custom ones. In addition to saving time, providing these questionnaires proactively can also help build trust with prospects by demonstrating transparency.
While these standardized questionnaires are certainly helpful, it is worth noting that they are not without their drawbacks. First of all, no standardized questionnaire can possibly account for all possible questions that a prospect might ask. Companies vary wildly in terms of risk appetite and data sensitivity, so there is always a chance that a prospect may ask follow up questions despite receiving a highly detailed set of answers. Second, some customers have very strict internal processes and still require vendors to fill out custom questionnaires as a part of their review process, no matter how much overlap there is. Finally, standardized questionnaires do not always get updated frequently, meaning new trends in security may mean certain important topics do not get accounted for until the organization overseeing the standard provides an update.
With that being said, standardized questionnaires are still quite popular. Let's take a look at some of the most popular questionnaire standards that SaaS vendors like to use.
The Standardized Information Gathering (SIG) Questionnaire is a fairly common questionnaire that vendors use to assess third party risk. The SIG's questions cover 18 risk domains including Risk Management, Organizational Security, Access Control, and more. The SIG Core has about 850 questions, while the shorter SIG Lite has closer to 330. One thing to note about the SIG, is that while it is quite popular, it does require organizations who use it to purchase a license or membership, which can make it pricey for startups. OneTrust acquired Shared Assessments, the creator the SIG, in May of 2021.
The Consensus Assessment Initiative Questionnaire was created by the Cloud Security Alliance (CSA) in an effort to help companies assess cloud providers and to manage third party risk. The CAIQ contains about 260 questions across 17 domains, including Encryption, Audit & Assurance, and Data Privacy by Design. Companies are encouraged to be transparent and to upload their completed CAIQ to the CSA's STAR Registry for public access. Well known companies such as Adobe, VMWare, and Microsoft have submitted to this registry. Vendors also have the option to obtain a level 2 certification by completing a third-party audit with a CSA-affiliated audit firm. The CAIQ is usually the most common questionnaire that vendors share with customers and prospects.
You can download and view SafeBase's latest CAIQ on our Security Status Page at https://security.safebase.io.
The Higher Education Community Vendor Assessment Toolkit was designed by American higher education organizations to measure vendor risk. Due to understaffing, many IT and security teams in the education space frequently collaborate and share information with peers at fellow schools when it comes to security. One of the points of the HECVAT is so that a vendor should only need to fill out a questionnaire once since many of these schools have similar risk appetites and security requirements.
The HECVAT comes in two main versions for SaaS vendors, the Full and the Lite. The HECVAT Full contains roughly 300 questions and covers a variety of topics such as Physical Security, Business Continuity, and Change Management. The HECVAT Lite is shorter and has approximately 90 questions. University IT teams may find the HECVAT Lite to be sufficient for vendors that do not process highly sensitive data. Vendors who intend to sell to top American colleges and universities should probably consider having a HECVAT Full or Lite completed proactively to streamline the sales process. Both the Full and the Lite are freely available to download and use here.
The Vendor Security Alliance (VSA) was formed by several leading technology companies such as Dropbox and Atlassian in an effort to improve the third-party security risk assessment process. The VSA questionnaires are notable in that they also include questions that directly pertain to the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), two of the most common privacy regulations that SaaS companies are expected to comply with. The VSA-Full has a few hundred questions in categories ranging from Software Supply Chain, Compliance, and Customer Facing Application Security. The VSA-Core is much shorter and has fewer than 100 and focuses on the most critical controls. The VSA also has a unique service in which member companies may have a VSA-affiliated auditor verify questionnaire responses from prospective vendors. Vendors are allowed to download both the VSA-Full and the VSA-Core for free.
You can download and view SafeBase's VSA responses on our Security Status Page at https://security.safebase.io.
In this post we discussed four of the most common types of standardized security questionnaires. Here at SafeBase we recommend completing at least the VSA and the CAIQ, as they are freely available, and are used by many leading technology companies during the vendor due diligence process.
Are you interested in an easy and transparent way to share completed questionnaires with prospects and existing customers? Sign up for a free trial of SafeBase today at https://safebase.io.