Whether your company has a Chief Information Security Officer (CISO) or not, you can play a role in protecting your business online today. Cybersecurity, information management, and the handling of personally identifiable information (PII) are now essential both for protecting against fraud and for meeting data handling compliance requirements. We know that doing due diligence is hard, so we have outlined the questions that form the foundation of a vendor risk management framework. They help you vet companies for their security posture.
Passbase’s identity verification engine powers organizations from startups to global companies that handle one of the most sensitive types of information: digital identities. We speak regularly to security departments that do vendor security assessments, and in this post we aim to share the questions to ask and the answers to look for when considering third-party providers for identity verification.
Before you start
Before you begin asking questions, you can also take a few steps to better prepare. Do the following:
- Use checklists and frameworks as jumpstarts: PII compliance checklists, vendor security assessment questionnaires, vendor risk management framework or security assessments
- Prepare a template for your company: Based on your data handling and compliance requirements, prepare a table with a column for questions and another column for their answers so you can quickly compare.
- Ask for information and materials: Do not be shy. If your vendor takes security seriously, they will happily fill out your questionnaire and provide available materials because they know this is part of your due diligence.
- Pay attention to how vendors respond: Take note of the attitude that vendors respond with both to your questionnaire and to in-person meetings. Do they care about issues such as privacy, data handling and cyber hygiene? Are they relying heavily on certifications without explanations?
- Educate yourself and do some digging: If there is a term you do not understand, ask your vendor’s security expert for clarification and do a quick search, as a lot of information is publicly available online. A good dictionary source is the open-source non-profit dictionary, Open Measure.
A vendor security assessment questionnaire and checklist
It is important to understand that there will always be risk. This is why large enterprises have a risk management framework that defines which types of risk are acceptable and how attack surfaces can be reduced.
The questions provided below may not cover your specific cases, but they give you questions to ask and approaches to assessing the answers. The key areas to cover are: what types of information are being handled and what security features protect them; what organizational controls and staff training the vendor has; and whether the vendor has its own security measures and intrusion response in place.
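The comparison template described above can be turned into a small scoring tool. The following is an added example, not Passbase’s questionnaire or scoring method: the control identifiers, weights, the "critical" flags and the two vendors’ answers are all constructed for illustration. Each question is phrased so that "yes" is the desirable answer; a control marked critical (here, encryption and incident response) counts as a blocking gap whenever the answer is anything less than "yes", and a question the vendor left blank is reported separately, since an unwillingness to answer is itself a signal.

```python
"""Weighted scoring for a vendor security questionnaire.

Constructed example: control ids, weights and vendor answers below are made
up for illustration and are not Passbase's questionnaire or scoring.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Control:
    cid: str                # our own identifier for the question
    question: str           # phrased so that "yes" is the desirable answer
    weight: int             # relative importance in the total score
    critical: bool = False  # anything less than "yes" is a blocking gap


# Question set mirrors the areas in the post: data handling, account
# management, operations, application security, certifications.
CONTROLS: List[Control] = [
    Control("DATA-01", "Is data encrypted both at rest and in transit?", 5, critical=True),
    Control("DATA-02", "Can data be destroyed according to our retention policy?", 3),
    Control("DATA-03", "Does data stay inside the vendor's own infrastructure?", 3),
    Control("ACCT-01", "Is SSO/OAuth with 2FA supported for our staff?", 4),
    Control("ACCT-02", "Do infrastructure teams have separate, limited permissions?", 3),
    Control("OPS-01", "Is there 24/7 monitoring and an incident response plan?", 4, critical=True),
    Control("OPS-02", "Are RPO/RTO documented with availability of 99.9% or better?", 3),
    Control("APP-01", "Are penetration tests and threat modeling done regularly?", 4),
    Control("CERT-01", "Is a SOC 2 Type II report or ISO 27001 certificate available?", 2),
]

# How much of a control's weight each answer earns.
ANSWER_VALUE = {"yes": 1.0, "partial": 0.5, "no": 0.0}


def score_vendor(name: str, answers: Dict[str, str]) -> dict:
    """Score one vendor's answers against CONTROLS.

    Unanswered questions earn nothing and are listed separately. A critical
    control that is not fully met is listed as a gap regardless of score.
    """
    earned = 0.0
    total = sum(c.weight for c in CONTROLS)
    critical_gaps: List[str] = []
    unanswered: List[str] = []
    for control in CONTROLS:
        raw: Optional[str] = answers.get(control.cid)
        if raw is None:
            unanswered.append(control.cid)
            value = 0.0
        else:
            key = raw.strip().lower()
            if key not in ANSWER_VALUE:
                raise ValueError(f"{name}/{control.cid}: unknown answer {raw!r}")
            value = ANSWER_VALUE[key]
        earned += control.weight * value
        if control.critical and value < 1.0:
            critical_gaps.append(control.cid)
    return {
        "vendor": name,
        "score_pct": round(100.0 * earned / total, 1),
        "critical_gaps": critical_gaps,
        "unanswered": unanswered,
    }


def compare_vendors(submissions: Dict[str, Dict[str, str]]) -> List[dict]:
    """Rank vendors: those with no critical gaps first, then by descending score."""
    results = [score_vendor(n, a) for n, a in submissions.items()]
    results.sort(key=lambda r: (len(r["critical_gaps"]) > 0, -r["score_pct"]))
    return results


def render_table(results: List[dict]) -> str:
    """Plain-text comparison table: the question/answer template the post suggests."""
    header = f"{'Vendor':<10}{'Score':>7}  {'Critical gaps':<20}{'Unanswered'}"
    rows = [header, "-" * len(header)]
    for r in results:
        rows.append(
            f"{r['vendor']:<10}{r['score_pct']:>6.1f}%  "
            f"{', '.join(r['critical_gaps']) or '-':<20}"
            f"{', '.join(r['unanswered']) or '-'}"
        )
    return "\n".join(rows)


# Constructed answers for two hypothetical vendors.
SAMPLE_SUBMISSIONS = {
    "VendorA": {
        "DATA-01": "yes", "DATA-02": "yes", "DATA-03": "partial",
        "ACCT-01": "yes", "ACCT-02": "yes", "OPS-01": "yes",
        "OPS-02": "partial", "APP-01": "yes", "CERT-01": "no",
    },
    "VendorB": {
        "DATA-01": "partial", "DATA-02": "yes", "DATA-03": "yes",
        "ACCT-01": "no", "ACCT-02": "yes", "OPS-01": "yes",
        "OPS-02": "yes", "CERT-01": "yes",   # APP-01 left unanswered
    },
}

if __name__ == "__main__":
    print(render_table(compare_vendors(SAMPLE_SUBMISSIONS)))
```

With these constructed answers VendorA scores 83.9% with no critical gaps, while VendorB scores 66.1%, is flagged on DATA-01 (encryption only partially in place) and left APP-01 blank. The ranking puts vendors without critical gaps first, so a high total score never hides a blocking control; the weights and the critical list are the part you would adapt to your own data handling and compliance requirements.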
IT security overview questions
Get started with a few overview questions so that anyone reading the responses and comparing companies has context about what the provider does and their baseline setup.
- Can they describe the services they will provide for your company? What business problem will this solution address? As many vendors have overlapping services, a vendor’s main focus might indicate whether certain features are available to support your business needs.
- Can they describe the data they will keep for your company? Will the data be personally identifiable information (PII), credit card information (PCI), healthcare information (HIPAA in the US), or competitive data? This information is important for compliance.
- Can they provide an overview of their cybersecurity setup? For example, who is responsible for cybersecurity, and what is that person’s title? Do they have IT security policies or a security program? How do they continually assess and address their organization’s cyber vulnerabilities?
- Can they describe what data interfaces they will have with your company (if any)? For this question, find out what data is being exchanged, how frequently, and whether data is being sent to or extracted from your own system. You can also ask about exchange protocols and documentation. For example, data push and modifications on Passbase are made through HTTPS POST (REST based) and all data retrieval is HTTPS GET (GraphQL based). We have extensive developer documentation for our API, server-side SDKs and client-side SDKs.
- What is the Service Level Agreement (SLA)? While this seems standard, it is important to know what a company is offering you explicitly and what they may not.
Data security and handling questions
You also want to understand how data is being handled. Even if you do not have to meet data security compliance requirements, following these best practices can help you protect your data. You should learn whether customer data resides in your vendor’s infrastructure and where it is hosted. You should know whether your potential vendor uses third-party service providers and whether any data is sent outside of the organization. You can approach data this way:
- Data storage: Where will the data be stored? Will there be communication if the data changes locations? Some countries and industries have requirements for data residency, data localization, or data sovereignty. For example, Passbase customer data resides on the Passbase infrastructure and never leaves this infrastructure and clients can ask us for further details.
- Data protection: Is data encrypted, and is it encrypted both at rest (when stored) and in transit (when sent)? Does the vendor have Data Leakage Protection (DLP) capabilities and, if so, can it detect unauthorized access to data?
- Data retention and export capabilities: Can your vendor destroy data in accordance with your policies? How are backups kept (if at all), and is data archived? Also find out whether your vendor retains logs and data should they be needed for any legal proceedings, such as for payment fraud.
- Is any data sent outside the organization? For example, is any information sent outside of your vendor to a third-party, such as for payment processing?
User account management and administrative access questions
Cyber hygiene is only as good as the precautions people take. Understand how your vendor approaches user account access management, such as whether there are limits or permissions (such as admin accounts) that can be set. You can also ask about how end users, versus your own internal team, can access the service.
If convenience matters, you can ask about single sign-on (SSO) or OAuth support. You can ask about VPNs and whether they support two-factor authentication (2FA) that integrates with your own security infrastructure.
Finally, understanding how they approach account management internally also gives you an indication of risk exposure. For example, do they have separate permissions for infrastructure teams? How do they handle background checks on employees or terminated accounts?
Questions for security, monitoring, and disaster recovery
Finally, companies that are serious about security will be honest about the practices that they have in place. No system is 100% secure. As such, it is more important to understand what sort of penetration testing, detection systems, and response plans they have in place. Below are some types of questions you can ask:
- Can you describe your network security capabilities at a high level? While vendors will not expose their full security features, you can still ask them about security capabilities generally. They might address measures such as segregating environments, monitoring for malware, application-aware firewalls and DDoS protection.
- Can you describe your OS/Platform security controls? Ask about password policies and how secrets are stored. You can also ask about vulnerability scans and anti-virus or host-based intrusion detection systems (IDS).
- How do you perform security monitoring and IT security incident response? Find out generally whether there are 24/7 security operations and how they monitor networks, systems, applications, and even database administrator activity. What are their capabilities to detect suspicious events within their own environment? Some teams may be willing to describe, in general terms, recent security incidents and how they were addressed.
- What are the high availability, backup, and disaster recovery capabilities for the services your vendor is offering? As risk can never be eliminated entirely, understanding how disasters are addressed is important for understanding how breaches will affect you. An answer might include an RPO and RTO, and usually availability should be above 99% and close to 99.9%.
Application security and outsourcing
In addition to security measures, you can ask about secure coding practices, security reviews or threat modeling practices. For example, Passbase conducts regular security reviews and uses STRIDE threat modeling practices. You can also ask vendors about scans for web vulnerabilities and firewalls.
Finally, it is important to know if your potential vendor outsources any IT or IT security functions to third-party service providers. Where are those third-parties located and what access would they potentially have to your systems? Are those service providers audited?
Certifications and compliance requirements
Do they have industry security certifications or external-facing security documentation and reports?
Industry certifications can include SOC 2 Certification, ISO 27001, PCI Attestation of Compliance if handling financial information, and other certifications. Companies that have these credentials usually have badges or an information page.
In some instances, companies may also ask for external security assessments.
Companies with data security compliance considerations may only seek vendors with certain certifications, such as SOC 2 or ISO 27001. However, it is important to understand what certifications reflect, such as SOC 2 Type II versus Type I. Passbase has sought a SOC 2 Type II certification to demonstrate over a period that we are compliant with best practices in data handling and information security.
Which relevant security and privacy laws and industry standards are they compliant with?
Knowing whether your service provider can grow with you is important. If you serve different markets or are considering expanding, ask if your vendor is already compliant with regulations in those places. Some examples include:
- 🌎 Payment Card Industry Data Security Standard (PCI DSS) 3.0
- 🇺🇸 Corporate and Auditing Accountability, Responsibility, and Transparency Act (Sarbanes-Oxley Act) of 2002 - for public entities
- 🇺🇸 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- 🇺🇸 California Consumer Privacy Act of 2018 (CCPA)
- 🇪🇺 General Data Protection Regulation (GDPR)
That’s it! To get started on setting up your vendor questionnaire, you can take a look at the FINRA Cybersecurity Checklist.