This Wisdom of the Crowd, compiled from responses posted on the Small Law Department and IT, Privacy & eCommerce eGroups,* addresses the reasonableness of shared assessment questionnaires.
*(Permission was received from the ACC members quoted below prior to publishing their eGroup comments in this Wisdom of the Crowd resource.)
Question:
We've been asked by one of our larger customers to complete a "Shared Assessments" questionnaire created by the Santa Fe Group. http://santa-fe-group.com/capabilities/shared-assessments/. We've had several employees working on it for days and we're still not done. It's a spreadsheet with about 20 tabs and approximately 1,400 questions that require a response. In addition, it asks us to provide copies of pretty much every internal policy and procedure document we have that has anything to do with security or IT. We're going to have to spend thousands or tens of thousands of dollars worth of internal time to respond to this, including a fair amount of my time. I understand why customers have to do a certain amount of due diligence, but is this just a "check the box" exercise? I have my doubts about whether anyone at the customer will actually look at all this information once we provide it.
It seems to me that it's too easy for a company to send a standard questionnaire like this to all of its vendors, and it seems that every company uses a different questionnaire, so the work we do responding to one request isn't generally usable for the next request. Here's a link to an RFP questionnaire provided by an ACC member that "only" has about 265 questions. Does anyone else think it's unreasonable for a customer to expect a vendor to do this without compensation? If this were an industry standard questionnaire that we could provide to all of our customers that would be one thing, but this appears to be a proprietary and copyrighted document that you have to pay to use.
As a vendor, it's hard to say no to your best customers when they say they are requiring this of all their vendors, but where do you draw the line on responding to these kinds of demands? I can imagine the response I'd get if I tried to put something into our contracts that says we don't have to comply unless the customer agrees to compensate us for the time we spend responding, so I don't think that's the answer. Also, these sorts of questionnaires often come with RFPs, which is even worse because there's a good chance you won't even get the business.
As a customer, does your company make demands like this on your vendors or prospective vendors? Is there anything we can do as counsel to encourage some reasonableness from our IT security people in vendor due diligence? Is anyone aware of any kind of non-proprietary or open-source standard approach to vendor due diligence that might ease the burden on vendors?
Wisdom of the Crowd
Response #1: 1. It is very unreasonable. 2. If only 1/2 of your answers were provided, would it make it easier to hack your systems? I was counsel for a third party provider of claim processing and reporting. We often had clients' requests for details as to our security and disaster recovery plans. Our IT people provided a general summary which outlined what kind of systems we had without revealing enough details to give Anthony Snowden a chance at system penetration. We refused to allow on-site visits and refused to allow or share penetration tests. We provided information on ISO[1] compliance, that we had (then) SAS[2] 70 audits.
In order to process the answers to 1400 questions, it would take several people to review and grade the answers. You've now revealed your internal security systems to total strangers.[3]
Response #2: This is going to be an ever-growing problem. Some of it stems from regulation and such that the other party is subject to. So before one figures out a response, it might be good first to understand the source of the other party's angst, as it might guide the reaction. That said, even then, it may continue to be unreasonable to respond blindly to what, based on the poster's description, appears to be a poorly designed way to address an actual need. (That said, there may be some circumstances where that level of diligence is called for; the poster doesn't tell us enough to gauge that. If I were going to be the primary outsourced provider of an IT-intensive service to a health-care institution, for example, I would not be offended at the kind of diligence being asked here, although, presumably, if I were in that business I'd be plenty ready to respond to all of those kinds of questions!)
I'm not aware of any settled way to respond yet; industry is still struggling with this, and it will be some time (if ever) before we have a one-size-fits-all way to address the need. And, in many ways, it's a result of a decade or more of connections and such being created at hyper-speed without any management or legal oversight, which leads to the explosion of breaches of today, which leads to over-reaction such as the poster described.
To negotiate out of a burdensome request, I think this would usually require some very hands-on and delicate work by the upper management of the targeted company to get in touch with the people at the top at the customer side who made the request, and try to understand true needs and negotiate something that makes sense. Then again, one best have a better answer than "Trust me" before you make that call.
Some things to consider (which barely scratch the surface):
1) Negotiate whether or not the security issue is present at all by negotiating whether and how your company has any ability to access the other side's secured assets. The underlying premise of any of these requests is that they're being asked to put you in a position where you can do harm to their secured assets. So, question if that's true or not in the first place, or whether you can change the facts a little to avoid the potential to cause harm (since if you can show you have no capacity to do them harm their underlying need to understand your security regime goes away or at least gets mitigated). I've seen too many cases where the 'right to access' was, at its heart, a 'nice to have' that ended up creating a huge security exposure (for both sides!) that had no real justification given the minimal value the access right gave to the parties. So, one tactic is to just agree that you'll never need to touch their stuff (and maybe agree to a less efficient way to pass data like via email versus having an account on the other guy's system) (or at least draw some serious lines around the less-dangerous things) and you might convince them to back off.
2) Have a pre-prepared security statement that is comprehensive and full, and which appears to cover the bulk of what a reasonable person might ask for from a person who is asking to gain access to the other side's secured IT assets (or whatever the situation might be). Many end up answering the long questionnaires simply because they admit to themselves they don't really have a response that shows what they do have to offer. But, if you do have a good answer in hand it might convince them to accept that in lieu of creating one by proxy through their questionnaire.
3) Consider obtaining certification and the like from a system that the other side might respect. That typically involves doing almost all of the same things that are discussed in the 1400-question survey, but you do it just for yourself. (And, let's be fair: doing that is very expensive, very time consuming, may not get done in time to deal with the problem of the moment, and may end up causing you to have to amend and invest in your own company before you can get certified. But, at least then you're only doing it once, and it benefits you even more than it benefits your third-party relationships.) Then, the certifying organization would issue an opinion of whether your organization has set up its system to comply with that standard. You give the other party the certification, but not the underlying description of your own system (which, as somebody else has already aptly pointed out, is plain silly to do! Never tell any outsiders how you operate your own security at its deepest levels!). Once you have that in hand, it's typical to respond to demands such as the poster faces with "we won't do any of this, but here's our certification from the respected security authority, and we'll contract to maintain that through the term of our engagement and keep you up to date on our certification. But, we won't give you our own security details, as doing so would compromise OUR security." Or such...(choosing a certification and a certifying body, a consultant that will get you there, and all of that detail is far too much to discuss in this email).
4) Remember always that the basic premise (expecting those who ask to be given access to secured assets to prove their ability to protect those assets) has high merit, and each of us should be expecting exactly the same respect from those who we would allow into our own systems; this goes both ways and on all sides of our businesses.
5) Remember as well that many of us have a statutory or regulatory obligation to do some type of diligence (but get incredibly slim advice from those statutes or regulations on exactly how to do that, and we're all often shooting from the hip, so it's not surprising that we see no 'gel' of a particular way to do this yet). Knowing the regulatory climate of the other party, and how to get them comfortable that the regulator they're afraid of won't call them out, is very helpful before entering into these negotiations.
6) And, let's face it, many of us simply don't have the negotiating leverage in some situations to do any of what I suggest above. It's time to start considering responding to these sorts of requests, for some of us at least, as part of the cost of business. At the same time, invest as much as you can in building secure systems, put much of this in the hands of a senior executive who has umbrella control over the whole answer and don't let responsibility be spread to too many places in the organization, know thyself and what one's strengths and weaknesses are, and you'll have an easier time dealing with these questionnaires.
7) Finally, remember that data security is about 10% an IT problem, and 90% a 'people and policy and governance' problem. Do not ship all of these requests down to the IT Department and expect them to deal with it. They buy the machines, but they can't control how they get used. That's got to come from the top down (and while more and more CEOs and Boards are beginning to realize their responsibility to "own" data security, it's still hardly ubiquitous in the upper floors of most companies).[4]
Response #3: A "questionnaire" that is 1400 questions long sounds like an ISO-27001 certification wannabe. Could it be that Santa Fe Group are ISO wannabes who have gotten a few companies to drink their Kool-Aid? "oooh look at how we are helping to ensure your supply chain is strong! Look at all of your weak link vendors who can't even complete a simple form..." And then of course Santa Fe Group will gladly provide consulting services to you, the weak link vendor, to help ensure you can now meet these rigorous standards.[5]
Response #4: We have not received this particular questionnaire but have become inundated with similar requests, to the point where I am working with our admin to create a library of typical questions and corresponding responses. I fear my efforts to automate and delegate will prove futile.
I suspect this is due to a trend of enlightened product sourcing (and in your case, IT security), which seeks to ensure they are dealing with responsible suppliers. To promote this lofty objective, I think there are many new businesses seeking to persuade the corporate procurement function to outsource this activity. The outsourced service provider introduces itself as being authorized by our mutual customer to assess our compliance/policies/outreach/commitment, etc., and offers to provide their good housekeeping seal of approval. They go on to ask if we want to join their membership (and pay a small fee). For the unenlightened, they offer the option of letting us fill out their questionnaire. They then evaluate our responses and determine a rating (usually accompanied by a really cool graphic), which they then provide to us and to our mutual customer. So how does this outsourced service demonstrate its value? We know the answer to that question: by designing large, comprehensive, and artistic questionnaires, more is better.
I take these requests seriously and I try to provide complete and meaningful responses, particularly in the context of responding to a request for proposal and establishing ourselves as a qualified supplier. But, to David's point, does anybody look at your response? Nobody has ever come back to me with a question or request for clarification.
This takes me to the question of the connection to the customer relationship. I expect most customers simply view this as a binary matter of whether we completed the form. I conclude that I need to provide a reasonable response but that I shouldn't lose too much sleep over not responding to inapplicable and unreasonable questions. I typically populate our responses with many N/A's and claims of proprietary information. I happily provide summary financials and applicable procedures but often note that we don't have a procedure or initiative in areas that don't have a direct bearing on our qualifications to perform the work. If somebody actually cared and asked us to improve our approach to any given concern, I'd be happy to take on the challenge.
I hope the market for these outsourced services will adjust to account for our reasonable concerns.[6]
Response #5: In my experience this seems to be more common for public companies, especially in data-driven industries like financial and healthcare. My personal take is that being able to tell a regulator or anyone else that you asked 1400 questions gets you past the assumption that you do not have a satisfactory vendor compliance program in place, without actually expending a whole lot of effort. Vendors bear the brunt. While of course it's up to the business folks to weigh the value of the relationship against the cost of compliance, I think the more reasonable way to look at it is as a means of doing your own security internal audit at the same time, and once you prepare one of these, the cost of doing another one goes way down since you have most of the questions answered. A review and update for any subsequent request is far less onerous. Also, if you do an SSAE[7] 16 audit, presenting your report (under NDA) as evidence of your security controls, with a request to let you know after review if any additional information is needed, may help to reduce the number of responses you need to make.[8]
Response #6: As a company that uses a questionnaire much like the one described (due to regulatory and oversight requirements), and has also been required to respond to similar questionnaires (and is therefore super-sympathetic to what a giant pain they are), I can tell you that we would be very receptive to a discussion with a supplier about narrowing scope. I do know that not everyone is; we have found that when trying to tell entities requesting our "feedback" on the form that it was totally inapplicable to the services we provided, some were really easy to work with and with some it was like talking to a brick wall. I would contact the requester and ask to speak about scoping issues.[9]
[1] International Organization for Standardization
[2] Statement on Auditing Standards
[3] Response from: Stuart Senescu, Attorney at Law, Independent Counsel, Highland Park, Illinois (Small Law Department eGroup, Aug. 20, 2013)
[4] Response from: Michael Fleming, Senior Legal Counsel, Cray Inc., Saint Paul, Minnesota (Small Law Department eGroup, Aug. 21, 2013)
[5] Response from: Laura Vogel, Assistant General Counsel, The Auto Club Group, Dearborn, Michigan (Small Law Department eGroup, Aug. 22, 2013)
[6] Response from: Donald Utley, Corporate Counsel, Western Services, Frederick, Maryland (Small Law Department eGroup, Aug. 22, 2013)
[7] Statement on Standards for Attestation Engagements
[8] Response from: Paul Verberne, Business Development & General Counsel, Tango Health, Inc., Austin, Texas (IT, Privacy & eCommerce eGroup, Aug. 22, 2013)
[9] Response from: Kerry Childe, Senior Privacy and Regulatory Counsel, TG, Round Rock, Texas (IT, Privacy & eCommerce eGroup, Aug. 23, 2013)