Reviewing Security Questionnaires



How to pass a #vendor #assessment test?

During my time at #warnerbros, I would review the security controls of many small and medium-sized businesses that wanted to do business with Warner.

We'd have an elaborate security questionnaire that we'd send out to vendors to fill out and submit. Having reviewed countless of these questionnaires, I developed a process to help me quickly identify the gaps and recommend remediation for them.

Now that I am on the other side of the fence, helping smaller companies pass security audits required by bigger companies, here are the top 5 things I'd recommend for anyone who wants to look good and feel secure.

#authentication - How do you provide access to your users? Do you have #MFA and/or #SSO enabled?

#datasecurity - Are you using a strong #encryption algorithm to encrypt data at rest and in transit? Are you rotating your keys at least on an annual basis?

#penetrationtesting - When was the last time you ran a pen-test on your application? Please note that a manual pen-test is not the same as an automated #vulnerability scan.

#incidentresponse - Are you collecting all your logs in a centralized, secure location, and more importantly, do you have a team to review the alerts generated by suspicious activity?

#patching - The simplest but often the most ignored one. Needs no explanation; hackers love it when you have unpatched vulnerabilities from the 2010s.