Responding to Privacy Assessments from your clients or prospective clients
For technology vendors, data privacy and security questionnaires are increasingly common. But they are also becoming longer, more complex, and more of a burden for the companies receiving them.
We’ve helped companies answer hundreds of security questions for their enterprise customers — sometimes as many as 400 in a single questionnaire. Here we will break down this topic for SaaS companies, starting with the basics in case this is the first one you’ve seen.
We can help you work through these assessments and clear the hurdles without creating issues with your clients. You may have received a TrustArc Privacy Risk Assessment or an assessment from OneTrust. Contact us and we can get it done for you at short notice.
How to Respond to a Privacy Risk Assessment Questionnaire
Okay, so you have the questionnaire. What now? Don’t panic. We’ve helped many vendors answer these security questionnaires. So how do you tackle it? How much time do you need? What resources do you need in order to respond?
Below we’ll cover these five topics:
- What should you do first?
- What should you do if your company lacks certain security controls?
- Can you fill out a security questionnaire and reuse that for other customers?
- Can you use certification or compliance with a known framework in place of answering a security questionnaire?
- What tips and advice can prepare you for future questionnaires?
First, Break Down the Questionnaire (And Then the Questions)
Before you try to answer anything, scan down the list of questions. How many questions are there? Does anything seem vague or need clarification? Do you know when they are expecting your response? Are there “not applicable” topics you can identify immediately? Narrowing down the number of questions and marking some as N/A right away will help, and you will often find easy answers for topics that aren’t relevant to your product or service. Bear in mind that if you say N/A, the customer will likely want you to justify it and may ask for further clarification.
Reference Your Risk Assessment
If possible, your company should have completed a risk assessment before you answer any vendor security questionnaires. This will help you understand the risks involved for you as a vendor and for your clients, setting the scope for what you need to answer in security questionnaires and what isn’t applicable. Initially, you want to see if you can reduce the scope of the questionnaire. You may be able to identify the specific areas that would affect your customer’s data, ruling out multiple questions. Perhaps you don’t store data locally. Or there might be reasons that physical or network security doesn’t apply to this engagement. Then you may be able to answer “NO” or “N/A” and give a logical reason why you don’t have that policy.
Clarify the Questions
After weeding out any that are not applicable, turn your attention to the rest of the questions. If something seems vague, mark it and ask the customer for clarification. While answering, break each question down. Take this example security question that you might see as a vendor:
“Is there a Network Policy that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy?”
- Yes (please attach the policy)
- No
- N/A
The question may look simple. But there are actually FIVE parts to it:
- Is there a policy?
- Was it approved by management?
- Was it communicated to your staff?
- Who is responsible for maintaining and reviewing the policy?
- Can they see a copy of this policy?
If you don’t answer, or don’t answer to their satisfaction, that can jeopardise your relationship with the customer or disqualify you from their list of software vendors. Breaking a question down into its parts helps you see which parts you already have covered and identify any gaps.
What To Do If Your Company Lacks Specific Controls
You might be able to answer “YES” to everything. You might have comprehensive policies, procedures, a training programme for employees, and a robust InfoSec programme. But you may have to answer “NO” to items that you do not have covered. If you only have a handful of policies that don’t cover all these topics, you should look into updating your security policies. If your company needs to bring its privacy and security policies up to date, DataOlogie can support you; get in touch with us for a chat.
Remediation Plans
You may be able to show a remediation plan that will bring your product or service up to your customer’s privacy and security standards within a set timeframe, or by the time a new engagement starts. This is especially important if you can’t reduce the scope of the questionnaire or complete a risk assessment ahead of time. Your remediation plan should show that you have a process to work through any gaps exposed by the questionnaire. This shows you are doing your due diligence and taking their concerns seriously. You want to keep your customers in the loop about your security compliance. Open communication about how you plan to implement data privacy and security upgrades can go a long way towards building trust. It also shows you are taking responsibility and moving in a positive direction. Don’t be dismissive. Take responsibility for any gaps. And don’t say anything dismissive that will set off alarm bells in the privacy risk team assessing you. If you are in the process of creating new policies and implementing security controls, ask the customer whether you can complete the questionnaire after those new controls are in place.
How to Recycle Answers from Security Questionnaires
Typically, you can’t reuse a security questionnaire. But that will depend on the customer. If it seems like it might be an option, ask first. In most cases, they will have a customised questionnaire. If you offer the customer a generic, completed security questionnaire, you should expect them to have additional follow-up questions. They may still ask you to answer the original questionnaire if it is a requirement of their own policies and procedures. However, you should certainly keep all of your completed questionnaires on file. This will allow you to reference past answers and reuse the relevant parts for a new customer’s questionnaire. Answers change over time, so make sure you are offering the most up-to-date information about any recent security upgrades. Questionnaires will often have topics that overlap. Keep track of which privacy risk questions you’ve answered. You may even want to create a central repository of your responses to different questions about your policies and procedures for later use.
How Certification or Compliance with a Known Framework Helps with Security Questionnaires
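One way to keep such a central repository of past answers, as an added example that is not part of the original article: a small answer bank that matches incoming questions to stored responses by keyword overlap and flags answers that have not been reviewed within a year, so that stale information is re-checked rather than copied forward. The three stored answers, the review dates and the “today” date are constructed sample data, not real customer responses.

```python
"""Answer bank for reusing security questionnaire responses.

Added example: matches new questions to previously given answers by keyword
overlap and flags answers not reviewed within a set window. All stored
answers and dates below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Words that carry no topic signal when comparing questions.
STOPWORDS = {
    "a", "an", "the", "is", "are", "there", "that", "this", "has", "have",
    "been", "by", "and", "or", "to", "of", "do", "does", "you", "your",
    "for", "in", "at", "with", "it", "on", "please", "attach",
}

# Constructed "today" for the sample run, so results are reproducible.
REFERENCE_DATE = date(2024, 9, 1)


def keywords(text: str) -> set[str]:
    """Lower-case alphanumeric tokens of a question, minus stopwords."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


@dataclass
class Answer:
    """One previously given response, kept on file for reuse."""
    question: str
    response: str            # "Yes", "No" or "N/A"
    justification: str       # policy attached, or the reason for N/A
    last_reviewed: date
    keywords: set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.keywords |= keywords(self.question)


@dataclass
class Match:
    answer: Answer
    score: float             # fraction of the new question's keywords covered
    stale: bool              # answer older than the bank's review window


class AnswerBank:
    def __init__(self, max_age: timedelta = timedelta(days=365)) -> None:
        self.answers: list[Answer] = []
        self.max_age = max_age

    def add(self, answer: Answer) -> None:
        self.answers.append(answer)

    def best_match(self, question: str, today: date, min_score: float = 0.4) -> Match | None:
        """Return the stored answer that best covers the new question, or None."""
        q = keywords(question)
        if not q:
            return None
        best: Match | None = None
        for a in self.answers:
            score = len(q & a.keywords) / len(q)
            if score >= min_score and (best is None or score > best.score):
                best = Match(a, score, today - a.last_reviewed > self.max_age)
        return best


def sample_bank() -> AnswerBank:
    """Constructed bank of three answers from a previous questionnaire."""
    bank = AnswerBank()
    bank.add(Answer(
        "Is there a Network Policy that has been approved by management, "
        "communicated to appropriate constituents, and an owner to maintain "
        "and review the policy?",
        "Yes", "Network Security Policy v3 attached; owner: Head of Engineering",
        date(2024, 3, 1)))
    bank.add(Answer(
        "Is customer data encrypted at rest?",
        "Yes", "AES-256 volume encryption on all database storage",
        date(2022, 11, 15)))  # old enough to be flagged as stale
    bank.add(Answer(
        "Do you operate your own physical data centre?",
        "N/A", "All infrastructure is hosted with a cloud provider; physical "
               "security is covered by the provider's attestation reports",
        date(2024, 3, 1)))
    return bank


def prefill(bank: AnswerBank, questions: list[str], today: date) -> list[tuple[str, str]]:
    """Draft responses for a new questionnaire; unmatched questions stay open."""
    drafts = []
    for qtext in questions:
        m = bank.best_match(qtext, today)
        if m is None:
            drafts.append((qtext, "NEEDS ANSWER"))
        elif m.stale:
            drafts.append((qtext, f"REVIEW (last checked {m.answer.last_reviewed}): {m.answer.response}"))
        else:
            drafts.append((qtext, f"{m.answer.response}: {m.answer.justification}"))
    return drafts


if __name__ == "__main__":
    new_questions = [
        "Does your organisation have an approved network security policy with a named owner?",
        "Is data encrypted at rest and in transit?",
        "Do you run a bug bounty programme?",
    ]
    for q, d in prefill(sample_bank(), new_questions, REFERENCE_DATE):
        print(f"{q}\n  -> {d}")
```

The matching is deliberately simple: a stored answer is only proposed when it covers at least 40% of the new question’s keywords, and even then a stale answer is surfaced for review rather than pasted in, which is the point made above about answers changing over time. The unmatched bug bounty question is left open for a human to answer.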
Whether you can use a certification or proof of compliance in place of a questionnaire will also depend on the customer and their questionnaire. Holding a certification or proof of compliance will certainly show that you take security seriously. However, they may still have questions that are not addressed by a particular framework or that relate specifically to their business. Compliance with a popular security framework will ultimately help you answer the questionnaire. Many of the topics required for certification or compliance will be covered by the questionnaire, preparing you to address those sections. If you have documentation of compliance with SOC 2, ISO 27001, the NIST Cybersecurity Framework, or the CIS Controls, that will give you an advantage while you respond to the questionnaire. These also provide independent support for your security measures.
Tips and Advice To Prepare For Future Questionnaires
Keep it simple. If the question is straightforward and can be answered in a single sentence or a short paragraph, do that.
Only provide the information required by the question. If the customer doesn’t ask, don’t overload them with information. More information can also create issues during the review process. The customer is responsible for asking for more details if they need them.
Be self-aware of both your strengths and weaknesses. Don’t lie. Don’t overstate your security controls. And don’t give them excessive justifications or excuses for why you lack specific security controls.
Involve the right people. Assign people from your team who know the answers to these questions. In some cases, this means taking time from a lead engineer or even a CTO. If you need to, divide the questions and spread the responsibility across several people.
Take your time. It might take 8 hours. It might take 20 hours. We’ve heard stories about questionnaires that take days to complete. Or drag out for weeks while a vendor and customer go back and forth clarifying questions. You want to get it right, so don’t rush it.
Keep the lines of communication open. Confirm you received the questionnaire. Share security documentation you have, such as policies. Request more time to complete it if you sense it will be challenging for your team. Ask for clarification. And also look for outside resources to address lacking policies or increase your compliance.
We have extensive experience helping clients design, improve and manage privacy impact assessment (PIA) processes, tailored to match each organisation’s requirements.
PIA process design and improvement
- Configure a PIA framework based on an organisation’s risk appetite, available resources, and compliance maturity;
- Integrate with existing risk, compliance or operational processes, and incorporate privacy technology and automated compliance solutions;
- Improve existing risk management processes (like hand-offs between the business and risk assessors, effective triaging of risk, and/or remediation tracking); and
- Refine assessments and/or add specific modules to address particular issues, such as data ethics or AI governance, or to update assessments of evolving risks like cross-border data processing or legitimate interest tests.
Supporting implementation
- Deliver training, workshops and awareness sessions to key groups;
- Test and pilot assessment materials and workflows with targeted user groups; and
- Integrate with relevant risk and compliance reporting, document management, record-keeping and case management tools.