Ask HN: InfoSec questionnaire – what to do when customer wants one completed?
A colleague asked me today if I would recommend they fill out an infosec questionnaire to secure a high-profile question. I'm stumped and maybe some of you have some practical advice. The questions are, basically, do you have bank-level security, and if not, in what way - in quite great detail. Has anyone here run into this situation? If the
correctly-answered questionnaire got into the hands of the wrong person, they would have a lot of information to infiltrate the system.
Example questions:
"Are you able to detect and protect accounts that may have been compromised?"
"Do you allow users to change their passwords more than once in a 24-hour time period?"
Completely valid but how many small businesses without a security expert on board, have these in place? And why would it be beneficial to tell a customer about this? How could a small business deny completing this questionnaire but still get the customer on board?
6 comments
[ 2.9 ms ] story [ 38.0 ms ] threadThree things:
1.) Security through obscurity never works.
2.) Based on the examples you posted, they aren't asking for anything special. In fact, they both seem like about the base level of security I would expect an enterprise ready company to provide. If you want to liberally enter n/a to cover up that you aren't big enough/don't have enough people/haven't implemented what they ask, that is dishonest.
3.) If questions like this cause you so much trouble, you need to seriously ask yourself whether working for a startup is for you. Due diligence processes (either initiated by an investor who wants to fund you, or a body that wants to acquire you) should be expected to go much deeper.
In my original, I said that security through obscurity never works. That isn't entirely true, because it might work great. The problem is that it makes it much harder to defend yourself after a breach has happened.
Also, as cyberinsurance increasingly becomes "a thing", you're going to see this questionnaire situation increase in frequency. Your org should consider creating a pre-composed (and regularly updated) SSAE 16 (https://en.wikipedia.org/wiki/SSAE_16) to avoid having to fill out unique assessment questionnaires for every request that comes in. It'll save you time and — unless you "go N/A crazy" on the SSAE 16 — should be accepted by any firm worth doing business with.
Sorry to say this, but none of your examples require a security expert to implement. And frankly, they are both what I would consider low hanging security fruit. If you balk at implementing these, I question whether your product is ready for the enterprise.
>And why would it be beneficial to tell a customer about this?
This is risk management and honestly, if you don't understand risk management, you'll have a lot of trouble serving enterprise customers.
It's beneficial because in the company's mind, a legal action is a big enough risk that they want to invest resources in showing they were diligent before picking a partner.
>How could a small business deny completing this questionnaire but still get the customer on board?
There is almost no chance unless you have strong political ties to a major decision maker at that company. And, even if you do have that kind of connection, this form isn't asking for the keys to the castle.
Can your company provide a decent level of data security? How do you know?
If the answer to question #1 is not a resounding yes, you have no business trying to serve an enterprise.