Ask HN: InfoSec questionnaire – what to do when customer wants one completed?

4 points by telesilla ↗ HN
A colleague asked me today if I would recommend they fill out an infosec questionnaire to secure a high-profile question. I'm stumped and maybe some of you have some practical advice. The questions are, basically, do you have bank-level security, and if not, in what way - in quite great detail. Has anyone here run into this situation? If the correctly-answered questionnaire got into the hands of the wrong person, they would have a lot of information to infiltrate the system.

Example questions:

"Are you able to detect and protect accounts that may have been compromised?"

"Do you allow users to change their passwords more than once in a 24-hour time period?"

Completely valid but how many small businesses without a security expert on board, have these in place? And why would it be beneficial to tell a customer about this? How could a small business deny completing this questionnaire but still get the customer on board?

6 comments

[ 2.9 ms ] story [ 38.0 ms ] thread
In my experience you won't need to answer yes to every question in order to "pass" the info sec, but their team will want to be able to understand the risk of doing business with you. Depending on exactly what it is you'll be doing together, will determine how much risk they are willing to take on.
Most of the questions should not be answered, in my opinion - if the document got into the hands of a bad-actor it could be abused. I'll recommend they liberally use the N/A option and try and have a discussion with the customer security team.
Based on the example questions you posted, you are being paranoid. Neither one of those questions are terribly sensitive and it doesn't matter if the answers fall into the wrong hands. Your company isn't that special - many companies want to know the same things before they work with someone.

Three things:

1.) Security through obscurity never works.

2.) Based on the examples you posted, they aren't asking for anything special. In fact, they both seem like about the base level of security I would expect an enterprise ready company to provide. If you want to liberally enter n/a to cover up that you aren't big enough/don't have enough people/haven't implemented what they ask, that is dishonest.

3.) If questions like this cause you so much trouble, you need to seriously ask yourself whether working for a startup is for you. Due diligence processes (either initiated by an investor who wants to fund you, or a body that wants to acquire you) should be expected to go much deeper.

It's too late to edit this response, but I wanted to add something.

In my original, I said that security through obscurity never works. That isn't entirely true, because it might work great. The problem is that it makes it much harder to defend yourself after a breach has happened.

Properly constructed information security questionnaires enable a business partner to conduct a high-level, non-intrusive assessment of your organization. You have a right to be concerned about the sensitivity of the data, but if you distrust your business partner that much, then don't do business with them. Your org is not a special snowflake and this is a very common practice by organizations of all shapes and sizes with organizations of all shapes and sizes. They are not the be-all/end-all of information sources (orgs regularly fib on these forms) and you do have a similar right to ask the inquisitors how they will protect your form data (that will also partoy show them you at least give lip-service to data security). It's also far more likely that your organization is going to get pwnd via phishing that is completely unrelated to the potential loss of confidentiality of this document. I say that as someone who has formally studied cybersecurity breaches for years.

Also, as cyberinsurance increasingly becomes "a thing", you're going to see this questionnaire situation increase in frequency. Your org should consider creating a pre-composed (and regularly updated) SSAE 16 (https://en.wikipedia.org/wiki/SSAE_16) to avoid having to fill out unique assessment questionnaires for every request that comes in. It'll save you time and — unless you "go N/A crazy" on the SSAE 16 — should be accepted by any firm worth doing business with.

>Completely valid but how many small businesses without a security expert on board, have these in place?

Sorry to say this, but none of your examples require a security expert to implement. And frankly, they are both what I would consider low hanging security fruit. If you balk at implementing these, I question whether your product is ready for the enterprise.

>And why would it be beneficial to tell a customer about this?

This is risk management and honestly, if you don't understand risk management, you'll have a lot of trouble serving enterprise customers.

It's beneficial because in the company's mind, a legal action is a big enough risk that they want to invest resources in showing they were diligent before picking a partner.

>How could a small business deny completing this questionnaire but still get the customer on board?

There is almost no chance unless you have strong political ties to a major decision maker at that company. And, even if you do have that kind of connection, this form isn't asking for the keys to the castle.

Can your company provide a decent level of data security? How do you know?

If the answer to question #1 is not a resounding yes, you have no business trying to serve an enterprise.