Ask HN: How do you respond to security questionnaires?
A software company we are integrating with wants their 100 question security assessment questionnaire completed. Any advice?
We are a two engineer team without a SOC audit and without a third party pen test that stores medical and financial data.
These questionnaires are time consuming and redundant. It seems insecure to produce something that details our security too. Does a /security page with some details suffice? Am I just being lazy?
7 comments
[ 3.0 ms ] story [ 30.6 ms ] thread>These questionnaires are time consuming and redundant.
This is how data breaches happen. You should be willing to jump through a few, usually reasonable, hoops if you're storing medical and financial data.
Instead of looking for a quick-fix that will "suffice", you may consider actually securing the sensitive data you hold on other people.
Edit: After a little googling, I'm genuinely concerned about the product you are offering, at a firm of your size, with no compliance. Yikes from me.
Just, for example, your comment "Work on security for a week and then submit". What does that even mean? Security is a going concern, not a one-and-done. What do you expect to accomplish in a week?
You mentioned you have no 3rd party pentest, nor SOC compliance. Regardless if they are required by law, not having a rudimentary pentest (which are fairly inexpensive) speaks volumes about your companies posture on security.
I hope you let the people that are trusting you with their extremely private medical and financial data that you are tired of answering security questionnaires, and aren't too concerned about having a 3rd party validate your security.
Some questions you won't agree with, e.g. I've been asked how often we change our wifi passwords. Better to be honest and let them assess the risk than overpromising.