Best Practice – Completing Security Surveys and Questionnaires
In our recent Security Update Series blog post, New Security Demands & Requirements for Small and Midsize Businesses, we discussed three drivers for increased business security. We noted that expectations will often be expressed in security surveys and questionnaires you are asked to complete. Providing incorrect, incomplete, or misleading answers, whether intentional or not, can impact premiums and your available coverage.
To minimize the risks and potential pitfalls, here are five best practices to follow:
1 Know the Process
Before starting your response, have the broker or agent walk you through the process in detail. What role do the security surveys or questionnaires play in the underwriting process? While some carriers only use a single survey, others will ask for follow-up information and/or request evidence supporting your answers.
Understanding the process will guide how you answer questions and the nature and amount of information you provide.
2 Follow the Rule of Absolutes
Under the “Rule of Absolutes,” an unqualified “yes” or “no” answer to a question means “yes” or “no” everywhere and in every instance.
For example, if you answer “yes” to the question, “Do you require multi-factor authentication for user login?”, you are stating that MFA is in place for every possible user login for every system or service. Answering “yes” if this is not the case will be considered a misleading or deceptive response.
The better approach is to answer with commentary that accurately addresses the intent of the question without absolutes. Using the above example, provide a list of the systems for which MFA is required, optional but recommended, and/or not available. In addition to being a more accurate response, this information will better inform the underwriting risk assessment.
3 Understand the Questions
Not all questions may be clear. Some questions will focus on technology. Others will focus on policies, processes, and procedures. Still others will focus on outcomes.
For example, these three questions:
- What security information and event management (SIEM) system is in place?
- Do you have security information and event management?
- Do you monitor, save, and analyze security event logs to identify alerts and conditions that require responsive action?
Question 1 appears to be asking about specific software or tools. Question 2 asks about capability; the software tools and operational resources may be implied or assumed with a “yes” answer. Question 3 probes procedures, possibly independent of the supporting technology and of the existence or use of a security operations center (SOC).
If you are not sure how to best answer the questions, consult with the broker or agent for guidance.
4 Pause and Implement
In reviewing the security surveys or questionnaires, you may notice an emphasis on certain aspects of your security systems, solutions, policies, and processes.
If your answers appear to indicate weakness in these areas, consult with the broker or agent for guidance. You may benefit from pausing the effort until you can update or implement expected services and solutions.
In some cases, indicating that an improvement is in process may be sufficient to move forward.
5 Get Legal Advice
You own, and are legally bound by, the survey and questionnaire responses you provide. This holds true even if IT providers, vendors, and others have drafted portions of your response.
Before submitting your responses, review the surveys or questionnaires and your responses with qualified legal counsel familiar with cybersecurity. Understand whether answers provided by third parties may create issues or liabilities, and understand any and all commitments expressed or implied in your responses.
What to Do:
The best course of action is to assess and, if appropriate, adjust your security services before you face a survey, questionnaire, or audit. Our Rapid Security Assessment provides a quick review of core security services. Our Cloud Advisors are ready to assist with any questions or concerns.
Contact us or schedule time with one of our Cloud Advisors.
About the Author
Bill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud-forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience and effective change management.