Every day we talk with small businesses struggling with enterprise security questionnaires, and it's a hot topic on this blog. And every day we hear some of the same underlying anxieties... What if I don't have everything the enterprise asked for? What if I don't have SOC 2? Should I elaborate on this answer? Should I attach supporting evidence for that question? For ventures that haven't been through an enterprise security questionnaire before, the process can feel arbitrary, cumbersome, and ambiguous. This article has five of our top "easy wins" for saving time and frustration when filling out an enterprise security questionnaire.
Let's role play for a minute. Say you are a CTO feeling uneasy about the fact that you have been through a SOC 2 Type I audit but not through a SOC 2 Type II audit. Now, suppose you encounter an enterprise security questionnaire that asks "Are you SOC 2 compliant?" -- and that you have a Yes/No dropdown and a notes field to work with.
Do you:
Your answer should absolutely be the first response. Never the second response. Never the third response. When you have a truthful way to answer favorably to any enterprise security question, answer favorably and move on. Don't ruin a favorable response with notes that reveal nuanced details that raise additional questions, none of which were asked for in the question.
Let's say that you get asked if you "forbid employees to connect their devices to networks not managed by the company" -- and that (duh!) you have employees that sometimes/always work from home and connect to their home network. What do you do?
DON'T say that you always forbid employees from connecting to networks outside of the company. Enterprise security questionnaires are no time to lie. Serious liability and indemnification responsibilities await those who take the shortcut of knowingly providing a false answer.
So, what do you do? Well, if you don't have a VPN, you might need to hurry up and get one. And if your Acceptable Use Policy doesn't instruct employees that they are required to connect to the VPN anytime they are handling company information, you might need to quickly make that amendment. Then, although your answer to the direct question is "No" (if you are forced into a Yes/No due to the format), your notes/explanation should say something like this:
"Although we do allow employees to connect to other networks, such as a remote employee connecting to their home network, our Acceptable Use Policy requires all employees to connect to our VPN anytime they are accessing company resources from another network."
That's what's called a compensating control. You don't have precisely what the question asked, but you have some really substantial controls that compensate for that shortcoming. And your response makes it extremely clear that you understand the underlying motivation in the question, and that you've simply chosen to manage that security need through a different control than the one envisioned by the enterprise.
There are still some stodgy enterprise security questionnaires out there that are written as if you self-host your servers in some server closet in your office. I sincerely hope that you don't. So, when you encounter a question that is written to probe your server-hosting practices, you should be able to heavily lean on your highly-credible hosting provider. For example, suppose that you encounter the question "If your primary datacenter suffers an outage, do you have the ability to restore service from a secondary site?"
You should be able to knock this question out of the park. Although it depends very much on your particular setup, an answer like the following (if truthful) should put the topic to bed permanently:
"We rely on AWS, a SOC 2 Type II and ISO 27001 compliant provider, and we use their Multi-AZ feature to ensure that our customer data is automatically replicated to multiple datacenters, and that our webservers automatically fail over to the secondary site in 60-120 seconds in case of a data center outage."
Sounds pretty good, right? If you are using a credible hosting provider like AWS, Azure, Google Cloud, or similar, you should be able to craft a similarly-compelling answer that is truthful for your particular setup.
Does the enterprise security questionnaire ask you to disclose your trailing three years of audited financials? Does it ask you to disclose sensitive information from your capitalization table? We've seen questions of this nature, and not just occasionally. We've seen them plenty of times.
Although we understand an enterprise's desire to determine the financial fitness of your firm -- after all, they don't want to work with you if you might go out of business tomorrow -- there is almost never a reason to disclose internal information as sensitive as this. For the questions mentioned in this section, and some others that we'll cover in a future post, you are absolutely safe to respond with something along the lines of "undisclosed" or "confidential" -- and to stand your ground if pressed. There are many other reasonable mechanisms that the enterprise can use to achieve an understanding of your financial fitness. Perhaps a D&B report. Perhaps a Reg D disclosure. But not your trailing three years of audited financials, and not intimate information from your capitalization table. That's not fair game for enterprise security questionnaires.
Sometimes, I'm sorry to say, you'll get caught in a direct question that you don't have a good answer to. Maybe you don't even have reasonable compensating controls. Enterprise security questionnaires are often so lengthy that it's hard to avoid running into questions that are really tough topics for your company.
When we are advising our customers, we talk about there being occasional questions where you need to "spend a token". Don't spend a token on not being able to provide a straight answer to a question about whether you have companywide antivirus or companywide security training -- ace those ones. That way, if you get stuck on some other question, you can be in a spot where you've done really well on the rest of the questionnaire and just need a little bit of sympathy on one or two questions.
As an example, what if you are asked if you've ever had a data breach? And, suppose that you have indeed had a data breach. You handled it reasonably, all of the impacted parties are satisfied with your response, yet the fact remains -- you did have a data breach. If everything else in the questionnaire has gone smoothly, and it comes down to a conversation where you talk the enterprise through the incident that occurred five years ago, its limited scope, the extensive remediations put into place, and the clean track record ever since then... well, then you are "spending a token" on the right question. And we'd say you have a good chance at successfully gaining security questionnaire approval (although likely after some additional conversations and disclosures).
As we wrap up, let us leave you with one final thought. When it comes to enterprise security questionnaires, nobody is perfect. I don't believe that, in my entire career, I've ever seen a Fortune 100 enterprise security questionnaire where the respondent was able to favorably (and honestly) answer every question perfectly. It just doesn't happen. Whatever happens in the one you are working on, apply the above five strategies and you'll be well on your way to a strong response that will represent your organization well.