Case study: Vendor response
A small software-as-a-service (SaaS) company recently approached RSM with a problem. The company provides SaaS solutions largely to Fortune 500 corporations with a large retail presence. The SaaS product is designed to conduct various surveys on behalf of these companies, as well as to aggregate and analyze their results. The only information entered into the tool is an email address, and the gathered data is anonymized as it is returned. Because the product does not collect credit card numbers or other sensitive information, it has largely been ignored by these organizations’ security departments in the past.
However, within the last year, an increasing number of these customers have begun sending security questionnaires demanding to know the company’s security practices. Because the company has a small IT staff and no one in an information security role, the questions being asked have been confusing and difficult for it to answer. Even worse, potential clients are starting to send these questionnaires, with the answers determining whether they will do business with our client or not. RSM was engaged to help the company manage and respond to these questionnaires and to keep the company from losing any existing or potential clients.
This problem is part of an overall trend that we have seen: regulations like PCI, HIPAA and GLBA are pushing more and more companies to assess their third-party vendors. Because the process tends to be understaffed and inefficient, these companies rarely have the ability to properly sort their high-risk vendors from the low-risk ones, and as a result all of their vendors are bombarded with the same security questions regardless of what service they provide. There is also rarely a knowledgeable resource with the time to explain what these questions mean and why they are being asked. As a result, service providers are left to sort the process out on their own and answer as best as they can.
RSM’s vendor response service was developed with this exact problem in mind based on over 10 years of experience in developing, reviewing and responding to these types of questionnaires. We helped this particular client by reviewing existing questionnaires, assessing the client’s current security state and filling out the questionnaires on the client’s behalf while providing guidance on which items the client needed to remediate.
The process began by obtaining copies of three of the recent security questionnaires that the client had received. RSM reviewed these and identified that customers were interested in controls from ISO 27002, CFR Part 11 and HIPAA. RSM then crafted a set of interview questions based on our INFOSEC control framework, designed to provide the answers these customers were looking for. Next came a round of onsite assessments by security consultants.
During these interviews, RSM consultants met with a wide variety of client personnel, including the head of human resources, the chief financial officer, the IT systems administrator and the facilities manager for the company from which the client leases its offices. Phone interviews were also conducted with the company to which the client outsources its web development and hosting. Finally, while on site, RSM reviewed the physical security controls covered by these questionnaires and observed the IT processes followed by employees.
The first result from RSM’s process was an accurately completed questionnaire filled out on the client’s behalf. Rather than the client blindly answering questions to the best of its limited ability, RSM answered each question in the most defensible way possible from a security perspective. Rather than saying “we have no data destruction program,” the consultant answered “because the client collects no sensitive information from its customers, and maintains no PII or cardholder data, a risk decision has been made not to implement any formal data destruction program.”
The second result was a list of “red flag” items that the client did not have in place and that would be difficult to defend to customers. These included the lack of penetration testing, the lack of an incident response plan and the lack of an employee responsible for information security. RSM assisted the client in drafting plans for how each would be implemented, to share with their customers. Finally, we were able to perform the needed penetration testing, co-develop an incident response plan with the client, and develop roles and responsibilities for their chief information officer to take on as their new security officer.
As a result, the client’s security program (as judged through the completed vendor response questionnaire) was determined to meet the standards of the vendor management program of a Fortune 500 bank and made it through the last round of that bank’s approval process, so that the client could take on a $1 million/year contract providing software services.
Before engaging RSM, the client was confused by the security questionnaires and was wasting a significant amount of time attempting to answer them. We were able to quickly assess the client’s security controls to get the correct answers to these questions and provide the appropriate information to a large customer to gain a big new sale. Additionally, we helped the client develop and implement a program to manage future security questions.