Information Security

  • 1.  risk rating questions

    This message was posted by a user wishing to remain anonymous
    Posted 01-24-2025 01:45 PM

    Are the questions you ask your third parties in questionnaires pre-risk rated or do you risk rate them after the fact? Use the following small set of questions as an example, where the third party can respond with yes/no.

    1. Do you have a cyber security function and an assigned cyber security leader for the enterprise?
    2. Do you capture and securely store desktop and laptop logs?
    3. Do you conduct penetration testing to identify security vulnerabilities (e.g. staff, systems, and facilities)?

    You could pre-risk rate all the questions you have on a questionnaire, setting, say, question 1 to medium, question 2 to low, and question 3 to medium, or do you figure it out after it's completed by the third party?

    Let's say the third party responded to question 3 with a no, but your organization requires it. What do you do?



  • 2.  RE: risk rating questions

    Posted 01-28-2025 02:29 AM

    The questions we ask are predetermined based on the level of risk the supplier presents, which is determined by the type of activities they do. For example, if they process personal data we will ask them a set of GDPR-related questions, etc.

    We try to make as many of the questions simple yes/no or multiple choice options as possible to simplify the process but we still have a pretty low rate of return.

    I'm wondering, after several prompts, what action do you take when due diligence is not getting done?




  • 3.  RE: risk rating questions

    This message was posted by a user wishing to remain anonymous
    Posted 01-28-2025 10:03 AM

    To answer your question, I make a few attempts to have them complete it. After several attempts, once the due date has passed, I mark the vendor as rejected until they are willing to complete it.

    Let's say your predetermined questions include asking whether they encrypt data at rest and in transit. Is the risk rating for this question predetermined? If the vendor says Yes, great. If they say No, and the rating is predetermined, then you already know what risk it poses to your organization. What happens next, though? Risk treatment or risk acceptance? If risk acceptance, does the calculation include the question risk rating, question risk likelihood, vendor risk, etc., or are risk acceptances simply the vendor risk calculated from the inherent risk?
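The original post and this reply both ask how pre-rated questions, a vendor's inherent risk tier, and "required" controls combine into a score and a treat-or-accept decision. The following is an added worked example, not code from any poster or vendor tool: it models the three questions from the first post plus the encryption question from this reply. The severity weights, tier multipliers, rating thresholds, and the rule that a "No" on a required question always goes to treatment rather than acceptance are all assumptions chosen for illustration, not a standard; an incomplete return is held as rejected rather than scored, matching the practice described above.

```python
from dataclasses import dataclass

# Assumed weights for this illustration; they are not drawn from any standard.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}
TIER_MULTIPLIER = {"low": 1.0, "medium": 1.5, "high": 2.0}
RATING_THRESHOLDS = ((10.0, "high"), (4.0, "medium"), (0.0, "low"))


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    severity: str           # pre-assigned rating applied when the answer is "No"
    required: bool = False  # a "No" here always needs treatment, never acceptance


# Constructed questionnaire; the pre-ratings are assumptions chosen for the example.
QUESTIONS = (
    Question("Q1", "Do you have a cyber security function and an assigned security leader?", "medium"),
    Question("Q2", "Do you capture and securely store desktop and laptop logs?", "low"),
    Question("Q3", "Do you conduct penetration testing to identify vulnerabilities?", "medium", required=True),
    Question("Q4", "Do you encrypt data at rest and in transit?", "high", required=True),
)


def vendor_tier(processes_personal_data: bool, has_network_access: bool) -> str:
    """Inherent tier from what the supplier does, decided before any answer is read."""
    if processes_personal_data:
        return "high"
    if has_network_access:
        return "medium"
    return "low"


def rating_for(score: float) -> str:
    """Map a weighted score onto the assumed low/medium/high bands."""
    for threshold, label in RATING_THRESHOLDS:
        if score >= threshold:
            return label
    return "low"


def assess(answers: dict, tier: str) -> dict:
    """Score a returned questionnaire against pre-rated questions and a vendor tier."""
    normalised = {qid: str(ans).strip().lower() for qid, ans in answers.items()}
    missing = [q.qid for q in QUESTIONS if normalised.get(q.qid) not in ("yes", "no")]
    if missing:
        # An incomplete return is not scored; it is held until the supplier finishes it.
        return {"status": "rejected-incomplete", "missing": missing, "tier": tier}

    multiplier = TIER_MULTIPLIER[tier]
    findings, treat, accept = [], [], []
    score = 0.0
    for q in QUESTIONS:
        if normalised[q.qid] != "no":
            continue
        # Question pre-rating scaled by the vendor's inherent tier.
        weighted = SEVERITY_WEIGHT[q.severity] * multiplier
        score += weighted
        disposition = "treat" if q.required else "accept-candidate"
        findings.append({"qid": q.qid, "severity": q.severity,
                         "weighted": weighted, "disposition": disposition})
        (treat if q.required else accept).append(q.qid)

    return {
        "status": "assessed",
        "tier": tier,
        "score": score,
        "rating": rating_for(score),
        "findings": findings,
        "treatment_required": treat,        # "No" on a required control
        "acceptance_candidates": accept,    # "No" that may go to risk acceptance
    }


if __name__ == "__main__":
    # Constructed sample: a supplier that processes personal data, with two "No" answers.
    tier = vendor_tier(processes_personal_data=True, has_network_access=False)
    result = assess({"Q1": "Yes", "Q2": "No", "Q3": "No", "Q4": "Yes"}, tier)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In this model the pre-rating answers the "is it predetermined?" question (the severity is fixed when the questionnaire is written), the tier answers the "does vendor risk enter the calculation?" question (it scales every finding), and the `required` flag separates findings that must be treated from those that may be taken to risk acceptance, so the acceptance record can carry the question rating, the tier and the weighted score together.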