
IT security questionnaire conundrums

When security leaders are asked to assess their company's security and governance, the process can sometimes involve a 400-question assessment that looks suspiciously like an entire security governance framework dropped into a locked spreadsheet, with "yes" or "no" as the only permitted answers. That is certainly not the way to gather critical information. Yet tactics such as this are used often, and sometimes the request arrives completely void of the context you need to answer the questionnaire accurately.

When used correctly, questionnaires and assessments can be valuable. David Levine, Vice President of Information Security & CISO for Ricoh USA, Inc., wrote about this topic and provides advice in an article for CSO¹, a source of news, analysis and research on security and risk management.

He says that while some vendors have developed tools that try to solve this puzzle, as of yet, there's no silver bullet. Some strategies Levine recommends:
  • Implement a process, automated if possible, that documents requests, backed by training for requestors, so that questionnaires reach the security team as soon as possible
  • Require all employees, or requestors, to share all of the relevant information (scope, data types, etc.) upfront
  • Catalog the answers you are providing to help ensure consistent information is provided, review that information on a regular basis and add new answers as you see new questions
The article discusses more strategies that can help improve your IT security and governance using questionnaires and assessments. Bottom line: a comprehensive questionnaire with the right context is much more efficient and ultimately more relevant.

Streamlining and improving the relevance of IT security questionnaires

A comprehensive security questionnaire with the right context and relevant questions can help strengthen your IT security and governance. But how do you get there?
¹ "The security questionnaire conundrum." Originally published on CSOonline. https://www.csoonline.com/article/3257227/data-protection/the-security-questionnaire-conundrum