I'm actually a fan of create your own. (Shameless plug, I gave a talk on this topic at lopsa etenn in August.) No vendor's list is going to properly recreate your particular security concerns, and the list serves more than one role.

Due diligence isn't enough. You need to know what security concerns exist that require you to document a deviation from your own policy should your organization acquire the software. That means summarizing everything a vendor needs to know about your policy into a checklist. The yes/no nature is specifically to reduce confusion and minimize "answering a different question." It also serves as a point for vendors, many of whom want to know your security policies to influence their future product design. Sometimes, it's the little changes that make a big difference.

Most of the questionnaires I've seen floating around are too generic/high level to be of any value, and often they ask questions that imply requirements that I specifically do not want the vendor to do. Almost never do they cover points I need to worry about, like individual accountability of their product. (What do I care about the vendor's internal individual accountability? I care about their product.)

For that reason, I recommend making your own vendor security requirements checklist. It's not a short process, but it is very much worthwhile.

On Wed, Oct 30, 2013 at 1:46 PM, Edward Ned Harvey (lopser) <[email protected]> wrote:

> At a 3rd party communication service vendor where I work, we occasionally (borderline regularly) see 3rd party security questionnaires from prospective customers, which are almost identical. Questions like:
>
> Has an information security policy been implemented?
> Is there an access control policy based on the principle of least privilege that has been implemented and communicated to all employees?
> Are procedures in place to register and revoke individuals from resource access control lists?
> Are controls in place to provide access for authorized users based on business need and least privilege?
>
> And so on, for pages and pages.
>
> My question is - there's so much similarity in these questionnaires, I'd like to know where they come from.
>
> We'd like to prepare our "standard" one of these questionnaires, and when customers request one to be completed, we'd like to give them our standard generic version, to hopefully cut out a lot of the work necessary to complete them. If I can't find a source of a "generic" one, I'm going to have to create one from scratch, based on a difficult hand-merge of customer-specific versions of these questionnaires we've received from customers.
>
> Do any of you use such questionnaires? (I'm sure some do.) Where did you get it from originally?

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)
Mark McCullough [email protected]
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
