I see these a lot as well and have wondered the same thing. 250+ questions are a pain to deal with, notably when you need to sync up answers between product, security, ops, dev, qa, legal, and sales teams. Having a consistent template for our sales team to pull from when responding to an RFP would be very handy.
Yes, SOC Group 2, ISO27001, and SSAE16 all have these as checkboxes, but just having the paperwork be easier to deal with would be a huge time saver. The last one I did actually came with some boilerplate that led back to http://sharedassessments.org/ which seems to at least be A source of these types of assessment lists. I haven't inquired what, as a vendor, it would take to get access to a copy to use as an RFP template.

HTH,
-n

On Wed, Oct 30, 2013 at 10:46 AM, Edward Ned Harvey (lopser) <[email protected]> wrote:
> At a 3rd party communication service vendor where I work, we occasionally
> (borderline regularly) see 3rd party security questionnaires from
> prospective customers, which are almost identical. Questions like:
>
> Has an information security policy been implemented?
>
> Is there an access control policy based on the principle of least privilege
> that has been implemented and communicated to all employees?
>
> Are procedures in place to register and revoke individuals from resource
> access control lists?
>
> Are controls in place to provide access for authorized users based on
> business need and least privilege?
>
> And so on, for pages and pages.
>
> My question is - there's so much similarity in these questionnaires, I'd
> like to know where they come from. We'd like to prepare our "standard" one
> of these questionnaires, and when customers request one to be completed,
> we'd like to give them our standard generic version, to hopefully cut out a
> lot of the work necessary to complete them.
>
> If I can't find a source of a "generic" one, I'm going to have to create one
> from scratch, based on a difficult hand-merge of customer specific versions
> of these questionnaires we've received from customers.
>
> Do any of you use such questionnaires? (I'm sure some do.) Where did you
> get it from originally?
--
-------------------------------------------
nathan hruby <[email protected]>
metaphysically wrinkle-free
-------------------------------------------

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
