by Michael Kleck, Director of Compliance and Information Security at Alchemer, and Brett Gedvilas, Information Security Analyst at Alchemer
Running security risk assessments is one of the most thankless jobs in information security. Yet it’s necessary to keep your InfoSec process strong. So, you send out a standard form to a vendor or to your internal team and then hound them to return it. People leave sections blank or don’t provide the right information because they don’t know how to share the spreadsheet or how to answer the questions. Completing the assessment takes weeks, not to mention the days of your own time spent going back and forth with people to get the answers you need.
And when it all takes longer than everybody hoped, Information Security is seen as a pinch point in the purchasing process. That is still not half as bad as being blamed when something goes horribly wrong because somebody didn’t follow protocol and never identified and mitigated the risks.
This is why risk assessments are a critical component of your Security Program, as well as any security standards you want to tout, including ISO-27001 or SOC compliance. So how do you perform risk assessments quickly and painlessly while still doing everything else on your list?
Manage Risk, Not Questionnaires
Given our own struggles with completing internal risk assessments as well as external ones for vendors, Alchemer developed the Risk Assessment Solution to be a flexible and automated process for conducting vendor and enterprise risk assessments. We even made it easy to break out the questions so the right person within any organization can answer them and to only ask the questions relevant to that vendor type instead of one-size-fits-all. And we automated the notifications, so you know when the survey is complete.
In short, it gives InfoSec teams more time for managing and mitigating risks rather than trying to track down fifty questions on a spreadsheet. The solution includes a complete suite of pre-configured surveys, workflows, and risk reports, so information security can focus on acting on their data, rather than collecting it.
Focus on Information Security, not Irrelevant Questions
We’ve all received a form or spreadsheet with more irrelevant questions than relevant ones, simply because it’s easier to ask every question than to miss one. Instead, you can create custom surveys for each vendor type: software vendors that will store customer data, independent contractors, or web-based applications that help people manage their calendars and the like.
Because you can send over only the questions that matter, people are more likely to complete the survey. And you don’t have to wade through unanswered questions wondering whether the respondent missed one or it simply wasn’t relevant. Stop passing spreadsheets around like a game of telephone and get the right answers from the right SME the first time. This allows your security team to make accurate and informed decisions early in the process.
Make Your Life Easier
With the Alchemer Risk Assessment Solution, your InfoSec team selects the type of vendor, which automatically adjusts the questions and the default risk level, and then sends a link to the assessment. The vendor can assign specific sections of the assessment to different team members and attach copies of requested policies. When the assessment is complete, the InfoSec team is notified, the raw scores are compiled automatically, and any raw score can be adjusted.
At Alchemer, we took our vendor risk assessment process and incorporated it into our PO request workflow. If an employee submits a purchase order that requires an InfoSec review, the internal vendor risk assessment is automatically sent to the employee. Only once the employee completes the internal vendor request and it’s approved can the PO move forward in the process.
In the end, you have a stronger information security program because manually collecting risks is no longer a problem. To strengthen your InfoSec program, learn how the Alchemer Risk Assessment Solution can save you time and help you build a strong InfoSec process.