
Top 7 Questions to Ask Your Vendors about Their Security Policies

March 30, 2017 by Irfan Shakeel

Cyber security is one of the most critical issues the U.S. faces today. The threats are real, the need is pressing, and the overall security picture is unstable given the enormous and growing scope of those threats. The dynamic nature of cyberspace must therefore be acknowledged and addressed by policies that are equally dynamic.

Many breaches have begun with an attack on a vendor, so the cyber threats that come with third parties need to be addressed directly. Evaluating a vendor's security policies is the practical way to gain assurance about how your data is protected at the vendor's end. A security policy is a company's best weapon for defending against a breach, and for restoring the network and its information if one has already happened. Every organization needs one, because it defines what must be done when users abuse the network, or when there is an outage caused by a natural disaster or an attack.

The breach at Target Corp., which exposed credit card and personal data on more than 110 million consumers, appears to have begun with a malware-laced phishing email sent to employees at an HVAC firm that did business with the retailer. The details of more than 70 million customers were compromised, among them more than 40 million payment card accounts, taken by attackers who entered Target's network using the access that had been granted to that refrigeration and air-conditioning supplier.

With breaches happening worldwide, regardless of industry, organizations are adopting security services to protect their communications and data. Finding a vendor that is both capable and secure is not easy, though. To make sure that your company stays ahead of the threat, consider asking your vendors the following security questions:

Have you achieved any data protection standards?

There are security standards a company should meet to stay competitive, and they matter doubly for your vendors, because you have far less control over entities outside your company and over the data you share with them. Whether your organization looks for ISO 27001 certification, an SSAE 16 or SOC 2 attestation report or, for transfers of EU personal data, the EU-U.S. Privacy Shield (which replaced the Safe Harbor framework after Safe Harbor was invalidated in 2015), ask for the certificate or report itself rather than a statement that the vendor is "compliant", and check its scope and date: an ISO 27001 certificate covers only the systems named in its scope statement, and a SOC 2 Type II report covers a specific period. Implementing ISO 27001 or a comparable standard gives the vendor a strategic information security framework that can help it win business and educates its staff on the key measures for protecting valuable data.

How do you assess employees' security understandings?

This question gives you an idea of how seriously they take security. If they can describe an established, detailed security awareness program, that is a good sign. If not, remember that human error is a factor in a large share of major breaches, from clicked phishing links to misconfigured systems.

A vendor that cannot show adequate, recurring security awareness training is not worth any further questions; drop that vendor and look for another.


Do you separate customer data from the main infrastructure?

If a vendor gives you detailed feedback about its practices, such as how it encrypts data at rest and protects it in transit, that is a good sign. The same applies to the segmentation of client data from the rest of the infrastructure: many breaches could have been avoided, or at least their impact reduced, if sensitive customer data had been stored somewhere other than the system hosting the vendor portal.

Running the database on the same server as the web application, or on the same network segment, is a serious mistake, because whoever compromises the internet-facing web server gets direct access to the data. The database should instead reside on a separate database server in an internal zone behind a firewall, not in the DMZ with the web server, and the firewall should allow only the web tier to reach it, on the one port the application actually uses. Segmentation limits how far an intrusion spreads; it does not stop an attacker from querying the database through a vulnerable application over that allowed port, so the application's database account should also be restricted to the least privilege it needs. While this makes for a more complicated setup, the security benefits are well worth the effort.
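To make the segmentation point concrete, here is an added example (not code from the original article or from any vendor) that models the two layouts as zones plus a firewall allow-list and checks the two properties a reviewer cares about: whether the database is reachable from the internet at all, and what a compromised web server can reach on it. The host names, zone names, ports and both rule sets are constructed for illustration; the model assumes there is no filtering between hosts on the same segment.

```python
"""Reachability model for a vendor portal: database in the DMZ beside the web
server (weak) versus database on a separate host in an internal zone (hardened).
All hosts, zones, ports and rules below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """One allow rule on the firewall between two zones."""
    src_zone: str
    dst_zone: str
    dst_host: str  # "*" matches any host in dst_zone
    dst_port: int  # 0 matches any port


@dataclass
class Topology:
    """Hosts mapped to zones plus an allow-list; anything not listed is denied."""
    hosts: Dict[str, str]
    rules: List[Rule] = field(default_factory=list)

    def allows(self, src_zone: str, dst_host: str, port: int) -> bool:
        dst_zone = self.hosts[dst_host]
        if src_zone == dst_zone:
            # Assumption: no firewall between hosts on the same segment.
            return True
        return any(
            r.src_zone == src_zone and r.dst_zone == dst_zone
            and r.dst_host in ("*", dst_host) and r.dst_port in (0, port)
            for r in self.rules
        )


def reachable_ports(topo: Topology, src_zone: str, dst_host: str,
                    ports: List[int]) -> List[int]:
    """Ports on dst_host that traffic originating in src_zone can reach."""
    return [p for p in ports if topo.allows(src_zone, dst_host, p)]


def lateral_ports(topo: Topology, compromised_host: str, dst_host: str,
                  ports: List[int]) -> List[int]:
    """Ports an attacker who owns compromised_host can reach on dst_host."""
    return reachable_ports(topo, topo.hosts[compromised_host], dst_host, ports)


APP_DB_PORT = 5432            # the one port the application needs (constructed)
DB_PORTS = [APP_DB_PORT, 22]  # application port plus an admin port to probe


def findings(topo: Topology) -> List[str]:
    """Segmentation findings for the portal-web / portal-db pair."""
    out = []
    direct = reachable_ports(topo, "internet", "portal-db", DB_PORTS)
    if direct:
        out.append(f"database reachable from the internet on ports {direct}")
    extra = sorted(set(lateral_ports(topo, "portal-web", "portal-db", DB_PORTS))
                   - {APP_DB_PORT})
    if extra:
        out.append("compromised web server reaches the database on "
                   f"non-application ports {extra}")
    return out


# Weak layout: both hosts in the DMZ, and the edge firewall forwards everything
# to the DMZ segment (a constructed, deliberately permissive configuration).
WEAK = Topology(
    hosts={"portal-web": "dmz", "portal-db": "dmz"},
    rules=[Rule("internet", "dmz", "*", 0)],
)

# Hardened layout: database on its own host in an internal zone; the internet
# reaches only the web server on 443, and only the DMZ reaches the DB on 5432.
HARDENED = Topology(
    hosts={"portal-web": "dmz", "portal-db": "internal"},
    rules=[
        Rule("internet", "dmz", "portal-web", 443),
        Rule("dmz", "internal", "portal-db", APP_DB_PORT),
    ],
)

if __name__ == "__main__":
    for name, topo in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, findings(topo) or ["no segmentation findings"])
```

In the weak layout the findings list both problems; in the hardened layout it is empty, yet the web tier can still reach port 5432, which is exactly the path a SQL injection in the portal would use. That is why the firewall rule and a least-privilege database account belong together in the vendor's answer.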

What training do your development and testing teams receive specific to application security?

This question is aimed at vendors that supply software, and it carries real weight in assessing how well a vendor can protect your organization's data. Many vendors neglect secure programming, which leaves large holes in their defenses against a rapidly growing set of attack vectors and automated attacks. So ask what security-related training the vendor gives its developers and testers so that they can do their work securely, and how that training is kept current.

What is your disaster recovery plan?

Asking this question is essential because the answer reveals how proactive a vendor is about its own data security and disaster planning, and how vigilant it is likely to be when an incident actually happens. Ask for specifics: recovery time and recovery point objectives, where backups are kept and how they are protected, and when the plan was last tested with an actual restore. An active and dedicated information security team is a plus that can make a huge difference when it comes to sharing relevant threat data and detailing exact plans for technology outages, minimizing financial loss to both your business and theirs.

If the vendor has no recovery plan, it is risky to rely on it. In many cases the attacker targets the vendor first in order to reach the customer organization, so associating with a vendor that lacks an effective security posture and a tested recovery plan is not worth it.

These are not the only questions that go into the final decision to choose a vendor, but they are essential ones that should not be skipped. Together, the answers paint a broader picture of what you are getting and how reliable the vendor will be for your organization as it grows.

Irfan Shakeel

Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled "Hacking from Scratch". He loves to provide training and consultancy services, and works as an independent security researcher.