Qualys Blog

www.qualys.com
Juan C. Perez

Save Time by Streamlining Vendor Risk Assessments in the Cloud

As your organization enthusiastically adopts cloud and mobile services from multiple new vendors, are your already-busy security and compliance teams scrambling to assess the risks of using these new providers’ products?

Are you still using a manual process for conducting these vendor evaluations, even though you’re being asked to do more of them, and to complete them more quickly?

This is an increasingly common scenario in enterprises globally, and it creates a challenge for InfoSec teams: How to do more vendor risk assessments, and faster, so that business units can deploy these new cloud and mobile services quickly and gain the desired competitive edge?

Pekin Insurance, a provider of life, business, auto, home and health coverage, found itself in this position last year: Using a manual process that taxed its InfoSec team members and didn’t scale.

“Our team struggled keeping up with the pace of vendor assessments, and we needed a better method,” said Jonathan Osmolski, Manager of Enterprise Records & Information Governance at the Illinois-based company, which has about 900 employees and $2 billion in combined assets.

It’s a situation that’s occurring at an industry-wide level, Osmolski said during a recent webcast.

“The security department is there managing the wall, saying: ‘Wait a second, you want to go to the cloud, but we need to look at this: We need to understand what this vendor is all about, what its security controls are.’ And you have the business on the other side saying: ‘Hey, we need to go faster.’”

Osmolski said this trend is being driven by the “digital supply chain,” which is extending the enterprise’s borders through the accelerated establishment of many new relationships with vendors that get entrusted with organizations’ critical operations and data.

Hariom Singh, a Qualys Director of Product Management who co-hosted the webcast, concurred. “InfoSec teams today are under the gun to perform these assessments faster, and at the same time the list of vendors is growing,” Singh said.

As has been well documented in recent years, a misstep by a trusted third party with access to your IT system and data — vendors, partners, contractors, service providers, suppliers — can be catastrophic even for large organizations with plenty of InfoSec resources.

In this webcast, Osmolski and Singh discuss how Pekin Insurance, a Qualys customer, quickly remade its vendor risk assessment process to fit the company’s needs in this new world of fast cloud computing and mobility adoption.

In a short time, Pekin Insurance ditched its manual, labor-intensive and time-consuming process and replaced it with a streamlined and automated system, which consolidates all of its vendor data in a central dashboard and lets it conduct assessments quickly, efficiently, and economically.

Among the topics Singh and Osmolski discussed are:

  • The limitations and disadvantages of the traditional vendor risk assessment process, based on sending out questionnaires via email and tracking responses on spreadsheets
  • Useful criteria for deciding what set of features you need in a vendor risk assessment solution, including the pros and cons of full-fledged GRC (Governance, Risk Management and Compliance) systems
  • Best practices for gaining support and adoption from your business users for a new vendor risk assessment system
  • How Pekin Insurance streamlined, automated and sharpened its process with Security Assessment Questionnaire, Qualys’ centralized, cloud-based, highly-scalable and turnkey solution, which offers:

      • Intuitive campaign design: Using a wizard and its drag-and-drop UI, SAQ lets you create campaign questionnaires with due dates, notifications, assigned reviewers, various answer formats, question criticality, answer scores, evidence requirements and varying workflows. You can also use SAQ’s rich library of out-of-the-box templates covering common compliance standards.
      • Simplified questionnaire distribution: There’s no need to set up user accounts, since SAQ auto-provisions the surveys, which respondents complete on a browser-based form, with the ability to delegate questions they can’t answer. Administrators can trigger reminder emails to respondents, and set up recurring campaigns.
      • Automated campaign tracking: SAQ captures responses in real time and aggregates them in one central dashboard, so administrators can see multiple campaigns’ progress, with charts that are updated live. They can drill down to details in individual questionnaires, and slice and dice results.
      • Comprehensive, customizable reports: SAQ generates proof of compliance with detailed reports and caters to a variety of users, including upper management via executive-level dashboards, as well as auditors and compliance officers with more granular views of the data. SAQ can also be used for polling your employees and managers in internal audits and documenting compliance.

  • The benefits of being able to port SAQ data to other Qualys modules and use it for other cyber risk activities, such as vulnerability management, PCI compliance and malware detection

“We needed a solution that could address our needs today, and grow with us as we matured,” Osmolski says. “We found that in Qualys SAQ.”


For a free trial of Qualys Security Assessment Questionnaire, visit qualys.com/assessrisk.
