Q&A: Conducting Cloud-Based Vendor Risk Audits With Qualys SAQ
Last updated on: December 18, 2020
Third-party security assessments drastically reduce your organization’s risk of suffering a data breach. When carried out properly, these assessments identify poor InfoSec and privacy practices among your vendors, partners, contractors, and other third parties with access to your IT systems and data. Unfortunately, many businesses conduct these assessments manually, using email and spreadsheets, which makes them labor-intensive, slow and imprecise. This manual approach strains InfoSec teams and creates a backlog of security evaluations.
In a recent webcast, “Streamlining Third Party Risk Assessments in the Cloud,” a Qualys customer discussed how his organization tackled this challenge in a way that improved productivity, efficiency, visibility, and risk analysis. Below are the answers to the questions asked by participants during the Q&A portion of the presentation, provided by speakers Jonathan Osmolski, Manager of Enterprise Records and Information Governance at Pekin Insurance, and Hariom Singh, Director of Product Management for Qualys Security Assessment Questionnaire (SAQ).
- Do you have to be using the entire Qualys suite in order to access SAQ?
No, SAQ is a standalone product.
- On what standards/templates (e.g., ISO 27001) are the assessment questions based? Can the questions be customized?
Assessment questions are developed in-house and we also leverage questions from our partnership with SIG (Standardized Information Gathering).
- What standards do you support? What types of control framework baselines come out of the box?
We support a variety of standards, frameworks, and regulations — both national and international — and provide out-of-the-box templates. This list is constantly growing as new regulations and frameworks get introduced or updated. Here is a sample list: PCI, HIPAA, FFIEC, NERC (CIP), COSO, COBIT, RBI, GDPR, IT-Grundschutz, ADSIC, ISM, ANNSI, NIST 800-53 rev4, NIST CSF, CSA, ITIL, SIG, and others.
- Does SAQ provide a report based on the outcome of the assessment?
Reports are provided for every phase of the assessment, including for complete ones.
- How could a cyber consultant use SAQ? What about a consultant using it for multiple companies?
We provide consulting licenses for SAQ. Please reach out to Qualys sales for details.
- Other than third party risk assessments, can SAQ be used to do usual security, threat, and risk assessments? Does SAQ provide assistance with threat modeling? What kind of reporting is available?
Yes, SAQ can certainly help with usual security, threat and risk assessments along with internal audits. It can be used to complement other Qualys apps, such as Vulnerability Management (VM), ThreatPROTECT (TP), Policy Compliance (PC), or other security applications to gather and assess risk from procedural controls, or the lack thereof.
- How will you know that a data breach is due to vendors?
If the due diligence is done to identify all vendors an organization is doing business with, along with all of the data involved in the relationship, one can ensure that their vendors are properly securing their data. If a data breach does occur then it will be easier to identify whether the data breach occurred due to a vendor, or the organization itself. Knowing where the data is, and how it’s secured, is the key to identifying how and where the breach occurred.
- Is this product intelligent enough to dynamically weight questions based on type of engagement with vendors?
Not today. This is on the roadmap for the later part of this year or early next year. Today one must assign the weights to the questions manually.
- In order to take advantage of the system, do all parties (i.e., the person sending out the assessment questionnaire and the vendor being assessed) need to have access to Qualys?
There are different levels of access. The person sending out the questions will have access based on their role, and the vendor being assessed will get auto-provisioned with limited access to simply complete the assessment.
- Where are the artifacts used for testing stored? Can they be downloaded or do they stay in the cloud? Can you automate workflow?
Yes. The artifacts are stored in your subscription and can be downloaded as well. The workflow is automated.
- Can different assessments be linked (for dependencies) to trigger automatic reassessments when one of the linked assessments changes?
Yes. Dynamic questions/gating can be used to define this logic in the questionnaire template.
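The two answers above (manually assigned question weights, and dynamic questions/gating that drive reassessment when a linked answer changes) describe the logic only in the abstract. The following is an added illustration, not Qualys SAQ code, showing how a questionnaire template can carry per-question weights and gate conditions, how a weighted score is computed over only the questions that are currently visible, and how to detect which dependent questions need reassessment after an answer changes. All question IDs, weights, answer options and sample responses are constructed for the example.

```python
"""Weighted questionnaire scoring with dependency gating.

Added illustration (not Qualys SAQ code). It models two ideas from the Q&A:
manually assigned per-question weights, and gated follow-up questions that
only appear (and only count) when a linked answer satisfies a condition.
Every question, weight and answer below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Answers = Dict[str, str]


@dataclass
class Question:
    qid: str
    text: str
    weight: float                       # assigned by hand, as the Q&A notes
    scores: Dict[str, float]            # answer option -> score in [0, 1]
    gate: Optional[Callable[[Answers], bool]] = None  # visible only if gate(answers)


# Constructed sample template with a few vendor-security questions.
TEMPLATE: List[Question] = [
    Question("enc_at_rest", "Is customer data encrypted at rest?", 3.0,
             {"yes": 1.0, "partial": 0.5, "no": 0.0}),
    Question("enc_alg", "Which algorithm is used?", 1.0,
             {"aes-256": 1.0, "aes-128": 0.8, "other": 0.2},
             gate=lambda a: a.get("enc_at_rest") in ("yes", "partial")),
    Question("mfa", "Is MFA enforced for administrative access?", 2.0,
             {"yes": 1.0, "no": 0.0}),
    Question("breach_12m", "Any security breach in the last 12 months?", 2.0,
             {"no": 1.0, "yes": 0.0}),
    Question("breach_notified", "Were affected customers notified?", 1.0,
             {"yes": 1.0, "no": 0.0},
             gate=lambda a: a.get("breach_12m") == "yes"),
]


def active_questions(template: List[Question], answers: Answers) -> List[Question]:
    """Return the questions a respondent should currently see."""
    return [q for q in template if q.gate is None or q.gate(answers)]


def score(template: List[Question], answers: Answers) -> Tuple[float, List[str]]:
    """Weighted score (0-100) over active questions only.

    Unanswered or unrecognised answers to active questions earn nothing and
    are reported back so the assessor can chase them. Returns (score, missing).
    """
    active = active_questions(template, answers)
    total_weight = sum(q.weight for q in active)
    earned = 0.0
    missing: List[str] = []
    for q in active:
        ans = answers.get(q.qid)
        if ans is None or ans not in q.scores:
            missing.append(q.qid)
            continue
        earned += q.weight * q.scores[ans]
    pct = round(100 * earned / total_weight, 1) if total_weight else 0.0
    return pct, missing


def changed_dependencies(template: List[Question], before: Answers, after: Answers) -> List[str]:
    """IDs of gated questions whose visibility changed between two answer sets.

    These are the linked questions that need (re)assessment after an answer
    they depend on has changed.
    """
    vis_before = {q.qid for q in active_questions(template, before)}
    vis_after = {q.qid for q in active_questions(template, after)}
    return sorted(vis_before ^ vis_after)


if __name__ == "__main__":
    first = {"enc_at_rest": "yes", "enc_alg": "aes-256", "mfa": "yes", "breach_12m": "no"}
    revised = {"enc_at_rest": "no", "mfa": "no", "breach_12m": "yes"}
    print("initial score:", score(TEMPLATE, first))
    print("revised score:", score(TEMPLATE, revised))
    print("questions to reassess:", changed_dependencies(TEMPLATE, first, revised))
```

Because gated questions drop out of both the numerator and the denominator when their condition is not met, a vendor is never penalised for a follow-up that does not apply to them; conversely, a newly revealed follow-up that is still unanswered shows up in the `missing` list rather than silently scoring zero.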
- How is access to SAQ managed? What is the account administration/administration model?
Access is managed via roles and subscription. Vendor access is auto-provisioned.
- How easily can a vendor allow more than one contributor to answer our questionnaire?
There is a delegate option to easily select another contributor who is better suited to respond to specific questions or sections.
- Was no server required for SAQ because Pekin Insurance already had Qualys purchased and deployed on-site?
There’s no software to deploy or infrastructure to maintain. You can purchase standalone applications or subscribe to the entire suite, which are all delivered via the cloud.
We hope this answers some of the questions you may have about SAQ, cloud-based vendor and third-party risk assessments, and whether they are right for your organization.
Click here if you wish to listen to the entire webcast.
To learn more about Pekin Insurance’s experience, read the case study.