We've been helping a client with "due diligence" recently. They were asked by one of their customers to fill out a very long, very dry questionnaire that prompted them to think about their own policies, procedures and indeed to ask their suppliers some similar questions. Since this is something we've done a few times over the years, we thought we'd write up a bit about it.
What is "Due Diligence"?
All companies have a duty of care, which in IT terms usually means things like:
- Take reasonable steps to secure customer data, personal information, payment details, employee data, etc.
- Take reasonable steps to avoid sending viruses or other malware in emails or attachments, Internet downloads they provide, etc.
- Take reasonable steps to physically protect yourself and the systems that contain customer data or run services for them
(and many more aspects, besides these!)
In order to be able to say you've "taken reasonable steps", you inevitably have to check with your suppliers that they too are taking reasonable steps when they do things on your behalf. You probably don't need to ask the people that supply you with printer toner, but you do need to ask anyone who provides you with IT services or (possibly) products. You may even need to check with people that provide you with advice or consultancy too - depending on what they do for you.
To "do due diligence" then, you end up asking suppliers a load of questions about how they do things to make sure they live up to your standards. Likewise, your customers will do this to you. In order to answer most of these questions you'll need some documentary evidence - things like records of when you did certain things (and how they went), but also procedures and policies. On that point, this may even extend to having all your employees "sign up" to certain procedures and policies to ensure that they too live up to your standards.
This may all sound like a lot of work. If you're dealing with some really big, really bureaucratic companies then it may indeed turn into a lot of work. For everyone else, it needn't be quite such a problem - you're probably doing a lot of things already, so it may just mean you've got to document a few of them here and there.
The UK National Cyber Security Centre wrote a pragmatic high-level example of what questions to ask your suppliers: https://www.ncsc.gov.uk/guidance/supplier-assurance-questions
If you get your supplier on the phone and ask them the questions suggested, then you have done some due diligence. However, proving it might be tricky, so most people elect to fill out a questionnaire instead. That way you've got precise questions and the answers are documented for future reference and to serve as evidence of exactly what you (and your supplier) said.
If you need help deciphering a due diligence questionnaire, getting some procedures and policies written, or want to ask your suppliers questions, Pre-Emptive can help - just get in touch.
The Dreaded Questionnaire
Once you start writing a questionnaire for your suppliers, you'll probably find that for every topic there are umpteen sub-topics, sub-headings and additional areas you want to explore. You're free to do so, but remember that someone's got to actually answer all these questions, which takes up their time - and in some cases, answering a single question correctly may take hours and hours. Too few questions may not be enough to claim you took "reasonable care", but too many questions (or lots of irrelevant questions) make it hard for people to do business with you - which ultimately means you'll end up paying more for the same thing.
It also turns out that asking questions can be hard. If you're too open-ended or not clear enough, then you won't get the answers you want. If you're too precise then all you get back is "yes/no" type responses which don't necessarily tell you what you want.
Over the years we've seen some real clangers of questions that are seemingly impossible to understand, let alone to answer correctly. Then again, sometimes you find the questions have been really well written and reviewed and whilst there may be lots of them, they're quite easy to answer.
Here are some of the sorts of questions we've seen (these ones are pretty reasonable!):
- Do the application audit logs have sufficient granularity to determine what specific functions, pages, access points, etc. an individual has accessed?
- Do all administrative accounts require the use of strong passwords and multi-factor authentication?
- Is/are your production network(s) isolated from development/test environments?
- Is the use of removable media disabled on your servers, workstations and laptops? Or if use of removable media is enabled, are your servers and workstations monitored for removable media activity?
In a lot of cases, you'll also be asked to provide copies of reports and policies. Things you can expect to have to provide include:
- A recent Security Audit (from a sufficiently qualified party)
- A recent Penetration Test result (from a sufficiently qualified party)
- Information Security Policy
- Network Security Policy
- Physical Security Policy
- Incident Response Policy
- Operational/Business Continuity Plan
- ...(you get the idea)
It all depends what sort of work you're going to be doing and who you're doing it for, so you may need more or less than these.
The important thing to note here is that your policies should be tailored to your company and your ways of working. They do need to have the right clauses about protecting yourselves and customer data, but if your people all work from home, then it's obviously going to be different from a company where everyone has to work in an office. Likewise, if you run all your servers in the cloud, then you'll be different to someone who runs on-prem. It's also okay to be a small company - you're only expected to be sensible with the resources you have available.
Whatever your company's size and shape, these policies shouldn't be hard to adhere to - you're hopefully doing it all already, so you just need to write it down (and then make sure everyone really is doing it).
If you need help writing or updating policies, Pre-Emptive can help - just get in touch.
Image credit: https://flic.kr/p/2iogbdf