If you are a service provider bidding for IT work from a large company, you may have received a security questionnaire to complete. But what are the dos and don'ts of preparing your response?
The security questionnaire is the part of a tender document that asks about your security controls, such as patching, business continuity and security policies, writes Michael Pike, CISSP GSNA MBCS. Over the years, I have worked with various organisations to help them understand these security questions and answers. In my experience, there is no magic formula for a winning supplier proposal, but there are a few key points to bear in mind.
The security questionnaire should be viewed as an integral part of your proposal, and subject to the same rigour. Although it may sometimes be separate from the main tender document, do not assume it is any less important.
Security is a business enabler in today's world, and most larger companies will want to see that security is integral to the way you do business. So if information security is normally handled by your IT department, this is a good opportunity to start getting the business side of your organisation involved as well.
If you have evaluated your own services and infrastructure against a relevant external standard (e.g. ISO27001), then you should have much of the material you need to respond to the security questionnaire. If not, you should probably make a start on this. If you are a small business, government sources such as Business Link and BERR offer useful pointers. More tailored advice can be obtained from an experienced consultant, such as a CISSP-qualified practitioner.
There are a few other basic rules, which may seem simple, but are sometimes forgotten even by big suppliers:
- Make sure you answer each question in the format requested. I've seen a supplier respond to a large section of the questionnaire with the statement "see our Security Policy (attached)". The format of a security questionnaire is often designed so that suppliers' proposals can be compared alongside each other, and alongside the customer's IT security policies. If the information is buried in an attached document, this is not possible, which makes it far easier for the customer to just reject your proposal.
- Make sure you understand the security requirements behind the solution. I once dealt with a proposed system that would be processing sensitive data, and where tape back-ups would be required. The supplier proposal detailed the tape rotation schedule and the fireproof safe, but there was no mention of encryption - they simply had not understood that it would be needed.
- Do not be afraid to ask for clarification of a particular question. Some organisations use a standard set of questions, which will not always make sense in every scenario. Many will be happy to point you in the right direction if you ask.
- Security is an important part of IT service provision. Whether the contract is worth a few thousand or several millions of pounds, your potential customer needs to know that you will keep their data as secure as they would do themselves. This is the real reason behind the security questionnaire, and the reason it is crucial to the tender process. It is also an important part of a supplier's sales pitch.
Michael Pike, CISSP GSNA MBCS, is an information security consultant who works in the UK financial sector, advising on infrastructure security and third-party risk.