Article by Evan Francen, CISM, CISSP, CEO of SecurityStudio originally appeared on Security Today
Some third-parties (or vendors) will think of every excuse in the book for not completing your information security risk assessment. The fact is, there are very few valid excuses.
In this article, I’ll cover a recent real-world example where a vendor came up with no less than 10 excuses. It takes some creativity to come up with so many excuses for not completing one questionnaire!
We’ll take each excuse and address it with a rebuttal, one by one. Use this article as a reference for your own third-party due diligence.
The foundation of every third-party relationship is just that, the relationship. Relationships with third parties are just like relationships between people. A good relationship is based upon mutual trust and transparency.
When someone in a relationship fails to provide clear answers to legitimate questions you have about the nature of the relationship, it should erode trust and force you to act.
This is especially true in a customer/vendor relationship where the customer is supposed to be the one in power. As a customer, you deserve answers, NOT excuses.
What better way to demonstrate a point than to use a real-world scenario? In this scenario, the vendor came up with at least 10 excuses over the course of nearly four months for not complying with their customer’s request. Ready? Here we go.