
Ask HN: InfoSec questionnaire – what to do when customer wants one completed? - telesilla
A colleague asked me today if I would recommend they fill out an infosec questionnaire to secure a high-profile question. I'm stumped and maybe some of you have some practical advice. The questions are, basically, do you have bank-level security, and if not, in what way - in quite great detail. Has anyone here run into this situation? If the correctly-answered questionnaire got into the hands of the wrong person, they would have a lot of information to infiltrate the system.

Example questions:

"Are you able to detect and protect accounts that may have been compromised?"

"Do you allow users to change their passwords more than once in a 24-hour time period?"

Completely valid, but how many small businesses without a security expert on board have these in place? And why would it be beneficial to tell a customer about this? How could a small business deny completing this questionnaire but still get the customer on board?
======
hrbrmstr
Properly constructed information security questionnaires enable a business
partner to conduct a high-level, non-intrusive assessment of your
organization. You have a right to be concerned about the sensitivity of the
data, but if you distrust your business partner that much, then don't do
business with them. Your org is not a special snowflake and this is a very
common practice by organizations of all shapes and sizes with organizations of
all shapes and sizes. They are not the be-all/end-all of information sources
(orgs regularly fib on these forms) and you do have a similar right to ask the
inquisitors how they will protect your form data (that will also partly show
them you at least give lip-service to data security). It's also far more
likely that your organization is going to get pwnd via phishing that is
completely unrelated to the potential loss of confidentiality of this
document. I say that as someone who has formally studied cybersecurity
breaches for years.

Also, as cyberinsurance increasingly becomes "a thing", you're going to see
this questionnaire situation increase in frequency. Your org should consider
creating a pre-composed (and regularly updated) SSAE 16
([https://en.wikipedia.org/wiki/SSAE_16](https://en.wikipedia.org/wiki/SSAE_16))
to avoid having to fill out unique assessment questionnaires for every request
that comes in. It'll save you time and — unless you "go N/A crazy" on the SSAE
16 — should be accepted by any firm worth doing business with.

------
hluska
>Completely valid but how many small businesses without a security expert on
board, have these in place?

Sorry to say this, but none of your examples require a security expert to
implement. And frankly, they are both what I would consider low-hanging
security fruit. If you balk at implementing these, I question whether your
product is ready for the enterprise.

>And why would it be beneficial to tell a customer about this?

This is risk management and honestly, if you don't understand risk management,
you'll have a lot of trouble serving enterprise customers.

It's beneficial because in the company's mind, a legal action is a big enough
risk that they want to invest resources in showing they were diligent before
picking a partner.

>How could a small business deny completing this questionnaire but still get
the customer on board?

There is almost no chance unless you have strong political ties to a major
decision maker at that company. And, even if you do have that kind of
connection, this form isn't asking for the keys to the castle.

Can your company provide a decent level of data security? How do you know?

If the answer to question #1 is not a resounding yes, you have no business
trying to serve an enterprise.

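As an added illustration of hluska's point that the two example questions describe controls a small team can implement without a specialist, here is a minimal implementation of both: a password-change policy that permits at most one change per 24 hours, and a simple compromised-account detector that locks accounts showing a burst of failed logins followed by a success, or successful logins from several distinct IPs in a short window. This is example code written for this thread, not code from any of the posters; the thresholds, the `AccountStore` class and the sample login events (documentation-range IP addresses) are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy knobs (assumed values for this example, not prescribed by the thread)
PASSWORD_CHANGE_INTERVAL = timedelta(hours=24)   # "more than once in 24 hours" -> no
FAILED_THRESHOLD = 5                             # failed attempts before a success is suspicious
FAILED_WINDOW = timedelta(minutes=10)
DISTINCT_IP_THRESHOLD = 3                        # successes from this many IPs ...
IP_WINDOW = timedelta(minutes=30)                # ... within this window is suspicious


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    success: bool


class AccountStore:
    """Tracks last password change per user and which accounts are locked."""

    def __init__(self):
        self.last_pw_change = {}
        self.locked = set()

    def can_change_password(self, user, now):
        last = self.last_pw_change.get(user)
        return last is None or now - last >= PASSWORD_CHANGE_INTERVAL

    def change_password(self, user, now):
        # The "protect" half: a locked account cannot rotate its own password
        # until a human has reviewed it.
        if user in self.locked:
            return False, "account locked"
        if not self.can_change_password(user, now):
            return False, "rate limited"
        self.last_pw_change[user] = now
        return True, "changed"

    def lock(self, user):
        self.locked.add(user)


def detect_compromise(events):
    """Return {user: [reasons]} for accounts whose login pattern looks compromised."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    flagged = {}
    for user, evs in by_user.items():
        reasons = []
        # Heuristic 1: a success preceded by a burst of failures (credential guessing).
        for i, e in enumerate(evs):
            if not e.success:
                continue
            recent_failures = [x for x in evs[:i]
                               if not x.success and e.ts - x.ts <= FAILED_WINDOW]
            if len(recent_failures) >= FAILED_THRESHOLD:
                reasons.append(f"success after {len(recent_failures)} failed attempts")
                break
        # Heuristic 2: successes from many distinct IPs in a short window (shared or stolen creds).
        successes = [e for e in evs if e.success]
        for i, e in enumerate(successes):
            ips = {x.ip for x in successes[i:] if x.ts - e.ts <= IP_WINDOW}
            if len(ips) >= DISTINCT_IP_THRESHOLD:
                reasons.append(f"logins from {len(ips)} IPs within {IP_WINDOW.seconds // 60} min")
                break
        if reasons:
            flagged[user] = reasons
    return flagged


def sample_events():
    """Constructed sample data: alice is being guessed, bob's credentials are shared, carol is normal."""
    t0 = datetime(2024, 1, 1, 9, 0)
    evs = [LoginEvent("alice", t0 + timedelta(minutes=m), "203.0.113.7", False) for m in range(5)]
    evs.append(LoginEvent("alice", t0 + timedelta(minutes=5), "203.0.113.7", True))
    evs += [LoginEvent("bob", t0, "198.51.100.4", True),
            LoginEvent("bob", t0 + timedelta(minutes=10), "192.0.2.9", True),
            LoginEvent("bob", t0 + timedelta(minutes=20), "203.0.113.50", True),
            LoginEvent("carol", t0, "198.51.100.20", True),
            LoginEvent("carol", t0 + timedelta(hours=2), "198.51.100.20", True)]
    return t0, evs


def demo():
    """Run detection over the sample, lock flagged accounts, exercise the change policy."""
    t0, evs = sample_events()
    store = AccountStore()
    flagged = detect_compromise(evs)
    for user in flagged:
        store.lock(user)
    results = {
        "carol_first": store.change_password("carol", t0),
        "carol_too_soon": store.change_password("carol", t0 + timedelta(hours=1)),
        "carol_next_day": store.change_password("carol", t0 + timedelta(hours=25)),
        "alice_locked": store.change_password("alice", t0 + timedelta(hours=1)),
    }
    return flagged, results


if __name__ == "__main__":
    print(demo())
```

Both heuristics are deliberately crude; in production they would feed an alert queue rather than lock accounts outright, and the thresholds would be tuned against the service's own login volume. The point is only that each questionnaire item maps to a few dozen lines of application logic, not to a dedicated security hire.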
------
stuartleigh
In my experience you won't need to answer yes to every question in order to
"pass" the infosec review, but their team will want to be able to understand the
risk of doing business with you. Exactly what you'll be doing together will
determine how much risk they are willing to take on.

~~~
telesilla
Most of the questions should not be answered, in my opinion - if the document
got into the hands of a bad actor it could be abused. I'll recommend they
liberally use the N/A option and try to have a discussion with the customer
security team.

~~~
hluska
Based on the example questions you posted, you are being paranoid. Neither one
of those questions is terribly sensitive and it doesn't matter if the answers
fall into the wrong hands. Your company isn't that special - many companies
want to know the same things before they work with someone.

Three things:

1.) Security through obscurity never works.

2.) Based on the examples you posted, they aren't asking for anything special.
In fact, they both seem like about the base level of security I would expect
an enterprise-ready company to provide. If you want to liberally enter N/A to
cover up that you aren't big enough/don't have enough people/haven't
implemented what they ask, that is dishonest.

3.) If questions like this cause you so much trouble, you need to seriously
ask yourself whether working for a startup is for you. Due diligence processes
(either initiated by an investor who wants to fund you, or a body that wants
to acquire you) should be expected to go much deeper.

~~~
hluska
It's too late to edit this response, but I wanted to add something.

In my original, I said that security through obscurity never works. That isn't
entirely true, because it might work great. The problem is that it makes it
much harder to defend yourself after a breach has happened.

