
Ask HN: How do you respond to security questionnaires? - reiderrider
A software company we are integrating with wants their 100 question security assessment questionnaire completed. Any advice?

We are a two engineer team without a SOC audit and without a third party pen test that stores medical and financial data.

These questionnaires are time consuming and redundant. It seems insecure to produce something that details our security too. Does a /security page with some details suffice? Am I just being lazy?
======
ziddoap
> _We are a two engineer team without a SOC audit and without a third party
> pen test that stores medical and financial data._

> _These questionnaires are time consuming and redundant._

This is how data breaches happen. You should be willing to jump through a few,
usually reasonable, hoops if you're storing medical and financial data.

Instead of looking for a quick-fix that will "suffice", you may consider
actually securing the sensitive data you hold on other people.

Edit: After a little googling, I'm genuinely concerned about the product you
are offering, at a firm of your size, with no compliance. Yikes from me.

~~~
reiderrider
Well our conclusion is to work on security for a week and then submit. I
didn’t say anything about not having security/compliance rather about
completing another security questionnaire.

~~~
ziddoap
You may not have specifically said it, but it is certainly clear from the way
you are speaking about security as an annoying burden.

Just, for example, your comment "Work on security for a week and then submit".
What does that even mean? Security is a going concern, not a one-and-done.
What do you expect to accomplish in a week?

You mentioned you have no 3rd party pentest, nor SOC compliance. Regardless of
whether they are required by law, not having a rudimentary pentest (which are
fairly inexpensive) speaks volumes about your company's posture on security.

I hope you let the people that are trusting you with their _extremely private
medical and financial data_ know that you are tired of answering security
questionnaires, and aren't too concerned about having a 3rd party validate
your security.

------
mtmail
Charge extra, or rather tell the company they need the enterprise pricing
plan, to make it worth the time investment. Companies with those questionnaires
are used to suppliers pushing back, charging extra or dropping out (either not
returning the questionnaire or answering insufficiently). It's part of dealing
with enterprise B2B clients. I had to sign anti-slavery and
anti-human-trafficking statements...

Some questions you won't agree with, e.g. I've been asked how often we change
our wifi passwords. Better to be honest and let them assess the risk than
overpromising.

~~~
reiderrider
For a customer we absolutely would. We aren’t charging and vice-versa as
integrating is value added for both parties. They could double our usage so
we’ll work on security for a week to get a passing score and then submit the
questionnaire. Thx

------
moksly
Is it even legal to hand over medical data to a company without SOC 2
compliance?

~~~
reiderrider
Yes. Typically there's a business associate HIPAA agreement that outlines use.
SOC 2's start at $35,000 with a month of engineering time and 99.9% of
insurance agencies don't have one. Getting it done is the long term plan.

