The clarity of the security questions an asset allocator includes in a request for information (RFI) to a potential vendor is critical. One of the biggest problems we see in the security questionnaires asset allocators send us is that they ask binary questions. The problem with Yes/No questions is that they often elicit potentially misleading, ambiguous, incomplete, or irrelevant information. The answers to binary questions (“Yes” or “No”) cannot give an asset allocator a complete picture and consequently can lead to a relationship with a vendor that leaves the door open to unacceptable security risks.
For example, a commonly asked question on an RFI is “Does your firm have an information security policy?” If a vendor answers “yes,” what does that “yes” actually mean? This response describes nothing about the maturity of the vendor’s information security policy, including:
- How is access controlled?
- How is data classified?
- How are cyberthreats addressed?
- How is remote access protected?
- How is availability ensured?
- How are passwords managed?
- How is physical security maintained?
Without that information, it is impossible to know whether establishing a relationship with the vendor might put the allocator at risk. A better question to ask is, “Explain how your firm addresses information security.” This question will elicit a response that reveals not only whether a vendor has an information security policy, but also what the policy contains and how well the vendor puts information security protocols into practice. The answer will show whether the vendor has documented processes in place, and the allocator can decide confidently whether the vendor’s security controls align with their expectations.
This was just one of the four problematic types of questions that allocators ask in the security portion of their RFIs. For additional guidelines that will help allocators improve the security section of their current RFI, including 10 sample questions they can use, download our white paper, “An Allocator’s Guide to Asking the Right Questions About Information Security in an RFI.”