If your small or medium-sized business works with large companies, you may soon be facing a cybersecurity hurdle that separates the players from the wannabes. Enterprises are now beginning to incorporate IT security requirements into their standard RFPs and bidding processes. They want their partners and vendors to take security as seriously as they do, so sensitive data stays secure, especially after the Equifax breach.
It’s time to get out in front of this, do a risk assessment and, if possible, get a third-party attestation letter. Here’s an effective two-step approach:
STEP 1: Do an internal assessment
Is your team well-versed in all things IT? If so, they can do an initial assessment internally to see where your organization stands before bringing in a specialist. This draft of the Baldrige Cybersecurity Excellence Builder from the National Institute of Standards and Technology (NIST) is a great tool. Here are a few sample questions from a standard cybersecurity questionnaire that are typical of the things that enterprise clients want to know:
● Do you have a risk assessment program?
● Is there a formal strategy for each identified risk?
● Is there a process to monitor all identified risks on an ongoing basis?
● Is there an information security policy?
● Have the policies been reviewed in the last 12 months?
● Is there a Business Continuity/Disaster Recovery (BC/DR) program?
● Is there a procedure for the handling of information assets?
● Are there procedures for information labeling and handling in accordance with the classification scheme?
● Are electronic systems used to store, process, and/or transport target data?
● Do policies require that access controls be in place on applications, operating systems, databases, and network devices to ensure users have least privilege?
If you have a lot of NO answers (or “I don’t know” answers), those are red flags. They could point to gaps in your cybersecurity plan, even though they don’t necessarily mean you’ve been doing something wrong. Your way of doing things just may not meet the RFP requirements.
The best way to ensure your organization will be better able to meet RFP requirements is to choose and adhere to one of the cybersecurity standards, such as NIST or ISO. Also, follow the recommendations in our posts about IT’s role in compliance and managing cybersecurity if you don’t have a CIO or CISO.
If you have a lot of YES answers to the questions above, congratulations! Now it’s time to have a third party validate your answers.
STEP 2: Hire an auditor to validate that you meet the RFP requirements
Security consulting firms perform risk assessments all the time — they are familiar with the intricacies of the various cybersecurity standards and know exactly what to expect from RFP cybersecurity questionnaires and requirements. They’ll work with your team to get the questions answered, provide you with a gap analysis report and, if they find meaningful gaps, give you a proposal to help your company close those gaps so you can pursue the contract.
Ideally, your auditor will prepare an independent third-party attestation letter that states it has evaluated your organization on the specific standards you’re using and it does not find any deficiencies. If it does find areas of deficiency, then it can document the mitigation that will be in place by a certain date.
Attestation letters can be key to zooming past the RFP checkpoints and moving forward in the process — talk about a competitive advantage! On the other hand, if you don’t have an attestation letter, your potential client may want to perform its own audit prior to awarding the contract, which probably won’t leave you any time to remediate any discrepancies they find.
And if the audit occurs after you’ve signed the contract and the audit finds discrepancies, you’ll be in breach of contract. No one wants that.
Leapfrog recommends that all organizations that want to do business with enterprises adopt a cybersecurity standard and then hold themselves to it. In fact, we recommend adhering to standards to protect your IT ecosystem regardless of who you do business with. Adhering to standards takes away the guesswork, makes your business more secure, lets you respond to RFPs faster, and gives you something you can crow about when pitching new business. If you want advice about which standards are best for your business or how you can go about implementing the standards, we invite you to contact us here at Leapfrog.
If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.