At my old job we were in a similar situation with lots of requests; we ended up
creating our own report and distributing it. Unfortunately we found that a very
large number of people wouldn't accept it, and wouldn't even look it over and
just submit the questions that weren't already answered.
To top it off, most of the people reading these reports didn't understand what
they were reading; anything more complex than 'yes/no' would not be understood.
David Lang
On Wed, 30 Oct 2013, Edward Ned Harvey (lopser) wrote:
At a 3rd party communication service vendor where I work, we occasionally
(borderline regularly) see 3rd party security questionnaires from prospective
customers, which are almost identical. Questions like:
Has an information security policy been implemented?
Is there an access control policy based on the principle of least privilege
that has been implemented and communicated to all employees?
Are procedures in place to register and revoke individuals from resource access
control lists?
Are controls in place to provide access for authorized users based on business
need and least privilege?
And so on, for pages and pages.
My question is - there's so much similarity in these questionnaires, I'd like to know
where they come from. We'd like to prepare our "standard" one of these
questionnaires, and when customers request one to be completed, we'd like to give them
our standard generic version, to hopefully cut out a lot of the work necessary to
complete them.
If I can't find a source of a "generic" one, I'm going to have to create one
from scratch, based on a difficult hand-merge of customer specific versions of these
questionnaires we've received from customers.
Do any of you use such questionnaires? (I'm sure some do.) Where did you get
it from originally?
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/