Security questionnaires play an important role in third-party risk management by identifying potential gaps in a vendor's security program that aren't accessible through automated scanning. Think internal security controls, policies, and procedures like SSO or anti-malware usage.
The issue is that creating, administering, and reviewing security questionnaires is notoriously time-intensive and requires a specific skill set to do well, a skill set that many organizations don't have readily available.
That's why UpGuard has a team of third-party risk management experts who work with our engineering team to manage a growing library of pre-built questionnaires that automatically identify risks based on vendor answers.
Once a risk is identified in a questionnaire, it is automatically shown in the UpGuard platform on the vendor's risk profile, the questionnaire details page, and the portfolio risk profile. These risks can also be used in our remediation workflows and form part of the security rating that a vendor receives.
In addition to the overall security rating of a vendor, vendors also receive a questionnaire score, which can range from 0 to 950 depending on the risks identified in the questionnaires associated with the vendor and the number of questions that have been left unanswered. 0 is the lowest possible score and 950 is the highest.
If a vendor receives a low score, such as 0/950, it means we've identified a number of risks and/or unanswered questions that warrant that low score. If the vendor were to remediate a risk or answer more questions without introducing additional risks, their questionnaire score would likely increase (depending on the number and severity of the identified risks).
In contrast, if a vendor completes a security questionnaire and no risks are identified, they would receive a questionnaire score of 950/950.