Weekly Byte: The Dreaded Security and Compliance Questionnaire
While evaluating pMD, health systems and other large enterprises often ask us to fill out security and compliance questionnaires. Overall these are more similar than different. For example, "Do you allow users to share accounts?" and "Do you encrypt protected health information in transit and at rest?" show up nearly every time. Even though the questions are mostly boilerplate and our answers are strong, I used to dread the task of filling out the spreadsheets, if only because they tend to be so long. It's not unusual to see several hundred questions.
But I've actually enjoyed working through the last couple of compliance questionnaires that came along. It's fun to get a chance to show off in the areas where we're exceptionally strong. For example, how many other companies can confidently say that they have two-factor authentication turned on for 100% of their corporate email accounts? How many can hot-switch from one datacenter to another if needed, any of which is fully capable of serving all of their customers? How many automatically prevent users from choosing complex but easily-guessed passwords such as "Password123!"?
Some of the survey questions are almost whimsical - for example, one asked whether data backups are stored on magnetic tape. Who does that anymore?! Another asked which departments are represented in our compliance policy review committee, and also the membership of the committee responsible for overseeing the compliance policy review committee. I had to remind myself that most of the vendors that this enterprise works with probably have more than thirteen employees.
Humor value aside, I always find at least a few insightful questions from each enterprise that challenge how we think about security. We don't always approach thorny compliance challenges in the same way as another organization, but it's healthy to have to explain why and to always evaluate our approach for any blind spots. As with other parts of the sales process, hearing these concerns expressed (even in spreadsheet form) makes us more sensitive to our customers' needs. I say keep 'em coming!
But I've actually enjoyed working through the last couple of compliance questionnaires that came along. It's fun to get a chance to show off in the areas where we're exceptionally strong. For example, how many other companies can confidently say that they have two-factor authentication turned on for 100% of their corporate email accounts? How many can hot-switch from one datacenter to another if needed, any of which is fully capable of serving all of their customers? How many automatically prevent users from choosing complex but easily-guessed passwords such as "Password123!"?
Some of the survey questions are almost whimsical - for example, one asked whether data backups are stored on magnetic tape. Who does that anymore?! Another asked which departments are represented in our compliance policy review committee, and also the membership of the committee responsible for overseeing the compliance policy review committee. I had to remind myself that most of the vendors that this enterprise works with probably have more than thirteen employees.
Humor value aside, I always find at least a few insightful questions from each enterprise that challenge how we think about security. We don't always approach thorny compliance challenges in the same way as another organization, but it's healthy to have to explain why and to always evaluate our approach for any blind spots. As with other parts of the sales process, hearing these concerns expressed (even in spreadsheet form) makes us more sensitive to our customers' needs. I say keep 'em coming!
