Ask HN: InfoSec questionnaire – what to do when customer wants one completed?
A colleague asked me today if I would recommend they fill out an infosec questionnaire to secure a high-profile question. I'm stumped and maybe some of you have some practical advice. The questions are, basically, do you have bank-level security, and if not, in what way - in quite great detail. Has anyone here run into this situation? If the correctly-answered questionnaire got into the hands of the wrong person, they would have a lot of information to infiltrate the system. Example questions: "Are you able to detect and protect accounts that may have been compromised?" "Do you allow users to change their passwords more than once in a 24-hour time period?" Completely valid, but how many small businesses without a security expert on board have these in place? And why would it be beneficial to tell a customer about this? How could a small business deny completing this questionnaire but still get the customer on board?
Reviewed by Tha Kur on March 05, 2018