Ask HN: How do you respond to security questionnaires?

[reiderrider]

A software company we are integrating with wants their 100 question security assessment questionnaire completed. Any advice?

We are a two engineer team without a SOC audit and without a third party pen test that stores medical and financial data.

These questionnaires are time consuming and redundant. It seems insecure to produce something that details our security too. Does a /security page with some details suffice? Am I just being lazy?

[ziddoap]

>We are a two engineer team without a SOC audit and without a third party pen test that stores medical and financial data.

>These questionnaires are time consuming and redundant.

This is how data breaches happen. You should be willing to jump through a few, usually reasonable, hoops if you're storing medical and financial data.

Instead of looking for a quick-fix that will "suffice", you may consider actually securing the sensitive data you hold on other people.

Edit: After a little googling, I'm genuinely concerned about the product you are offering, at a firm of your size, with no compliance. Yikes from me.

[reiderrider]

Well our conclusion is to work on security for a week and then submit. I didn’t say anything about not having security/compliance rather about completing another security questionnaire.

[ziddoap]

You may not have specifically said it, but it is certainly clear from the way you are speaking about security as an annoying burden.

Just, for example, your comment "Work on security for a week and then submit". What does that even mean? Security is a going concern, not a one-and-done. What do you expect to accomplish in a week?

You mentioned you have no 3rd party pentest, nor SOC compliance. Regardless if they are required by law, not having a rudimentary pentest (which are fairly inexpensive) speaks volumes about your companies posture on security.

I hope you let the people that are trusting you with their extremely private medical and financial data that you are tired of answering security questionnaires, and aren't too concerned about having a 3rd party validate your security.

[mtmail]

Charge extra, or rather tell the company they need the enterprise pricing plan, to make it worth the time investment. Companies with those questionaires are used to suppliers pushing back, charging extra or dropping out (either not returning the questionaire or answering insuffiently). It's part of dealing with enterprise B2B clients. I had to sign anti-slavery and anti-human-traffiking statements...

Some questions you won't agree with, e.g. I've been asked how often we change our wifi passwords. Better to be honest and let them assess the risk than overpromising.

[reiderrider]

For a customer we absolutely would. We aren’t charging and vice-versa as integrating is value added for both parties. They could double our usage so we’ll work on security for a week to get a passing score and then submit the questionnaire. Thx

[moksly]

Is it even legal to hand over medical data to a company without SOC 2 compliance?

[reiderrider]

Yes. Typically there’s a business associate HIPAA agreement that outlines use. SOC 2’s start at $35,000 with a month of an engineering time and 99.9% of insurance agencies don’t have one. Getting it done is the long term plan.