- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
You’ve gone through the rigorous process of completing your SOC 2 certification. Your policies are thorough, you have airtight procedures, your staff is sufficiently trained, and if anybody so much as sneezes around your datacenter you’ll know about it before someone says, “Gesundheit!”
It’s time to kick back in your chair, throw your feet up on the desk and relax, right? But what if a customer sent over an RFI (Request For Information) this afternoon? Would you and your team panic, or be able to respond calmly, wholly and confidently?
First of all, try not to panic. While it’s perfectly natural to feel your first RFI is an attempt to air your dirty laundry, it doesn’t do you any good to get your mind spinning full speed on unproductive thoughts and assumptions. One of the reasons you achieved SOC 2 in the first place was so your organization could respond to these types of requests. Take a deep breath - you’ve got this. Once your blood pressure is back to a reasonable level, start by looking at the RFI itself and ask yourself some questions:
- What is explicitly this RFI asking for? Customers are often just doing their due diligence when they ask you security-related questions, but those questions often come in the form of an overly broad template someone found on the Internet and forwarded to you. In other words, customers might not really know what they’re asking for, and it’s hard to blame since there is no standard or consortium to use a standard (though the Vendor Security Alliance questionnaire is worth a look). So you might need to shoot back an email to your customer or set up a quick call to clarify the basis and intent of the RFI before responding in full.
- Can I limit the scope and/or push back at all? Definitely. Because the RFI may be broad or overreaching, look for opportunities to limit the information you share. For example, sharing your revenue level or the names on your cap table is an unreasonable request. You can also withhold information about your technical infrastructure that you regard as confidential. In general, don’t be afraid to push back on requests that feel unusual.
- Who else will this information be shared with? Remember that while you make serious efforts to carefully handle any customer information, the responses you provide to an RFI may not be treated as carefully. Write your responses as if they will immediately go on the front page of someone else’s Web site.
- Can I template this for next time? You might spend hours writing and editing your first RFI response, so keep a copy of it handy. Next time you might just be able to respond with a slightly tweaked boilerplate to save time.
As you prepare the responses to your customer’s request, take another look at your policies and see if they need some tuning. Many organizations, when they first sit down to write these policies, create them with only their internal staff in mind - a policy might contain some lighthearted language or an inside joke to make the policies more fun and easy to read. While those efforts certainly help in the spirit of getting people to read your policies, it won’t do you any favors when it comes to an RFI. Ultimately, your customers will read these policies, so they should be professional in tone and quality.
Also, keep in mind these RFIs do not need to be answered “all or nothing.” It is completely acceptable to answer “no” or “not yet” to items on your customers’ questionnaires. As long as you are taking care of basic security and process hygiene, you should have a reasonable percentage of questions you can respond positively to. But do not lie or attempt to cover up gaps that exist in the environment. The goal is to show improvement over time, so maybe you are doing 40 percent of what a questionnaire asks about today, but next quarter you will be doing 60 percent. As a general rule, you don’t want to answer “yes” to all the items, nor do you want to say “no” to everything.
Receiving and responding to RFIs can get your pulse pounding. But with a set of professionally written policies, a good understanding of the information your customers need - as well as information you should not share - you can respond to RFIs with ease. Remember to save your responses and start building boilerplates so you can respond more quickly and thoroughly to future information requests.
Need to complete SOC 2 to close a deal? StrongDM speeds up the work to enforce access controls & gather evidence to deliver SOC 2 on a tight timeline. See StrongDM in action with a 15-minute demo or give it a test drive yourself with a free, 14-day trial.
To learn more on how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.
About the Author
Brian Johnson, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.
Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.