Business Partner IT Risk Management Survey

Thank you for participating in our brief survey! As a token of our appreciation for your honest responses, you will receive an exclusive report with a comprehensive analysis of the findings. With the results, you will be able to benchmark your third-party risk management program against other leading organizations.

Additionally, you’ll be entered to win a $100 Amazon gift card (must provide contact information).

1. What option below best describes your role related to IT Security? (Please assume IT and information security are equivalent for this survey.) *This question is required.

Please enter an 'other' value for this selection.

2. PARTNER CONTROL ENVIRONMENT: How often (frequency) does your organization use the following controls for all business partners? Please select the response that is most accurate. *This question is required.

Space Cell	Never	Rarely	About Half	Frequently	Always
External entity audit reports (e.g. SOC II, etc.)	External entity audit reports (e.g. SOC II, etc.): Never	External entity audit reports (e.g. SOC II, etc.): Rarely	External entity audit reports (e.g. SOC II, etc.): About Half	External entity audit reports (e.g. SOC II, etc.): Frequently	External entity audit reports (e.g. SOC II, etc.): Always
Telephone / web audit interviews	Telephone / web audit interviews: Never	Telephone / web audit interviews: Rarely	Telephone / web audit interviews: About Half	Telephone / web audit interviews: Frequently	Telephone / web audit interviews: Always
On-premises audits / site visits of partner	On-premises audits / site visits of partner: Never	On-premises audits / site visits of partner: Rarely	On-premises audits / site visits of partner: About Half	On-premises audits / site visits of partner: Frequently	On-premises audits / site visits of partner: Always
Encrypted communications with partner	Encrypted communications with partner: Never	Encrypted communications with partner: Rarely	Encrypted communications with partner: About Half	Encrypted communications with partner: Frequently	Encrypted communications with partner: Always
Firewall-isolated network	Firewall-isolated network: Never	Firewall-isolated network: Rarely	Firewall-isolated network: About Half	Firewall-isolated network: Frequently	Firewall-isolated network: Always
Unique user accounts	Unique user accounts: Never	Unique user accounts: Rarely	Unique user accounts: About Half	Unique user accounts: Frequently	Unique user accounts: Always
Multifactor authentication (tokens, etc.)	Multifactor authentication (tokens, etc.): Never	Multifactor authentication (tokens, etc.): Rarely	Multifactor authentication (tokens, etc.): About Half	Multifactor authentication (tokens, etc.): Frequently	Multifactor authentication (tokens, etc.): Always
Network monitoring (IDS)	Network monitoring (IDS): Never	Network monitoring (IDS): Rarely	Network monitoring (IDS): About Half	Network monitoring (IDS): Frequently	Network monitoring (IDS): Always
User activity monitoring (UBA)	User activity monitoring (UBA): Never	User activity monitoring (UBA): Rarely	User activity monitoring (UBA): About Half	User activity monitoring (UBA): Frequently	User activity monitoring (UBA): Always
Custom application protection (WAF, CASB, etc.)	Custom application protection (WAF, CASB, etc.): Never	Custom application protection (WAF, CASB, etc.): Rarely	Custom application protection (WAF, CASB, etc.): About Half	Custom application protection (WAF, CASB, etc.): Frequently	Custom application protection (WAF, CASB, etc.): Always
Custom data protection (DLP, DRM, etc.)	Custom data protection (DLP, DRM, etc.): Never	Custom data protection (DLP, DRM, etc.): Rarely	Custom data protection (DLP, DRM, etc.): About Half	Custom data protection (DLP, DRM, etc.): Frequently	Custom data protection (DLP, DRM, etc.): Always
User session recording/review	User session recording/review: Never	User session recording/review: Rarely	User session recording/review: About Half	User session recording/review: Frequently	User session recording/review: Always
Emulation, virtual machines, containers for separation	Emulation, virtual machines, containers for separation: Never	Emulation, virtual machines, containers for separation: Rarely	Emulation, virtual machines, containers for separation: About Half	Emulation, virtual machines, containers for separation: Frequently	Emulation, virtual machines, containers for separation: Always
3rd party online "scoring" service	3rd party online "scoring" service: Never	3rd party online "scoring" service: Rarely	3rd party online "scoring" service: About Half	3rd party online "scoring" service: Frequently	3rd party online "scoring" service: Always
Enter another option	Other: Never	Other: Rarely	Other: About Half	Other: Frequently	Other: Always

3. PARTNER RISK: When assessing the risk of a business partner or prospective partner what effect do the following factors have in your ultimate assessment of risk toward a partner relationship? (NONE = no impact on risk assessment.) *This question is required.

Space Cell	Lowest Risk	Much Lower	Lower	NONE	Higher	Much Higher	Highest Risk
Very Large Partners (revenue, employees, etc.)	Very Large Partners (revenue, employees, etc.): Lowest Risk	Very Large Partners (revenue, employees, etc.): Much Lower	Very Large Partners (revenue, employees, etc.): Lower	Very Large Partners (revenue, employees, etc.): NONE	Very Large Partners (revenue, employees, etc.): Higher	Very Large Partners (revenue, employees, etc.): Much Higher	Very Large Partners (revenue, employees, etc.): Highest Risk
Very Small Partners (revenue, employees, etc.)	Very Small Partners (revenue, employees, etc.): Lowest Risk	Very Small Partners (revenue, employees, etc.): Much Lower	Very Small Partners (revenue, employees, etc.): Lower	Very Small Partners (revenue, employees, etc.): NONE	Very Small Partners (revenue, employees, etc.): Higher	Very Small Partners (revenue, employees, etc.): Much Higher	Very Small Partners (revenue, employees, etc.): Highest Risk
Less IT Activity (users, connections, etc.)	Less IT Activity (users, connections, etc.): Lowest Risk	Less IT Activity (users, connections, etc.): Much Lower	Less IT Activity (users, connections, etc.): Lower	Less IT Activity (users, connections, etc.): NONE	Less IT Activity (users, connections, etc.): Higher	Less IT Activity (users, connections, etc.): Much Higher	Less IT Activity (users, connections, etc.): Highest Risk
More IT Activity (users, connections, etc.)	More IT Activity (users, connections, etc.): Lowest Risk	More IT Activity (users, connections, etc.): Much Lower	More IT Activity (users, connections, etc.): Lower	More IT Activity (users, connections, etc.): NONE	More IT Activity (users, connections, etc.): Higher	More IT Activity (users, connections, etc.): Much Higher	More IT Activity (users, connections, etc.): Highest Risk
Higher Contract Value	Higher Contract Value: Lowest Risk	Higher Contract Value: Much Lower	Higher Contract Value: Lower	Higher Contract Value: NONE	Higher Contract Value: Higher	Higher Contract Value: Much Higher	Higher Contract Value: Highest Risk
Lower Contract Value	Lower Contract Value: Lowest Risk	Lower Contract Value: Much Lower	Lower Contract Value: Lower	Lower Contract Value: NONE	Lower Contract Value: Higher	Lower Contract Value: Much Higher	Lower Contract Value: Highest Risk
Highly Sensitive Data	Highly Sensitive Data: Lowest Risk	Highly Sensitive Data: Much Lower	Highly Sensitive Data: Lower	Highly Sensitive Data: NONE	Highly Sensitive Data: Higher	Highly Sensitive Data: Much Higher	Highly Sensitive Data: Highest Risk
Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.)	Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.): Lowest Risk	Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.): Much Lower	Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.): Lower	Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.): NONE	Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.): Higher	Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.): Much Higher	Strong Positive 3rd party audit information (e.g. SOC II, PCI related, etc.): Highest Risk
Strong Positive audit results by my organization	Strong Positive audit results by my organization: Lowest Risk	Strong Positive audit results by my organization: Much Lower	Strong Positive audit results by my organization: Lower	Strong Positive audit results by my organization: NONE	Strong Positive audit results by my organization: Higher	Strong Positive audit results by my organization: Much Higher	Strong Positive audit results by my organization: Highest Risk
Strong Positive (High) 3rd Party online risk "score" (IT info)	Strong Positive (High) 3rd Party online risk "score" (IT info): Lowest Risk	Strong Positive (High) 3rd Party online risk "score" (IT info): Much Lower	Strong Positive (High) 3rd Party online risk "score" (IT info): Lower	Strong Positive (High) 3rd Party online risk "score" (IT info): NONE	Strong Positive (High) 3rd Party online risk "score" (IT info): Higher	Strong Positive (High) 3rd Party online risk "score" (IT info): Much Higher	Strong Positive (High) 3rd Party online risk "score" (IT info): Highest Risk
Recent breach(es) at partner	Recent breach(es) at partner: Lowest Risk	Recent breach(es) at partner: Much Lower	Recent breach(es) at partner: Lower	Recent breach(es) at partner: NONE	Recent breach(es) at partner: Higher	Recent breach(es) at partner: Much Higher	Recent breach(es) at partner: Highest Risk
Enter another option	Other: Lowest Risk	Other: Much Lower	Other: Lower	Other: NONE	Other: Higher	Other: Much Higher	Other: Highest Risk

4. DECISIONS: How frequently have the following IT and information risk-related events occurred between your organization and its business partners in the past THREE years? *This question is required.

Space Cell	Never	Once	A few times	~10 times	~50 times	Many times (>100)
My org rejected a proposal primarily because the partner's IT security was inadequate	My org rejected a proposal primarily because the partner's IT security was inadequate: Never	My org rejected a proposal primarily because the partner's IT security was inadequate: Once	My org rejected a proposal primarily because the partner's IT security was inadequate: A few times	My org rejected a proposal primarily because the partner's IT security was inadequate: ~10 times	My org rejected a proposal primarily because the partner's IT security was inadequate: ~50 times	My org rejected a proposal primarily because the partner's IT security was inadequate: Many times (>100)
My org selected a proposal primarily because the partner's IT security was superior	My org selected a proposal primarily because the partner's IT security was superior: Never	My org selected a proposal primarily because the partner's IT security was superior: Once	My org selected a proposal primarily because the partner's IT security was superior: A few times	My org selected a proposal primarily because the partner's IT security was superior: ~10 times	My org selected a proposal primarily because the partner's IT security was superior: ~50 times	My org selected a proposal primarily because the partner's IT security was superior: Many times (>100)
My org paid more to a partner for additional IT security measures	My org paid more to a partner for additional IT security measures: Never	My org paid more to a partner for additional IT security measures: Once	My org paid more to a partner for additional IT security measures: A few times	My org paid more to a partner for additional IT security measures: ~10 times	My org paid more to a partner for additional IT security measures: ~50 times	My org paid more to a partner for additional IT security measures: Many times (>100)
My org negotiated a lower rate because partner security was only adequate	My org negotiated a lower rate because partner security was only adequate: Never	My org negotiated a lower rate because partner security was only adequate: Once	My org negotiated a lower rate because partner security was only adequate: A few times	My org negotiated a lower rate because partner security was only adequate: ~10 times	My org negotiated a lower rate because partner security was only adequate: ~50 times	My org negotiated a lower rate because partner security was only adequate: Many times (>100)
My org withheld payment from partner due to security concerns	My org withheld payment from partner due to security concerns: Never	My org withheld payment from partner due to security concerns: Once	My org withheld payment from partner due to security concerns: A few times	My org withheld payment from partner due to security concerns: ~10 times	My org withheld payment from partner due to security concerns: ~50 times	My org withheld payment from partner due to security concerns: Many times (>100)

5. INCIDENTS: How frequently have the following IT and information risk-related events occurred between your organization and its business partners in the past THREE years? *This question is required.

Space Cell	Never	Once	A few times	~10 times	~50 times	Many times (>100)
My org detected minor security issues (e.g. malware) in the partner IT environment	My org detected minor security issues (e.g. malware) in the partner IT environment: Never	My org detected minor security issues (e.g. malware) in the partner IT environment: Once	My org detected minor security issues (e.g. malware) in the partner IT environment: A few times	My org detected minor security issues (e.g. malware) in the partner IT environment: ~10 times	My org detected minor security issues (e.g. malware) in the partner IT environment: ~50 times	My org detected minor security issues (e.g. malware) in the partner IT environment: Many times (>100)
Our partner detected minor security issues in my org's IT environment	Our partner detected minor security issues in my org's IT environment: Never	Our partner detected minor security issues in my org's IT environment: Once	Our partner detected minor security issues in my org's IT environment: A few times	Our partner detected minor security issues in my org's IT environment: ~10 times	Our partner detected minor security issues in my org's IT environment: ~50 times	Our partner detected minor security issues in my org's IT environment: Many times (>100)
My org detected a significant security breach in the partner IT environment	My org detected a significant security breach in the partner IT environment: Never	My org detected a significant security breach in the partner IT environment: Once	My org detected a significant security breach in the partner IT environment: A few times	My org detected a significant security breach in the partner IT environment: ~10 times	My org detected a significant security breach in the partner IT environment: ~50 times	My org detected a significant security breach in the partner IT environment: Many times (>100)
Our partner detected a significant security breach in my org's IT environment	Our partner detected a significant security breach in my org's IT environment: Never	Our partner detected a significant security breach in my org's IT environment: Once	Our partner detected a significant security breach in my org's IT environment: A few times	Our partner detected a significant security breach in my org's IT environment: ~10 times	Our partner detected a significant security breach in my org's IT environment: ~50 times	Our partner detected a significant security breach in my org's IT environment: Many times (>100)
My org detected a security problem in the partner IT environment that turned out to be incorrect	My org detected a security problem in the partner IT environment that turned out to be incorrect: Never	My org detected a security problem in the partner IT environment that turned out to be incorrect: Once	My org detected a security problem in the partner IT environment that turned out to be incorrect: A few times	My org detected a security problem in the partner IT environment that turned out to be incorrect: ~10 times	My org detected a security problem in the partner IT environment that turned out to be incorrect: ~50 times	My org detected a security problem in the partner IT environment that turned out to be incorrect: Many times (>100)
Our partner detected a security problem in my org's IT environment that turned out to be incorrect	Our partner detected a security problem in my org's IT environment that turned out to be incorrect: Never	Our partner detected a security problem in my org's IT environment that turned out to be incorrect: Once	Our partner detected a security problem in my org's IT environment that turned out to be incorrect: A few times	Our partner detected a security problem in my org's IT environment that turned out to be incorrect: ~10 times	Our partner detected a security problem in my org's IT environment that turned out to be incorrect: ~50 times	Our partner detected a security problem in my org's IT environment that turned out to be incorrect: Many times (>100)

6. Which of the following statements about your organization's IT security posture compared with your business partner's IT security posture do you believe is most accurate? *This question is required.

Please enter an 'other' value for this selection.

7. How many full-time equivalent employees (FTEs) and audits does your Business Partner / Vendor Relationship risk management team have/conduct? *This question is required.

Number of org FTEs involved in business partner risk management (approx):
Number of partner audits your org's team conducts every MONTH (approx):
Number of audits conducted on your organization by partners every MONTH (approx):

8. Please provide the following information about your organization (round to millions - $m - for financial items).

Industry:
Number of Employees:
Annual Revenue ($m):
Annual IT Budget($m):
Annual IT Security Budget ($m):

9. Please provide any feedback or comments about this survey or the challenges of business partner risk management in the box below.

10. Thank you for completing this survey. The following Contact Information is optional, but required if you'd like to be considered for the $100 Amazon gift card drawing and/or the survey results report:

Name:
Email Address: