Main Content
three person icons with a shield image on the middle one

5 Essential Cybersecurity Questions to Ask IT Vendors

Takeaway: When engaging with potential vendors, government officers need to ask the right questions to assess their cybersecurity preparedness. By thoroughly evaluating a vendor's security posture, you can make informed decisions and build partnerships with companies that share their commitment to safeguarding sensitive data.

As a vendor, it's our responsibility to be transparent about our security practices and demonstrate our expertise in this critical area.

Through my experience in various aspects of IT, from core development to database architecture and server setup, I've come to understand the importance of prioritizing security at every level. It's not a one-time checkbox but an ongoing commitment that requires staying up-to-date with the latest industry standards and best practices.

This is especially true when working with government clients.


Cybersecurity questions to ask vendors

When it comes to working with government agencies, cybersecurity is non-negotiable. Any vendor you partner with must have robust security measures in place to protect your sensitive data and systems.

Asking the right questions during the vendor evaluation process helps in assessing their security posture and determining if they meet your stringent requirements.

These questions serve as a litmus test for a vendor's commitment to cybersecurity. They help you gauge the maturity of their security practices, the depth of their expertise, and their ability to adapt to the security challenges faced by government agencies.


1. How is confidentiality and integrity of system and data maintained?

In speaking with government agencies, I've found that one of the top concerns is always ensuring the confidentiality and integrity of data and systems. It's a common question, and they want to know our approach to maintaining this.

For example, we performed a content migration from 50 non-Drupal sites to Drupal for Riverside County. Part of this task was ensuring data security during migration.


CMS Migration Security Checklist


As vendors, we must be able to demonstrate understanding of your unique security needs and have a comprehensive plan in place to keep your sensitive information secure and in line with data privacy standards.


1.1 How does the vendor ensure data encryption and protection?

In my role as a Solutions Architect, I make it a point to highlight our approach to data encryption when discussing security measures with potential clients.

Specifically, I explain that we ensure data encryption is applied wherever necessary, especially for sensitive user information. This is a core part of our commitment to meeting the stringent data security standards required by government agencies.

Our willingness to implement robust encryption practices to keep data secure must be proactively addressed in these conversations as vendors.


2. Does the vendor adhere to NIST standards or similar (e.g., ISO)?

Government agencies must look for vendor compliance with recognized security standards. In my conversations with our clients, I often highlight our adherence to the NIST standards.

Compliance with NIST standards is a major focus for us at Promet Source. Pamela Ross, our VP of Operations & Delivery, designed our policies and procedures to align with NIST requirements to ensure that we maintain this compliance across all our projects.


Credit: N. Hanacek/NIST


There are other standards like ISO, which requires payment for audits and compliance. While ISO is more widely recognized, NIST is regulated and followed by many US companies.

As vendors, we must demonstrate compliance with recognized security standards like NIST or ISO to assure you that we have the necessary security controls and practices in place.

This adherence to industry standards is a key indicator of our vendor's commitment to cybersecurity and our ability to handle sensitive government data responsibly.


2.1 How often these are assessed internally on all projects?

Adherence to these standards is an ongoing commitment. It's not a one-time thing where policies are set and standards are met, and then they’re left alone. We understand that maintaining your trust requires a continuous effort to stay aligned with evolving security standards and best practices in the industry.

I recommend to ask potential vendors this question to gauge how frequently projects are assessed against the standards, whether annually or otherwise.


3. What techniques does the vendor employ to mitigate risk?

Risk mitigation is all about dealing with problems when they arise. When government agencies ask me about our approach to risk mitigation, I explain that it's about having procedures in place to minimize the impact of any issues that come up.

For example, if there's a problem with single sign-on functionality, our focus is on ensuring that data isn't lost and that users can continue accessing the application without disruption. We have specific processes to address these kinds of issues quickly and effectively.

The other risk mitigation technique we do for our clients is to keep an updated ban list of IP/sources for our projects. We routinely review and update the IPs that need to be banned to reduce the exposure to various risks our applications might face.

As vendors, we must be able to explain our risk mitigation techniques to give you the confidence that your vendor can handle potential issues effectively.


4. What techniques does the vendor employ to minimize risk?

Risk minimization is all about being proactive with security. It starts in the planning phase.

During this phase, we work to identify potential risks, assess their likelihood and potential impact, and develop strategies to minimize them. This involves considering various scenarios that could affect the application and anticipating what could go wrong.

For example, when we were working on the website for Riverside County, we knew that missing the launch deadline was a potential risk, because the site needed to be ready for voters to verify their information before the election.

We minimized this risk by including milestones and contingency plans in the project schedule to ensure both our team and the client were prepared to deal with any unforeseen issues.

As vendors, we must be able to explain how we minimize risk because it demonstrates that we have the foresight and expertise to anticipate and plan for potential challenges.

By having a clear, proactive approach to risk minimization, we give you the confidence that we are not just reacting to problems, but actively working to prevent them.


5. What security criteria does the vendor use to evaluate third-party vendors whose services it uses?

Third-party risk management is a critical component of our overall security strategy. For example, if we're integrating a third-party application into a government website, like a Social Media Widget display or a Smart Content module, they also have to meet our security standards before we work with or use them.

By setting a high bar for third-parties, we can give you the confidence that your data is protected not just by us, but by everyone in our ecosystem.


Protect your agency with our vendor security questionnaire

By thoroughly vetting potential vendors' security stances, you can make informed decisions about who to trust with your critical data and systems.

You can build partnerships with vendors who share your commitment to cybersecurity, and who have the expertise and agility to adapt to challenges.

These begin with asking the right questions. And our questionnaire makes it easier to do so.