Some open-ended questions
Getting an objective assessment of the security posture of your organization can be tricky. Everybody has their own perspectives, biases, and goals which can affect their thinking.
I've built up this set of somewhat open-ended questions that I like to refer to. They can be used individually or as part of a group, and as a one-off or addressed over time. You'd probably come up with your own variations on them.
In somewhat-particular order:
- What is/are the primary business goal/s that security is contributing towards achieving?
- What types of sensitive data does your organization store, process, or transmit?
- What are your primary compliance targets?
- Have you experienced any security or privacy incidents of note within the last two calendar years?
- Where do the security & privacy functions within your organization report to?
- What external-facing and internal-only security & privacy policies and standards does your organization have established?
- What security & privacy training do organization employees receive?
- What does the overall architecture of your organization's technology environment look like?
- Who are your primary external/outsourced partners (cloud / SaaS providers, etc), and how do you address security/privacy within those relationships?
- What are the primary security controls deployed to end-user systems within your organization?
- What are the primary security controls deployed within your organization's technology infrastructure?
- What are the primary security controls associated with your organization's product?
- How do you audit activity and monitor the security of end-user systems, technology infrastructure, and product elements?
- How do you handle identity management, and specifically authentication/authorization, within your technology environment?
- How do you disable identity/access that is no longer necessary/approved?
- How do you utilize encryption within your technology environment, for both data-in-transit and data-at-rest?
- How are security updates applied across end-user systems, technology infrastructure, and product elements?
- What are the primary security activities (automated & manual) conducted within your product development processes?
- Do you have any recent security testing reports (penetration test, vulnerability scan) or audit/assurance documentation (SOC2 Type II, ISO 27001, etc)?
These don't necessarily just apply to your organization. They could equally be applied to partners/vendors with whom you're considering working.
There are many other ways to address this, but I'm quite partial to this relatively short-but-sweet approach.