When security leaders are asked to assess their company’s security and governance, the process that can sometimes involve reviewing a 400-question assessment that looks suspiciously like an entire security governance framework dropped into a locked spreadsheet with the only options for answers being “yes” or “no” are most certainly not the way to gather critical information. Yet, tactics such as this are used often — and sometimes devoid of the information you need to accurately answer the questionnaire.

When used correctly, questionnaires and assessments can be valuable. David Levine, Vice President of Information Security & CISO for Ricoh USA, Inc. wrote about this topic and provides advice in an article for CSO1, a source of news, analysis and research on security and risk management.

Levine says that while some vendors have developed tools that try to solve this puzzle, as of yet, there’s no silver bullet. Some strategies he recommends:

  • Implement a process, automated if possible, that documents requests and associated training that helps ensure you receive the questionnaires as soon as possible
  • Require all employees, or requestors, to share all relevant information (scope, data types, etc.) upfront
  • Catalogue the answers you are providing to help ensure consistent information is provided, review that information on a regular basis and add new answers as you see new questions

The article discusses more strategies that can help improve your IT security and governance using questionnaires and assessments. Bottom line: a comprehensive questionnaire with the right context is much more efficient and ultimately more relevant.


David Levine is the VP Information Security & CISO for Ricoh USA Inc. where he oversees operational security, security policy, access management and eDiscovery support while chairing Ricoh’s Security Advisory Councils and HIPPA Board of Directors, as well as leading Ricoh’s Global Virtual Security team.

David knows that a comprehensive security questionnaire with the right context and relevant questions can help strengthen your IT security and governance. But how do you get there? Read David’s article at CSO1.com to learn more.