To ensure their vendors have the necessary measures in place, businesses often request security audit forms that capture details about vendor practices. These forms typically consist of questions about physical and digital security systems, common procedures, and recovery plans.
If the preventive measures fall short, the deal will not go through. To make this decision, in-house teams must analyze the collected data and present it to the decision-makers. Ultimately, a process like this involves capturing vendor data, aggregating the results, analyzing them, and reporting.
Traditionally, Excel has been the go-to platform for most businesses to build workflows of data capture and analysis. They prefer creating and distributing these types of forms in Excel because it is easier to build both the user interface and the calculation logic. However, this approach has its flaws: with workbooks acting as the UI, database, and reporting platform, there is no centralized database, and forms must be sent out manually via email or other means and then collected back.
Implementing this type of system as a web-based application with a centralized database and an access control mechanism can alleviate the shortcomings of an Excel-based approach. Using SpreadsheetWEB to do this conversion means that you can still use all the flexibility offered by Excel without having to code any of the web pieces of the application. Let’s take an example to see how these types of applications can be easier on business users. You can access the application here.
The purpose of this survey is to determine whether prospective vendors comply with certain security standards. Here, each question has a certain weight, and specific answers to some questions can raise a red flag, meaning that something is off.
This is a fairly complicated security audit application that consists of hundreds of questions over 14 pages. Each section is dedicated to a group of questions about a specific area of security, like security policies or asset management practices. There are questions with various input types such as radio buttons, dropdowns, and file upload fields. These fields are also dynamic in the sense that they can hide or disable other inputs, sections, or even entire pages of the web application based on their outcome. This simplifies a complex form, declutters the user interface, and guides the end user throughout. For instance, selecting “Yes” for the question “Is the inventory updated as part of the system or application onboarding and offboarding process?” brings up another field underneath (Describe), prompting the user to enter further details about this subject.
Each question bears a weight that depends on the user's selections. For example, entering a number between 6 and 20 into the question “How many individuals within the organization are assigned full-time to information security?” will give a coefficient of 0.75, while entering anything less than that will give a weight of 0.50. This logic was created in Excel, and the calculations come directly from the workbook.
At the end of the questionnaire, a Summary page, available only to admin users, produces a risk analysis table, shows security scores, and indicates whether there are any red flags. Some factors are simply too important and can make or break a deal. For example, answering “No” to the “Does the vendor perform risk assessments on its third parties?” question raises a red flag, and the system will show this to the analysts on the final page.
This particular entry came with several red flags, and the vendor may not be a good match to do business with. However, we now have this information in our database. With the web application approach, audit data is collected in a centralized location, where it can be downloaded easily by admin users for further analysis.
Security audits play a very important role in decision-making processes, and as such, there are many moving parts in an application that captures vendor details for security analysis. Excel is a great platform to build these types of forms, but not so great for actually distributing them to numerous users. SpreadsheetWEB can transform complex audit tools into web applications and help you overcome most of the challenges posed by using desktop software for collecting and processing data.
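The weighting, red-flag and conditional-field rules described above can be sketched outside the workbook; this is an added Python example, not the article's Excel logic or SpreadsheetWEB code. Only the 0.50 and 0.75 bands and the third-party red flag come from the text; the point values, the yes/no coefficients, the coefficient above 20 and the `INVENTORY_DETAIL` key are assumptions.

```python
STAFF_Q = "How many individuals within the organization are assigned full-time to information security?"
THIRD_PARTY_Q = "Does the vendor perform risk assessments on its third parties?"
INVENTORY_Q = "Is the inventory updated as part of the system or application onboarding and offboarding process?"
INVENTORY_DETAIL = INVENTORY_Q + " (Describe)"   # assumed key for the follow-up field

# Hypothetical maximum points per question (not from the article).
POINTS = {STAFF_Q: 10, THIRD_PARTY_Q: 2, INVENTORY_Q: 8}
# Answers that raise a red flag no matter what the total score is.
RED_FLAG_ANSWERS = {THIRD_PARTY_Q: "No"}

def staff_coefficient(count):
    """Band the headcount answer into a weight; reject malformed vendor input."""
    if not isinstance(count, int) or isinstance(count, bool) or count < 0:
        raise ValueError("headcount must be a non-negative integer")
    if count < 6:
        return 0.50   # from the article
    if count <= 20:
        return 0.75   # from the article
    return 1.00       # assumed: the article gives no value above 20

def coefficient(question, answer):
    if question == STAFF_Q:
        return staff_coefficient(answer)
    if answer not in ("Yes", "No"):
        raise ValueError(f"unexpected answer for {question!r}")
    return 1.0 if answer == "Yes" else 0.0   # assumed yes/no weighting

def evaluate(answers):
    """Return the score, red flags and unanswered fields as separate results."""
    earned, red_flags, missing = 0.0, [], []
    for question, points in POINTS.items():
        if question not in answers:
            missing.append(question)
            continue
        earned += points * coefficient(question, answers[question])
        if RED_FLAG_ANSWERS.get(question) == answers[question]:
            red_flags.append(question)
    # Conditional field: "Yes" on the inventory question requires a description.
    detail = str(answers.get(INVENTORY_DETAIL, "")).strip()
    if answers.get(INVENTORY_Q) == "Yes" and not detail:
        missing.append(INVENTORY_DETAIL)
    score = round(100 * earned / sum(POINTS.values()), 1)
    # Red flags stay out of the score so a high total cannot mask one.
    return {"score": score, "red_flags": red_flags, "missing": missing}

# Constructed submission, not real vendor data.
SAMPLE = {STAFF_Q: 12, THIRD_PARTY_Q: "No", INVENTORY_Q: "Yes"}
```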