A software company we are integrating with wants their 100-question security assessment questionnaire completed. Any advice?

We are a two-engineer team without a SOC audit and without a third-party pen test that stores medical and financial data.

These questionnaires are time consuming and redundant. It seems insecure to produce something that details our security too. Does a /security page with some details suffice? Am I just being lazy?

> We are a two engineer team without a SOC audit and without a third party pen test that stores medical and financial data.

> These questionnaires are time consuming and redundant.

This is how data breaches happen. You should be willing to jump through a few, usually reasonable, hoops if you're storing medical and financial data.

Instead of looking for a quick-fix that will "suffice", you may consider actually securing the sensitive data you hold on other people.

Edit: After a little googling, I'm genuinely concerned about the product you are offering, at a firm of your size, with no compliance. Yikes from me.

Charge extra, or rather tell the company they need the enterprise pricing plan, to make it worth the time investment. Companies with those questionnaires are used to suppliers pushing back, charging extra or dropping out (either not returning the questionnaire or answering insufficiently). It's part of dealing with enterprise B2B clients. I had to sign anti-slavery and anti-human-trafficking statements...

Some questions you won't agree with, e.g. I've been asked how often we change our wifi passwords. Better to be honest and let them assess the risk than overpromising.