Google's decided that the first-phase questionnaire it uses to vet vendors might be useful to the rest of the world.
Until now an internal document, the Vendor Security Assessment Questionnaire (VSAQ) was created to help Mountain View cope with the huge number of vendor approaches it receives.
The questionnaires help vendors describe their security posture to Google, so as to thin out the amount of stuff the Chocolate Factory has to let in the door for a presentation.
The VSAQs are high-level rather than high-detail stuff. For example, the questionnaire dealing with physical and data centre security might be answered in as few as five responses (the questionnaire forks some responses into further questions).
There are four templates provided with the VSAQ Framework: the Web and Application Security Questionnaire, the Security and Privacy Program Questionnaire, the Infrastructure Security Questionnaire, and the Physical and Data Centre Security Questionnaire.
Because of the choose-your-own-adventure nature of the questionnaires, Google's written its own rendering engine to work with the standard templates. The post includes demonstrations of the questionnaires.
“We hope it will help companies spin up, or further improve their own vendor security programs. We also hope the base questionnaires can serve as a self-assessment tool for security-conscious companies and developers looking to improve their security posture,” Googlers Lukas Weichselbaum and Daniel Fabian write in the company's security blog.
The VSAQ, posted to GitHub, includes a client-side reference implementation for low-volume users. If you want to run assessments at Google-like scale, Mountain View recommends you develop a server-side component. ®