BUSINESS: Multi-line insurance company providing coverage to families in Arizona, Illinois, Indiana, Iowa, Ohio and Wisconsin.
SCOPE: Arizona, Illinois, Indiana, Iowa, Ohio and Wisconsin
SIZE: 700 employees
BUSINESS CHALLENGE: Pekin Insurance needed to implement a faster, more efficient, economical method of conducting third party risk assessments, in order to guard against data breaches and improve the productivity and efficiency of its InfoSec team.
SOLUTION: Qualys Security Assessment Questionnaire
WHY THEY CHOSE QUALYS:
- Web-based central console simplifies the design, distribution, tracking and analysis of multiple vendor-risk assessment campaigns and optimizes the accuracy of audit results
- Ability to set criticality levels and scores makes it easy to see which areas of an assessment the organization needs to pay more attention to.
- Unified dashboard provides a clear view into Pekin Insurance's compliance performance metrics.
Pekin Insurance Ushers In New Era for Vendor Risk Assessments
Streamlining third party vendor risk assessments with a cloud-based solution
Pekin Insurance, a provider of life, business, auto, home and health coverage, had a manual vendor-risk assessment process that wasn’t keeping up with the demands of its fast-growing business.
The Illinois-based company conducted these assessments by emailing static questionnaires to vendors and other trusted third parties, and tracking responses on spreadsheets, as many organizations still do today.
"We were able to create a one-stop shopping experience with SAQ, compared with how we were doing it manually. It's making us more productive and efficient as a team."
Jonathan Osmolski, Manager, Enterprise Records & Information Governance, Pekin Insurance
However, this method for checking its third-party network’s IT security competency and compliance with government regulations and industry standards couldn’t scale in response to new trends, including:
- Pekin Insurance’s rapid, widespread adoption of new technologies, such as cloud computing, from multiple vendors
- An increase in the number and complexity of regulations and industry standards impacting the company and its third parties
Last year, Pekin Insurance, which has about 900 employees and $2 billion in combined assets, realized its manual vendor-risk assessment process was straining its six-person InfoSec staff and creating a backlog of these IT security evaluations.
"Asking my security analysts to do a manual process for security assessments just wasn't working," says Jonathan Osmolski, Manager, Enterprise Records & Information Governance at Pekin Insurance. “And oftentimes we'd hear complaints from the business saying, 'We need to be faster at this.'"
Pekin Insurance Finds Solution in Qualys SAQ
When conducted regularly and properly, these assessments are a critical risk management practice: they reduce a company's likelihood of suffering a breach by identifying poor InfoSec and privacy practices among vendors, partners, contractors and other third parties.
Pekin Insurance considered adopting a full-fledged GRC (Governance, Risk Management and Compliance) system but concluded it would cost too much and take too long to deploy, and possibly even involve hiring specialized staff to manage it.
"We had a tactical need to be better at performing IT security assessments. We couldn’t wait to build out a GRC solution, nor did we have the budget at that point in time," Osmolski says.
In short, Pekin Insurance needed a tool that would allow it to conduct these assessments more quickly, efficiently and economically. Luckily, the company, a Qualys customer since 2010, didn’t have to look very far to find what it needed.
It trialed Qualys’ SAQ (Security Assessment Questionnaire), a cloud-based solution designed specifically for automating, streamlining and improving the process of conducting third-party IT security risk assessments.
Osmolski's team was quickly able to rebuild its spreadsheet-based, 76-question assessment within SAQ's web-based UI and replicate its process. "It's turnkey," he says. "You can be off to the races within two hours."
They were impressed at how quickly and easily they were able to simplify the design, distribution, tracking and analysis of multiple vendor-risk assessment campaigns from SAQ's web-based central console.
"We were able to create a one-stop shopping experience with SAQ, compared with how we were doing it manually," he says. "It's making us more productive and efficient as a team."
SAQ: A Next-Gen Tool for Vendor Risk Management
Here's how SAQ frees organizations from unreliable and labor-intensive manual processes, and optimizes the accuracy of audit results.
Intuitive campaign design
SAQ helps create campaign questionnaires with due dates, notifications, assigned reviewers, various answer formats, question criticality, answer scores, evidence requirements and varying workflows. You do this using SAQ’s wizard and its simple, drag-and-drop web UI. You can also use SAQ’s library of out-of-the-box templates covering common compliance standards.
Simplified questionnaire distribution
There's no need to set up user accounts. Organizations enter vendor emails and SAQ auto-provisions the surveys. Respondents complete surveys on browser-based forms, and can delegate questions they can’t answer. As deadlines approach, administrators can trigger reminder emails to respondents. Organizations can also set up recurring campaigns.
Automated campaign tracking
SAQ captures responses in real time and aggregates them in one central dashboard, so administrators can see campaigns’ progress. SAQ displays charts updated live, and lets administrators drill down to individual respondent questionnaires, and slice and dice results. Administrators can manage multiple campaigns at different stages of completion.
Comprehensive, customizable reports
SAQ generates proof of compliance with detailed reports and caters to a variety of users, including upper management via executive-level dashboards, as well as auditors and compliance officers with more granular views of the data. SAQ can also be used for polling your employees and managers in internal audits and documenting compliance.
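The page describes question criticality, answer scores and evidence requirements as campaign settings but does not say how they combine. The following is an added example, written for this page and not Qualys SAQ code, showing one way such settings can be rolled up so that weak areas of an assessment stand out: each question carries an assumed numeric weight per criticality level (1, 2 and 4 are assumptions), a favourable answer that is missing required evidence earns no credit, and each assessment area is flagged when it falls below an assumed 60% threshold. The questionnaire and vendor responses are constructed sample data, not Pekin Insurance's 76-question assessment.

```python
"""Criticality-weighted scoring for a vendor security questionnaire.

Added example, not Qualys SAQ code. The scheme (criticality weight x answer
score, rolled up per assessment area, unevidenced answers downgraded) is an
assumption used to illustrate the feature described above.
"""
from dataclasses import dataclass

# Assumed numeric weights; the page names criticality levels but not values.
CRITICALITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 4}


@dataclass
class Question:
    qid: str
    area: str
    text: str
    criticality: str
    answer_scores: dict          # answer option -> score in [0.0, 1.0]
    evidence_required: bool = False


@dataclass
class Response:
    qid: str
    answer: str
    evidence: str = ""           # e.g. an uploaded filename; empty if none supplied


def score_question(q, r):
    """Return (earned, possible) points for one question."""
    weight = CRITICALITY[q.criticality]
    if r is None:                # unanswered: earns nothing, still counts as possible
        return 0.0, weight
    if r.answer not in q.answer_scores:
        raise ValueError(f"{q.qid}: unknown answer {r.answer!r}")
    base = q.answer_scores[r.answer]
    # Assumed policy: a favourable answer with required evidence missing is
    # treated as unverified and earns no credit, so a bare "Yes" cannot pass.
    if q.evidence_required and base > 0 and not r.evidence:
        base = 0.0
    return base * weight, weight


def score_campaign(questions, responses, threshold=0.6):
    """Roll scores up per area: area -> (pct, flagged, ids of questions losing points)."""
    by_qid = {r.qid: r for r in responses}
    areas = {}
    for q in questions:
        earned, possible = score_question(q, by_qid.get(q.qid))
        a = areas.setdefault(q.area, {"earned": 0.0, "possible": 0, "failing": []})
        a["earned"] += earned
        a["possible"] += possible
        if earned < possible:
            a["failing"].append(q.qid)
    result = {}
    for area, a in areas.items():
        pct = a["earned"] / a["possible"] if a["possible"] else 1.0
        result[area] = (round(pct, 2), pct < threshold, a["failing"])
    return result


def areas_needing_attention(result):
    """Flagged areas, weakest first: what a reviewer should look at before anything else."""
    return sorted((a for a, (_, flagged, _) in result.items() if flagged),
                  key=lambda a: result[a][0])


# Constructed sample questionnaire (not the page's questions).
YES_NO = {"Yes": 1.0, "No": 0.0}
QUESTIONS = [
    Question("AC-1", "Access Control", "Is MFA enforced for remote access?", "HIGH", YES_NO, True),
    Question("AC-2", "Access Control", "Are user access reviews performed quarterly?", "MEDIUM",
             {"Yes": 1.0, "Partial": 0.5, "No": 0.0}),
    Question("DP-1", "Data Protection", "Is customer data encrypted at rest?", "HIGH", YES_NO, True),
    Question("DP-2", "Data Protection", "Is there a documented retention schedule?", "LOW", YES_NO),
]

# Constructed vendor responses: DP-1 claims "Yes" but attaches no evidence.
RESPONSES = [
    Response("AC-1", "Yes", "mfa-policy.pdf"),
    Response("AC-2", "Partial"),
    Response("DP-1", "Yes"),
    Response("DP-2", "No"),
]

if __name__ == "__main__":
    scores = score_campaign(QUESTIONS, RESPONSES)
    for area, (pct, flagged, failing) in scores.items():
        print(f"{area:16s} {pct:.0%} {'FLAG' if flagged else 'ok  '} {failing}")
    print("review first:", areas_needing_attention(scores))
```

Running the sample shows the point of weighting: Access Control loses points only on a medium-criticality partial answer and passes, while Data Protection is flagged because the high-criticality encryption answer is unevidenced, not because of the low-criticality "No" on retention. Without weights and evidence checks, both areas would look like "one question short of perfect".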
Benefits Galore for Pekin Insurance
With SAQ in place, Pekin Insurance has left behind emailed surveys and manual aggregation of results in spreadsheets, reaping a variety of business, compliance and technology benefits.
- The members of the small but highly efficient InfoSec team now have more time to focus on their primary jobs, including vulnerability management, threat hunting and patch deployment.
- An SAQ feature that lets organizations set criticality levels for questions and scores for answer options in the questionnaire templates is saving Pekin Insurance time because it can now more easily see which areas of an assessment it needs to pay more attention to, according to Osmolski.
- Pekin Insurance has sharpened its questionnaires by leveraging the flexibility SAQ provides when designing surveys and response workflows. "We took our existing questionnaire way beyond the capabilities of Excel," Osmolski says. The company has also taken advantage of SAQ's library of pre-built questionnaires, tailored for specific types of vendors and regulations.
- Assessment data, which was previously located in multiple repositories, making it hard to track campaigns and visualize their progress, is now easily accessible in SAQ's dashboard. "We needed a centralized place to put the data," he says.
- Because Pekin Insurance uses other Qualys apps — including Qualys VM for vulnerability management and Qualys PCI for compliance with the Payment Card Industry Data Security Standard (PCI DSS) — the company now has all its Qualys data on its security compliance executive dashboard. This gives Pekin Insurance a clear view into its compliance performance metrics, according to Osmolski.