I'm currently trying to get through an InfoSec questionnaire for a large company; one of their requirements has been that we purchase over $1m of cyber limit.
The questions that we have to answer are heavily focused on the assumptions that we:
1. Have a network.
2. Have a physical premises.
3. Don't use API keys.
I'd happily attest to using AWS IAM properly. I'd happily be told that we aren't using it properly and asked to make changes.
These repetitive one-size-fits-all InfoSec questionnaires are a big part of the reason we started Platformed (https://platformed.com) to automate the process for vendors.
As a smaller vendor selling into a larger organisation you end up spending a lot of time rephrasing the same answer, which often boils down to "We don't have this very specific control you're asking for, but we do have an equivalent more appropriate for our size or business which is ...".
I had a look at the site. Putting the answers in the questions isn't where we struggle; it's trying to answer questions sensibly at all when they assume a 1990s network topology.