How do you all manage your security questionnaires? Does your security team work in RFPIO, or do you have to manage these for them? Any suggestions for getting a security team into RFPIO would be wonderful. Thanks in advance!
Our security team enjoys working in RFPIO. They have a custom collection built out, allowing them to utilize Auto-Respond effectively for questions specific to security questionnaires. 80% of the security questionnaires they are responding to have similar answers, so the ability to automate this process has been huge! A big factor in encouraging adoption for our team was utilizing the Reporting feature to showcase how much time was saved - especially as the team increased adoption.
As Helene mentions, we have done the same. In many cases we're using the RFPIO Answer library to answer security questions ourselves and having the security team or product engineering team weigh in when we cannot answer. They all have access to RFPIO so we just tag our dedicated contacts. We did some upfront work by connecting with each of the different teams, explaining what RFPIO was and why it was a benefit, and then asked for a point person. It's working well.
Yes, a combination of both Helene's and Allison's comments. Since we often see security-type questions within RFPs, we have the security question/answer pairs in the Library - this way, the proposal team can take a first pass on answering questions that are part of the RFP. If we receive a security questionnaire not associated with an RFP, the Security Team uses RFPIO themselves - they know how to import the document and can use the library to complete the questions.
Any suggestions on how the Security information is best organized? There are many standard templates we deal with like the SIG and CAIQ, but there are also portals that we see frequently (OneTrust, CORL, etc.). Right now, we are 'trying' to organize our Security Collection with Custom fields that identify 1) which template the Q&A pair is related to (it is multi-select as they can be applicable to many), 2) Tags to indicate which version of a questionnaire it is related to (i.e. CAIQ 3.1, CAIQ 4.0.2, etc.) and 3) another custom field indicating what part of the organization it is related to (corporate, product, SaaS, etc.).
Is this the best method to organize security content? Any suggestions from people who deal with this all the time? Security is only half of what my team does with RFPs being the primary focus.
All suggestions and feedback are welcome! :)
@Beth_B This is definitely an approach that I've seen be successful, as you're leaving plenty of "breadcrumbs" for users to zero in on the content they need.
Something I might suggest (and this is absolutely just a suggestion) is to use tags to indicate if it's corporate, product, SaaS, etc., and then use custom fields to indicate the version of the questionnaire.
The logic behind this is that tags work best when used more broadly, and this will also help keep the overall number of tags you have in your library down. Also, custom fields are reportable, so if you ever wanted to do a deep dive into what versions of CAIQ files you're seeing most often, you'll have that ability.
Would love to hear how others are handling this as well!
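The two organization schemes discussed above (Beth_B's custom fields for template and org unit, and the suggested swap to broad tags for org unit plus a reportable custom field for version) are easy to reason about with a small model. The script below is an added example, not RFPIO/Responsive code: it models a Q&A library with a multi-select template field, a version field and category tags, filters it, produces the "which versions are we seeing most" report, and shows how an auto-respond step should fall back to a human point person when no library answer is close enough. All entries, field names and answers are constructed for illustration.

```python
"""Toy model of a security-questionnaire answer library organised as the thread
suggests: tags carry broad categories (corporate, product, SaaS), custom fields
carry the template(s) a Q&A pair applies to (multi-select) and the questionnaire
version. Added example, not RFPIO/Responsive code; every entry is constructed."""
from collections import Counter
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class QAPair:
    question: str
    answer: str
    templates: set                          # multi-select custom field, e.g. {"CAIQ", "SIG"}
    version: str                            # custom field (reportable), e.g. "CAIQ 4.0.2"
    tags: set = field(default_factory=set)  # broad categories: corporate, product, SaaS


# Constructed sample library (hypothetical answers, not any vendor's real content).
LIBRARY = [
    QAPair("Is data encrypted at rest?", "Yes, AES-256 for all customer data stores.",
           {"CAIQ", "SIG"}, "CAIQ 4.0.2", {"SaaS"}),
    QAPair("Is data encrypted at rest?", "Yes, full-disk encryption on all laptops.",
           {"SIG"}, "SIG 2023", {"corporate"}),
    QAPair("Do you perform annual penetration tests?", "Yes, by an independent third party.",
           {"CAIQ"}, "CAIQ 3.1", {"product", "SaaS"}),
    QAPair("Is MFA enforced for administrative access?", "Yes, for all admin consoles.",
           {"CAIQ", "SIG"}, "CAIQ 4.0.2", {"corporate", "SaaS"}),
]


def find(library, template=None, version=None, tag=None):
    """Filter Q&A pairs by template (any value of the multi-select), version and/or tag."""
    out = []
    for qa in library:
        if template and template not in qa.templates:
            continue
        if version and qa.version != version:
            continue
        if tag and tag not in qa.tags:
            continue
        out.append(qa)
    return out


def version_report(library):
    """The 'reportable custom field' use case: how often each questionnaire version appears."""
    return dict(Counter(qa.version for qa in library))


def auto_respond(library, incoming_question, tag, threshold=0.8):
    """Pick the best library answer for an incoming question within one category (tag).

    Returns (answer, similarity), or (None, best_score) when nothing clears the
    threshold, so ambiguous questions are routed to the security point person
    instead of being auto-filled with a wrong answer.
    """
    best, best_score = None, 0.0
    for qa in find(library, tag=tag):
        score = SequenceMatcher(None, incoming_question.lower(), qa.question.lower()).ratio()
        if score > best_score:
            best, best_score = qa, score
    if best is None or best_score < threshold:
        return None, best_score
    return best.answer, best_score


if __name__ == "__main__":
    print(version_report(LIBRARY))
    print(auto_respond(LIBRARY, "Is your data encrypted at rest?", "SaaS"))
    print(auto_respond(LIBRARY, "Do you have a business continuity plan?", "SaaS"))
```

The tag filter in `auto_respond` is what keeps the same question ("Is data encrypted at rest?") from being answered with the corporate-laptop answer on a SaaS questionnaire; the threshold is what keeps a low-confidence match from being auto-filled at all.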