Unsafe Practices: Using Locked Spreadsheets and Documents for Vendor Risk Assessment Questionnaires
As the process of vendor risk management evolves, companies look at ways to create, secure and send vendor risk assessment questionnaires to third-party vendors. To facilitate these questionnaires, most organizations rely on Excel spreadsheets and Word documents. One of these two scenarios is typical in most organizations:
- An enterprise creates an Excel spreadsheet, which includes the vendor risk assessment questions, and then locks the workbook or worksheets before emailing it to the vendor so that only the answer cells are editable.
- An enterprise creates a form in a Word document, which includes the vendor risk assessment questions, and then locks the form before emailing it to the vendor so that only the answer cells are editable.
Unfortunately, using these types of locked Excel or Word documents for your vendor risk assessment questionnaires is an unsafe, and often unnecessary, practice for a variety of reasons. The most important reason stems from the fact that these locks are easily unlocked, which gives you and your organization a false sense of security.
Removing the locks from these types of documents is easier than it should be. It doesn’t require any advanced knowledge of the software or special “hacking” skills; you can simply unlock these documents using the Microsoft OpenXML libraries. Numerous forums can be found online detailing the exact steps required to unlock these documents.
Case in Point
At ProcessBolt, we recently helped a customer who received a vendor risk assessment questionnaire that was locked down beyond use. The cells containing the questions were locked and could not be clicked on or read in order to provide answers. Since this was a roadblock to the customer using the ProcessBolt AirLink Excel AddIn, our customer reached out to us to see if we could assist.
We quickly enhanced the ProcessBolt AirLink Excel AddIn to work with such locked Excel questionnaires. However, it would have been just as easy to simply remove the protection from the document using the Microsoft OpenXML libraries.
The truth is, relying on these document protections for securing a vendor risk assessment questionnaire is ineffective. To demonstrate this point, we created an open source project that shows just how trivial it is to remove these protections from Excel and Word files. The “OfficeMasterKey” project by ProcessBolt can be found here: https://github.com/ProcessBolt/OfficeMasterKey
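Since the lock cannot be trusted, a returned questionnaire can be checked against the copy that was sent. The following is an added example, not code from ProcessBolt or the OfficeMasterKey project: it reports whether each worksheet part still carries the `<sheetProtection>` element and whether the question cells hash to the same value. The function names, the list of question cell references and the sample input are assumptions made for illustration.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def fingerprint(xlsx_bytes, question_cells):
    """Map each worksheet part to (has <sheetProtection>, SHA-256 of question cells)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            data = z.read(name)
            if b"<!DOCTYPE" in data:  # OOXML parts carry no DTD; refuse entity tricks
                raise ValueError(f"unexpected DTD in {name}")
            root = ET.fromstring(data)
            protected = root.find("m:sheetProtection", NS) is not None
            # Inline-string text only; shared strings would need xl/sharedStrings.xml.
            cells = {c.get("r"): "".join(c.itertext()) for c in root.iterfind(".//m:c", NS)}
            h = hashlib.sha256()
            for ref in question_cells:
                h.update(f"{ref}\0{cells.get(ref, '')}\0".encode())
            out[name] = (protected, h.hexdigest())
    return out

def compare(sent, returned, question_cells):
    """List (sheet, finding) pairs where the returned file differs from the sent one."""
    before = fingerprint(sent, question_cells)
    after = fingerprint(returned, question_cells)
    findings = []
    for sheet, (prot, digest) in before.items():
        r_prot, r_digest = after.get(sheet, (False, None))
        if prot and not r_prot:
            findings.append((sheet, "protection removed"))
        if digest != r_digest:
            findings.append((sheet, "question text changed"))
    return findings

def make_sample(question, answer, protected):
    """Constructed test input: a zip holding one worksheet part, not a full workbook."""
    lock = '<sheetProtection sheet="1"/>' if protected else ""
    row = (f'<c r="A1" t="inlineStr"><is><t>{question}</t></is></c>'
           f'<c r="B1" t="inlineStr"><is><t>{answer}</t></is></c>')
    xml = f'<worksheet xmlns="{NS["m"]}"><sheetData><row r="1">{row}</row></sheetData>{lock}</worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", xml)
    return buf.getvalue()
```

The hash comparison is the check that matters: a file whose protection was removed and then re-applied still shows the element, so its presence alone proves nothing about the questions.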
Secure Your Future
As security continues to be an issue for most companies, it’s important to periodically review your internal security practices. Are your security measures at the level your company needs? The loose and easily penetrable security of Excel spreadsheets and Word documents is really no security at all.
Vendor risk management portals that house your vendor risk assessment questionnaires, such as ProcessBolt, are the logical and secure alternative to this problem. Vendors log into the portal to review your questionnaire and submit their answers. In addition, vendors can easily and securely attach artifacts and documents to their questionnaire. There is no opportunity for question tampering when your documents are securely stored in our online platform. And updating the questionnaire is as easy as logging in.
To see how easy it is to securely store your vendor risk assessment questionnaires, schedule a demo today.