If you're familiar with vendor security questionnaires, you're probably also familiar with the arduous process of producing specific, verifiable answers about your company. Often you may not even know where your company's policies are located, or what they contain. SmartChat™ can help.
Here's an example of a Storytell user answering this security question:
Step 1: Load your policies into SmartChat™
You can load all your policies (whatever format they live in) into SmartChat™. Here's what this user did:
Then upload them to Storytell and tag them:
Step 2: Start a SmartChat™ session scoped to just that tag and ask your questions!
In the example above, the user is asking:
Are applications designed in accordance with industry accepted standards (e.g., OWASP for web applications)?
And Storytell's response, based on the underlying policy documents, is:
Yes, applications at [company] are designed in accordance with industry-accepted standards, including those outlined by the Open Web Application Security Project (OWASP) for web applications. The Secure Development Policy of [company] mandates that all software development, including web applications, must adhere to established standards and policies. This includes conducting system security testing at defined periods during the development lifecycle and ensuring that no code is deployed to production systems without documented, successful test results and evidence of security remediation activities.
Additionally, application code is scanned prior to deployment, and patches to address application vulnerabilities that materially impact security should be deployed within 90 days of discovery. Acceptance testing programs and related criteria are established for new information systems, upgrades, and new versions, which further aligns with industry best practices such as those recommended by OWASP.
The policy also specifies the protection of test data, ensuring that confidential customer data is protected in accordance with all contracts and commitments, and is not used for testing purposes without explicit permission from the data owner and the Chief Technology Officer (CTO). This careful approach to software development and adherence to industry standards is part of [company]'s commitment to maintaining a secure and reliable computing environment.
You can use Story Tiles™ to check the answer against the underlying policy text it was drawn from: