Security Posture Letter

Your Clients Are Starting to Ask. Now You Have an Answer.

Something has shifted in the last few years. Larger companies, government contractors, healthcare organizations, and commercial real estate firms have started asking their vendors and service providers to demonstrate basic security before signing agreements. Sometimes it's a formal questionnaire. Sometimes it's a clause in a contract. Sometimes it's just a pointed question from their legal team.

If your business sells to other businesses (especially if you handle any of their data, have access to their systems, or connect to their network in any way) this is a conversation you're probably already having or will have soon.

Most smaller businesses don't have a good answer. They say something like "yeah, we take security seriously" and hope that's enough. Increasingly, it isn't.

The Security Posture Letter is a formal document we issue on behalf of your business after reviewing your security environment. It summarizes the controls you have in place, such as multi-factor authentication, endpoint protection, data backup procedures, employee training, and access management, in plain language that a non-technical reader can understand and act on.

It isn't a guarantee that nothing will ever go wrong. It's an honest, documented statement of where your business stands.

Before we issue the letter, we review your environment. Depending on what's already in place, this may be a standalone engagement or a natural extension of an assessment we've already completed.

The letter itself documents:

  • Authentication Controls. Whether multi-factor authentication is in place across your business accounts and on what platforms.
  • Endpoint Protection. Whether business devices are running managed security software and what that software covers.
  • Data Handling Practices. How customer and business data is stored, who has access to it, and whether backups are maintained and tested.
  • Email Security. Whether your email domain has the technical controls in place to prevent spoofing and unauthorized access.
  • Employee Training. Whether your team has received security awareness training and how recently.
  • Access Management. Whether former employees are removed from systems promptly and whether access is limited to what each person actually needs.
  • Vendor and Software Practices. A summary of your approach to the third-party tools your business uses and what access they're granted.

How It Gets Used

Most clients use the letter in one of a few ways. Some attach it to a contract response when a prospective client asks about your security posture. Some include it in an RFP submission where security is a scoring criterion. Some keep it on file to send quickly when the question comes up, rather than scrambling to put something together on a deadline.

The letter is dated and specific to your environment at the time of issue. We recommend renewing it annually or after any significant change to your systems. This is both to keep it accurate and to show the businesses you work with that security is something you maintain, not just something you documented once.

Reach out to us