Vendor Monitoring Tips to Help Mitigate Business Risk

April 13, 2023 | By IANS Faculty

Vendor response tracking can be overwhelming for widespread security issues like SolarWinds and Log4j. Managing vendor responses can take valuable time and resources away from an already busy security team. This piece explains how to ensure your process for managing vendor responses adds value and focuses squarely on mitigating business risk.

Simplify Vendor Response Monitoring 

Vendor response monitoring is an element of an overall vendor governance program. It is typically started after an initial assessment of the third party’s security controls has been completed. Significant events or changes, such as a merger or an industrywide cybersecurity vulnerability, may trigger additional communications to assess how changes at key vendors affect the company.

However, your monitoring efforts shouldn’t include all vendors. You don’t want to spend the same effort on a general marketing vendor that you would on a payroll vendor. Performing a simple risk assessment can help prioritize your efforts where they matter the most.

How to Risk-Rank Your Vendors 

If your organization doesn’t already risk-rank its vendors, you can quickly sort out higher-risk vendors by considering the following elements:

Business criticality: All vendors are either critical or noncritical to the business. If a failure by the vendor to provide a product or service could result in materially negative impacts to the organization or to its customers and consumers, that vendor should be considered critical.

Risk impact: Risk impact is an estimate of the potential losses associated with an identified risk. This measure is usually correlated with the probability of a risk occurring.

Data sensitivity: Vendors that hold sensitive data, including personally identifiable information and data regulated under HIPAA or PCI DSS, should generally be considered high risk.

Network connectivity: Vendors with direct network connectivity to your firm represent a risk, regardless of the type of data they may access. For example, the Target breach happened when attackers compromised one of Target’s HVAC vendors and then gained access to Target from there.

Formalize and Document the Vendor Process 

Be sure to include any other elements that may be important to your company. Regardless of how you define your process, it should be documented. The process can be codified as a policy, procedure or standard.

Having a formalized and ratified policy you follow consistently helps demonstrate you have taken reasonable steps to monitor security risk with your vendors. While legal liability is a complex topic, having a documented process is the first step, and it will also help with audits and regulatory inquiries.

Questions to Assess Vendor Risk/Monitoring 

For vendors that require enhanced monitoring, focus on the quality of your questions. Put some thought into the questions upfront to ensure your efforts will produce the most value. Some considerations include:

Determine how you will send the questions: The most common method is email, but also consider whether you wish to use attachments or online forms such as Google Forms. If you are using email, think about using a separate distribution list or email account, so messages are not lost in any one individual’s inbox.

Don’t ask for information you don’t need: Using Log4j as an example, do you really need to track each of the five CVE numbers or is it enough to know the vendor has a process in place to address the issue? Filling out questionnaires can be tedious for the recipient. The more questions you ask, the harder it will be for the recipient to respond and your overall response rate may be weak. Ensure your questions are clear and concise. This helps remove friction and ensures the vendor responds in a timely manner.

Minimize open-ended questions: Open-ended questions invite answers that are prone to optimism or exaggeration and are hard to compare across vendors. Focus your monitoring efforts on simple questions that can be answered simply. Open-ended questions such as, “Describe your security awareness activities,” can provide a lot of information, but they also take longer for the recipient to answer and longer for you to review.

Some simple questions for a vulnerability like Log4j include:

  • Are you impacted by CVE # (use specific CVEs)?
  • Have you completed patching all affected environments?
  • Do you contract with vendors that use the affected utility?
  • Are you reaching out to the vendors to understand any direct or indirect impacts/results from the vulnerability?
  • Have you discovered any impacts of the vulnerability in your environment, including any active exploits?
  • If you have been impacted, what remedial actions have you taken?

Consider Using GRC Tools or Outsourcing to a Vendor 

In some cases, even after risk-ranking your vendors, there may still be too much to handle using email. If your company has a GRC tool already in place, it can help. GRC tools often come with a vendor governance module and can help automate some vendor risk monitoring steps, depending on the tool’s capabilities and how it’s configured. GRC tools do have a learning curve, but they can be very useful once they are mastered.

If you don’t have a GRC tool, some vendor risk management companies have stepped up to address only the vendor management aspects of GRC. These vendor management platforms can act as the foundation for a vendor risk management function. The vendor management platform market addresses risks related to regulatory compliance and information security needs. 

Another possibility is to outsource vendor response tracking to a third party. If your security organization is resource-constrained or doesn’t have the internal capability or expertise to assess third-party cyber risk effectively, you can consider using a service. Such services provide some oversight of your third parties, and they can handle vendor questions and responses and send information back to your security team.

Note that most security rating services are not sophisticated enough to address exposure to something like Log4j. It is recommended not to rely on a rating service for this scenario.

Tips to Risk-Rank Vendors

Log4j and other vulnerabilities are going to be a long-term problem. Make sure your tracking efforts are worthwhile and provide you with business value. Remember:

Keep risk-ranking simple: Have a policy and follow it. Risk-rank your vendors and ask them simple, clear and concise questions. Don’t ask for information that isn’t relevant or doesn’t add value.

Leverage tools or outsource the process: GRC and other tools can help alleviate some of the burden with response management. If this is still too much, you can consider outsourcing the process completely to a third party.

Good questions get good answers: Remember to refine your questions. It doesn’t matter what system or process you’re using if you haven’t asked good questions. Consider the level of detail you really need to track a vulnerability like Log4j. It may be enough to know your vendors are aware of and responding to the issue, rather than going deeper into the specific details.
