SolarWinds Breach: 7 Questions to Ask Your Vendors

Assess your organization's exposure with these essential questions for your vendors, suppliers and other third parties.
By:
Prevalent
December 17, 2020
Share:
Blog solarwinds breach 7 vendor questions 1220

Last weekend’s announcement of the SolarWinds supply chain breach has undoubtedly raised questions about whether your company will be impacted. To help the community understand its exposure, Prevalent has assembled a list of 7 essential question to ask third parties in order to gauge their response to this incident. See below for the questions and some possible response options to measure risk levels and understand potential third-party disruptions.

SolarWinds Third-Party Breach Impact Questionnaire

1. Has the organization been impacted by the recent SolarWinds “Sunburst” malware cyberattack?

a. Yes

b. No

2. What is the nature of the impact to the organization as a result of this cyberattack?

a. Significant impact to our network, IT operations or security products: The cyber-attack has caused systems or infrastructure to stop working or become unavailable. There has been a loss of confidentiality or integrity of data.

b. High level of impact to our network, IT operations or security products: Service availability has been periodically lost, and there is the potential for some systems to periodically stop. Some loss of confidentiality or integrity of data.

c. Low level of impact to our network, IT operations or security products: No loss of confidentiality or integrity of data; minimal or no disruption to service availability.

d. The cyber-attack has had little to no impact to our network, IT operations or security products.

3. Does it affect critical services delivered to clients?

a. Yes

b. No

4. Does the organization have an incident investigation and response plan in place?

a. The organization has a documented incident management policy.

b. The incident management policy includes rules for reporting information security events and weaknesses.

c. An incident response plan is developed as part of incident investigation and recovery.

d. Incident response planning includes escalation procedures to internal parties, and communication procedures to clients.

5. Who is a point of contact who can answer additional queries?

6. Has the organization amended existing controls, or implemented new controls to resolve and mitigate the impact the cyber-attack has had on the business?

a. Controls have been identified and implemented to mitigate the impact from the cyber-attack.

b. Controls have been identified and are currently being implemented to mitigate the impact from the cyber-attack.

c. The organization has identified which controls need to be updated or implemented, however this has not been implemented yet.

d. Controls have not or are not able to be implemented.

7. If controls are unable to be implemented, is the organization able to implement compensating controls or methods to avoid future cyber-attacks?

a. Compensating controls or workaround methods have been implemented which has mitigated the impact caused by the cyber-attack.

b. The organization has not identified or is able to implement compensating controls to mitigate the impact caused by the cyber-attack.

Prevalent customers: We are updating your platform to include the above questionnaire. Also, Prevalent does not use SolarWinds and therefore is not at risk of the Orion cyber-attack.

We hope these questions make your job a little bit easier in the face of this potential disruption. Once the dust settles, keep in mind that Prevalent offers a third-party risk management platform that includes more than 60 questionnaire templates meant to help you automate the tedious tasks of assessing vendors. In the meantime, everyone at Prevalent wishes good health to you, your team, and your families in the New Year.

Tags:
Share:
Prevalent

Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors and suppliers throughout the third-party lifecycle. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo