Last weekend’s announcement of the SolarWinds supply chain breach has undoubtedly raised questions about whether your company will be impacted. To help the community understand its exposure, Prevalent has assembled a list of 7 essential questions to ask third parties in order to gauge their response to this incident. See below for the questions and some possible response options to measure risk levels and understand potential third-party disruptions.
1. Has the organization been impacted by the recent SolarWinds “Sunburst” malware cyberattack?
   a. Yes
   b. No

2. What is the nature of the impact to the organization as a result of this cyberattack?
   a. Significant impact to our network, IT operations or security products: the cyberattack has caused systems or infrastructure to stop working or become unavailable, and there has been a loss of confidentiality or integrity of data.
   b. High level of impact to our network, IT operations or security products: service availability has been periodically lost, there is the potential for some systems to periodically stop, and there has been some loss of confidentiality or integrity of data.
   c. Low level of impact to our network, IT operations or security products: no loss of confidentiality or integrity of data; minimal or no disruption to service availability.
   d. The cyberattack has had little to no impact on our network, IT operations or security products.

3. Does it affect critical services delivered to clients?
   a. Yes
   b. No

4. Does the organization have an incident investigation and response plan in place?
   a. The organization has a documented incident management policy.
   b. The incident management policy includes rules for reporting information security events and weaknesses.
   c. An incident response plan is developed as part of incident investigation and recovery.
   d. Incident response planning includes escalation procedures to internal parties and communication procedures to clients.

5. Who is a point of contact who can answer additional queries?

6. Has the organization amended existing controls, or implemented new controls, to resolve and mitigate the impact the cyberattack has had on the business?
   a. Controls have been identified and implemented to mitigate the impact from the cyberattack.
   b. Controls have been identified and are currently being implemented to mitigate the impact from the cyberattack.
   c. The organization has identified which controls need to be updated or implemented, but these have not yet been implemented.
   d. Controls have not been, or cannot be, implemented.

7. If controls cannot be implemented, is the organization able to implement compensating controls or methods to avoid future cyberattacks?
   a. Compensating controls or workaround methods have been implemented that have mitigated the impact caused by the cyberattack.
   b. The organization has not identified, or is not able to implement, compensating controls to mitigate the impact caused by the cyberattack.
Prevalent customers: We are updating your platform to include the above questionnaire. Also, Prevalent does not use SolarWinds and therefore is not at risk of the Orion cyber-attack.
We hope these questions make your job a little bit easier in the face of this potential disruption. Once the dust settles, keep in mind that Prevalent offers a third-party risk management platform that includes more than 60 questionnaire templates meant to help you automate the tedious tasks of assessing vendors. In the meantime, everyone at Prevalent wishes good health to you, your team, and your families in the New Year.