On a tight timeline to find a way forward, the VRM team made a quick decision to build a survey to assess its immediate risk threshold and looked to internal systems to solve the problem.
Excel wasn’t going to deliver the efficiency they needed, and there wasn’t time to hire a consultant. Instead, the team chose to use existing data in Onspring, the system of record for their current VRM and Information Security programs. They were already using Onspring to perform annual risk assessments on vendors, so they could use existing contact data for business owners and vendors housed in the platform to survey the current Log4j vulnerability situation, keeping all information in one solution.
The team took the following actions in their response to the Log4j vulnerability:
1 – Determine the vendor population
In this first step, the team established the selection criteria, i.e. the risk parameters used to choose which vendors to survey, by asking the following questions:
- Does the vendor run a SaaS environment or internet-facing website, making them more susceptible to the Log4j risk?
- How much risk does the vendor pose to the larger company? (This was measured on a 3-point scale of low to high risk.)
The second element was the information source: the single source of truth would be the InfoSec and VRM assessment population already held in Onspring.
The population was determined by running a report in Onspring against these criteria, using the existing risk data in its Third-party / Vendor Risk Management solution. The report filter selected SaaS/internet-facing website providers with a medium-high or high risk rating, OR vendors who had scored poorly on prior InfoSec surveys, which could indicate weak patching controls.
This filtering yielded the 82 highest-risk vendors.
2 – Draft Log4j vulnerability assessment questions
3 – Configure and launch survey
Building on the vendor data already in the platform, the VRM team configured the Log4j vulnerability survey (a repeatable survey for flagging vulnerabilities) and a vulnerability management application in Onspring within a week, then deployed it to vendors and notified the business owners.
4 – Analyze responses to Log4j vulnerabilities
The company needed to decide how to display and report the findings to its executive management team and other stakeholders. It was important to show the current risk environment based on vendor responses and status, answering questions such as:
- Was the vendor impacted?
- What is the current remediation status?
- Is remediation complete? For how many impacted vendors?
- Have reports been sent to InfoSec? Legal?
In addition to a straightforward, easy-to-consume dashboard, Onspring’s reporting capabilities let the VRM team filter and customize the data into reports for different stakeholders, giving them real-time visibility into the company’s response to the Log4j vulnerability.
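The four steps above are a small data pipeline: filter the vendor population on exposure and risk, collect survey answers, and roll them up into the status questions the dashboard asks. The following is an added illustration of that pipeline in Python; it is not Onspring's code or the company's report, and the vendor records, survey answers, the 0-100 "prior InfoSec score", the ordered risk scale and the threshold values are constructed assumptions chosen to mirror the filter described in step 1. It also tracks vendors in the population who have not responded, since a missing answer is itself a finding a VRM team needs to chase.

```python
"""Risk-based vendor selection and Log4j survey roll-up (added example, not from the page)."""
from dataclasses import dataclass
from collections import Counter

# Assumed ordinal risk scale; the filter depends only on the ordering, not the labels.
RISK_ORDER = {"low": 0, "medium": 1, "medium-high": 2, "high": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    internet_facing: bool        # runs a SaaS environment or internet-facing website
    risk_rating: str             # one of RISK_ORDER's keys
    prior_infosec_score: int     # assumed 0-100 score from the last InfoSec survey


@dataclass(frozen=True)
class SurveyResponse:
    vendor: str
    impacted: bool
    remediation_status: str      # "not started" | "in progress" | "complete"
    reported_to_infosec: bool
    reported_to_legal: bool


def select_population(vendors, min_risk="medium-high", poor_score_below=60):
    """Mirror the report filter from step 1: internet-facing AND rated at or above
    min_risk, OR a poor prior InfoSec score (possible weak patching controls)."""
    threshold = RISK_ORDER[min_risk]
    selected = []
    for v in vendors:
        exposed_and_risky = v.internet_facing and RISK_ORDER[v.risk_rating] >= threshold
        weak_history = v.prior_infosec_score < poor_score_below
        if exposed_and_risky or weak_history:
            selected.append(v.name)
    return selected


def summarize_responses(population, responses):
    """Roll survey answers up into the status questions from step 4.
    Responses from vendors outside the surveyed population are ignored."""
    answered = {r.vendor: r for r in responses if r.vendor in population}
    impacted = [r for r in answered.values() if r.impacted]
    status = Counter(r.remediation_status for r in impacted)
    return {
        "surveyed": len(population),
        "responded": len(answered),
        "no_response": sorted(set(population) - set(answered)),
        "impacted": len(impacted),
        "remediation": dict(status),
        "remediation_complete": status["complete"],
        "reported_to_infosec": sum(r.reported_to_infosec for r in impacted),
        "reported_to_legal": sum(r.reported_to_legal for r in impacted),
    }


# Constructed sample vendors (not real companies or page data).
VENDORS = [
    Vendor("Acme SaaS", True, "high", 85),
    Vendor("Beta Hosting", True, "medium-high", 70),
    Vendor("Gamma Payroll", True, "medium", 90),     # internet-facing but below the risk threshold
    Vendor("Delta Shipping", False, "high", 80),     # high risk but not internet-facing
    Vendor("Epsilon Print", False, "low", 40),       # selected only for a poor prior score
    Vendor("Zeta Analytics", True, "low", 95),
]

# Constructed survey answers; Epsilon Print has not replied, Zeta was never surveyed.
RESPONSES = [
    SurveyResponse("Acme SaaS", True, "complete", True, True),
    SurveyResponse("Beta Hosting", True, "in progress", True, False),
    SurveyResponse("Zeta Analytics", True, "not started", False, False),
]

if __name__ == "__main__":
    population = select_population(VENDORS)
    print("Population:", population)
    print("Dashboard:", summarize_responses(population, RESPONSES))
```

The `no_response` list is the piece most dashboards omit: a vendor that was selected as high-risk and has not answered should be treated as unresolved, not as absent from the picture.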