Hi -
Like most of us here, we have a large vendor pool, so we had to limit the questionnaire to our high / medium risk vendors in specific industries (Healthcare, Financial, SaaS, etc.). To make sure that we are not adding additional work to our vendors' plates during a time such as this, we took a tiered approach with our Log4J questionnaire. The parent question asked if they had been impacted (Y/N). If No, the questionnaire is over and we thank them for completing it. If Yes, we only ask two additional questions.
While I am sure most of us in this community are taking this approach, we have found that this has worked for us with a high return rate. So far, we have achieved a 56% completion rate and expect to have the rest of our vendor population completed in the next couple of days.
Even though we have had a high completion rate, it goes without saying that we did receive a handful of canned responses or links to our site and will just use that information to complete our internal process so it can all be recorded.
------------------------------
Thanks,
JP
------------------------------
Original Message:
Sent: 12-21-2021 03:55 PM
From: Laure Slezak
Subject: Log4J Vulnerability
For anyone who sends out questionnaires to vendors for situations like this, do you see a lot of response to the questions? The vendors that we are reaching out to have access to PII / are critical and high risk and in my experience, they almost never respond to the questions, but instead provide a blanket statement. I'd be interested in finding out if others have any luck with the questionnaire-type response.
Thanks!
Original Message:
Sent: 12-17-2021 11:48 AM
From: Michelle Chase
Subject: Log4J Vulnerability
Shared Assessments has developed a scoping tool that might be helpful if you are looking for a template.
Log4j Vulnerability Resources - Shared Assessments
We approached it with a very broad request versus a questionnaire.
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
Original Message:
Sent: 12-15-2021 09:24 AM
From: Anonymous Member
Subject: Log4J Vulnerability
This message was posted by a user wishing to remain anonymous
Would someone be willing to share a basic questionnaire that we can send out to our vendors?
Original Message:
Sent: 12-15-2021 08:19 AM
From: Michelle Chase
Subject: Log4J Vulnerability
Hi Dave, we reached out to all of our vendors rated as operationally critical with high data risk on Monday, following a similar path, it sounds like, to your organization's. We document the responses and work with the InfoSec team to share information and updates. About 1/2 have reported that they either were not using a vulnerable instance of Log4j or that they were but have not identified any exploits. The remainder are in the process of completing their reviews, so we are actively monitoring.
I am curious how you, or others in the group, handle public or public/private entities such as the regional Federal Reserve Banks and Fannie/Freddie. We have not found a good method to obtain status or information relating to possible security threats, unless we have a connection in the organization, and their reporting requirements don't appear to be the same.
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
Original Message:
Sent: 12-12-2021 03:25 PM
From: Dave Pendroy
Subject: Log4J Vulnerability
Curious what activity is happening in organizations around the Log4J vulnerability from last week. We've been 'all Info Sec hands on deck' this weekend, but there hasn't been much chatter in third party risk circles (unless I missed it). Our focus has been on internal systems, and on Monday we'll shift to supplier/third party communications and next steps. Just curious if others are taking a similar approach or if there are more widespread TPR implications that just haven't hit the web yet. Thoughts?