Here’s a questionnaire you can send to suppliers during extended work from home (WFH) periods.
Military strategists will tell you that the outcome of many famous battles could have been predicted ahead of time by the robustness of the supply lines. That’s why a major part of every military service is logistics and planning. Besides weapons, ammo, and replacement troops, the side that usually wins also had the best food, water, medical supplies, communications, clothing, and shelter. “You can’t win battles wearing wet shoes” the saying goes.
The current COVID-19 pandemic response has all companies and organizations re-examining how to keep the business running, people working, and customers happy during this extended work from home period. Your organization can’t excel at what it needs to do without the products and services it depends on.
This has led many people to a new way of incorporating third-party risk as a part of their normal business continuity plans (BCPs). Most organizations worry about third-party risk primarily as a computer security risk problem and only measure that risk during onboarding or perhaps annually thereafter. It’s mostly a confidentiality and integrity issue. That makes perfect sense. You don’t want to interact with a new vendor that increases your own risk unnecessarily. So, most organizations do third-party risk management as a way to ensure that their vendors are using good computer security practices.
Often times, availability is the most neglected part of the computer security triad (i.e., CIA – Confidentiality, Integrity, and Availability) and it is primarily focused on as a local issue – Can my organization do what it needs to do during a disaster event? An organization cannot do that without ensuring its suppliers and other vendors also have their availability angles covered just as strongly as their other computer security concerns. The recent COVID-19 pandemic has acutely tested all of us and our supply lines.
One way to measure third-party availability risk is to send the organizations you are dependent on a quick Extended Emergency Third-Party Risk Questionnaire. You can make your own or search them out on the Internet. Here’s one that the risk management team at KnowBe4 came up with.
Sample Extended Emergency Third-Party Risk Questionnaire
As part of our normal third-party risk management assessment process and in light of recent events, we are asking our third-party vendors to review and respond to a relatively short questionnaire regarding availability concerns and understanding what your organizational external pandemic response and recovery plans are. Please review and answer each of the following questions:
|Was your organization impacted by an event (e.g., COVID-19, natural disaster, etc.) which required an unusual portion of your workforce to begin working from home (WFH) or an alternative remote location for an extended period of time?|
|Does your company have a business continuity planning (BCP) document which covers extended work from home scenarios?|
|If your company does have a BCP document which covers extended work from home scenarios, can you share a copy of your extended work from home plan or a high-level version of it? If so, please communicate how that can be securely shared? If not, why not?|
|Please share as candidly and detailed as you can the state of your organization’s existing operations as they support our organization’s critical operations. How well are services and/or products being provided compare to the normal, non-emergency, state?|
|Does your organization provide 24 x 7 x 365 support for critical business issues that can impact the services your organization provides to our organization? If not, please explain further.|
|Are critical areas of the business still being exposed to the general public as a part of providing their services? If so, please explain further.|
|Do the services you provide our organization have dependencies on other sub-service providers? If yes, please explain further.|
|If you must close your normal office and/or operation locations, how do you plan to communicate with our organization?|
|If you must close your normal office and/or operation locations, how and when will you communicate to our organization the ongoing developments to your ongoing response and recovery situation (such as when will you reopen a certain office)?|
|Are you still continuing to run security awareness training & simulated phishing to your remote workforce? If not, explain further.|
|Other additional questions:|
This is a time-sensitive request and would appreciate your response no later than [DATE DUE].
Please feel free to reach out with any questions.
We shared this example questionnaire, or previous versions, with several customers who rely on us who then used it as a template to other organizations they rely on. We invite you to do the same. Even if you already know how your dependent suppliers are doing and responding in this latest COVID-19 pandemic, it can’t hurt to send this survey to get those third-party vendor’s responses documented. It can only help for the next emergency. If you haven’t incorporated availability as part of your normal third-party risk assessment, it’s time to start. You should vet early and often, because the landscape is ever changing.