What department typically owns the Third Party due diligence/assessment process?
Procurement: 14%
Operational Risk: 46%
Audit: 18%
Vendor Risk Management: 10%
Cybersecurity: 10%
Legal: 2%
A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.
Apart from applying the patches just released, what other mitigation tactics are you using to address the zero-day SharePoint vulnerabilities impacting on-premises servers?
We have recently updated our strategy: 19%
Yes: 44%
No, but I expect we will reevaluate our strategy: 18%
No: 16%
Other (please share in the comments)
Difficulty determining the extent of our exposure: 17%
Difficulty determining if third-party vendors have been affected: 44%
Third-party vendors who are unable or unwilling to patch Log4j: 47%
Lack of support: 26%
Lack of patch management controls: 17%
New versions that contain breaking changes: 12%
Affected software is no longer maintained: 16%
Insufficient human resources: 12%
Current update processes slow down remediation: 7%
Transitive dependencies are unclear: 6%
Software inventory is not updated: 10%
Patching Log4j has been deprioritized: 4%
Patching requires too much downtime: 4%
Other (Please share below!): 2%