Third-Party Risk Response
Assess and communicate supplier or vendor security issues with clear internal action plans.
Use this playbook when a vendor incident or supplier CVE raises potential exposure for your organization.
Assessment Workflow
Exposure Identification
- Identify which systems and teams depend on the affected vendor, using the asset inventory and procurement records rather than memory.
- Confirm whether the affected product versions are actually deployed and whether the vulnerable component or feature is enabled; a product that is present but not running the affected code path is a lower priority than one that is.
- Separate confirmed impact from hypothetical exposure, and track anything that cannot yet be verified (unknown version, unknown configuration) as open rather than assuming it is safe.
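The three steps above amount to a triage pass over the inventory. The following Python is an added example, not part of the original playbook: it scores each asset against a vendor advisory and separates confirmed exposure (vulnerable version and vulnerable feature enabled) from latent exposure (vulnerable version, feature disabled), unverified exposure (depends on the product, but version or configuration unknown) and assets that are not affected. The inventory and advisory schemas, the vendor and product names, and the Low/Medium/High mapping are all constructed assumptions for illustration.

```python
# Added example, not code from the original playbook. Triages a constructed
# asset inventory against a constructed vendor advisory so that confirmed
# exposure is kept apart from hypothetical exposure. The Advisory and Asset
# schemas, the sample data and the exposure_level mapping are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

CONFIRMED = "confirmed"        # vulnerable version AND vulnerable feature enabled
LATENT = "latent"              # vulnerable version, vulnerable feature not enabled
UNVERIFIED = "unverified"      # depends on the product, version or config unknown
NOT_AFFECTED = "not_affected"  # different product, or already on a fixed version


@dataclass(frozen=True)
class Advisory:
    vendor: str
    product: str
    fixed_version: str                          # first version containing the fix
    vulnerable_feature: Optional[str] = None    # None: every deployment is affected


@dataclass(frozen=True)
class Asset:
    name: str
    owner_team: str
    vendor: str
    product: str
    version: Optional[str]                      # None when the inventory lacks it
    enabled_features: frozenset = frozenset()
    internet_facing: bool = False


def parse_version(text: str) -> Optional[tuple]:
    """'4.2.1' -> (4, 2, 1); None when the string is not dotted integers."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def classify(asset: Asset, adv: Advisory) -> str:
    """Classify one asset against the advisory (see the constants above)."""
    if (asset.vendor, asset.product) != (adv.vendor, adv.product):
        return NOT_AFFECTED
    installed = parse_version(asset.version) if asset.version else None
    fixed = parse_version(adv.fixed_version)
    if installed is None or fixed is None:
        return UNVERIFIED          # cannot prove or disprove: stays hypothetical
    if installed >= fixed:
        return NOT_AFFECTED
    if adv.vulnerable_feature is None or adv.vulnerable_feature in asset.enabled_features:
        return CONFIRMED
    return LATENT                  # vulnerable code present, not reachable as deployed


def triage(inventory, adv: Advisory):
    """Group assets by classification and list every team that must be contacted."""
    buckets = defaultdict(list)
    teams = set()
    for asset in inventory:
        cls = classify(asset, adv)
        buckets[cls].append(asset)
        if cls != NOT_AFFECTED:    # latent and unverified assets still need an owner
            teams.add(asset.owner_team)
    return dict(buckets), sorted(teams)


def exposure_level(buckets) -> str:
    """Illustrative (assumed) mapping onto the playbook's Low/Medium/High triggers."""
    if any(a.internet_facing for a in buckets.get(CONFIRMED, [])):
        return "High"
    if buckets.get(CONFIRMED) or buckets.get(UNVERIFIED):
        return "Medium"
    return "Low"


# Constructed sample advisory and inventory; names are fictitious.
ADVISORY = Advisory(vendor="ExampleVendor", product="GatewayOS",
                    fixed_version="4.2.1", vulnerable_feature="ssl_vpn")

INVENTORY = [
    Asset("edge-fw-01", "network", "ExampleVendor", "GatewayOS", "4.1.7",
          frozenset({"ssl_vpn", "ips"}), internet_facing=True),
    Asset("lab-fw-01", "platform", "ExampleVendor", "GatewayOS", "4.1.7",
          frozenset({"ips"})),
    Asset("dc-fw-02", "network", "ExampleVendor", "GatewayOS", "4.2.1",
          frozenset({"ssl_vpn"})),
    Asset("branch-fw-07", "it-ops", "ExampleVendor", "GatewayOS", None),
    Asset("build-runner-03", "ci", "OtherVendor", "RunnerAgent", "2.0.0"),
]

if __name__ == "__main__":
    buckets, teams = triage(INVENTORY, ADVISORY)
    for cls in (CONFIRMED, LATENT, UNVERIFIED, NOT_AFFECTED):
        print(f"{cls:13s}", [a.name for a in buckets.get(cls, [])])
    print("teams to contact:", teams)
    print("exposure level:", exposure_level(buckets))
```

On the constructed data, edge-fw-01 is confirmed (vulnerable version, SSL VPN enabled, internet-facing), lab-fw-01 is latent, branch-fw-07 is unverified because the inventory has no version for it, and the two remaining assets are not affected; the overall level is High. The unverified bucket is the important one operationally: those assets go into the leadership update as open items rather than being silently folded into "not affected".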
Response Planning
- Define immediate containment or compensating controls (for example, disabling the affected feature, restricting network access to the product, or rotating credentials the vendor held) until the vendor fix is applied.
- Coordinate with legal, procurement, and business owners.
- Set communication cadence for leadership updates.
Vendor Incident Prompt
```text
Assess our risk from [vendor incident/CVE]. Return:
- likely exposure points in our environment,
- immediate containment actions,
- information to request from the vendor,
- leadership-ready risk summary.
```
Decision Framework
| Decision | Trigger | Owner |
|---|---|---|
| Continue operations | Low exposure + compensating controls active | Security + business owner |
| Partial restriction | Medium exposure or uncertain vendor response | Security + IT operations |
| Full isolation/stop use | High-confidence compromise risk | Security leadership + executive sponsor |
Communication Checklist
- State what is confirmed versus pending confirmation.
- Provide clear current risk level and potential business impact.
- Include next update time and responsible owner.