Free SolarWinds Vendor Questionnaire Template (2024 Edition)

The SolarWinds supply chain breach in December 2020 is among the most sophisticated and widespread cyber attacks ever deployed. The attack was estimated to have affected nearly 20,000 customers, including the U.S. Federal Government and high-level organizations in the private sector after attackers mobilized hidden code within SolarWinds products and the company’s Orion platform.

Sending a SolarWinds questionnaire to third-party vendors is now an essential step in vendor due diligence for organizations across multiple industries, including education, technology, finance, and government services. By gaining insight into how a vendor uses SolarWinds application monitoring services and/or was affected by the breach, your organization will better understand a vendor’s overall security posture and commitment to healthy risk hygiene.

Keep reading to discover sample questions your organization can include in its SolarWinds vendor questionnaire.

Learn how UpGuard streamlines the vendor questionnaire process.>

What Do Organizations Use SolarWinds For?

The SolarWinds Orion Platform is a stack of database management products that allow IT security professionals to track database metrics and manage infrastructure and performance. The stack of applications available from SolarWinds.com includes programs that assist organizations with the following tasks:

• Network Performance Monitoring (NPM)
• Network Troubleshooting
• Server & Application Monitoring (SAM)
• User Device Tracker (UDT)
• Service Desk Communications Management
• IP Address & IP SLA Management
• Simple Network Management Protocol SNMP Polling
• Web Performance Management (WPM)
• SQL Server Performance Monitoring
• Machine Types Management
• Hybrid Cloud Observability
• NPM and External Infrastructure (CISCO, AWS, Microsoft Azure) Integration
• Network Server Performance Management (Windows, Linux, Mac)

‍

Questions To Ask Vendors Regarding SolarWinds & IT Service Management

Here are several questions your organization can use to build out its own SolarWinds security questionnaire and assess the status of your vendors.

1. Was your organization impacted by the recent SolarWinds Orion malware cyber attack?

• Yes
• No
• [Open text field for vendor comments]

2. Has your organization ever run an affected version of a SolarWinds Product?

• Yes, we are currently
• Yes, we have in the past
• No, we have never
• [Open text field for vendor comments]

3. Have you updated the affected SolarWinds products to unaffected versions?

• Yes
• No
• Not applicable
• [Open text field for vendor comments]‍

4. Are you aware of any suspicious activity or compromised data related to a SolarWinds incident?

• Yes
• No
• Not applicable
• [Open text field for vendor comments]

5. Do you partner with any third parties affected by the SolarWinds breach?

• Yes
• No
• Unsure
• [Open text field for vendor comments]

6. If yes, please list the vendors below

• Vendor Name:
• Vendor Name:
• Vendor Name:
• [Open text field for vendor comments]

7. If you do partner with any vendors who were affected by the breach, what level of data is shared with them?

• Sensitive data
• Personal data
• No data is shared
• Not applicable
• [Open text field for vendor comments]

8. How significantly did the SolarWinds attack impact your organization?

• The attack significantly impacted our network, IT infrastructure, and security programs, disrupting operations and business continuity. There also was a loss of sensitive data.
• The attack greatly impacted our network, IT infrastructure, and/or security programs, causing a slight disruption to operations and business continuity. Some data confidentiality was lost.
• The attack slightly impacted our network, IT infrastructure, and/ or security programs. However, business operations were not disrupted, and no data was lost or corrupted.
• The attack did not impact our network, IT infrastructure, and/or security programs.
• [Open text field for vendor comments]

9. Did the SolarWinds attack disrupt critical services your organization delivers to clients and partners?

• Yes
• No
• [Open text field for vendor comments]

10. Does your organization’s cybersecurity program possess a developed incident response plan?

• Yes, our organization does have an incident response plan in place that includes steps for identification, mitigation, reporting, future prevention, and client communication.
• Yes, our organization does have an incident response plan in place. Still, the plan is either outdated and needs to be updated or does not include procedures for one or more of the following: identification, mitigation, reporting, future prevention, or client communication.
• No, we develop incident response procedures case-by-case after an incident investigation.
• No, our organization does not have any developed procedures for incident response.
• [Open text field for vendor comments]

11. Who is your organization’s point of contact for additional security queries?

• Name:
• Title:
• Email Address:
• Phone Number:
• [Open text field for vendor comments]

12. Has your organization implemented new protections, installed new controls, or updated existing infrastructure to resolve the SolarWinds attack's impact on the business?

• New controls and protections have been identified and installed for future prevention
• New controls and protections have been identified and are currently being installed for future prevention
• New controls and protections have been identified, but installation has not yet begun
• New controls and protections have not been identified or installed
• [Open text field for vendor comments]

13. If your organization has yet to install new controls, has it implemented workaround methods or compensating controls to avoid similar attacks in the future?

• Compensating controls and/or workaround methods have been implemented to mitigate and/or prevent future cyber attacks
• Compensating controls and/or workaround methods have been identified to mitigate and/or prevent future cyber attacks, but they have not yet been implemented
• Compensating controls and/or workaround methods have yet to be identified or implemented
• [Open text field for vendor comments]

Streamline SolarWinds Vendor Questionnaires With UpGuard

UpGuard’s questionnaire library includes a comprehensive SolarWinds vendor questionnaire and other security questionnaires that meet industry standards. Organizations looking to improve their vendor due diligence protocols and develop robust Third-Party Risk Management programs can use UpGuard’s library of questionnaires to identify and mitigate risks throughout the vendor lifecycle.

In addition to its comprehensive library of security questionnaires, UpGuard Vendor Risk also provides organizations access to several other powerful Cyber Vendor Risk Management tools.

Notable features and use cases of UpGuard Vendor Risk include:

• Vendor Security Ratings: Instantly understand your vendor’s security posture
• Vendor Risk Assessments: Reduce the time it takes to assess new and existing vendors‍
• Vendor Tiering: Classify vendors based on their level of inherent risk and your organization’s unique risk tolerance‍
• Compliance Reporting: Map vendor details against common compliance frameworks (NIST, ISO 27001, etc.)‍
• Vendor Data Leak Detection: Prevent data leakage due to third-party breaches‍
• 24/7 Continuous Vendor Monitoring: Receive real-time updates when your vendor’s security ratings change

Start your UpGuard free trial right now.