Streamlining vendor assessment with ServiceNow VRM at Microsoft

Dec 8, 2022

Microsoft Digital technical stories

We’ve adopted ServiceNow Vendor Risk Management (VRM) to manage our risk assessment during the procurement process for Internet of Things (IoT) devices across Microsoft.

ServiceNow VRM provides a centralized, managed solution for assessing security risks for IoT devices and the vendors that supply them for us. With this solution, our vendor risk management processes at Microsoft are more automated and efficient, better monitored, and easier for our employees and vendors to use.

Introduction

At Microsoft, our business necessitates an extensive supply chain that depends on trusted non-Microsoft vendors. These vendors provide much of the hardware and software upon which we run our business. Our Microsoft security team ensures that our vendors and the hardware and software they provide adhere to our compliance and security requirements.

As part of our broader governance, risk, and compliance processes, the vendors and partners that supply these products and services must undergo an assessment of their operations and the products or services they supply. The security team provides technical expertise to confirm that software and hardware adhere to modern security practices. We have multiple business groups that work with the security team to assess vendors. Each business group has nuances that affect the way the security team creates and processes vendor assessments.

One such example is the IoT Security Assessment program. This program focuses on IoT devices procured and deployed throughout Microsoft. Each vendor and the product they supply must be vetted to maintain our security standards.

Improving the vendor assessment process

Globally, we at Microsoft manage thousands of IoT devices supplied by many different vendors. These devices include card readers, cameras, kiosks, and HVAC equipment. Each of these devices and the software that supports them must undergo the security assessment processes established by our security team. The basic assessment process includes the following three high-level steps:

  • Vendor questionnaire. This questionnaire provides business and technical data about each vendor and IoT device. The Microsoft employee responsible for procuring the device sends an assessment request to the security team, which then triages the request and sends the appropriate risk questionnaire to the vendor. The vendor completes the questionnaire and returns it to the security team.
  • Pre-assessment questionnaire. We use an initial pre-assessment questionnaire to determine the depth of review required for the solution. Based on the analysis, an in-depth questionnaire is then sent to the vendor to get detailed business and technical data about the device or solution.
  • Device-security test. After the vendor returns the questionnaire, the security team then performs security testing on the IoT device hardware and if applicable, software. Any issues are reported back to the vendor for correction.

In response to IoT Security Assessment process changes, including increased vendor data requirements, our security team had previously adopted a simple solution for tracking the assessment process. However, the volume of incoming requests and the detailed nature of IoT device assessments quickly surpassed the original solution’s capabilities, which were centered around file-based assessments exchanged through email and stored in a shared folder.

Setting goals for vendor assessment

The original solution was largely a manual process, with potential for human error, lost data, and an untracked workflow. We realized that the IoT Security Assessment program needed a more robust and automated process for managing vendors and devices. To begin the workflow reinvention process, we established specific goals for the new solution:

  • Facilitate more secure IoT device data. The primary IoT Security Assessment program mandate is to ensure that IoT devices at Microsoft are secure. This high-level goal informed the research for the new solution and how we achieved more specific goals within the solution.
  • Minimize manual effort required for assessments. We wanted integrated automation wherever possible to reuse assessment components and reduce both manual effort and potential for error. We needed our security team focused on technical assessments and device vetting, not tracking emails and location of assessment forms.
  • Improve the vendor and Microsoft employee experience. In the original solution, both our vendors and our employees procuring IoT devices dealt with a complex set of workflow steps. Our goal for the new solution was an easy-to-use, simplified environment in which all assessment process steps could be more easily performed, tracked, and managed.
  • Enable self-service assessment creation and management. Each vendor and device assessment is unique, even if only slightly. We wanted to direct assessment creation and editing tasks to the employees who knew the vendor best and simplify tasks such as updating assessment details or adding questions.
  • Manage and track workflow communication. Our original solution contained too many untracked email messages that weren’t a traceable part of the assessment workflow. We wanted our new solution to better manage and track communication between the security team, our employees, and vendors.

Based on these goals, we researched available solutions. Ultimately, we decided on a solution from one of our trusted partners: ServiceNow Vendor Risk Management (VRM).

Simplifying vendor risk management with ServiceNow VRM

The ServiceNow VRM platform provides centralized management across the entire vendor assessment lifecycle process. It has built-in capability for:

  • Vendor portfolio management
  • Assessment management
  • Issue remediation
  • Risk scoring
  • Integrated monitoring and auditing of vendor risk management processes

We adopted ServiceNow VRM for the IoT Security Assessment program as a single tool to help us more securely engage vendors, assess supply chain risk, and follow IoT device security assessment through to completion.

With ServiceNow VRM, our entire vendor assessment process is hosted online in the ServiceNow VRM portal. Through this centralized portal, employees can create, manage, and assign assessments. Vendors can also use the portal to review incoming assessment requests and complete assessments. All parties involved can review the progress of assessments, receive notification when action is required, and perform necessary actions without switching tools. Improving visibility for the entire process means that both employees and vendors can check the status of assessments, issues, and tasks, and more quickly identify emerging risks.

Automated workflows in ServiceNow VRM improve collaboration. They also help us establish consistent workflows and enable employees and vendors to reuse assessment components across products and devices.

ServiceNow integrates directly with our Microsoft Azure Active Directory (Azure AD) tenant to supply single sign-on (SSO) and multifactor authentication to the ServiceNow VRM portal. This capability complies with our security standards while providing a seamless sign-on process for our employees and our vendors.

Onboarding to ServiceNow VRM

In less than three months the IoT Security Assessment program transitioned from our original, manual solution to ServiceNow VRM. Our process started with defining our future requirements and ended with going live with ServiceNow VRM for all IoT security assessments. A quick migration reduced duplicate vendor management tasks in both the original solution and ServiceNow VRM, and it simplified the transition for employees and vendors.

Defining the schema for the vendor database records

Establishing a schema for storing data about vendors and devices helped us better understand assessment requirements. ServiceNow VRM integrates with ServiceNow IT Service Management (ITSM) to track and resolve vendor assessment issues and tasks. It also supplies the schema for vendor records, which directly affects the simplicity and accuracy of the integration and future IT Security assessments.

Configuring and testing vendor assessment forms

We use forms in ServiceNow VRM to create reusable assessment templates. All individual assessments are created using a form, which ensures consistency, reduces potential for human error, and reduces manual effort for assessment creation and management. We also perform all form and assessment tasks in the ServiceNow VRM portal, which creates experience continuity for our employees and security team members. Vendors simply complete individual assessments, which are then reviewed for validity. Assessment answers that require further attention or correction generate a prioritized list of issue records for the vendor to review and take action against.
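As an added illustration of the issue-generation and risk-scoring step described above (this is not ServiceNow VRM code, does not use ServiceNow's data model or APIs, and does not reflect the program's real questions, rules, weights or thresholds; every identifier and value below is a constructed assumption), the following Python sketch turns questionnaire answers into a severity-prioritized list of issue records and a pre-assessment risk score that selects the depth of review. Unanswered questions are deliberately treated as failing so a blank answer cannot lower the score.

```python
"""Hypothetical model of questionnaire-driven issue generation and risk scoring.

Added example, not ServiceNow VRM code. Question ids, rules, severities,
the scoring formula and the review thresholds are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    question_id: str            # constructed question id
    failing_answers: frozenset  # normalized answers that raise an issue
    severity: int               # constructed scale: 1 (low) .. 4 (critical)
    title: str                  # issue title shown to the vendor


@dataclass
class Issue:
    question_id: str
    severity: int
    title: str
    answer: str                 # the answer that triggered the issue


# Constructed rule set for an IoT device questionnaire (not the program's real questions).
RULES = [
    Rule("q_default_creds", frozenset({"yes"}), 4,
         "Device ships with default credentials that cannot be changed"),
    Rule("q_transport_encryption", frozenset({"no"}), 3,
         "Device traffic is not encrypted in transit"),
    Rule("q_firmware_updates", frozenset({"no", "manual-only"}), 3,
         "No signed automatic firmware update mechanism"),
    Rule("q_remote_mgmt_exposed", frozenset({"yes"}), 3,
         "Management interface reachable beyond the local network segment"),
    Rule("q_sbom_provided", frozenset({"no"}), 2,
         "No software bill of materials supplied"),
    Rule("q_vuln_disclosure_policy", frozenset({"no"}), 2,
         "Vendor has no vulnerability disclosure process"),
]


def generate_issues(answers, rules=RULES):
    """Apply the issue-generation rules to a dict of question_id -> answer.

    Returns issues sorted by severity, highest first; a missing answer is
    treated as failing so vendors cannot improve their score by leaving blanks.
    """
    issues = []
    for rule in rules:
        raw = answers.get(rule.question_id)
        if raw is None:
            issues.append(Issue(rule.question_id, rule.severity, rule.title, "(unanswered)"))
            continue
        normalized = raw.strip().lower()
        if normalized in rule.failing_answers:
            issues.append(Issue(rule.question_id, rule.severity, rule.title, normalized))
    # Stable sort keeps rule order for equal severities.
    issues.sort(key=lambda i: -i.severity)
    return issues


def risk_score(issues):
    """Constructed scoring: sum of squared severities, capped at 100."""
    return min(100, sum(i.severity ** 2 for i in issues))


def review_depth(score):
    """Map a pre-assessment score to the depth of review (constructed thresholds)."""
    if score == 0:
        return "abbreviated review"
    if score < 20:
        return "in-depth questionnaire"
    return "in-depth questionnaire and device test"


# Constructed sample answers for one vendor; q_vuln_disclosure_policy is left blank.
SAMPLE_ANSWERS = {
    "q_default_creds": "No",
    "q_transport_encryption": "no",
    "q_firmware_updates": "Manual-only",
    "q_remote_mgmt_exposed": "no",
    "q_sbom_provided": "yes",
}


def assess(answers):
    """Run the full pipeline and return (issues, score, depth)."""
    issues = generate_issues(answers)
    score = risk_score(issues)
    return issues, score, review_depth(score)


if __name__ == "__main__":
    found, score, depth = assess(SAMPLE_ANSWERS)
    print(f"risk score {score}, review depth: {depth}")
    for issue in found:
        print(f"  [sev {issue.severity}] {issue.title} (answer: {issue.answer})")
```

Running the module prints three prioritized issues for the sample vendor (two of severity 3 and one severity 2 for the unanswered disclosure question), a score of 22, and the deepest review tier. The same pipeline with all answers passing yields no issues and the abbreviated tier.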

Documenting and configuring notifications and reminders

We manage all assessment workflow communication within the ServiceNow VRM portal. We’ve customized communications for each of the Microsoft business groups using ServiceNow VRM, including the different assessment types used. All communication and handoff data are tracked, including which assessment is being performed, why it’s being performed, and who is responsible for the process.

End-to-end testing and pilot

Before deploying ServiceNow VRM to the larger group of IoT vendors, we ran a test pilot for the onboarding processes with a single vendor. We used this pilot to confirm processes, test end-to-end functionality, and make any necessary adjustments to our onboarding processes.

Benefits

Centralizing and automating our IoT vendor risk assessment process using ServiceNow VRM has vastly improved the end-to-end experience for our employees, vendors, and the IoT security team. Some of the most significant benefits include:

  • Manual effort reduced by more than 50 percent. The combination of issue generation rules, risk score calculation, and email templates has greatly reduced the manual effort required across our vendor assessment process. Our employees and vendors enjoy a more streamlined experience while our security team can focus on the technical aspects of the assessment rather than on process logistics.
  • Simplified communication. Access through the ServiceNow VRM portal means that all parties involved review and take part in the assessment process in real time and from a single interface. The number of messages sent between employees and vendors is greatly reduced while overall communication and visibility into the assessment process increases.
  • Better understanding of IoT security assessment health. Increased monitoring capabilities, accurate metrics, and complete auditing capability in ServiceNow VRM make it easier for us to understand exactly what’s happening in the assessment environment. We can instantly obtain important insights including ongoing assessments, completed assessments, repeated assessments, issues generated, and end-to-end assessment timelines.

Key Takeaways

Our IoT Security Assessment program is only the beginning of our process evolution. Here are the next steps that we will take on our journey:

  • Extend our ServiceNow VRM capabilities to include implementing a fully automated, no-touch assessment process for low-priority assessments, and vendor-tiering to calculate vendor risk-level.
  • Add automated IoT security risk data uploads to our ServiceNow VRM.
  • Bring the benefits captured by the IoT Security Assessment program to the rest of Microsoft, which will unify our vendor management processes.
