SNFan

The VRM application provides a workflow to assess third parties and ensure that they have sufficient controls to mitigate risk. This includes a portal where vendors can directly log in and respond to assessments. However, it is not unusual for ServiceNow customers to use IP address access control for security, so that only users on the corporate network are able to access the instance. This of course prevents vendors from accessing the portal. What to do?

The first, and most out-of-the-box, option is to work with your Information Security team and request approval to remove the IP address access control. Some tactics you might use here include:

  • Providing information on ServiceNow’s robust security model (a best practices guide is available)
  • Considering services such as ‘Vault’, which can provide a variety of encryption, further safeguarding your instance
  • Performing a penetration test to confirm that no knowledge bases, portal pages or APIs are inadvertently exposed
  • Determining whether the need for Internet access is part of other roadmap items, such as HR onboarding


If, based on your security policy, this first option is not feasible, then an alternative approach is to consider a second instance. In this option, an ‘external’ instance is deployed and data (Engagement, vendor / user and assessment records) is shared between the two using Instance Data Replication (IDR). This approach unfortunately introduces significant license costs – for the extra instances (don’t forget QA!) and for IDR. It also introduces operational complexity (the need to monitor, patch and maintain two production instances).


Are you thinking about deploying Vendor Risk Management and using IP address access control? Are you considering one of these approaches? Or maybe you have another suggestion?
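The penetration-test step in the first option is the one part of this post that can be scripted: before (or while) the IP address access control is lifted, probe the instance from a host outside the allow-list and record which knowledge, portal and REST paths answer without a session. The script below is an added example, not code from the original post or from ServiceNow. The base host `example.service-now.com`, the list of paths, the verdict names and the response heuristics (a JSON `result` on a REST path means exposed; a page containing the `login.do` form or a `user_name` field means gated) are all assumptions to adapt to your own instance, and the sample responses are constructed so it runs offline.

```python
"""Unauthenticated exposure check for a ServiceNow instance.

Added example, not code from the original post. The base URL, the list of
paths and the response heuristics below are assumptions to adapt locally.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Paths worth probing before an instance is opened to the Internet. These are
# assumed examples of commonly served ServiceNow endpoints, not a complete list.
DEFAULT_PATHS: List[str] = [
    "/api/now/table/kb_knowledge?sysparm_limit=1",  # Table API: knowledge articles
    "/api/now/table/sys_user?sysparm_limit=1",      # Table API: user records
    "/sp",                                          # Service Portal
    "/kb_view.do",                                  # classic knowledge view
    "/stats.do",                                    # instance statistics page
]

Fetcher = Callable[[str], Tuple[int, str]]


def fetch_unauthenticated(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET a URL with no session or credentials; return (status, body).

    HTTP error statuses are returned, not raised, so 401/403 can be classified.
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json, text/html"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(path: str, status: int, body: str) -> str:
    """Turn one unauthenticated response into a verdict.

    Heuristics (assumptions): a REST path that answers 200 with a JSON
    "result" is exposed; a UI path that serves the login form is gated; any
    other 200 on a UI path needs a human look.
    """
    if status in (401, 403):
        return "auth_required"
    if status == 404:
        return "not_found"
    if path.startswith("/api/"):
        try:
            data = json.loads(body)
        except ValueError:
            return "non_json"  # e.g. a login page handed back for an API path
        return "EXPOSED" if isinstance(data, dict) and "result" in data else "api_error"
    if status == 200 and ("login.do" in body or 'name="user_name"' in body):
        return "login_page"
    if status == 200:
        return "REVIEW"  # content served without login; confirm it is meant to be public
    return f"http_{status}"


def run_check(base_url: str, paths: List[str] = DEFAULT_PATHS,
              fetch: Fetcher = fetch_unauthenticated) -> Dict[str, str]:
    """Probe every path from outside the corporate network and classify it."""
    return {path: classify(path, *fetch(base_url.rstrip("/") + path)) for path in paths}


def exposed_paths(results: Dict[str, str]) -> List[str]:
    """Paths that reached content without authentication (EXPOSED or REVIEW)."""
    return [p for p, verdict in results.items() if verdict in ("EXPOSED", "REVIEW")]


# Constructed sample responses standing in for a live instance, so the check
# runs offline; they were not captured from any real instance.
EXAMPLE_BASE = "https://example.service-now.com"  # assumed placeholder host
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/api/now/table/kb_knowledge?sysparm_limit=1":
        (200, json.dumps({"result": [{"number": "KB0010001"}]})),
    "/api/now/table/sys_user?sysparm_limit=1":
        (401, json.dumps({"error": {"message": "User Not Authenticated"}})),
    "/sp": (200, '<html><form action="login.do"><input name="user_name"></form></html>'),
    "/kb_view.do": (200, "<html><h1>Knowledge Base</h1><p>An article body</p></html>"),
    "/stats.do": (403, "<html>Forbidden</html>"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline fetcher that serves the constructed responses above."""
    return SAMPLE_RESPONSES.get(url[len(EXAMPLE_BASE):], (404, ""))


if __name__ == "__main__":
    verdicts = run_check(EXAMPLE_BASE, fetch=sample_fetch)
    for path, verdict in verdicts.items():
        print(f"{verdict:14} {path}")
    print("needs attention:", exposed_paths(verdicts))
```

Against a real instance, call `run_check("https://<your-instance>.service-now.com")` with the default live fetcher from a machine that is not in the IP allow-list (a sub-production instance with the control lifted is the safer place to start). Anything reported as EXPOSED is data readable with no login at all; REVIEW entries are pages that rendered without a login form and need a person to decide whether they are meant to be public, which is exactly the list the Information Security team will want to see before approving the change.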
