06. Management of External Services (332) Flashcards

1
Q

TPRM

Third Party Risk Management activities are used to discover and manage risks associated with external third parties

332

A
2
Q

TPRM

Security managers should consult with several stakeholders in the organisation to identify subsets of third parties. Stakeholders include:

  • Legal
  • Procurement
  • Accounts payable
  • Information Technology
  • Facilities
  • Department heads and business unit leaders
  • Location specific leaders

337

A
3
Q

TPRM Life Cycle

Managing business relationships with third parties is a life cycle process:

  • Initial assessment: third party suitability assessment
  • Onboarding: beginning the business relationship, establish risk level criteria
  • Legal agreement: legal agreements finalised

339

A
4
Q

Risk Tiering and Vendor Classification

  • Not possible in large organisations to perform due diligence on all third party vendors.
  • Organisations should apply a risk based approach and classify vendors according to risk level.
  • Examples of vendor classification criteria:

  • Volume of sensitive customer data: amount of customer sensitive data
  • Volume of sensitive internal data: amount of sensitive internal data
  • Operational criticality: how much the organisation depends on the vendor for day to day operations
  • Physical access: degree to which the vendor has physical access to the organisation's information processing centers
  • Access to systems: ability of the third party to access information systems
  • Contractual obligations: requirements to maintain a security program as part of the contract

342

A
5
Q

Assessing Third Parties

Techniques to assess third parties:

  1. Questionnaires
  2. Questionnaire confirmation
  3. Site visit
  4. External attestations
  5. External business intelligence
  6. External cyber intelligence
  7. Security scans and penetration tests
  8. Intrusive monitoring

344

A
6
Q

Questionnaires and Evidence

Sending a questionnaire to the third party periodically, with a request to answer the questions and provide specific artifacts to serve as evidence for the responses.

346

A
7
Q

Proactive Issue Remediation

Risks of outsourcing to third parties can be remedied through contract provisions:

  1. Service Level Agreements
  2. Quality
  3. Security Policy and Controls
  4. Business Continuity
  5. Employee Integrity
  6. Ownership of intellectual property
  7. Roles and Responsibilities
  8. Schedule
  9. Regulation
  10. Warranty
  11. Dispute and resolution
  12. Payment

347

A