1.12 Applying Supply Chain and Risk Management (SCRM) Concepts Flashcards
What is the primary goal of acquisitions?
To add value to an organization.
Who must security work with to understand the business rationale for acquiring new assets or services during acquisition?
The data owner.
What three things must security know about new assets to best protect them following an acquisition?
How the asset will be used | Who will access the asset | What types of data will the asset store or transfer
What is a Service Level Agreement (SLA) used for when participating with vendors or services?
Documents the security requirements a vendor or service has agreed to meet, so the organization can evaluate different vendors and/or products against those requirements.
Stipulations such as how a vendor will continue to meet security requirements are often in the form of what contract addendum? Give an example.
Service Level Agreements | When a hospital engages a new vendor, an SLA is contracted to ensure the vendor remains HIPAA-compliant in how it handles the hospital's patient data.
What are Service Level Requirements (SLRs)? What may these requirements pertain to?
Additional organizational requirements that must be considered during an acquisition. | They detail service descriptions, set service level targets, and dictate the mutual responsibilities of customer and provider.
Why are Service Level Requirements (SLR) important during the procurement process?
They define the security services and service level targets that each potential supplier can be evaluated against.
When a supplier is selected during the procurement process, what will be used to inform the requirements documented in the Service Level Agreement (SLA)?
Service Level Requirements.
What expectations and stipulations are included in a Service Level Agreement (SLA)?
Service Levels (performance levels) | Governance (customer and provider know who is responsible for what) | Security (expected security controls are in place at the provider, with clear statements of responsibility and accountability, though accountability for the data always remains with the data owner) | Compliance with laws and regulations relating to the customer's industry and place of business | Liability/Indemnification when any element of the SLA is not met or falls below standard.
What is the purpose of a Service Level Report (SLR)?
To identify how well expectations defined in the SLA are being met by the service provider.
Who typically provides Service Level Reports (SLRs)?
Typically, they are provided to the customer by the service provider.
What may be contained in a Service Level Report (SLR)?
Achievement of metrics defined in the Service Level Agreement (SLA) | Identification of issues | Reporting channels | Management | Third-party SOC (Service Organization Control) reports, such as a SOC 2, which provide independent verification and assurance that the terms of the SLA are being met.
When would a third-party audit be beneficial to a customer?
When a customer is unable to evaluate all the facets of a service provider's offering, or when a customer wants an outside company to evaluate whether the terms of a Service Level Agreement (SLA) are being met.