5.3 Flashcards

Third-party risk assessment, agreement types

1
Q

A condition outlined in a contract between an organization and a third-party that says that the organization is allowed to perform a security audit on the third-party.

A

Right-to-audit clause

2
Q

A document that defines the purpose and scope of a penetration test.

It includes when the test will happen, what systems are included or exempted from the test, the IP address ranges that will be tested, contact information of people to notify in case something goes awry, how to handle sensitive data, and whether the test occurs internally or externally.

A

Rules of engagement

3
Q

Documentation that a third-party provides to the organization it has an agreement with, verifying that the third-party performs its own internal security audits and that those audits are genuine and thorough.

These documents may be required for compliance with industry standards.

A

Evidence of internal audits

4
Q

A common way for an organization to actively verify a third-party's security posture: a simulated attack against the third-party's systems, carried out within agreed rules of engagement.

A

Pentesting

5
Q

The process of evaluating the security of third-party products, from raw materials to the final deliverable.

Includes communication between the organization and third-party, IT systems, patches, physical security, etc.

A

Supply chain analysis

6
Q

The process of bringing in an outside contractor to evaluate the security of your organization and provide recommendations.

This knowledgeable third-party may be able to provide a different perspective and seasoned skills that can benefit the company.

A

Independent assessment

7
Q

The process of investigating and getting more information about a company before doing business with them.

A

Due diligence

8
Q

A situation in which something might compromise the judgement of either side of a business relationship. It may prevent the two companies from doing business with each other.

Ex. A third-party you want to do business with also works with your competitor.
The third-party employs a relative of your organization’s executive.

A

Conflict of interest

9
Q

The ongoing management and assessment of the vendor relationship, which continues after the contract is signed.

Includes regular financial health checks, IT security reviews, and monitoring of news articles and social media posts about the vendor.

A

Vendor monitoring

10
Q

A simple way to find out more information about how a vendor does business. A method used to carry out due diligence.

The results are used to update a vendor risk analysis. It also allows you to recommend solutions to the vendor for better security.

Includes questions about their due diligence process, their disaster recovery plans, their storage methods, etc.

A

Questionnaire

11
Q

SLA stands for

A

Service-Level Agreement

12
Q

MOA stands for

A

Memorandum of Agreement

13
Q

MOU stands for

A

Memorandum of Understanding

14
Q

MSA stands for

A

Master Service Agreement

15
Q

WO stands for

A

Work Order

16
Q

SOW stands for

A

Statement of Work

17
Q

True/False

WO and SOW refer to the same type of document

A

True

18
Q

A document that lists the minimum terms for services provided.

This document is typically used between customers and service providers.

Ex. Uptime, response time agreement

Ex. No more than 4 hours of unscheduled downtime, and during any downtime, a technician should be dispatched

Ex. The customer is required to keep spare parts onsite

A

SLA

19
Q

NDA stands for

A

Non-Disclosure Agreement

20
Q

BPA stands for

A

Business Partners Agreement

21
Q

A document that provides very broad common goals between two organizations that would like to work together. Both sides agree in general to the contents.

This is NOT a signed, legal contract.

A

MOU

22
Q

A document that describes in detail the relationship between two organizations that want to work together. It is one step above the MOU.

It is a legal document and may contain some legally-binding terms, but it is NOT a full, legally-binding contract.

A

MOA

23
Q

A document that sets the terms between two organizations that want to work with each other. It may also include terms that establish a framework for future transactions.

This is a legally-binding contract.

Used as a foundation that additional services will use going forward between the two companies.

Ex. How billing works, terms of service, how payment system works.

A

MSA

24
Q

A document that includes a detailed breakdown that lists what services will be provided and when. It lists specific items that need to be completed.

Used in conjunction with the MSA to avoid renegotiating basic terms of the contract, instead focusing on detailed, specific tasks.

In essence, it helps evaluate whether the job was done properly.

Ex. The scope of the job, the location, deliverables schedule, acceptance criteria, etc.

A

WO / SOW

25
Q

A document that prevents confidential information shared between the parties from being disclosed to others.

A legally-binding contract.

Ex. Trade secrets, business activities, etc.

A

NDA

26
Q

2 types of NDAs

A

Unilateral/one-way

Bilateral/mutual

27
Q

A document that describes the financial details associated with the agreement, and what type of ownership stake is acquired as part of the agreement. This document is made when two organizations begin a formal relationship.

It also describes who makes business decisions - documenting specific individuals and scope.

It also details what happens when things go wrong - financial issues, disaster recovery, etc.

A

BPA

28
Q

4 things a BPA lists

A

Financial details
Ownership stake
Business decisions
Contingency plans