5.3 Third-party Risk Assessment Flashcards

1
Q

Questionnaires

A

An important part of due diligence and ongoing vendor monitoring
– Get answers directly from the vendor
* Security-related questions
– What is the vendor’s due diligence process?
– What plans are in place for disaster recovery?
– What secure storage method is used for company data?
– And more
* Results are used to update a vendor risk analysis
– Updated during the life of the vendor relationship

2
Q

Rules of engagement

A

An important document
– Defines purpose and scope
– Makes everyone aware of the test parameters
* Type of testing and schedule
– On-site physical breach, internal test, external test
– Normal working hours, after 6 PM only, etc.
* The rules
– IP address ranges
– Emergency contacts
– How to handle sensitive information
– In-scope and out-of-scope devices or applications

3
Q

Common agreements

A

Service Level Agreement (SLA)
– Minimum terms for services provided
– Uptime, response time agreement, etc.
– Commonly used between customers and service providers
* Contract with an Internet provider
– SLA is no more than four hours of unscheduled downtime
– Technician will be dispatched
– May require customer to keep spare equipment on-site
* Memorandum of Understanding (MOU)
– Both sides agree in general to the contents of the memorandum
– Usually states common goals, but not much more
– May include statements of confidentiality
– Informal letter of intent; not a signed contract
* Memorandum of Agreement (MOA)
– The next step above an MOU
– Both sides conditionally agree to the objectives
– Can also be a legal document, even without legal language
– Unlike a contract, may not contain legally enforceable promises
* Master Service Agreement (MSA)
– Legal contract and agreement of terms
– A broad framework to cover later transactions
– Many detailed negotiations happen here
– Future projects will be based on this agreement
* Work order (WO) / Statement of Work (SOW)
– Specific list of items to be completed
– Used in conjunction with an MSA
– Details the scope of the job, location, deliverables, schedule, acceptance criteria, and more
– Was the job done properly? Let’s refer to the SOW.

4
Q

Non-disclosure agreement (NDA)

A

Confidentiality agreement between parties
– Information in the agreement should not be disclosed
* Protects confidential information
– Trade secrets
– Business activities
– Anything else listed in the NDA
* Unilateral or bilateral (or multilateral)
– One-way NDA or mutual NDA
* Formal contract
– Signatures are usually required

5
Q

Common agreements

A

Business Partners Agreement (BPA)
– Going into business together
– Owner stake
– Financial contract
* Decision-making
– Who makes the business decisions?
– The BPA lists specific individuals and scope
* Prepare for contingencies
– Financial issues
– Disaster recovery
