Domain 5: Explain the processes associated with third-party risk assessment and management Flashcards
Vendor assessment
A vendor assessment is a thorough background check for potential suppliers that allows an organization to gauge their due diligence, competence, and dependability for the safeguarding of business interests and stringent quality control.
Penetration testing
Penetration testing is a structured and authorized examination of a company's network, applications, or systems. It aims to identify and assess potential vulnerabilities that could be exploited by malicious entities. The intention is not to damage but to unveil weak points to help organizations strengthen their defenses.
Unknown environment:
Pen testers in an unknown environment (previously known as a black box) are provided with no preliminary information about the company. They focus on external exploitation strategies to unearth vulnerabilities, thereby emulating the approach of real-world attackers.
Partially known environment
Pen testers in a partially known environment (previously known as a gray box) are privy to limited internal information.
Known environment
Pen testers in a known environment (previously known as a white box) have comprehensive access to system and application details, including source code, and provide a thorough and detailed analysis of security postures. They test applications prior to release to ensure that there are no vulnerabilities. They are normally on the payroll.
Bug bounty
A bug bounty works on a reward basis to uncover vulnerabilities that might escape notice during regular security audits.
Right-to-audit clause:
Including a right-to-audit clause in agreements with vendors is crucial for maintaining transparency and trust.
Supply chain analysis
Supply chain analysis is essential as it uncovers risks associated with a vendor’s suppliers and subcontractors. It examines various components of a vendor’s supply chain, evaluating the stability, security, and reliability of each link.
Supply Chain
A supply chain is a network of companies and people that are involved in the production and delivery of a product or service.
Due diligence
Due diligence is essential to any vendor selection. It is a rigorous investigation and evaluation process in which organizations scrutinize potential vendors on various fronts, including financial stability, operational capabilities, compliance with relevant regulations, and past performance.
Conflicts of Interest
Identifying and managing conflicts of interest is crucial to maintaining the impartiality and fairness of the vendor selection process. Organizations must evaluate any existing relationships or affiliations between decision-makers and potential vendors that could unduly influence the selection process, and subsequently address these conflicts of interest to uphold transparency.
Agreement Types
A thorough understanding of the different agreement types is pivotal in third-party risk assessments, as they establish clear, contractual foundations, outlining responsibilities, expectations, and liabilities, and thereby mitigate unforeseen vulnerabilities:
Service-level agreement (SLA)
An SLA is a contractual arrangement between a service provider and a recipient that outlines the expected level of service.
Memorandum of Agreement (MOA)
An MOA is legally binding. It meticulously outlines the terms and conditions and detailed roles and responsibilities of the parties involved. The MOA serves to clarify the expectations and obligations of each party to avoid disputes and ensure mutual understanding and cooperation.
Master Service Agreement (MSA)
The MSA articulates the general terms and conditions governing a contractual relationship between the involved entities.