Domain 5: Explain the processes associated with third-party risk assessment and management Flashcards

1
Q

Vendor assessment

A

A vendor assessment is a thorough background check for potential suppliers that allows an organization to gauge their due diligence, competence, and dependability for the safeguarding of business interests and stringent quality control.

2
Q

Penetration testing

A

Penetration testing is a structured and authorized examination of a company’s network, applications, or systems. It aims to identify and assess potential vulnerabilities that could be exploited by malicious entities. The intention is not to damage but to unveil weak points to help organizations strengthen their defenses.

3
Q

Unknown environment

A

Pen testers in an unknown environment (previously known as a black box) are provided with no preliminary information about the company. They focus on external exploitation strategies to unearth vulnerabilities, thereby emulating the approach of real-world attackers.

4
Q

Partially known environment

A

Pen testers in a partially known environment (previously known as a gray box) are privy to limited internal information.

5
Q

Known environment

A

Pen testers in a known environment (previously known as a white box) have comprehensive access to system and application details, including source code, and provide a thorough and detailed analysis of security postures. They test applications prior to release to ensure that there are no vulnerabilities. They are normally on the payroll.

6
Q

Bug bounty

A

A bug bounty works on a reward basis to uncover vulnerabilities that might escape notice during regular security audits.

7
Q

Right-to-audit clause

A

Including a right-to-audit clause in agreements with vendors is crucial for maintaining transparency and trust.

8
Q

Supply chain analysis

A

Supply chain analysis is essential as it uncovers risks associated with a vendor’s suppliers and subcontractors. It examines various components of a vendor’s supply chain, evaluating the stability, security, and reliability of each link.

9
Q

Supply Chain

A

A supply chain is a network of companies and people involved in the production and delivery of a product or service.

10
Q

Due diligence

A

Due diligence is essential to any vendor selection. It is a rigorous investigation and evaluation process in which organizations scrutinize potential vendors on various fronts, including financial stability, operational capabilities, compliance with relevant regulations, and past performance.

11
Q

Conflicts of Interest

A

Identifying and managing conflicts of interest is crucial to maintaining the impartiality and fairness of the vendor selection process. Organizations must evaluate any existing relationships or affiliations between decision-makers and potential vendors that could unduly influence the selection process, and subsequently address these conflicts of interest to uphold transparency.

12
Q

Agreement Types

A

A thorough understanding of the different agreement types is pivotal in third-party risk assessments, as they establish clear contractual foundations, outlining responsibilities, expectations, and liabilities, and thereby mitigate unforeseen vulnerabilities.

13
Q

Service-level agreement (SLA)

A

An SLA is a contractual arrangement between a service provider and a recipient that outlines the expected level of service.

14
Q

Memorandum of Agreement (MOA)

A

An MOA is legally binding. It meticulously outlines the terms and conditions and detailed roles and responsibilities of the parties involved. The MOA serves to clarify the expectations and obligations of each party to avoid disputes and ensure mutual understanding and cooperation.

15
Q

Master Service Agreement (MSA)

A

The MSA articulates the general terms and conditions governing a contractual relationship between the involved entities.

16
Q

Work Order (WO)/Statement of Work (SOW)

A

While an MSA outlines the terms and conditions of a contracted partnership, a WO or SOW looks at the specifics of individual tasks or projects.

17
Q

Business Partnership Agreement (BPA)

A

A BPA is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared.

18
Q

Vendor Monitoring

A

Vendor monitoring is a pivotal aspect of third-party risk management and provides a systematic approach to the evaluation and oversight of vendors’ performance and compliance.

19
Q

Questionnaires

A

Questionnaires, in the context of vendor monitoring, are structured surveys or sets of inquiries systematically designed to gather detailed information about various aspects of a vendor’s operations.

20
Q

Rules of Engagement

A

Rules of engagement are essentially guidelines or agreements that outline the expectations, responsibilities, and protocols governing the interaction between an organization and its vendors.

21
Q

Rules of engagement include

A

SLAs: In a software development partnership, SLAs can define response times for issue resolution, project milestones, and uptime guarantees.
Payment terms: Rules can detail payment schedules, invoicing procedures, and penalties for late payments, ensuring financial transactions run smoothly.
Communication protocols: Vendors and organizations can specify the preferred communication channels, frequency of updates, and responsible points of contact.
Confidentiality and data security: Rules can outline the measures both parties must take to safeguard sensitive information and protect intellectual property and customer data.

22
Q

LEAP

A

Cisco created this proprietary EAP authentication type for mutual client and server authentication on its WLANs. The LEAP server sends the client a random challenge, and the client returns a hashed password. Once authenticated, the client asks the server for a password, and a key exchange follows.

PEAP (Protected EAP)

23
Q

RAID 5

A

RAID 5 (Striping with Parity)

•	Description: Stripes data and parity information across three or more disks.
•	Advantages:
	•	Fault tolerance: can withstand the failure of one disk.
	•	Efficient storage utilization (only one disk’s worth of space is used for parity).
•	Disadvantages:
	•	Slower write performance due to parity calculations.
•	Use case: General-purpose systems requiring a balance between performance, fault tolerance, and storage efficiency.

25
Q

EAP-TLS

A

EAP-TLS provides certificate-based, mutual authentication of the network and the client. Both the client and the server must have certificates to perform this authentication. EAP-TLS randomly generates session-based, user-based Wired Equivalent Privacy (WEP) keys. These keys secure communications between the AP and the WLAN client.

Q

TXT record

A

A TXT (Text) record is a type of DNS (Domain Name System) record used to associate arbitrary text with a domain name. It is commonly used for various purposes, such as domain verification, email security, and providing human-readable information about a domain. Here are some common uses of TXT records