Domain 5 :Explain the processes associated with third-party risk assessment and management

Question 1

Vendor assesment

Answer 1

A vendor assessment is a thorough background check for potential suppliers that allows an organization to gauge their due diligence, competence, and dependability for the safeguarding of business interests and stringent quality control.

Question 2

Penetration testing

Answer 2

is a structured and authorized examination of a company’s network, applications, or systems. It aims to identify and assess potential vulnerabilities that could be exploited by malicious entities. The intention is not to damage but to unveil weak points to help organizations strengthen their defenses

Question 3

Unknown environment:

Answer 3

Pen testers in an unknown environment (previously known as a black box) are provided with no preliminary information about the company. They focus on external exploitation strategies to unearth vulnerabilities, thereby emulating the approach of real-world attackers.

Question 4

partially known environment

Answer 4

Pen testers in a partially known environment (previously known as a gray box) are privy to limited internal information.

Question 5

Known Enviorment

Answer 5

Pen testers in a known environment (previously known as a white box) have comprehensive access to system and application details, including source code, and provide a thorough and detailed analysis of security postures. They test applications prior to release to ensure that there are no vulnerabilities. They are normally on the payroll

Question 6

Bug bounty

Answer 6

: A bug bounty works on a reward basis to uncover vulnerabilities that might escape notice during regular security audits

Question 7

Right-to-audit clause:

Answer 7

Including a right-to-audit clause in agreements with vendors is crucial for maintaining transparency and trust.

Question 8

Supply Chain analyisis

Answer 8

Supply chain analysis is essential as it uncovers risks associated with a vendor’s suppliers and subcontractors. It examines various components of a vendor’s supply chain, evaluating the stability, security, and reliability of each link.

Question 9

Supply Chain

Answer 9

supply chain is a network of companies and people that are involved in the production and delivery of a product or service

Question 10

Due diligence

Answer 10

Due diligence is essential to any vendor selection. It’s a rigorous investigation and evaluation process, in which organizations scrutinize potential vendors on various fronts, including financial stability, operational capabilities, compliance with relevant regulations, and past performance

Question 11

Conflicts of Interest

Answer 11

Identifying and managing conflicts of interest is crucial to maintaining the impartiality and fairness of the vendor selection process. Organizations must evaluate any existing relationships or affiliations between decision-makers and potential vendors that could influence the selection process unduly, and subsequently address these conflicts of interest to uphold transparency

Question 12

Agreement Types

Answer 12

A thorough understanding of the different agreement types is pivotal in third-party risk assessments, as they establish clear, contractual foundations, outlining responsibilities, expectations, and liabilities, and thereby mitigate unforeseen vulnerabilities:

Question 13

Service-level-agreements

Answer 13

An SLA is a contractual arrangement between a service provider and a recipient that outlines the expected level of service.

Question 14

Memorandum of Agreement (MOA)

Answer 14

An MOA is legally binding. It meticulously outlines the terms and conditions and detailed roles and responsibilities of the parties involved. The MOA serves to clarify the expectations and obligations of each party to avoid disputes and ensure mutual understanding and cooperation.

Question 15

Master Service Agreement (MSA)

Answer 15

The MSA articulates the general terms and conditions governing a contractual relationship between the involved entities.

Question 16

Work Order (WO)/Statement of Work (SOW):

Answer 16

While an MSA outlines the terms and conditions of a contracted partnership, a WO or SOW looks at the specifics of individual tasks or projects.

Question 17

Business Partnership Agreement (BPA)

Answer 17

A BPA is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared.

Question 18

Vendor Monitoring

Answer 18

Vendor monitoring is a pivotal aspect of third-party risk management and provides a systematic approach to the evaluation and oversight of vendors’ performance and compliance

Question 19

Questionnaires

Answer 19

Questionnaires, in the context of vendor monitoring, are structured surveys or sets of inquiries systematically designed to gather detailed information about various aspects of a vendor’s operations

Question 20

Rules of Engagement

Answer 20

Rules of engagement are essentially guidelines or agreements that outline the expectations, responsibilities, and protocols governing the interaction between an organization and its vendors

Question 21

rules of engagement include

Answer 21

SLAs: In a software development partnership, SLAs can define response times for issue resolution, project milestones, and uptime guarantees.
Payment terms: Rules can detail payment schedules, invoicing procedures, and penalties for late payments, ensuring financial transactions run smoothly.
Communication protocols: Vendors and organizations can specify the preferred communication channels, frequency of updates, and responsible points of contact.
Confidentiality and data security: Rules can outline the measures both parties must take to safeguard sensitive information and protect intellectual property and customer data.

Question 22

LEAP

Answer 22

Cisco created this proprietary EAP authentication type for mutual client and server authentication on its WLANs. The LEAP server sends the client a random challenge, and the client returns a hashed password. Once authenticated, the client asks the server for a password, and a key exchange follows.

PEAP (Protected EAP)

Question 23

RAID 5

Answer 23

RAID 5 (Striping with Parity)

•	Description: Stripes data and parity information across three or more disks.
•	Advantages:
•	Fault tolerance. Can withstand the failure of one disk.
•	Efficient storage utilization (only one disk’s worth of space is used for parity).
•	Disadvantages:
•	Slower write performance due to parity calculations.
•	Use Case: General-purpose systems requiring a balance between performance, fault tolerance, and storage efficiency.

Question 24

RAID 5

Answer 24

RAID 5 (Striping with Parity)

•	Description: Stripes data and parity information across three or more disks.
•	Advantages:
•	Fault tolerance. Can withstand the failure of one disk.
•	Efficient storage utilization (only one disk’s worth of space is used for parity).
•	Disadvantages:
•	Slower write performance due to parity calculations.
•	Use Case: General-purpose systems requiring a balance between performance, fault tolerance, and storage efficiency.

Question 25

EAP-TLS

Answer 25

EAP-TLS provides certificate-based, mutual authentication of the network and the client. Both the client and the server must have certificates to perform this authentication. EAP-TLS randomly generates session-based, user-based Wired Equivalent Privacy (WEP) keys. These keys secure communications between the AP and the WLAN client.

Question 27

Txt record

Answer 27

A TXT (Text) record is a type of DNS (Domain Name System) record used to associate arbitrary text with a domain name. It is commonly used for various purposes, such as domain verification, email security, and providing human-readable information about a domain. Here are some common uses of TXT records