Domain 6 – Third-Party Risk Management Flashcards
Official (ISC)2 Guide to the HCISPP CBK
Third parties can:
A. Introduce additional risk to an organization if not properly assessed and monitored.
B. Relieve an organization of responsibility during a protected health information breach.
C. Not outsource processing, storage, or transmission of sensitive PHI regardless of contract requirements.
D. Only operate in countries where the original party resides.
A. Introduce additional risk to an organization if not properly assessed and monitored.
What is the BEST reason a healthcare organization should create and maintain a list of third-party organizations it does business with?
A. A list of vendors ensures the contracting office can quickly identify a list of potentially secure companies for new requirements.
B. The listing gives the HCISPP a way to pair each third-party provider with the criticality, frequency and sensitivity of the healthcare information it handles.
C. The list can be used by the marketing firm to determine the best channels to market new electronic health record offerings.
D. The third-party organization list is used by the HCISPP to determine the “How” of protection requirements.
B. The listing gives the HCISPP a way to pair each third-party provider with the criticality, frequency and sensitivity of the healthcare information it handles.
Which of the following would BEST help an HCISPP determine if a third party has met an external attestation for information security or privacy?
A. Financial soundness
B. Length of time vendor has been in business
C. ISO or SSAE No. 16 certifications
D. Past performance reviews
C. ISO or SSAE No. 16 certifications (note: SSAE No. 16 was superseded by SSAE No. 18 in 2017; the SOC reports issued under it are the current form of this attestation)
Which of the following cloud service models requires the cloud provider to provide the majority of the security controls?
A. Infrastructure as a service
B. Software as a service
C. Platform as a service
D. Network as a service
B. Software as a service
What is the BEST way an HCISPP can ensure that information security and privacy is “built-in” to third-party cloud providers?
A. Purchase whatever solution the majority of the market is consuming.
B. Determine security and privacy requirements prior to researching cloud offerings and ensure any cloud providers can meet them.
C. Purchase cloud services and then negotiate with the cloud provider to ensure the exact controls needed are implemented.
D. Ensure the HCISPP is excluded from contract negotiations because security and privacy tend to increase price.
B. Determine security and privacy requirements prior to researching cloud offerings and ensure any cloud providers can meet them.
Which element of third-party management below carries the MOST risk from data remnants (residual data left on the vendor’s systems after the relationship ends)?
A. Integration
B. Termination
C. Operations
D. Selection
B. Termination
When developing a contract with a third party to process, store, and transmit information, which of the following BEST protects the organization?
A. Vendor compliance with laws and regulations, information security and privacy safeguards, right-to-audit clauses, and full risk transfer to the vendor.
B. Full risk transfer to the vendor, information security and privacy safeguards, right-to-audit clauses, and data breach notification.
C. Vendor compliance with laws and regulations, full risk transfer to the vendor, right-to-audit clauses, and data breach notification.
D. Vendor compliance with laws and regulations, information security and privacy safeguards, right-to-audit clauses, and data breach notification.
D. Vendor compliance with laws and regulations, information security and privacy safeguards, right-to-audit clauses, and data breach notification.
Which of the following BEST explains when employee background investigations should be required of a third-party vendor?
A. Only when working with a vendor outside of the organization’s home country or jurisdiction.
B. Only when working with a vendor inside of the organization’s home country or jurisdiction.
C. In any contract where the organization has a legal, regulatory, or risk management requirement to ensure information is protected against unauthorized disclosure.
D. In any contract where the vendor will perform research using de-identified information from the organization.
C. In any contract where the organization has a legal, regulatory, or risk management requirement to ensure information is protected against unauthorized disclosure.
An interconnection security agreement BEST serves to:
A. Establish and memorialize security and privacy expectations for interconnecting parties.
B. Establish fault after a breach and determine which party is most liable.
C. Establish responsibility for network related costs.
D. Memorialize employee access conditions for each party’s data.
A. Establish and memorialize security and privacy expectations for interconnecting parties.
The ________ is MOST responsible for performing due diligence to determine the level of risk introduced by a vendor or third party.
A. Sub-vendor
B. Third-party assessor
C. Business Associate
D. Primary entity
D. Primary entity