Section 10.92 Vendor Assessment Flashcards
Objectives 2.2 Explain common threat vectors and attack surfaces. Objectives 2.3 Explain various types of vulnerabilities. Objectives 5.3 Explain the processes associated with third-party risk assessment and management.
Vendor Assessments
Process to evaluate the security, reliability, and performance of external entities
Crucial due to interconnectivity and potential impact on multiple businesses
Entities in Vendor Assessment
Vendors
Provide goods or services to organizations
e.g. Microsoft
Suppliers
Involved in production and delivery of products or parts
e.g. a computer manufacturer might have multiple suppliers providing processors, memory, hard drives, etc.
Managed Service Providers (MSPs)
Manage IT services on behalf of organisations
e.g. AWS or Google Cloud
Penetration Testing of Suppliers
Simulated cyberattacks to identify vulnerabilities in supplier systems
■ Validates supplier’s cybersecurity practices and potential risks to your organization
Right-to-Audit Clause
Contract provision allowing organizations to evaluate vendor’s internal processes for compliance
■ Ensures transparency and adherence to standards
Internal Audits
Vendor’s self-assessment of practices against industry or organisational requirements
■ Demonstrates commitment to security and quality
Vendor to carry out its own internal audits
Independent Assessments
Evaluations conducted by third-party entities without a stake in the organization or vendor
■ Provides a neutral perspective on adherence to security or performance standards
Supply Chain Analysis
Assessment of an entire vendor supply chain for security and reliability
■ Ensures integrity of the vendor’s entire supply chain, including sources of parts or products