Section 10.93 Vendor Selection and Monitoring Flashcards
Objectives 2.2 Explain common threat vectors and attack surfaces.
Objectives 2.3 Explain various types of vulnerabilities.
Objectives 5.3 Explain the processes associated with third-party risk assessment and management.
Vendor Selection and Monitoring
■ Due diligence
A rigorous evaluation that goes beyond surface-level credentials
● Includes the following
○ Evaluating financial stability
○ Operational history
○ Client testimonials
○ On-the-ground practices to ensure cultural alignment
● Similar to hiring a team member
Conflict of Interest
Arises when personal relationships could potentially cloud the judgement of the individuals involved in vendor selection
Vendor Questionnaires
Vendor questionnaires provide insights into operations, capabilities, and compliance
■ Standardised criteria for fair and informed decision-making
Rules of Engagement
Guidelines for interaction between organisation and vendors
■ Cover communication protocols, data sharing, and negotiation boundaries
■ Ensure vendor interactions are productive and compliant
Vendor Continuous Monitoring
Monitoring: Mechanism used to ensure that the chosen vendor still aligns with organisational needs and standards
■ Performance reviews assess deliverables against agreed-upon standards and objectives
■ Feedback loops:
● Involve a two-way communication channel where both the organization and the vendor share feedback