Third-Party Vendor Risk Flashcards
Supply Chain Attacks
■ An attack that compromises a weaker link in the supply chain (a supplier or
service provider) in order to reach the primary target
■ Exploits vulnerabilities in suppliers or service providers, whose access is
trusted, to get into the target's better-defended systems
Safeguarding Against Supply Chain Attacks
■ Vendor Due Diligence
● Rigorous evaluation of a vendor's cybersecurity and supply chain practices
before onboarding
■ Regular Monitoring & Audits
● Continuous monitoring and periodic audits of the supply chain to detect
suspicious activity
■ Education and Collaboration
● Sharing threat information and best practices within the industry
● Collaborating with other organizations and industry groups for joint defense
■ Incorporating Contractual Safeguards
● Embedding cybersecurity clauses in contracts with suppliers or service
providers
● Requiring adherence to security standards, with legal repercussions for
non-compliance
Vendor Assessments
■ Process to evaluate the security, reliability, and performance of external entities
■ Crucial due to interconnectivity and potential impact on multiple businesses
Entities in Vendor Assessment
■ Vendors
● Provide goods or services to organizations
■ Suppliers
● Involved in production and delivery of products or parts
■ Managed Service Providers (MSPs)
● Manage IT services on behalf of organizations
Right-to-Audit Clause
■ Contract provision that lets the organization inspect a vendor's internal
processes and controls for compliance, rather than relying only on the vendor's
own reporting
■ Ensures transparency and adherence to the agreed standards
Internal Audits
■ Vendor’s self-assessment of practices against industry or organizational
requirements
■ Demonstrates commitment to security and quality
Independent Assessments
■ Evaluations conducted by third-party entities without a stake in the organization
or vendor
■ Provides a neutral perspective on adherence to security or performance
standards
Supply Chain Analysis
■ Assessment of an entire vendor supply chain for security and reliability
■ Ensures integrity of the vendor’s entire supply chain, including sources of parts or
products
Vendor Questionnaires
■ Provide insight into a vendor's operations, capabilities, and compliance
posture
■ Standardized criteria allow fair, informed comparison between vendors
■ Answers are self-reported, so supporting evidence should be requested for
critical controls
Rules of Engagement
■ Cover communication protocols, data sharing, and negotiation boundaries
■ Ensure productive and compliant interactions
Vendor Monitoring
■ Mechanism used to ensure that the chosen vendor still aligns with organizational
needs and standards
■ Performance reviews assess deliverables against agreed-upon standards and
objectives
■ Feedback loops
● Involve a two-way communication channel where both the organization
and the vendor share feedback
Service Level Agreement (SLA)
● Defines the standard of service a client can expect from a provider
● Includes performance benchmarks and penalties for deviations
Memorandum of Agreement (MOA)
● Formal document that outlines the specific responsibilities and roles of each
party
Memorandum of Understanding (MOU)
● Less binding; expresses mutual intent without detailed specifics
Master Service Agreement (MSA)
● Covers general terms of engagement across multiple transactions
● Used for recurring client relationships, supplemented by Statements of
Work
Statement of Work (SOW)
● Specifies project details, deliverables, timelines, and milestones
● Provides in-depth project-related information
Non-Disclosure Agreement (NDA)
● Ensures confidentiality of sensitive information shared during
negotiations
● Commitment to privacy, protecting proprietary data
Business Partnership Agreement (BPA) or Joint Venture Agreement (JV)
● Goes beyond basic contracts when two entities collaborate
● Outlines partnership nature, profit-sharing, decision-making, and exit
strategies
● Defines ownership of intellectual property and revenue distribution