Third-Party Vendor Risks Flashcards
■ Products like routers and switches are composed of many components from various suppliers
■ Component tampering or untrustworthy vendors can introduce vulnerabilities
■ Rigorous supply chain assessments needed to trace origins and component integrity
■ Trusted foundry programs ensure secure manufacturing
Hardware Manufacturers
■ An attack that targets a weaker link in the supply chain to gain access to a primary target
■ Exploit vulnerabilities in suppliers or service providers to access more secure systems
Supply Chain Attacks
■ U.S. federal statute providing funding to boost semiconductor research and manufacturing in the U.S.
■ Aims to reduce reliance on foreign-made semiconductors, strengthen the domestic supply chain, and enhance security
CHIPS Act of 2022
● Essential components in a wide range of products, from smartphones and cars to medical devices and defense systems
Semiconductors
■ Process to evaluate the security, reliability, and performance of external entities
■ Crucial due to interconnectivity and potential impact on multiple businesses
Vendor Assessments
Entities in Vendor Assessment
Vendors - provide goods or services
Suppliers - involved in production and delivery of products or parts
Managed Service Providers (MSPs) - manage IT services on behalf of organizations
● Simulated cyberattacks to identify vulnerabilities in supplier systems
■ Validates the supplier’s cybersecurity practices and identifies potential risks to your organization
Penetration Testing
■ Contract provision allowing organizations to evaluate vendor’s internal processes for compliance
■ Ensures transparency and adherence to standards
Right-to-Audit Clause
■ Vendor’s self-assessment of practices against industry or organizational requirements
■ Demonstrates commitment to security and quality
Internal Audits
■ Evaluations conducted by third-party entities without a stake in the organization or vendor
■ Provides a neutral perspective on adherence to security or performance standards
Independent Assessments
■ Assessment of an entire vendor supply chain for security and reliability
■ Ensures integrity of the vendor’s entire supply chain, including sources of parts or products
Supply Chain Analysis
■ Guidelines for interaction between organization and vendors
■ Cover communication protocols, data sharing, and negotiation boundaries
■ Ensure productive and compliant interactions
Rules of Engagement
■ Comprehensive documents filled out by potential vendors
■ Vendor questionnaires provide insights into operations, capabilities, and compliance
■ Standardized criteria for fair and informed decision-making
Vendor Questionnaires
■ Mechanism used to ensure that the chosen vendor still aligns with organizational needs and standards
■ Performance reviews assess deliverables against agreed-upon standards and objectives
■ Feedback loops
Vendor Monitoring
● Versatile tool that formally establishes a relationship between two parties
● Defines roles, responsibilities, and consequences for non-compliance
● Specifies terms like payment structure, delivery timelines, and product specifications
Basic Contract
● Defines the standard of service a client can expect from a provider
● Includes performance benchmarks and penalties for deviations
● Outlines the expectations regarding the quality, timelines, and scopes of services
Service Level Agreement (SLA)
● Formal, outlines specific responsibilities and roles
OR
● Less binding, expresses mutual intent without detailed specifics
Memorandum of Agreement (MOA) OR Memorandum of Understanding (MOU)
● Covers general terms of engagement across multiple transactions
● Used for recurring client relationships, supplemented by Statements of Work (SOWs)
Master Service Agreement (MSA)
● Specifies project details, deliverables, timelines, and milestones
● Provides in-depth project-related information
Statement of Work (SOW)
● Ensures confidentiality of sensitive information shared during negotiations
● Commitment to privacy, protecting proprietary data
Non-Disclosure Agreement (NDA)
● Goes beyond basic contracts when two entities collaborate
● Outlines partnership nature, profit-sharing, decision-making, and exit strategies
● Defines ownership of intellectual property and revenue distribution
Business Partnership Agreement (BPA) OR Joint Venture Agreement (JV)