Third Party Vendor Risks Flashcards

1
Q

Define Third-party Vendor Risks

A

Potential security and operational challenges from external collaborators

Scope:
 Encompasses vendors, suppliers, or service providers

Risks:
 Impact on integrity, data security, and overall business continuity

2
Q

Common Threat Vectors and Attack Surfaces

A

Threat Vectors
 Paths attackers use to gain access

Attack Surfaces
 Points where an unauthorized user can try to enter

3
Q

3 Types of Vulnerabilities

A

1: Hardware Vulnerabilities
 Components with vulnerabilities

2: Software Vulnerabilities
 Applications with hidden backdoors

3: Operational Vulnerabilities
 Lack of cybersecurity protocols

4
Q

Vendor Assessments

A

Evaluation
 Pre-partnership assessment
 Penetration Testing - testing vendor security
 Audit Rights - right to audit vendors
 Evidence Collection - internal and external audit evidence

Vendor Selection and Monitoring
 Importance - meticulous selection process
 Vigilance - Ongoing monitoring of vendor performance

Contracts and Agreements
 Basic Contracts - forming relationships
 Nuanced Agreements - SLAs, MOUs, NDAs for specific safeguards

5
Q

Supply chain risks - hardware manufacturers

A

 Products like routers and switches are composed of many components from various suppliers
 Component tampering or untrustworthy vendors can introduce vulnerabilities
 Rigorous supply chain assessments needed to trace origins and component integrity
 Trusted foundry programs ensure secure manufacturing

6
Q

Supply chain risks - Secondary/Aftermarket Sources

A

 Risk of acquiring counterfeit or tampered devices
 Devices may contain malware or vulnerabilities
 Budget-friendly but high-risk option

7
Q

Supply chain risks - Software Developers/Providers

A

 Software developers and software providers are integral cogs in the supply chain
 However, software can introduce vulnerabilities
 Check for proper licensing, authenticity, known vulnerabilities, and malware
 Open-source software allows source code review
 Proprietary software can be scanned for vulnerabilities

8
Q

Supply chain risks - Service Providers/MSPs

A

Managed Service Providers
 Organizations that provide a range of technology services and support to businesses and other clients

9
Q

Supply chain risks - Security challenges with Software-as-a-Service (SaaS) providers and considerations

A

 Data confidentiality and integrity concerns
 Assess provider’s cybersecurity protocols and support for security incidents
 Vendor selection should consider due diligence, historical performance, and commitment to security

Considerations
 Evaluate data security measures
 Ensure confidentiality and integrity
 Assess cybersecurity protocols
 Response to a security breach

10
Q

Define Supply Chain Attacks

A

 An attack that targets a weaker link in the supply chain to gain access to a primary target
 Exploit vulnerabilities in suppliers or service providers to access more secure systems

11
Q

CHIPS Act of 2022

A

 U.S. federal statute providing funding to boost semiconductor research and manufacturing in the U.S.
 Aims to reduce reliance on foreign-made semiconductors, strengthen the domestic supply chain, and enhance security

12
Q

What are Semiconductors

A

Essential components in a wide range of products, from smartphones and cars to medical devices and defense systems

13
Q

4 ways of Safeguarding Against Supply Chain Attacks

A

1: Vendor Due Diligence
 Rigorous evaluation of vendor cybersecurity and supply chain practices

2: Regular Monitoring & Audits
 Continuous monitoring and periodic audits of supply chains to detect suspicious activities

3: Education and Collaboration
 Sharing threat information and best practices within the industry
 Collaborating with organizations and industry groups for joint defense

4: Incorporating Contractual Safeguards
 Embedding cybersecurity clauses in contracts with suppliers or service providers
 Ensuring adherence to security standards with legal repercussions for non-compliance

14
Q

Define Vendor Assessments

A

 Process to evaluate the security, reliability, and performance of external entities
 Crucial due to interconnectivity and potential impact on multiple businesses
 Entities in Vendor Assessment

15
Q

Managed Service Providers (MSPs)

A

Manage IT services on behalf of organizations

16
Q

Penetration Testing of Suppliers

A

Validates supplier’s cybersecurity practices and potential risks to your organization

17
Q

Right-to-Audit Clause

A

 Contract provision allowing organizations to evaluate vendor’s internal processes for compliance
 Ensures transparency and adherence to standards

18
Q

Independent Assessments

A

 Evaluations conducted by third-party entities without a stake in the organization or vendor
 Provides a neutral perspective on adherence to security or performance standards

19
Q

Supply Chain Analysis

A

 Assessment of an entire vendor supply chain for security and reliability
 Ensures integrity of the vendor’s entire supply chain, including sources of parts or products

20
Q

Vendor Selection Process includes

A

 Evaluating financial stability
 Operational history
 Client testimonials
 On-the-ground practices to ensure cultural alignment
 Check for conflicts of interest that could bias the selection process

21
Q

Vendor Questionnaires

A

 Vendor questionnaires provide insights into operations, capabilities, and compliance
 Standardized criteria for fair and informed decision-making

22
Q

Rules of Engagement

A

 Guidelines for interaction between organization and vendors
 Cover communication protocols, data sharing, and negotiation boundaries
 Ensure productive and compliant interactions

23
Q

Vendor Monitoring

A

 Mechanism used to ensure that the chosen vendor still aligns with organizational needs and standards
 Performance reviews assess deliverables against agreed-upon standards and objectives

24
Q

Feedback loops

A

Involve a two-way communication channel where both the organization and the vendor share feedback

25
Q

7 Types of Contracts and Agreements

A

1: Basic Contract
 Versatile tool that formally establishes a relationship between two parties
 Defines roles, responsibilities, and consequences for non-compliance
 Specifies terms like payment structure, delivery timelines, and product specifications

2: Service Level Agreement (SLA)
 Defines the standard of service a client can expect from a provider
 Includes performance benchmarks and penalties for deviations

3: Memorandum of Agreement (MOA) and Memorandum of Understanding (MOU)
MOA
 Formal, outlines specific responsibilities and roles

MOU
 Less binding, expresses mutual intent without detailed specifics

4: Master Service Agreement (MSA)
 Covers general terms of engagement across multiple transactions
 Used for recurring client relationships, supplemented by Statements of Work

5: Statement of Work (SOW)
 Specifies project details, deliverables, timelines, and milestones
 Provides in-depth project-related information

6: Non-Disclosure Agreement (NDA)
 Ensures confidentiality of sensitive information shared during negotiations
 Commitment to privacy, protecting proprietary data

7: Business Partnership Agreement (BPA) or Joint Venture Agreement (JV)
 Goes beyond basic contracts when two entities collaborate
 Outlines partnership nature, profit-sharing, decision-making, and exit strategies
 Defines ownership of intellectual property and revenue distribution
