10: 3 Supply Chain Risk

Question 1

Vendor Security Policy Minimum

Answer 1

ensure that vendors policies are at least as stringent as your own

Question 2

Vendor Management Lifecycle (1)

Answer 2

Vendor Selection - May use Request for Proposals, or an informal process. Assess provider’s risk management program.

Question 3

Vendor Management Lifecycle (2)

Answer 3

Onboarding - Verify contract details, arrange secure data transfer, establish incident procedures

Question 4

Vendor Management Lifecycle (3)

Answer 4

Monitoring - Conduct site visits, review independent audits, handle security audits

Question 5

Vendor Management Lifecycle (4)

Answer 5

Offboarding - Destroy confidential information, unwind a business relationship gracefully

Question 6

NDAs

Answer 6

Non-disclosure agreement

Question 7

SLR

Answer 7

Service Level Requirements, document specific requirements customer has about any aspect of the vendor (i.e. system response time)

Question 8

SLA

Answer 8

Service Level Agreement - describes condition of service and any penalties

Question 9

MOU

Answer 9

Memorandum of Understanding - letter written to document aspect of relationship (often can be within same organization)

Question 10

BPA

Answer 10

Business Partnership Agreement (Responsibilties, division of profits

Question 11

ISA

Answer 11

Interconnection Security Agreement - standards used

Question 12

MSA

Answer 12

Master Services Agreement - Includes all key terms used to govern relationship

Question 13

SOW

Answer 13

Statement of Work - for an individual project, governed by MSA

Question 14

Data Ownership Language

Answer 14

Customer Retains ownership, vendor right to use info is limited, agreements should limit data sharing with third parties

Question 15

Data protection provisions

Answer 15

important if vendor will be sole custodian of information

Question 16

Assessment vs Audits origin

Answer 16

Assessments requested by an orgs IT staff, while Audits are performed at request of someone else

Question 17

Audit

Answer 17

Detailed tests on a specific standard - Follows a formal standard and a review period, should have clearly defined scope

Question 18

Internal Auditors

Answer 18

Works for the org but reports independently, performing work at request of org leadership

Question 19

External Auditors

Answer 19

Independent firms that normally perform audits at request of org leadership or regulators

Question 20

User Access Review

Answer 20

Validate rights and permissions

Question 21

Gap Analysis

Answer 21

Provides a roadmap for future work

Question 22

Use of Cloud Service providers on audits

Answer 22

Expands the scope of the audit

Question 23

SOC Reports

Answer 23

Service Organizational control reports - Audits done by cloud providers themselves

Question 24

SOC 1

Answer 24

Provides assurance required for customer financial audits

Question 25

SOC 2

Answer 25

Provides detailed assurance of confidentiality, integrity, and availability controls

Question 26

SOC 3

Answer 26

Provides high-level public reporting of confidentiality, integrity, and availability controls

Question 27

Type 1 Report

Answer 27

Describes the controls that the provide has in place and an opinion on the suitability of these controls

Question 28

Type 2 Report

Answer 28

Includes the Type 1 information, and a test to ensure the controls are working