Exam Objectives 5.3
Explain the processes associated with third-party risk assessment and management.
- Vendor assessment: Ensuring you have the right vendor:
  - Penetration testing: Identifying vulnerabilities in systems or networks
  - Right-to-audit clause: Allows you to audit a vendor
  - Evidence of internal audits: Validates internal controls and risk management
  - Independent assessments: Unbiased evaluations of a vendor’s operations
  - Supply chain analysis: Evaluating risks in a vendor’s supply chain
- Vendor selection: Choosing vendors through comprehensive assessment:
  - Due diligence: Thorough evaluation of a potential vendor’s reliability
  - Conflict of interest: Addressing biases in vendor selection
- Agreement types: Deciding how you will work together:
  - Service-Level Agreement (SLA): Defines service expectations and responsibilities
  - Memorandum of Agreement (MOA): Outlines binding cooperation terms and conditions
  - Memorandum of Understanding (MOU): Documents mutual goals;...