Vendor assessment
Ensuring you have the right vendor
Penetration testing
Identifying vulnerabilities in systems or networks by simulating an attack, under an agreed scope and with written authorization from the system owner
Right-to-audit clause
A contract clause that allows a business to audit its vendor's systems, processes, and controls (itself or through a third party) to verify that the vendor is meeting its contractual and regulatory obligations
Evidence of internal audits
Documents or reports provided by vendors indicating that they have conducted internal audits to ensure their systems and controls are secure and effective
Independent assessments
Evaluations conducted by external assessors to provide impartial insights into a vendor's security infrastructure, often heavily considered during vendor selection and risk assessments
Supply chain analysis
The evaluation of a vendor's supply chain to identify and manage risks presented by subcontractors or suppliers, ensuring the stability and security of the larger supply chain
Vendor selection
The process of choosing a third-party vendor, starting from identifying organizational needs to conducting due diligence, including the evaluation of a vendor's reputation, capabilities, and compliance with laws and regulations
Due diligence
The investigation an organization carries out before entering (and while maintaining) a vendor relationship to identify, assess, and manage the cybersecurity and business risks that vendor introduces, ensuring protection of data and compliance with standards
Conflict of interest
A situation where personal or financial relationships might bias the vendor selection process, necessitating transparency and ethical standards for fair selection
Agreement Types
Formal arrangements between parties that define responsibilities, expectations, and rules for handling data, services, or system interactions, often to ensure security, compliance, and clarity in business or technical relationships
Service level agreement (SLA)
A contract between two companies or a company and an individual that specifies the level of service to be provided, usually as measurable targets (such as uptime or response time) together with the remedies that apply when a target is missed. Supplying replacement equipment within 24 hours after a loss is a simple example of something an SLA might specify
Memorandum of agreement (MOA)
A document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities. Often used interchangeably with memorandum of understanding (MOU), although an MOA is generally the more formal of the two and an MOU is often not legally binding
Master service agreement (MSA)
A contract outlining the general terms and conditions of the vendor–organization relationship, addressing basic elements like payment terms, dispute resolution, and intellectual property considerations
Work order (WO)/statement of work (SOW)
Documents detailing the specific tasks, deliverables, timelines, and particulars of the service upheld by the master service agreement (MSA), aiding in task management and tracking
Non-disclosure agreement (NDA)
A legally binding document that organizations might require of their employees and other people who come into contact with confidential information, prohibiting them from disclosing that information to unauthorized parties
Business partner agreement (BPA)
A type of contract that establishes the responsibilities, rights, and obligations of each partner in a joint business relationship
Vendor monitoring
The continuous tracking of a vendor's performance and adherence to contractual obligations, using KPIs and other metrics to ensure compliance and performance standards are met
Questionnaires
Structured forms used in vendor assessments to gather essential information about a vendor's capabilities, processes, standards, and controls, facilitating risk identification and comparison between vendors
Rules of engagement
Agreed-upon protocols governing interactions, communications, and decision-making processes between an organization and its third-party vendors, incorporated into contracts to ensure enforceability and structured relationships. For a penetration test, the rules of engagement specifically define the scope, testing window, permitted techniques, and points of contact before any testing begins