5.3 - CompTIA Security+

Vendor assessment

Penetration testing

  • Penetration testing: A simulated cyber attack against the organization's systems or networks to identify vulnerabilities that could be exploited by attackers. Used to evaluate a vendor's security posture and identify security vulnerabilities.

Right-to-audit clause

  • Right-to-audit clause: A contractual provision that grants an organization the authority to conduct audits or assessments of vendor operational practices, information systems, and security controls.

Evidence of internal audits

  • Evidence of internal audits: When performing vendor due diligence, looking for evidence that the vendor has internal audit practices is crucial. Internal audit provides an independent and objective evaluation of an organization's internal controls, risk management practices, and compliance with policies and regulations.

Independent assessments

  • Independent assessments: Organizations often rely on independent assessments as crucial vendor selection criteria. Independent assessments involve engaging with independent experts to evaluate and verify vendor capabilities, security, and compliance practices.

Supply chain analysis

  • Supply chain analysis: This process evaluates the security posture and risk management practices of all entities involved in the production and delivery of goods, ensuring that each link in the supply chain meets necessary security standards and mitigates potential vulnerabilities.

Vendor selection

Due diligence

  • Due diligence: A legal principle that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system, or investigating vendors.

Conflict of interest

  • Conflict of interest: Occurs when an individual or organization has competing interests or obligations that could compromise their ability to act objectively, impartially, or in the best interest of another party.

Agreement types

Service-level agreement (SLA)

  • Service-level agreement (SLA): A legally binding agreement that sets the service requirements and expectations between a consumer and a provider.

Memorandum of agreement (MOA)

  • Memorandum of agreement (MOA): A legal document forming the basis for two parties to cooperate without a formal contract (a cooperative agreement). Can be legally binding (or not) depending on the specific agreement terms.

Memorandum of understanding (MOU)

  • Memorandum of understanding (MOU): A nonbinding agreement that outlines the intentions, shared goals, and general terms of cooperation between parties.

Master service agreement (MSA)

  • Master service agreement (MSA): A legally binding contract that establishes precedence and guidelines for any business documents that are executed between two parties.

Work order (WO)/statement of work (SOW)

  • Work order (WO)/statement of work (SOW): A legally binding document that defines the expectations, scope, and deliverables for a specific business arrangement.

Non-disclosure agreement (NDA)

  • Non-disclosure agreement (NDA): A legally binding document that ensures the confidentiality and protection of sensitive information shared during the relationship. Is likely to be signed alongside an MOU.

Business partners agreement (BPA)

  • Business partners agreement (BPA): An agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

Vendor monitoring

  • Vendor monitoring: Vendor monitoring involves continuously overseeing and evaluating vendors to ensure ongoing adherence to security standards, compliance requirements, and contractual obligations.

Questionnaires

  • Questionnaires: In vendor management, a structured means of obtaining consistent information from vendors, enabling more effective risk analysis and comparison between them.

Rules of engagement

  • Rules of Engagement (RoE): A definition of how a pen test will be executed and what constraints will be in place. This provides the pen tester with guidelines to consult as they conduct their tests so that they don't have to constantly ask management for permission to do something.