5.3.2 – Organizational Security Policies.Third-party Risk Management

Questions and Answers

What should a company do to protect against the highest risk vendors?

Have security policies and procedures in place (correct)

Avoid working with any third-party vendors

Share all data openly with third parties

Only work with cloud services

Why is it important to categorize the risk associated with providing data to third party vendors?

To avoid sharing any data with third parties

To determine the price of the services

To identify the highest risk vendors (correct)

To increase data sharing with third parties

What happened in November of 2013 involving Target and a third party vendor?

Target refused to work with any third party vendors

An enormous breach to the network was caused by a security policy breach (correct)

All vendors followed security policies strictly

An increase in sales occurred due to effective vendor management

Why is it important to have a list of security requirements in the original contract with a third party vendor?

To understand what the security requirements are and enforce them

What is almost required when working with a cloud service?

Putting your data into that cloud service

What kind of data is shared with third party vendors in business relationships?

Data that's important for business operations

What type of agreement sets a minimum set of service terms for a particular service or product when working with a third party?

Service Level Agreement

Which document acts as an informal letter of intent between two parties and may contain confidential information related to a particular business process?

Memorandum Of Understanding

What type of agreement creates confidentiality between parties to prevent the disclosure of shared information to others?

Non-Disclosure Agreement

Which evaluation assesses the quality of the measurement process used in a company's measurement systems?

Measurement System Analysis

What agreement provides details about ownership stakes, financial agreements, and decision-making in a business partnership?

Business Partnership Agreement

When does a manufacturer stop selling and supporting a product?

End Of Service Life (EOSL)

Which type of agreement is an informal letter of intent that may not have the same binding qualities as a contract?

Memorandum Of Understanding

How did the malware initially infect the Target network?

Through an HVAC vendor connecting to the network

What was a consequence of the malware infecting the Target network?

Gaining access to over 110 million credit card numbers

Why is it important to assess security risks in the supply chain?

To understand where security vulnerabilities may exist

How did SolarWinds customers unknowingly install malware onto their systems?

By downloading software updates provided by SolarWinds

What made customers trust the malware-infected software update from SolarWinds?

Digital signature validation and trust in SolarWinds

What can be a potential security concern between a business partner's network and your corporate network?

Direct network connection without proper monitoring

Why might an IPsec connection between corporations pose a risk?

It provides an easy way for malicious data to move between networks

Why is it important for a company to categorize the risk associated with providing data to third party vendors?

To have security policies and procedures in place.

What is a crucial step in protecting against potential security breaches when working with third party vendors?

Having security requirements stated in the contract.

What role does the original contract play in maintaining security standards with third party vendors?

Providing a framework for security requirements and enforcement.

In what situation would a company not be as vulnerable to data breaches when working with third party vendors?

When data sharing risks are appropriately categorized and mitigated.

What potential consequence could arise if a company fails to categorize the risk associated with sharing data with third party vendors?

Data breaches due to lack of appropriate security measures.

How can having a list of security requirements in the original contract benefit a company working with third party vendors?

Providing a framework for maintaining security standards.

What document provides a way for a company to evaluate and assess the quality of the process used in their measurement systems?

Measurement System Analysis (MSA)

What was the initial infection vector for the malware that affected the Target network?

HVAC vendor's email attachment

In a business partnership, which agreement provides information about ownership stakes, financial agreements, and decision-making processes?

Business Partnership Agreement (BPA)

Why did the malware manage to spread from the HVAC vendor to the Target servers?

Lack of segmentation in the HVAC vendor's network

Which type of agreement is an informal understanding between two parties that may contain confidential information regarding a specific business process?

Nondisclosure Agreement

What allowed attackers to gain access to over 110 million credit card numbers in the Target breach?

Installation of unauthorized software on Target servers

When working with third parties, what provides a minimum set of service terms for a particular service or product?

Service Level Agreement

What is a potential consequence of not assessing security risks in the supply chain?

Loss of intellectual property

What is a common way to manage exactly what type of traffic can be transferred between two networks when in a business partnership?

Including a firewall or filter

Why did SolarWinds customers unknowingly install malware onto their systems?

Trusted a digitally signed update

In the context of confidentiality between parties, which agreement creates privacy between them to avoid disclosing shared information?

Nondisclosure Agreement

How did attackers compromise thousands of networks through SolarWinds?

Installed malware on SolarWinds servers

When planning to go into business with a third party, what might be used as an informal letter of intent regarding specific business processes?

Memorandum Of Understanding (MOU)

What poses a significant security concern in a direct network connection between a corporate network and a business partner's network?

"Relatively open path" for data transfer

What type of agreement may not have the binding qualities of a full contract but informs parties of expectations?

Memorandum Of Understanding (MOU)

Why is it crucial to monitor data transfer between corporate and business partner networks?

"Relatively open path" with potential risks

When working with third parties, what kind of agreement might set a minimum level of service for internet access?

Service Level Agreement

What is one crucial step in handling risks associated with a direct network connection between corporate and business partner networks?

Monitoring for malicious activity in data transfer

What is used to assess the quality of the process in the measurement systems within a company?

Measurement System Analysis (MSA)

Why should policies be established for secure data transfer between corporate and business partner networks?

To address potential security concerns and mitigate risks