Third-party Vendor Risks (OBJ 2.2, 2.3, & 5.3)

Third-party Vendor Risks

• What does "third-party vendor risk" mean?
• Potential security and operational challenges from external collaborators (vendors, suppliers, or service providers)
• Scope
  • Encompasses vendors, suppliers, or service providers
• Risks
  • Impact on integrity, data security, and overall business continuity
  • Supply Chain Risks
  • Supply Chain Attacks

Common Threat Vectors and Attack Surfaces

• Threat Vectors
  • Paths attackers use to gain access
• Attack Surfaces
  • Points where an unauthorized user can try to enter

Various Types of Vulnerabilities

• Hardware Vulnerabilities
  • Components with vulnerabilities
• Software Vulnerabilities
  • Applications with hidden backdoors
• Operational Vulnerabilities
  • Lack of cybersecurity protocols

Vendor Assessments

• Evaluation
  • Pre-partnership assessment
• Penetration Testing
  • Testing vendor security
• Audit Rights
  • Right to audit vendors
• Evidence Collection
  • Internal and external audit evidence

Vendor Selection and Monitoring

• Importance
  • Meticulous selection process
• Vigilance
  • Ongoing monitoring of vendor performance

Contracts and Agreements

• Basic Contracts
  • Forming relationships
• Nuanced Agreements
  • SLAs, MOUs, NDAs for specific safeguards