A compliance officer of a large organization has reviewed the firm’s vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.
Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)
A . Executing vendor compliance assessments against the organization’s security controls
B . Executing NDAs prior to sharing critical data with third parties
C . Soliciting third-party audit reports on an annual basis
D . Maintaining and reviewing the organizational risk assessment on a quarterly basis
E . Completing a business impact assessment for all critical service providers
F . Utilizing DLP capabilities at both the endpoint and perimeter levels
Answer: A, C
Leave a Reply