
Processes associated with third-party risk assessment and management
Authored by Edlyn Gregorio

20 questions
1.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
A financial organization is evaluating a payment processor as a new vendor. The vendor provides its SOC 2 Type II report from an independent auditor, showing compliance with security controls over the past year.
What type of vendor assurance does this represent?
A. Internal audit
B. Independent assessment
C. Right-to-audit clause
D. Service-level agreement
Answer explanation
A SOC 2 Type II report is an independent assessment: an external auditor tested the vendor's controls and reported on their operating effectiveness over a review period (a Type I report, by contrast, only covers control design at a single point in time). This provides objective assurance that is distinct from the vendor's own internal audit and from a contractual right-to-audit clause, which grants the customer the ability to inspect but is not itself evidence. The customer should still read the report's scope, any control exceptions the auditor noted, and the complementary user entity controls it is expected to implement on its own side.
2.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
An electronics manufacturer sources parts from multiple international suppliers. A security review reveals that one upstream supplier uses outdated firmware in embedded chips, but the immediate vendor claims compliance with all standards.
What should the organization do NEXT?
A. Accept the risk since the direct vendor is compliant.
B. Require the vendor to conduct a supply chain security analysis.
C. Conduct a penetration test on the vendor’s network.
D. Terminate the vendor contract immediately.
Answer explanation
The weakness lies upstream, beyond the direct vendor, so the direct vendor's own attestation of compliance does not address it. The organization should require a supply chain security analysis that assesses the risks introduced by indirect suppliers, such as the outdated firmware in the embedded chips. This extended third-party risk governance matters especially in manufacturing and IT hardware, where components pass through several hands before reaching the buyer. Accepting the risk ignores known evidence, a penetration test of the vendor's network would not examine the supplier's firmware, and immediate termination skips the assessment that should inform that decision.
3.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
A government contract includes a clause allowing the client agency to perform unannounced inspections and reviews of the contractor’s data protection controls at any time.
Which agreement feature does this BEST describe?
A. Evidence of internal audits
B. Independent audit
C. Right-to-audit clause
D. Memorandum of understanding
Answer explanation
A right-to-audit clause gives the customer contractual authority to inspect the vendor's controls or demand proof of compliance, here at any time and without notice. It ensures transparency and accountability and is often required in regulated or government contracts. Evidence of internal audits and an independent audit are forms of assurance the vendor supplies on its own terms; a memorandum of understanding is a non-binding statement of intent and grants no inspection rights.
4.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
During vendor selection for a new cloud backup provider, a project manager recommends a company owned by their sibling. The company passes all technical checks.
What is the primary concern for security governance?
A. Lack of SLA
B. Conflict of interest
C. Missing NDA
D. Lack of supply chain visibility
Answer explanation
Even if technically qualified, personal relationships create a conflict of interest that can bias selection and compromise integrity. Governance policies require disclosure and recusal to maintain ethical and compliant procurement processes.
5.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
An organization hires a managed service provider (MSP) to monitor network performance. The contract defines uptime guarantees, response times, and penalties for missed targets.
Which agreement type is this?
A. Memorandum of understanding (MOU)
B. Service-level agreement (SLA)
C. Master service agreement (MSA)
D. Business partner agreement (BPA)
Answer explanation
A service-level agreement (SLA) defines measurable performance targets (for example uptime and response times) and the penalties or credits applied when they are missed. It is a contractually enforceable part of the service relationship and focuses on service delivery expectations rather than high-level partnership terms: an MSA sets the overall terms under which individual service agreements are made, an MOU records non-binding intent, and a BPA governs the shared responsibilities of business partners.
6.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
Two research institutions agree to collaborate on cybersecurity innovation without exchanging funds. The document outlines shared goals and cooperative intentions but is not legally binding.
Which document should they use?
A. Memorandum of agreement (MOA)
B. Memorandum of understanding (MOU)
C. Non-disclosure agreement (NDA)
D. Master service agreement (MSA)
Answer explanation
An MOU records mutual intent and collaboration goals but is non-binding. An MOA is similar in form but is typically legally enforceable and imposes specific obligations on the parties. Because this arrangement is cooperative, informal, and involves no exchange of funds, an MOU fits best.
7.
MULTIPLE CHOICE QUESTION
1 min • 1 pt
A software vendor claims they never received the company’s confidential design documents. Later, the same design appears in a competitor’s prototype. The NDA signed with the vendor doesn’t specify what constitutes a breach.
Which governance issue occurred?
A. Lack of due diligence
B. Poorly defined rules of engagement
C. Weak SLA enforcement
D. Inadequate NDA scope and specificity
Answer explanation
A vague non-disclosure agreement is ineffective. An NDA must clearly define what information is confidential, how it is to be handled, what constitutes a breach, and the consequences of one; without that specificity the company cannot show that the vendor violated the agreement even when its design surfaces in a competitor's prototype. Governance requires precise legal language so that the NDA is enforceable and actually protects intellectual property.