A. The Data Security Standards (DSS) framework should be used to scope the assessment
B. A System and Organization Controls (SOC) report is sufficient if the report addresses the same location
C. The Report on Compliance (ROC) provides the assessment results completed by a qualified security assessor that includes an onsite audit
D. The Self-Assessment Questionnaire (SAQ) provides independent testing of controls
A. We have established Management and Board-level reporting to enable risk-based decisionmaking
B. We conduct onsite or virtual assessments for all third parties
C. We have established vendor risk ratings and classifications based on a tiered hierarchy
D. We have defined senior and executive management accountabilities for oversight of our TPRM program
A. Conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an emergency response plan
B. Use the results of continuous monitoring tools to develop the emergency response plan
C. incorporate periodic crisis management team tabletop exercises to test different scenarios
D. Consider work-from-home parameters in the emergency response plan
A. All topic areas included in the questionnaire require validation during the assessment
B. The total number of questions included in the questionnaire assigns the risk tier
C. Assessment questionnaires should be configured based on the risk rating and type of service being evaluated
D. Questionnaires are optional since reliance on contract terms is a sufficient control
A. Asset inventories should include connections to external parties, networks, or systems that process data
B. Each asset should include an organizational owner who is responsible for the asset throughout its life cycle
C. Assets should be classified based on criticality or data sensitivity
D. Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines
A. Normal termination
B. Termination for convenience
C. Termination for cause
D. Regulatory/supervisory termination
A. Include a provision in the contract prohibiting the vendor from outsourcing any service which includes access to confidential data or systems
B. Include a provision in the vender contract requiring the vendor to provide notice and obtain written consent before outsourcing any service
C. Require the vendor to maintain a cyber-insurance policy for any service that is outsourced which includes access to confidential data or systems
D. Incorporate notification and approval contract provisions for subcontracting that require evidence of due diligence as defined by a TPRM program
A. Vendor assessments should be conducted during onboarding and then be replaced by continuous monitoring
B. Vendor assessment frequency may need to be changed if the vendor has disclosed a data breach
C. Vendor assessments should be scheduled based on the type of services/products provided
D. Vendor assessment frequency should be based on the level of risk and criticality of the vendor to your operations as determined by their vendor risk score
A. Security vulnerabilities and security defects are synonymous
B. Security defects should be treated as exploitable vulnerabilities
C. A security defect can become a security vulnerability if undetected after migration into production
D. A security defect is a security flaw identified in an application due to poor coding practices
A. Mutual indemnification
B. Cyber Insurance
C. Force majeure
D. Limitation of liability
