Quiz: Cyber-risk through 3rd party vendors

1. Which of the following is not considered a third party?

A

Contractors working in your IT team

B

The vendor engaged to train your team in agile coaching

C

Business units

D

Social media agency developing content

2. Which of the following is not a typical vendor security question?

A

Is there a formal process to review user access?

B

Is expired media securely disposed?

C

What due diligence is performed on vendors/ contractors?

D

Where have your employees in the security team worked previously?

3. Why is third party cyber risk important?

A

Potential of a data breach

B

Potential customer data theft

C

Potential of data mishandling

D

All of the above

4. You have narrowed down to 2 choices of a third party vendor to work with. How would you make the selection if you are concerned about security?

A

Choose the vendor with ISO27001 certification to ensure security

B

Choose the vendor that has done multiple similar projects

C

Choose the cheaper vendor

D

Choose the most reputable vendor

5. What should you do if your third party vendor informs you of a breach that has occurred in their systems?

A

Stop working with the vendor immediately

B

Get your incidence response team to collaborate with the vendor, isolate and stop the breach

C

Change to using internal processes and disconnect all work with the vendor

D

Use your own backup of all systems

6. You have shortlisted 3 third party vendors to help with a scope of work that involves critical customer data and shared your company’s Technology & Risk Management (TRM) documentation with them. The vendors are requesting over 3 weeks of time to answer whether or not they comply with everything in your TRM but your project is urgent and you need to select a vendor and get them to start work by this week. What should you do?

6. You have shortlisted 3 third party vendors to help with a scope of work that involves critical customer data and shared your company’s Technology & Risk Management (TRM) documentation with them. The vendors are requesting over 3 weeks of time to answer whether or not they comply with everything in your TRM but your project is urgent and you need to select a vendor and get them to start work by this week. What should you do?

A

Skip the TRM process and select the lowest quote

B

Go with the vendor that has the most experience in similar projects

C

Choose the most reputable and credible vendor

D

Go through a phone call with each vendor and ask them whether they comply with the TRM requirements individually

7. What are the most common reasons for third party breaches?

A

Human error

B

Lack of using a firewall

C

Insufficient employee training

D

Vendors taking on unnecessary risk

8. What is an example of privilege misuse?

A

Unauthorised sharing of your organisation’s credentials with a sub-contractor

B

Using the third party vendor’s existing access to your data to perform required tasks

C

The third party vendor develops a cross-selling opportunity using your data

D

The third party vendor planting malicious code in your systems

9. What are the main components of costs in a data breach?

A

Loss of business attributed to the breach

B

Reputational damage

C

Engaging a forensic investigator

D

All of the above

10. Which of the following specify a way of calculating the costs of a data breach?

A

Activity based costing - Identify the activities in an organisation and assign the cost of the activity based on actual consumption of the related products and services

B

Calculating how much the company would have lost because of the breach

C

Estimating the loss due to reputational damage

D

Estimation of opportunity cost