Due diligence is the process of evaluating the risks and opportunities associated with a potential or existing third-party vendor. Due diligence can vary in scope and depth depending on the level of risk that the vendor poses to the organization. Lower risk vendors are those that have minimal impact on the organization’s operations, reputation, or compliance, and that do not handle sensitive or confidential data or systems. For lower risk vendors, conducting due diligence may involve accepting the service provider’s self-assessment questionnaire responses as sufficient evidence of their capabilities, performance, and compliance. A self-assessment questionnaire is a tool that allows the vendor to provide information about their organization, services, processes, controls, and policies. The organization can use the questionnaire to verify the vendor’s identity, qualifications, references, and certifications, and to assess the vendor’s alignment with the organization’s standards and expectations. Accepting the vendor’s self-assessment questionnaire responses as the primary source of due diligence can save time and resources for the organization, and can also demonstrate trust and confidence in the vendor. However, the organization should also ensure that the questionnaire is comprehensive, relevant, and updated, and that the vendor’s responses are accurate, complete, and consistent.
The organization should also reserve the right to request additional information or documentation from the vendor if needed, and to conduct periodic reviews or audits of the vendor’s performance and compliance.
The other options do not best describe conducting due diligence of a lower risk vendor, because they either involve more extensive or rigorous methods of due diligence, or they are not directly related to due diligence.
Preparing reports to management regarding the status of third party risk management and remediation activities is an important part of monitoring and managing the vendor relationship, but it is not a due diligence activity per se. Reviewing a service provider’s self-assessment questionnaire and external audit report(s) is a more thorough way of conducting due diligence, but it may not be necessary or feasible for lower risk vendors, especially if the external audit report(s) are not readily available or relevant. Requesting and filing a service provider’s external audit report(s) for future reference is a good practice for maintaining documentation and evidence of due diligence, but it is not a due diligence activity itself.
References:
* Third Party Risk Management (TPRM) | Shared Assessments
* Vendor Due Diligence Strategy Guide and Checklist | Prevalent
* Vendor due diligence: a practical guide and checklist

Personal information is any information that can be used to identify an individual, either directly or indirectly, such as name, address, email, phone number, ID number, etc. Personal data is a term used in some jurisdictions, such as the European Union, to refer to personal information that is subject to data protection laws and regulations. However, the scope and definition of personal data may vary depending on the jurisdiction and the context. For example, the GDPR defines personal data as “any information relating to an identified or identifiable natural person” and includes online identifiers, such as IP addresses, cookies, or device IDs, as well as special categories of data, such as biometric, genetic, health, or political data. On the other hand, the US does not have a single federal law that regulates personal data, but rather a patchwork of sector-specific and state-level laws that may have different definitions and requirements. For example, the California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and excludes publicly available information from its scope. Therefore, from a privacy perspective, it is important to understand the different legal definitions and obligations that may apply to personal information or personal data depending on the jurisdiction and the context of the data processing activity. References:
* GDPR personal data – what information does this cover?
* Personal Information, Data Classification, Life Cycle and Best Practices
* 5 Types of Data Classification (With Examples)

A Zero Trust approach to access management is based on the principle of verifying every access request as if it originates from an open network, regardless of the source, destination, or context. This means that no implicit trust is granted based on network location, user identity, or device status. Instead, every access request is evaluated based on multiple factors, such as user credentials, device health, data sensitivity, and threat intelligence. A Zero Trust approach also requires that all communication is encrypted and protected, and that access is granted on a per session basis with the least privilege principle123.
Utilizing a solution that allows direct access by third parties to the organization’s network does not reflect a Zero Trust approach, because it implies that the network perimeter is a reliable boundary for security and trust.
This assumption is risky, because it exposes the organization to potential breaches and attacks from compromised or malicious third parties, who may have access to sensitive data and resources without proper verification or protection. A Zero Trust approach would require that third parties use secure and isolated channels to access the organization’s network, such as VPNs, proxies, or gateways, and that their access is monitored and controlled based on granular policies and conditions123. References:
* Zero Trust part 1: Identity and access management
* Zero Trust Model – Modern Security Architecture | Microsoft Security
* Zero Trust identity and access management development best practices …

An organization’s Ethics and Code of Conduct Program is a set of policies, procedures, and practices that define the expected standards of behavior and ethical values for all employees and stakeholders. A key component of such a program is a disciplinary process that outlines the consequences and actions for violating the code of conduct or any other relevant policies. A disciplinary process helps to enforce the code of conduct, deter unethical behavior, and protect the organization’s reputation and integrity. A disciplinary process should include clear criteria for determining the severity and frequency of violations, the roles and responsibilities of the parties involved, the steps and timelines for investigation and resolution, and the range of sanctions and remedies available. A disciplinary process should also be fair, consistent, transparent, and respectful of the rights and dignity of the accused and the accuser. A disciplinary process may involve formal termination or change of status of the employee, depending on the nature and impact of the violation. Therefore, option B is a correct component of an organization’s Ethics and Code of Conduct Program.
The other options are not necessarily components of an Ethics and Code of Conduct Program, although they may be related or supportive of it. Option A, participation in the company’s annual privacy awareness program, is more likely to be a component of a Privacy Program, which is a specific area of ethics and compliance that deals with the protection and use of personal information. Option C, signing acknowledgement of Acceptable Use policy for use of company assets, is more likely to be a component of an Information Security Program, which is another specific area of ethics and compliance that deals with the safeguarding and management of data and systems. Option D, a process to conduct periodic access reviews of critical Human Resource files, is more likely to be a component of an Internal Control Program, which is a general area of ethics and compliance that deals with the design and implementation of controls to ensure the reliability and accuracy of financial and operational information. References:
* 1: Creating an Effective Code of Conduct (and Code Program) – Corporate Compliance Insights
* 2: Code of Conduct & Ethics (Examples and Best Practices) – Status.net
* 3: Why Have a Code of Conduct – Free Ethics & Compliance Toolkit
* 4: “Code of Ethics” and “Code of Conduct” – GeeksforGeeks
* 5: Six Tips on How to Implement a Strong Ethics Program – KnowledgeLeader

The most important factor when scoping assessments of cloud-based third parties that access, process, and retain personal data is to identify the type of cloud hosting deployment or service model. This is because different cloud models have different implications for the allocation of security responsibilities between the third party and the cloud hosting provider. For example, in a Software as a Service (SaaS) model, the cloud provider is responsible for most of the security controls, while in an Infrastructure as a Service (IaaS) model, the third party is responsible for securing its own data and applications. Therefore, it is essential to understand the type of cloud model and the corresponding security roles and responsibilities before conducting an assessment. This will help to avoid gaps, overlaps, or conflicts in security controls and expectations.
References:
* Guidance on Cloud Security Assessment and Authorization – ITSP.50.105, Canadian Centre for Cyber Security, May 2020, Section 2.1.1
* The Importance of Properly Scoping Cloud Environments, PCI Security Standards Council and Cloud Security Alliance, August 2021
* Third party and cloud: Regulatory challenges, KPMG, 2022, Section 2.1
* Certified Third Party Risk Professional (CTPRP) Study Guide, Shared Assessments, 2021, Section 4.2.2

The risk of increased expense to conduct vendor assessments based on client contractual requirements is the least important factor in defining your risk assessment process for new global third party relationships. This is because the expense of vendor assessments is not a direct risk to your organization’s security, compliance, reputation, or performance, but rather a cost of doing business that can be budgeted and optimized. While vendor assessments are necessary and beneficial, they are not the primary driver of your risk assessment process, which should focus on the potential impact and likelihood of adverse events or incidents involving your third parties. The other factors (B, C, and D) are more important because they directly affect the level of risk exposure and the mitigation strategies for your third parties. For example, natural disasters and physical security risks can disrupt your third party’s operations and service delivery, government regulation and political stability can affect your third party’s compliance and legal obligations, and financial risk can affect your third party’s solvency and reliability. Therefore, these factors should be considered more carefully when defining your risk assessment process. References:
* 1: Third Party Risk Management: Managing Risk | Deloitte US
* 2: What Is Third-Party Risk Management (TPRM)? 2024 Guide | UpGuard
* 3: What is Third-Party Risk Management? | Blog | OneTrust

This statement does not reflect current practice in addressing fourth party risk or subcontracting risk because it is not sufficient to rely on external audit reports alone. Outsourcers should also perform their own due diligence and monitoring of the subcontractors, as well as ensure that the third party has a robust TPRM program in place. External audit reports may not cover all the relevant aspects of subcontracting risk, such as data security, compliance, performance, and quality. Moreover, external audit reports may not be timely, accurate, or consistent, and may not reflect the current state of the subcontractor’s operations. Therefore, outsourcers should adopt a more proactive and comprehensive approach to managing subcontracting risk, rather than relying on external audit reports. References:
* Shared Assessments Program, page 13: “Outsourcers should not rely solely on external audit reports to address subcontracting risk. Outsourcers should also inspect the vendor’s TPRM program and require evidence of the assessments of subcontractors.”
* Five Best Practices to Manage and Control Third-Party Risk, page 3: “Restricting privileged accounts

The best approach to address the conflict between the vendor’s legal obligations to retain data for tax purposes and the company’s policy to require data return or destruction at contract termination is A. Determine if a policy exception and approval is required, and require that data safeguarding obligations continue after termination. This approach recognizes that the vendor may have valid reasons to retain some data for a certain period of time, and that the company may have flexibility to grant exceptions to its policy under certain circumstances. However, this approach also ensures that the company maintains oversight and control over the data that the vendor retains, and that the vendor continues to comply with the data safeguarding obligations, such as encryption, access control, audit, and breach notification, until the data is returned or destroyed. This approach balances the interests and risks of both parties, and minimizes the potential for data breaches, misuse, or loss.
The other approaches are not the best ways to address the conflict, as they may create more problems or risks for either party. B. Change the risk rating of the vendor to reflect a higher risk tier. This approach does not resolve the conflict, but rather shifts the responsibility to the company to manage the increased risk of the vendor retaining the data. Changing the risk rating may also affect the contract terms, such as pricing, service level agreements, or liability clauses, and may require renegotiation or termination of the contract. C. Insist the vendor adheres to the policy and contract provisions without exception. This approach is too rigid and may not be feasible or reasonable for the vendor, especially if they have legal obligations to retain the data. This approach may also damage the relationship and trust between the parties, and may lead to disputes or litigation. D. Conduct an assessment of the vendor’s data governance and records management program. This approach is too time-consuming and costly, and may not be necessary or relevant for the conflict. Conducting an assessment may provide some assurance about the vendor’s data practices, but it does not address the underlying issue of the conflicting data retention requirements. Moreover, conducting an assessment may not be possible or appropriate during the contract negotiation process, as it may require access to the vendor’s systems, data, or personnel. References:
* : Best Practices for Data Destruction – ed
* : CHALLENGES AND RISKS INVOLVED WITH DATA RETENTION – DataOlogie
* : Third-Party Risk Management: Final Interagency Guidance
* : Ensuring Data Protection for Third Parties: Best Practices | UpGuard Blog

When reviewing application risk for application service providers, the most important factors are the functionality and type of data the application processes, the remote connectivity options, and the APl integration methods. These factors determine the level of exposure, sensitivity, and complexity of the application, and thus the potential impact and likelihood of a security breach or a compliance violation. The number of software releases is less important, as it does not directly affect the application’s security or functionality. However, it may indicate the maturity and quality of the software development process, which is another aspect of application risk assessment. References:
* Application Security Risk: Assessment and Modeling, ISACA Journal, Volume 2, 2016

Criticality is a measure of how essential a service provider is to the organization’s core business functions and objectives. It reflects the potential consequences of a service disruption or failure on the organization’s operations, reputation, compliance, and financial performance. Criticality is not the same as risk, which is the likelihood and severity of a negative event occurring. Criticality helps to prioritize the risk assessment and mitigation efforts for different service providers based on their relative importance to the organization.
Criticality is not limited to a specific type of service, such as disaster recovery or personal information, nor is it determined by the mode of access or connectivity. Criticality is assigned to the service providers that have the greatest impact on the organization’s ability to deliver its products or services to its customers and stakeholders in a timely and satisfactory manner. References:
* Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide1
* Milliman. (2017). Defining “critical or important functions or activities” for outsourcing purposes2
* Webster, C. and Sundaram, D.S. (2009). Effect of service provider’s communication style on customer satisfaction in professional services setting: the moderating role of criticality and service nature. Journal of Services Marketing, 23(2), 103-1131

This answer is the best approach because it aligns with the principles of third-party risk management, which include ensuring compliance with company policies, contractual obligations, and regulatory requirements. By asking the vendor to replace the subcontractor, the company is exercising its right to terminate or modify the relationship if the vendor fails to meet the agreed-upon standards or poses unacceptable risks. This also minimizes the potential impact of the vendor’s non-compliance on the company’s reputation, operations, and data security. The other options are less effective because they either ignore the issue, compromise the company’s policy, or rely on the vendor’s self-assessment without verification. References:
* Third Party Risk Management Framework, Module 3: Program Governance, Section 3.2: Policies and Procedures, p. 14
* Third Party Risk Management Framework, Module 4: Program Components, Section 4.3: Contracting, p. 24
* Third Party Risk Management Framework, Module 5: Program Implementation, Section 5.2: Ongoing Monitoring, p. 32
* Best-Practices Guidance for Third-Party Risk, Section: Defend Against Privileged User Risks, p. 2
* Five Best Practices to Manage and Control Third-Party Risk, Section: Best Practices for Controlling Third-Party Vendor Risks, p. 3

An Asset Management program is a set of policies, procedures, and practices that aim to optimize the value, performance, and lifecycle of the organization’s assets, such as physical, financial, human, or information assets123. An Asset Management program typically defines policy requirements for the following aspects of asset management:
* The Policy states requirements for the reuse of physical media (e.g., devices, servers, disk drives, etc.):
This requirement ensures that the organization follows proper procedures for sanitizing, wiping, or destroying physical media that contain sensitive or confidential data before reusing, recycling, or disposing of them123. This requirement helps prevent data leakage, theft, or loss, and protects the organization’s reputation and compliance123.
* The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement: This requirement ensures that the organization recovers all the data and assets that were assigned, loaned, or accessed by the employees and contractors during their employment, contract, or agreement123. This requirement helps maintain the security, integrity, and availability of the organization’s data and assets, and prevents unauthorized or inappropriate use or disclosure of them123.
* The Policy defines requirements for the inventory, identification, and disposal of equipment and/or physical media: This requirement ensures that the organization maintains an accurate and up-to-date
* record of all the equipment and physical media that it owns, leases, or uses, and assigns unique identifiers to them123. This requirement also ensures that the organization follows proper procedures for disposing of equipment and physical media that are no longer needed, useful, or functional123. This requirement helps improve the efficiency, effectiveness, and accountability of the organization’s asset management processes, and reduces the risks of waste, fraud, or misuse of the organization’s resources123.
However, option D, a policy requirement that requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times, is typically not defined in an Asset Management program. Rather, this requirement is more likely to be defined in a Physical Security program, which is a set of policies, procedures, and practices that aim to protect the organization’s premises, assets, and personnel from unauthorized access, damage, or harm . A Physical Security program typically defines policy requirements for the following aspects of physical security:
* The Policy requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times: This requirement ensures that the organization controls and monitors the access of visitors to the facility, and verifies their identity, purpose, and authorization .
This requirement also ensures that the organization prevents visitors from accessing restricted or sensitive areas, equipment, or information, and escorts them throughout their visit . This requirement helps enhance the security, safety, and compliance of the organization’s facility, assets, and personnel, and prevents potential threats, incidents, or breaches .
* The Policy defines requirements for the locking, alarming, and surveillance of the facility and its entrances and exits: This requirement ensures that the organization secures the perimeter and the interior of the facility, and detects and responds to any unauthorized or suspicious activity or intrusion . This requirement also ensures that the organization uses appropriate and effective physical security measures, such as locks, alarms, cameras, guards, or barriers, to deter, prevent, or delay unauthorized access . This requirement helps protect the organization’s facility, assets, and personnel from theft, vandalism, sabotage, or attack .
* The Policy specifies requirements for the emergency preparedness and response of the facility and its occupants: This requirement ensures that the organization plans and implements procedures for dealing with emergencies, such as fire, flood, earthquake, power outage, or active shooter, that may affect the facility and its occupants . This requirement also ensures that the organization provides adequate and accessible equipment, resources, and training for the emergency preparedness and response, such as fire extinguishers, first aid kits, evacuation routes, emergency contacts, or drills . This requirement helps ensure the safety, health, and continuity of the organization’s facility, assets, and personnel, and minimizes the impact and damage of emergencies .
Therefore, option D is the correct answer, as it is the only one that does not reflect a policy requirement that is typically defined in an Asset Management program. References: The following resources support the verified answer and explanation:
* 1: Asset Management Policy Guide + Free Template | Fiix
* 2: Asset Management Policy: How to Build One From Scratch – Limble CMMS
* 3: How to develop an asset management policy, strategy and governance framework: Set up a consistent approach to asset management in your municipality
* : Physical Security Policy – SANS
* : Physical Security Policy – IT Governance

Contract addendums are supplementary documents that modify or amend the original contract terms. They can be used to address third party risk obligations, such as security, privacy, compliance, or performance standards, without having to rewrite the entire MSA. However, contract addendums should be consistent with the MSA and clearly specify the scope, duration, and responsibilities of each party. Contract addendums can also be used to update or revise the contract terms in response to changing business needs or regulatory requirements12.
The other statements are true regarding the different types of contracts and agreements between outsourcers and service providers. Evergreen contracts are contracts that do not have a fixed end date and are automatically renewed unless one party decides to terminate them under the existing contract provisions3.
RFPs are documents that solicit proposals from potential service providers for a specific project or service.
RFPs should include mandatory requirements based on an organization’s TPRM program policies, standards and procedures, such as risk assessment, due diligence, monitoring, reporting, and remediation . SOWs are documents that define the operational requirements and obligations for each party, such as the scope, deliverables, timelines, costs, quality, and performance metrics . References:
* 1: Contracts and third-party risk – KPMG UK
* 2: Third-Party Risk & Contract Management: A Comprehensive Beginner’s Guide – Trackado
* 3: What Is an Evergreen Contract? | Legal Beagle
* : [Best Practices Guidance for Third Party Risk – GARP]
* : Third-Party Risk Management: A Comprehensive Guide – UpGuard
* : Statement of Work (SOW) – Definition, Contents & Examples
* : How to Write a Statement of Work for Any Industry | Smartsheet

According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, risk based decisioning is the process of applying risk criteria to prioritize and address the gaps identified during a third-party risk assessment1. The assessor should analyze the gaps based on the impact, likelihood, and urgency of the risk, and document the findings and recommendations in a report. The assessor should also review the existing or proposed compensating controls that could mitigate the risk, and submit the report to the business owner for approval of the risk treatment plan. The risk treatment plan could include accepting, transferring, avoiding, or reducing the risk, depending on the risk appetite and tolerance of the organization1.
The other statements do not reflect the best use of risk based decisioning, as they either ignore the risk analysis and documentation process, or apply a uniform or arbitrary approach to prioritizing and addressing the gaps. The assessor should not decide or conclude on the risk treatment plan without consulting the business owner, as the business owner is ultimately responsible for the third-party relationship and the risk management decisions1. The assessor should also not communicate that the gaps would not be included in the report if they were corrected immediately, as this could compromise the integrity and transparency of the assessment process and the report2.
References:
* 1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, pages 29-30,
33-34
* 2: Third-Party Risk Management: Final Interagency Guidance, page 10

An outsourcer’s vendor risk assessment process should include all the steps mentioned in options A, B, and C, as they are essential for ensuring a consistent, comprehensive, and effective evaluation of the vendor’s performance, compliance, and risk profile. However, option D is not a necessary or recommended part of the vendor risk assessment process, as it does not reflect the actual level of risk posed by the vendor, but rather the availability of resources within the outsourcer’s organization. Defining assessment frequency based on resource capacity could lead to under-assessing or over-assessing vendors, depending on the outsourcer’s workload, budget, and staff. This could result in missing critical issues, wasting time and money, or creating gaps in the vendor oversight program. Therefore, option D is the correct answer, as it is the only one that does not belong to the vendor risk assessment process. References: The following resources support the verified answer and explanation:
* Shared Assessments’ CTPRP Job Guide, page 10, section 2.1.1, states that “The frequency of assessments should be based on the risk tier of the third party, not on the availability of resources.”
* Guide to Vendor Risk Assessment, section “Step 3: Determine the Frequency of Vendor Risk Assessments”, explains that “The frequency of vendor risk assessments should be based on the level of risk each vendor poses to your organization, not on the availability of resources or convenience.”
* How to Conduct a Successful Vendor Risk Assessment in 9 Steps, section “Step 8: Determine the Frequency of Vendor Risk Assessments”, advises that “The frequency of vendor risk assessments should be based on the level of risk each vendor poses to your organization, not on the availability of resources or convenience.”

Questionnaires are one of the most common and effective tools for conducting third party risk assessments.
They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization.
However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated12.
The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy12.
The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed.
For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management12.
By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE12. References: 1: How to Use SIG Questionnaires for Better Third-Party Risk Management 2:
Third-party risk assessment questionnaires – KPMG India

Notification obligations in incident response are the legal or contractual duties to inform relevant parties about a security breach or incident that affects their data or systems. These obligations may vary depending on the type, scope, and impact of the incident, as well as the jurisdiction, industry, and contractual agreements involved. The factors that are most likely to trigger notification obligations are:
* Regulatory requirements: Different laws and regulations may impose different notification obligations on organizations that experience or cause a security incident. For example, the General Data Protection Regulation (GDPR) requires data controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and to notify the affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms1. Similarly, the Computer-Security Incident Notification Rule requires banks and their service providers to notify their primary federal regulator as soon as possible, but no later than 36 hours, after a computer-security incident that materially disrupts, degrades, or impairs their operations, services, or customers2.
* Data classification or sensitivity: The type and sensitivity of the data involved in a security incident may also affect the notification obligations. For example, if the data contains personally identifiable information (PII), health information, financial information, or other confidential or sensitive information, the organization may have to notify the data owners, regulators, law enforcement, or other stakeholders about the incident and the potential risks to their privacy or security3. The data classification or sensitivity may also determine the content and timing of the notification, as well as the appropriate communication channels to use.
* Contractual terms: The contractual agreements between an organization and its third-party vendors or service providers may also specify the notification obligations in case of a security incident. For example, the contract may define the roles and responsibilities of each party, the notification procedures and timelines, the information to be shared, the remediation actions to be taken, and the penalties or liabilities for breach of contract. The contractual terms may also reflect the regulatory requirements or industry standards that apply to the organization or the third party.
The factor that is least likely to trigger notification obligations is:
* Encryption of data: Encryption of data is a security measure that protects the data from unauthorized access, modification, or disclosure. Encryption of data may reduce the impact or severity of a security incident, as it may prevent or limit the exposure of the data to malicious actors. However, encryption of data does not eliminate the notification obligations, as the organization still has to assess the nature and extent of the incident, and determine whether the encryption was effective or compromised. Moreover, encryption of data may not be sufficient to protect the data from other types of threats, such as deletion, corruption, or ransomware. Therefore, encryption of data is not a factor that influences the notification obligations in incident response.
References:
* 1: GDPR Article 33: Notification of a personal data breach to the supervisory authority
* 2: Computer-Security Incident Notification Rule
* 3: Third-Party Incident Management (TPIM): How to Balance IRPs with Third Parties
* : [Improving Third-Party Incident Response]
* : [Third-Party Incident Response Playbook]
* : [Does Encryption Protect You From a Data Breach?]

An IT asset management program is a set of processes and tools that help an organization manage its IT assets throughout their lifecycle, from acquisition to disposal. An IT asset management program should include the following components1234:
* Maintaining inventories of systems, connections, and software applications: This component involves creating and updating a comprehensive and accurate list of all IT assets owned or used by the
* organization, including their location, ownership, configuration, and status. This helps the organization optimize the use of its IT resources, reduce costs, and ensure compliance with licensing and regulatory requirements.
* Tracking and monitoring availability of vendor updates and any timelines for end of support: This component involves keeping track of the latest updates, patches, and security fixes provided by the vendors of the IT assets, as well as the end-of-life dates and support options for the assets. This helps the organization maintain the security, performance, and functionality of its IT assets, and plan for timely replacement or migration of obsolete or unsupported assets.
* Identifying and tracking adherence to IT asset end-of-life policy: This component involves defining and implementing a policy for retiring and disposing of IT assets that are no longer needed, useful, or supported by the organization. This helps the organization reduce risks, costs, and environmental impacts associated with IT asset disposal, and ensure compliance with data protection and disposal regulations.
Defining application security standards for internally developed applications is not a component of an IT asset management program, but rather a component of an application development and security program. An application development and security program is a set of processes and tools that help an organization design, develop, test, deploy, and maintain secure and reliable applications, whether they are internally developed or acquired from external sources. An application development and security program should include the following components5 :
* Defining application security standards for internally developed applications: This component involves establishing and enforcing a set of security requirements and best practices for the applications developed by the organization, such as secure coding, testing, and deployment methodologies, security controls, and vulnerability management. This helps the organization ensure the confidentiality, integrity, and availability of its applications and data, and prevent or mitigate security breaches and incidents.
* Performing application security assessments for externally acquired applications: This component involves conducting security reviews and audits of the applications acquired from external sources, such as vendors, partners, or open source communities, before integrating them into the organization’s IT environment. This helps the organization identify and address any security risks, gaps, or weaknesses in the applications, and ensure compatibility and compliance with the organization’s security policies and standards.
References:
* ITAM: The ultimate guide to IT asset management
* IT asset management: 10 best practices for success
* Asset Management: The Five Core Components
* The Fundamentals of Asset Management
* Application Development and Security Program
* Application Security Best Practices

An Information Security Incident Management Program is a set of policies, procedures, and tools that enable an organization to prevent, detect, respond to, and recover from information security incidents. An information security incident is any event that compromises the confidentiality, integrity, or availability of information assets, systems, or services12. A formal Information Security Incident Management Program typically includes the following components12:
* The definition of internal escalation processes: This component defines the roles and responsibilities, communication channels, and reporting mechanisms for escalating and managing information security incidents within the organization. It also establishes the criteria and thresholds for determining the severity and impact of incidents, and the appropriate level of response and escalation.
* The protocols for disclosure of information to external parties: This component defines the rules and guidelines for disclosing information about information security incidents to external stakeholders, such as customers, regulators, law enforcement, media, or other third parties. It also specifies the legal and contractual obligations, the timing and frequency, the format and content, and the approval and authorization processes for disclosure.
* The mechanisms for notification to clients: This component defines the methods and procedures for notifying clients or customers who may be affected by information security incidents. It also specifies the objectives, scope, and content of notification, as well as the timing and frequency, the delivery channels, and the feedback and follow-up mechanisms.
* The processes in support of disaster recovery: This component defines the steps and actions for restoring the normal operations of the organization after a major information security incident that causes
* significant disruption or damage to the information assets, systems, or services. It also specifies the roles and responsibilities, the resources and tools, the backup and recovery plans, and the testing and validation procedures for disaster recovery.
The statement that reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program is D. The program includes processes in support of disaster recovery. While disaster recovery is an important aspect of information security, it is not a specific component of an Information Security Incident Management Program. Rather, it is a separate program that covers the broader scope of business continuity and resilience, and may involve other types of disasters besides information security incidents, such as natural disasters, power outages, or pandemics3 . Therefore, the correct answer is D. The program includes processes in support of disaster recovery. References: 1: Computer Security Incident Handling Guide 2: Develop and Implement a Security Incident Management Program 3: Business Continuity Management vs Disaster Recovery : What is the difference between disaster recovery and security incident response?

For services with system-to-system access, ensuring sufficient time for quality assurance (QA) testing before implementing changes is crucial to reducing the risk of business disruption to the outsourcer. This requirement ensures that any modifications to the system are thoroughly vetted for potential issues that could impact the outsourcer’s operations. QA testing allows for the identification and remediation of bugs, compatibility issues, and other potential problems that could lead to operational disruptions or security vulnerabilities. By allocating adequate time for QA testing, organizations can ensure that changes are fully functional and secure, thereby maintaining the integrity and availability of services provided to the outsourcer. This practice is aligned with industry standards for change management, which advocate for comprehensive testing and validation processes to ensure the reliability and stability of system changes.
References:
* Industry standards such as ITIL (Information Technology Infrastructure Library) emphasize the importance of thorough testing and validation within the change management process to minimize the risk of disruptions and ensure the smooth operation of services.
* Guides like “Managing Change in IT Outsourcing Arrangements: The TPRM Perspective” provide insights into best practices for change management in third-party relationships, including the critical role
* of QA testing in mitigating risks associated with system changes.