CSL CSL Vendor & Third-Party Risk Management

Question 1

What is the first step in establishing a third-party risk management (TPRM) program?

Accepted Answer

Create an inventory and risk tiering of all third-party relationships

Answer

Send security questionnaires to all vendors immediately

Answer

Require all vendors to obtain ISO 27001 certification

Answer

Conduct penetration tests on vendor systems

Question 2

Which contractual mechanism gives an organization the right to assess a vendor's security controls directly?

Accepted Answer

Right-to-audit clause

Answer

Non-disclosure agreement (NDA)

Answer

Service level agreement (SLA)

Answer

Data processing addendum (DPA)

Question 3

A SaaS vendor suffers a breach affecting your organization's data. Under GDPR, who bears primary responsibility for notifying affected individuals?

Accepted Answer

Your organization as the data controller

Answer

The SaaS vendor as the data processor

Answer

The cloud platform hosting the SaaS application

Answer

The cybersecurity insurer

Question 4

What does a SOC 2 Type II report demonstrate about a cloud vendor?

Accepted Answer

The vendor's controls operated effectively over a sustained audit period

Answer

The vendor has passed a one-time security assessment

Answer

The vendor is certified under ISO 27001

Answer

The vendor complies with PCI DSS requirements

Question 5

Which risk most commonly arises from fourth-party (sub-processor) relationships in vendor management?

Accepted Answer

Hidden dependencies that inherit the primary vendor's risk without direct oversight

Answer

Direct contractual liability to the primary vendor

Answer

Increased SLA performance guarantees

Answer

Reduced data processing costs

Question 6

A cybersecurity leader is reviewing vendor contracts. Which clause specifically protects the organization if a vendor experiences a security incident?

Accepted Answer

Indemnification and breach notification clauses

Answer

Termination for convenience clause

Answer

Intellectual property ownership clause

Answer

Warranty and fitness-for-purpose clause