CSL CSL Vendor & Third-Party Risk Management

Question 1

What is the first step in establishing a third-party risk management (TPRM) program?

Accepted Answer

Create an inventory and risk tiering of all third-party relationships

Answer

Risk tiering classifies vendors by the sensitivity of data they access and their business criticality, allowing resources to be focused on the highest-risk relationships.

Question 2

Which contractual mechanism gives an organization the right to assess a vendor's security controls directly?

Accepted Answer

Right-to-audit clause

Answer

A right-to-audit clause contractually entitles the organization to conduct or commission security assessments of the vendor's environment.

Question 3

A SaaS vendor suffers a breach affecting your organization's data. Under GDPR, who bears primary responsibility for notifying affected individuals?

Accepted Answer

Your organization as the data controller

Answer

Under GDPR, the data controller (your organization) is responsible for notifying supervisory authorities and affected individuals, regardless of where the breach originated.

Question 4

What does a SOC 2 Type II report demonstrate about a cloud vendor?

Accepted Answer

The vendor's controls operated effectively over a sustained audit period

Answer

SOC 2 Type II audits cover a period of time (typically 6–12 months), demonstrating that security controls were operating consistently, not just present at one point.

Question 5

Which risk most commonly arises from fourth-party (sub-processor) relationships in vendor management?

Accepted Answer

Hidden dependencies that inherit the primary vendor's risk without direct oversight

Answer

Fourth-party risks arise when your vendors outsource to sub-processors you have no direct visibility into, creating blind spots in your supply chain risk exposure.

(CSL) Cybersecurity Leadership Certification Practice Test

(CSL) Cybersecurity Leadership Certification Practice Test

CSL CSL Vendor & Third-Party Risk Management