This is the first step in onboarding a vendor before granting access.
What is due diligence?
This type of vendor risk involves system downtime or service interruptions.
What is operational risk?
This is the goal of continuous monitoring in VRM.
What is to get clean data in Onspring?
GDPR, HIPAA, and PCI-DSS are all examples of these.
What are regulations/standards?
If a vendor ghosted you after onboarding, you'd say they are worse than this kind of ghost.
What is Casper?
True or False: All vendors pose the same level of risk.
What is False?
A vendor storing your customer data would fall under this type of risk.
What is data privacy risk?
In continuous monitoring, vendors are usually checked this often.
What is daily, weekly, or monthly (depending on risk level)?
If a vendor suffers a data breach, they are required to do this immediately.
What is notify their customers/partners?
The number of cups of coffee needed before risk analysts start their day.
What is infinite (or at least 2)?
This document is often sent to vendors to assess their security posture.
What is a questionnaire?
A risk that comes from breaking the law or regulatory rules.
What is compliance/legal risk?
Continuous monitoring tools can send this type of early warning.
What is an alert?
This type of assessment is typically renewed every 12 months.
What is a vendor risk assessment?
VRM is a lot like dating: this is what you should always do before committing.
What is a background check/due diligence?
The process of offboarding a vendor helps prevent this type of lingering access risk.
What is unauthorized access?
This type of risk is the hardest to quantify but could ruin a company's image overnight.
What is a reputational risk?
An analyst like Nathan verifying vendor issues is an example of this type of control.
What is detective control?
Regulations expect vendors to have this kind of agreement before handling data.
What is a data processing agreement (DPA)?
The one thing every vendor swears they are totally compliant with even if they aren't.
What is a SOC 2?
Acronym time! VRM stands for this.
What is Vendor Risk Management?
This risk occurs when a vendor hires another vendor without telling you.
What is 4th party risk?
This scorecard is often used to track vendor risk changes over time.
What is a risk rating or risk score?
SOX, GLBA, and FFIEC mostly apply to this type of industry.
What is financial services?
If VRM had a mascot, it would probably be this animal, because it's always watching.
What is an Owl?