External Audit and Compliance
Risk
Tools We Use
Knowledge on our Process
CIA
100

What type of SOC report tests controls over a period of time?

Type 2

100

After the controls have been implemented, what type of risk still remains?

Residual Risk

100

Our main platform, in which assessments are done.

ProcessUnity

100

Once the Business Unit confirms that the service is still being used, what is the next critical step to continue that assessment?

Create the Questionnaire and Send it to the Vendor.

100

Represents protection from unauthorized disclosure. The impact of such disclosure can range from disclosure of a client's private data to loss of reputation, or worse.

Confidentiality

200

Which ISO standard covers Information Security Management?

ISO 27001

200

Without considering the controls in place, what type of risk is present?

Inherent Risk

200

Repository of published, existing, and draft contracts; it also serves as the procurement tool for intake requests.

Ivalua

200

This is often done when the TPIRM has received no response and no reference that could lead to an answer is found in the documents provided.

Send a follow up to the Vendor.

200

Represents the authorized end-user's ability to use the system and data. Availability is lost if the risk target, whether it be information or a physical device, is not available for use, thereby impacting MFC business objectives by causing loss of normal operation or reputational damage.

Availability

300

What does PCI DSS stand for?

Payment Card Industry Data Security Standard

300

The process of identifying, assessing, and mitigating the risks posed by external parties that interact with your organization.

Third Party Risk Management


300

Main tool for risk management information.

Archer

300

This internal team is often part of the assessment; it handles the review of, and opines on, the Business Continuity and Disaster Recovery aspects of the Vendor.

BCM Team

300

Represents protection from improper alteration. Integrity is lost if unauthorized changes are made to the risk target, whether it be information or a physical device, either intentionally or accidentally. The impact of such changes can result in fraud or inaccuracy.

Integrity

400

What does SOC stand for?

Service Organization Controls

400

Manulife's Third Party Information Risk Management Policy is found in the Global Policy Database under what policy number? (Whole Policy Code)

MFC-STA-008

400

Before Ivalua was introduced, this was the tool in which intake requests were submitted and IRQ information was found before being uploaded to Archer.

BuySmart

400

The team that formerly handled reviews and opined on whenever a Vendor accesses, hosts, or processes Personal Information and Health Information.

Privacy Team

400

A CIA combination of 2 Mediums and 1 High nets to what overall criticality rating?

Significant

500

What does HIPAA stand for?

Health Insurance Portability and Accountability Act

500

Manulife's Information Risk Management Policy is found in the Global Policy Database under what policy number? (Whole Policy Code)

MFC-TLP-001

500

Software for critical event and mass notification.

MIR3

500

If a Vendor lacks the controls and this has a significant impact on the overall risk tolerated, what should be opened? BE SPECIFIC

Archer Issue

500

A CIA combination of 2 Lows and 1 High nets to what overall criticality rating?

Significant