CRISC Third-Party and Vendor Risk Management

Question 1

Which activity is MOST important when onboarding a new critical third-party vendor?

Accepted Answer

Conducting a thorough due diligence risk assessment

Answer

Reviewing the vendor's marketing materials

Answer

Negotiating the lowest possible contract price

Answer

Assigning an internal project manager to the relationship

Question 2

A 'fourth-party risk' in vendor management refers to:

Accepted Answer

Risk from subcontractors or suppliers used by your primary vendors

Answer

Risk from the organization's internal fourth department

Answer

Risk arising from the fourth quarter of the fiscal year

Answer

Risk from the fourth item on the vendor contract

Question 3

Which contract provision gives an organization the RIGHT to examine a vendor's controls and compliance posture?

Accepted Answer

Right-to-audit clause

Answer

Indemnification clause

Answer

Force majeure clause

Answer

Limitation of liability clause

Question 4

When classifying vendors by risk tier, which factor is MOST relevant to assigning a vendor to the highest risk tier?

Accepted Answer

The volume of sensitive data the vendor accesses or processes

Answer

The vendor's geographic headquarters location

Answer

The length of the vendor relationship

Answer

The number of employees the vendor has

Question 5

What is the PRIMARY purpose of a Service Level Agreement (SLA) in vendor risk management?

Accepted Answer

To set measurable performance and availability expectations that can be monitored

Answer

To define ownership of intellectual property created during the engagement

Answer

To establish the vendor's financial responsibility for data breaches

Answer

To outline the marketing obligations of each party

Question 6

An organization terminates its relationship with a cloud vendor. Which action is MOST critical from a risk management perspective?

Accepted Answer

Ensuring all organizational data is securely retrieved and deleted from vendor systems

Answer

Sending a formal termination letter with 30-day notice

Answer

Publishing an announcement to notify stakeholders

Answer

Issuing a final invoice for outstanding payments

Question 7

Which metric is MOST useful for ongoing monitoring of a vendor's security risk posture?

Accepted Answer

Frequency and severity of security incidents reported by the vendor

Answer

The vendor's annual revenue growth rate

Answer

The number of years the vendor has been in business

Answer

The vendor's employee satisfaction score