Shared Assessments Third Party Risk Management CTPRP Question # 20 Topic 3 Discussion
Question #: 20
Topic #: 3
Your company has been alerted that an IT vendor began utilizing a subcontractor located in a country restricted by company policy. What is the BEST approach to handle this situation?
A. Notify management to approve an exception and ensure that contract provisions require prior notification and evidence of subcontractor due diligence
B. Inform the business unit and recommend that the company cease future work with the IT vendor due to company policy
C. Update the vendor inventory with the new location information in order to schedule a reassessment
D. Inform the business unit and ask the vendor to replace the subcontractor at their expense in order to move the processing back to an approved country
This answer is the best approach because it aligns with the principles of third-party risk management, which include ensuring compliance with company policies, contractual obligations, and regulatory requirements. By asking the vendor to replace the subcontractor, the company is exercising its right to terminate or modify the relationship if the vendor fails to meet the agreed-upon standards or poses unacceptable risks. This also minimizes the potential impact of the vendor’s non-compliance on the company’s reputation, operations, and data security. The other options are less effective because they either ignore the issue, compromise the company’s policy, or rely on the vendor’s self-assessment without verification.
References:
Third Party Risk Management Framework, Module 3: Program Governance, Section 3.2: Policies and Procedures, p. 14
Third Party Risk Management Framework, Module 4: Program Components, Section 4.3: Contracting, p. 24
Third Party Risk Management Framework, Module 5: Program Implementation, Section 5.2: Ongoing Monitoring, p. 32
Best-Practices Guidance for Third-Party Risk, Section: Defend Against Privileged User Risks, p. 2
Five Best Practices to Manage and Control Third-Party Risk, Section: Best Practices for Controlling Third-Party Vendor Risks, p. 3