Physical access procedures and activity logs are important components of third-party risk management: they help protect the security and integrity of the physical assets and data of the organization and of its third parties, and they provide the evidence needed to reconstruct who entered a facility and when. Requiring physical access logs to be retained indefinitely for audit purposes, however, is not a best practice, because it creates legal, regulatory, and operational problems. The Supplemental Examination Procedures for Risk Management of Third-Party Relationships call for physical access logs to be retained for a reasonable period of time, consistent with the organization's policies and procedures and in compliance with applicable laws and regulations [1]. Access logs are themselves sensitive records (they identify individuals and their movements), so keeping them indefinitely enlarges the volume of data exposed in a breach and conflicts with data-minimization requirements, increasing the risk of unauthorized access, data breaches, privacy violations, and litigation [2]. Statement B is therefore the correct answer, as it is the only option that does not reflect a best practice for physical access procedures and activity logs.
References:
[1] How to Write Third-Party Risk Management (TPRM) Policies and Procedures, SecurityScorecard Blog
[2] Five Best Practices to Manage and Control Third-Party Risk, Broadcom Inc.
[3] A Checklist for Third-Party Risk Management Platforms, Crowe LLP
[4] Supplemental Examination Procedures for Risk Management of Third-Party Relationships
[5] Third Party Risk Management: Why It's Important and What Features to Look For, Expert Insights