CAS-002 · Question #607
CAS-002 Question #607: Real Exam Question with Answer & Explanation
The correct answer is B: Ensure the consulting firm has service agreements with the sub-contractor; if the agreement
Question
Options
- A. Directly establish another separate service contract with the sub-contractor to limit the risk
- B. Ensure the consulting firm has service agreements with the sub-contractor; if the agreement
- C. Log it as a risk in the business risk register and pass the risk to the consulting firm for
- D. Terminate the contract immediately and bring the security department in-house again to
Explanation
When a primary vendor sub-contracts work without explicit authorization, the client must ensure the primary vendor's contract flows down appropriate security and service requirements to the sub-contractor rather than creating a direct relationship or simply accepting the risk.
Common mistakes
- A. Directly contracting with the sub-contractor creates a parallel legal relationship that bypasses the primary vendor's accountability and complicates governance without eliminating the original exposure.
- C. Logging the risk and passing it to the consulting firm without requiring contractual remediation does not provide the adequate protections management is demanding against legal and service exposures.
- D. Immediately terminating the contract and insourcing is a disproportionate response when contractual remediation options have not yet been pursued and the issue may be resolvable.
Concept tested. Third-party vendor contract governance and sub-contractor oversight.
Reference. https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final