CISA Question #482: Real Exam Question with Answer & Explanation
The correct answer is C: The vendor is excluded from the third-party due diligence process.
Question
An outsourced recruitment vendor processes personally identifiable information (PII) related to an organization's new hires. Which of the following would be the GREATEST concern to an IS auditor reviewing the third-party risk management process?
Options
- A. The vendor collects data using an external-facing web service.
- B. The vendor uses a fourth party to host client data.
- C. The vendor is excluded from the third-party due diligence process.
- D. The vendor lacks a team of dedicated privacy professionals.
Explanation
If the vendor is excluded from the third-party due diligence process, the organization has no assurance about the vendor's security posture, privacy practices, or risk level - despite that vendor handling sensitive PII. This is a fundamental breakdown in third-party risk management. Using a fourth party (B) is a concern but can be mitigated with contractual controls. Using an external-facing web service (A) and lacking dedicated privacy staff (D) are risks but are manageable if identified through due diligence. Being excluded from due diligence entirely means the risk is unassessed and unmanaged.