What, if anything, should occur?

An organization has a process in place that involves the use of a vendor. A risk assessment was
completed during the development of the process. A year after the implementation, a monetary
decision has been made to use a different vendor. What, if anything, should occur?


A. Nothing, since a risk assessment was completed during development.

B. A vulnerability assessment should be conducted.

C. A new risk assessment should be performed.

D. The new vendor’s SAS 70 type II report should be reviewed.

Explanation:

The risk assessment process is continual, and any changes to an established process should
include a new risk assessment. While a review of the SAS 70 report and a vulnerability
assessment may be components of a risk assessment, neither would constitute sufficient due
diligence on its own.


