What is the primary purpose of conducting due diligence before engaging a third-party vendor?

• A. Incorrect – Pricing is important but not the primary focus of due diligence.

• B. Incorrect – Marketing strategy is not relevant to risk evaluation.

• C. ✅ Correct – Due diligence helps assess the vendor’s financial, operational, and security risks.

• D. Incorrect – A large customer base does not guarantee low risk.

Which of the following is the most effective control to ensure ongoing compliance of a third-party vendor?

• A. Incorrect – A one-time assessment does not account for changes over time.

• B. Incorrect – Contract renewal alone does not verify compliance.

• C. ✅ Correct – Continuous monitoring provides real-time insights into vendor compliance.

• D. Incorrect – Self-attestation may be biased or inaccurate.

Which of the following is the best indicator of elevated third-party risk?

• A. Incorrect – Certification is a positive indicator, not a risk.

• B. ✅ Correct – Multiple breaches suggest poor security posture.

• C. Incorrect – Team size does not directly indicate risk.

• D. Incorrect – Cloud usage is common and not inherently risky.

What is the primary reason to include termination clauses in third-party contracts?

• A. Incorrect – Cost reduction is not the main purpose.

• B. ✅ Correct – Termination clauses provide a legal exit if the vendor fails to meet obligations.

• C. Incorrect – These clauses are not for extending contracts.

• D. Incorrect – Legal obligations cannot be avoided through termination clauses.

Which of the following is the most appropriate time to perform a third-party risk assessment?

• A. Incorrect – Waiting until after an incident is reactive, not proactive.

• B. Incorrect – Risk assessments should not be limited to renewals.

• C. ✅ Correct – Assessing risk before onboarding helps prevent issues.

• D. Incorrect – Risk assessments should be initiated by the organization, not the vendor.

An organization outsources its data processing to a third-party vendor located in a different legal jurisdiction. What is the most critical risk the organization must address in this scenario?

• A. Incorrect – Marketing practices are not directly relevant to data processing risk.

• B. Incorrect – While turnover can affect operations, it’s not the most critical issue here.

• C. ✅ Correct – Cross-border data transfer must comply with data protection laws (e.g., GDPR, HIPAA), which vary by jurisdiction.

• D. Incorrect – Use of open-source software may pose risks, but legal compliance is more critical in this context.

Which of the following best demonstrates effective governance over third-party risk in a large enterprise?

• A. Incorrect – Sole reliance on procurement lacks the necessary risk and compliance oversight.

• B. Incorrect – NDAs are important but do not constitute governance.

• C. ✅ Correct – A cross-functional committee ensures comprehensive oversight, including legal, IT, risk, and business units.

• D. Incorrect – Ongoing assessments are necessary; onboarding alone is insufficient.

A third-party vendor provides critical infrastructure services to your organization. The vendor has passed all initial risk assessments, but your organization lacks visibility into their subcontractors. What is the most appropriate risk mitigation strategy?

• A. ✅ Correct – Gaining visibility into subcontractors helps assess downstream risks and ensures comprehensive oversight.

• B. Incorrect – Accepting the risk without understanding subcontractor exposure is irresponsible.

• C. Incorrect – Termination is extreme and may not be feasible or cost-effective.

• D. Incorrect – Internal audits do not address third-party or subcontractor risks directly.