Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?

Over the last year, an information security manager has performed risk assessments on multiple third-party vendors.

Which of the following criteria would be MOST helpful in determining the associated level of risk applied to each vendor?
A . Criticality of the service to the organization
B . Compliance requirements associated with the regulation
C . Compensating controls in place to protect information security
D . Corresponding breaches associated with each vendor

View Answer

Answer: A

Explanation:

Associated level of risk applied to each vendor is the Residual Risk (the risk after applying vendor’s controls). CRISC RM 6th, (Residual Risk = Inherent Risk C Cumulative Effect of Controls) Inherent risk is the current risk without applying any control (i.e. before vendor’s controls), this risk is the same quantity in the equation for each vendor. Effect of controls (the value supplied by the vendor) will be different for each vendor. Ex. For vendor 1, Residual Risk1= Inherent/current Risk C Effect of controls of Vendor1 For vendor 2, Residual Risk2= Inherent/current Risk C Effect of controls of Vendor2