
CompTIA Security Plus: Section 10 – Third Party Vendor Risks

SY0-701 Section 10: Third-Party Vendor Risks (Comprehensive & Exam-Focused)



Domain 5 (Security Program Management and Oversight), objective 5.3: explain the processes associated with third-party risk assessment and management. Evaluate and manage risks from external partners following the CompTIA Security+ SY0-701 objectives.

10.1 Vendor Governance & Classification

Governance Framework

  • Vendor Management Policy: High-level document defining roles, responsibilities, and oversight processes for vendor relationships.
  • Vendor Governance Committee: Cross-functional team that reviews vendor risk assessments and approves engagements.
  • Risk Appetite and Risk Tolerance: Organizational thresholds for acceptable vendor risk levels.

Vendor Tiering & Criticality

Tier | Description | Due diligence depth
Tier 1 (Critical) | Vendors with direct access to sensitive data or critical systems. | On-site audits, continuous security monitoring, System and Organization Controls (SOC) reports.
Tier 2 (Important) | Vendors supporting critical systems indirectly (e.g., software dependencies). | Security questionnaires, periodic remote assessments.
Tier 3 (Routine) | Vendors with minimal impact on business operations. | Self-assessment checklists, annual reviews.

10.2 Risk Assessment Lifecycle

Pre-contractual Assessment

  • Initial Screening: Background checks, sanction list screening, identity verification.
  • Security Questionnaires:
    • Shared Assessments Standardized Information Gathering (SIG) questionnaire.
    • Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ).
  • Documentation Review: Examination of vendor policies, System and Organization Controls (SOC) 1 and SOC 2 reports, International Organization for Standardization 27001 (ISO 27001) certificates, Payment Card Industry Data Security Standard (PCI DSS) compliance.

Contractual Phase

  • Service Level Agreement (SLA): Defines performance metrics, uptime guarantees, and penalties for non-compliance.
  • Data Processing Agreement (DPA): Required under General Data Protection Regulation (GDPR) Article 28 to govern data controller and processor responsibilities.
  • Non-Disclosure Agreement (NDA): Protects proprietary and confidential information exchanged.
  • Right to Audit Clause: Grants the organization the ability to perform on-site or remote audits to verify controls.
  • Termination & Data Disposition: Specifies procedures for data return or secure destruction upon contract end.
Exam Focus: Identify which agreement or clause addresses specific requirements (e.g., GDPR breach notification timeline).

Post-contractual Monitoring

  • Continuous Monitoring Platforms:
    • SecurityScorecard – Rates vendor security posture based on external scans.
    • BitSight – Provides real-time security ratings and alerts.
  • Performance Dashboards: Track key performance indicators (KPIs) such as patching cadence and incident response times against the targets in the SLA.
  • Annual Audits: Require SOC 2 Type II or ISO 27001 annual surveillance audit and penetration testing of vendor-facing systems.
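The tiering table in 10.1 and the monitoring requirements above only work if someone actually checks that each vendor was reassessed on its tier's cadence and that the audit evidence on file is still current. The following is an added example, not code from the original page, of a small vendor register check that does that. The review intervals for Tier 1 and Tier 2, the 12-month limit on SOC 2 Type II report age, and all vendor names and dates are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Reassessment interval per tier, in days. The page specifies an annual
# review for Tier 3; the Tier 1 and Tier 2 intervals are this example's
# assumptions and would normally come from the vendor management policy.
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}

# Assumed maximum age of a Tier 1 vendor's SOC 2 Type II report before it
# is treated as stale evidence (a report covers a period, then ages out).
MAX_SOC2_AGE_DAYS = 365


@dataclass
class Vendor:
    name: str
    tier: int                         # 1 = critical, 2 = important, 3 = routine
    last_assessment: date             # date of the last completed risk assessment
    soc2_report_date: Optional[date]  # issue date of the SOC 2 Type II on file, or None


def review_due_date(v: Vendor) -> date:
    """Next reassessment date implied by the vendor's tier."""
    return v.last_assessment + timedelta(days=REVIEW_INTERVAL_DAYS[v.tier])


def findings(v: Vendor, today: date) -> List[str]:
    """Monitoring findings for one vendor; an empty list means nothing to action."""
    out: List[str] = []
    due = review_due_date(v)
    if today > due:
        out.append(f"reassessment overdue by {(today - due).days} days")
    if v.tier == 1:  # only critical vendors are required to supply SOC 2 evidence here
        if v.soc2_report_date is None:
            out.append("no SOC 2 Type II report on file")
        elif (today - v.soc2_report_date).days > MAX_SOC2_AGE_DAYS:
            out.append("SOC 2 Type II report older than 12 months")
    return out


def overdue_report(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map vendor name -> findings, listing only vendors that need action."""
    report: Dict[str, List[str]] = {}
    for v in vendors:
        f = findings(v, today)
        if f:
            report[v.name] = f
    return report


# Constructed sample register; the vendor names and dates are made up.
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", 1, date(2024, 1, 15), date(2023, 3, 1)),
    Vendor("CI Build Service", 2, date(2023, 10, 1), date(2024, 1, 10)),
    Vendor("Office Supplies", 3, date(2023, 9, 1), None),
]
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the sample output is reproducible


def sample_report() -> Dict[str, List[str]]:
    return overdue_report(SAMPLE_VENDORS, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, items in sample_report().items():
        print(name)
        for item in items:
            print("  -", item)
```

Run against the constructed register, the Tier 1 payroll vendor is flagged twice (overdue reassessment and a stale SOC 2 report), the Tier 2 build service once, and the Tier 3 supplies vendor not at all because its annual review is not yet due. In practice the register would be fed from the vendor management system and the intervals from the policy; the point of the check is that tier drives both the cadence and the evidence required.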

10.3 Key Control Domains

Identity & Access Management Controls

  • Role-Based Access Control (RBAC): Assign vendor accounts minimal permissions based on roles.
  • Multi-Factor Authentication (MFA): Enforce for all remote vendor access (e.g., VPN, web portals).
  • Privileged Access Management (PAM): Temporary, supervised access for critical tasks.

Network & System Controls

  • Network Segmentation: Use Virtual Local Area Networks (VLANs), firewall rules, and bastion hosts to limit vendor system reach.
  • Encryption:
    • Transport Layer Security (TLS) 1.2 or 1.3 for data in transit.
    • Advanced Encryption Standard with a 256-bit key (AES-256) for data at rest.

Data Protection & Monitoring

  • Data Loss Prevention (DLP): Enforce policies on sensitive data leaving the enterprise perimeter, including data sent to vendors.
  • Immutable Backups: Ensure vendor backup data cannot be altered by ransomware or insider threats.

Resilience & Continuity

  • Redundancy: Maintain at least two independent vendors for critical services.
  • Disaster Recovery Plans: Validate vendor Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

10.4 Compliance & Legal Considerations

Regulatory Frameworks

  • GDPR (Article 28) – Data processor obligations.
  • Health Insurance Portability and Accountability Act (HIPAA) – Business Associate Agreements (BAA).
  • PCI DSS – Service Provider Requirements.
  • Sarbanes-Oxley Act (SOX) – Vendor controls for financial reporting.

Contractual Safeguards

  • Indemnification: Vendor liability clauses for breach-related costs.
  • Cyber Insurance: Minimum coverage levels and proof of insurance.
  • Jurisdiction & Governing Law: Legal venue for dispute resolution.

10.5 Supply Chain Threats & Mitigations

Threat Vectors

  • Software Supply Chain Attacks: Malicious code inserted during build or update (e.g., SolarWinds Orion breach).
  • Hardware Trojans: Malicious circuits embedded in electronic components.
  • Outage Risks: Vendor system failures, geopolitical disruptions.

Mitigation Techniques

  • Software Bill of Materials (SBOM): Track all software components and dependencies.
  • Trusted Foundry Programs: Acquire hardware from vetted suppliers.
  • Alternate Vendor Strategy: Pre-contract agreements with backup providers.
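An SBOM is only a mitigation if it is actually consumed: parsed, matched against advisories, and checked for components that cannot be verified. The block below is an added example, not code from the original page or from any SBOM tool, of that consumption step over a CycloneDX-style JSON document. The SBOM content, the package names and hashes, and the advisory identifiers (ADV-EXAMPLE-…) are all constructed for this example and are not real packages or CVEs; the version comparison handles numeric dotted versions only.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM. Component names, versions, package URLs
# and hashes are made up for this example; the hash values are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-httpclient", "version": "2.3.1",
     "purl": "pkg:pypi/acme-httpclient@2.3.1",
     "hashes": [{"alg": "SHA-256",
                 "content": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}]},
    {"type": "library", "name": "yaml-parse", "version": "0.9.0",
     "purl": "pkg:pypi/yaml-parse@0.9.0"},
    {"type": "library", "name": "log-shim", "version": "1.4.2",
     "purl": "pkg:npm/log-shim@1.4.2",
     "hashes": [{"alg": "SHA-256",
                 "content": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"}]}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# "fixed_in" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:pypi/yaml-parse", "fixed_in": "1.0.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:npm/log-shim", "fixed_in": "1.4.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (e.g. 1.4.2); enough for this example."""
    return tuple(int(p) for p in v.split("."))


def package_of(purl: str) -> str:
    """Strip the @version and any ?qualifiers from a package URL."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def load_components(sbom_json: str) -> List[dict]:
    """Parse the document and return its component list, refusing non-CycloneDX input."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def audit_sbom(sbom_json: str, advisories: List[dict]) -> Dict[str, list]:
    """Report components matching an advisory and components lacking a SHA-256 hash."""
    report: Dict[str, list] = {"vulnerable": [], "unhashed": []}
    for comp in load_components(sbom_json):
        name, version, purl = comp["name"], comp["version"], comp.get("purl", "")
        # Without a hash, the component cannot be tied to the artifact actually shipped.
        if not any(h.get("alg") == "SHA-256" for h in comp.get("hashes", [])):
            report["unhashed"].append(name)
        for adv in advisories:
            if package_of(purl) == adv["package"] and \
                    parse_version(version) < parse_version(adv["fixed_in"]):
                report["vulnerable"].append((name, version, adv["id"]))
    return report


if __name__ == "__main__":
    print(audit_sbom(SBOM_JSON, ADVISORIES))
```

On the constructed input, yaml-parse 0.9.0 is reported against ADV-EXAMPLE-0001 and also as unhashed, while log-shim 1.4.2 is not reported because it is at or above the fixed version. The same loop is what a vendor-facing control would run on every SBOM delivered with a release, so that a component the vendor cannot hash, or one already under advisory, is caught before deployment rather than after.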

Sample Exam Questions & Answers

Q1

Which report provides an evaluation of a service organization’s operational security controls over a defined period?

A: SOC 2 Type II report (covers controls operating effectiveness over time).

Q2

Under the General Data Protection Regulation, within how many hours must a data controller notify the supervisory authority of a personal data breach, and what is the data processor's corresponding obligation?

A: 72 hours of becoming aware of the breach (Article 33(1)). A processor that becomes aware of a breach must notify the controller "without undue delay" (Article 33(2)); the 72-hour clock applies to the controller's notification to the supervisory authority, not to the processor, so the DPA usually sets a shorter, fixed processor-to-controller deadline.

Q3

Which contractual clause ensures the organization can inspect a vendor's data centers and controls, on-site or remotely, to verify that the agreed security requirements are being met?

A: Right to Audit clause. Note that the clause itself defines notice period, frequency and scope; inspections are only unannounced if the clause explicitly grants that.

Exam Strategy: Map vendor risk activities to the SY0-701 objectives. Vendor assessment (penetration testing, right-to-audit, independent assessments, supply chain analysis), vendor selection (due diligence, conflict of interest), agreement types and vendor monitoring sit in 5.3; risk appetite and risk tolerance in 5.2; the supply chain as a threat vector (MSPs, vendors, suppliers) in 2.2; and supply chain vulnerabilities (service, hardware and software providers) in 2.3.

Knowledge Checkpoints

  • Distinguish SOC 1 vs SOC 2 vs SOC 3 reports and Type I vs Type II.
  • Recall GDPR Article 28 requirements.
  • Understand SBOM and its role in software supply chain security.
  • Identify appropriate contractual terms for data protection and breach response.
  • Map mitigation strategies to specific supply chain threats.


CompTIA IT Security Course

Section 10

Third Party Vendor Risks

Security risks to an organization that can result from external entities.

Supply chain risks: a supply chain can serve as an open door into an organization.

Supply chain attacks: hardware counterfeiting, chip washing, etc.

Vendor assessments: how to evaluate a vendor and how to conduct audits.

vendor selection and monitoring

contracts and agreements – what they should include for this

SLAs
MOUs
NDAs
BPAs etc

 

Hardware manufacturers: there is often a chain of different manufacturers and suppliers involved in producing hardware, and any weak link can compromise it.

Purchasing hardware from secondary sources increases the risk of tampering: malware, trojans, backdoors, etc.

Software providers are also integral parts of the supply chain and have to be checked: anti-virus scanning, authenticity of the package, etc. Open source can be safer because the code can be inspected, but it still has to be scanned. Proprietary software should also be checked and scanned.
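"Authenticity" of a software package in practice means checking what was downloaded against what the provider says it shipped. The block below is an added example, not code from the original page or from any vendor's tooling, of verifying downloaded files against a sha256sum-style checksum list, reporting ok, mismatch or missing per file and using a constant-time comparison. The file names, contents and checksum list are constructed inside the example so it runs offline.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict

HEX_DIGITS = set("0123456789abcdef")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse '<hex digest>  <filename>' lines (the format sha256sum -c reads)."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary-mode marker
        if len(digest) != 64 or set(digest) - HEX_DIGITS:
            raise ValueError(f"malformed SHA-256 digest for {name!r}")
        expected[name] = digest
    return expected


def sha256_file(path: str) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory: str, sums_text: str) -> Dict[str, str]:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every file in the list."""
    results: Dict[str, str] = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest avoids leaking how many leading bytes matched.
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


def demo_verify() -> Dict[str, str]:
    """Constructed scenario: one good file, one tampered file, one file never delivered."""
    with tempfile.TemporaryDirectory() as d:
        good = b"vendor agent build 1.2.3 (constructed payload)\n"
        with open(os.path.join(d, "agent-1.2.3.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "agent-1.2.3.deb"), "wb") as f:
            f.write(b"contents that do not match the published digest\n")
        sums = (
            f"{hashlib.sha256(good).hexdigest()}  agent-1.2.3.tar.gz\n"
            f"{'0' * 64}  agent-1.2.3.deb\n"
            f"{'f' * 64}  README.txt\n"
        )
        return verify_downloads(d, sums)


if __name__ == "__main__":
    for name, status in demo_verify().items():
        print(f"{status:9} {name}")
```

The caveat a practitioner needs: a checksum list proves integrity only relative to the list itself. If the list was fetched from the same mirror as the package, an attacker who replaced one could replace both, so the list (or the package) must additionally be authenticated with a signature from the provider's published key, or obtained over a separately trusted channel.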

Service providers and managed service providers (MSPs):

 

Supply Chain Attacks

Adversaries may attack weaker links in the supply chain to get into your organization, e.g. via network equipment such as switches.

Counterfeit hardware, e.g. chip washing: substituting a chip in a hardware device with a counterfeit, bugged chip.

Rootkits getting in via supply chain suppliers.

A big risk for companies and government organisations.

 

Vendor Assessment

Vendors: the sellers.

Suppliers: hardware producers and software developers.

Managed Service Providers (MSPs): external service businesses that specialise in managing parts of your internal IT system.

Vendor due diligence: ask what their own precautions are.

Regular monitoring and auditing of vendors is essential.

Independent assessments can provide information.

Contractual arrangements.

Use penetration tests to see whether a vendor or supplier is safe.

When reviewing the contract with the vendor or supplier, ensure it grants the right to perform a penetration test against them, for example.

This is important: running a pentest without that agreed permission (the rules of engagement) could be construed as attempted cracking/hacking.

Supply chain analysis: scrutinise every link in a vendor's supply chain.

Vendor assessment, contract review and penetration testing are all essential for this.

TIP:

Don't accept unsolicited incoming proposals from vendors or external sources; initiate the contact yourself. It is like hailing a taxi in an unfamiliar country: call one yourself rather than getting into one that pulls up at the kerb. It is safer.

 

Feedback loops: two-way communication in which customer and vendor share information with each other. They are valuable for security and risk minimisation.

 

Contracts and Agreements:

All business relationships operate on the basis of contracts.

Types:

Basic contract: formally establishes the relationship between both parties, e.g. payment structure, delivery expectations, the service or product, etc.

SLA (Service Level Agreement): used to define the standard of service for something non-tangible, i.e. a service.

Memorandum of Agreement / Memorandum of Understanding:

MOA: more formal; sets out the roles and responsibilities of each partner.

MOU: less binding, more a declaration of mutual intent. Might be used initially, before an MOA.

MSA (Master Service Agreement): a top-level agreement; further agreements (e.g. statements of work) then refer back to it.

SOW (Statement of Work): sets out the details of a particular project.

NDA (Non-Disclosure Agreement): both parties agree to keep the information exchanged private and confidential.

BPA (Business Partnership Agreement): two entities pool their resources for mutual benefit. Sometimes called a Joint Venture Agreement.
