When entering into a third party vendor agreement for security services, at what point in the process is it BEST to understand and validate the security posture and compliance level of the vendor?
A. At the time the security services are being performed and the vendor needs access to the network
B. Once the agreement has been signed and the security vendor states that they will need access to the network
C. Once the vendor is on premise and before they perform security services
D. Prior to signing the agreement and before any security services are being performed
Evaluating a vendor’s security posture and compliance level prior to signing the agreement ensures that potential risks are identified and mitigated early in the process.
It also ensures that the vendor aligns with the organization's security policies and regulatory requirements before gaining access to sensitive systems or data.
Why Other Options Are Incorrect:
A. At the time the security services are being performed: By this stage, risks might already have been introduced.
B. Once the agreement has been signed: This exposes the organization to contractual obligations without ensuring proper security controls.
C. Once the vendor is on-premise: At this point, it may be too late to address security gaps or terminate the relationship without significant disruption.
EC-Council CISO Reference:
Vendor risk management processes outlined in the curriculum emphasize pre-contractual due diligence as a best practice for reducing third-party risks.