1. A security team runs an automated tool that identifies 47 potential vulnerabilities across a web application and produces a report categorizing each by severity (critical, high, medium, low). A separate engagement uses a skilled security professional who actively attempts to exploit those vulnerabilities to determine which ones can actually be used to gain unauthorized access. What are these two activities, and what is the key difference?
2. Before a penetration test begins, the organization and the testing firm sign a document specifying: which IP address ranges are in scope, that testing may only occur between 10 PM and 6 AM on weeknights, that social engineering attacks are not authorized, and that the lead tester must call the CISO directly if any production system is taken offline. What is this document called, and why is it required before testing begins?
3. A company's contract with a cloud storage provider includes a provision stating: "Customer may, at any time and with 30 days written notice, conduct a direct audit of Provider's security controls, access management practices, and compliance documentation." What is this provision, and why should it be included in vendor contracts?
4. Between March and June 2020, attackers inserted malicious code into the build pipeline of a widely-used network monitoring software. The malicious updates were signed with the vendor's legitimate digital certificate and distributed to approximately 18,000 customers as part of a routine software update. The compromise was not publicly disclosed until December 2020. Which type of attack does this describe, and what is the name of the affected software vendor?
5. A healthcare organization is evaluating a new cloud EHR vendor. The vendor's own security team provides a self-assessment showing excellent security practices. The organization also requests a SOC 2 Type II report produced by an independent CPA firm. Why is the independent assessment more valuable than the vendor's self-assessment for risk decision-making?
6. During vendor selection, the procurement team discovers that a finalist vendor's CEO is the brother-in-law of the company's Chief Procurement Officer (CPO), and that the vendor has recently offered the CPO tickets to an international sporting event. The vendor also serves three direct competitors. Which risk is most directly illustrated by these facts?
Matching: Third-party Risk Assessment Concepts
Match each concept (1–4) to its correct description (A–D).
1Penetration Test
2Rules of Engagement
3Right-to-Audit Clause
4Supply Chain Attack
AA contractual provision granting the customer the right to directly verify vendor security controls and compliance at any time; essential accountability mechanism in vendor relationships
BAn authorized simulated attack that actively attempts to exploit identified vulnerabilities to determine whether they are genuinely exploitable and what impact a real attacker could achieve
CA pre-engagement document defining scope, timing, authorized techniques, out-of-scope systems, and emergency escalation contacts that must be agreed before security testing begins
DA compromise that targets a trusted software supplier or technology partner rather than the victim organization directly, allowing malicious code or access to travel through legitimate delivery mechanisms