A compliance officer of a large organization has reviewed the firm’s vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.
Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)
- Executing vendor compliance assessments against the organization’s security controls
- Executing NDAs prior to sharing critical data with third parties
- Soliciting third-party audit reports on an annual basis
- Maintaining and reviewing the organizational risk assessment on a quarterly basis
- Completing a business impact assessment for all critical service providers
- Utilizing DLP capabilities at both the endpoint and perimeter levels