Exercises: Third-Party and Supply Chain Risk Management

These exercises move from vocabulary to judgment to hands-on practice with the artifacts a TPRM analyst actually produces — scored questionnaires, SBOM lookups, contract clauses, and breach playbooks. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.

All scenarios and figures are constructed for teaching (Tier 3). Where an exercise asks you to "score" or "rate," there is rarely one perfect answer; the reasoning and the explicit assumptions matter more than the number. Use documentation values only (meridianbank.example, 203.0.113.0/24, etc.).


Part A — Core vocabulary ⭐

1.† In one sentence each, define third-party risk, supply chain risk, fourth-party risk, and concentration risk. Then write one sentence that uses all four correctly in the context of a bank that relies on a single core-banking vendor running on a single cloud provider.

2. Classify each item as an example of third-party, fourth-party, supply chain (software), or concentration risk: (a) your payroll vendor is breached and your employees' SSNs leak; (b) the AWS region your payroll vendor uses has an outage; (c) a transitive open-source library in your web app has a critical CVE; (d) 80% of your sector depends on the same three core-banking providers; (e) a janitorial contractor's badge-system account is phished; (f) a monitoring tool you installed shipped with malicious code injected during the vendor's build.

3. Define software bill of materials (SBOM) in one sentence, and name the two dominant standard formats. Give the everyday analogy from the chapter and explain what each "minimum element" (version, unique identifier, dependency relationship) lets a defender do.

4.† Define software provenance and explain in two sentences why an SBOM is necessary but not sufficient for software supply chain assurance. Name the framework that addresses the gap.

5. Distinguish a vendor security assessment from continuous vendor monitoring. Why is a program that does the first but not the second "managing risk only on the day it signs"?

6. Match each to the leg(s) of the CIA triad most threatened: (a) a vendor breach exposing customer PII; (b) a core-banking vendor outage; (c) a tampered software update that silently alters transaction records; (d) a fourth-party CDN failure taking your customer portal offline.


Part B — Score a vendor ⭐⭐

7.† Score the questionnaire below for a Tier 2 vendor (an HR-analytics SaaS holding internal but non-regulated employee data). Use the weighted method from §29.4 with the critical-control override (any critical control scoring below 2 caps the result at HIGH-RISK). Compute the percentage, decide the tier, and list the gaps to remediate before signing.

#  | Control                          | Weight | Score (0–4) | Critical?
Q1 | MFA on admin access              | 3      | 4           | yes
Q2 | Encryption at rest               | 3      | 3           | yes
Q3 | Encryption in transit (TLS 1.2+) | 2      | 4           | no
Q4 | Documented patch SLA             | 2      | 2           | no
Q5 | SOC 2 Type II, scope verified    | 3      | 1           | yes
Q6 | Breach notification ≤ 72h        | 2      | 3           | no
Q7 | Sub-processor disclosure         | 1      | 1           | no
Q8 | Data destruction on termination  | 2      | 2           | no

8. Re-score Exercise 7's vendor but change Q5 (SOC 2) from a 1 to a 4 (the vendor produces a current, in-scope report). Does the tier change? Does the percentage? Explain what this tells you about the relationship between the average and the critical-control override.

9.† A vendor answers "Yes" to every question on a self-attestation questionnaire and scores 100%. List three concrete things you would require before you trust that 100%, and explain the principle ("trust, but verify") that motivates each.

10. Your manager wants a single number — "give them a grade, A–F" — for every vendor, and wants to average all questionnaire scores equally with no weights and no overrides. Write a three-sentence argument for why equal-weight averaging with no critical-control override is dangerous, with one example of a vendor it would misgrade.
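An added scorer (editor's example, not from the chapter or its answer key) that runs the Exercise 7 table through the weighted method with the critical-control override, re-scores it as Exercise 8 asks, and grades Exercise 10's "no weights, no override" proposal beside it. The percentage bands, the row layout, and the remediation cut-off are assumptions; the weights and scores are the table's own.

```python
# Constructed questionnaire for the Tier 2 HR-analytics vendor in Exercise 7.
# Row layout (id, control, weight, score, critical) is an assumption; values are from the table.
QUESTIONNAIRE = [
    ("Q1", "MFA on admin access", 3, 4, True),
    ("Q2", "Encryption at rest", 3, 3, True),
    ("Q3", "Encryption in transit (TLS 1.2+)", 2, 4, False),
    ("Q4", "Documented patch SLA", 2, 2, False),
    ("Q5", "SOC 2 Type II, scope verified", 3, 1, True),
    ("Q6", "Breach notification <= 72h", 2, 3, False),
    ("Q7", "Sub-processor disclosure", 1, 1, False),
    ("Q8", "Data destruction on termination", 2, 2, False),
]
MAX_SCORE = 4
CRITICAL_FLOOR = 2   # a critical control scoring below this caps the result at HIGH-RISK
# Percentage bands are an assumption for illustration; the chapter's own thresholds are not on this page.
BANDS = [(85.0, "LOW-RISK"), (70.0, "MEDIUM-RISK"), (0.0, "HIGH-RISK")]

def weighted_percentage(rows):
    earned = sum(w * s for _, _, w, s, _ in rows)
    possible = sum(w * MAX_SCORE for _, _, w, _, _ in rows)
    return round(100.0 * earned / possible, 1)

def equal_weight_percentage(rows):
    """The manager's proposal in Exercise 10: plain average, no weights, no override."""
    return round(100.0 * sum(s for _, _, _, s, _ in rows) / (MAX_SCORE * len(rows)), 1)

def band_for(pct):
    return next(label for floor, label in BANDS if pct >= floor)

def score_vendor(rows):
    """Weighted percentage plus the critical-control override."""
    pct = weighted_percentage(rows)
    failed_critical = [q for q, _, _, s, crit in rows if crit and s < CRITICAL_FLOOR]
    tier = "HIGH-RISK" if failed_critical else band_for(pct)
    # Remediation list: every control at or below the floor, critical or not (assumed cut-off).
    gaps = [q for q, _, _, s, _ in rows if s <= CRITICAL_FLOOR]
    return {"percentage": pct, "tier": tier, "failed_critical": failed_critical, "gaps": gaps}

def rescore(rows, qid, new_score):
    """Exercise 8: rerun the scoring with one answer changed."""
    return score_vendor([(q, n, w, new_score if q == qid else s, c) for q, n, w, s, c in rows])

def misgrade_demo(rows):
    """Exercise 10: a constructed vendor with no admin MFA but full marks elsewhere, graded both ways."""
    altered = [(q, n, w, 0 if q == "Q1" else MAX_SCORE, c) for q, n, w, _, c in rows]
    return {"equal_weight_grade": band_for(equal_weight_percentage(altered)),
            "override_grade": score_vendor(altered)["tier"]}
```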

11. ⭐⭐⭐ Design a tiering rubric for a hospital (not a bank). What data types, access levels, criticality factors, and integration factors would push a vendor to Tier 1? Give one example vendor for each of your three tiers and justify the placement.


Part C — Read an SBOM ⭐⭐

12.† Read this CycloneDX-style SBOM excerpt (illustrative) for the application branch-portal 2.1.0.

{
  "metadata": { "component": { "name": "branch-portal", "version": "2.1.0" } },
  "components": [
    { "name": "spring-core",  "version": "5.3.20", "purl": "pkg:maven/org.springframework/spring-core@5.3.20" },
    { "name": "log4j-core",   "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1" },
    { "name": "commons-text", "version": "1.9",    "purl": "pkg:maven/org.apache.commons/commons-text@1.9" }
  ],
  "dependencies": [
    { "ref": "branch-portal", "dependsOn": ["spring-core"] },
    { "ref": "spring-core",   "dependsOn": ["log4j-core", "commons-text"] }
  ]
}

(a) Which components are direct dependencies of branch-portal, and which are transitive? (b) Is the log4j-core version vulnerable to Log4Shell (CVE-2021-44228, fixed in 2.17.0+)? (c) commons-text 1.9 is associated with a separate critical RCE (the "Text4Shell" class, CVE-2022-42889). Given the dependency graph, is branch-portal exposed to it, and how did it get pulled in? (d) Write one sentence explaining why having this SBOM means you can answer (b) and (c) in seconds rather than days.

13. Given a directory of 400 stored SBOMs and a newly disclosed critical CVE in a library called fancyparse 1.2.3, describe in steps the process (not code) by which your tooling tells you which applications are exposed. Which field in the SBOM makes the match reliable, and why is matching on the library name alone insufficient?
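An added script (editor's example, not part of the chapter) showing what the tooling in Exercise 13 does on the Exercise 12 excerpt: it walks the dependency graph to tell direct from transitive components, then matches a constructed advisory feed on the purl (type/namespace/name) rather than the bare name before comparing versions. The feed structure is an assumption; the log4j fix version is the one the exercise states, and commons-text 1.10.0 is taken from the public advisory, not this page.

```python
import json

# Constructed copy of the Exercise 12 SBOM excerpt, embedded so the script runs offline.
SBOM_JSON = """{
 "metadata": {"component": {"name": "branch-portal", "version": "2.1.0"}},
 "components": [
  {"name": "spring-core", "version": "5.3.20", "purl": "pkg:maven/org.springframework/spring-core@5.3.20"},
  {"name": "log4j-core", "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
  {"name": "commons-text", "version": "1.9", "purl": "pkg:maven/org.apache.commons/commons-text@1.9"}],
 "dependencies": [
  {"ref": "branch-portal", "dependsOn": ["spring-core"]},
  {"ref": "spring-core", "dependsOn": ["log4j-core", "commons-text"]}]}"""

# Constructed advisory feed: (CVE, affected purl without version, first fixed version).
# log4j fix version as stated in Exercise 12; commons-text 1.10.0 from the public advisory.
ADVISORIES = [
    ("CVE-2021-44228", "pkg:maven/org.apache.logging.log4j/log4j-core", "2.17.0"),
    ("CVE-2022-42889", "pkg:maven/org.apache.commons/commons-text", "1.10.0"),
]

def load_sbom():
    return json.loads(SBOM_JSON)

def parse_version(v):
    # Numeric dotted versions only; "1.9" < "1.10.0" compares correctly as int tuples.
    return tuple(int(p) for p in v.split("."))

def dependency_paths(sbom, root):
    """Walk the 'dependencies' graph from root; returns {component: path from root}."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    paths, stack = {}, [(root, [root])]
    while stack:
        node, path = stack.pop()
        for child in graph.get(node, []):
            if child not in paths:          # first path found wins; also stops cycles
                paths[child] = path + [child]
                stack.append((child, paths[child]))
    return paths

def find_exposures(sbom, advisories):
    """Match on the purl base (type/namespace/name), never the bare name, then compare versions."""
    root = sbom["metadata"]["component"]["name"]
    paths = dependency_paths(sbom, root)
    hits = []
    for cve, affected, fixed_in in advisories:
        for comp in sbom["components"]:
            base, _, version = comp["purl"].partition("@")
            if base == affected and parse_version(version) < parse_version(fixed_in):
                path = paths.get(comp["name"], [comp["name"]])
                hits.append({"cve": cve, "component": comp["name"], "version": version,
                             "direct": len(path) == 2, "path": " -> ".join(path)})
    return hits
```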

14.† An SBOM for a commercial appliance lists openssl 1.0.2k. The appliance vendor says "we are not affected by recent OpenSSL CVEs." Using the chapter's reasoning, write the two-sentence response you would send the vendor, and state what evidence would resolve the disagreement (consider VEX — a Vulnerability Exploitability eXchange statement — at a conceptual level).

15. Explain why a single SBOM generated once at release can become stale, and what continuous process keeps SBOM-based detection useful over the multi-year life of a deployed product.


Part D — Write the requirements / policy ⭐⭐–⭐⭐⭐

16.† Write four contractual security clauses (one to three sentences each) for a Tier 1 software vendor that delivers code running inside Meridian's data center: (a) a breach-notification clause; (b) a right-to-audit clause; (c) a data-return/destruction clause; (d) an SBOM-delivery clause. Make each specific enough to enforce (name a timeframe, a cadence, a format).

17. Write a one-paragraph tiering policy statement for Meridian: how vendors are discovered and inventoried, the three tiers and their criteria, and what assessment depth each tier requires. Plain enough that a procurement manager who isn't a security expert could apply it.

18.† Map each of these four contract clauses to the risk-treatment option it implements (mitigate / transfer / avoid / accept — from Chapter 27): (a) minimum-controls clause; (b) cyber-insurance/indemnification clause; (c) right-to-terminate clause; (d) a documented decision to single-source the core-banking vendor despite concentration risk. Explain each mapping in a phrase.

19. ⭐⭐⭐ Design it. Meridian is adopting a new SaaS provider for loan-document storage (regulated PII). Write the requirements section of the procurement request: the security controls the vendor must have, the evidence you'll require, the contract clauses, and the ongoing-monitoring plan. Half a page. State the residual risk that remains after all of it.

20. Write a short sub-processor (fourth-party) clause and explain, in two sentences, how this single clause is your only practical lever over companies you have no contract with.


Part E — Respond to a vendor breach ⭐⭐

21.† A monitoring vendor whose product runs on your network with administrative privileges announces it was compromised at the source (a SolarWinds-style build compromise) and that a malicious update may have been installed by customers over the past several months. Write the first five actions of your response, in order, distinguishing what you do to your environment from what you request from the vendor. Which of these is a full incident-response activity rather than a procurement task?

22. A payroll vendor holding employee PII discloses a breach but is slow and vague about scope. (a) Why does your own data inventory let you act before the vendor's disclosure is complete? (b) Why does your regulatory/customer notification duty not transfer to the vendor? (c) Name the contract clause you would invoke to compel more information.

23.† Respond to this telemetry. During a vendor-breach hunt, you pull authentication logs for the service account your monitoring vendor uses on your network. All times UTC; source IP in 203.0.113.0/24.

02:14:07  user=svc-monitor  src=203.0.113.10  action=login         result=OK
02:14:31  user=svc-monitor  src=203.0.113.10  action=enum_admins   result=OK
02:15:02  user=svc-monitor  src=203.0.113.10  action=read_share    target=\\fs01\HR  result=OK
02:15:55  user=svc-monitor  src=203.0.113.10  action=create_token  result=OK

(a) The monitoring account normally only reads performance counters. Which actions here are anomalous and suggest the vendor's foothold is being abused for lateral movement? (b) What is your immediate containment action on your side? (c) Which chapter's discipline (name it) governs the broader hunt you now launch across the environment?
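An added detection routine (editor's example, not from the chapter) that parses the Exercise 23 log lines and compares each event with a per-account baseline, flagging actions outside it and an enumeration-then-token sequence inside a short window. The baseline action name "read_perf_counters", the chain definition and the five-minute window are assumptions; the log lines are the exercise's own.

```python
import re

# Constructed copy of the Exercise 23 log excerpt (times UTC, documentation address range).
LOG = r"""02:14:07  user=svc-monitor  src=203.0.113.10  action=login         result=OK
02:14:31  user=svc-monitor  src=203.0.113.10  action=enum_admins   result=OK
02:15:02  user=svc-monitor  src=203.0.113.10  action=read_share    target=\\fs01\HR  result=OK
02:15:55  user=svc-monitor  src=203.0.113.10  action=create_token  result=OK"""

# Assumed baseline: the exercise says the account only reads performance counters, so the
# action name "read_perf_counters" is an assumption standing in for that normal activity.
BASELINE = {"svc-monitor": {"login", "read_perf_counters"}}
# Assumed escalation chain: admin enumeration followed by token creation within five minutes.
CHAIN, CHAIN_WINDOW = ("enum_admins", "create_token"), 300

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<fields>.+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split 'HH:MM:SS key=value ...' into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"time": m.group("time")}
    event.update(dict(KV_RE.findall(m.group("fields"))))
    return event

def seconds(hhmmss):
    h, m, s = (int(p) for p in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def flag_anomalies(log_text, baseline):
    """Return (time, action, reasons) for each event outside the account's baseline."""
    flagged, last_enum = [], None
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        action, reasons = ev.get("action"), []
        allowed = baseline.get(ev.get("user"))
        if allowed is None:
            reasons.append("unknown-account")
        elif action not in allowed:
            reasons.append("action-outside-baseline")
        if action == CHAIN[0]:
            last_enum = seconds(ev["time"])
        elif action == CHAIN[1] and last_enum is not None and seconds(ev["time"]) - last_enum <= CHAIN_WINDOW:
            reasons.append("enum-then-token-chain")
        if reasons:
            flagged.append((ev["time"], action, reasons))
    return flagged
```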

24. After a vendor breach is contained, list four things a mature program does in the reassessment phase, and explain why a vendor breach is also a test of your own TPRM program.


Part F — CTF-style challenge ⭐⭐⭐

25.† The vendor that passed the audit. A vendor presents a glowing SOC 2 Type II report, a 96% questionnaire score, and a confident sales engineer. Your junior analyst recommends immediate approval as Tier 1 with no conditions. Find everything that could still be wrong despite the report and the score — list at least five distinct gaps or unchecked assumptions a thorough reviewer would surface (consider: scope, date, exceptions, the difference between the audited service and the one you're buying, transitive/sub-processor risk, concentration, and what the questionnaire didn't ask). Then write the three conditions you would attach to approval.


Part G — Interleaved & forward-looking ⭐⭐

26. (Interleaved with Chapter 23.) A newly disclosed CVE matches a component in three of your stored SBOMs. One match is on the CISA KEV catalog; the other two are not and have low EPSS scores. Using the risk-based prioritization from Chapter 23, in what order do you patch, and why does the SBOM+feed pipeline make this triage possible at all?

27. (Interleaved with Chapter 27.) Your enterprise risk register (Chapter 27) has a row for "core-banking vendor outage" scored likelihood 2 × impact 5 = 10. Is this purely a third-party risk, a concentration risk, or both? How would you record the treatment given there's no realistic alternative vendor, and what residual risk do you document?

28. (Interleaved with Chapter 12.) Chapter 12 introduced software composition analysis (SCA) and dependency scanning. How does an SBOM relate to SCA — are they the same thing? Explain how SCA produces and consumes SBOMs across the SDLC.

29. This chapter sets up Chapter 31 (DevSecOps / secure pipeline). Based on the SolarWinds lesson, predict two controls Chapter 31 will add to the build pipeline itself to provide the provenance that an SBOM cannot.

30. ⭐⭐⭐ Open reflection. Pick a real organization you know (your school, employer, or a public company) and list its five most critical third-party dependencies. For each, identify which flavor of risk it represents (data/access, supply chain, fourth-party, concentration) and one control you'd prioritize. Which dependency, if compromised, would hurt the organization most — and is that the one currently watched most closely?


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.