Quiz: Third-Party and Supply Chain Risk Management
Twenty-five self-check questions: multiple choice, true/false-with-justification, and short answer. Several are tagged with the exam domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for (ISC)² CISSP. Answer first, then check the key at the end. A topic-to-question review map follows the key.
Multiple Choice
1. [Sec+] Your organization deploys a network-monitoring product that, unknown to you, was weaponized inside the vendor's build pipeline before being signed and shipped. This is best described as:
- A) Fourth-party risk
- B) A software supply chain attack
- C) Concentration risk
- D) A misconfiguration

2. [Sec+] What does a software bill of materials (SBOM) primarily provide?
- A) Proof that an artifact was built from the expected source by an untampered process
- B) A machine-readable inventory of the components inside a piece of software
- C) A contractual commitment from the vendor to patch within 30 days
- D) A real-time alert when a vendor is breached

3. [CISSP] Which best captures why concentration risk cannot be solved by assessing the vendor more thoroughly?
- A) The vendor refuses to share its SOC 2 report
- B) Concentration risk is about aggregate dependence; even a perfectly secure vendor is still a single point of failure
- C) Assessments are always inaccurate
- D) Concentration risk only applies to open-source software

4. [Sec+] "Are we running Log4j, and where?" was hard to answer in December 2021 mainly because:
- A) Log4j was a commercial product no one had licensed
- B) Log4j was usually a transitive dependency buried inside other libraries and products
- C) The CVE had no identifier
- D) Java does not allow logging

5. The single highest-leverage step in vendor assessment, because it directs finite review capacity, is:
- A) Reading the entire SOC 2 report aloud
- B) Tiering vendors by the risk they carry
- C) Sending every vendor the same 300-question survey
- D) Requiring a penetration test of every vendor annually

6. [CISSP] Which contract clause most directly gives you reach into fourth-party (your vendor's vendor) risk?
- A) The right-to-terminate clause
- B) The cyber-insurance clause
- C) The sub-processor disclosure and flow-down clause
- D) The data-residency clause

7. [Sec+] An SBOM would not have detected the SolarWinds Sunburst compromise because:
- A) SBOMs only cover open-source code
- B) The malicious code was injected during the build, so shipped components looked legitimate and were correctly signed
- C) SolarWinds did not use any third-party libraries
- D) SBOMs are not machine-readable

8. The supply chain control that addresses the SolarWinds-class gap — proving an artifact is what you think it is — is:
- A) A larger SBOM
- B) Software provenance / SLSA (build-integrity verification)
- C) A stricter password policy
- D) Encrypting the SBOM at rest

9. [Sec+] A vendor scores 91% on a weighted questionnaire but answered "No" to MFA on administrative access. The defensible outcome is:
- A) Approve — 91% is a passing grade
- B) Reject or conditionally approve; a failed critical control caps the rating regardless of the average
- C) Re-weight the questionnaire until 91% becomes 95%
- D) Ignore the MFA answer since it's only one question

10. [CISSP] In a vendor breach where the vendor's product runs inside your network with privilege, the most accurate framing of your response is:
- A) A procurement task handled entirely by the vendor-management team
- B) A full incident-response event in your own environment
- C) Nothing — the vendor owns the breach and the cleanup
- D) A compliance audit

11. [Sec+] Which is a risk transfer (not mitigation) mechanism in a vendor contract?
- A) The minimum-controls clause
- B) The right-to-audit clause
- C) The cyber-insurance / indemnification clause
- D) The SBOM-delivery clause

12. Offboarding a vendor most often leaks data because:
- A) Vendors always act maliciously at the end
- B) The organization fails to confirm data return/destruction and to revoke all access
- C) Contracts forbid deleting data
- D) Encryption keys expire automatically

13. [Sec+] Which pairing correctly matches the supply chain failure to its primary defense?
- A) Log4Shell → provenance/SLSA; SolarWinds → SBOM
- B) Log4Shell → SBOM (find the vulnerable component); SolarWinds → provenance/SLSA (prove the build wasn't tampered with)
- C) Both → password rotation
- D) Both → SOC 2 report

14. [CISSP] The GLBA Safeguards Rule, relevant to a regulated bank, specifically requires which TPRM-related activity?
- A) Publishing an SBOM publicly
- B) Overseeing service providers by contract and ongoing monitoring
- C) Encrypting all email
- D) Performing red-team exercises monthly
True / False (with one-sentence justification)
15. [Sec+] True or False: A current SOC 2 Type II report means you can skip reviewing the report's scope and exceptions. Justify.
16. True or False: An SBOM provides value the moment it is generated, even if it is never compared against vulnerability feeds. Justify.
17. [CISSP] True or False: If a vendor holding your customer data is breached, your duty to notify regulators and customers transfers to the vendor. Justify.
18. True or False: A vendor self-attestation questionnaire is reliable enough that corroborating evidence is unnecessary for critical controls. Justify.
19. [Sec+] True or False: Concentration risk and supply chain risk are two names for the same thing. Justify.
Short Answer
20. [Sec+] In two sentences, distinguish third-party risk from supply chain risk, with a concrete example of each.
21. Name the five lifecycle stages of TPRM (after inventory) and state the characteristic failure mode of the monitoring stage.
22. [CISSP] A vendor's contract says it will "comply with all applicable laws." Explain, using "compliance is the floor, not the ceiling," why this clause alone is insufficient for a Tier 1 vendor and give one stronger requirement you'd add.
23. Explain why a vendor questionnaire should produce a structured verdict (overall rating + flagged gaps + required remediations + residual risk) rather than a single percentage.
24. [Sec+] You hold SBOMs for 400 applications. A critical CVE is disclosed in a transitive library. Describe in two sentences how this changes your response compared to an organization without SBOMs.
25. [CISSP] During a vendor-breach response, why must you stay strictly on your side of the relationship (your logs, your data, your access) and not probe the vendor's systems, even to learn more?
Answer Key
1. **B** — Code weaponized in the vendor's build before delivery is a software supply chain attack (the SolarWinds pattern). [Sec+]
2. **B** — An SBOM is a machine-readable component inventory; (A) describes provenance/SLSA. [Sec+]
3. **B** — Concentration risk is aggregate dependence; a secure single provider is still a single point of failure, treated with diversification/resilience/exit plans, not a better assessment. [CISSP]
4. **B** — Log4j was typically a buried transitive dependency, so it wasn't on anyone's chosen-components list. [Sec+]
5. **B** — Tiering directs scarce deep-review effort where the risk is, preventing both drowning and rubber-stamping.
6. **C** — The sub-processor disclosure/flow-down clause is your only practical reach into companies you have no direct contract with. [CISSP]
7. **B** — Sunburst was injected at build time; shipped components looked legitimate and were correctly signed, so an inventory of components wouldn't flag it. [Sec+]
8. **B** — Software provenance / SLSA proves an artifact was built from expected source by an untampered process.
9. **B** — A failed critical control (admin MFA) caps the rating regardless of the weighted average; the high average must not hide a likely breach path. [Sec+]
10. **B** — A compromised vendor product running inside your network with privilege is a full IR event in your environment, not just a procurement matter. [CISSP]
11. **C** — Cyber-insurance/indemnification shifts the *cost* of a breach (transfer); minimum-controls and right-to-audit are mitigation. [Sec+]
12. **B** — Offboarding leaks come from not confirming data destruction and not revoking all access (the forgotten backup, the still-valid API key).
13. **B** — Log4Shell (known vuln in a dependency) → SBOM; SolarWinds (tampered build) → provenance/SLSA. [Sec+]
14. **B** — GLBA's Safeguards Rule requires overseeing service providers via contract and ongoing monitoring. [CISSP]
15. **False** — The scope may not cover the service you're buying and exceptions can hide real gaps; you must read both. A report you didn't actually read is theater. [Sec+]
16. **False** — An SBOM is an ingredient list; its value comes from continuously matching components+versions against vulnerability feeds (NVD/KEV/OSV). Sitting in a folder, it warns no one.
17. **False** — The notification duty stays with you as the data owner/controller once you know your data was breached; the vendor's breach triggers your duty, it doesn't transfer it. [CISSP]
18. **False** — A questionnaire is the vendor grading its own homework; critical claims must be corroborated with evidence (SOC 2, pen-test summary, policy screenshot) — trust, but verify.
19. **False** — Supply chain risk is a compromised/flawed component you deploy; concentration risk is outsized dependence on one provider. Different failure modes, different treatments. [Sec+]
20. *Third-party risk*: a direct vendor breach exposing data/access you gave them (e.g., a breached payroll processor leaks employee SSNs). *Supply chain risk*: a component you deploy is compromised/flawed before it reaches you (e.g., a transitive Log4j with a critical CVE, or a tampered SolarWinds update). [Sec+]
21. Assess → contract → onboard → monitor → offboard. The *monitoring* stage fails because programs assess once at signing and never look again while the vendor's posture drifts for years.
22. "Applicable laws" requires only the minimum (the floor); your exposure and notification needs exceed it. Add a stronger requirement such as breach notification within 72 hours (tighter than many regulatory minimums), a firm right to audit, or specific minimum controls referencing ISO 27001/SOC 2. [CISSP]
23. Because a single percentage lets strong answers on low-stakes questions paper over weak answers on critical ones; a structured verdict surfaces the deal-breakers (e.g., a failed critical control), the required fixes, and what risk remains if approved.
24. Without SBOMs, you spend days/weeks grepping artifacts and querying vendors to find where the library runs. With SBOMs continuously matched against feeds, you query your store and know which applications are exposed in minutes, then triage by KEV/EPSS. [Sec+]
25. Probing the vendor's systems is unauthorized access to someone else's network — a crime regardless of intent; the lawful channel for learning the vendor's side is the right-to-audit clause and the vendor's own disclosure, while you investigate only the environment you're authorized to (yours). [CISSP]

Topics to Review by Question
- Definitions / risk flavors: Q1, Q3, Q19, Q20 → §29.1
- TPRM lifecycle / tiering / offboarding: Q5, Q12, Q21 → §29.2
- SBOM / Log4Shell / provenance / SolarWinds: Q2, Q4, Q7, Q8, Q13, Q16, Q24 → §29.3
- Questionnaire scoring / contractual requirements / treatment mapping: Q6, Q9, Q11, Q22, Q23 → §29.4
- Continuous monitoring / vendor-breach response / authorization: Q10, Q17, Q25 → §29.5
- Regulation (GLBA) / Meridian application: Q14, Q15, Q18 → §29.4, §29.6
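The key's answers to Q9 and Q23 describe a questionnaire scoring rule (a failed critical control caps the rating regardless of the weighted average) and the structured verdict it should produce. The following is an added example, not part of the quiz or any real scoring standard: the questions, weights, answers, thresholds and rating scale are all constructed for illustration. It reproduces the Q9 situation (a 91% weighted average with admin MFA answered "No") and shows why the cap, not the average, decides the verdict.

```python
"""Added example: turn a weighted vendor questionnaire into a structured verdict.

Every question, weight, answer and threshold here is constructed for
illustration; none comes from a real vendor or a published scoring standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int           # contribution to the weighted average
    critical: bool = False  # a "No" here caps the verdict regardless of the average


# Constructed questionnaire: total weight 55, three critical controls.
QUESTIONNAIRE = [
    Question("Q01", "MFA enforced on all administrative access", 5, critical=True),
    Question("Q02", "Customer data encrypted at rest", 5, critical=True),
    Question("Q03", "Customer data encrypted in transit", 5, critical=True),
    Question("Q04", "Annual third-party penetration test", 5),
    Question("Q05", "Vulnerability remediation SLA defined and tracked", 5),
    Question("Q06", "Incident response plan exercised in the last 12 months", 5),
    Question("Q07", "Background checks for staff with data access", 3),
    Question("Q08", "Security awareness training for all staff", 2),
    Question("Q09", "Centralised logging and monitoring", 5),
    Question("Q10", "Backups and disaster recovery tested", 5),
    Question("Q11", "Quarterly access reviews", 3),
    Question("Q12", "Sub-processors inventoried and assessed", 3),
    Question("Q13", "Secure development lifecycle in place", 4),
]

# Constructed answers reproducing Q9: everything "Yes" except admin MFA.
SAMPLE_ANSWERS = {q.qid: True for q in QUESTIONNAIRE}
SAMPLE_ANSWERS["Q01"] = False

RATING_SCALE = ["Reject", "Conditional", "Approve"]  # worst to best


def weighted_percent(questions, answers):
    """Plain weighted average of "Yes" answers, rounded to a whole percent."""
    total = sum(q.weight for q in questions)
    earned = sum(q.weight for q in questions if answers.get(q.qid, False))
    return round(100 * earned / total)


def assess(questions, answers):
    """Return the structured verdict: rating, flagged gaps, remediations, residual risk."""
    pct = weighted_percent(questions, answers)
    # Provisional rating from the average alone (assumed thresholds).
    provisional = "Approve" if pct >= 90 else "Conditional" if pct >= 75 else "Reject"

    critical_gaps = [q for q in questions if q.critical and not answers.get(q.qid, False)]
    other_gaps = [q for q in questions if not q.critical and not answers.get(q.qid, False)]

    # The cap: one failed critical control can do no better than Conditional,
    # two or more mean Reject. The weighted average never overrides the cap.
    if not critical_gaps:
        cap = "Approve"
    elif len(critical_gaps) == 1:
        cap = "Conditional"
    else:
        cap = "Reject"
    rating = min(provisional, cap, key=RATING_SCALE.index)

    residual = "High" if critical_gaps else "Medium" if other_gaps else "Low"
    return {
        "weighted_pct": pct,
        "rating": rating,
        "flagged_gaps": [f"{q.qid}: {q.text}" for q in critical_gaps + other_gaps],
        "required_remediations": [
            f"{q.qid}: provide evidence that '{q.text}' is in place before approval"
            for q in critical_gaps
        ],
        "residual_risk": residual,
    }


if __name__ == "__main__":
    verdict = assess(QUESTIONNAIRE, SAMPLE_ANSWERS)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The weighted average comes out at 91%, which on its own would read as "Approve"; the single failed critical control caps it at "Conditional" and drives residual risk to "High". A second failed critical control pushes the cap to "Reject" even though the average is still above the Conditional threshold.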
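The key's answers to Q16 and Q24 describe an SBOM store being matched against a vulnerability feed so that, when a critical CVE lands in a transitive library, the exposed applications can be listed in minutes and triaged by KEV. The following is an added example, not part of the quiz and not any real SBOM tool: the SBOM records (a simplified CycloneDX-style shape), the component names and versions, and the advisory with its placeholder CVE id are all constructed. It also walks the dependency graph so each finding shows whether the affected library is a direct or a transitive dependency, which is the Log4Shell-style detail that makes the question hard to answer without SBOMs.

```python
"""Added example: match an SBOM store against a vulnerability advisory.

All data is constructed for illustration: application names, component names,
versions and the advisory (its CVE id is a placeholder) describe no real
product and no real CVE. Each SBOM is a simplified CycloneDX-style record:
"components" maps a ref to (name, version) and "dependsOn" is the dependency graph.
"""
from collections import deque

SBOM_STORE = {
    "billing-api": {
        "components": {
            "billing-api@3.2.0": ("billing-api", "3.2.0"),
            "web-framework@5.1.0": ("web-framework", "5.1.0"),
            "example-logging-lib@2.14.1": ("example-logging-lib", "2.14.1"),
        },
        "dependsOn": {
            "billing-api@3.2.0": ["web-framework@5.1.0"],
            "web-framework@5.1.0": ["example-logging-lib@2.14.1"],
        },
    },
    "reporting-ui": {
        "components": {
            "reporting-ui@1.0.0": ("reporting-ui", "1.0.0"),
            "example-logging-lib@2.17.1": ("example-logging-lib", "2.17.1"),
        },
        "dependsOn": {"reporting-ui@1.0.0": ["example-logging-lib@2.17.1"]},
    },
    "batch-worker": {
        "components": {
            "batch-worker@0.9.0": ("batch-worker", "0.9.0"),
            "example-logging-lib@2.12.0": ("example-logging-lib", "2.12.0"),
        },
        "dependsOn": {"batch-worker@0.9.0": ["example-logging-lib@2.12.0"]},
    },
    "static-site": {
        "components": {"static-site@2.0.0": ("static-site", "2.0.0")},
        "dependsOn": {},
    },
}

# Constructed feed entry; the id is a placeholder, not a real CVE.
ADVISORY = {
    "id": "CVE-0000-00000",
    "package": "example-logging-lib",
    "fixed_in": "2.15.0",  # every earlier version is affected
    "in_kev": True,        # listed as known-exploited, so it triages first
}


def parse_version(version):
    """Dotted numeric versions only; enough for the constructed data."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    return parse_version(version) < parse_version(advisory["fixed_in"])


def root_ref(sbom):
    """The application itself is the one component nothing depends on."""
    depended = {d for deps in sbom["dependsOn"].values() for d in deps}
    return next(ref for ref in sbom["components"] if ref not in depended)


def dependency_path(sbom, start, target):
    """BFS from the application root to the component; the path length tells
    the reader whether the dependency is direct (root -> lib) or transitive."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sbom["dependsOn"].get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def find_exposed(store, advisory):
    """Return {application: finding} for every SBOM shipping an affected version."""
    findings = {}
    for app, sbom in store.items():
        root = root_ref(sbom)
        for ref, (name, version) in sbom["components"].items():
            if name != advisory["package"] or not is_affected(version, advisory):
                continue
            path = dependency_path(sbom, root, ref)
            findings[app] = {
                "component": ref,
                "transitive": len(path) > 2,  # root -> something -> lib
                "path": " -> ".join(path),
                "priority": "P1" if advisory["in_kev"] else "P2",
            }
    return findings


if __name__ == "__main__":
    for app, finding in find_exposed(SBOM_STORE, ADVISORY).items():
        print(app, finding)
```

Run against the constructed store, the query flags billing-api (where the library arrives transitively through web-framework) and batch-worker (a direct dependency), and clears reporting-ui (patched version) and static-site (does not ship the library at all). The same loop over a store of 400 SBOMs is the "minutes, not days" difference the Q24 answer describes; a production version would also handle non-numeric version schemes and multiple affected ranges per advisory.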