Your company has a contract with an external vendor that mandates critical vulnerabilities to be fixed within 48 hours of detection. A critical vulnerability was detected on a server managed by this vendor, but after 48 hours, there is no evidence that the issue has been addressed. What should be your first course of action?
Review the terms of the contract regarding compliance criteria and communicate the breach to the vendor.
Notify internal stakeholders about the failure to address the vulnerability.
Escalate the issue to higher management within your company.
Seek legal advice to address the vendor's non-compliance.
The correct first course of action would be to review the terms of the contract regarding compliance criteria and then communicate the breach to the vendor. The contract includes details about the performance metrics and timelines that must be adhered to, and understanding these will guide the appropriate response. Notifying internal stakeholders is important, but first verifying the details of the contract ensures that the complaint is accurate. Escalating to higher management or seeking legal advice might be necessary steps, but they come after confirming the breach and initial communication with the vendor.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are compliance criteria in a contract?
Open an interactive chat with Bash
What constitutes a critical vulnerability?
Open an interactive chat with Bash
Why is it important to communicate a breach to the vendor?