A financial services company relies on a third-party for its core customer relationship management (CRM) software. During a routine review, the company's security team discovers that the vendor has no formal process for security audits and lacks clear contractual security obligations. Which of the following would be the MOST effective initial step to mitigate the supply chain risk posed by this vendor?
Immediately begin searching for an alternative CRM vendor with a better security reputation.
Establish contractual security requirements and a right-to-audit clause with the vendor.
Isolate the CRM software on a dedicated, segregated network segment.
Encrypt all data in transit between the company's network and the vendor's CRM software.
The most effective initial action is to establish formal security requirements and conduct regular assessments. This directly addresses the core issue of a lack of security oversight for the vendor. By contractually mandating security standards and verifying them through audits, the company can ensure the vendor's security posture meets its requirements, mitigating the risk of a supply chain attack. While isolating the software and encrypting traffic are valuable technical controls, they do not address the vendor's internal security weaknesses. Switching vendors is a drastic step that may not be immediately feasible and introduces new risks.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are supply chain attacks?
Open an interactive chat with Bash
What types of security assessments should be conducted for third-party vendors?
Open an interactive chat with Bash
What are some stringent security requirements that can be imposed on vendors?