A vendor risk management questionnaire (also known as a third-party risk assessment questionnaire or vendor risk assessment questionnaire) is designed to help your organization identify potential weaknesses among your third-party vendors and partners that could result in a data breach, data leak or other type of cyber attack.
An incident response plan is a set of written instructions that outline your organization's response to data breaches, data leaks, cyber attacks and security incidents. Incident response planning contains specific directions for specific attack scenarios, avoiding further damages, reducing recovery time and mitigating cybersecurity risk. Incident response procedures focus on planning for security breaches and how organization's will recover from them.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol designed to protect your organization's email domain from being used in email spoofing. Email spoofing is often used for social engineering attacks like business email compromise attacks, phishing or spear phishing emails, emails scams and other cyber attacks.
An exploit is a piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data. Once vulnerabilities are identified, they are posted on Common Vulnerabilities and Exposures (CVE). CVE is a free vulnerability dictionary designed to improve global cyber security and cyber resilience by creating a standardized identifier for a given vulnerability or exposure.
Spear phishing is an email spoofing attack targeting a specific organization or individual. Spear phishing emails aim to infect the victim with malware or trick them into revealing sensitive data and sensitive information. Spear phishers look for target who could result in financial gain or exposure of trade secrets for corporate espionage, personally identifiable information (PII) for identity theft and protected health information (PHI) for insurance fraud.
Data security is the process of protecting sensitive data from unauthorized access and corruption throughout its lifecycle. Data security employs a range of techniques and technologies including data encryption, tokenization, two-factor authentication, key management, access control, physical security, logical controls and organizational standards to limit unauthorized access and maintain data privacy.
Protected health information (PHI) is any information about health status, provision of health care or payment for health care that is created or collected by a covered entity, or their business associate, and can be linked to a specific individual. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to implement safeguards to ensure the confidentiality, integrity and availability of PHI.
A third-party vendor is any entity that your organization does business with. This includes suppliers, manufacturers, service providers, business partners, affiliates, brokers, distributors, resellers and agents. Vendors can be upstream (suppliers and vendors) and downstream (distributors and resellers), as well as non-contractual entities.
In cybersecurity, an attack vector is a path or means by which an attacker can gain unauthorized access to a computer or network to deliver a payload or malicious outcome. Attack vectors allow attackers to exploit system vulnerabilities, install different types of malware and launch cyber attacks. Attack vectors can also be exploited to gain access to sensitive data, personally identifiable information (PII) and other sensitive information that would result in a data breach.
Malware, or malicious software, is any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses, spyware, adware and ransomware. Generally, software is considered malware based on the intent of its creator rather than its actual features.
