Risk Assessment Process for Vendor Change: Best Practices and Considerations

Key Considerations for Changing Vendors in an Organization's Process


Question

An organization has a process in place that involves the use of a vendor.

A risk assessment was completed during the development of the process.

A year after the implementation, a monetary decision has been made to use a different vendor.

What, if anything, should occur?

Answers

A. Nothing, since a risk assessment was completed during development.
B. A vulnerability assessment should be conducted.
C. A new risk assessment should be performed.
D. The new vendor's SAS 70 type II report should be reviewed.

Explanations

Correct answer: C.

The risk assessment process is continual, and any change to an established process should include a new risk assessment.

While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own.

When an organization uses a vendor, it is important to regularly assess the risks associated with that vendor to ensure that the organization's assets, including data, are adequately protected.

In this scenario, a risk assessment was completed during the development of the process that involves the use of a vendor. However, a year after implementation, the organization has made a monetary decision to use a different vendor.

Based on this situation, the correct answer is C. A new risk assessment should be performed. This is because the risks associated with the new vendor may be different from those associated with the previous vendor. The risk assessment should be conducted to identify any new risks that may arise due to the new vendor and to ensure that the organization's assets are adequately protected.

Option A, "Nothing, since a risk assessment was completed during development," is incorrect because the previous risk assessment may not be sufficient to address the risks associated with the new vendor.

Option B, "A vulnerability assessment should be conducted," is incorrect because a vulnerability assessment only identifies weaknesses in the organization's own assets; it does not evaluate the risks introduced by relying on the new vendor.

Option D, "The new vendor's SAS 70 type II report should be reviewed," is also incorrect because SAS 70 type II is an audit of a service organization's internal controls over financial reporting, and it may not cover all the risks associated with the new vendor. Additionally, SAS 70 type II reports are no longer issued, and organizations now use Service Organization Control (SOC) reports.