An organization has a process in place that involves the use of a vendor. A risk assessment was completed during the development of the process. A year after the implementation a monetary decision has been made to use a different vendor. What, if anything, should occur? 

Answer options:

A. Nothing, since a risk assessment was completed during development.
B. A vulnerability assessment should be conducted.
C. A new risk assessment should be performed.
D. The new vendor`s SAS 70 type II report should be reviewed.

C

The risk assessment process is continual and any changes to an established process should include a new- risk assessment. While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own.