Fourth-party risk
Definition
The risk arising from a vendor's own subcontractors and suppliers. If a critical vendor outsources key processes to a subcontractor, the organisation's data or operations may depend on a party it has never assessed. Fourth-party risk is a growing focus in mature third-party risk programmes.
Related terms
- Audit rights clause
- A contractual provision giving the buying organisation the right to assess, inspect, or commission a third-party audit of the vendor's security controls....
- CAIQ (Consensus Assessments Initiative Questionnaire)
- A questionnaire published by the Cloud Security Alliance, designed specifically for cloud service providers. It maps to the CSA Cloud Controls Matrix...
- Inherent risk
- The level of risk a vendor relationship carries before any controls are applied. Inherent risk determines how deep an assessment must be:...
- SIG (Standardised Information Gathering)
- A vendor security questionnaire published by Shared Assessments. The SIG Core covers eighteen risk domains including access control, data security, and business...
- SOC 2 Type II report
- An independent audit report on a service organisation's controls related to security, availability, processing integrity, confidentiality, and privacy. Type II reports cover...
Explained in
- Vendor Security Questionnaires and AssessmentsThe risk arising from a vendor's own subcontractors and suppliers. If a critical vendor outsources key processes to a subcontractor, the organisation's data or...