Exam SY0-701 topic 1 question 12 discussion

An analysis would safely address if their was a lack of reliability, or authenticity when procuring hardware from a supplier to protect the company.

A penetration test would be checking the security practices of your supply chain to ensure they are not easily tampered with, but does not address the lack of reliability, & authenticity that would protect a company from the possible procurement of faulty supplies/hardware like an analysis would. An enforced acquisition policy would be a bad practice especially if the parts were faulty. A right to audit clause, & Statement of Work (SOW) is the first step to allowing an analysis, or penetration test of vendor services, & goods.

A right to audit clause, ensure that you have control over what is being supplied and not just rely on supplier previous record.

Thorough analysis of the supply chain is the best approach to mitigate the risks associated with procuring counterfeit hardware. It focuses on ensuring that hardware is sourced from legitimate, certified vendors and suppliers.

A. A thorough analysis of the supply chain A thorough analysis of the supply chain helps identify and mitigate risks related to counterfeit hardware. By assessing the origin and authenticity of hardware components, verifying suppliers, and ensuring compliance with standards, the company can reduce the chances of receiving counterfeit or substandard hardware. While the other options might be useful in different contexts, supply chain analysis specifically addresses the issue of procuring counterfeit hardware.

The best answer to the question is C: A right to audit clause in vendor contracts and SOWs. Here's why: Option C: This option ensures that the company has the legal right to inspect the hardware and its supply chain, which can help mitigate the risks associated with procuring counterfeit hardware. It provides a contractual obligation for the vendor to allow audits, ensuring that the company can verify the authenticity of the hardware before deployment. While options A and B are also valid practices for managing supply chain risks, they do not directly address the specific risk of procuring counterfeit hardware. Option D is an excellent practice for identifying vulnerabilities in a network, but it does not specifically address the issue of counterfeit hardware. In summary, having the legal right to audit vendors and their supply chains is the most direct and effective way to address the risks associated with procuring counterfeit hardware.

The company should implement a supply chain risk management (SCRM) program.

In the process of conducting due diligence, companies can request for (external) audits which will fall under the right to audit clause. Right to audit clause is not only after the fact

I was about to say C, although correct answer is A - bcoz audit is AFTER the transaction. We want to investigate first, before buying anything from the suplier.

I think the key word is "procuring". This involves getting quotes from vendors. Some requirements may only allow components and manufacturing from US based vendors. That's where you need to be mindful of the supply chain. Case example - some brands were found to be beaconing information to foreign countries.

While "C" is a valuable measure, it primarily ensures compliance and accountability after the fact. It allows for the detection of issues during audits but doesn’t proactively prevent counterfeit hardware from entering the supply chain. "A" is a more proactive approach. It involves evaluating and monitoring the entire supply chain to identify and mitigate risks before counterfeit hardware can be procured. So, it should be "A" - correct answer.

I did a lot of back and forth with ChatGPT regarding this topic, and even brought up some of the points people were making here. The first response it got was also A. But after discussing what both options (A & C) can offer as a solution to this problem, it eventually changed it's mind to C. To me C makes most sense as it provides an actionable solution that provides direct control

You cannot do a thorough analysis of the supply chain without a right to audit. ;-) Also, a right to audit will be fundamental to separate the supplier that allow (and become a supplier) from those one that would not allow auditing (and not become a supplier).

Trick question? Is Assessment the same as analysis as far as Comptia is concerned? Vendor assessment is a thorough background check for potential suppliers that allows an organization to gauge their due diligence, competence, and dependability for the safeguarding of business interests and stringent quality control.

Vendor Accountability: By including a right to audit clause, the company ensures vendors are accountable for providing certified hardware. This clause can serve as a deterrent against the supply of counterfeit products, as vendors know their processes and products can be reviewed at any time. Verification of Authenticity: Audits can include checks on the supply chain processes, manufacturing practices, and documentation related to the origin and certification of hardware. This ensures that only legitimate products are used in network construction. Just saying...

I could see A or C. I'm leaning towards A.

A penetration test would be checking the security practices of your supply chain to ensure they are not easily tampered with, but does not address the lack of reliability, & authenticity that would reason for the procurement of faulty supplies (hardware) like an analysis would. An enforced acquisition policy would be a bad practice especially if the parts were faulty. A right to audit clause, & Statement of Work (SOW) is the first step to allowing an analysis, or penetration test of vendor services, & goods.