A large online bookseller decides to contract with a vendor to manage Personal Information (PI). What is the least important factor for the company to consider when selecting the vendor?
The correct answer is clearly C. The vendor’s employee retention rates.
Reference: The IAPP textbook, U.S. Private-Sector Privacy, 4th Edition, 2024, Section 4.2.2 Vendor/Third-Party Risk Assessments. The factors to consider are as Bhimesh mentioned in his comment. The vendor’s employee retention rates are not mentioned in the textbook as one of the factors. Regardless, while employee retention is important for any business, of the answer choices provided, it is the least directly relevant to the vendor’s ability to manage personal information securely and effectively.
Vendor Due Diligence
A procuring organization may have specific standards and processes for vendor selection. A prospective vendor should be evaluated against these standards.
Standards for selecting vendors may include:
1. Reputation
2. Financial condition and insurance
3. Information security controls
4. Point of transfer
5. Disposal of information
6. Employee training and user awareness
7. Vendor incident response
8. Audit rights.
The reason I considered vendor employee retention rate as an important factor is that if employees at the vendor have access to PI and are constantly leaving, that opens a possibility for the employees who have left to disclose PI.
Agree. Option C, the vendor's employee retention rates, is the least important factor for the company to consider when selecting a vendor to manage Personal Information (PI).
While it is important for a company to consider the reputation and financial health of a vendor, as well as their employee training program, the retention rates of the vendor's employees are not a direct indicator of the vendor's ability to protect personal information.
It is important for the company to ensure that the vendor has appropriate security measures in place to protect personal information, such as access controls, encryption, and data breach response procedures. The company should also consider the vendor's compliance with applicable privacy and data protection laws, as well as their experience working with sensitive personal information.
Overall, while employee retention rates may indirectly reflect the quality of the vendor's services, they are not a direct factor in assessing the vendor's ability to manage personal information.
The answer should be C. On pages 90-91 of the book, Section 4.7.2 Vendor Due Diligence, employee retention rate was not mentioned.