Interview Questions for Security and Data Protection

Symmetric and asymmetric encryption are two fundamental approaches to securing data. The key difference lies in the number of keys used. Think of it like this: symmetric encryption is like a secret handshake – both parties need to know the same secret (the key) to communicate. Asymmetric encryption, on the other hand, is like sending a locked box with a unique keyhole; you send the box (encrypted data) with a public key, and only the recipient, who holds the matching private key, can unlock it.

• Symmetric Encryption: Uses a single secret key to encrypt and decrypt data. It’s faster and more efficient but requires a secure method to share the key between parties. Examples include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
• Asymmetric Encryption: Uses a pair of keys – a public key and a private key. The public key can be freely shared and used to encrypt data; only the corresponding private key can decrypt it. This solves the key exchange problem inherent in symmetric encryption. Examples include RSA (Rivest-Shamir-Adleman) and ECC (Elliptic Curve Cryptography). This is commonly used for securing communication channels (SSL/TLS) and digital signatures.

In practice, often a hybrid approach is used where asymmetric encryption is used to securely exchange a symmetric key, and then symmetric encryption is used for the bulk data encryption due to its higher speed.

The CIA triad – Confidentiality, Integrity, and Availability – represents the core principles of information security. It’s a framework for understanding and managing the risks to data and systems. Imagine a bank’s customer database:

• Confidentiality: Ensuring that only authorized individuals or systems can access sensitive information. In our bank example, this means preventing unauthorized access to customer account details and preventing data breaches.
• Integrity: Guaranteeing that data is accurate, complete, and trustworthy and hasn’t been tampered with. For the bank, this means ensuring that transaction records are accurate and haven’t been altered fraudulently.
• Availability: Making sure that information and systems are accessible to authorized users when they need them. This means the bank’s online banking systems must be operational and accessible to customers 24/7 (or during designated hours).

Maintaining a balance between these three pillars is crucial. Overemphasizing one can negatively impact the others. For example, implementing extremely strict access controls (high confidentiality) might hinder availability if it slows down legitimate access for authorized users.

A robust incident response plan (IRP) outlines the steps an organization takes to prepare for, detect, respond to, and recover from security incidents. A well-structured IRP is critical for minimizing damage and maintaining business continuity.

• Preparation: Includes risk assessment, establishing roles and responsibilities, defining communication protocols, and creating backups and recovery procedures.
• Detection: This involves implementing security monitoring tools (SIEM, IDS/IPS), establishing security alerts and thresholds, and employee training on recognizing suspicious activities.
• Analysis: Investigating the incident to determine its scope, impact, and root cause. This may involve forensic analysis of systems and logs.
• Containment: Isolating affected systems or data to prevent further damage or spread of the incident. This could include disconnecting infected machines from the network.
• Eradication: Removing the threat entirely; this may involve reinstalling systems, applying patches, and cleaning infected machines.
• Recovery: Restoring systems and data from backups, and ensuring normal operations are resumed. This may include bringing systems back online and verifying data integrity.
• Post-Incident Activity: Conducting a post-incident review to identify lessons learned, improve security procedures, and update the IRP itself.

Regular testing and simulations are vital to ensure the plan’s effectiveness and that teams are prepared to execute it efficiently.

Zero-trust security is a security model that assumes no implicit trust granted to any user, device, or network, regardless of location. It operates on the principle of "never trust, always verify." Traditional security models often rely on network perimeters (firewalls), but zero trust acknowledges that perimeters are increasingly blurred with the rise of remote work and cloud computing.

Instead of relying on location, zero trust verifies every access request based on multiple factors, including:

• Identity: Verifying the user’s identity through multi-factor authentication (MFA).
• Device posture: Assessing the security status of the device accessing resources (e.g., is it patched, does it have antivirus software?).
• Context: Considering the location, time of day, and application attempting to access resources.
• Data: Applying access controls based on data sensitivity and the principle of least privilege.

This approach helps to minimize the blast radius of a security breach, even if an attacker gains access to one part of the network. Think of it as constantly verifying credentials and access at every point of interaction, eliminating any assumption of inherent trust.

Malware encompasses various malicious software designed to harm computer systems. Some common types include:

• Viruses: Self-replicating programs that attach themselves to other files and spread when those files are executed. They often cause damage or disrupt system operations.
• Worms: Self-replicating programs that spread across networks without needing a host file. They can quickly consume network bandwidth and overwhelm systems.
• Trojans: Disguised as legitimate software, they often grant attackers unauthorized access to a system. They may steal data, install other malware, or take control of the system.
• Ransomware: Encrypts a victim’s files and demands a ransom for their release. This can severely disrupt businesses and cause significant financial losses.
• Spyware: Secretly monitors a user’s activity and collects sensitive information, like passwords and credit card details. This information is then transmitted to the attacker.
• Adware: Displays unwanted advertisements on a user’s computer. While not as destructive as other malware, it can be annoying and slow down system performance.

Malware operates through various techniques, including exploiting software vulnerabilities, social engineering (tricking users into executing malicious code), and using malicious links or attachments. Strong security practices, such as keeping software up to date, using antivirus software, and practicing safe browsing habits are essential to protect against malware.

Data privacy regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) aim to protect individuals’ personal data. Key principles include:

• Lawfulness, fairness, and transparency: Data collection must be lawful, fair, and transparent to the individual.
• Purpose limitation: Data can only be collected for specified, explicit, and legitimate purposes.
• Data minimization: Only data necessary for the specified purpose should be collected.
• Accuracy: Data must be accurate and kept up to date.
• Storage limitation: Data should only be stored for as long as necessary.
• Integrity and confidentiality: Data must be protected against unauthorized access, loss, or destruction.
• Accountability: Data controllers are accountable for complying with the regulations.
• Individual rights: Individuals have the right to access, correct, erase, and restrict the processing of their data. (e.g., Right to be forgotten).

These regulations place significant obligations on organizations that handle personal data. Non-compliance can lead to substantial fines and reputational damage. Understanding and implementing appropriate data protection measures is crucial for any organization handling personal data.

A risk assessment involves identifying, analyzing, and prioritizing potential threats and vulnerabilities to an organization’s assets. It’s a systematic process to understand the likelihood and potential impact of security incidents.

Here’s a common approach:

1. Identify Assets: Determine what needs protecting. This includes hardware, software, data, intellectual property, and personnel.
2. Identify Threats: List potential threats that could compromise your assets. This could include malicious attacks (phishing, malware), natural disasters (fire, floods), and human error.
3. Identify Vulnerabilities: Determine weaknesses in your systems or processes that could be exploited by threats. This might include unpatched software, weak passwords, or inadequate access controls.
4. Analyze Risks: For each combination of threat and vulnerability, assess the likelihood (probability) of the threat occurring and the potential impact (severity) if it does. This often involves qualitative judgments but can be supported by quantitative data (e.g., historical incident rates).
5. Prioritize Risks: Rank risks based on their likelihood and impact. Risks with high likelihood and high impact should be addressed first.
6. Develop Risk Mitigation Strategies: Develop strategies to reduce or eliminate the identified risks. This may include implementing security controls (firewalls, intrusion detection systems), employee training, incident response plans, or risk transfer mechanisms (insurance).
7. Monitor and Review: Regularly monitor the effectiveness of mitigation strategies and update the risk assessment as necessary. The risk landscape is constantly evolving, so periodic reviews are essential.

Risk assessments should be tailored to the specific organization and its context. They are crucial for making informed decisions about security investments and resource allocation.

Vulnerability scanning and penetration testing are crucial components of a robust security posture. Vulnerability scanning uses automated tools to identify known weaknesses in systems and applications, like outdated software or misconfigured servers. Think of it as a security checkup – it highlights potential problems. Penetration testing, on the other hand, simulates real-world attacks to assess the effectiveness of existing security measures. It’s like a security stress test, pushing the boundaries to find exploitable vulnerabilities that a scanner might miss.

In my experience, I’ve utilized various scanning tools like Nessus and OpenVAS, conducting both internal and external scans. The results are then carefully analyzed to prioritize critical vulnerabilities based on their severity and exploitability. For penetration testing, I’ve employed methodologies like OWASP testing guide, focusing on areas like web application security, network security, and infrastructure security. I’ve worked on projects ranging from small-scale assessments of individual web applications to large-scale engagements encompassing entire enterprise networks. A memorable project involved identifying a critical SQL injection vulnerability in a customer’s e-commerce platform, which could have resulted in significant data breach. Addressing that vulnerability prevented potential financial losses and reputational damage.

I’ve always ensured that all testing is conducted ethically and with proper authorization, adhering to strict guidelines and reporting procedures.

SIEM tools are the central nervous system of a security operation. They aggregate and analyze security logs from various sources – firewalls, intrusion detection systems, servers, and more – providing a unified view of security events. Think of it as a sophisticated dashboard showing all security activity in real-time. This allows security analysts to detect threats, investigate incidents, and respond effectively.

My experience includes working with several leading SIEM platforms, including Splunk and QRadar. I’m proficient in configuring these tools, developing custom dashboards and alerts, and creating reports to track key security metrics. For example, I once used Splunk to create an alert that automatically notified the security team whenever an unusual number of login attempts failed from a single IP address, which helped us quickly detect and stop a brute-force attack. SIEMs are essential for threat detection, incident response, compliance auditing, and overall security monitoring.

Handling security incidents requires a structured and methodical approach. I follow a well-defined incident response plan which typically involves these phases:

• Preparation: Developing and regularly testing the incident response plan, establishing communication channels, and identifying key personnel.
• Identification: Detecting and confirming the occurrence of a security incident through monitoring tools like SIEM and vulnerability scans.
• Containment: Isolating the affected systems to prevent further damage or spread of the incident, like disabling compromised accounts or blocking malicious traffic.
• Eradication: Removing the root cause of the incident, such as malware removal, patching vulnerabilities, and restoring compromised data.
• Recovery: Restoring affected systems to their normal operational state, validating data integrity, and ensuring business continuity.
• Post-incident activity: Analyzing the incident to identify weaknesses in security controls, documenting lessons learned, and implementing improvements to prevent future occurrences. A crucial part is sharing findings with relevant stakeholders.

I’ve managed several incidents, ranging from phishing attacks to data breaches. My approach prioritizes minimizing damage, restoring operations quickly, and learning from each experience to enhance our overall security posture. A successful incident response relies heavily on clear communication, collaboration, and a well-defined plan.

Access control lists (ACLs) are sets of rules that determine which users or groups have permission to access specific resources. Imagine a bouncer at a nightclub – the ACL is the list of people allowed entry, specifying what areas they can access. They define who can read, write, execute, or modify files, folders, network devices, or other resources.

ACLs are implemented at various levels, such as file systems (e.g., NTFS permissions in Windows), network devices (e.g., firewall rules), and databases. Each rule specifies a subject (user or group), an object (resource), and the permissions granted. For example, an ACL might grant user ‘John’ read and write access to the ‘Documents’ folder but only read access to the ‘Confidential’ folder. Effective ACL management is vital for controlling access to sensitive information and preventing unauthorized access. Poorly configured ACLs can create significant security vulnerabilities.

Authentication methods verify the identity of a user or device. Several methods exist, each with strengths and weaknesses:

• Passwords: Simple to implement but vulnerable to brute-force attacks, phishing, and weak password choices. Multi-factor authentication (MFA) significantly improves password security.
• Biometrics: Using fingerprints, facial recognition, or iris scans for authentication. Strong security but can be intrusive and susceptible to spoofing in certain circumstances.
• Tokens (hardware or software): Generate one-time passwords, offering strong security. Hardware tokens are more secure but can be lost or stolen. Software tokens are convenient but rely on device security.
• Certificates: Digital certificates verify the identity of a user or device. Widely used for secure communication (SSL/TLS) and application access. Relies on certificate management infrastructure.
• Multi-factor authentication (MFA): Combining two or more authentication methods (e.g., password and a one-time code from a phone). Provides strong protection against unauthorized access, even if one factor is compromised.

The choice of authentication method depends on the sensitivity of the data and resources being protected, the risk tolerance, and the cost of implementation.

Securing a cloud-based infrastructure requires a multi-layered approach addressing various aspects of security:

• Identity and Access Management (IAM): Implementing robust IAM controls with strong passwords, MFA, and least privilege access. Use granular permissions to limit access to only necessary resources.
• Virtual Private Cloud (VPC): Using VPCs to create isolated networks within the cloud provider’s infrastructure, enhancing security and control.
• Data encryption: Encrypting data both in transit (using HTTPS/TLS) and at rest (using encryption services). This protects data from unauthorized access, even if the underlying systems are compromised.
• Security Information and Event Management (SIEM): Implementing a SIEM to monitor cloud logs and detect suspicious activity.
• Firewall management: Configuring firewalls to control network traffic, blocking unauthorized access and enforcing security policies.
• Regular security audits and penetration testing: Performing regular assessments to identify vulnerabilities and ensure the effectiveness of security controls.
• Vulnerability management: Regularly scanning and patching systems to address known vulnerabilities.
• Compliance: Adhering to relevant industry standards and regulatory requirements (e.g., ISO 27001, SOC 2, HIPAA).

Cloud security is a shared responsibility model; the cloud provider handles the security ‘of’ the cloud, while the customer is responsible for security ‘in’ the cloud. Understanding this shared responsibility is critical for effectively securing your cloud environment.

Firewalls are essential for controlling network traffic and preventing unauthorized access. There are several types:

• Packet filtering firewalls: Inspect individual packets based on header information (IP address, port number, protocol). Simple and fast but can be easily bypassed.
• Stateful inspection firewalls: Track the state of network connections, allowing only expected return traffic. More secure than packet filtering.
• Application-level gateways: Inspect application-level data, providing more granular control and security. They are slower but more secure. They work at layer 7 of the OSI model.
• Next-Generation Firewalls (NGFWs): Combine features of multiple firewall types, including deep packet inspection, intrusion prevention, and application control. Offer comprehensive security but can be complex to manage.
• Cloud-based firewalls: Firewalls deployed in the cloud, offering scalability and flexibility. They may integrate with other cloud security services.

I have experience with all these types. The choice of firewall depends on the specific security requirements, budget, and technical expertise. NGFWs are increasingly popular due to their comprehensive security features, but simpler firewalls might be suitable for smaller networks with less stringent security needs.

Data encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) to protect its confidentiality. This protection applies both while the data is at rest (stored) and in transit (being transmitted).

Encryption at rest protects data stored on servers, databases, laptops, and other storage media. Think of it like locking a safe – the data is secured even if someone gains physical access to the safe. Common methods include encrypting hard drives using tools like BitLocker (Windows) or FileVault (macOS), and encrypting databases using techniques built into database management systems.

Encryption in transit secures data while it’s being transmitted across a network, such as over the internet or between servers. It’s like using a sealed envelope for sending a letter – the contents remain confidential during transportation. This is typically achieved using protocols like Transport Layer Security (TLS) or Secure Sockets Layer (SSL), which encrypt communication between web browsers and servers (HTTPS).

Example: A bank uses encryption at rest to protect customer financial data stored on their servers and encryption in transit to secure online banking transactions. If a hacker gains access to the server, they won’t be able to read the encrypted data. Similarly, if the online banking traffic is intercepted, the encrypted data will remain unreadable.

Security audits are systematic examinations of an organization’s security posture to identify vulnerabilities and weaknesses. Different types of audits focus on specific aspects of security:

• Vulnerability assessments: These audits scan systems and networks for known security flaws (like outdated software or misconfigurations) without actually attempting to exploit them. Think of it as a security checkup identifying potential problems.
• Penetration testing (ethical hacking): This involves simulating real-world attacks to identify exploitable vulnerabilities. This is like a security stress test pushing the boundaries to find weaknesses.
• Compliance audits: These audits ensure an organization adheres to specific security regulations and standards (like HIPAA, PCI DSS, GDPR). They are like a regulatory inspection verifying compliance.
• Internal audits: These audits are conducted by an organization’s internal security team and focus on evaluating its security controls and practices. It’s a self-assessment to pinpoint areas for improvement.
• Third-party audits: These are conducted by independent security experts to provide an unbiased assessment of an organization’s security. This is like getting a second opinion from an outside expert.

I have extensive experience in designing, developing, and delivering security awareness training programs. My approach emphasizes practical application and engaging content rather than just theoretical knowledge. I’ve worked with diverse teams, tailoring training to their specific roles and responsibilities. For example:

• I’ve developed phishing simulations to train employees to identify and report suspicious emails, tracking participation and effectiveness.
• I’ve created interactive modules covering topics like password hygiene, social engineering, and data security best practices using real-world examples.
• I’ve conducted presentations and workshops to build awareness on emerging threats and technologies.
• I’ve incorporated gamification and interactive scenarios into training to improve engagement and knowledge retention.

I also regularly assess the effectiveness of training through post-training assessments and feedback, making adjustments as needed. I believe effective training should be ongoing and adapt to evolving threat landscapes.

Prioritizing security vulnerabilities is crucial. I use a risk-based approach, considering factors like:

• Likelihood: How likely is the vulnerability to be exploited? Some vulnerabilities are easy to exploit, while others are highly technical.
• Impact: What would be the consequences if the vulnerability were exploited? This might include data breaches, system downtime, or financial losses.
• Exploitability: How easily can the vulnerability be exploited? Some vulnerabilities require advanced technical skills, while others can be exploited with simple tools.

I often use frameworks like the Common Vulnerability Scoring System (CVSS) which provides a standardized score for vulnerabilities. I then prioritize vulnerabilities based on their risk score, addressing the highest-risk ones first. I also consider the remediation effort required – some vulnerabilities are quick fixes, while others need extensive system changes.

Example: A vulnerability with a high likelihood of exploitation, high impact (e.g., data breach), and low exploitability will be a top priority. A vulnerability with a low likelihood, low impact, and high exploitability might be less urgent.

Social engineering is the art of manipulating individuals into divulging confidential information or performing actions that compromise security. Common techniques include:

• Phishing: Deceiving individuals into clicking malicious links or revealing credentials through emails or websites that mimic legitimate organizations.
• Baiting: Offering something tempting (e.g., a free gift card) to entice individuals to click on malicious links or download malware.
• Pretexting: Creating a believable scenario to trick individuals into revealing information (e.g., pretending to be from IT support).
• Quid pro quo: Offering a service or favor in exchange for information or access.
• Tailgating: Following someone through a secured entrance without proper authorization.

Example: A phishing email might appear to be from a bank, asking the recipient to update their account information by clicking on a malicious link. This link could lead to a fake website that steals the user’s login credentials.

Multi-factor authentication (MFA) is a security measure requiring users to provide multiple forms of authentication to verify their identity before granting access to a system or resource. It significantly enhances security by adding multiple layers of protection.

Typical factors include:

• Something you know: A password or PIN.
• Something you have: A security token, smartphone, or smart card.
• Something you are: Biometric authentication (fingerprint, facial recognition).

MFA works by requiring authentication using at least two of these factors. Even if an attacker obtains one factor (like a password), they won’t be able to access the system without the other(s).

Example: To access a bank account, a user might need to enter their password (something you know) and then verify their identity using a one-time code sent to their smartphone (something you have).

Effective data backup and recovery plans are crucial for business continuity. To ensure effectiveness, I follow these steps:

• Regular backups: Backups should be performed frequently, with the frequency determined by the criticality of the data and the acceptable data loss tolerance. This might involve daily, hourly, or even continuous backups.
• Multiple backup copies: Storing backups in multiple locations (e.g., on-site and off-site) protects against data loss due to physical disasters or ransomware attacks.
• Testing recovery processes: Regularly testing the recovery plan ensures it functions correctly and that the backups are valid. This could involve restoring data to a test environment.
• Versioning: Maintain multiple versions of backups to enable recovery to previous states if needed.
• Data immutability: For critical data, use immutable backups, which cannot be altered or deleted, safeguarding against ransomware attacks.
• Secure storage: Backups should be stored securely, using encryption to protect them from unauthorized access.
• Documented procedures: Clearly documented procedures guide staff through the backup and recovery process in case of an incident.

Regularly reviewing and updating the plan based on changing needs and vulnerabilities is paramount.

Blockchain technology, at its core, is a distributed, immutable ledger. Its security relies on cryptographic hashing, consensus mechanisms (like Proof-of-Work or Proof-of-Stake), and decentralization. My experience involves understanding these aspects and their implications for data integrity and confidentiality. For example, I’ve worked on projects assessing the security of blockchain implementations for supply chain management. We analyzed the risk of 51% attacks, where a malicious actor controls a majority of the network’s computing power to manipulate the blockchain. We also evaluated the security of smart contracts, highlighting vulnerabilities like reentrancy attacks, which could lead to significant financial losses. Furthermore, I’ve explored the use of blockchain for secure data storage, focusing on the trade-offs between decentralization, scalability, and performance. A key consideration is the security of the private keys used to access and manage blockchain assets – losing these keys could result in irretrievable data loss.

Physical security focuses on protecting physical assets from unauthorized access, theft, or damage. Think of things like security guards, surveillance cameras, locked doors, and fences. It’s about controlling the physical environment. Logical security, on the other hand, protects data and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. This involves measures like firewalls, intrusion detection systems, access control lists, and encryption. It’s about controlling access to digital assets. A simple analogy: physical security is like guarding a building, while logical security is like securing the data stored inside that building. For example, a strong physical security system could prevent a thief from stealing a server, but a weak logical security system could allow that thief to remotely access and compromise the data on that server even without physically touching it.

I’m very familiar with several security frameworks, including NIST Cybersecurity Framework and ISO 27001. NIST provides a flexible, adaptable approach to managing cybersecurity risk. I’ve used its guidelines to develop and implement risk management strategies in various contexts. ISO 27001, on the other hand, offers a comprehensive framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). I have experience conducting ISO 27001 audits and gap analyses, identifying areas where organizations need to strengthen their security controls. Understanding these frameworks allows me to approach security holistically, ensuring that controls are in place across people, processes, and technology. This is crucial for achieving a robust and effective security posture. For example, during a recent project, we mapped client requirements to the NIST CSF, allowing us to prioritize security controls based on their impact and likelihood.

My experience with IDS/IPS spans various deployments, from network-based systems to host-based solutions. I’ve worked with commercial products like Snort and Suricata, as well as open-source alternatives. Beyond simply deploying these systems, my expertise involves fine-tuning their configuration to minimize false positives while maximizing their effectiveness. A critical aspect is understanding the specific threats relevant to the environment being protected. Misconfiguration can lead to security blind spots or generate overwhelming alerts that are ignored. For instance, I once worked on a project where a poorly configured IDS was generating thousands of false alerts daily, effectively rendering it useless. By carefully analyzing the alert patterns and refining the rule sets, we significantly reduced the noise and improved the system’s ability to detect actual intrusions.

Threat modeling is a crucial part of my security process. I’ve used various methodologies, including STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and PASTA (Process for Attack Simulation and Threat Analysis). The process typically starts by defining the system’s scope and identifying potential threats based on the system’s architecture and functionality. This is followed by assessing the likelihood and impact of these threats. The goal is to proactively identify and mitigate vulnerabilities before they can be exploited. For example, I recently led a threat modeling exercise for a new e-commerce platform. We identified vulnerabilities related to insecure data storage, weak authentication mechanisms, and insufficient input validation. This allowed us to implement necessary security controls during the development phase, rather than having to deal with costly remediation after deployment.

Staying current in the ever-evolving landscape of security threats and vulnerabilities requires a multi-faceted approach. I regularly review security advisories from sources like the National Vulnerability Database (NVD) and CERT. I subscribe to security newsletters and follow industry experts on social media and various online forums. Attending conferences and workshops allows me to network with other professionals and learn about the latest threats and mitigation strategies. Active participation in online security communities and participating in Capture The Flag (CTF) events helps maintain practical hands-on skills. It’s vital to keep abreast of emerging threats like zero-day exploits and new attack vectors to proactively strengthen security measures.

In a previous role, we faced a significant data breach involving a third-party vendor. The vendor, responsible for managing our customer database, experienced a ransomware attack that exposed sensitive customer information. My immediate response involved coordinating with the vendor, internal IT, and legal teams to contain the breach. We implemented emergency patching, initiated a forensic investigation to determine the extent of the compromise, and worked on notifying affected customers. We also conducted a thorough review of our third-party risk management processes, implementing stricter security requirements for all future vendors, including penetration testing and regular vulnerability assessments. The experience highlighted the importance of robust vendor management and incident response planning. We learned valuable lessons about the cascading effects of a single breach and improved our ability to handle future incidents. This experience reinforced the need for proactive risk assessment and thorough due diligence in managing third-party relationships.