Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

28-AA: Asset Support

This section evaluates how your organization supports and maintains IT assets once they are in use.

The questions focus on whether you have defined processes for troubleshooting, patching, and updating systems; how you manage vendor support contracts and warranties; and how incidents or defects related to specific assets are tracked and resolved.

Overall, this section confirms that assets are not only deployed securely, but also properly supported over time so they remain functional, up to date, and aligned with security and operational requirements.

Explanation: Understanding the troubleshooting tools helps assess their security features, compatibility, and compliance with organizational policies. This also ensures the tools do not introduce vulnerabilities or data breaches during support sessions.

Risks of Incorrect Answer: Usage of insecure or unverified tools could result in data leakage or unauthorized access.

Lack of appropriate tools might lead to inefficiencies or extended downtime during troubleshooting.

Applicable Frameworks: NIST CSF (ID.AM-4): Understanding technology assets in use.

ISO 27001 (A.12.5.1): Secure system operation tools.

Explanation: Knowing the licensing and source of the tool ensures it is supported, updated, and free from unverified modifications that could pose security risks.

Risks of Incorrect Answer: Open-source or free tools without regular updates may introduce vulnerabilities.

Lack of support in case of a breach or technical issue could lead to downtime.

Applicable Frameworks: NIST CSF (PR.DS-6): Securing technology components.

ISO 27001 (A.15.1.1): Security of third-party services.

Explanation: Positive acknowledgment ensures the CSR's consent is obtained before a remote session, mitigating the risk of unauthorized access or misuse.

Risks of Incorrect Answer: Remote access without consent can lead to breaches or data tampering.

Violates user privacy and might result in non-compliance with regulatory frameworks.

Applicable Frameworks: NIST CSF (PR.AC-3): Ensuring access control and consent.

ISO 27001 (A.9.4.1): Restricting system access to authorized personnel.

Explanation: An automated and secure password reset process prevents unauthorized password changes and ensures the CSR’s identity is verified effectively during remote resets.

Risks of Incorrect Answer: Manual processes without robust verification could lead to impersonation or social engineering attacks.

Unsecured password resets can result in account takeovers and data breaches.

Applicable Frameworks: NIST CSF (PR.AC-1): Identification and authentication controls.

PCI DSS (8.1.7): Identity validation for non-face-to-face processes.

Explanation: Regular patching ensures that vulnerabilities are addressed promptly, reducing the risk of exploitation by malicious actors.

Risks of Incorrect Answer: Unpatched systems are susceptible to known exploits and malware.

Non-compliance with regulatory requirements for maintaining secure systems.

Applicable Frameworks: NIST CSF (PR.IP-12): Maintenance and patch management.

ISO 27001 (A.12.6.1): Managing technical vulnerabilities.

HIPAA: Ensuring secure system configurations.

THANK YOU.

You have completed the Asset Support portion of the vendor assessment.


Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.


© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.