Which activity assesses risks associated with external software providers?

Multiple Choice

Which activity assesses risks associated with external software providers?

Explanation:
Assessing risk from external software providers is about third‑party risk management. A vendor risk assessment systematically looks at a provider’s security controls, data handling practices, access management, regulatory compliance, and business continuity, as well as any subcontractors they rely on. It helps determine how outsourcing software or services could affect your organization and what mitigations, contract terms, or ongoing monitoring are needed. Data classification focuses on labeling information by sensitivity, which guides protection within your own environment but doesn’t evaluate a supplier’s risk. Incident response deals with how you detect and react to security incidents, not with evaluating external providers. Log management involves collecting and analyzing logs for monitoring and forensics, not assessing vendor risk. So, evaluating risks associated with external software providers is addressed most directly by a vendor risk assessment.
