When it comes to cyber incident management of third-party risks, enterprise security professionals can follow a simplified task list to cover their bases by answering the questions "who, what, where, when, why and how."