An organization has decided to reduce labor costs by outsourcing back office processing of credit
applications to a provider located in another country. Data sovereignty and privacy concerns
raised by the security team resulted in the third-party provider only accessing and processing the
data via remote desktop sessions. To facilitate communications and improve productivity, staff at
the third party has been provided with corporate email accounts that are only accessible via the
remote desktop sessions. Email forwarding is blocked and staff at the third party can only
communicate with staff within the organization. Which of the following additional controls should
be implemented to prevent data loss? (Select THREE).

A.
Implement hashing of data in transit

B.
Session recording and capture

C.
Disable cross session cut and paste

D.
Monitor approved credit accounts

E.
User access audit reviews

F.
Source IP whitelisting