An organization plans to contract with an outside service provider to host its corporate web site. The MOST important concern for the information security manager is to ensure that:

A.
an audit of the service provider uncovers no significant weakness.

B.
the contract includes a nondisclosure agreement (NDA) to protect the organization’s intellectual property.

C.
the contract should mandate that the service provider will comply with security policies.

D.
the third-party service provider conducts regular penetration testing.

Explanation:
It is critical to include the security requirements in the contract based on the company’s security policy to ensure that the necessary security controls are implemented by the service provider. The audit is normally a one-time effort and cannot provide ongoing assurance of the security. A nondisclosure agreement (NDA) should be part of the contract; however, it is not critical to the security of the web site. Penetration testing alone would not provide total security to the web site; there are lots of controls that cannot be tested through penetration testing.