What should an organization do before providing an external agency physical access to its
information processing facilities (IPFs)?

A.
The processes of the external agency should be subjected to an IS audit by an independent agency.

B.
Employees of the external agency should be trained on the security procedures of the organization.

C.
Any access by an external agency should be limited to the demilitarized zone (DMZ).

D.
The organization should conduct a risk assessment and design and implement appropriate controls.

Explanation:
Physical access of information processing facilities (IPFs) by an external agency introduces
additional threats into an organization. Therefore, a risk assessment should be conducted and
controls designed accordingly. The processes of the external agency are not of concern here. It is
the agency’s interaction with the organization that needs to be protected. Auditing their processes
would not be relevant in this scenario. Training the employees of the external agency may be one
control procedure, but could be performed after access has been granted. Sometimes an external
agency may require access to the processing facilities beyond the demilitarized zone (DMZ). For
example, an agency which undertakes maintenance of servers may require access to the main
server room. Restricting access within the DMZ will not serve the purpose.