The organization has decided to outsource the majority of the IT department with a vendor that is
hosting servers in a foreign country. Of the following, which is the MOST critical security
consideration?

A.
Laws and regulations of the country of origin may not be enforceable in the foreign country.

B.
A security breach notification might get delayed due to the time difference.

C.
Additional network intrusion detection sensors should be installed, resulting in an additional
cost.

D.
The company could lose physical control over the server and be unable to monitor the physical
security posture of the servers.

Explanation:

A company is held to the local laws and regulations of the country in which the company resides,
even if the company decides to place servers with a vendor that hosts the servers in a foreign
country. A potential violation of local laws applicable to the company might not be recognized or
rectified (i.e., prosecuted) due to the lack of knowledge of the local laws that are applicable and
the inability to enforce the laws. Option B is not a problem. Time difference does not play a role in
a 24/7 environment. Pagers, cellular phones, telephones, etc. are usually available to
communicate notifications. Option C is a manageable problem that requires additional funding, but

can be addressed. Option D is a problem that can be addressed. Most hosting providers have
standardized the level of physical security that is in place. Regular physical audits or a SAS 70
report can address such concerns.