Which of the following is the MOST important reason for an information security review of
contracts? To help ensure that:

A.
the parties to the agreement can perform.

B.
confidential data are not included in the agreement.

C.
appropriate controls are included.

D.
the right to audit is a requirement.

Explanation:

Agreements with external parties can expose an organization to information security risks that
must be assessed and appropriately mitigated. The ability of the parties to perform is normally the
responsibility of legal and the business operation involved. Confidential information may be in the
agreement by necessity and. while the information security manager can advise and provide
approaches to protect the information, the responsibility rests with the business and legal. Audit
rights may be one of many possible controls to include in a third-party agreement, but is not
necessarily a contract requirement, depending on the nature of the agreement.