PrepAway - Latest Free Exam Questions & Answers


What should an organization do before providing an external agency physical access to its
information processing facilities (IPFs)?


A. The processes of the external agency should be subjected to an IS audit by an independent agency.

B. Employees of the external agency should be trained on the security procedures of the organization.

C. Any access by an external agency should be limited to the demilitarized zone (DMZ).

D. The organization should conduct a risk assessment and design and implement appropriate controls.

Explanation:
Physical access to information processing facilities (IPFs) by an external agency introduces additional
threats into an organization. Therefore, a risk assessment should be conducted and controls
designed accordingly. The processes of the external agency are not of concern here. It is the agency’s
interaction with the organization that needs to be protected. Auditing their processes would not be
relevant in this scenario. Training the employees of the external agency may be one control
procedure, but could be performed after access has been granted. Sometimes an external agency
may require access to the processing facilities beyond the demilitarized zone (DMZ). For example, an
agency which undertakes maintenance of servers may require access to the main server room.
Restricting access within the DMZ will not serve the purpose.

