Which of the following is the MOST critical activity to ensure the ongoing security of outsourced IT services?
A.
Provide security awareness training to the third-party provider’s employees
B.
Conduct regular security reviews of the third-party provider
C.
Include security requirements in the service contract
D.
Request that the third-party provider comply with the organization’s information security policy
Explanation:
Regular security audits and reviews of the practices of the provider to prevent potential information security damage will help verify the security of outsourced services. Depending on the type of services outsourced,
security awareness may not be necessary. Security requirements should be included in the contract, but what is most important is verifying that the requirements are met by the provider. It is not necessary to require the provider to fully comply with the policy if only some of the policy is related and applicable.