CompTIA SecurityX (CAS-005) — Question 103
A global organization is reviewing potential vendors to outsource a critical payroll function. Each vendor's plan includes using local resources in multiple regions to ensure compliance with all regulations. The organization's Chief Information Security Officer is conducting a risk assessment on the potential outsourcing vendors' subprocessors. Which of the following best explains the need for this risk assessment?
Answer options
- A. Risk mitigations must be more comprehensive than the existing payroll provider.
- B. Due care must be exercised during all procurement activities.
- C. The responsibility of protecting PII remains with the organization.
- D. Specific regulatory requirements must be met in each jurisdiction.
Correct answer: C
Explanation
The correct answer is C. Outsourcing a function does not outsource accountability: the organization remains the owner of the employee PII processed by the payroll vendor, and that accountability extends through every subprocessor the vendor relies on, including the local resources in each region. This is why the CISO must assess the subprocessors directly rather than relying only on the primary vendor's assurances. Option A is a comparison against the existing provider, which is not what drives a subprocessor assessment. Option B (due care in procurement) is true in general but does not explain why subprocessors specifically must be reviewed. Option D describes a compliance concern that the vendors' plans already claim to address by using local resources in each jurisdiction; meeting local regulations does not relieve the organization of its own responsibility for the PII.