Certified in the Governance of Enterprise IT (CGEIT) — Question 143
Of the following, the BEST response to the absence of a data security breach notification by a service provider is to contractually require that:
Answer options
- A. security incidents identified by the provider be reported.
- B. security-related key performance indicators be included in all service level agreements.
- C. security incident information be shared only on a need-to-know basis.
- D. a registry of all security breaches be maintained by the service provider.
Correct answer: A
Explanation
The best response is to require that security incidents identified by the provider be reported, as this ensures timely awareness of any breaches. The other options may enhance security but do not specifically address the immediate need for notification of incidents, which is critical for timely response and mitigation.