Certified in the Governance of Enterprise IT (CGEIT) — Question 357
An enterprise is planning to outsource data processing for personally identifiable information (PII). When is the MOST appropriate time to define the requirements for security and privacy of information?
Answer options
- A. During the initial vendor selection process
- B. After an assessment of the current information architecture
- C. When issuing requests for proposals (RFPs)
- D. When developing service level agreements (SLAs)
Correct answer: B
Explanation
Defining requirements for security and privacy is most effectively done after assessing the current information architecture, because that assessment shows how PII is currently handled, where it flows, and which existing controls are weak. Selecting a vendor or issuing RFPs before this assessment risks misaligned expectations and inadequate security measures, and developing SLAs without it may leave PII insufficiently protected.