Certified Information Systems Auditor (CISA) — Question 1079
An IS auditor is reviewing the contract for a customer relationship management (CRM) system containing personally identifiable information (PII) hosted by a third party. The absence of which of the following would be the GREATEST concern regarding the contract?
Answer options
- A. Right-to-audit clause
- B. Service level agreements (SLAs)
- C. System availability requirements
- D. Confidentiality terms
Correct answer: D
Explanation
The absence of confidentiality terms is the greatest concern because it directly impacts the protection of personally identifiable information (PII). Without these terms, there is a risk that sensitive information could be disclosed or misused. The other options, while important, do not address the safeguarding of confidential data as directly as confidentiality terms do.