Certified Information Security Manager (CISM) — Question 29
A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?
Answer options
- A. Escrow of software code with conditions for code release
- B. Right of the subscriber to conduct onsite audits of the vendor
- C. Authority of the subscriber to approve access to its data
- D. Commingling of subscribers' data on the same physical server
Correct answer: C
Explanation
The authority of the subscriber to approve access to its data is crucial for maintaining control over sensitive information. Without this clause, the organization risks unauthorized access to its data by the vendor or other parties. The other options, while important, do not directly address immediate control over data access, which is a primary concern for security management.