Certified Information Security Manager (CISM) — Question 320
An organization has outsourced many application development activities to a third party that uses contract programmers extensively. Which of the following would provide the BEST assurance that the third party's contract programmers comply with the organization's security policies?
Answer options
- A. Perform periodic security assessments of the contractors' activities.
- B. Conduct periodic vulnerability scans of the application.
- C. Require annual signed agreements of adherence to security policies.
- D. Include penalties for noncompliance in the contracting agreement.
Correct answer: A
Explanation
Performing periodic security assessments of the contractors' activities allows direct evaluation of whether the contract programmers actually comply with the organization's security policies, making it the most effective measure. Vulnerability scans and signed agreements are useful but offer less assurance: a scan only reveals weaknesses in the resulting application, not whether the programmers followed policy, and a signed agreement only records a commitment to comply. Penalties for noncompliance may deter violations, but they do not by themselves verify adherence to security policies in practice.