Certified Information Security Manager (CISM) — Question 428
An organization that conducts business globally is planning to utilize a third-party service provider to process payroll information. Which of the following issues poses the GREATEST risk to the organization?
Answer options
- A. The third party has not provided evidence of compliance with local regulations where data is generated.
- B. The third party does not have an independent assessment of controls available for review.
- C. The third party’s service level agreement (SLA) does not include guarantees of uptime.
- D. The third-party contract does not include an indemnity clause for compensation in the event of a breach.
Correct answer: A
Explanation
The greatest risk to the organization arises from the third party's lack of evidence of compliance with local regulations in the jurisdictions where payroll data is generated, since regulatory non-compliance can lead to legal penalties and reputational damage. While the absence of an independent assessment of controls (option B) and the missing uptime guarantees in the SLA (option C) are concerns, they do not pose as significant a risk as regulatory non-compliance. Similarly, the lack of an indemnity clause (option D) is important but primarily addresses financial repercussions after a breach rather than legal compliance.