Certified Information Security Manager (CISM) — Question 551

An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:

Answer options

• A. security requirements for the process being outsourced
• B. risk-reporting methodologies
• C. service level agreements (SLAs)
• D. security metrics

Correct answer: A

Explanation

The correct answer is A because establishing security requirements is critical when a third party will access sensitive information. While risk-reporting methodologies, SLAs, and security metrics are important, they are secondary to ensuring that the security measures are clearly defined for the outsourced process.