Certified Information Security Manager (CISM) — Question 80
What would be an information security manager's BEST recommendation upon learning that an existing contract with a third party does not clearly identify requirements for safeguarding the organization's critical data?
Answer options
- A. Cancel the outsourcing contract.
- B. Transfer the risk to the provider.
- C. Create an addendum to the existing contract.
- D. Initiate an external audit of the provider's data center.
Correct answer: C
Explanation
The best course of action is to create an addendum to the existing contract, because an addendum lets the organization state its data protection requirements explicitly without severing the relationship. Cancelling the contract could disrupt services; transferring the risk to the provider does not by itself ensure the data is adequately protected; and an external audit of the data center, while useful, assesses the provider's controls rather than correcting the contract's missing requirements.