Certified Information Security Manager (CISM) — Question 911
A finance department director has decided to outsource the organization's budget application and has identified potential providers. Which of the following actions should be initiated FIRST by the information security manager?
Answer options
- A. Determine the required security controls for the new solution.
- B. Obtain audit reports on the service providers’ hosting environment.
- C. Review the disaster recovery plans (DRPs) of the providers.
- D. Align the roles of the organization's and the service providers’ staffs.
Correct answer: A
Explanation
The correct action is to determine the required security controls for the new solution, as establishing security measures is essential before engaging with a vendor. Obtaining audit reports, reviewing disaster recovery plans, and aligning roles are important, but they should come after the necessary security controls for the outsourced application have been identified.