Certified in Risk and Information Systems Control (CRISC) — Question 1196
Which of the following would present the GREATEST risk when outsourcing the data processing of personally identifiable information (PII) to a vendor with subcontractors?
Answer options
- A. The vendor's service level agreements (SLAs) are not defined.
- B. There have been no recent onsite visits to the vendor.
- C. The vendor does not have a third-party risk management program.
- D. The contract lacks a right-to-audit clause.
Correct answer: C
Explanation
The absence of a third-party risk management program (option C) is the most significant risk because it indicates that the vendor may not adequately assess or mitigate the risks introduced by the subcontractors that handle PII on its behalf. Without such a program, gaps in the subcontractors' protection of PII may go unidentified and unaddressed. The other options, while important, concern the vendor itself and do not directly address how the risks posed by subcontractors handling sensitive information are managed.