Defining Security Requirements for Outsourced Services

Defining Security Requirements


Question

An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service.

This will require the third party to have access to critical business information.

The security manager should focus PRIMARILY on defining:

Answers

Explanations


C.

The primary concern of the information security manager in assisting with the development of a request for proposal (RFP) for a new outsourced service, particularly one that requires third-party access to critical business information, should be to define security requirements for the process being outsourced.

Option A is the correct answer because the security requirements must be clearly defined in the RFP so that the third party understands, and is capable of meeting, the organization's security expectations. This keeps the outsourced service secure and preserves the confidentiality, integrity, and availability of the critical business information. The security requirements should include the policies, procedures, standards, and guidelines the third party must follow when accessing, processing, storing, and transmitting the critical business information.

Option B, security metrics, may be useful for measuring and reporting the effectiveness of the security controls implemented by the third party, but these metrics should be defined as part of the security requirements in the RFP.

Option C, service level agreements (SLAs): SLAs are essential to ensure that the outsourced service meets the organization's performance, availability, and reliability expectations. However, the security requirements should be defined before the SLAs, so that the third party's ability to meet the organization's security expectations is established first.

Option D, risk-reporting methodologies, may be useful for monitoring and reporting on the risks associated with the outsourced service, but they should be defined as part of the security requirements in the RFP.