The service level agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection.
In this situation an information security manager should:
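A. Ensure the provider is made liable for losses.
B. Recommend not renewing the contract upon expiration.
C. Recommend the immediate termination of the contract.
D. Determine the current level of security.
Correct answer: D.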
It is important to ensure that adequate levels of protection are written into service level agreements (SLAs) and other outsourcing contracts.
Before making any recommendation or taking any action, information must be obtained from the outsource provider to determine how it is securing information assets, in order to support management decision making.
Choice A is not acceptable in most situations and therefore not a good answer.
When the Service Level Agreement (SLA) for an outsourced IT function does not reflect an adequate level of protection, the information security manager needs to take appropriate actions to address the issue. Here are some options:
A. Ensure the provider is made liable for losses. This is not a recommended course of action as it may lead to legal disputes and may not necessarily improve the security posture of the organization. Moreover, making the provider liable for losses may not be feasible under the terms of the SLA.
B. Recommend not renewing the contract upon expiration. This is a reasonable option if the organization can afford to terminate the contract and find an alternative provider who can meet the required level of protection. However, this may not be feasible if the organization has a long-term commitment with the provider or if the provider is the only option available in the market.
C. Recommend the immediate termination of the contract. This is an extreme option and should only be considered if there are serious security breaches or if the provider is unwilling to improve the security posture. Termination of the contract may have legal and financial implications, and it is important to carefully consider the consequences before taking this step.
D. Determine the current level of security. This is a recommended first step before taking any action. The information security manager should conduct a risk assessment to determine the current level of security and identify any gaps that need to be addressed. Based on the assessment, the manager can then work with the provider to improve the security posture and negotiate a revised SLA that reflects the required level of protection.
In conclusion, the best course of action for an information security manager when the SLA for an outsourced IT function does not reflect an adequate level of protection is to determine the current level of security, identify gaps, and work with the provider to improve the security posture and negotiate a revised SLA. Depending on the severity of the situation, the manager may also consider not renewing the contract or recommending termination, but these options should be carefully considered and only taken as a last resort.