CAS-001 Question #170: Real Exam Question with Answer & Explanation

The correct answer is C: Ensure there are security controls within the contract and the right to audit. When outsourcing sensitive data handling to a third party, the most critical requirement is ensuring the contract mandates security controls and grants the right to audit compliance.

Question

(CRM) and marketing / leads management to Company XYZ. Which of the following is the MOST important to be considered before going ahead with the service?

Options

  • A. Internal auditors have approved the outsourcing arrangement.
  • B. Penetration testing can be performed on the externally facing web system.
  • C. Ensure there are security controls within the contract and the right to audit.
  • D. A physical site audit is performed on Company XYZ's management / operation.

Explanation

When outsourcing sensitive data handling to a third party, the most critical requirement is ensuring the contract mandates security controls and grants the right to audit compliance.

Common mistakes.

  • A. Internal auditor approval is a governance step that may be required procedurally, but it does not by itself ensure the third party maintains adequate security controls over sensitive data.
  • B. The ability to perform penetration testing on the external web system is a useful security assurance activity but is secondary to having contractual security obligations and audit rights in place.
  • D. A physical site audit provides a point-in-time assessment of the vendor's operations but is less comprehensive and less continuously enforceable than contractual security controls with ongoing audit rights.

Concept tested. Third-party vendor risk management and contractual security controls.

Reference. https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
