CISSP · Question #897
A security professional determines that a number of outsourcing contracts inherited from a previous merger do not adhere to the current security requirements. Which of the following BEST minimizes the
The correct answer is C. Verify all contracts before a merger occurs. This question tests knowledge of third-party risk management and due diligence practices during mergers and acquisitions. Proactive contract review before a merger is the most effective way to prevent inheriting non-compliant vendor agreements.
Question
Options
- ADefine additional security controls directly after the merger
- BInclude a procurement officer in the merger team
- CVerify all contracts before a merger occurs
- DAssign a compliancy officer to review the merger conditions
How the community answered
(62 responses)- A5% (3)
- B8% (5)
- C68% (42)
- D19% (12)
Why each option
This question tests knowledge of third-party risk management and due diligence practices during mergers and acquisitions. Proactive contract review before a merger is the most effective way to prevent inheriting non-compliant vendor agreements.
Defining additional security controls after the merger is a reactive measure that does not prevent the inheritance of non-compliant contracts, as the organization is already legally bound by those agreements at that point.
Including a procurement officer addresses purchasing processes going forward but does not specifically ensure that existing inherited contracts are reviewed for security compliance before the merger is completed.
Verifying all contracts before a merger occurs is the most effective preventive control because it allows the security team to identify non-compliant outsourcing agreements during due diligence, before those contracts and their associated risks are legally inherited. This proactive approach enables the organization to renegotiate, terminate, or accept risk on problematic contracts prior to the merger being finalized, directly addressing the root cause of the problem described.
Assigning a compliance officer to review merger conditions is a broader administrative role that may not focus specifically on vetting individual outsourcing contracts for security requirement adherence prior to the merger.
Concept tested: Third-party risk management and merger due diligence
Source: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.