Before engaging outsourced providers, an information security manager should ensure that the organization’s
data classification requirements:
A.
are compatible with the provider’s own classification.
B.
are communicated to the provider.
C.
exceed those of the outsourcer.
D.
are stated in the contract.
Explanation:
The most effective mechanism to ensure that the organization’s security standards are met by a third party, would be a legal agreement. Choices A. B and C are acceptable options, but not as comprehensive or as binding as a legal contract.