Which of the following is the MOST appropriate action to take?

A bank has just outsourced the security department to a consulting firm, but retained the security
architecture group. A few months into the contract the bank discovers that the consulting firm has
sub-contracted some of the security functions to another provider. Management is pressuring the
sourcing manager to ensure adequate protections are in place to insulate the bank from legal and
service exposures. Which of the following is the MOST appropriate action to take?

A bank has just outsourced the security department to a consulting firm, but retained the security
architecture group. A few months into the contract the bank discovers that the consulting firm has
sub-contracted some of the security functions to another provider. Management is pressuring the
sourcing manager to ensure adequate protections are in place to insulate the bank from legal and
service exposures. Which of the following is the MOST appropriate action to take?

A.
Directly establish another separate service contract with the sub-contractor to limit the risk
exposure and legal implications.

B.
Ensure the consulting firm has service agreements with the sub-contractor; if the agreement
does not exist, exit the contract when possible.

C.
Log it as a risk in the business risk register and pass the risk to the consulting firm for
acceptance and responsibility.

D.
Terminate the contract immediately and bring the security department in-house again to reduce
legal and regulatory exposure.



Leave a Reply 0

Your email address will not be published. Required fields are marked *