Which of the following would provide the BEST amount of coverage to the financial company by way of continually asserting…?

An external cloud service provider has been chosen by a financial company to deliver some
capabilities that used to be performed in-house. Which of the following would provide the BEST
amount of coverage to the financial company by way of continually asserting that there is an
acceptable security posture being achieved by the service provider?

A.
Define required security service levels, agree on security evaluation criteria, and perform regular
compliance checks based on the service levels and evaluation criteria.

B.
Perform a penetration test every 6 to 12 months and mandate that any unacceptably high issues
or risks are mitigated.

C.
Perform a risk assessment annually and mandate that any unacceptably high risks are mitigated.

D.
Ensure that the service provider aligns to an industry standard, such as ISO 27000 series or
another regulatory compliance framework and request that they self-monitor annually.


