An external cloud service provider has been chosen by a financial company to deliver some
capabilities that used to be performed in-house. Which of the following would give the
financial company the BEST coverage by way of continually asserting that the service
provider is maintaining an acceptable security posture?
A. Perform a penetration test every 6 to 12 months and mandate that any unacceptably high
issues or risks are mitigated.
B. Perform a risk assessment annually and mandate that any unacceptably high risks are
mitigated.
C. Define required security service levels, agree on security evaluation criteria, and perform
regular compliance checks based on the service levels and evaluation criteria.
D. Ensure that the service provider aligns to an industry standard, such as the ISO 27000 series
or another regulatory compliance framework, and request that they self-monitor annually.