The organization should ensure that the third party’s physical security controls are in place so that they