CISSP Exam Questions

CISSP Exam - Question 112


An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security service provider (MSSP). The trading organization's security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract?

Correct Answer: D

When outsourcing security monitoring to an MSSP, it is crucial to include the right to audit the MSSP's security process in the contract. This ensures that the trading organization can verify that the MSSP is complying with the required security standards and adequately protecting sensitive information. Auditing allows for an independent assessment of the MSSP’s compliance and effectiveness in managing security risks, which is essential for maintaining the integrity and security of the organization’s operations.

Discussion

11 comments
stickerbush1970 (Option: D)
Mar 25, 2023

Would need permission to audit, going with D

jackdryan
Nov 12, 2023

D is correct

giovi
Mar 29, 2023

Good equipment without good internal policies would result in a bad deal. I'd say D.

JAckThePip
Apr 3, 2023

Answer is correct. First, which and how are the servers, and then the policies. https://www.csoonline.com/article/2118687/guidelines-for-choosing-to-outsource-security-management.html

jsnow2258 (Option: D)
Apr 13, 2023

I am also voting for D. It is common that an MSSP would not allow access to hardware, etc., but indirect evidence of that via a 3rd-party auditor is common, acceptable and reasonable to ask for.

Alex71 (Option: D)
Aug 27, 2023

The right to audit the MSSP's security process should be included in the outsourcing contract. This allows the organization to verify that the MSSP is meeting the requirements set out in the contract and is providing the level of service that has been agreed upon. The organization should also ensure that the contract includes provisions for reporting on security incidents and breach notifications. While including an overview of equipment and having an executive manager responsible for information security are important considerations, they are not as critical as the right to audit the MSSP's security process.

Dtony66
Nov 3, 2024

D. How can you verify what the hardware is if you cannot audit? A makes no sense.

rootic (Option: D)
Apr 28, 2023

Definitely D.

Firedragon (Option: D)
May 14, 2023

D. There is a requirement for the MSSP to conduct a security audit, but no detailed overview of all equipment. https://resources.sei.cmu.edu/asset_files/securityimprovementmodule/2003_006_001_14105.pdf IE3: "Identify the third party organization(s) responsible for conducting your latest security risk evaluation, security audit, and vulnerability assessment. Describe how often this is done and how it is performed. Include the most recent results and the date of these results."

Gu321
Aug 24, 2023

gimme that big D

PeteyPete
Jan 14, 2024

D sounds appropriate.

YesPlease (Option: C)
Jun 11, 2024

Answer C) The MSSP having an executive manager responsible for information security. ISO 27001 and GDPR require an executive-level person to be responsible for information security. The 5th clause of ISO 27001 is titled "Management Responsibility". This clause requires organizations to demonstrate leadership and commitment to information security. It also requires organizations to appoint a management representative to oversee the implementation and maintenance of the ISMS.

J_Ko
Mar 29, 2025

However, the question does not state that the MSSP has any form of certification. So it would be up to the customer org (which does have ISO 27001) to verify how good those MSSPs are (due diligence). I vote for D within those constraints.