Exam CISM topic 1 question 516 discussion

We cant review 4th party contrators. Usually an agreement is given to the thrid party saying the 4th party needs to comply.

How the hell is it A? Since when you can monitor 3rd party companies let alone their contractors? I think C here

A. Perform periodic security assessments of the contractors' activities.

Option A

Performing periodic security assessments of the contractors' activities would provide the BEST assurance that the third party's contract programmers comply with the organization's security policies. This approach will enable the organization to evaluate the security controls and procedures implemented by the third-party and assess their effectiveness in complying with the organization's security policies. By conducting security assessments, the organization will be able to identify any vulnerabilities, gaps, or weaknesses in the third-party's security posture and recommend remediation measures. This will help to ensure that the third-party's contract programmers comply with the organization's security policies and that the organization's information assets are adequately protected.

A. Perform periodic security assessments of the contractors' activities would provide the best assurance that the third party's contract programmers comply with the organization's security policies. This is because security assessments involve a thorough review of the contractors' activities, including their development processes, tools and methodologies, as well as the security controls they have implemented. This will allow the organization to identify any potential vulnerabilities or noncompliance issues and address them proactively. While the other options such as conducting periodic vulnerability scans, requiring annual signed agreements, and including penalties for noncompliance in the contracting agreement, are also important and can help to ensure compliance, they are not as comprehensive as security assessments, and may not provide the same level of assurance.