ExamTopics Logo
Mail Us[email protected]
Menu
Isc Discussions
exam questions

Exam CISSP All Questions

View all questions & answers for the CISSP exam
Go to Exam

Exam CISSP topic 1 question 112 discussion

Actual exam question from ISC's CISSP
Question #: 112
Topic #: 1
[All CISSP Questions]

An international trading organization that holds an International Organization for Standardization (ISO) 27001 certification is seeking to outsource their security monitoring to a managed security service provider (MSSP). The trading organization's security officer is tasked with drafting the requirements that need to be included in the outsourcing contract. Which of the following MUST be included in the contract?

  • A. A detailed overview of all equipment involved in the outsourcing contract
  • B. The right to perform security compliance tests on the MSSP's equipment
  • C. The MSSP having an executive manager responsible for information security
  • D. The right to audit the MSSP's security process
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by stickerbush1970 at Sept. 25, 2022, 4:32 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
stickerbush1970
Highly Voted 2 years ago
Selected Answer: D
Would need permission to audit, going with D
upvoted 8 times
jackdryan
1 year, 5 months ago
D is correct
upvoted 1 times
...
...
giovi
Highly Voted 2 years ago
Good equipments without good internal policies would result a bad deal. I'd say D
upvoted 6 times
...
Dtony66
Most Recent 5 months, 2 weeks ago
D. How can you verify what the hardware is if you cannot audit? A makes no sense.
upvoted 2 times
...
YesPlease
10 months, 1 week ago
Selected Answer: C
Answer C) The MSSP having an executive manager responsible for information security ISO 27001 and GDPR require an executive level person to be responsible for Information Security The 5th clause of ISO 27001 is titled "Management Responsibility". This clause requires organizations to demonstrate leadership and commitment to information security. It also requires organizations to appoint a management representative to oversee the implementation and maintenance of the ISMS.
upvoted 1 times
J_Ko
2 weeks, 5 days ago
However, the question does not state that the MSSP has any form of certification. So it would be up to the customer org (which does have ISO27001) to verify how good those MSSP's are (due diligence). I vote for D within those constraints.
upvoted 1 times
...
...
PeteyPete
1 year, 3 months ago
D sounds appropriate.
upvoted 1 times
...
Alex71
1 year, 7 months ago
Selected Answer: D
. The right to audit the MSSP's security process should be included in the outsourcing contract. This allows the organization to verify that the MSSP is meeting the requirements set out in the contract and is providing the level of service that has been agreed upon. The organization should also ensure that the contract includes provisions for reporting on security incidents and breach notifications. While including an overview of equipment and having an executive manager responsible for information security are important considerations, they are not as critical as the right to audit the MSSP's security process.
upvoted 4 times
...
Gu321
1 year, 7 months ago
gimme that big D
upvoted 1 times
...
Firedragon
1 year, 11 months ago
Selected Answer: D
D. There is requirement for MSSP to conduct a security audit but no detailed overview of all equipment. https://resources.sei.cmu.edu/asset_files/securityimprovementmodule/2003_006_001_14105.pdf IE3: Identify the third party organization(s) responsible for conducting your latest security risk evaluation, security audit, and vulnerability assessment. Describe how often this is done and how it is performed. Include the most recent results and the date of these results.
upvoted 1 times
...
rootic
1 year, 11 months ago
Selected Answer: D
Definetely D.
upvoted 1 times
...
jsnow2258
2 years ago
Selected Answer: D
I am also voting for D. It is common that MSSP would not allow access to hardware, etc, but indirect evidence of that via 3rd party auditor, that is common, acceptable and reasonable to ask.
upvoted 4 times
...
JAckThePip
2 years ago
Answer is Correct First which and how are the servers and then the policies https://www.csoonline.com/article/2118687/guidelines-for-choosing-to-outsource-security-management.html
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago