An information security manager is assisting in the development of the request for proposal (RFP) for a new outsourced service. This will require the third party to have access to critical business information. The security manager should focus PRIMARILY on defining:
A. security metrics
B. service level agreements (SLAs)
C. risk-reporting methodologies
D. security requirements for the process being outsourced
Correct Answer: ?????????????
____________________
■ Answer A (security metrics) is believed to be the correct one (but often they are not)
■ But I do not believe that answer is the correct one
■ I am undecided on 2 answers:
1) A. Service Level Agreements (SLAs): defines the level of service you expect from a vendor, laying out the "metrics" by which service is measured
2) D. Security Requirements for the process being outsourced: Since the process is at the RFP step, the information security manager should focus on security requirements
■ Please enter an explanation of why that answer is correct and why the others are not.
Many Thanks!
Hi
In my view, the answer should be "security requirements for the process being outsourced".
Reason:
The purpose of the Information Security Manager assisting with the RFP for a new outsourced project is, of course, the security of data, nothing else. As we know, the job of a Security Manager is to oversee and control all aspects of computer security in a business. The job entails planning and carrying out security measures that will protect a business’s data and information from deliberate attack and unauthorised access.
He will assess all the security measures and make sure that there is no lack of security for the data/information.
He will assist with:
- Assessing the risks to computer systems and planning to minimise possible threats
- Ensuring that international and national network security standards are met
- Preparing technical documentation and reports
The company would also be expected to take care of the security aspect of the system by working closely with security managers on the overall security strategy of the business.
Why other options could be wrong:
1. Service level agreements (SLAs): your stated reason seems to be correct, as the security manager mainly does not have any role in this.
2. Risk-reporting methodologies: it's about contents, what should or should not be included in a report. No relation with ISM.
Thanks