CGEIT Certified in the Governance of Enterprise IT – Question288

An enterprise is planning to outsource data processing for personally identifiable information (PII). When is the MOST appropriate time to define the requirements for security and privacy of information?

A.
During the initial vendor selection process
B. After an assessment of the current information architecture
C. When issuing requests for proposals (RFPs)
D. When developing service level agreements (SLAs)

Correct Answer: B