Which of the following should be an IS auditor’s PRIMARY concern when evaluating an organization’s information security policies, procedures, and controls for third-party vendors?
A. The third-party vendors have their own information security requirements.
B. The organization is still responsible for protecting the data.
C. Noncompliance is easily detected.
D. The same procedures and controls are used for all third-party vendors.
A. The third-party vendors have their own information security requirements.
B. The organization is still responsible for protecting the data.
C. Noncompliance is easily detected.
D. The same procedures and controls are used for all third-party vendors.