CRISC Certified in Risk and Information Systems Control – Question 273

Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are in a foreign country?

A. A security breach notification may get delayed due to the time difference
B. The enterprise may not be able to monitor compliance with its internal security and privacy guidelines
C. Laws and regulations of the country of origin may not be enforceable in the foreign country
D. Additional network intrusion detection sensors should be installed, resulting in additional cost

Correct Answer: C

Explanation:
Laws and regulations of the country of origin may not be enforceable in the foreign country; conversely, the laws and regulations of the foreign outsourcer may also impact the enterprise. Hence, a violation of applicable laws may not be recognized or rectified due to lack of knowledge of the local laws.
Incorrect Answers:
A: Security breach notification is not a problem, and the time difference does not play any role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are available to communicate the notifications.
B: Outsourcing does not remove the enterprise's responsibility regarding internal requirements. Hence, monitoring compliance with its internal security and privacy guidelines is not a problem.
D: The need for additional network intrusion detection sensors is not a major problem, as it can be easily managed. It only requires additional funding and can be addressed.