A security analyst has completed the initial due-diligence assessment of a new cloud service provider and the contract has been signed. Which of the following actions will BEST help the analyst ensure that the provider continues to meet the organization's security requirements and contractual obligations throughout the life of the agreement?
Implement continuous monitoring of the provider's security controls and performance metrics.
Schedule a formal onsite assessment every five years.
Review the provider's SOC 2 Type II report once, then archive it for reference.
Include a confidentiality clause in the contract requiring the provider to protect data.
Continuous monitoring gives the organization ongoing visibility into the provider's security posture, making it possible to detect control failures, new vulnerabilities, or policy violations as soon as they occur. Periodic reviews or contractual clauses alone do not provide real-time assurance, and a five-year audit cadence is far too infrequent.