A security analyst has completed the initial due-diligence assessment of a new cloud service provider and the contract has been signed. Which of the following actions will BEST help the analyst ensure that the provider continues to meet the organization's security requirements and contractual obligations throughout the life of the agreement?
Include a confidentiality clause in the contract requiring the provider to protect data.
Review the provider's SOC 2 Type II report once, then archive it for reference.
Schedule a formal onsite assessment every five years.
Implement continuous monitoring of the provider's security controls and performance metrics.
Correct answer: implement continuous monitoring of the provider's security controls and performance metrics. Continuous monitoring gives the organization ongoing visibility into the provider's security posture, so control failures, newly disclosed vulnerabilities, policy violations, or missed service-level targets are detected promptly rather than at the next scheduled review. The other options fall short: a confidentiality clause creates an obligation but does not verify that the provider is meeting it; a single review of a SOC 2 Type II report covers only the audit period that has already passed and says nothing about the provider's posture afterward; and a five-year onsite assessment cadence is far too infrequent to catch changes in the provider's environment, ownership, or subcontractors between visits.