A bank has just outsourced the security department to a consulting firm, but retained the security architecture group. A few months into the contract the bank discovers that the consulting firm has sub-contracted some of the security functions to another provider. Management is pressuring the sourcing manager to ensure adequate protections are in place to insulate the bank from legal and service exposures.
Which of the following is the MOST appropriate action to take?
A. Directly establish another separate service contract with the sub-contractor to limit the risk exposure and legal implications.
B. Ensure the consulting firm has service agreements with the sub-contractor; if the agreement does not exist, exit the contract when possible.
C. Log it as a risk in the business risk register and pass the risk to the consulting firm for acceptance and responsibility.
D. Terminate the contract immediately and bring the security department in-house again to reduce legal and regulatory exposure.
Answer: B