
ISACA CISA: What contract clause is most critical for auditing a third-party hosted CRM system with PII?

Learn about the most important contract clause an IS auditor should look for when reviewing an agreement for a third-party hosted CRM system containing personal data.


Question

An IS auditor is reviewing the contract for a customer relationship management (CRM) system containing personally identifiable information (PII) hosted by a third party. The absence of which of the following would be the GREATEST concern regarding the contract?

A. Right-to-audit clause
B. Service level agreements (SLAs)
C. System availability requirements
D. Confidentiality terms

Answer

A. Right-to-audit clause

Explanation

A right-to-audit clause is critical because it gives the client organization the contractual right to audit the vendor’s security controls, processes, and compliance. Without it, the client has no way to verify that the vendor is properly securing the sensitive personally identifiable information (PII) as required.

While the other items are also important in a hosting contract, they are not as critical as the right-to-audit clause from an IS auditor’s perspective:

B. Service Level Agreements (SLAs) specify performance requirements but don’t address auditing and verifying security.

C. System availability requirements relate to uptime/downtime but not the ability to audit security controls.

D. Confidentiality terms prohibit the vendor from disclosing data but don’t give the client the right to audit the vendor’s practices.

Therefore, the absence of a right-to-audit clause would be the most concerning finding for an IS auditor reviewing this contract, as it removes the client’s ability to verify the vendor’s security and compliance through an audit. The right-to-audit clause is an essential safeguard for sensitive data hosted by third parties.
