Which of the following would provide the BEST amount of coverage to the financial company by way of continually asserting that there is an acceptable security posture being achieved by the service provider?

An external cloud service provider has been chosen by a financial company to deliver some capabilities that used to be performed in-house. Which of the following would provide the BEST amount of coverage to the financial company by way of continually asserting that there is an acceptable security posture being achieved by the service provider?
A. Define required security service levels, agree on security evaluation criteria, and perform regular compliance checks based on the service levels and evaluation criteria.
B. Perform a penetration test every 6 to 12 months and mandate that any unacceptably high issues or risks are mitigated.
C. Perform a risk assessment annually and mandate that any unacceptably high risks are mitigated.
D. Ensure that the service provider aligns to an industry standard, such as ISO 27000 series or another regulatory compliance framework and request that they self-monitor annually.
