正解:B
When an organization outsources network and data management to a third party, the first step in risk management is to ensure that the contractual agreement includes strong governance provisions, including:
* Regular vendor control reports to monitor security and performance.
* A right-to-audit clause, allowing the organization to periodically assess compliance and security controls.
* Correct Answer (B - Drafting a Strong Contract with Vendor Control Reports & Right-to-Audit Clause)
* IIA Practice Guide: Auditing Third-Party Risk Management recommends that contracts with vendors include clear security expectations, reporting requirements, and audit rights.
* A right-to-audit clause allows internal auditors to verify compliance with security policies.
* Vendor control reports (e.g., SOC 2 reports) provide assurance that the vendor meets security and compliance standards.
* Why Other Options Are Incorrect:
* Option A (Creating a comprehensive reporting system for vendors):
* While useful, a reporting system alone is not the first step-it should be included after contractual protections are in place.
* Option C (Applying administrative privileges to ensure appropriate access controls):
* This applies to internal access management but does not address third-party risk management.
* Option D (Creating a cybersecurity committee):
* A cybersecurity committee helps manage ongoing risks, but contractual controls are the first step in managing third-party risk.
* IIA Practice Guide: Auditing Third-Party Risk Management - Recommends strong contracts with right-to-audit clauses.
* GTAG 7: Information Technology Outsourcing - Discusses vendor risk management and contractual safeguards.
Step-by-Step Explanation:IIA References for Validation:Thus, the best first step is drafting a strong contract with vendor control reports and a right-to-audit clause (B).