210 ◾ The Security Risk Assessment Handbook
© 2011 by Taylor & Francis Group, LLC
controls within that outsourced function. e following approaches for obtaining
appropriate data should be considered.
6.2.5.4.1.1 Approach 1: Review Contracts —e security risk assessment team
member could simply review the contracts covering the outsourcing of the critical
function. e assessor should look for the following elements in the contract:
◾ Is there a service-level agreement associated with the outsourced function?
− Are reasonable and relevant security metrics dened?
− Are these security metrics measured and reported?
◾ Is there a business associate agreement or other contractual agreement cover-
ing the sharing of sensitive information?
− Doe