Answer: C - Effective vendor management policies typically involve routine monitoring of the third-party vendor by the organization to ensure compliance with contractual provisions. This monitoring supports the organization’s due diligence in ensuring the vendor’s implementation of reasonable and appropriate security measures. In addition, contracts typically set out the vendor’s responsibility to uphold the privacy and security of data provided by the organization (the data controller).
The data controller is responsible for protecting the data it collects, uses, and shares. Data processing vendors should be held accountable for protecting the sensitive information shared with them.