An organization utilizes a third party to classify its customers' personally identifiable information (PII). What is the BEST way to hold the third party accountable for data leaks?

  • A. Include detailed documentation requirements within the formal statement of work.
  • B. Submit a formal request for proposal (RFP) containing detailed documentation of requirements.
  • C. Ensure a nondisclosure agreement is signed by both parties' senior management.
  • D. Require the service provider to sign off on the organization's acceptable use policy.

________________________________

Note

The official answer (but it could be wrong because it is not provided by ISACA) is: "A. Include detailed documentation requirements within the formal statement of work."

Other experts claim that the correct answer is: "D. Require the service provider to sign off on the organization's acceptable use policy."

Other experts claim that the correct answer is: "C. Ensure a nondisclosure agreement is signed by both parties' senior management."

It should be C. It's the BEST option to ensure confidentiality, as ISACA states an NDA is "A legal contract between at least two parties that outlines confidential materials that the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement."

What is the best answer in your opinion? An explanation is most definitely welcome.

Many thanks
