Mandating periodic independent security audits by accredited assessors is correct.

Mandating periodic independent security audits by accredited assessors gives Aurora Systems impartial, evidence based verification of suppliers security controls and practices. Independent auditors can validate that controls are implemented and effective and they can provide formal reports that the company can track over time. Requiring audits on a recurring schedule creates an ongoing assurance process that detects regressions and changes in risk as suppliers update systems and processes.

Collecting continuous security telemetry from suppliers and ingesting it into the company security monitoring is not the best single answer. Direct telemetry can be useful as a supplement but it is often impractical because of legal, privacy and integration constraints and it does not replace third party validation of control design and effectiveness.

Accepting vendor self assessment questionnaires without independent verification is incorrect because self reported answers can be incomplete or biased and they do not provide objective evidence. Self assessments should be validated by independent audits or testing to ensure accuracy.

Performing a one time onboarding security review and not scheduling further evaluations is wrong because supplier security posture changes over time and a single review will not detect new vulnerabilities, process changes, or control degradation. Ongoing evaluations are required for continuous assurance.

Full AWS Practitioner Certification Question