A centralized risk and controls dashboard is the best option for ensuring a coordinated approach to risk and control processes when duties are split between an organization and its cloud service providers. This dashboard provides a unified view of risk and control status across the organization and the cloud services it utilizes. It enables both parties to monitor and manage risks effectively and ensures that control activities are aligned and consistent. This approach supports proactive risk management and facilitates communication and collaboration between the organization and the cloud service provider.
Reference = The concept of a centralized risk and controls dashboard is supported by the Cloud Security Alliance (CSA) and ISACA, which emphasize the importance of visibility and coordination in cloud risk management. The CCAK materials and the Cloud Controls Matrix (CCM) provide guidance on establishing such dashboards as a means to manage and mitigate risks in a cloud environment12.

Credential scanning is a technique that can be used to detect and prevent the exposure of access keys and other sensitive information in the source code or any other configuration files during development. Credential scanning tools can scan the code repositories, files, and commits for any hardcoded credentials, such as access keys, passwords, tokens, certificates, and connection strings. They can also alert the developers or security teams of any potential leaks and suggest remediation actions, such as rotating or revoking the compromised keys, removing the credentials from the code, or using secure storage mechanisms like vaults or environment variables. Credential scanning can be integrated into the development pipeline as part of the continuous integration and continuous delivery (CI/CD) process, or performed periodically as a security audit. Credential scanning can help reduce the risk of credential leakage, which can lead to unauthorized access, data breaches, or account compromise. Reference:
Protecting Source Code in the Cloud with DSPM
Best practices for managing service account keys
Protect your code repository

The CSA STAR registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings1 The registry is designed for users of cloud services to assess their cloud providers' security and compliance posture, including the regulations, standards, and frameworks they adhere to1 The registry also promotes industry transparency and reduces complexity and costs for both providers and customers2 The provider can direct all customer inquiries to the information in the CSA STAR registry, as this would be the best recommendation to reduce the provider's burden. By publishing to the registry, the provider can show current and potential customers their security and compliance posture, without having to fill out multiple customer questionnaires or requests for proposal (RFPs)2 The provider can also leverage the different levels of assurance available in the registry, such as self-assessment, third-party audit, or certification, to demonstrate their security maturity and trustworthiness1 The provider can also benefit from the CSA Trusted Cloud Providers program, which recognizes providers that have fulfilled additional training and volunteer requirements with CSA, demonstrating their commitment to cloud security competency and industry best practices3 The other options are not correct because:
Option A is not correct because the provider can schedule a call with each customer is not a good recommendation to reduce the provider's burden. Scheduling a call with each customer would be time-consuming, inefficient, and impractical, especially if the provider receives multiple inquiries and RFPs every month. Scheduling a call would also not guarantee that the customer would be satisfied with the provider's security and compliance posture, as they may still request additional information or evidence. Scheduling a call would also not help the provider differentiate themselves from other providers in the market, as they may not be able to showcase their security maturity and trustworthiness effectively.
Option B is not correct because the provider can share all security reports with customers to streamline the process is not a good recommendation to reduce the provider's burden. Sharing all security reports with customers may not be feasible, as some reports may contain sensitive or confidential information that should not be disclosed to external parties. Sharing all security reports may also not be desirable, as some reports may be outdated, incomplete, or inconsistent, which could undermine the provider's credibility and reputation. Sharing all security reports may also not be effective, as some customers may not have the expertise or resources to review and understand them properly.
Option C is not correct because the provider can answer each customer individually is not a good recommendation to reduce the provider's burden. Answering each customer individually would be tedious, repetitive, and costly, as the provider would have to provide similar or identical information to different customers over and over again. Answering each customer individually would also not ensure that the provider's security and compliance posture is consistent and accurate, as they may make mistakes or omissions in their responses. Answering each customer individually would also not help the provider stand out from other providers in the market, as they may not be able to highlight their security achievements and certifications.

When reviewing a third-party agreement with a cloud service provider, the greatest concern regarding customer data privacy is the return or destruction of information. This is because customer data may contain sensitive or personal information that needs to be protected from unauthorized access, use, or disclosure. The cloud service provider should have clear and transparent policies and procedures for returning or destroying customer data upon termination of the agreement or upon customer request. The cloud service provider should also provide evidence of the return or destruction of customer data, such as certificates of destruction, audit logs, or reports. The return or destruction of information should comply with applicable laws and regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Health Insurance Portability and Accountability Act (HIPAA). The cloud service provider should also ensure that any subcontractors or affiliates that have access to customer data follow the same policies and procedures12.
Reference:
Cloud Services Agreements - Protecting Your Hosted Environment
CSP agreements, price lists, and offers - Partner Center