Explanation
A vendor requires privileged access to a key business application. The best recommendation to reduce the risk of data leakage is to implement real-time activity monitoring for privileged roles. This is because real-time activity monitoring can provide visibility and accountability for the actions performed by the vendor with privileged access, such as creating, modifying, deleting, or copying data. Real-time activity monitoring can also enable timely detection and response to any unauthorized or suspicious activities that may indicate data leakage. Including the right-to-audit in the vendor contract is a good practice, but it may not be sufficient to prevent or detect data leakage in a timely manner, as audits are usually performed periodically or on-demand.
Performing a review of privileged roles and responsibilities is also a good practice, but it may not address the specific risk of data leakage by the vendor with privileged access. Requiring the vendor to implement job rotation for privileged roles may reduce the risk of collusion or fraud, but it may not prevent or detect data leakage by any individual with privileged access. References: CISA Review Manual (Digital Version),
[ISACA Privacy Principles and Program Management Guide]

A balanced scorecard is a strategic planning framework that companies use to assign priority to their products, projects, and services; communicate about their targets or goals; and plan their routine activities1. The scorecard enables companies to monitor and measure the success of their strategies to determine how well they have performed. A balanced scorecard for IT management can help assess IT functions and processes by defining four perspectives: financial, customer, internal business process, and learning and growth2. These perspectives can help IT management align their IT objectives with the organization's vision and mission, identify and prioritize the key performance indicators (KPIs) for IT, and evaluate the effectiveness and efficiency of IT operations and services3.
References
1: Balanced Scorecard - Overview, Four Perspectives 2: The IT Balanced Scorecard (BSC) Explained - BMC Software 3: A BALANCED SCORECARD (BSC) FOR IT PERFORMANCE MANAGEMENT - SAS Support

Changing the default configurations of a database system is a critical control for securing it from unauthorized access or exploitation. Default configurations often include weak passwords, unnecessary services, open ports, or known vulnerabilities that can be easily exploited by attackers. The other options are not as important as changing the default configurations, as they do not address the root cause of the security risks. Normalizing tables in the database is a design technique for improving data quality and performance, but it does not affect security. Changing the service port used by the database server is a form of security by obscurity, which can be easily bypassed by port scanning tools. Using the default administration account after changing the account password is still risky, as the account name may be known or guessed by attackers. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.2.4