
CAS-002 · Question #335

CAS-002 Question #335: Real Exam Question with Answer & Explanation

The correct answer is C: Security clauses are implemented into the contract, such as the right to audit.

Question

A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organization's customer database. The database will be accessed by both the company's users and its customers. The procurement department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO).

Options

  • A. Physical penetration test of the datacenter to ensure there are appropriate controls.
  • B. Penetration testing of the solution to ensure that the customer data is well protected.
  • C. Security clauses are implemented into the contract such as the right to audit.
  • D. Review of the organization's security policies, procedures and relevant hosting certifications.
  • E. Code review of the solution to ensure that there are no back doors located in the software.

Explanation

Due diligence for cloud outsourcing focuses on reviewing existing documentation, certifications, and establishing contractual security obligations rather than performing active technical assessments of the provider's systems.

Common mistakes.

  • A. Physical penetration testing of a cloud provider's datacenter is not a standard due diligence activity; physical security is typically validated through third-party audits and certifications rather than direct testing, which providers rarely permit.
  • B. Active penetration testing of the solution is a due care activity performed after the engagement is established, not a procurement-stage due diligence review activity.
  • E. Source code review for back doors is an invasive active assessment activity, not a due diligence review; cloud providers do not typically grant access to proprietary source code during vendor evaluation.

Concept tested. Due diligence activities during cloud service provider procurement

Reference. https://cloudsecurityalliance.org/research/guidance
