CRISC Question #401: Real Exam Question with Answer & Explanation
The correct answer is D: Contractual requirements. To prevent future unauthorized access by a service provider's administrator in an IaaS model, the best protection involves establishing clear contractual requirements.
Question
It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (IaaS) model. Which of the following would BEST protect against a future recurrence?
Options
- A. Data encryption
- B. Intrusion prevention system (IPS)
- C. Two-factor authentication
- D. Contractual requirements
Explanation
To prevent future unauthorized access by a service provider's administrator in an IaaS model, the best protection involves establishing clear contractual requirements.
Common mistakes
- A. Data encryption protects data confidentiality but does not prevent an authorized administrator (who might possess decryption keys or privileged access) from performing unauthorized actions.
- B. An IPS might detect some malicious network activity, but it wouldn't prevent an administrator with legitimate system access credentials from misusing their authorized privileges.
- C. Two-factor authentication protects against unauthorized access to accounts, but if the administrator is authorized to the system, 2FA won't prevent them from misusing that access.
Concept tested: Cloud provider risk mitigation and governance