
CRISC · Question #462

CRISC Question #462: Real Exam Question with Answer & Explanation

The correct answer is B: The vendor must host data in a specific geographic location. Specifying data hosting location in a SaaS contract is crucial for complying with data residency requirements and regulatory obligations.

Submitted by yasin.bd · Apr 18, 2026 · Governance

Question

Which of the following is the MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?

Options

  • A. The vendor must provide periodic independent assurance reports.
  • B. The vendor must host data in a specific geographic location.
  • C. The vendor must be held liable for regulatory fines for failure to protect data.
  • D. The vendor must participate in an annual vendor performance review.

Explanation

Specifying data hosting location in a SaaS contract is crucial for complying with data residency requirements and regulatory obligations.

Common mistakes.

  • A. While periodic independent assurance reports (like SOC 2) are important for demonstrating security posture, they do not directly dictate or enforce where data is stored for compliance purposes.
  • C. Holding the vendor liable for regulatory fines is a critical contractual clause for risk transfer but does not, in itself, guarantee proactive data protection or compliance with data residency laws.
  • D. An annual vendor performance review is a general governance practice for managing vendor relationships and service quality, but it does not directly address specific data protection requirements like residency.

Concept tested. SaaS contract data residency requirements

Reference. https://learn.microsoft.com/en-us/compliance/regulatory/gdpr-data-residency-requirements

Topics

#SaaS contracts #Data protection #Data residency #Regulatory compliance
