Exam SY0-701 topic 1 question 308 discussion

D. Due diligence In this context, due diligence refers to the process of evaluating the security, compliance, and risk associated with a third-party vendor or service, such as a SaaS application. Requesting a SOC 2 report is a common part of the due diligence process to assess the vendor's controls related to security, availability, processing integrity, confidentiality, and privacy. Internal audit (A) refers to an organization's internal review of its own processes, not an external vendor. Penetration testing (B) involves actively testing for vulnerabilities by simulating attacks, which is not applicable here. Attestation (C) refers to a third-party audit or certification, such as the SOC 2 report itself, but the analyst is conducting due diligence by requesting the report.

Due Diligence is a type of practice. it verify and assess various aspects, including security, compliance, and risks. The security analyst is performing due diligence by asking for a SOC 2 report from the SaaS vendor to make an informed decision.

Security challenges with Software-as-a-Service (SaaS) providers --> Vendor selection should consider due diligence, historical performance and commitment to security

D. Due diligence Due diligence in this context involves evaluating the security, availability, processing integrity, confidentiality, and privacy of the SaaS application by reviewing the SOC 2 report provided by the vendor. This process helps ensure that the vendor meets the required security and operational standards before the SaaS application is implemented.