A small organization has a contract with a multinational cloud computing vendor. Which of the following would present the GREATEST concern to an information security manager if omitted from the contract?
A. Escrow of software code with conditions for code release
B. Right of the subscriber to conduct onsite audits of the vendor
C. Authority of the subscriber to approve access to its data
D. Commingling of subscribers' data on the same physical server
From ISACA's point of view, the correct answer is C. Authority of the subscriber to approve access to its data. This is because the subscriber must have control over the access to its data in order to maintain confidentiality and privacy. If this authority is omitted from the contract, the subscriber may not have a say in who can access its data, which could lead to unauthorized access or a breach of confidentiality. Escrow of software code, the right to conduct onsite audits, and commingling of data are all important considerations, but they are not as critical as the subscriber's authority to approve access to its data.
For many reasons.
1. Topology and configuration management is paramount. My consideration of awarding the contract to a service provider is influenced by server commingling. How do I know if a bad actor state is on the same hardware?
2. If there is a security incident, how will forensics have access to the data if other customers' data is affected/lost?
3. Logical separation is a great thought, but most Defense in Depth allows horizontal movement; once you're in a certain level, horizontal movement normally comes with.
So many reasons this is a bad answer.
C. Authority of the subscriber to approve access to its data
The authority to approve access to the subscriber's data is of paramount importance, as maintaining control over data access is a critical factor in protecting the confidentiality and integrity of the organization's sensitive and proprietary information. Without it, the organization could face risks that threaten its security posture and regulatory compliance.
C. Authority of the subscriber to approve access to its data
The GREATEST concern for an information security manager in a contract with a multinational cloud computing vendor would be the omission of the authority of the subscriber to approve access to its data (Option C). This is because data security and privacy are paramount concerns when using cloud services. If the subscriber does not have control over who can access their data and under what circumstances, it can lead to significant security and privacy risks.
Bard says:
The answer is B. Right of the subscriber to conduct onsite audits of the vendor.
The right of the subscriber to conduct onsite audits of the vendor is the most critical clause to include in a contract with a cloud computing vendor. This right allows the subscriber to verify that the vendor is adhering to the security requirements outlined in the contract.
Here's why the other options are not as critical:
A. Escrow of software code with conditions for code release: Escrow is a valuable safeguard, but it is not as essential as the right to conduct audits. Audits provide a more comprehensive assessment of the vendor's security practices.
C. Authority of the subscriber to approve access to its data: While it is important for the subscriber to have control over who accesses its data, this can be managed through contractual provisions and access control mechanisms. Audits provide a broader view of the vendor's security posture.
D. Commingling of subscribers' data on the same physical server: While commingling of data can raise privacy concerns, it is not as critical as the right to conduct audits. Audits can assess whether the vendor is taking appropriate measures to protect data and prevent unauthorized access, regardless of where the data is stored.
Therefore, the right of the subscriber to conduct onsite audits of the vendor is the most critical clause to include in a contract with a cloud computing vendor. It provides the subscriber with the necessary oversight to ensure that the vendor is meeting its security obligations and protecting the subscriber's data.
Having the right to conduct onsite audits is crucial for the subscriber to ensure that the cloud computing vendor is meeting agreed-upon security standards and adhering to the terms of the contract. Onsite audits provide a direct means of assessing the physical and logical security measures implemented by the vendor, helping to verify compliance and identify any potential security risks or vulnerabilities. This oversight is essential for maintaining trust and ensuring the security of the subscriber's data within the cloud environment.
This is not important. A physical server can have many different instances, and each client can have its own instance, logically separated from other instances.
Think about it as a building with flats. You have your own flat with your own key, regardless of whether there are other flats in the building. You can't access theirs, they can't access yours.
So: Physical Server = Building
Instance = A flat
Commingling of subscribers' data on the same physical server is the greatest concern for an information security manager if omitted from the contract. When data is stored on the same physical server as data belonging to other customers, it increases the risk of data leakage, unauthorized access, and other security breaches.
If you are a low-paying customer, the cloud provider can put your data on the same physical server to save costs. If you do not have authority to approve access to your data, then you do not have control over it; this could be a bigger concern.
Authority of the subscriber to approve access to its data would present the GREATEST concern to an information security manager if omitted from the contract between a small organization and a multinational cloud computing vendor.
Quite sure it's D. The most important aspect of such a contract is the subscriber's authority to approve access to its data. If this authority is omitted from the contract, the subscriber's data may be vulnerable to unauthorized access by the cloud vendor or other third parties.
IMO this is more important than data being on the same server.
Yes, it should be D. Sensitive data in the same server with other customer would present the greatest concern as it increases the risk of data breaches and exposure of sensitive information.