
Exam CISSP topic 1 question 28 discussion

Actual exam question from ISC's CISSP
Question #: 28
Topic #: 1

A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company has decided to utilize Identity as a Service (IDaaS). Which of the following factors leads the company to choose an IDaaS as their solution?

  • A. In-house team lacks resources to support an on-premise solution.
  • B. Third-party solutions are inherently more secure.
  • C. Third-party solutions are known for transferring the risk to the vendor.
  • D. In-house development provides more control.
Suggested Answer: A

Comments

tsummey
2 months, 2 weeks ago
Selected Answer: A
A is about operational necessity, while C is about a strategic advantage. Most organizations first choose IDaaS because they lack the resources to build and maintain an on-premises solution. The risk transfer factor (C) adds value but isn't usually the core reason for the decision.
upvoted 1 times
...
jieaws
7 months, 2 weeks ago
The question is asking "...enhance the security of its user authentication processes...". Also, I remind myself to confine my thoughts within the provided context. A? "Lack resources and On premise solution" I do not see any wording in the context associated with this assumption. So A is out. C? "transferring the risk.." Again, does this transferring risk enhance authentication security? Am I answering the question at all? D? "In house ..." Similar to A and C. These options try to add buffer overflow info which are not within the question's context. The closest option is B. It exactly echoes "...enhance the security of its user authentication processes..."
upvoted 1 times
...
Yokota
7 months, 2 weeks ago
Selected Answer: C
A is wrong because they DO have the resources. The company wants to ENHANCE the security. The only option is C
upvoted 2 times
...
radagon
1 year, 1 month ago
A: answer C is wrong because the question says "to enhance the security of its user authentication processes"; transferring risk does not enhance security of the user.
upvoted 1 times
Yokota
7 months, 2 weeks ago
They do not "enhance security of the user"; they enhance security of the PROCESS.
upvoted 1 times
...
...
A1nthem
1 year, 1 month ago
Selected Answer: A
A: as lack of resources.
upvoted 1 times
...
LalithW
1 year, 1 month ago
"A company is attempting to enhance the security of its user authentication processes" means that the company already has an on-premises solution. For enhancement, they lack resources, hence moving with IDaaS. Answer A.
upvoted 3 times
...
Vince_F_Fang
1 year, 3 months ago
I didn't find any cost-related options. I chose B and after seeing the answer, I reevaluated A. Option A is actually equivalent to reducing costs.
upvoted 1 times
...
vorozco
1 year, 5 months ago
Selected Answer: A
Best answer is A. I think people choosing option C are thinking about "risk transfer" as part of risk management, but (1) this question isn't really about RM and (2) risk transfer USUALLY is centered around insurance.
upvoted 1 times
atif95
1 year, 2 months ago
Outsourcing services and insurance are both examples of risk transference (by AIO Shon Harris 9th edition).
upvoted 1 times
...
...
Azurefox79
1 year, 8 months ago
Selected Answer: A
A is the only answer that makes sense. Transferring risk, C, does not make sense. There is always risk and that's not a driving factor here.
upvoted 1 times
jackdryan
1 year, 7 months ago
A is correct
upvoted 1 times
...
...
s_n_
1 year, 10 months ago
Corp.com chose Identity as a Service (IDaaS) as their solution because of its inherent security benefits, its ability to transfer risk to the vendor, and its scalability and affordability. IDaaS is a third-party authentication solution that uses cloud-based software to provide authentication services, such as user authentication, single sign-on, and multi-factor authentication. This type of solution is often more secure than an on-premise solution because it is hosted by a trusted third-party, who is responsible for maintaining the security of the system. Additionally, IDaaS solutions are known for transferring the security risk to the vendor, which can be beneficial for companies that lack the resources to support an on-premise solution. Finally, IDaaS solutions are known for their scalability and affordability, as they are often much cheaper than developing an in-house authentication solution and can easily be scaled up or down, depending on the company’s needs. Resources: 1. What is Identity as a Service (IDaaS)? - https://www.techopedia.com/definition/31761/identity-as-a-service-idaas 2. Why IDaaS is the Best Choice for
upvoted 2 times
...
RVoigt
1 year, 10 months ago
Selected Answer: C
From the ISC Official Study Guide: "Risk Assignment - Assigning risk or transferring risk is the placement of the responsibility of loss due to a risk onto another entity or organization. Purchasing cybersecurity or traditional insurance and outsourcing are common forms of assigning risk or transferring risk. Also known as assignment of risk and transference of risk."
upvoted 2 times
...
Delab202
1 year, 10 months ago
Selected Answer: B
Enhance the security- Objective
upvoted 2 times
...
cccispman
1 year, 11 months ago
Just joined - some of these questions are great! I just want to know which b@5t4rd wrote them!! 'A' doesn't sound sensible because there's an assumption that the company doesn't have a team for managing IDaaS. Upon viewing Pete Zerger's 7.5hr YouTube classic, I am leaning towards B, third party solutions are better, mostly :-) The business wished to enhance, not because of some in-house skills shortage, but because there's something out there that can do a better job. This question is actually quite tough and we can fall into the trap of reading too much into it, and that is the crux of the problem!
upvoted 2 times
...
somkiatr
1 year, 11 months ago
Selected Answer: A
This is not about risk transfer purpose. We select vendor because they are secured enough to match our requirements and we don't have enough resources to support the on premise system.
upvoted 2 times
...
oudmaster
1 year, 11 months ago
Now what if the company has enough resources to support an on-prem solution? How would we know that?
upvoted 1 times
...
Nickolos
1 year, 11 months ago
Selected Answer: A
You cannot transfer the risk to the vendor as they are handling YOUR information, for which YOU are ultimately accountable.
upvoted 4 times
...
Billy235
1 year, 11 months ago
Requirement is to enhance security. Options C and D do not meet this requirement. Option B is not necessarily true. Thus answer is A. Lack of resources could refer to skills, experience or availability of in-house team and would be a management consideration.
upvoted 1 times
...
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other