Hard · 1 mark · Multiple Choice
CPA · Question 03 · Area I: Information Systems
A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor discovers that the operating system of the virtual machines has not been patched for critical vulnerabilities. Under the shared responsibility model, who is responsible for this control failure?
Answer options:
A. The cloud service provider (CSP)
B. The customer (the company)
C. Both the CSP and the customer equally
D. The software vendor of the operating system
How to approach this question
Recall the Shared Responsibility Model. IaaS = Customer manages OS. PaaS = Provider manages OS. SaaS = Provider manages OS.
Full Answer
B. The customer (the company) ✓ Correct
In an IaaS model (e.g., AWS EC2), the customer is responsible for 'security in the cloud', which includes the guest operating system, application software, and firewall configuration.
Common mistakes
Assuming the cloud provider handles all patching.