A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor discovers that the operating system of the virtual machines has not been patched for critical vulnerabilities. Under the shared responsibility model, who is responsible for this control failure?

Answer options:

The cloud service provider (CSP)

The customer (the company)

Both the CSP and the customer equally

The software vendor of the operating system

How to approach this question

Recall the Shared Responsibility Model. IaaS = Customer manages OS. PaaS = Provider manages OS. SaaS = Provider manages OS.

Full Answer

B.The customer (the company)✓ Correct

The customer (the company)

In an IaaS model (e.g., AWS EC2), the customer is responsible for 'security in the cloud', which includes the guest operating system, application software, and firewall configuration.

Common mistakes

Assuming the cloud provider handles all patching.

Question 02 All questions Question 04

Practice the full CPA ISC Practice Exam 4

82 questions · hints · full answers · grading

More questions from this exam

Q01A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environ...Hard Q02An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provi...Hard Q04An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its...Hard Q05During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can...Hard Q06An auditor is reviewing the backup strategy for a financial transaction system with a Recovery Po...Hard

View all 82 questions →