ExpertHard1 markMultiple Choice
CPA · Question 01 · Area I: Information Systems
A CPA is performing a risk assessment for a client that uses a public cloud provider for its core ERP system. The client utilizes an Infrastructure as a Service (IaaS) model. When defining the scope of the IT audit, which of the following components is the client's management primarily responsible for securing, rather than the cloud service provider?
A CPA is performing a risk assessment for a client that uses a public cloud provider for its core ERP system. The client utilizes an Infrastructure as a Service (IaaS) model. When defining the scope of the IT audit, which of the following components is the client's management primarily responsible for securing, rather than the cloud service provider?
Answer options:
A.
Physical security of the data centers hosting the servers
B.
Maintenance of the hypervisor and virtualization layer
C.
Operating system configuration and application patching
D.
Network infrastructure up to the virtualization layer
How to approach this question
Recall the Shared Responsibility Model for cloud computing. In IaaS, the provider gives you the 'hardware' (virtualized), and you manage everything from the OS up.
Full Answer
C.Operating system configuration and application patching✓ Correct
C
Under the Shared Responsibility Model for IaaS, the cloud provider manages the physical infrastructure, network, and virtualization layer. The customer is responsible for the operating system, applications, data, and access control.
Common mistakes
Confusing IaaS with PaaS (where the provider manages the OS) or SaaS (where the provider manages the application).
Practice the full CPA ISC Practice Exam
82 questions · hints · full answers · grading
More questions from this exam
Q02During a walkthrough of a client's change management process, the auditor notes that developers h...HardQ03A service organization provides a real-time transaction processing platform. The service level ag...HardQ04An auditor is reviewing a SQL query used by the finance team to generate a report of all sales tr...HardQ05A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud dep...HardQ06An auditor is evaluating the design of a disaster recovery plan (DRP). The organization uses a 'd...Hard