Which of the following should the project’s security consultant recommend as the NEXT step?

An infrastructure team within an energy organization is at the end of a procurement process and has selected a vendor’s SaaS platform to deliver services. As part of the legal negotiation, there are a number of outstanding risks, including:
1. There are clauses that confirm a data retention period in line with what is in the energy organization’s security policy.
2. The data will be hosted and managed outside of the energy organization’s geographical location.
The number of users accessing the system will be small, and no sensitive data will be hosted in the SaaS platform. Which of the following should the project’s security consultant recommend as the NEXT step?
A. Develop a security exemption, as the solution does not meet the security policies of the energy organization.
B. Require a solution owner within the energy organization to accept the identified risks and consequences.
C. Mitigate the risks by asking the vendor to accept the in-country privacy principles and modify the retention period.
D. Review the procurement process to determine the lessons learned in relation to discovering risks toward the end of the process.


4 thoughts on “Which of the following should the project’s security consultant recommend as the NEXT step?”

  1. Maybe: C. Mitigate the risks by asking the vendor to accept the in-country privacy principles and modify the retention period?

    Before giving up and accepting the risks, why not ask the vendor if these issues can be addressed? If the issues cannot be addressed, then you can decide whether or not to accept the risks.

  2. Answer could be B because other answers are less relevant. Wow what F up question is this…
    Co decided to use Cloud service of SaaS (Software as a Service), and found the risk of:
    1) data retention period is in line with the company… what risk? no risk.
    2) data stored outside of company… what? dah? why you use Cloud service. What risk? If you want it in house, just don’t use Cloud service?

    A. Develop a security exemption (no, what’s to exempt?)
    B. Require a solution owner within the energy organization to accept the identified risks and consequences. (Yes maybe. accept data retention fit perfectly with co and use of Cloud service.)
    C. Mitigate risks… in-country…and modify the retention period. (no, no risk. What’s the risk? Different geographical location does not mean different country. It could be the next county or other side of river.)
    D. Review…determine the lessons learned. (no, no risk was found.)
