Question 2
What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?
Correct answer: C
Explanation
In SaaS, the provider manages the application and infrastructure, while the customer remains responsible for user and data governance. Access controls must be audited because they determine who can “access” the service and its data, making them a customer-side responsibility under the shared responsibility model.
Why each option is right or wrong
A. Patching
B. Source code reviews
C. Access controls
Under the shared responsibility model for SaaS, the provider operates the application stack, but the customer retains responsibility for identity and access management over its own users and data. Auditors therefore examine whether access is limited to authorized users, whether privileged accounts are controlled, and whether authentication/authorization settings are enforced consistently, because those controls sit on the customer side rather than the provider’s infrastructure.
D. Vulnerability management