Question 1084 - CISA discussion

An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data.SaaS is a model in which the software is centrally hosted and accessed by the user via a web browser using the internet1.The vendor owns and maintains the software and the data, and the organization pays for the use of the service on a subscription or usage basis1. The greatest risk to the organization related to data backup and retrieval is that the vendor may be unable to restore critical data.

Data backup and retrieval are essential processes for ensuring the availability, integrity, and security of data in case of loss, corruption, or damage2.Data backup is the process of creating and storing copies of data in a separate location from the original data2.Data retrieval is the process of accessing and restoring the backed-up data when needed2.Critical data are data that are vital for the operation, continuity, and recovery of the organization3.

If the vendor is unable to restore critical data, the organization may face severe consequences, such as:

Business disruption: The organization may not be able to perform its core functions, deliver its products or services, or meet its customer or stakeholder expectations3.

Revenue loss: The organization may lose income, market share, or competitive advantage due to reduced sales, customer dissatisfaction, or reputation damage3.

Legal liability: The organization may face lawsuits, fines, or penalties for breaching contractual, regulatory, or statutory obligations related to data protection, privacy, or security3.

Recovery cost: The organization may incur additional expenses for repairing or replacing the lost or corrupted data, restoring the system functionality, or compensating the affected parties3.

The other options are not as great as the vendor's inability to restore critical data.The organization may be locked into an unfavorable contract with the vendor, which may limit its flexibility, control, or choice over the service quality, cost, or duration4.However, this risk can be mitigated by negotiating better terms and conditions, reviewing the contract periodically, or switching to another vendor if possible4.The vendor may be unable to restore data by recovery time objective (RTO) requirements, which are the maximum acceptable time frames for restoring data after a disruption5.However, this risk can be reduced by setting realistic and achievable RTOs, monitoring the vendor's performance, or implementing alternative recovery strategies if needed5. The organization may not be allowed to inspect the vendor's data center, which may limit its visibility, transparency, or assurance over the service provider's infrastructure, security, or compliance. However, this risk can be overcome by requesting third-party audits, certifications, or reports from the vendor that demonstrate their adherence to industry standards and best practices. Therefore, option B is the correct answer.

What is SaaS? Software as a Service | Microsoft Azure

What is Data Backup? - Definition from Techopedia

Critical Data Definition

The Risks of Cloud Computing | Cloud Academy

Recovery Time Objective (RTO) Definition

[Cloud Computing Security Risks: What You Need To Know | CloudHealth by VMware]