CompTIA Security+ (SY0-701) — Question 606

A security analyst is evaluating a SaaS application that the human resources department would like to implement. The analyst requests a SOC 2 report from the SaaS vendor. Which of the following processes is the analyst most likely conducting?

Answer options

• A. Internal audit
• B. Penetration testing
• C. Attestation
• D. Due diligence

Correct answer: D

Explanation

The correct answer is D, as due diligence involves assessing the security and compliance of third-party services, which includes reviewing SOC 2 reports. The other options do not directly relate to the evaluation of a vendor's security measures; internal audits are internal assessments, penetration testing is a method to identify vulnerabilities, and attestation refers to the formal verification process but does not encompass the broader evaluation context.