Certificate of Cloud Auditing Knowledge (CCAK) — Question 229
While using Software as a Service (SaaS) to store secret customer information, an organization identifies a risk of disclosure to unauthorized parties. Although the SaaS service continues to be used, secret customer data is not processed. Which of the following risk treatment methods is being practiced?
Answer options
- A. Risk acceptance
- B. Risk transfer
- C. Risk mitigation
- D. Risk reduction
Correct answer: D
Explanation
The organization is practicing risk reduction: by not processing secret customer data in the SaaS service, it lowers the chance of unauthorized disclosure. Risk acceptance would mean acknowledging the risk without taking action. Risk transfer would mean shifting the risk to another party. Risk mitigation would involve actions taken to lessen the impact or likelihood of the risk, which does not apply here because the data is not being processed.