Certified Information Systems Auditor (CISA) — Question 344
An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?
Answer options
- A. The cloud provider
- B. The cloud provider's external auditor
- C. The operating system vendor
- D. The organization
Correct answer: D
Explanation
The organization is primarily responsible for the security configurations of the operating system as they manage the application and its environment in the IaaS model. While the cloud provider offers infrastructure and the operating system vendor provides the software, the organization retains control over the security settings and configurations necessary to protect their application.