Certified in Risk and Information Systems Control (CRISC) — Question 1233

An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner?

Answer options

• A. Due diligence for the recommended cloud vendor has not been performed.
• B. The business can introduce new Software as a Service (SaaS) solutions without IT approval.
• C. The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (IaaS) provider.
• D. Architecture responsibilities may not be clearly defined.

Correct answer: B

Explanation

The greatest concern for the risk practitioner is that users can implement new SaaS solutions without IT oversight, which can lead to security vulnerabilities and compliance issues. While due diligence (A) and architecture responsibilities (D) are important, they are secondary to the risks posed by uncontrolled SaaS adoption. Outsourcing infrastructure maintenance (C) is a common practice and may not inherently pose a risk if managed properly.