Certified in Risk and Information Systems Control (CRISC) — Question 513

An organization is reviewing a contract for a Software as a Service (SaaS) sales application with a 99.9% uptime service level agreement (SLA). Which of the following BEST describes ownership of availability risk?

Answer options

• A. The liability for the risk is owned by the cloud provider
• B. The liability for the risk is owned by the sales department
• C. The risk is transferred to the cloud provider
• D. The risk is shared by both organizations

Correct answer: D

Explanation

The correct answer is D because both the organization and the cloud provider have roles in managing and mitigating availability risk, despite the cloud provider's commitment to uptime. Options A, B, and C do not fully capture the shared responsibility that exists in such agreements, as it is not solely the cloud provider's or the sales department's liability.