Certified Information Systems Security Professional (CISSP) — Question 150
A large international organization that collects information from its consumers has contracted with a Software as a Service (SaaS) cloud provider to process this data. The SaaS cloud provider uses additional data processing to demonstrate other capabilities it wishes to offer to the data owner. This vendor believes additional data processing activity is allowed since it is not disclosing the data to other organizations. Which of the following BEST supports this rationale?
Answer options
- A. The data was encrypted at all times and only a few cloud provider employees had access.
- B. As the data owner, the cloud provider has the authority to direct how the data will be processed.
- C. As the data processor, the cloud provider has the authority to direct how the data will be processed.
- D. The agreement between the two parties is vague and does not detail how the data can be used.
Correct answer: D
Explanation
The correct answer is D because if the agreement is unclear regarding data usage, the cloud provider may misinterpret its rights to process the data further. Options A, B, and C do not support the rationale since encryption does not justify additional processing, and both the owner and processor roles typically have specific rights that do not imply unrestricted processing authority.