Exam SY0-601 topic 1 question 787 discussion

Actual exam question from CompTIA's SY0-601
Question #: 787
Topic #: 1

A company uses a SaaS vendor to host its customer database. The company would like to reduce the risk of customer data exposure if the systems are breached. Which of the following risks should the company focus on to achieve this objective?

  • A. Access auditing
  • B. Outsourced code development
  • C. Supply chain
  • D. Open ports and services
Suggested Answer: A

Comments

NolanR
Highly Voted 3 months ago
Selected Answer: A
It's A bro, are y'all crazy? I just took the test and a 2 week course and saw this EXACT question.
upvoted 15 times
Olazino
4 weeks, 1 day ago
You are right, and the key point here is control.
upvoted 1 times
ganymede
Highly Voted 3 months, 3 weeks ago
Selected Answer: D
D. Open ports and services. The question is only asking about RISKS. "Which of the following RISKS should the company focus on to achieve this objective?" Access auditing is not a risk so toss it out. Misconfiguration is one of the top risks for cloud services. Do some research and you'll find many credible sources agreeing that it's one of the top risks to cloud services. Open ports and services is a very common cloud misconfiguration.
upvoted 9 times
ps1hacker
1 month, 3 weeks ago
Yes, but the company outsourced its db to a cloud provider, therefore open ports is an issue that the CLOUD provider needs to focus on. The company itself only needs to worry about the cloud provider, which is a part of their supply chain. Therefore it's C.
upvoted 1 times
Shouqq
Most Recent 1 day, 3 hours ago
Selected Answer: A
Access auditing involves monitoring and recording who accesses the data, what actions they perform, and ensuring that only authorized personnel have access to sensitive information.
upvoted 1 times
mikzer
3 days, 2 hours ago
Selected Answer: A
The company has to depend on or trust the SaaS vendor concerning B-D. Worry all it wants to about that. Get a different vendor if you can't trust it. A is the only one the company has control over to put focus upon.
upvoted 1 times
AspiringNerd
1 week, 2 days ago
Selected Answer: A
It’s A
upvoted 1 times
cd48a66
1 month ago
Selected Answer: C
The answer is C. Supply Chain because the company uses a cloud provider to manage their database, making it essential to focus on the security practices of this provider as part of their supply chain risk management.
upvoted 2 times
_deleteme_
1 month, 1 week ago
A - If you do not audit, how will you know who is accessing customer data? Key words "breach" & "exposure", whether it is the company's people or the vendor's people.
Per DION Training guide 701 - Accounting (Auditing): Tracks and records user activities, logins, actions, and changes. Helps detect security incidents, identify vulnerabilities, and provide evidence in case of breaches.
Per 601 - Cloud Security Section - Configure, manage, and audit user access to virtualized servers. Security challenges with Software-as-a-Service (SaaS) providers:
  ● Data confidentiality and integrity concerns
  ● Assess provider's cybersecurity protocols and support for security incidents
  ● Vendor selection should consider due diligence, historical performance, and commitment to security
upvoted 2 times
Mizzcoors
1 month, 1 week ago
Selected Answer: C
I'm sort of agreeing with ChatGPT on this one: C. Supply chain. When a company relies on a SaaS vendor to host its customer database, the supply chain risk becomes a critical concern. Supply chain risks refer to vulnerabilities introduced through third-party providers, including SaaS vendors. If the SaaS vendor's systems are breached, it could potentially expose the customer data of the company. Additionally, the CompTIA guide has: Supply chain - Cloud — many companies now run part or all of their network services via Internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system.
upvoted 1 times
Ainevknow01
1 month, 3 weeks ago
Selected Answer: C
SaaS vendor = supply chain
upvoted 1 times
BD69
1 month, 3 weeks ago
Selected Answer: A
I picked access auditing because that's really the only thing that makes sense here if the SaaS allows it. You have zero control over the ports & services, so that's a definite non-answer. Supply Chain is completely irrelevant. Outsourced code development is irrelevant (this is SaaS, so you aren't doing coding of the application).
upvoted 1 times
fryderyk
2 months ago
Selected Answer: C
Supply chain seems the most probable. If it's SaaS, the customer is most likely not responsible for port configurations. They would be if that was PaaS or IaaS.
upvoted 2 times
ps1hacker
2 months ago
Selected Answer: D
I think D is best. Sure supply chain or 3rd party code is possible, but open ports is MUCH more likely to be an issue.
upvoted 1 times
slapster
2 months, 3 weeks ago
Selected Answer: C
I am leaning towards Supply chain (C) here. The question is asking about which RISK to focus on, rather than how to mitigate that risk. Third-party hosting of a database is a supply chain risk. Access auditing is how they would go about reducing the risk, however I believe that is out of the scope of the question. Again, we are being asked to identify the risk itself, not how to combat/reduce it. B is wrong because they are not outsourcing any code development. I believe D is wrong because the SaaS vendor should be the one responsible for the service itself. Proper configuration by the vendor is definitely necessary and access auditing can be used to confirm it, however from the company's perspective, their risk is supply chain, not the open ports/services.
upvoted 5 times
memodrums
2 months, 3 weeks ago
Selected Answer: A
Since it's a SaaS application, as the customer, you won't have to worry about open ports and services b/c the database will be fully controlled by the SaaS vendor. The only risk that would present itself is having the ability to audit the vendor to make sure they are adequately implementing the necessary controls to protect your data.
upvoted 1 times
LinkinTheStinkin
2 months, 2 weeks ago
This is my thinking too.
upvoted 1 times
f8ecb59
2 months, 4 weeks ago
The question is asking what risk should the company focus on to reduce customer data exposure after a breach has already occurred. This should change how you think about the answer.
upvoted 1 times
Biru04
3 months, 1 week ago
Selected Answer: C
Supply chain security is management of the supply chain that focuses on risk management of external suppliers, vendors, logistics, and transportation.
upvoted 1 times
klinkklonk
3 months, 2 weeks ago
Whose system is being breached though?
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other