Exam CISSP topic 1 question 222 discussion

it could query and get unauthorized data compromising confidentiality. could flood and crash the API. could write garbage compromising integrity. all possible because query integrity was not enforced. it s B.

Not C - Security relates to protecting against unauthorized access, but the issue here is about the correctness of system processing, not access control.

Look it up

One key component of Procesing Integrity is: Authorization: Confirming that processing activities are authorized and align with the organization's objectives and policies.

In the context of a System Organization Control (SOC) 2 audit, the trust service principles include Security, Availability, Processing Integrity, Confidentiality, and Privacy. Among these principles, the one MOST applicable in a situation where an Application Programming Interface (API) is performing an action not aligned with the scope or objective of the system is: C. Security The Security principle in SOC 2 encompasses controls related to the protection of system resources against unauthorized access (both physical and logical). If an API is performing actions outside the defined scope or objectives, it could be a security-related concern, as it might involve unauthorized access or actions that compromise the security of the system. Addressing such findings is crucial to ensure that the system's security controls align with the specified criteria and objectives.

The Security trust service principle within the SOC 2 framework encompasses the protection of information and systems against unauthorized access (both physical and logical). It includes the policies, processes, and controls designed to safeguard the confidentiality, integrity, and availability of the system.

I think the principal is D.. Processing Integrity is not a service principal

While the finding related to an API performing an action that is not aligned with the scope or objective of the system might also indicate a processing integrity issue, the control objective of processing integrity is to ensure that system processing is complete, accurate, timely, and authorized. This means that processing integrity is more concerned with the accuracy and completeness of the data processing rather than the security of the system. In this case, the finding indicates a security issue because the API is performing an action that is not aligned with the scope or objective of the system. This means that the system is not secure and that unauthorized actions are being performed, which is a violation of the security principle. Therefore, the most applicable trust service principle in this situation is "Security."

API performing an action that is not aligned with the scope or objective of the system? Processing Integrity-Answer Integrity-Data and system are protected from intentional, unauthorized, or accidental changes. Answer: B

Answer is D. "Availability. Information and systems are available for operation and use to meet the entity’s objectives." The actions DON'T follow the business scope. So this would, keyword" MOST" be applicable to availability. It can't be processing integrity because processing integrity is more-so about the accuracy of the data. "Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives." https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/trustdataintegritytaskforce

https://www.vistainfosec.com/blog/choosing-soc-2-principles/

Processing integrity

Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

I think that that way it is impacting A

Really B?