Which of the following is the PRIMARY component to determine the success or failure of an organization’s cloud compliance program?

Which of the following is the PRIMARY component to determine the success or failure of an organization’s cloud compliance program?
A . Defining the metrics and indicators to monitor the implementation of the compliance program
B . Determining the risk treatment options to be used in the compliance program
C . Mapping who possesses the information and data that should drive the compliance goals
D . Selecting the external frameworks that will be used as reference

View Answer

Answer: C

Explanation:

The primary component to determine the success or failure of an organization’s cloud compliance program is mapping who possesses the information and data that should drive the compliance goals. This is because the cloud compliance program should be aligned with the organization’s business objectives and risk appetite, and the information and data that support these objectives and risks are often distributed across different cloud service providers, business units, and stakeholders. Therefore, it is essential to identify who owns, controls, and accesses the information and data, and how they are protected, processed, and shared in the cloud environment. This is part of the Cloud Control Matrix (CCM) domain COM-02: Data Governance, which states that "The organization should have a policy and procedures to manage data throughout its lifecycle in accordance with regulatory requirements, contractual obligations, and industry standards."1

Reference: CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 53