Free Isaca CCOA Actual Exam Questions - Question 6 Discussion
responsibility model?
Maybe C too, since if you don’t get who manages what, access controls get messed up.
C seems plausible too since misconfiguring access controls directly shows a lack of understanding about who’s responsible for what in the cloud setup. It’s a clear mistake from misunderstanding the shared responsibility.
It’s A, because vendor lock-in (D) isn’t really about misunderstanding responsibility models.
Maybe A, since assuming vendors handle all risks often causes real security gaps.
A, because wrongly assuming the vendor covers all security is a common pitfall.
C Misconfiguring access controls fits well because if you don’t understand who’s responsible for what, you might set permissions wrong, leaving data exposed or locked down too tight. It’s a common outcome of confusion over shared duties.
Maybe A, since people often think the cloud provider covers everything security-wise.
Option A makes the most sense because misunderstanding the shared responsibility model usually means you think the cloud provider handles more than they actually do, especially when it comes to security. That can leave gaps. Options B and C are more about specific technical mistakes rather than a misunderstanding of responsibilities overall. D is more about business strategy than security, so it feels off-topic here.
Is the question asking about a common mistake that leads mainly to security issues, or could it also be about broader business risks? Seems like the shared responsibility model mostly impacts security stuff.