The lack of due diligence for the recommended cloud vendor should be of greatest concern to the

risk practitioner, because it exposes the organization to potential risks and issues related to the

security, reliability, performance, and compliance of the cloud service provider. Due diligence is a

process of conducting a thorough investigation and evaluation of a potential vendor or partnerbefore

entering into a contractual relationship. Due diligence helps to verify the vendor’s credentials,

capabilities, reputation, and track record, and to identify any red flags or gaps that may affect the

quality or suitability of the service. Cloud computing is a model of delivering IT services over the

internet, where the service provider owns and manages the IT infrastructure, platforms, or

applications, and the customer pays only for the resources or functions they use. Cloud computing

can offer cost savings, scalability, and flexibility for the business, but it also introduces new risks and

challenges, such as data privacy, security breaches, vendor lock-in, service outages, or regulatory

compliance. Therefore, performing due diligence for the recommended cloud vendor is essential to

ensure that the organization’s expectations and requirements are met, and that the risks and issues

are identified and addressed. The business introducing new SaaS solutions without IT approval, the

maintenance of IT infrastructure being outsourced to an IaaS provider, and the architecture

responsibilities not being clearly defined are all possible concerns for the risk practitioner, but they

are not the greatest concern, as they can bemitigated or resolved with appropriate controls, policies,

or agreements. Reference = Risk and Information Systems Control Study Manual, Chapter 5, Section

5.2.1, page 183