Your company decides to subscribe to a portfolio of software services as SaaS from a well-known cloud service provider. The program policy limits the consumption of software to business use only. Employees are not allowed to use the software at home or for personal use. As a security professional, you are tasked to assess the risk and propose solutions to mitigate risk. Which of the following least contributes to the risk assessment process. (Source: Wentz QOTD)
A. Context diagram
B. Location-based authentication
C. OSINT (Open-source intelligence)
D. SDLC (System Development Life Cycle)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Location-based authentication.

Location-based authentication is a solution to be compliant with the policy. It’s part of the risk treatment or response strategy, so it contributes to the risk assessment process the least.

System Development Life Cycle (SDLC) is crucial to security engineering. We have to take care of security concerns across the SDLC. However, the term “development” in SDLC can be misleading, as a system is composed of many elements that can be made inhouse or bought from external parties. Subscription to cloud services is a procurement project. That’s part of the SDLC.

A context diagram depicts stakeholders for further analysis. OSINT can be conducted to collect information about providers or any stakeholders.

Reference