An organization recently experienced a data breach due to a misconfigured cloud storage bucket. As part of the IT risk assessment, which control should be prioritized to prevent recurrence?
Automated scanning detects and often corrects misconfigurations in real time, directly mitigating the root cause.
Why this answer
Option D is correct because automated cloud configuration scanning and remediation tools directly address the root cause of a misconfigured cloud storage bucket by continuously monitoring cloud infrastructure against security baselines (e.g., CIS benchmarks) and automatically correcting deviations. This prevents recurrence by catching misconfigurations in real time, rather than relying on manual approval processes or periodic testing that may miss transient changes.
Exam trap
The trap here is that candidates often choose Option A (management approval) because it seems like a strong administrative control, but CRISC emphasizes that preventive technical controls—especially automated ones—are prioritized over manual processes for recurring technical risks like cloud misconfigurations.
How to eliminate wrong answers
Option A is wrong because requiring management approval for all cloud storage changes introduces a manual bottleneck that does not prevent misconfigurations from being deployed; it only adds a review step that may still miss technical misconfigurations, especially in dynamic cloud environments with Infrastructure as Code (IaC). Option B is wrong because mandatory annual security awareness training, while valuable for general security hygiene, does not address the specific technical failure of a misconfigured cloud bucket—training cannot prevent automated or scripted misconfigurations that bypass human interaction. Option C is wrong because increasing the frequency of third-party penetration testing provides only periodic snapshots of security posture and cannot detect or remediate misconfigurations that occur between tests; it is a detective control, not a preventive one.