What type of controls are the sole responsibility of the client?

The correct answer, indicating that customer or client-specific controls are the sole responsibility of the client, underscores the importance of tailored security measures that an organization must implement to protect its own unique assets, data, and operations. These controls are designed to meet the specific needs, regulatory requirements, and risk profiles of the organization.

Clients need to take ownership of these controls because they are best positioned to assess their own vulnerabilities, business processes, and the specific threats they could face. These controls may include security policies, access management practices, employee training, and incident response plans that align with the particular operational context of the client.

In contrast, shared controls involve responsibilities that are divided between clients and service providers, while inherited controls are those that a client receives from the service provider’s infrastructure. Vendor controls are primarily the responsibility of the vendor, as they relate to the security measures implemented by the third-party service provider. By understanding that customer-specific controls are essential to their unique environment, clients can effectively enhance their security posture.