March Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Isaca > Cloud Security Alliance > CCAK

CCAK Certificate of Cloud Auditing Knowledge Question and Answers

Question # 4

Which of the following is an example of a corrective control?

A.

A central antivirus system installing the latest signature files before allowing a connection to the network

B.

All new employees having standard access rights until their manager approves privileged rights

C.

Unsuccessful access attempts being automatically logged for investigation

D.

Privileged access to critical information systems requiring a second factor of authentication using a soft token

Full Access
Question # 5

When mapping controls to architectural implementations, requirements define:

A.

control objectives.

B.

control activities.

C.

guidelines.

D.

policies.

Full Access
Question # 6

The BEST way to deliver continuous compliance in a cloud environment is to:

A.

combine point-in-time assurance approaches with continuous monitoring.

B.

increase the frequency of external audits from annual to quarterly.

C.

combine point-in-time assurance approaches with continuous auditing.

D.

decrease the interval between attestations of compliance

Full Access
Question # 7

The MAIN limitation of relying on traditional cloud compliance assurance approaches such as SOC2 attestations is that:

A.

they can only be performed by skilled cloud audit service providers.

B.

they are subject to change when the regulatory climate changes.

C.

they provide a point-in-time snapshot of an organization's compliance posture.

D.

they place responsibility for demonstrating compliance on the vendor organization.

Full Access
Question # 8

What areas should be reviewed when auditing a public cloud?

A.

Patching and configuration

B.

Vulnerability management and cyber security reviews

C.

Identity and access management (IAM) and data protection

D.

Source code reviews and hypervisor

Full Access
Question # 9

Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?

A.

Nondisclosure agreements (NDAs)

B.

Independent auditor report

C.

First-party audit

D.

Industry certifications

Full Access
Question # 10

Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

A.

BSI IT-basic protection catalogue

B.

Multi-Tier Cloud Security (MTCS)

C.

German IDW PS 951

D.

BSI Criteria Catalogue C5

Full Access
Question # 11

What type of termination occurs at the initiative of one party and without the fault of the other party?

A.

Termination without the fault

B.

Termination at the end of the term

C.

Termination for cause

D.

Termination for convenience

Full Access
Question # 12

What is the MOST effective way to ensure a vendor is compliant with the agreed-upon cloud service?

A.

Examine the cloud provider's certifications and ensure the scope is appropriate.

B.

Document the requirements and responsibilities within the customer contract

C.

Interview the cloud security team and ensure compliance.

D.

Pen test the cloud service provider to ensure compliance.

Full Access
Question # 13

The Cloud Octagon Model was developed to support organizations':

A.

risk treatment methodology.

B.

incident detection methodology.

C.

incident response methodology.

D.

risk assessment methodology.

Full Access
Question # 14

Cloud Controls Matrix (CCM) controls can be used by cloud customers to:

A.

develop new security baselines for the industry.

B.

define different control frameworks for different cloud service providers.

C.

build an operational cloud risk management program.

D.

facilitate communication with their legal department.

Full Access
Question # 15

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

A.

Review the contract and DR capability.

B.

Plan an audit of the provider.

C.

Review the security white paper of the provider.

D.

Review the provider's audit reports.

Full Access
Question # 16

As Infrastructure as a Service (laaS) cloud service providers often do not allow the cloud service customers to perform on-premise audits, the BEST approach for the auditor should be to:

A.

use other sources of available data for evaluating the customer's controls.

B.

recommend that the customer not use the services provided by the provider.

C.

refrain from auditing the provider's security controls due to lack of cooperation.

D.

escalate the lack of support from the provider to the regulatory authority.

Full Access
Question # 17

Which of the following is MOST useful for an auditor to review when seeking visibility into the cloud supply chain for a newly acquired Software as a Service (SaaS) solution?

A.

SaaS provider contract

B.

Payments made by the service owner

C.

SaaS vendor white papers

D.

Cloud compliance obligations register

Full Access
Question # 18

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

A.

passed to the sub cloud service providers based on the sub cloud service providers' geographic location.

B.

passed to the sub cloud service providers.

C.

treated as confidential information and withheld from all sub cloud service providers.

D.

treated as sensitive information and withheld from certain sub cloud service providers.

Full Access
Question # 19

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

A.

Determine the impact on confidentiality, integrity, and availability of the information system.

B.

Determine the impact on the physical and environmental security of the organization, excluding informational assets.

C.

Determine the impact on the controls that were selected by the organization to respond to identified risks.

D.

Determine the impact on the financial, operational, compliance, and reputation of the

Full Access
Question # 20

Which of the following is the BEST control framework for a European manufacturing corporation that is migrating to the cloud?

A.

CSA'sGDPRCoC

B.

EUGDPR

C.

NIST SP 800-53

D.

PCI-DSS

Full Access
Question # 21

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

A.

Development of the monitoring goals and requirements

B.

Identification of processes, functions, and systems

C.

Identification of roles and responsibilities

D.

Identification of the relevant laws, regulations, and standards

Full Access
Question # 22

Which of the following has the MOST substantial impact on how aggressive or conservative the cloud approach of an organization will be?

A.

Applicable laws and regulations

B.

Internal policies and technical standards

C.

Risk scoring criteria

D.

Risk appetite and budget constraints

Full Access
Question # 23

To ensure a cloud service provider is complying with an organization's privacy requirements, a cloud auditor should FIRST review:

A.

organizational policies, standards, and procedures.

B.

adherence to organization policies, standards, and procedures.

C.

legal and regulatory requirements.

D.

the IT infrastructure.

Full Access
Question # 24

What is a sign that an organization has adopted a shift-left concept of code release cycles?

A.

Large entities with slower release cadences and geographically dispersed systems

B.

Incorporation of automation to identify and address software code problems early

C.

A waterfall model remove resources through the development to release phases

D.

Maturity of start-up entities with high-iteration to low-volume code commits

Full Access
Question # 25

Which of the following is the MOST relevant question in the cloud compliance program design phase?

A.

Who owns the cloud services strategy?

B.

Who owns the cloud strategy?

C.

Who owns the cloud governance strategy?

D.

Who owns the cloud portfolio strategy?

Full Access
Question # 26

When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

A.

cloud user.

B.

cloud service provider. 0

C.

cloud customer.

D.

certification authority (CA)

Full Access
Question # 27

A contract containing the phrase "You automatically consent to these terms by using or logging into the service to which they pertain" is establishing a contract of:

A.

exclusivity.

B.

adhesion.

C.

execution.

D.

exclusion.

Full Access
Question # 28

Which of the following is the BEST tool to perform cloud security control audits?

A.

General Data Protection Regulation (GDPR)

B.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

C.

Federal Information Processing Standard (FIPS) 140-2

D.

ISO 27001

Full Access
Question # 29

Which of the following would be considered as a factor to trust in a cloud service provider?

A.

The level of willingness to cooperate

B.

The level of exposure for public information

C.

The level of open source evidence available

D.

The level of proven technical skills

Full Access
Question # 30

Which of the following is an example of availability technical impact?

A.

A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.

B.

The cloud provider reports a breach of customer personal data from an unsecured server.

C.

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.

D.

A hacker using a stolen administrator identity alters the discount percentage in the product database

Full Access
Question # 31

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

A.

regulatory guidelines impacting the cloud customer.

B.

audits, assessments, and independent verification of compliance certifications with agreement terms.

C.

policies and procedures of the cloud customer

D.

the organizational chart of the provider.

Full Access
Question # 32

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

A.

Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security

brokers (CASBs).

B.

Cloud service providers can document roles and responsibilities for cloud security.

C.

Cloud service providers can document their security and compliance controls.

D.

Cloud service providers need the CAIQ to improve quality of customer service

Full Access
Question # 33

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

A.

ISO/IEC 27001 implementation.

B.

GB/T 22080-2008.

C.

SOC 2 Type 1 or 2 reports.

D.

GDPR CoC certification.

Full Access
Question # 34

A certification target helps in the formation of a continuous certification framework by incorporating:

A.

the service level objective (SLO) and service qualitative objective (SQO).

B.

the scope description and security attributes to be tested.

C.

the frequency of evaluating security attributes.

D.

CSA STAR level 2 attestation.

Full Access
Question # 35

When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer

A.

To determine the total cost of the cloud services to be deployed

B.

To confirm whether the compensating controls implemented are sufficient for the cloud

services

C.

To determine how those services will fit within its policies and procedures

D.

To confirm which vendor will be selected based on compliance with security requirements

Full Access
Question # 36

What is below the waterline in the context of cloud operationalization?

A.

The controls operated by the customer

B.

The controls operated by both

C.

The controls operated by the cloud access security broker (CASB)

D.

The controls operated by the cloud service provider

Full Access
Question # 37

A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider. The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes. Which of the following should be the GREATEST concern to the auditor?

A.

The audit logs are overwritten every 30 days, and all past audit trail is lost.

B.

The audit trails are backed up regularly, but the backup is not encrypted.

C.

The provider does not maintain audit logs in their environment.

D.

The customer cannot monitor its cloud subscription on its own and must rely on the provider for monitoring purposes.

Full Access
Question # 38

is it important for the individuals in charge of cloud compliance to understand the organization's past?

A.

To determine the current state of the organization's compliance

B.

To determine the risk profile of the organization

C.

To address any open findings from previous external audits

D.

To verify whether the measures implemented from the lessons learned are effective

Full Access
Question # 39

Which of the following would be the MOST critical finding of an application security and DevOps audit?

A.

Certifications with global security standards specific to cloud are not reviewed, and the impact of noted findings are not assessed.

B.

Outsourced cloud service interruption, breach, or loss of stored data occurred at the cloud service provider.

C.

The organization is not using a unified framework to integrate cloud compliance with regulatory requirements.

D.

Application architecture and configurations did not consider security measures.

Full Access
Question # 40

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

A.

Ensuring segregation of duties in the production and development pipelines

B.

Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations

C.

Role-based access controls in the production and development pipelines

D.

Separation of production and development pipelines

Full Access
Question # 41

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

A.

Separation of production and development pipelines

B.

Ensuring segregation of duties in the production and development pipelines

C.

Role-based access controls in the production and development pipelines

D.

Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations

Full Access
Question # 42

Which of the following is a detective control that may be identified in a Software as a Service (SaaS) service provider?

A.

Data encryption

B.

Incident management

C.

Network segmentation

D.

Privileged access monitoring

Full Access
Question # 43

A dot release of the Cloud Controls Matrix (CCM) indicates:

A.

a revision of the CCM domain structure.

B.

a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release.

C.

the introduction of new control frameworks mapped to previously published CCM controls.

D.

technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release.

Full Access
Question # 44

Which of the following types of risk is associated specifically with the use of multi-cloud environments in an organization?

A.

Risk of supply chain visibility and validation

B.

Risk of reduced visibility and control

C.

Risk of service reliability and uptime

D.

Risk of unauthorized access to customer and business data

Full Access
Question # 45

organization should document the compliance responsibilities and ownership of accountability in a RACI chart or its informational equivalents in order to:

A.

provide a holistic and seamless view of the cloud service provider's responsibility for compliance with prevailing laws and regulations.

B.

provide a holistic and seamless view of the enterprise's responsibility for compliance with prevailing laws and regulations.

C.

conform to the organization's governance model.

D.

define the cloud compliance requirements and how they interplay with the organization’s business strategy, goals, and other compliance requirements.

Full Access
Question # 46

Which of the following is the MOST significant difference between a cloud risk management program and a traditional risk management program?

A.

Virtualization of the IT landscape

B.

Shared responsibility model

C.

Risk management practices adopted by the cloud service provider

D.

Hosting sensitive information in the cloud environment

Full Access
Question # 47

Which of the following is the MOST important strategy and governance documents to provide to the auditor prior to a cloud service provider review?

A.

Enterprise cloud strategy and policy, as well as inventory of third-party attestation reports

B.

Policies and procedures established around third-party risk assessments, including questionnaires that are required to be completed to assess risk associated with use of third-party services

C.

Enterprise cloud strategy and policy, as well as the enterprise cloud security strategy

D.

Inventory of third-party attestation reports and enterprise cloud security strategy

Full Access
Question # 48

DevSecOps aims to integrate security tools and processes directly into the software development life cycle and should be done:

A.

at the end of the development cycle.

B.

after go-live.

C.

in all development steps.

D.

at the beginning of the development cycle.

Full Access
Question # 49

In audit parlance, what is meant by "management representation"?

A.

A person or group of persons representing executive management during audits

B.

A mechanism to represent organizational structure

C.

A project management technique to demonstrate management's involvement in key

project stages

D.

Statements made by management in response to specific inquiries

Full Access
Question # 50

A new company has all its operations in the cloud. Which of the following would be the BEST information security control framework to implement?

A.

NIST 800-73, because it is a control framework implemented by the main cloud providers

B.

ISO/IEC 27018

C.

ISO/IEC 27002

D.

(S) Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Full Access
Question # 51

What do cloud service providers offer to encourage clients to extend the cloud platform?

A.

Cloud console

B.

Reward programs

C.

Access to the cloud infrastructure

D.

Application programming interfaces (APIs)

Full Access
Question # 52

Which of the following cloud service provider activities MUST obtain a client's approval?

A.

Destroying test data

B.

Deleting subscription owner accounts

C.

Deleting test accounts

D.

Deleting guest accounts

Full Access