New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium Isaca CCAK Dumps Questions Answers

Page: 1 / 14
Total 182 questions

Certificate of Cloud Auditing Knowledge Questions and Answers

Question 1

Which of the following would be the MOST critical finding of an application security and DevOps audit?

Options:

A.

Certifications with global security standards specific to cloud are not reviewed, and the impact of noted findings are not assessed.

B.

Application architecture and configurations did not consider security measures.

C.

Outsourced cloud service interruption, breach, or loss of stored data occurred at the cloud service provider.

D.

The organization is not using a unified framework to integrate cloud compliance with regulatory requirements

Buy Now
Question 2

When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

Options:

A.

cloud user.

B.

cloud service provider. 0

C.

cloud customer.

D.

certification authority (CA)

Question 3

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?

Options:

A.

Discard all work done and start implementing NIST 800-53 from scratch.

B.

Recommend no change, since the scope of ISO/IEC 27002 is broader.

C.

Recommend no change, since NIST 800-53 is a US-scoped control framework.

D.

Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

Question 4

Which of the following key stakeholders should be identified FIRST when an organization is designing a cloud compliance program?

Options:

A.

Cloud strategy owners

B.

Internal control function

C.

Cloud process owners

D.

Legal functions

Question 5

Which of the following helps an organization to identify control gaps and shortcomings in the context of cloud computing?

Options:

A.

Walk-through peer review

B.

Periodic documentation review

C.

User security awareness training

D.

Monitoring effectiveness

Question 6

Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

Options:

A.

Control self-assessment (CSA)

B.

Third-party vendor involvement

C.

Exception reporting

D.

Application team internal review

Question 7

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

Options:

A.

ISO/IEC 27017:2015

B.

ISO/IEC 27002

C.

NIST SP 800-146

D.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Question 8

Who should define what constitutes a policy violation?

Options:

A.

The external auditor

B.

The organization

C.

The Internet service provider (ISP)

D.

The cloud provider

Question 9

An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls provider is responsible for?

Options:

A.

Review the provider's published questionnaires.

B.

Review third-party audit reports.

C.

Directly audit the provider.

D.

Send a supplier questionnaire to the provider.

Question 10

Which of the following is the MOST significant difference between a cloud risk management program and a traditional risk management program?

Options:

A.

Virtualization of the IT landscape

B.

Shared responsibility model

C.

Risk management practices adopted by the cloud service provider

D.

Hosting sensitive information in the cloud environment

Question 11

Which of the following processes should be performed FIRST to properly implement the NIST SP 800-53 r4 control framework in an organization?

Options:

A.

A selection of the security objectives the organization wants to improve

B.

A security categorization of the information systems

C.

A comprehensive business impact analysis (BIA)

D.

A comprehensive tailoring of the controls of the framework

Question 12

The BEST method to report continuous assessment of a cloud provider’s services to the Cloud Security Alliance (CSA) is through:

Options:

A.

Cloud Controls Matrix (CCM) assessment by a third-party auditor on a periodic basis.

B.

tools selected by the third-party auditor.

C.

SOC 2 Type 2 attestation.

D.

a set of dedicated application programming interfaces (APIs).

Question 13

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month.

Which of the following should be the BEST recommendation to reduce the provider's burden?

Options:

A.

The provider can schedule a call with each customer.

B.

The provider can share all security reports with customers to streamline the process.

C.

The provider can answer each customer individually.

D.

The provider can direct all customer inquiries to the information in the CSA STAR registry

Question 14

In all three cloud deployment models, (laaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

Options:

A.

Cloud service provider

B.

Shared responsibility

C.

Cloud service customer

D.

Patching on hypervisor layer not required

Question 15

Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?

Options:

A.

Location of data

B.

Amount of server storage

C.

Access controls

D.

Type of network technology

Question 16

is it important for the individuals in charge of cloud compliance to understand the organization's past?

Options:

A.

To determine the current state of the organization's compliance

B.

To determine the risk profile of the organization

C.

To address any open findings from previous external audits

D.

To verify whether the measures implemented from the lessons learned are effective

Question 17

Which of the following is a good candidate for continuous auditing?

Options:

A.

Procedures

B.

Governance

C.

Cryptography and authentication

D.

Documentation quality

Question 18

Organizations maintain mappings between the different control frameworks they adopt to:

Options:

A.

help identify controls with common assessment status.

B.

avoid duplication of work when assessing compliance,

C.

help identify controls with different assessment status.

D.

start a compliance assessment using the latest assessment.

Question 19

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

Options:

A.

GDPR CoC certification.

B.

GB/T 22080-2008.

C.

SOC 2 Type 1 or 2 reports.

D.

ISO/IEC 27001 implementation.

Question 20

Which of the following is a detective control that may be identified in a Software as a Service (SaaS) service provider?

Options:

A.

Data encryption

B.

Incident management

C.

Network segmentation

D.

Privileged access monitoring

Question 21

Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?

Options:

A.

Aligning the cloud service delivery with the organization’s objectives

B.

Aligning shared responsibilities between provider and customer

C.

Aligning the cloud provider’s service level agreement (SLA) with the organization's policy

D.

Aligning the organization's activity with the cloud provider’s policy

Question 22

A cloud service provider contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The provider's security operation center is not notified in advance of the scope of the audit and the test vectors. Which mode has been selected by the provider?

Options:

A.

Reversal

B.

Double blind

C.

Double gray box

D.

Tandem

Question 23

Which of the following is the GREATEST risk associated with hidden interdependencies between cloud services?

Options:

A.

The IT department does not clearly articulate the cloud to the organization.

B.

There is a lack of visibility over the cloud service providers' supply chain.

C.

Customers do not understand cloud technologies in enough detail.

D.

Cloud services are very complicated.

Question 24

A cloud auditor should use statistical sampling rather than judgment (nonstatistical) sampling when:

Options:

A.

generalized audit software is unavailable.

B.

the auditor wants to avoid sampling risk.

C.

the probability of error must be objectively quantified.

D.

the tolerable error rate cannot be determined.

Question 25

Which of the following is the BEST control framework for a European manufacturing corporation that is migrating to the cloud?

Options:

A.

CSA'sGDPRCoC

B.

EUGDPR

C.

NIST SP 800-53

D.

PCI-DSS

Question 26

With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:

Options:

A.

relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF). and the Zachman Framework for Enterprise Architecture.

B.

relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.

C.

relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.

D.

relevant delivery models such as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (laaS).

Question 27

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?

Options:

A.

Management of the organization being audited

B.

Shareholders and interested parties

C.

Cloud service provider

D.

Public

Question 28

Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?

Options:

A.

CCM uses a specific control for Infrastructure as a Service (IaaS).

B.

CCM maps to existing security standards, best practices, and regulations.

C.

CCM V4 is an improved version from CCM V3.0.1.

D.

CCM utilizes an ITIL framework to define the capabilities needed to manage the IT services and security services.

Question 29

Which of the following is an example of availability technical impact?

Options:

A.

The cloud provider reports a breach of customer personal data from an unsecured server.

B.

A hacker using a stolen administrator identity alters the discount percentage in the product database.

C.

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours.

D.

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack

Question 30

When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

Options:

A.

Return or destruction of information

B.

Data retention, backup, and recovery

C.

Patch management process

D.

Network intrusion detection

Question 31

Which of the following cloud service provider activities MUST obtain a client's approval?

Options:

A.

Destroying test data

B.

Deleting subscription owner accounts

C.

Deleting test accounts

D.

Deleting guest accounts

Question 32

From an auditor perspective, which of the following BEST describes shadow IT?

Options:

A.

An opportunity to diversify the cloud control approach

B.

A weakness in the cloud compliance posture

C.

A strength of disaster recovery (DR) planning

D.

A risk that jeopardizes business continuity planning

Question 33

The FINAL decision to include a material finding in a cloud audit report should be made by the:

Options:

A.

auditee's senior management.

B.

organization's chief executive officer (CEO).

C.

cloud auditor.

: D. organization's chief information security officer (CISO)

Question 34

An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

Options:

A.

obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.

B.

determine whether the organization can be considered fully compliant with the mapped standards because of the implementation of every CCM Control Specification.

C.

understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards.

Question 35

The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:

Options:

A.

facilitate an effective relationship between the cloud service provider and cloud client.

B.

enable the cloud service provider to prioritize resources to meet its own requirements.

C.

provide global, accredited, and trusted certification of the cloud service provider.

D.

ensure understanding of true risk and perceived risk by the cloud service users

Question 36

What areas should be reviewed when auditing a public cloud?

Options:

A.

Patching and configuration

B.

Vulnerability management and cyber security reviews

C.

Identity and access management (IAM) and data protection

D.

Source code reviews and hypervisor

Question 37

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

Options:

A.

Separation of production and development pipelines

B.

Ensuring segregation of duties in the production and development pipelines

C.

Role-based access controls in the production and development pipelines

D.

Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations

Question 38

An auditor examining a cloud service provider's service level agreement (SLA) should be MOST concerned about whether:

Options:

A.

the agreement includes any operational matters that are material to the service operations.

B.

the agreement excludes any sourcing and financial matters that are material in meeting the

service level agreement (SLA).

C.

the agreement includes any service availability matters that are material to the service operations.

D.

the agreement excludes any operational matters that are material to the service operations

Question 39

Which of the following is an example of financial business impact?

Options:

A.

A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for

24 hours, resulting in millions in lost sales.

B.

A hacker using a stolen administrator identity brings down the Software of a Service (SaaS)

sales and marketing systems, resulting in the inability to process customer orders or

manage customer relationships.

C.

While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed

each other in public consulting in a loss of public confidence that led the board to replace all

three.

Question 40

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

Options:

A.

Review the security white paper of the provider.

B.

Review the provider’s audit reports.

C.

Review the contract and DR capability.

D.

Plan an audit of the provider

Question 41

The BEST way to deliver continuous compliance in a cloud environment is to:

Options:

A.

combine point-in-time assurance approaches with continuous monitoring.

B.

increase the frequency of external audits from annual to quarterly.

C.

combine point-in-time assurance approaches with continuous auditing.

D.

decrease the interval between attestations of compliance

Question 42

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

Options:

A.

ISO/IEC 27002

B.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

C.

NISTSP 800-146

D.

ISO/IEC 27017:2015

Question 43

Which of the following types of SOC reports BEST helps to ensure operating effectiveness of controls in a cloud service provider offering?

Options:

A.

SOC 3 Type 2

B.

SOC 2 Type 2

C.

SOC 1 Type 1

D.

SOC 2 Type 1

Question 44

To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:

Options:

A.

Cloud Controls Matrix (CCM) and ISO/IEC 27001:2013 controls.

B.

ISO/IEC 27001:2013 controls.

C.

all Cloud Controls Matrix (CCM) controls and TSPC security principles.

D.

maturity model criteria.

Question 45

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

Options:

A.

As an availability breach

B.

As a control breach

C.

As a confidentiality breach

D.

As an integrity breach

Question 46

Which of the following enables auditors to conduct gap analyses of what a cloud service provider offers versus what the customer requires?

Options:

A.

Using a standardized control framework

B.

The experience gained over the years

C.

Understanding the customer risk profile

D.

The as-is and to-be enterprise architecture (EA

Question 47

Which of the following is an example of integrity technical impact?

Options:

A.

The cloud provider reports a breach of customer personal data from an unsecured server.

B.

distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.

C.

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.

D.

A hacker using a stolen administrator identity alters the discount percentage in the product database.

Question 48

Which of the following is the BEST tool to perform cloud security control audits?

Options:

A.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

B.

General Data Protection Regulation (GDPR)

C.

Federal Information Processing Standard (FIPS) 140-2

D.

ISO 27001

Question 49

In a situation where duties related to cloud risk management and control are split between an organization and its cloud service providers, which of the following would BEST help to ensure a coordinated approach to risk and control processes?

Options:

A.

Establishing a joint security operations center

B.

Automating reporting of risk and control compliance

C.

Co-locating compliance management specialists

D.

Maintaining a centralized risk and controls dashboard

Question 50

Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?

Options:

A.

Contractual documents of the cloud service provider

B.

Heat maps

C.

Data security process flow

D.

Turtle diagram

Question 51

Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is:

Options:

A.

responsible to the cloud customer and its clients.

B.

responsible only to the cloud customer.

C.

not responsible at all to any external parties.

D.

responsible to the cloud customer and its end users

Question 52

Which objective is MOST appropriate to measure the effectiveness of password policy?

Options:

A.

The number of related incidents decreases.

B.

Attempts to log with weak credentials increases.

C.

The number of related incidents increases.

D.

Newly created account credentials satisfy requirements.

Question 53

Which of the following metrics are frequently immature?

Options:

A.

Metrics around specific Software as a Service (SaaS) application services

B.

Metrics around Infrastructure as a Service (laaS) computing environments

C.

Metrics around Infrastructure as a Service (laaS) storage and network environments

D.

Metrics around Platform as a Service (PaaS) development environments

Question 54

Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?

Options:

A.

CCM utilizes an ITIL framework to define the capabilities needed to manage the IT services and security services.

B.

CCM maps to existing security standards, best practices, and regulations.

C.

CCM uses a specific control for Infrastructure as a Service (laaS).

D.

CCM V4 is an improved version from CCM V3.0.1.

Page: 1 / 14
Total 182 questions