Changed CCAK Exam Questions

Role-based access controls (RBAC) are a method of restricting access to resources based on the roles of individual users within an organization. RBAC allows administrators to assign permissions to roles, rather than to specific users, and then assign users to those roles. This simplifies the management of access rights and reduces the risk of unauthorized or excessive access. RBAC is especially important for ensuring adequate restriction on the number of people who can access the pipeline production environment, which is the final stage of the continuous integration and continuous delivery (CI/CD) process where code is deployed to the end-users. Access to the production environment should be limited to only those who are responsible for deploying, monitoring, and maintaining the code, such as production engineers, release managers, or site reliability engineers. Developers, testers, or other stakeholders should not have access to the production environment, as this could compromise the security, quality, and performance of the code. RBAC can help enforce this separation of duties and responsibilities by defining different roles for different pipeline stages and granting appropriate permissions to each role. For example, developers may have permission to create, edit, and test code in the development pipeline, but not to deploy or modify code in the production pipeline. Conversely, production engineers may have permission to deploy, monitor, and troubleshoot code in the production pipeline, but not to create or edit code in the development pipeline. RBAC can also help implement the principle of least privilege, which states that users should only have the minimum level of access required to perform their tasks. This reduces the attack surface and minimizes the potential damage in case of a breach or misuse. RBAC can be configured at different levels of granularity, such as at the organization, project, or object level, depending on the needs and complexity of the organization. RBAC can also leverage existing identity and access management (IAM) solutions, such as Azure Active Directory or AWS IAM, to integrate with cloud services and applications.

References:

Set pipeline permissions - Azure Pipelines

Azure DevOps: Access, Roles and Permissions

Cloud Computing — What IT Auditors Should Really Know

 An auditor examining a cloud service provider’s SLA should be most concerned about whether the agreement excludes any operational matters that are material to the service operations, as this could indicate a lack of transparency, accountability, and quality assurance from the provider. Operational matters are the aspects of the cloud service that affect its functionality, performance, availability, reliability, security, and compliance. Examples of operational matters include service scope, roles and responsibilities, service levels and metrics, monitoring and reporting mechanisms, incident and problem management, change management, backup and recovery, data protection and privacy, and termination and exit clauses12. These matters are material to the service operations if they have a significant impact on the achievement of the service objectives and expectations of the cloud customer. The auditor should verify that the SLA covers all the relevant and material operational matters in a clear and comprehensive manner, and that the provider adheres to the SLA terms and conditions.

The other options are not the most concerning for the auditor. Option A is a desirable feature of an SLA, but not a concern if it is missing. Option B is an unrealistic expectation of an SLA, as sourcing and financial matters are usually essential in meeting the SLA. Option C is a specific example of an operational matter that is material to the service operations, but not the only one that should be included in the SLA. References:

Cloud Services Due Diligence Checklist

Cloud Computing: Agencies Need to Incorporate Key Practices to Ensure Effective Performance

 An example of financial business impact is a distributed denial of service (DDoS) attack that renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales. Financial business impact refers to the monetary losses or gains that an organization may experience as a result of a cloud security incident. Financial business impact can be measured by factors such as revenue, profit, cost, cash flow, market share, and stock price .

Option A is an example of financial business impact because it shows how a DDoS attack, which is a type of cyberattack that overwhelms a system or network with malicious traffic and prevents legitimate users from accessing it, can cause direct and significant financial losses for the customer’s organization due to the interruption of its cloud services and the inability to generate sales. Option A also implies that the customer’s organization depends on the availability of its cloud services for its core business operations.

The other options are not examples of financial business impact. Option B is an example of operational business impact, which refers to the disruption or degradation of the organization’s processes, functions, or activities as a result of a cloud security incident. Operational business impact can be measured by factors such as productivity, efficiency, quality, performance, and customer satisfaction . Option B shows how a hacker using a stolen administrator identity, which is a type of identity theft or impersonation attack that exploits the credentials or privileges of a legitimate user to access or manipulate a system or network, can cause operational business impact for the customer’s organization by bringing down its SaaS sales and marketing systems, which are essential for its business functions.

Option C is an example of reputational business impact, which refers to the damage or enhancement of the organization’s image, brand, or reputation as a result of a cloud security incident. Reputational business impact can be measured by factors such as trust, loyalty, satisfaction, awareness, and perception of the organization’s stakeholders, such as customers, partners, investors, regulators, and media . Option C shows how a breach reported in a timely manner to the CEO, which is a good practice for ensuring transparency and accountability in the event of a cloud security incident, can still cause reputational business impact for the customer’s organization due to the public blame game between the CFO and CISO, which reflects poorly on the organization’s leadership and culture and leads to the board replacing all three. References :=

Business Impact Analysis - Ready.gov

Business Impact Analysis - Cloud Security Alliance

What Is A Distributed Denial-of-Service (DDoS) Attack? | Cloudflare

What is Identity Theft? - Cloud Security Alliance

Incident Response - Cloud Security Alliance

The auditor’s next course of action should be to review the contract and DR capability of the cloud service provider. This will help the auditor to verify if the provider has a DR plan that meets the organization’s requirements and expectations, and if the provider has evidence of testing and validating the plan annually. The auditor should also check if the contract specifies the roles and responsibilities of both parties, the RTO and RPO values, the SLA terms, and the penalties for non-compliance.

Reviewing the security white paper of the provider (option A) might give some information about the provider’s security practices and controls, but it might not be sufficient or relevant to assess the DR plan. Reviewing the provider’s audit reports (option B) might also provide some assurance about the provider’s compliance with standards and regulations, but it might not address the specific DR needs of the organization. Planning an audit of the provider (option D) might be a possible course of action, but it would require more time and resources, and it might not be feasible or necessary if the contract and DR capability are already satisfactory. References:

Disaster recovery planning guide

Audit a Disaster Recovery Plan

How to Maintain and Test a Business Continuity and Disaster Recovery Plan