Download Latest CCAK Questions

Cryptography and authentication are good candidates for continuous auditing, as they are critical aspects of cloud security that require constant monitoring and verification. Cryptography and authentication refer to the methods and techniques that ensure the confidentiality, integrity, and availability of data and communications in the cloud environment. Cryptography involves the use of encryption algorithms and keys to protect data from unauthorized access or modification. Authentication involves the use of credentials and tokens to verify the identity and access rights of users or devices. Continuous auditing can help to assess the effectiveness and compliance of cryptography and authentication controls, such as data encryption, key management, password policies, multifactor authentication, single sign-on, etc. Continuous auditing can also help to detect and alert any anomalies or issues that may compromise or affect cryptography and authentication, such as data breaches, key leakage, password cracking, unauthorized access, etc123.

Procedures (A) are not good candidates for continuous auditing, as they are not specific or measurable aspects of cloud security that can be easily automated or tested. Procedures refer to the steps or actions that are performed to achieve a certain objective or result in a specific domain or context. Procedures may vary depending on the type, nature, or complexity of the task or process involved. Continuous auditing requires a clear and consistent definition of the expected outcome or output, as well as the criteria or metrics to evaluate it. Procedures may not provide such a definition or criteria, and may require human judgment or interpretation to assess their effectiveness or compliance123.

Governance (B) is not a good candidate for continuous auditing, as it is not a specific or measurable aspect of cloud security that can be easily automated or tested. Governance refers to the framework or system that defines the roles, responsibilities, policies, standards, procedures, and practices for managing and overseeing an organization or a domain. Governance may involve multiple stakeholders, such as management, board of directors, regulators, auditors, customers, etc., who have different interests, expectations, or perspectives. Continuous auditing requires a clear and consistent definition of the expected outcome or output, as well as the criteria or metrics to evaluate it. Governance may not provide such a definition or criteria, and may require human judgment or interpretation to assess its effectiveness or compliance123.

Documentation quality (D) is not a good candidate for continuous auditing, as it is not a specific or measurable aspect of cloud security that can be easily automated or tested. Documentation quality refers to the degree to which the documents that describe or support an organization or a domain are accurate, complete, consistent, relevant, and understandable. Documentation quality may depend on various factors, such as the purpose, audience, format, style, language, structure, content, etc., of the documents involved. Continuous auditing requires a clear and consistent definition of the expected outcome or output, as well as the criteria or metrics to evaluate it. Documentation quality may not provide such a definition or criteria, and may require human judgment or interpretation to assess its effectiveness or compliance123. References :=

Cloud Audits: A Guide for Cloud Service Providers - Cloud Standards …

Cloud Audits: A Guide for Cloud Service Customers - Cloud Standards …

Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam

Organizations maintain mappings between the different control frameworks they adopt to avoid duplication of work when assessing compliance. This is because different control frameworks may have overlapping or equivalent controls that address the same objectives or risks. By mapping these controls, organizations can streamline their compliance assessment process and reduce the cost and effort involved. Mappings also help organizations to identify any gaps or inconsistencies in their control coverage and address them accordingly. This is part of the Cloud Control Matrix (CCM) domain COM-03: Control Frameworks, which states that "The organization should identify and adopt applicable control frameworks, standards, and best practices to support the cloud compliance program."1 References := CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 54

The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to ISO/IEC 27001 implementation. The CCM is a cybersecurity control framework for cloud computing that covers 17 domains and 197 control objectives that address all key aspects of cloud technology. ISO/IEC 27001 is a standard for information security management systems that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. The CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas1. The CSA STAR Certification is a third-party independent assessment of the security of a cloud service provider and provides a high level of assurance and trust to customers2.

References:

CSA STAR Certification - Azure Compliance | Microsoft Learn

STAR | CSA

A detective control is a type of internal control that seeks to uncover problems in a company’s processes once they have occurred1. Examples of detective controls include physical inventory checks, reviews of account reports and reconciliations, as well as assessments of current controls1. Detective controls use platform telemetry to detect misconfigurations, vulnerabilities, and potentially malicious activity in the cloud environment2.

In a Software as a Service (SaaS) service provider, privileged access monitoring is a detective control that can help identify unauthorized or suspicious activities by users who have elevated permissions to access or modify cloud resources, data, or configurations. Privileged access monitoring can involve logging, auditing, alerting, and reporting on the actions performed by privileged users3. This can help detect security incidents, compliance violations, or operational errors in a timely manner and enable appropriate responses.

Data encryption, incident management, and network segmentation are examples of preventive controls, which are designed to prevent problems from occurring in the first place. Data encryption protects the confidentiality and integrity of data by transforming it into an unreadable format that can only be decrypted with a valid key1. Incident management is a process that aims to restore normal service operations as quickly as possible after a disruption or an adverse event4. Network segmentation divides a network into smaller subnetworks that have different access levels and security policies, reducing the attack surface and limiting the impact of a breach1.

References:

Detective controls - SaaS Lens - docs.aws.amazon.com3, section on Privileged access monitoring

Detective controls | Cloud Architecture Center | Google Cloud2, section on Detective controls

Internal control: how do preventive and detective controls work?4, section on SaaS Solutions to Support Internal Control

Detective Control: Definition, Examples, Vs. Preventive Control1, section on What Is a Detective Control?