New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Isaca > Cloud Security Alliance > CCAK

CCAK Certificate of Cloud Auditing Knowledge Question and Answers

Question # 4

Which of the following is the BEST method to demonstrate assurance in the cloud services to multiple cloud customers?

A.

Provider’s financial stability report and market value

B.

Reputation of the service provider in the industry

C.

Provider self-assessment and technical documents

D.

External attestation and certification audit reports

Full Access
Question # 5

Which of the following is an example of integrity technical impact?

A.

The cloud provider reports a breach of customer personal data from an unsecured server.

B.

distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.

C.

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.

D.

A hacker using a stolen administrator identity alters the discount percentage in the product database.

Full Access
Question # 6

An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

A.

obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.

B.

determine whether the organization can be considered fully compliant with the mapped standards because of the implementation of every CCM Control Specification.

C.

understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards.

Full Access
Question # 7

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

A.

treated as confidential information and withheld from all sub cloud service providers.

B.

treated as sensitive information and withheld from certain sub cloud service providers.

C.

passed to the sub cloud service providers.

D.

passed to the sub cloud service providers based on the sub cloud service providers' geographic location.

Full Access
Question # 8

Which of the following is an example of financial business impact?

A.

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.

B.

A hacker using a stolen administrator identity brings down the Software of a Service (SaaS)

sales and marketing systems, resulting in the inability to process customer orders or

manage customer relationships.

C.

While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed

each other in public, resulting in a loss of public confidence that led the board to replace all

Full Access
Question # 9

What should be the control audit frequency for an organization's business continuity management and operational resilience strategy?

A.

Annually

B.

Biannually

C.

Quarterly

D.

Monthly

Full Access
Question # 10

Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:

A.

are the asset with private IP addresses.

B.

are generally the most exposed part.

C.

could be poorly designed.

D.

act as a very effective backdoor.

Full Access
Question # 11

A cloud service provider providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance to stringent government standards?

A.

CSA STAR Level Certificate

B.

Multi-Tier Cloud Security (MTCS) Attestation

C.

ISO/IEC 27001:2013 Certification

D.

FedRAMP Authorization

Full Access
Question # 12

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

A.

GDPR CoC certification.

B.

GB/T 22080-2008.

C.

SOC 2 Type 1 or 2 reports.

D.

ISO/IEC 27001 implementation.

Full Access
Question # 13

Which of the following key stakeholders should be identified FIRST when an organization is designing a cloud compliance program?

A.

Cloud strategy owners

B.

Internal control function

C.

Cloud process owners

D.

Legal functions

Full Access
Question # 14

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

A.

ISO/IEC 27017:2015

B.

ISO/IEC 27002

C.

NIST SP 800-146

D.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Full Access
Question # 15

Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

A.

Rule-based access control

B.

Attribute-based access control

C.

Policy-based access control

D.

Role-based access control

Full Access
Question # 16

Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is:

A.

responsible to the cloud customer and its clients.

B.

responsible only to the cloud customer.

C.

not responsible at all to any external parties.

D.

responsible to the cloud customer and its end users

Full Access
Question # 17

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

A.

Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security

brokers (CASBs).

B.

Cloud service providers can document roles and responsibilities for cloud security.

C.

Cloud service providers can document their security and compliance controls.

D.

Cloud service providers need the CAIQ to improve quality of customer service

Full Access
Question # 18

The Cloud Octagon Model was developed to support organizations':

A.

risk treatment methodology.

B.

incident detection methodology.

C.

incident response methodology.

D.

risk assessment methodology.

Full Access
Question # 19

Which of the following would be considered as a factor to trust in a cloud service provider?

A.

The level of willingness to cooperate

B.

The level of exposure for public information

C.

The level of open source evidence available

D.

The level of proven technical skills

Full Access
Question # 20

When mapping controls to architectural implementations, requirements define:

A.

control objectives.

B.

control activities.

C.

guidelines.

D.

policies.

Full Access
Question # 21

One of the control specifications in the Cloud Controls Matrix (CCM) states that "independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligation." Which of the following controls under the Audit Assurance and Compliance domain does this match to?

A.

Information system and regulatory mapping

B.

GDPR auditing

C.

Audit planning

D.

Independent audits

Full Access
Question # 22

Which of the following types of SOC reports BEST helps to ensure operating effectiveness of controls in a cloud service provider offering?

A.

SOC 3 Type 2

B.

SOC 2 Type 2

C.

SOC 1 Type 1

D.

SOC 2 Type 1

Full Access
Question # 23

Which of the following enables auditors to conduct gap analyses of what a cloud service provider offers versus what the customer requires?

A.

Using a standardized control framework

B.

The experience gained over the years

C.

Understanding the customer risk profile

D.

The as-is and to-be enterprise architecture (EA

Full Access
Question # 24

A business unit introducing cloud technologies to the organization without the knowledge or approval of the appropriate governance function is an example of:

A.

IT exception

B.

Threat

C.

Shadow IT

D.

Vulnerability

Full Access
Question # 25

The MOST important goal of regression testing is to ensure:

A.

the expected outputs are provided by the new features.

B.

the system can handle a high number of users.

C.

the system can be restored after a technical issue.

D.

new releases do not impact previous stable features.

Full Access
Question # 26

Which of the following is a direct benefit of mapping the Cloud Controls Matrix (CCM) to other international standards and regulations?

A.

CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.

B.

CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.

C.

CCM mapping entitles cloud service providers to be certified under the CSA STAR program.

D.

CCM mapping enables an uninterrupted data flow and in particular the export of personal data across different jurisdictions.

Full Access
Question # 27

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

A.

Separation of production and development pipelines

B.

Ensuring segregation of duties in the production and development pipelines

C.

Role-based access controls in the production and development pipelines

D.

Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations

Full Access
Question # 28

During the cloud service provider evaluation process, which of the following BEST helps identify baseline configuration requirements?

A.

Vendor requirements

B.

Product benchmarks

C.

Benchmark controls lists

D.

Contract terms and conditions

Full Access
Question # 29

A contract containing the phrase "You automatically consent to these terms by using or logging into the service to which they pertain" is establishing a contract of:

A.

exclusivity.

B.

adhesion.

C.

execution.

D.

exclusion.

Full Access
Question # 30

Which of the following is the BEST tool to perform cloud security control audits?

A.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

B.

General Data Protection Regulation (GDPR)

C.

Federal Information Processing Standard (FIPS) 140-2

D.

ISO 27001

Full Access
Question # 31

What does “The Egregious 11" refer to?

A.

The OWASP Top 10 adapted to cloud computing

B.

A list of top shortcomings of cloud computing

C.

A list of top breaches in cloud computing

D.

A list of top threats to cloud computing

Full Access
Question # 32

Which of the following is a good candidate for continuous auditing?

A.

Procedures

B.

Governance

C.

Cryptography and authentication

D.

Documentation quality

Full Access
Question # 33

Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?

A.

Likelihood

B.

Mitigation

C.

Residual risk

D.

Impact analysis

Full Access
Question # 34

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

A.

Development of the monitoring goals and requirements

B.

Identification of processes, functions, and systems

C.

Identification of roles and responsibilities

D.

Identification of the relevant laws, regulations, and standards

Full Access
Question # 35

Which of the following is the PRIMARY component to determine the success or failure of an organization’s cloud compliance program?

A.

Defining the metrics and indicators to monitor the implementation of the compliance program

B.

Determining the risk treatment options to be used in the compliance program

C.

Mapping who possesses the information and data that should drive the compliance goals

D.

Selecting the external frameworks that will be used as reference

Full Access
Question # 36

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?

A.

Discard all work done and start implementing NIST 800-53 from scratch.

B.

Recommend no change, since the scope of ISO/IEC 27002 is broader.

C.

Recommend no change, since NIST 800-53 is a US-scoped control framework.

D.

Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

Full Access
Question # 37

The PRIMARY objective for an auditor to understand the organization's context for a cloud audit is to:

A.

determine whether the organization has carried out control self-assessment (CSA) and validated audit reports of the cloud service providers.

B.

validate an understanding of the organization's current state and how the cloud audit plan fits into the existing audit approach.

C.

validate the organization's performance effectiveness utilizing cloud service provider solutions.

D.

validate whether an organization has a cloud audit plan in place.

Full Access
Question # 38

Which objective is MOST appropriate to measure the effectiveness of password policy?

A.

The number of related incidents decreases.

B.

Attempts to log with weak credentials increases.

C.

The number of related incidents increases.

D.

Newly created account credentials satisfy requirements.

Full Access
Question # 39

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

A.

Cloud service providers need the CAIQ to improve quality of customer service.

B.

Cloud service providers can document their security and compliance controls.

C.

Cloud service providers can document roles and responsibilities for cloud security.

D.

Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security

Full Access
Question # 40

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

A.

passed to the sub cloud service providers based on the sub cloud service providers' geographic location.

B.

passed to the sub cloud service providers.

C.

treated as confidential information and withheld from all sub cloud service providers.

D.

treated as sensitive information and withheld from certain sub cloud service providers.

Full Access
Question # 41

To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:

A.

enterprise architecture (EA).

B.

object-oriented architecture.

C.

service-oriented architecture.

D.

software architecture

Full Access
Question # 42

An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud. Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?

A.

Filter out only those controls directly influenced by contractual agreements.

B.

Leverage this feature to enable the adoption of the Shared Responsibility Model.

C.

Filter out only those controls having a direct impact on current terms of service (TOS) and

service level agreement (SLA).

D.

Leverage this feature to enable a smarter selection of the next cloud provider.

Full Access
Question # 43

When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:

A.

shared.

B.

avoided.

C.

transferred.

D.

maintained.

Full Access
Question # 44

In cloud computing, which KEY subject area relies on measurement results and metrics?

A.

Software as a Service (SaaS) application services

B.

Infrastructure as a Service (IaaS) storage and network

C.

Platform as a Service (PaaS) development environment

D.

Service level agreements (SLAs)

Full Access
Question # 45

The BEST method to report continuous assessment of a cloud provider’s services to the Cloud Security Alliance (CSA) is through:

A.

Cloud Controls Matrix (CCM) assessment by a third-party auditor on a periodic basis.

B.

tools selected by the third-party auditor.

C.

SOC 2 Type 2 attestation.

D.

a set of dedicated application programming interfaces (APIs).

Full Access
Question # 46

Which of the following BEST describes the difference between a Type 1 and a Type 2 SOC report?

A.

A Type 2 SOC report validates the operating effectiveness of controls, whereas a Type 1 SOC report validates the suitability of the design of the controls.

B.

A Type 1 SOC report provides an attestation, whereas a Type 2 SOC report offers a certification.

C.

A Type 2 SOC report validates the suitability of the control design, whereas a Type 1 SOC report validates the operating effectiveness of controls.

D.

There is no difference between a Type 2 and a Type 1 SOC report.

Full Access
Question # 47

While using Software as a Service (SaaS) to store secret customer information, an organization identifies a risk of disclosure to unauthorized parties. Although the SaaS service continues to be used, secret customer data is not processed. Which of the following risk treatment methods is being practiced?

A.

Risk acceptance

B.

Risk transfer

C.

Risk mitigation

D.

Risk reduction

Full Access
Question # 48

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following

What should be the BEST recommendation to reduce the provider’s burden?

A.

The provider can answer each customer individually.

B.

The provider can direct all customer inquiries to the information in the CSA STAR registry.

C.

The provider can schedule a call with each customer.

D.

The provider can share all security reports with customers to streamline the process

Full Access
Question # 49

A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider. The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes. Which of the following should be the GREATEST concern to the auditor?

A.

The audit logs are overwritten every 30 days, and all past audit trail is lost.

B.

The audit trails are backed up regularly, but the backup is not encrypted.

C.

The provider does not maintain audit logs in their environment.

D.

The customer cannot monitor its cloud subscription on its own and must rely on the provider for monitoring purposes.

Full Access
Question # 50

From an auditor perspective, which of the following BEST describes shadow IT?

A.

An opportunity to diversify the cloud control approach

B.

A weakness in the cloud compliance posture

C.

A strength of disaster recovery (DR) planning

D.

A risk that jeopardizes business continuity planning

Full Access
Question # 51

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

A.

Review the contract and DR capability.

B.

Plan an audit of the provider.

C.

Review the security white paper of the provider.

D.

Review the provider's audit reports.

Full Access
Question # 52

What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?

A.

Access controls

B.

Vulnerability management

C.

Patching

D.

Source code reviews

Full Access
Question # 53

Which of the following is the FIRST step of the Cloud Risk Evaluation Framework?

A.

Analyzing potential impact and likelihood

B.

Establishing cloud risk profile

C.

Evaluating and documenting the risks

D.

Identifying key risk categories

Full Access
Question # 54

Which of the following cloud environments should be a concern to an organization s cloud auditor?

A.

The cloud service provider s data center is more than 100 miles away.

B.

The technical team is trained on only one vendor Infrastructure as a Service (laaS) platform, but the organization has subscribed to another vendor's laaS platform as an alternative.

C.

The organization entirely depends on several proprietary Software as a Service (SaaS) applications.

D.

The failover region of the cloud service provider is on another continent

Full Access