Winter Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

CCAK Certificate of Cloud Auditing Knowledge Questions and Answers

Questions 4

A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?

Options:

A.

The auditor should review the service providers' security controls even more strictly, as they are further separated from the cloud customer.

B.

The auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply.

C.

As the contract for the cloud service is between the cloud customer and the cloud service provider, there is no need for the auditor to review the services provided by the service providers.

D.

As the relationship between the cloud service provider and its service providers is governed by separate contracts between them, there is no need for the auditor to review the services

Buy Now
Questions 5

An auditor is assessing a European organization's compliance. Which regulation is suitable if health information needs to be protected?

Options:

A.

GDPR

B.

DPIA

C.

DPA

D.

HIPAA

Buy Now
Questions 6

Which of the following is a direct benefit of mapping the Cloud Controls Matrix (CCM) to other international standards and regulations?

Options:

A.

CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.

B.

CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.

C.

CCM mapping entitles cloud service providers to be certified under the CSA STAR program.

D.

CCM mapping enables an uninterrupted data flow and in particular the export of personal data across different jurisdictions.

Buy Now
Questions 7

What should be the control audit frequency for an organization's business continuity management and operational resilience strategy?

Options:

A.

Annually

B.

Biannually

C.

Quarterly

D.

Monthly

Buy Now
Questions 8

Which of the following is an example of financial business impact?

Options:

A.

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.

B.

A hacker using a stolen administrator identity brings down the Software of a Service (SaaS)

sales and marketing systems, resulting in the inability to process customer orders or

manage customer relationships.

C.

While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed

each other in public, resulting in a loss of public confidence that led the board to replace all

Buy Now
Questions 9

Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?

Options:

A.

Aligning the cloud service delivery with the organization’s objectives

B.

Aligning shared responsibilities between provider and customer

C.

Aligning the cloud provider’s service level agreement (SLA) with the organization's policy

D.

Aligning the organization's activity with the cloud provider’s policy

Buy Now
Questions 10

What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

Options:

A.

DAST is slower but thorough.

B.

Unlike SAST, DAST is a black box and programming language agnostic.

C.

DAST can dynamically integrate with most continuous integration and continuous delivery (CI/CD) tools.

D.

DAST delivers more false positives than SAST

Buy Now
Questions 11

In all three cloud deployment models, (laaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

Options:

A.

Cloud service provider

B.

Shared responsibility

C.

Cloud service customer

D.

Patching on hypervisor layer not required

Buy Now
Questions 12

Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?

Options:

A.

Nondisclosure agreements (NDAs)

B.

Independent auditor report

C.

First-party audit

D.

Industry certifications

Buy Now
Questions 13

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month.

Which of the following should be the BEST recommendation to reduce the provider's burden?

Options:

A.

The provider can schedule a call with each customer.

B.

The provider can share all security reports with customers to streamline the process.

C.

The provider can answer each customer individually.

D.

The provider can direct all customer inquiries to the information in the CSA STAR registry

Buy Now
Questions 14

Which of the following would be considered as a factor to trust in a cloud service provider?

Options:

A.

The level of willingness to cooperate

B.

The level of exposure for public information

C.

The level of open source evidence available

D.

The level of proven technical skills

Buy Now
Questions 15

An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls provider is responsible for?

Options:

A.

Review the provider's published questionnaires.

B.

Review third-party audit reports.

C.

Directly audit the provider.

D.

Send a supplier questionnaire to the provider.

Buy Now
Questions 16

To promote the adoption of secure cloud services across the federal government by

Options:

A.

To providing a standardized approach to security and risk assessment

B.

To provide agencies of the federal government a dedicated tool to certify Authority to

Operate (ATO)

C.

To enable 3PAOs to perform independent security assessments of cloud service providers

D.

To publish a comprehensive and official framework for the secure implementation of

controls for cloud security

Buy Now
Questions 17

What legal documents should be provided to the auditors in relation to risk management?

Options:

A.

Enterprise cloud strategy and policy

B.

Contracts and service level agreements (SLAs) of cloud service providers

C.

Policies and procedures established around third-party risk assessments

D.

Inventory of third-party attestation reports

Buy Now
Questions 18

The MOST critical concept for managing the building and testing of code in DevOps is:

Options:

A.

continuous build.

B.

continuous delivery.

C.

continuous integration.

D.

continuous deployment.

Buy Now
Questions 19

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?

Options:

A.

Red team

B.

Blue team

C.

White box

D.

Gray box

Buy Now
Questions 20

Which of the following provides the BEST evidence that a cloud service provider's continuous integration and continuous delivery (CI/CD) development pipeline includes checks for compliance as new features are added to its Software as a Service (SaaS) applications?

Options:

A.

Compliance tests are automated and integrated within the Cl tool.

B.

Developers keep credentials outside the code base and in a secure repository.

C.

Frequent compliance checks are performed for development environments.

D.

Third-party security libraries are continuously kept up to date.

Buy Now
Questions 21

When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

Options:

A.

cloud user.

B.

cloud service provider. 0

C.

cloud customer.

D.

certification authority (CA)

Buy Now
Questions 22

Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is:

Options:

A.

responsible to the cloud customer and its clients.

B.

responsible only to the cloud customer.

C.

not responsible at all to any external parties.

D.

responsible to the cloud customer and its end users

Buy Now
Questions 23

Which of the following is an example of availability technical impact?

Options:

A.

A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.

B.

The cloud provider reports a breach of customer personal data from an unsecured server.

C.

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.

D.

A hacker using a stolen administrator identity alters the discount percentage in the product database

Buy Now
Questions 24

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

Options:

A.

ISO/IEC 27001 implementation.

B.

GB/T 22080-2008.

C.

SOC 2 Type 1 or 2 reports.

D.

GDPR CoC certification.

Buy Now
Questions 25

When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

Options:

A.

Return or destruction of information

B.

Data retention, backup, and recovery

C.

Patch management process

D.

Network intrusion detection

Buy Now
Questions 26

Which of the following has the MOST substantial impact on how aggressive or conservative the cloud approach of an organization will be?

Options:

A.

Applicable laws and regulations

B.

Internal policies and technical standards

C.

Risk scoring criteria

D.

Risk appetite and budget constraints

Buy Now
Questions 27

Which of the following is the BEST control framework for a European manufacturing corporation that is migrating to the cloud?

Options:

A.

CSA'sGDPRCoC

B.

EUGDPR

C.

NIST SP 800-53

D.

PCI-DSS

Buy Now
Questions 28

An auditor is reviewing an organization’s virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?

Options:

A.

The auditor should not rely on the CM tool and its settings, and for thoroughness should review the password configuration on the set of sample VMs.

B.

Review the relevant configuration settings on the CM tool and check whether the CM tool agents are operating effectively on the sample VMs.

C.

As it is an automated environment, reviewing the relevant configuration settings on the CM tool would be sufficient.

D.

Review the incident records for any incidents relating to brute force attacks or password compromise in the last 12 months and investigate whether the root cause of the incidents was due to in appropriate password policy configured on the VMs.

Buy Now
Questions 29

What areas should be reviewed when auditing a public cloud?

Options:

A.

Patching and configuration

B.

Vulnerability management and cyber security reviews

C.

Identity and access management (IAM) and data protection

D.

Source code reviews and hypervisor

Buy Now
Questions 30

Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

Options:

A.

BSI IT-basic protection catalogue

B.

Multi-Tier Cloud Security (MTCS)

C.

German IDW PS 951

D.

BSI Criteria Catalogue C5

Buy Now
Questions 31

To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:

Options:

A.

enterprise architecture (EA).

B.

object-oriented architecture.

C.

service-oriented architecture.

D.

software architecture

Buy Now
Questions 32

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?

Options:

A.

Discard all work done and start implementing NIST 800-53 from scratch.

B.

Recommend no change, since the scope of ISO/IEC 27002 is broader.

C.

Recommend no change, since NIST 800-53 is a US-scoped control framework.

D.

Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

Buy Now
Questions 33

To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:

Options:

A.

Cloud Controls Matrix (CCM) and ISO/IEC 27001:2013 controls.

B.

ISO/IEC 27001:2013 controls.

C.

all Cloud Controls Matrix (CCM) controls and TSPC security principles.

D.

maturity model criteria.

Buy Now
Questions 34

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

Options:

A.

Determine the impact on the controls that were selected by the organization to respond to

identified risks.

B.

Determine the impact on confidentiality, integrity, and availability of the information

system.

C.

Determine the impact on the physical and environmental security of the organization,

excluding informational assets.

D.

Determine the impact on the financial, operational, compliance, and reputation of the

organization.

Buy Now
Questions 35

Which of the following are the three MAIN phases of the Cloud Controls Matrix (CCM) mapping methodology?

Options:

A.

Initiation — Execution — Monitoring and Controlling

B.

Plan - Develop - Release

C.

Preparation — Execution - Peer Review and Publication

Buy Now
Questions 36

The three layers of Open Certification Framework (OCF) PRIMARILY help cloud service providers and cloud clients improve the level of:

Options:

A.

legal and regulatory compliance.

B.

risk and controls.

C.

audit structure and formats.

D.

transparency and assurance.

Buy Now
Questions 37

If a customer management interface is compromised over the public Internet, it can lead to:

Options:

A.

incomplete wiping of the data.

B.

computing and data compromise for customers.

C.

ease of acquisition of cloud services.

D.

access to the RAM of neighboring cloud computers.

Buy Now
Questions 38

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?

Options:

A.

Management of the organization being audited

B.

Public

C.

Shareholders and interested parties

D.

Cloud service provider

Buy Now
Questions 39

One of the control specifications in the Cloud Controls Matrix (CCM) states that "independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligation." Which of the following controls under the Audit Assurance and Compliance domain does this match to?

Options:

A.

Information system and regulatory mapping

B.

GDPR auditing

C.

Audit planning

D.

Independent audits

Buy Now
Questions 40

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

Options:

A.

Review the security white paper of the provider.

B.

Review the provider’s audit reports.

C.

Review the contract and DR capability.

D.

Plan an audit of the provider

Buy Now
Questions 41

Which of the following is the BEST method to demonstrate assurance in the cloud services to multiple cloud customers?

Options:

A.

Provider’s financial stability report and market value

B.

Reputation of the service provider in the industry

C.

Provider self-assessment and technical documents

D.

External attestation and certification audit reports

Buy Now
Questions 42

What is the FIRST thing to define when an organization is moving to the cloud?

Options:

A.

Goals of the migration

B.

Internal service level agreements (SLAs)

C.

Specific requirements

D.

Provider evaluation criteria

Buy Now
Questions 43

Market share and geolocation are aspects PRIMARILY related to:

Options:

A.

business perspective.

B.

cloud perspective.

C.

risk perspective.

D.

governance perspective.

Buy Now
Questions 44

Which of the following is a detective control that may be identified in a Software as a Service (SaaS) service provider?

Options:

A.

Data encryption

B.

Incident management

C.

Network segmentation

D.

Privileged access monitoring

Buy Now
Questions 45

Which of the following attestations allows for immediate adoption of the Cloud Controls Matrix (CCM) as additional criteria to AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?

Options:

A.

BSI Criteria Catalogue C5

B.

PCI-DSS

C.

MTCS

D.

CSA STAR Attestation

Buy Now
Questions 46

From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?

Options:

A.

Process of security integration using automation in software development

B.

Operational framework that promotes software consistency through automation

C.

Development standards for addressing integration, testing, and deployment issues

D.

Making software development simpler, faster, and easier using automation

Buy Now
Questions 47

"Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls." Which of the following types of controls BEST matches this control description?

Options:

A.

Virtual instance and OS hardening

B.

Network security

C.

Network vulnerability management

D.

Change detection

Buy Now
Questions 48

is it important for the individuals in charge of cloud compliance to understand the organization's past?

Options:

A.

To determine the current state of the organization's compliance

B.

To determine the risk profile of the organization

C.

To address any open findings from previous external audits

D.

To verify whether the measures implemented from the lessons learned are effective

Buy Now
Questions 49

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

Options:

A.

ISO/IEC 27002

B.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

C.

NISTSP 800-146

D.

ISO/IEC 27017:2015

Buy Now
Questions 50

Which of the following is MOST important to manage risk from cloud vendors who might accidentally introduce unnecessary risk to an organization by adding new features to their solutions?

Options:

A.

Deploying new features using cloud orchestration tools

B.

Performing prior due diligence of the vendor

C.

Establishing responsibility in the vendor contract

D.

Implementing service level agreements (SLAs) around changes to baseline configurations

Buy Now
Questions 51

Which industry organization offers both security controls and cloud-relevant benchmarking?

Options:

A.

Cloud Security Alliance (CSA)

B.

SANS Institute

C.

International Organization for Standardization (ISO)

D.

Center for Internet Security (CIS)

Buy Now
Questions 52

In audit parlance, what is meant by "management representation"?

Options:

A.

A person or group of persons representing executive management during audits

B.

A mechanism to represent organizational structure

C.

A project management technique to demonstrate management's involvement in key

project stages

D.

Statements made by management in response to specific inquiries

Buy Now
Questions 53

An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud. Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?

Options:

A.

Filter out only those controls directly influenced by contractual agreements.

B.

Leverage this feature to enable the adoption of the Shared Responsibility Model.

C.

Filter out only those controls having a direct impact on current terms of service (TOS) and

service level agreement (SLA).

D.

Leverage this feature to enable a smarter selection of the next cloud provider.

Buy Now
Questions 54

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Options:

A.

regulatory guidelines impacting the cloud customer.

B.

audits, assessments, and independent verification of compliance certifications with agreement terms.

C.

policies and procedures of the cloud customer

D.

the organizational chart of the provider.

Buy Now
Exam Code: CCAK
Exam Name: Certificate of Cloud Auditing Knowledge
Last Update: Dec 1, 2024
Questions: 182

PDF + Testing Engine

$66  $164.99

Testing Engine

$50  $124.99
buy now CCAK testing engine

PDF (Q&A)

$42  $104.99
buy now CCAK pdf