
Certificate of Cloud Auditing Knowledge Question and Answers

Certificate of Cloud Auditing Knowledge

Last Update Apr 25, 2024
Total Questions : 175


Question 1

From an auditor perspective, which of the following BEST describes shadow IT?

Options:

A. An opportunity to diversify the cloud control approach
B. A weakness in the cloud compliance posture
C. A strength of disaster recovery (DR) planning
D. A risk that jeopardizes business continuity planning

Question 2

Visibility to which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments?

Options:

A. Source code within build scripts
B. Output from threat modeling exercises
C. Service level agreements (SLAs)
D. Results from automated testing

Question 3

Market share and geolocation are aspects PRIMARILY related to:

Options:

A. business perspective.
B. cloud perspective.
C. risk perspective.
D. governance perspective.

Question 4

What areas should be reviewed when auditing a public cloud?

Options:

A. Patching and configuration
B. Vulnerability management and cyber security reviews
C. Identity and access management (IAM) and data protection
D. Source code reviews and hypervisor

Question 5

The effect of which of the following should have priority in planning the scope and objectives of a cloud audit?

Options:

A. Applicable industry good practices
B. Applicable statutory requirements
C. Organizational policies and procedures
D. Applicable corporate standards

Question 6

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

Options:

A. Review the contract and DR capability.
B. Plan an audit of the provider.
C. Review the security white paper of the provider.
D. Review the provider's audit reports.

Question 7

To ensure integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?

Options:

A. Parallel testing
B. Full application stack unit testing
C. Functional verification
D. Regression testing

Question 8

What legal documents should be provided to the auditors in relation to risk management?

Options:

A. Enterprise cloud strategy and policy
B. Contracts and service level agreements (SLAs) of cloud service providers
C. Policies and procedures established around third-party risk assessments
D. Inventory of third-party attestation reports

Question 9

Which of the following activities is performed outside information security monitoring?

Options:

A. Management review of the information security framework
B. Monitoring the effectiveness of implemented controls
C. Collection and review of security events before escalation
D. Periodic review of risks, vulnerabilities, likelihoods, and threats

Question 10

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

Options:

A. Development of the monitoring goals and requirements
B. Identification of processes, functions, and systems
C. Identification of roles and responsibilities
D. Identification of the relevant laws, regulations, and standards

Question 11

What is below the waterline in the context of cloud operationalization?

Options:

A. The controls operated by the customer
B. The controls operated by both
C. The controls operated by the cloud access security broker (CASB)
D. The controls operated by the cloud service provider

Question 12

Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

Options:

A. BSI IT-basic protection catalogue
B. Multi-Tier Cloud Security (MTCS)
C. German IDW PS 951
D. BSI Criteria Catalogue C5

Question 13

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

Options:

A. As an availability breach
B. As a control breach
C. As a confidentiality breach
D. As an integrity breach

Question 14

Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?

Options:

A. CCM utilizes an ITIL framework to define the capabilities needed to manage the IT services and security services.
B. CCM maps to existing security standards, best practices, and regulations.
C. CCM uses a specific control for Infrastructure as a Service (IaaS).
D. CCM V4 is an improved version from CCM V3.0.1.

Question 15

With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:

Options:

A. relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF), and the Zachman Framework for Enterprise Architecture.
B. relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.
C. relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.
D. relevant delivery models such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Question 16

When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

Options:

A. Return or destruction of information
B. Data retention, backup, and recovery
C. Patch management process
D. Network intrusion detection

Question 17

A cloud service provider contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The provider's security operation center is not notified in advance of the scope of the audit and the test vectors. Which mode has been selected by the provider?

Options:

A. Reversal
B. Double blind
C. Double gray box
D. Tandem

Question 18

An auditor is reviewing an organization's virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?

Options:

A. The auditor should not rely on the CM tool and its settings, and for thoroughness should review the password configuration on the set of sample VMs.
B. Review the relevant configuration settings on the CM tool and check whether the CM tool agents are operating effectively on the sample VMs.
C. As it is an automated environment, reviewing the relevant configuration settings on the CM tool would be sufficient.
D. Review the incident records for any incidents relating to brute force attacks or password compromise in the last 12 months and investigate whether the root cause of the incidents was an inappropriate password policy configured on the VMs.

Question 19

Which of the following is a direct benefit of mapping the Cloud Controls Matrix (CCM) to other international standards and regulations?

Options:

A. CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.
B. CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.
C. CCM mapping entitles cloud service providers to be certified under the CSA STAR program.
D. CCM mapping enables an uninterrupted data flow and in particular the export of personal data across different jurisdictions.

Question 20

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?

Options:

A. Discard all work done and start implementing NIST 800-53 from scratch.
B. Recommend no change, since the scope of ISO/IEC 27002 is broader.
C. Recommend no change, since NIST 800-53 is a US-scoped control framework.
D. Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

Question 21

The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:

Options:

A. facilitate an effective relationship between the cloud service provider and cloud client.
B. enable the cloud service provider to prioritize resources to meet its own requirements.
C. provide global, accredited, and trusted certification of the cloud service provider.
D. ensure understanding of true risk and perceived risk by the cloud service users.

Question 22

A certification target helps in the formation of a continuous certification framework by incorporating:

Options:

A. the service level objective (SLO) and service qualitative objective (SQO).
B. the scope description and security attributes to be tested.
C. the frequency of evaluating security attributes.
D. CSA STAR level 2 attestation.

Question 23

Controls mapping found in the Scope Applicability column of the Cloud Controls Matrix (CCM) may help organizations to realize cost savings:

Options:

A. by avoiding duplication of efforts in the compliance evaluation and for the eventual control design and implementation.
B. by implementing layered security, thus reducing the likelihood of data breaches and the associated costs.
C. by avoiding the need to hire a cloud security specialist to perform the periodic risk assessment exercise.
D. by avoiding fines for breaching those regulations that impose a controls mapping in order to prove compliance.

Question 24

Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?

Options:

A. Aligning the cloud service delivery with the organization's objectives
B. Aligning shared responsibilities between provider and customer
C. Aligning the cloud provider's service level agreement (SLA) with the organization's policy
D. Aligning the organization's activity with the cloud provider's policy

Question 25

Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:

Options:

A. are the asset with private IP addresses.
B. are generally the most exposed part.
C. could be poorly designed.
D. act as a very effective backdoor.

Question 26

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following

What should be the BEST recommendation to reduce the provider's burden?

Options:

A. The provider can answer each customer individually.
B. The provider can direct all customer inquiries to the information in the CSA STAR registry.
C. The provider can schedule a call with each customer.
D. The provider can share all security reports with customers to streamline the process.

Question 27

What should be the control audit frequency for an organization's business continuity management and operational resilience strategy?

Options:

A. Annually
B. Biannually
C. Quarterly
D. Monthly

Question 28

An auditor is assessing a European organization's compliance. Which regulation is suitable if health information needs to be protected?

Options:

A. GDPR
B. DPIA
C. DPA
D. HIPAA

Question 29

The MOST critical concept for managing the building and testing of code in DevOps is:

Options:

A. continuous build.
B. continuous delivery.
C. continuous integration.
D. continuous deployment.

Question 30

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

Options:

A. Automating risk monitoring and reporting processes
B. Reporting emerging threats to senior stakeholders
C. Establishing ownership and accountability
D. Monitoring key risk indicators (KRIs) for multi-cloud environments

Question 31

The MOST important factor to consider when implementing cloud-related controls is the:

Options:

A. shared responsibility model.
B. effectiveness of the controls.
C. risk reporting.
D. risk ownership.

Question 32

The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:

Options:

A. facilitate an effective relationship between the cloud service provider and cloud client.
B. ensure understanding of true risk and perceived risk by the cloud service users.
C. provide global, accredited, and trusted certification of the cloud service provider.
D. enable the cloud service provider to prioritize resources to meet its own requirements.

Question 33

From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?

Options:

A. Evaluation summaries
B. Logs
C. SOC reports
D. Interviews

Question 34

Which of the following types of SOC reports BEST helps to ensure operating effectiveness of controls in a cloud service provider offering?

Options:

A. SOC 3 Type 2
B. SOC 2 Type 2
C. SOC 1 Type 1
D. SOC 2 Type 1

Question 35

From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?

Options:

A. Process of security integration using automation in software development
B. Operational framework that promotes software consistency through automation
C. Development standards for addressing integration, testing, and deployment issues
D. Making software development simpler, faster, and easier using automation

Question 36

Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?

Options:

A. Likelihood
B. Mitigation
C. Residual risk
D. Impact analysis

Question 37

An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud. Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?

Options:

A. Filter out only those controls directly influenced by contractual agreements.
B. Leverage this feature to enable the adoption of the Shared Responsibility Model.
C. Filter out only those controls having a direct impact on current terms of service (TOS) and service level agreement (SLA).
D. Leverage this feature to enable a smarter selection of the next cloud provider.

Question 38

Which of the following is an example of reputational business impact?

Options:

A. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.
B. The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euros.
C. A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours, resulting in millions in lost sales.
D. A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

Question 39

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

Options:

A. treated as confidential information and withheld from all sub cloud service providers.
B. treated as sensitive information and withheld from certain sub cloud service providers.
C. passed to the sub cloud service providers.
D. passed to the sub cloud service providers based on the sub cloud service providers' geographic location.

Question 40

The BEST way to deliver continuous compliance in a cloud environment is to:

Options:

A. combine point-in-time assurance approaches with continuous monitoring.
B. increase the frequency of external audits from annual to quarterly.
C. combine point-in-time assurance approaches with continuous auditing.
D. decrease the interval between attestations of compliance.

Question 41

Which of the following is the PRIMARY component to determine the success or failure of an organization's cloud compliance program?

Options:

A. Defining the metrics and indicators to monitor the implementation of the compliance program
B. Determining the risk treatment options to be used in the compliance program
C. Mapping who possesses the information and data that should drive the compliance goals
D. Selecting the external frameworks that will be used as reference

Question 42

What type of termination occurs at the initiative of one party and without the fault of the other party?

Options:

A. Termination without the fault
B. Termination at the end of the term
C. Termination for cause
D. Termination for convenience

Question 43

In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?

Options:

A. Database backup and replication guidelines
B. System backup documentation
C. Incident management documentation
D. Operational manuals

Question 44

Which of the following is MOST useful for an auditor to review when seeking visibility into the cloud supply chain for a newly acquired Software as a Service (SaaS) solution?

Options:

A. SaaS provider contract
B. Payments made by the service owner
C. SaaS vendor white papers
D. Cloud compliance obligations register

Question 45

Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

Options:

A. Control self-assessment (CSA)
B. Third-party vendor involvement
C. Exception reporting
D. Application team internal review

Question 46

Who is accountable for the use of a cloud service?

Options:

A. The cloud access security broker (CASB)
B. The supplier
C. The cloud service provider
D. The organization (client)

Question 47

Cloud Controls Matrix (CCM) controls can be used by cloud customers to:

Options:

A. develop new security baselines for the industry.
B. define different control frameworks for different cloud service providers.
C. build an operational cloud risk management program.
D. facilitate communication with their legal department.

Question 48

Which of the following attestations allows for immediate adoption of the Cloud Controls Matrix (CCM) as additional criteria to AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?

Options:

A. BSI Criteria Catalogue C5
B. PCI-DSS
C. MTCS
D. CSA STAR Attestation

Question 49

Which of the following helps an organization to identify control gaps and shortcomings in the context of cloud computing?

Options:

A. Walk-through peer review
B. Periodic documentation review
C. User security awareness training
D. Monitoring effectiveness

Question 50

What is a sign that an organization has adopted a shift-left concept of code release cycles?

Options:

A. Large entities with slower release cadences and geographically dispersed systems
B. A waterfall model to move resources through the development to release phases
C. Maturity of start-up entities with high-iteration to low-volume code commits
D. Incorporation of automation to identify and address software code problems early

Question 51

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

Options:

A. ISO/IEC 27017:2015
B. ISO/IEC 27002
C. NIST SP 800-146
D. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Question 52

Which of the following are the MOST important strategy and governance documents to provide to the auditor prior to a cloud service provider review?

Options:

A. Enterprise cloud strategy and policy, as well as inventory of third-party attestation reports
B. Policies and procedures established around third-party risk assessments, including questionnaires that are required to be completed to assess risk associated with use of third-party services
C. Enterprise cloud strategy and policy, as well as the enterprise cloud security strategy
D. Inventory of third-party attestation reports and enterprise cloud security strategy
