CCAK
Question 26
The PRIMARY objective for an auditor to understand the organization’s context for a cloud audit is to:
- A: determine whether the organization has carried out control self-assessment and validated audit reports of the cloud service providers (CSP).
- B: validate an understanding of the organization’s current state and how the cloud audit plan fits into the existing audit approach.
- C: validate whether an organization has a cloud audit plan in place.
- D: validate the organization’s performance effectiveness utilizing cloud service providers (CSP) solutions.
Question 27
Which of the following defines the criteria designed by the American Institute of Certified Public Accountants (AICPA) to specify trusted services?
- A: Security, confidentiality, availability, privacy and processing integrity
- B: Security, applicability, availability, privacy and processing integrity
- C: Security, confidentiality, availability, privacy and trustworthiness
- D: Security, data integrity, availability, privacy and processing integrity
Question 28
Account design in the cloud should be driven by:
- A: security requirements.
- B: organizational structure.
- C: business continuity policies.
- D: management structure.
Question 29
What should be the control audit frequency for Business Continuity Management?
- A: Quarterly
- B: Annually
- C: Monthly
- D: Semi-annually
Question 30
When identifying the governance stakeholders in an organization, which of the following roles would MOST likely be responsible for cloud migration and ongoing maintenance?
- A: Enterprise architects
- B: IT
- C: Governance, risk, and compliance (GRC)
- D: Cloud providers
Question 31
The cloud risk management process should:
- A: evaluate only the cloud providers’ general maturity.
- B: verify the provider’s policy aligns with the customer’s policy.
- C: evaluate the specific cloud service features.
- D: evaluate the services of the same security features.
Question 32
Which of the following is a category of trust in cloud computing?
- A: Reputation-based trust
- B: Background-based trust
- C: Loyalty-based trust
- D: Transparency-based trust
Question 33
An auditor identifies that a CSP received multiple customer inquiries and RFPs during the last month. Which of the following should be the BEST recommendation to reduce the CSP burden?
- A: CSP can share all security reports with customers to streamline the process.
- B: CSP can schedule a call with each customer.
- C: CSP can answer each customer individually.
- D: CSP can direct all customers’ inquiries to the information in the CSA STAR registry.
Question 34
While using public cloud services, cloud users may cede direct control over:
- A: anti-malware solutions.
- B: encryption keys.
- C: security patching.
- D: penetration testing.
Question 35
As part of cloud migration, who is responsible for defining and setting the applicable controls?
- A: Cloud customer
- B: Shared responsibility
- C: Cloud auditor
- D: Cloud provider
Question 36
In which of the following risk scenarios should a cloud customer have the full responsibility in all cloud service models?
- A: Infrastructure risk
- B: Identity and access risk
- C: Endpoint risk
- D: Data classification risk
Question 37
In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:
- A: passed to the sub cloud service providers based on the sub cloud service providers’ geographic location.
- B: passed to the sub cloud service providers.
- C: treated as confidential information and withheld from all sub cloud service providers.
- D: treated as sensitive information and withheld from certain sub cloud service providers.
Question 38
A contract containing the phrase “You automatically consent to these terms by using or logging into the service to which they pertain” is establishing a contract of:
- A: exclusion.
- B: adhesion.
- C: exclusively.
- D: execution.
Question 39
Which of the following is a detective control that may be identified in a Software as a Service (SaaS) service provider?
- A: Network segmentation
- B: Incident management
- C: Privileged access monitoring
- D: Data encryption
Question 40
Which of the following is an important challenge in the design and building of a cloud compliance program?
- A: Determining the total cost of all cloud components
- B: Identifying all cloud components used in the organization
- C: Assigning risk ownership for the cloud components
- D: Understanding the cloud computing context
Question 41
Which of the following is MOST relevant to determine whether an organization is a risk taker or is risk-averse?
- A: Risk management methodology
- B: Risk culture
- C: Risk heat map
- D: Risk appetite
Question 42
An audit that can be achieved using real-time automated scripts or manual testing, and that organizations continuously perform as part of operations to help them implement continuous assurance and compliance, is:
- A: a governance and strategy audit.
- B: a compliance and controls audit.
- C: access review.
- D: configuration and activity monitoring.
Question 43
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?
- A: Blue team
- B: White box
- C: Gray box
- D: Red team
Question 44
Which of the following processes should be performed FIRST to properly implement the NIST SP 800-53 r4 control framework in an organization?
- A: A comprehensive tailoring of the controls of the framework
- B: A security categorization of the information systems
- C: A selection of the security objectives the organization wants to improve
- D: A comprehensive business impact analysis (BIA)
Question 45
Which of the following enables auditors to conduct gap analysis?
- A: The experience gained over the years
- B: Using a standardized control framework
- C: Understanding the customer risk profile
- D: The as-is and to-be enterprise architecture (EA)
Question 46
Which of the following types of SOC reports BEST helps to ensure operating effectiveness of controls in a cloud service provider offering?
- A: SOC 2 Type 1
- B: SOC 2 Type 2
- C: SOC 3 Type 2
- D: SOC 1 Type 1
Question 47
Which of the following BEST describes the Center for Internet Security (CIS) benchmarks applied to a cloud service provider?
- A: Best practices for the tuning of performance in cloud service providers’ services
- B: Best practices for the secure configuration of the cloud service provider services
- C: Comparisons of the performance obtained from the cloud service providers
- D: Comparisons of the security capabilities provided by the cloud service providers
Question 48
A large organization recently migrated to the cloud and identified Function as a Service (FaaS) as a new service category that enhances the concept of:
- A: beta testing.
- B: fuzzing.
- C: alpha testing.
- D: scripting.
Question 49
Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?
- A: German IDW PS 951
- B: Multi-Tier Cloud Security (MTCS)
- C: BSI Criteria Catalogue C5
- D: BSI IT-basic protection catalogue
Question 50
Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?
- A: CCM maps to existing security standards, best practices, and regulations.
- B: CCM utilizes an ITIL framework to define the capabilities needed to manage the IT services and security services.
- C: CCM V4 is an improved version from CCM V3.0.1.
- D: CCM uses a specific control for Infrastructure as a Service (IaaS).