New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

CCAK Certificate of Cloud Auditing Knowledge Questions and Answers

Questions 4

Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

Options:

A.

Documentation criteria for the audit evidence

B.

Testing procedure to be performed

C.

Processes and systems to be audited

D.

Updated audit work program

Buy Now
Questions 5

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

Options:

A.

Review the security white paper of the provider.

B.

Review the provider’s audit reports.

C.

Review the contract and DR capability.

D.

Plan an audit of the provider

Buy Now
Questions 6

The three layers of Open Certification Framework (OCF) PRIMARILY help cloud service providers and cloud clients improve the level of:

Options:

A.

legal and regulatory compliance.

B.

risk and controls.

C.

audit structure and formats.

D.

transparency and assurance.

Buy Now
Questions 7

When performing audits in relation to business continuity management and operational resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?

Options:

A.

Validate whether the strategy covers all aspects of business continuity and resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption.

B.

Validate whether the strategy is developed by both cloud service providers and cloud service consumers within the acceptable limits of their risk appetite.

C.

Validate whether the strategy covers all activities required to continue and recover prioritized activities within identified time frames and agreed capacity, aligned to the risk appetite of the organization including the invocation of continuity plans and crisis management capabilities.

Buy Now
Questions 8

Which of the following is MOST useful for an auditor to review when seeking visibility into the cloud supply chain for a newly acquired Software as a Service (SaaS) solution?

Options:

A.

SaaS provider contract

B.

Payments made by the service owner

C.

SaaS vendor white papers

D.

Cloud compliance obligations register

Buy Now
Questions 9

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

Options:

A.

treated as confidential information and withheld from all sub cloud service providers.

B.

treated as sensitive information and withheld from certain sub cloud service providers.

C.

passed to the sub cloud service providers.

D.

passed to the sub cloud service providers based on the sub cloud service providers' geographic location.

Buy Now
Questions 10

What type of termination occurs at the initiative of one party and without the fault of the other party?

Options:

A.

Termination without the fault

B.

Termination at the end of the term

C.

Termination for cause

D.

Termination for convenience

Buy Now
Questions 11

What does “The Egregious 11" refer to?

Options:

A.

The OWASP Top 10 adapted to cloud computing

B.

A list of top shortcomings of cloud computing

C.

A list of top breaches in cloud computing

D.

A list of top threats to cloud computing

Buy Now
Questions 12

The Cloud Octagon Model was developed to support organizations':

Options:

A.

risk treatment methodology.

B.

incident detection methodology.

C.

incident response methodology.

D.

risk assessment methodology.

Buy Now
Questions 13

If a customer management interface is compromised over the public Internet, it can lead to:

Options:

A.

incomplete wiping of the data.

B.

computing and data compromise for customers.

C.

ease of acquisition of cloud services.

D.

access to the RAM of neighboring cloud computers.

Buy Now
Questions 14

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Options:

A.

regulatory guidelines impacting the cloud customer.

B.

audits, assessments, and independent verification of compliance certifications with agreement terms.

C.

policies and procedures of the cloud customer

D.

the organizational chart of the provider.

Buy Now
Questions 15

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?

Options:

A.

Management of the organization being audited

B.

Public

C.

Shareholders and interested parties

D.

Cloud service provider

Buy Now
Questions 16

From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?

Options:

A.

Evaluation summaries

B.

logs

C.

SOC reports

D.

Interviews

Buy Now
Questions 17

The FINAL decision to include a material finding in a cloud audit report should be made by the:

Options:

A.

auditee's senior management.

B.

organization's chief executive officer (CEO).

C.

cloud auditor.

: D. organization's chief information security officer (CISO)

Buy Now
Questions 18

A dot release of the Cloud Controls Matrix (CCM) indicates:

Options:

A.

a revision of the CCM domain structure.

B.

a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release.

C.

the introduction of new control frameworks mapped to previously published CCM controls.

D.

technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release.

Buy Now
Questions 19

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Options:

A.

regulatory guidelines impacting the cloud customer.

B.

audits, assessments, and independent verification of compliance certifications with agreement terms.

C.

the organizational chart of the provider.

D.

policies and procedures of the cloud customer

Buy Now
Questions 20

What is the FIRST thing to define when an organization is moving to the cloud?

Options:

A.

Goals of the migration

B.

Internal service level agreements (SLAs)

C.

Specific requirements

D.

Provider evaluation criteria

Buy Now
Questions 21

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?

Options:

A.

Red team

B.

Blue team

C.

White box

D.

Gray box

Buy Now
Questions 22

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

Options:

A.

Development of the monitoring goals and requirements

B.

Identification of processes, functions, and systems

C.

Identification of roles and responsibilities

D.

Identification of the relevant laws, regulations, and standards

Buy Now
Questions 23

Which of the following is the MOST important strategy and governance documents to provide to the auditor prior to a cloud service provider review?

Options:

A.

Enterprise cloud strategy and policy, as well as inventory of third-party attestation reports

B.

Policies and procedures established around third-party risk assessments, including questionnaires that are required to be completed to assess risk associated with use of third-party services

C.

Enterprise cloud strategy and policy, as well as the enterprise cloud security strategy

D.

Inventory of third-party attestation reports and enterprise cloud security strategy

Buy Now
Questions 24

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

Options:

A.

GDPR CoC certification.

B.

GB/T 22080-2008.

C.

SOC 2 Type 1 or 2 reports.

D.

ISO/IEC 27001 implementation.

Buy Now
Questions 25

In audit parlance, what is meant by "management representation"?

Options:

A.

A person or group of persons representing executive management during audits

B.

A mechanism to represent organizational structure

C.

A project management technique to demonstrate management's involvement in key

project stages

D.

Statements made by management in response to specific inquiries

Buy Now
Questions 26

An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud. Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?

Options:

A.

Filter out only those controls directly influenced by contractual agreements.

B.

Leverage this feature to enable the adoption of the Shared Responsibility Model.

C.

Filter out only those controls having a direct impact on current terms of service (TOS) and

service level agreement (SLA).

D.

Leverage this feature to enable a smarter selection of the next cloud provider.

Buy Now
Questions 27

Which of the following BEST describes the difference between a Type 1 and a Type 2 SOC report?

Options:

A.

A Type 2 SOC report validates the operating effectiveness of controls, whereas a Type 1 SOC report validates the suitability of the design of the controls.

B.

A Type 1 SOC report provides an attestation, whereas a Type 2 SOC report offers a certification.

C.

A Type 2 SOC report validates the suitability of the control design, whereas a Type 1 SOC report validates the operating effectiveness of controls.

D.

There is no difference between a Type 2 and a Type 1 SOC report.

Buy Now
Questions 28

Why should the results of third-party audits and certification be relied on when analyzing and assessing the cybersecurity risks in the cloud?

Options:

A.

To establish an audit mindset within the organization

B.

To contrast the risk generated by the loss of control

C.

To reinforce the role of the internal audit function

D.

To establish an accountability culture within the organization

Buy Now
Questions 29

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

Options:

A.

As an availability breach

B.

As a control breach

C.

As a confidentiality breach

D.

As an integrity breach

Buy Now
Questions 30

To ensure a cloud service provider is complying with an organization's privacy requirements, a cloud auditor should FIRST review:

Options:

A.

organizational policies, standards, and procedures.

B.

adherence to organization policies, standards, and procedures.

C.

legal and regulatory requirements.

D.

the IT infrastructure.

Buy Now
Questions 31

An auditor is reviewing an organization’s virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?

Options:

A.

The auditor should not rely on the CM tool and its settings, and for thoroughness should review the password configuration on the set of sample VMs.

B.

Review the relevant configuration settings on the CM tool and check whether the CM tool agents are operating effectively on the sample VMs.

C.

As it is an automated environment, reviewing the relevant configuration settings on the CM tool would be sufficient.

D.

Review the incident records for any incidents relating to brute force attacks or password compromise in the last 12 months and investigate whether the root cause of the incidents was due to in appropriate password policy configured on the VMs.

Buy Now
Questions 32

A cloud service provider providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance to stringent government standards?

Options:

A.

CSA STAR Level Certificate

B.

Multi-Tier Cloud Security (MTCS) Attestation

C.

ISO/IEC 27001:2013 Certification

D.

FedRAMP Authorization

Buy Now
Questions 33

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following

What should be the BEST recommendation to reduce the provider’s burden?

Options:

A.

The provider can answer each customer individually.

B.

The provider can direct all customer inquiries to the information in the CSA STAR registry.

C.

The provider can schedule a call with each customer.

D.

The provider can share all security reports with customers to streamline the process

Buy Now
Questions 34

The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:

Options:

A.

facilitate an effective relationship between the cloud service provider and cloud client.

B.

ensure understanding of true risk and perceived risk by the cloud service users.

C.

provide global, accredited, and trusted certification of the cloud service provider.

D.

enable the cloud service provider to prioritize resources to meet its own requirements.

Buy Now
Questions 35

With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:

Options:

A.

relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF). and the Zachman Framework for Enterprise Architecture.

B.

relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.

C.

relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.

D.

relevant delivery models such as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (laaS).

Buy Now
Questions 36

Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:

Options:

A.

are the asset with private IP addresses.

B.

are generally the most exposed part.

C.

could be poorly designed.

D.

act as a very effective backdoor.

Buy Now
Questions 37

Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:

Options:

A.

client organization has a clear understanding of the provider s suppliers.

B.

suppliers are accountable for the provider's service that they are providing.

C.

client organization does not need to worry about the provider's suppliers, as this is the

provider's responsibility.

D.

client organization and provider are both responsible for the provider's suppliers.

Buy Now
Questions 38

Which of the following is the FIRST step of the Cloud Risk Evaluation Framework?

Options:

A.

Analyzing potential impact and likelihood

B.

Establishing cloud risk profile

C.

Evaluating and documenting the risks

D.

Identifying key risk categories

Buy Now
Questions 39

What is the MOST effective way to ensure a vendor is compliant with the agreed-upon cloud service?

Options:

A.

Examine the cloud provider's certifications and ensure the scope is appropriate.

B.

Document the requirements and responsibilities within the customer contract

C.

Interview the cloud security team and ensure compliance.

D.

Pen test the cloud service provider to ensure compliance.

Buy Now
Questions 40

One of the control specifications in the Cloud Controls Matrix (CCM) states that "independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligation." Which of the following controls under the Audit Assurance and Compliance domain does this match to?

Options:

A.

Information system and regulatory mapping

B.

GDPR auditing

C.

Audit planning

D.

Independent audits

Buy Now
Questions 41

Which of the following is MOST important to manage risk from cloud vendors who might accidentally introduce unnecessary risk to an organization by adding new features to their solutions?

Options:

A.

Deploying new features using cloud orchestration tools

B.

Performing prior due diligence of the vendor

C.

Establishing responsibility in the vendor contract

D.

Implementing service level agreements (SLAs) around changes to baseline configurations

Buy Now
Questions 42

In the context of Infrastructure as a Service (laaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

Options:

A.

both operating system and application infrastructure contained within the cloud service

provider’s instances.

B.

both operating system and application infrastructure contained within the customer’s

instances.

C.

only application infrastructure contained within the cloud service provider’s instances.

D.

only application infrastructure contained within the customer's instance

Buy Now
Questions 43

What should be the control audit frequency for an organization's business continuity management and operational resilience strategy?

Options:

A.

Annually

B.

Biannually

C.

Quarterly

D.

Monthly

Buy Now
Questions 44

A cloud auditor observed that just before a new software went live, the librarian transferred production data to the test environment to confirm the new software can work in the production environment. What additional control should the cloud auditor check?

Options:

A.

Approval of the change by the change advisory board

B.

Explicit documented approval from all customers whose data is affected

C.

Training for the librarian

D.

Verification that the hardware of the test and production environments are compatible

Buy Now
Questions 45

Which of the following cloud service provider activities MUST obtain a client's approval?

Options:

A.

Destroying test data

B.

Deleting subscription owner accounts

C.

Deleting test accounts

D.

Deleting guest accounts

Buy Now
Questions 46

Which of the following is the GREATEST risk associated with hidden interdependencies between cloud services?

Options:

A.

The IT department does not clearly articulate the cloud to the organization.

B.

There is a lack of visibility over the cloud service providers' supply chain.

C.

Customers do not understand cloud technologies in enough detail.

D.

Cloud services are very complicated.

Buy Now
Questions 47

In cloud computing, which KEY subject area relies on measurement results and metrics?

Options:

A.

Software as a Service (SaaS) application services

B.

Infrastructure as a Service (IaaS) storage and network

C.

Platform as a Service (PaaS) development environment

D.

Service level agreements (SLAs)

Buy Now
Questions 48

From an auditor perspective, which of the following BEST describes shadow IT?

Options:

A.

An opportunity to diversify the cloud control approach

B.

A weakness in the cloud compliance posture

C.

A strength of disaster recovery (DR) planning

D.

A risk that jeopardizes business continuity planning

Buy Now
Questions 49

Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

Options:

A.

BSI IT-basic protection catalogue

B.

Multi-Tier Cloud Security (MTCS)

C.

German IDW PS 951

D.

BSI Criteria Catalogue C5

Buy Now
Questions 50

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

Options:

A.

ISO/IEC 27002

B.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

C.

NISTSP 800-146

D.

ISO/IEC 27017:2015

Buy Now
Questions 51

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?

Options:

A.

Discard all work done and start implementing NIST 800-53 from scratch.

B.

Recommend no change, since the scope of ISO/IEC 27002 is broader.

C.

Recommend no change, since NIST 800-53 is a US-scoped control framework.

D.

Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

Buy Now
Questions 52

Market share and geolocation are aspects PRIMARILY related to:

Options:

A.

business perspective.

B.

cloud perspective.

C.

risk perspective.

D.

governance perspective.

Buy Now
Questions 53

To support a customer's verification of the cloud service provider claims regarding its responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?

Options:

A.

External audit

B.

Internal audit

C.

Contractual agreement

D.

Security assessment

Buy Now
Questions 54

Cloud Controls Matrix (CCM) controls can be used by cloud customers to:

Options:

A.

develop new security baselines for the industry.

B.

define different control frameworks for different cloud service providers.

C.

build an operational cloud risk management program.

D.

facilitate communication with their legal department.

Buy Now
Exam Code: CCAK
Exam Name: Certificate of Cloud Auditing Knowledge
Last Update: Dec 22, 2024
Questions: 182

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99