Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?
During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?
The three layers of Open Certification Framework (OCF) PRIMARILY help cloud service providers and cloud clients improve the level of:
When performing audits in relation to business continuity management and operational resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?
Which of the following is MOST useful for an auditor to review when seeking visibility into the cloud supply chain for a newly acquired Software as a Service (SaaS) solution?
In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:
What type of termination occurs at the initiative of one party and without the fault of the other party?
If a customer management interface is compromised over the public Internet, it can lead to:
Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:
An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?
From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?
The FINAL decision to include a material finding in a cloud audit report should be made by the:
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?
Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?
Which of the following is the MOST important strategy and governance document to provide to the auditor prior to a cloud service provider review?
The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:
An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud. Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?
Which of the following BEST describes the difference between a Type 1 and a Type 2 SOC report?
Why should the results of third-party audits and certification be relied on when analyzing and assessing the cybersecurity risks in the cloud?
After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?
To ensure a cloud service provider is complying with an organization's privacy requirements, a cloud auditor should FIRST review:
An auditor is reviewing an organization’s virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?
A cloud service provider providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance with stringent government standards?
An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following
What should be the BEST recommendation to reduce the provider’s burden?
The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:
With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:
Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:
Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:
Which of the following is the FIRST step of the Cloud Risk Evaluation Framework?
What is the MOST effective way to ensure a vendor is compliant with the agreed-upon cloud service?
One of the control specifications in the Cloud Controls Matrix (CCM) states that "independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligation." Which of the following controls under the Audit Assurance and Compliance domain does this match to?
Which of the following is MOST important to manage risk from cloud vendors who might accidentally introduce unnecessary risk to an organization by adding new features to their solutions?
In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:
What should be the control audit frequency for an organization's business continuity management and operational resilience strategy?
A cloud auditor observed that just before a new software went live, the librarian transferred production data to the test environment to confirm the new software can work in the production environment. What additional control should the cloud auditor check?
Which of the following cloud service provider activities MUST obtain a client's approval?
Which of the following is the GREATEST risk associated with hidden interdependencies between cloud services?
In cloud computing, which KEY subject area relies on measurement results and metrics?
Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?
Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?
An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?
To support a customer's verification of the cloud service provider claims regarding its responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?