CCAK: Certificate of Cloud Auditing Knowledge Part 1
Question #: 1
Topic #: 1
Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization’s SaaS vendor?
A. Risk exceptions policy
B. Contractual requirements
C. Risk appetite
D. Board oversight
Selected Answer: C
———————————————————————-
Question #: 2
Topic #: 1
A CSP contracts for a penetration test to be conducted on its infrastructure. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP’s security operations center is not notified in advance of the scope of the audit or the test vectors. Which mode is selected by the CSP?
A. Double gray box
B. Tandem
C. Reversal
D. Double blind
Selected Answer: D
———————————————————————-
Question #: 3
Topic #: 1
Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report, which course of action is MOST relevant?
A. Focusing on auditing high-risk areas
B. Testing the adequacy of cloud controls design
C. Relying on management testing of cloud controls
D. Testing the operational effectiveness of cloud controls
Selected Answer: A
———————————————————————-
Question #: 4
Topic #: 1
In an organization, how are policy violations MOST likely to occur?
A. By accident
B. Deliberately by the ISP
C. Deliberately
D. Deliberately by the cloud provider
Selected Answer: A
———————————————————————-
Question #: 5
Topic #: 1
Which of the following is the BEST tool to perform cloud security control audits?
A. General Data Protection Regulation (GDPR)
B. ISO 27001
C. Federal Information Processing Standard (FIPS) 140-2
D. CSA Cloud Control Matrix (CCM)
Selected Answer: D
———————————————————————-
Question #: 6
Topic #: 1
Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls. Which of the following controls BEST matches this control description?
A. Network Security
B. Change Detection
C. Virtual Instance and OS Hardening
D. Network Vulnerability Management
Selected Answer: A
———————————————————————-
Question #: 7
Topic #: 1
After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data. In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident?
A. As an integrity breach
B. As a control breach
C. As an availability breach
D. As a confidentiality breach
Selected Answer: A
———————————————————————-
Question #: 8
Topic #: 1
Organizations maintain mappings between the different control frameworks they adopt to:
A. help identify controls with common assessment status.
B. avoid duplication of work when assessing compliance.
C. help identify controls with different assessment status.
D. start a compliance assessment using latest assessment.
Selected Answer: B
———————————————————————-
Question #: 9
Topic #: 1
SAST testing is performed by:
A. scanning the application source code.
B. scanning the application interface.
C. scanning all infrastructure components.
D. performing manual actions to gain control of the application.
Selected Answer: A
———————————————————————-
Question #: 10
Topic #: 1
When a client’s business process changes, the CSP SLA should:
A. be reviewed, but the SLA cannot be updated.
B. not be reviewed, but the cloud contract should be cancelled immediately.
C. not be reviewed as the SLA cannot be updated.
D. be reviewed and updated if required.
Selected Answer: D
———————————————————————-
Question #: 11
Topic #: 1
The PRIMARY objective of an audit initiation meeting with a cloud audit client is to:
A. select the methodology of the audit.
B. review requested evidence provided by the audit client.
C. discuss the scope of the cloud audit.
D. identify resource requirements of the cloud audit.
Selected Answer: C
———————————————————————-
Question #: 12
Topic #: 1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?
A. Operations Maintenance
B. System Development Maintenance
C. Equipment Maintenance
D. System Maintenance
Selected Answer: A
———————————————————————-
Question #: 13
Topic #: 1
An auditor identifies that a CSP received multiple customer inquiries and RFPs during the last month. Which of the following should be the BEST recommendation to reduce the CSP burden?
A. CSP can share all security reports with customers to streamline the process.
B. CSP can schedule a call with each customer.
C. CSP can answer each customer individually.
D. CSP can direct all customers’ inquiries to the information in the CSA STAR registry.
Selected Answer: D
———————————————————————-
Question #: 14
Topic #: 1
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?
A. Blue team
B. White box
C. Gray box
D. Red team
Selected Answer: D
———————————————————————-
Question #: 15
Topic #: 1
When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?
A. Determine the impact on the controls that were selected by the organization to respond to identified risks.
B. Determine the impact on confidentiality, integrity and availability of the information system.
C. Determine the impact on the financial, operational, compliance and reputation of the organization.
D. Determine the impact on the physical and environmental security of the organization, excluding informational assets.
Selected Answer: B
———————————————————————-
Question #: 16
Topic #: 1
When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?
A. Validate if the strategy covers unavailability of all components required to operate the business as usual or in disrupted mode, in part or in total, when impacted by a disruption.
B. Validate if the strategy covers all aspects of Business Continuity and Resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption.
C. Validate if the strategy covers all activities required to continue and recover prioritized activities within identified time frames and agreed capacity, aligned to the risk appetite of the organization including the invocation of continuity plans and crisis management capabilities.
D. Validate if the strategy is developed by both cloud service providers and cloud service consumers within the acceptable limits of their risk appetite.
Selected Answer: C
———————————————————————-
Question #: 17
Topic #: 1
Which of the following metrics are frequently immature?
A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Selected Answer: D
———————————————————————-
Question #: 18
Topic #: 1
The MAIN difference between Cloud Control Matrix (CCM) and Consensus Assessment Initiative Questionnaire (CAIQ) is that:
A. CCM assesses the presence of controls, whereas CAIQ assesses overall security of a service.
B. CCM has a set of security questions, whereas CAIQ has a set of security controls.
C. CCM has 14 domains and CAIQ has 16 domains.
D. CCM provides a controls framework, whereas CAIQ provides industry-accepted ways to document which security controls exist in IaaS, PaaS, and SaaS offerings.
Selected Answer: D
———————————————————————-
Question #: 19
Topic #: 1
Which of the following is an example of financial business impact?
A. A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
B. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.
C. A DDoS attack renders the customer’s cloud inaccessible for 24 hours resulting in millions in lost sales.
D. The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euro.
Selected Answer: C
———————————————————————-
Question #: 20
Topic #: 1
From the perspective of a senior cloud security audit practitioner in an organization of a mature security program with cloud adoption, which of the following statements BEST describes the DevSecOps concept?
A. Process of security integration using automation in software development
B. Development standards for addressing integration, testing, and deployment issues
C. Operational framework that promotes software consistency through automation
D. Making software development simpler, faster, and easier using automation
Selected Answer: A
