CCAK: Certificate of Cloud Auditing Knowledge Part 2
Question #: 21
Topic #: 1
Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:
A. recognizes the shared responsibility for risk management between the customer and the CSP.
B. leverages SaaS threat models developed by peer organizations.
C. is developed by an independent third-party with expertise in the organization’s industry sector.
D. considers the loss of visibility and control from transitioning to the cloud.
Selected Answer: A
———————————————————————-
Question #: 22
Topic #: 1
While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?
A. Highlighting the gap to the audit sponsor at the sponsor’s earliest possible availability
B. Asking the organization’s cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet
C. Documenting the finding in the audit report and sharing the gap with the relevant stakeholders
D. Informing the organization’s internal audit manager immediately about the gap
Selected Answer: D
———————————————————————-
Question #: 23
Topic #: 1
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:
A. ISO/IEC 27001:2013 controls.
B. maturity model criteria.
C. all Cloud Control Matrix (CCM) controls and TSPC security principles.
D. Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls.
Selected Answer: C
———————————————————————-
Question #: 24
Topic #: 1
Which of the following is MOST important to consider when an organization is building a compliance program for the cloud?
A. The rapidly changing service portfolio and architecture of the cloud.
B. Cloud providers should not be part of the compliance program.
C. The fairly static nature of the service portfolio and architecture of the cloud.
D. The cloud is similar to the on-premise environment in terms of compliance.
Selected Answer: A
———————————————————————-
Question #: 25
Topic #: 1
When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?
A. To determine how those services will fit within its policies and procedures
B. To determine the total cost of the cloud services to be deployed
C. To confirm which vendor will be selected based on the compliance with security requirements
D. To confirm if the compensating controls implemented are sufficient for the cloud
Selected Answer: A
———————————————————————-
Question #: 26
Topic #: 1
Which of the following attestations allows for immediate adoption of the Cloud Control Matrix (CCM) as additional criteria to the AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?
A. PCI DSS
B. CSA STAR Attestation
C. MTCS
D. BSI Criteria Catalogue C5
Selected Answer: B
———————————————————————-
Question #: 27
Topic #: 1
To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:
A. develop a cloud audit plan on the basis of a detailed risk assessment.
B. schedule the audits and monitor the time spent on each audit.
C. train the cloud audit staff on current technology used in the organization.
D. monitor progress of audits and initiate cost control measures.
Selected Answer: A
———————————————————————-
Question #: 28
Topic #: 1
Which of the following is an example of integrity technical impact?
A. The cloud provider reports a breach of customer personal data from an unsecured server.
B. A hacker using a stolen administrator identity alters the discount percentage in the product database.
C. A DDoS attack renders the customer’s cloud inaccessible for 24 hours.
D. An administrator inadvertently clicked on phishing bait, exposing his company to a ransomware attack.
Selected Answer: B
———————————————————————-
Question #: 29
Topic #: 1
What is a sign of an organization that has adopted a shift-left concept of code release cycles?
A. A waterfall model to move resources through the development to release phases
B. Incorporation of automation to identify and address software code problems early
C. Maturity of start-up entities with high-iteration to low-volume code commits
D. Large entities with slower release cadences and geographically dispersed systems
Selected Answer: B
———————————————————————-
Question #: 30
Topic #: 1
Cloud Control Matrix (CCM) controls can be used by cloud customers to:
A. develop new security baselines for the industry.
B. define different control frameworks for different cloud service providers.
C. facilitate communication with their legal department.
D. build an operational cloud risk management program.
Selected Answer: D
———————————————————————-
Question #: 31
Topic #: 1
Within an organization, which of the following functions should be responsible for defining the cloud adoption approach?
A. Audit committee
B. Compliance manager
C. IT manager
D. Senior management
Selected Answer: D
———————————————————————-
Question #: 32
Topic #: 1
An independent contractor is assessing the security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all of its products using the cloud services provided by a third-party cloud service provider (CSP). What is the optimal and most efficient mechanism to assess the controls the CSP is responsible for?
A. Review third-party audit reports.
B. Review CSP’s published questionnaires.
C. Directly audit the CSP.
D. Send supplier questionnaire to the CSP.
Selected Answer: A
———————————————————————-
Question #: 33
Topic #: 1
Which of the following key stakeholders should be identified the earliest when an organization is designing a cloud compliance program?
A. Cloud process owners
B. Internal control function
C. Legal functions
D. Cloud strategy owners
Selected Answer: D
———————————————————————-
Question #: 34
Topic #: 1
Which of the following CSP activities requires a client’s approval?
A. Delete the guest account or test accounts
B. Delete the master account or subscription owner accounts
C. Delete the guest account or destroy test data
D. Delete the test accounts or destroy test data
Selected Answer: B
———————————————————————-
Question #: 35
Topic #: 1
A cloud service provider does not allow audits using automated tools as these tools could be considered destructive techniques for the cloud environment. Which of the following aspects of the audit will be constrained?
A. Purpose
B. Objectives
C. Nature of relationship
D. Scope
Selected Answer: D
———————————————————————-
Question #: 36
Topic #: 1
An organization has an ISMS implemented, following ISO 27001 and Annex A controls. The CIO would like to migrate some of the infrastructure to the cloud. Which of the following standards would BEST assist in identifying controls to consider for this migration?
A. ISO/IEC 27701
B. ISO/IEC 22301
C. ISO/IEC 27002
D. ISO/IEC 27017
Selected Answer: D
———————————————————————-
Question #: 37
Topic #: 1
An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models. Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?
A. Use of an established standard/regulation to map controls and use as the audit criteria
B. For efficiency reasons, use of its on-premises systems’ audit criteria to audit the cloud environment
C. As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes.
D. Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage
Selected Answer: A
———————————————————————-
Question #: 38
Topic #: 1
Which of the following control frameworks should the cloud customer use to assess the overall security risk of a cloud provider?
A. SOC3 – Type2
B. Cloud Control Matrix (CCM)
C. SOC2 – Type1
D. SOC1 – Type1
Selected Answer: B
———————————————————————-
Question #: 39
Topic #: 1
Which of the following aspects of risk management involves identifying the potential reputational harm and/or financial harm when an incident occurs?
A. Mitigations
B. Residual risk
C. Likelihood
D. Impact Analysis
Selected Answer: D
———————————————————————-
Question #: 40
Topic #: 1
When using a SaaS solution, who is responsible for application security?
A. The cloud service provider only
B. The cloud service consumer only
C. Both cloud consumer and the enterprise
D. Both cloud provider and the consumer
Selected Answer: D
