CCAK: Certificate of Cloud Auditing Knowledge Part 3
Question #: 41
Topic #: 1
Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?
A. Aligning the cloud service delivery with the organization’s objective
B. Aligning the cloud provider’s SLA with the organization’s policy
C. Aligning shared responsibilities between provider and customer
D. Aligning the organization’s activity with the cloud provider’s policy
Selected Answer: C
———————————————————————-
Question #: 42
Topic #: 1
What aspect of SaaS functionality and operations would the cloud customer be responsible for and should be audited?
A. Access controls
B. Vulnerability management
C. Source code reviews
D. Patching
Selected Answer: A
———————————————————————-
Question #: 43
Topic #: 1
The Open Certification Framework is structured on three levels of trust. Those three levels of trust are:
A. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Compliance
B. CSA STAR Audit, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
C. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Monitoring and Control
D. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
Selected Answer: D
———————————————————————-
Question #: 44
Topic #: 1
Which of the following is a fundamental concept of FedRAMP that intends to save costs, time, and staff conducting superfluous agency security assessments?
A. Use often, provide many times
B. Be economical, act deliberately
C. Use existing, provide many times
D. Do once, use many times
Selected Answer: D
———————————————————————-
Question #: 45
Topic #: 1
Which of the following is the risk associated with storing data in a cloud that crosses jurisdictions?
A. Compliance risk
B. Provider administration risk
C. Audit risk
D. Virtualization risk
Selected Answer: A
———————————————————————-
Question #: 46
Topic #: 1
Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?
A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.
B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.
C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.
D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.
Selected Answer: D
———————————————————————-
Question #: 47
Topic #: 1
During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization’s DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor’s NEXT course of action?
A. Review the CSP audit reports.
B. Review the security white paper of the CSP.
C. Review the contract and DR capability.
D. Plan an audit of the CSP.
Selected Answer: A
———————————————————————-
Question #: 48
Topic #: 1
Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public SaaS application to ease the recruiting process?
A. Ensure HIPAA compliance
B. Implement a cloud access security broker
C. Consult the legal department
D. Do not allow data to be in cleartext
Selected Answer: C
———————————————————————-
Question #: 49
Topic #: 1
In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?
A. Service Provider control
B. Impact and Risk control
C. Data Inventory control
D. Compliance control
Selected Answer: D
———————————————————————-
Question #: 50
Topic #: 1
What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?
A. Unlike SAST, DAST is a blackbox and programming language agnostic.
B. DAST can dynamically integrate with most CI/CD tools.
C. DAST delivers more false positives than SAST.
D. DAST is slower but thorough.
Selected Answer: A
———————————————————————-
Question #: 51
Topic #: 1
Which of the following is a direct benefit of mapping the Cloud Control Matrix (CCM) to other international standards and regulations?
A. CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.
B. CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.
C. CCM mapping enables an uninterrupted data flow and, in particular, the export of personal data across different jurisdictions.
D. CCM mapping entitles cloud service providers to be certified under the CSA STAR program.
Selected Answer: B
———————————————————————-
Question #: 52
Topic #: 1
The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARILY in the:
A. risk management policy.
B. cloud policy.
C. business continuity plan.
D. information security standard for cloud technologies.
Selected Answer: B
———————————————————————-
Question #: 53
Topic #: 1
Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?
A. Design
B. Stakeholder identification
C. Development
D. Risk assessment
Selected Answer: B
———————————————————————-
Question #: 54
Topic #: 1
The customer management interface, if compromised over the public internet, can lead to:
A. customer’s computing and data compromise.
B. access to the RAM of neighboring cloud computer.
C. ease of acquisition of cloud services.
D. incomplete wiping of the data.
Selected Answer: A
———————————————————————-
Question #: 55
Topic #: 1
To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:
A. object-oriented architecture.
B. software architecture.
C. service-oriented architecture.
D. enterprise architecture.
Selected Answer: D
———————————————————————-
Question #: 56
Topic #: 1
How should controls be designed by an organization?
A. By the internal audit team
B. Using the ISO27001 framework
C. By the cloud provider
D. Using the organization’s risk management framework
Selected Answer: D
———————————————————————-
Question #: 57
Topic #: 1
Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?
A. Service Level Objective (SLO)
B. Recovery Point Objectives (RPO)
C. Service Level Agreement (SLA)
D. Recovery Time Objectives (RTO)
Selected Answer: A
———————————————————————-
Question #: 58
Topic #: 1
Your company is purchasing an application from a vendor. They do not allow you to perform an on-site audit on their information system. However, they say they will provide the third-party audit attestation on the adequate control design within their environment. Which report is the vendor providing you?
A. SOC 3
B. SOC 2, TYPE 2
C. SOC 1
D. SOC 2, TYPE 1
Selected Answer: D
———————————————————————-
Question #: 59
Topic #: 1
Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?
A. Development of the monitoring goals and requirements
B. Identification of processes, functions, and systems
C. Identification of the relevant laws, regulations, and standards
D. Identification of roles and responsibilities
Selected Answer: B
———————————————————————-
Question #: 60
Topic #: 1
Which of the following would be considered as a factor to trust in a cloud service provider?
A. The level of exposure for public information
B. The level of proved technical skills
C. The level of willingness to cooperate
D. The level of open source evidence available
Selected Answer: D
———————————————————————-
Question #: 61
Topic #: 1
When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?
A. Cloud Service Provider encryption capabilities
B. The presence of PII
C. Organizational security policies
D. Cost-benefit analysis
Selected Answer: C
———————————————————————-
Question #: 62
Topic #: 1
A certification target helps in the formation of a continuous certification framework by incorporating:
A. CSA STAR level 2 attestation.
B. service level objective and service qualitative objective.
C. frequency of evaluating security attributes.
D. scope description and security attributes to be tested.
Selected Answer: D
———————————————————————-
Question #: 63
Topic #: 1
In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?
A. Cloud service customer
B. Shared responsibility
C. Cloud service provider
D. Patching on hypervisor layer is not required
Selected Answer: C
———————————————————————-
Question #: 64
Topic #: 1
Supply chain agreements between CSP and cloud customers should, at minimum, include:
A. Organization chart of the CSP
B. Policies and procedures of the cloud customer
C. Audits, assessments and independent verification of compliance certifications with agreement terms
D. Regulatory guidelines impacting the cloud customer
Selected Answer: C
———————————————————————-
Question #: 65
Topic #: 1
Which of the following contract terms is necessary to meet a company’s requirement that needs to move data from one CSP to another?
A. Drag and Drop
B. Lift and shift
C. Flexibility to move
D. Transition and data portability
Selected Answer: D
———————————————————————-
Question #: 66
Topic #: 1
Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?
A. Policy based access control
B. Attribute based access control
C. Rule based access control
D. Role based access control
Selected Answer: B
———————————————————————-
Question #: 67
Topic #: 1
The Cloud Octagon Model was developed to support organizations’:
A. risk assessment methodology.
B. risk treatment methodology.
C. incident response methodology.
D. incident detection methodology.
Selected Answer: A
———————————————————————-
Question #: 68
Topic #: 1
Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?
A. Ensuring segregation of duties in the production and development pipelines.
B. Role-based access controls in the production and development pipelines.
C. Separation of production and development pipelines.
D. Periodic review of the CI/CD pipeline audit logs to identify any access violations.
Selected Answer: B
———————————————————————-
Question #: 69
Topic #: 1
A cloud customer configured and developed a solution on top of the certified cloud services. Building on top of a compliant CSP:
A. means that the cloud customer is also compliant.
B. means that the cloud customer and client are both compliant.
C. means that the cloud customer is compliant but their client is not compliant.
D. does not necessarily mean that the cloud customer is also compliant.
Selected Answer: D
———————————————————————-
Question #: 70
Topic #: 1
The rapid and dynamic rate of changes found in a cloud environment affects the organization’s:
A. risk profile.
B. risk appetite.
C. risk scoring.
D. risk communication.
Selected Answer: A
———————————————————————-
Question #: 71
Topic #: 1
A CSP providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance with stringent government standards?
A. Multi-Tier Cloud Security (MTCS) Attestation
B. FedRAMP Authorization
C. ISO/IEC 27001:2013 Certification
D. CSA STAR Level Certificate
Selected Answer: B
———————————————————————-
Question #: 72
Topic #: 1
Which plan will guide an organization on how to react to a security incident that might occur on the organization’s systems, or that might be affecting one of their service providers?
A. Incident Response Plans
B. Security Incident Plans
C. Unexpected Event Plans
D. Emergency Incident Plans
Selected Answer: A
———————————————————————-
Question #: 73
Topic #: 1
Which of the following would be the MOST critical finding of an application security and DevOps audit?
A. The organization is not using a unified framework to integrate cloud compliance with regulatory requirements.
B. Application architecture and configurations did not consider security measures.
C. Outsourced cloud service interruption, breach or loss of data stored at the cloud service provider.
D. Certifications with global security standards specific to cloud are not reviewed and the impact of noted findings are not assessed.
Selected Answer: B
———————————————————————-
Question #: 74
Topic #: 1
What should be an organization’s control audit schedule of a cloud service provider’s business continuity plan and operational resilience policy?
A. Annual
B. Quarterly
C. Monthly
D. Semi-annual
Selected Answer: A
———————————————————————-
Question #: 75
Topic #: 1
An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of the “Corporate Governance Relevance” feature to filter out those controls:
A. relating to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.
B. that can be either of a management or of a legal nature, therefore requiring an approval from the Change Advisory Board.
C. that require the prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.
D. that can be either of an administrative or of a technical nature, therefore requiring an approval from the Change Advisory Board.
Selected Answer: A
———————————————————————-
Question #: 76
Topic #: 1
Which of the following is the BEST way for a client to enforce a policy violation committed by a cloud service provider (CSP)?
A. The violation is agreed upon and documented.
B. Nothing can be done to enforce violations as this is a cloud service.
C. The violation is agreed to verbally by the CSP.
D. Violations will be automatically enforced so no action is needed.
Selected Answer: A
———————————————————————-
Question #: 77
Topic #: 1
Which of the following is a corrective control that may be identified in a SaaS service provider?
A. Log monitoring
B. Penetration testing
C. Incident response plans
D. Vulnerability scan
Selected Answer: C
———————————————————————-
Question #: 78
Topic #: 1
Which of the following configuration change controls is acceptable to a cloud auditor?
A. Development, test and production are hosted in the same network environment.
B. Programmers have permanent access to production software.
C. The Head of Development approves changes requested to production.
D. Programmers cannot make uncontrolled changes to the source code production version.
Selected Answer: D
———————————————————————-
Question #: 79
Topic #: 1
In cloud computing, with whom does the responsibility and accountability for compliance lie?
A. The cloud service provider is responsible and accountable for compliance.
B. The cloud service provider is responsible for compliance, and the cloud service customer is accountable.
C. The cloud service customer is responsible and accountable for compliance.
D. The cloud service customer is responsible for compliance, and the cloud service provider is accountable.
Selected Answer: C
———————————————————————-
Question #: 80
Topic #: 1
The BEST method to report continuous assessment of a cloud provider’s services to the CSA is through:
A. a set of dedicated application programming interfaces (APIs).
B. SOC 2 Type 2 attestation.
C. CCM assessment by a third-party auditor on a periodic basis.
D. tools selected by the third-party auditor.
Selected Answer: A
