CCAK: Certificate of Cloud Auditing Knowledge Part 4
Question #: 81
Topic #: 1
With regard to the Cloud Control Matrix (CCM), the ‘Architectural Relevance’ is a feature that enables the filtering of security controls by:
A. relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF), and the Zachman Framework for Enterprise Architecture.
B. relevant delivery models such as Software as a Service, Platform as a Service, Infrastructure as a Service.
C. relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.
D. relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.
Selected Answer: A
———————————————————————-
Question #: 82
Topic #: 1
To support customer’s verification of the CSP claims regarding their responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?
A. Contractual agreement
B. Internal audit
C. External audit
D. Security assessment
Selected Answer: C
———————————————————————-
Question #: 83
Topic #: 1
Which of the following has the MOST substantial impact on how aggressive or conservative the cloud approach of an organization will be?
A. Internal policies and technical standards
B. Risk scoring criteria
C. Applicable laws and regulations
D. Risk appetite and budget constraints
Selected Answer: D
———————————————————————-
Question #: 84
Topic #: 1
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization’s DevOps pipeline?
A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
Selected Answer: B
———————————————————————-
Question #: 85
Topic #: 1
Which of the following are the three MAIN phases of the cloud controls matrix (CCM) mapping methodology?
A. Plan –> Develop –> Release
B. Deploy –> Monitor –> Audit
C. Initiation –> Execution –> Monitoring and Controlling
D. Preparation –> Execution –> Peer Review and Publication
Selected Answer: D
———————————————————————-
Question #: 86
Topic #: 1
A large organization with subsidiaries in multiple locations has a business requirement to organize its IT systems so that identified resources reside in particular locations together with the organizational personnel for those locations. Which access control method will allow IT personnel to be segregated across the various locations?
A. Role Based Access Control
B. Attribute Based Access Control
C. Policy Based Access Control
D. Rule Based Access Control
Selected Answer: B
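The distinction behind this question is that a role alone says nothing about where an administrator sits, whereas an attribute-based policy can compare a subject's location attribute with the resource's. The following is an added illustration, not material from the exam or from CSA; the subjects, resource, role names and the policy itself are constructed for the example, and a real deployment would evaluate the same kind of rule in the cloud provider's IAM policy engine.

```go
package main

import "fmt"

// Subject attributes of an IT administrator (constructed example data).
type Subject struct {
	ID       string
	Role     string
	Location string
}

// Resource attributes; Location is the attribute that drives segregation.
type Resource struct {
	ID       string
	Location string
}

// rbacAllows models a pure role-based check. It only consults the role, so
// an "it-admin" in London is indistinguishable from one in Singapore.
func rbacAllows(s Subject, r Resource, action string) bool {
	return s.Role == "it-admin" && (action == "read" || action == "manage")
}

// abacAllows evaluates a policy over subject, resource and action attributes:
// administrators manage and read only resources in their own location, while
// the group auditor role may read (but never manage) resources anywhere.
// Any action the policy does not name is denied.
func abacAllows(s Subject, r Resource, action string) bool {
	sameSite := s.Location == r.Location
	switch action {
	case "manage":
		return s.Role == "it-admin" && sameSite
	case "read":
		return (s.Role == "it-admin" && sameSite) || s.Role == "group-auditor"
	}
	return false
}

func main() {
	subjects := []Subject{
		{"alice", "it-admin", "london"},
		{"bob", "it-admin", "singapore"},
		{"carol", "group-auditor", "london"},
	}
	vm := Resource{"vm-42", "singapore"}
	for _, s := range subjects {
		for _, action := range []string{"read", "manage"} {
			fmt.Printf("%-6s %-14s %-6s on %s (%s): rbac=%-5v abac=%v\n",
				s.ID, s.Role, action, vm.ID, vm.Location,
				rbacAllows(s, vm, action), abacAllows(s, vm, action))
		}
	}
}
```

Running it shows the London administrator passing the RBAC check but failing the ABAC check for the Singapore machine; that gap is exactly what an auditor looks for when the requirement is location-based segregation of personnel.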
———————————————————————-
Question #: 87
Topic #: 1
Which of the following is the MOST feasible way to validate the performance of CSPs for the delivery of technology resources?
A. Cloud compliance program
B. Legacy IT compliance program
C. Internal audit program
D. Service organization controls report
Selected Answer: A
———————————————————————-
Question #: 88
Topic #: 1
What data center and physical security measures should a cloud customer consider when assessing a cloud service provider?
A. Assess use of monitoring systems to control ingress and egress points of entry to the data center.
B. Implement physical security perimeters to safeguard personnel, data and information systems.
C. Conduct a due diligence to verify the cloud provider applies adequate physical security measures.
D. Review internal policies and procedures for relocation of hardware and software to an offsite location.
Selected Answer: C
———————————————————————-
Question #: 89
Topic #: 1
Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?
A. Updated audit/work program
B. Documentation criteria for the audit evidence
C. Processes and systems to be audited
D. Testing procedure to be performed
Selected Answer: C
———————————————————————-
Question #: 90
Topic #: 1
When establishing cloud governance, an organization should FIRST test by migrating:
A. all applications at once to the cloud.
B. complex applications to the cloud.
C. legacy applications to the cloud.
D. a few applications to the cloud.
Selected Answer: D
———————————————————————-
Question #: 91
Topic #: 1
When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?
A. Data retention, backup, and recovery
B. Patch management process
C. Return or destruction of information
D. Network intrusion detection
Selected Answer: C
———————————————————————-
Question #: 92
Topic #: 1
The BEST way to deliver continuous compliance in a cloud environment is to:
A. decrease the interval between attestations of compliance.
B. combine point-in-time assurance approaches with continuous monitoring.
C. increase the frequency of external audits from annual to quarterly.
D. combine point-in-time assurance approaches with continuous auditing.
Selected Answer: D
———————————————————————-
Question #: 93
Topic #: 1
To identify key actors and requirements, which of the following MUST be considered when designing a cloud compliance program?
A. Cloud service provider, internal and external audit perspectives
B. Business/organizational, governance, cloud and risk perspectives
C. Enterprise risk management, data protection, privacy and legal perspectives
D. Key stakeholders, enterprise risk management, and Internal audit perspectives
Selected Answer: C
———————————————————————-
Question #: 94
Topic #: 1
Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
A. ISO/IEC 27017:2015
B. CSA Cloud Control Matrix (CCM)
C. NIST SP 800-146
D. ISO/IEC 27002
Selected Answer: A
———————————————————————-
Question #: 95
Topic #: 1
Which of the following is the common cause of misconfiguration in a cloud environment?
A. Absence of effective change control
B. Using multiple cloud service providers
C. New cloud computing techniques
D. Traditional change process mechanisms
Selected Answer: A
———————————————————————-
Question #: 96
Topic #: 1
To ensure that integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?
A. Parallel testing
B. Full application stack unit testing
C. Regression testing
D. Functional verification
Selected Answer: A
———————————————————————-
Question #: 97
Topic #: 1
One of the Cloud Control Matrix’s (CCM’s) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.” Which of the following controls under the Audit Assurance and Compliance domain does this match to?
A. Audit planning
B. Information system and regulatory mapping
C. GDPR auditing
D. Independent audits
Selected Answer: D
———————————————————————-
Question #: 98
Topic #: 1
In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:
A. both operating system and application infrastructure contained within the CSP’s instances.
B. both operating system and application infrastructure contained within the customer’s instances
C. only application infrastructure contained within the CSP’s instances.
D. only application infrastructure contained within the customer’s instances.
Selected Answer: B
———————————————————————-
Question #: 99
Topic #: 1
When building a cloud governance model, which of the following requirements will focus more on the cloud service provider’s evaluation and control checklist?
A. Security requirements
B. Legal requirements
C. Compliance requirements
D. Operational requirements
Selected Answer: A
———————————————————————-
Question #: 100
Topic #: 1
Prioritizing assurance activities for an organization’s cloud services portfolio depends PRIMARILY on an organization’s ability to:
A. schedule frequent reviews with high-risk cloud service providers.
B. develop plans using a standardized risk-based approach.
C. maintain a comprehensive cloud service inventory.
D. collate views from various business functions using cloud services.
Selected Answer: B
———————————————————————-
Question #: 101
Topic #: 1
If the degree of verification for information shared with the auditor during an audit is low, the auditor should:
A. reject the information as audit evidence.
B. stop evaluating the requirement altogether and review other audit areas.
C. delve deeper to obtain the required information to decide conclusively.
D. use professional judgment to determine the degree of reliance that can be placed on the information as evidence.
Selected Answer: C
———————————————————————-
Question #: 102
Topic #: 1
Which best describes the difference between a type 1 and a type 2 SOC report?
A. A type 2 SOC report validates the operating effectiveness of controls whereas a type 1 SOC report validates the suitability of the design of the controls.
B. A type 2 SOC report validates the suitability of the design of the controls whereas a type 1 SOC report validates the operating effectiveness of controls.
C. A type 1 SOC report provides an attestation whereas a type 2 SOC report offers a certification.
D. There is no difference between a type 2 and type 1 SOC report.
Selected Answer: A
———————————————————————-
Question #: 103
Topic #: 1
You have been assigned the implementation of an ISMS, whose scope must cover both on premise and cloud infrastructure. Which of the following is your BEST option?
A. Implement ISO/IEC 27002 and complement it with additional controls from the CCM.
B. Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27017.
C. Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27002.
D. Implement ISO/IEC 27001 and complement it with additional controls from the NIST SP 800-145.
Selected Answer: B
———————————————————————-
Question #: 104
Topic #: 1
As a developer building code into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?
A. Within developer’s laptop
B. Within the CI/CD server
C. Within version repositories
D. Within the CI/CD pipeline
Selected Answer: D
———————————————————————-
Question #: 105
Topic #: 1
An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. From the following, to whom should the auditor report the findings?
A. Public
B. Management of organization being audited
C. Shareholders/interested parties
D. Cloud service provider
Selected Answer: C
———————————————————————-
Question #: 106
Topic #: 1
Which of the following parties should have accountability for cloud compliance requirements?
A. Customer
B. Equally shared between customer and provider
C. Provider
D. Either customer or provider, depending on requirements
Selected Answer: A
———————————————————————-
Question #: 107
Topic #: 1
Which of the following data destruction methods is the MOST effective and efficient?
A. Crypto-shredding
B. Degaussing
C. Multi-pass wipes
D. Physical destruction
Selected Answer: A
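Crypto-shredding is efficient because nothing has to be rewritten: the data is stored encrypted under a per-tenant data encryption key, and destroying that key renders every blob encrypted under it unrecoverable wherever copies of the ciphertext exist. The following is an added example, not code from the exam or from CSA; the Store type, tenant names and in-memory key handling are assumptions for illustration (a production system would keep the DEKs wrapped by a KMS or HSM key, and the shred would be the destruction of that key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a tenant's data encryption key is gone.
var ErrKeyShredded = errors.New("data encryption key has been destroyed")

// Store holds one 256-bit data encryption key (DEK) per tenant and the
// ciphertexts that remain "on disk". DEKs live in memory here for brevity.
type Store struct {
	deks     map[string][]byte
	shredded map[string]bool
	blobs    map[string][][]byte
}

func NewStore() *Store {
	return &Store{
		deks:     map[string][]byte{},
		shredded: map[string]bool{},
		blobs:    map[string][][]byte{},
	}
}

// aead builds an AES-256-GCM instance for a key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the tenant's DEK (created on first use). The
// tenant ID is bound as associated data so a blob cannot be replayed under another tenant's key.
func (s *Store) Encrypt(tenant string, plaintext []byte) ([]byte, error) {
	if s.shredded[tenant] {
		return nil, ErrKeyShredded
	}
	key, ok := s.deks[tenant]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		s.deks[tenant] = key
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // random 96-bit nonce; acceptable for a small number of blobs per key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := g.Seal(nonce, nonce, plaintext, []byte(tenant)) // layout: nonce || ciphertext || tag
	s.blobs[tenant] = append(s.blobs[tenant], blob)
	return blob, nil
}

// Decrypt fails with ErrKeyShredded once the DEK is gone, although the blob still exists.
func (s *Store) Decrypt(tenant string, blob []byte) ([]byte, error) {
	key, ok := s.deks[tenant]
	if !ok {
		return nil, ErrKeyShredded
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(tenant))
}

// Shred is the crypto-shredding step: zero the key material and forget it.
// The ciphertext is untouched, which is why the method scales to storage a physical wipe cannot reach.
func (s *Store) Shred(tenant string) {
	if key, ok := s.deks[tenant]; ok {
		for i := range key {
			key[i] = 0
		}
	}
	delete(s.deks, tenant)
	s.shredded[tenant] = true
}

// Blobs returns the ciphertexts still stored for a tenant.
func (s *Store) Blobs(tenant string) [][]byte { return s.blobs[tenant] }

func main() {
	st := NewStore()
	blob, _ := st.Encrypt("acme", []byte("customer record 1"))
	st.Shred("acme")
	_, err := st.Decrypt("acme", blob)
	fmt.Printf("acme blobs still on disk: %d; decrypt after shred: %v\n", len(st.Blobs("acme")), err)
}
```

The auditor's caveat is that the method is only as good as the key destruction: if the DEK survives in a backup, a KMS export or an application log, the data is not destroyed at all, so evidence of key lifecycle controls is what should be requested alongside the shredding procedure.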
———————————————————————-
Question #: 108
Topic #: 1
Under GDPR, an organization should report a data breach within what time frame?
A. 72 hours
B. 2 weeks
C. 1 week
D. 48 hours
Selected Answer: A
———————————————————————-
Question #: 109
Topic #: 1
Which of the following cloud models prohibits penetration testing?
A. Hybrid Cloud
B. Private Cloud
C. Public Cloud
D. Community Cloud
Selected Answer: C
———————————————————————-
Question #: 110
Topic #: 1
What type of termination occurs at the initiative of one party, and without the fault of the other party?
A. Termination for cause
B. Termination for convenience
C. Termination at the end of the term
D. Termination without the fault
Selected Answer: B
———————————————————————-
Question #: 111
Topic #: 1
Which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments? The visibility of:
A. output from threat modeling exercises.
B. results from automated testing.
C. source code within build scripts.
D. service level agreements.
Selected Answer: C
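When IaaS is deployed from build scripts, the scripts are the design record: a world-open port or a public bucket is a decision written down in code, not something the auditor has to infer from a running environment. The following is an added example, not code from the exam or from CSA; it reviews a constructed template in a simplified, hypothetical JSON format (not real CloudFormation or Terraform syntax), and the three rules and the list of ports allowed from the Internet are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample in a simplified, hypothetical template format standing in
// for the IaaS build scripts an auditor would read.
const sampleTemplate = `{
  "resources": [
    {"name": "web-sg", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
                 {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    {"name": "db-sg", "type": "security_group",
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    {"name": "logs", "type": "bucket", "public_read": true, "encrypted": false},
    {"name": "app-data", "type": "bucket", "public_read": false, "encrypted": true}
  ]
}`

type Ingress struct {
	CIDR     string `json:"cidr"`
	FromPort int    `json:"from_port"`
	ToPort   int    `json:"to_port"`
}

type Resource struct {
	Name       string    `json:"name"`
	Type       string    `json:"type"`
	Ingress    []Ingress `json:"ingress"`
	PublicRead bool      `json:"public_read"`
	Encrypted  bool      `json:"encrypted"`
}

type Template struct {
	Resources []Resource `json:"resources"`
}

// Finding is one design decision the auditor should question.
type Finding struct {
	Resource string
	Rule     string
	Detail   string
}

// worldOK lists the ports that may legitimately be exposed to the Internet here.
var worldOK = map[int]bool{80: true, 443: true}

// Review parses the template and applies three checks: world-open ingress on
// anything but HTTP/HTTPS, publicly readable buckets, and unencrypted buckets.
func Review(raw string) ([]Finding, error) {
	var tpl Template
	if err := json.Unmarshal([]byte(raw), &tpl); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, r := range tpl.Resources {
		switch r.Type {
		case "security_group":
			for _, in := range r.Ingress {
				if in.CIDR != "0.0.0.0/0" && in.CIDR != "::/0" {
					continue
				}
				// A port range is flagged whole; a single port only if it is not on the allow list.
				if in.FromPort != in.ToPort || !worldOK[in.FromPort] {
					findings = append(findings, Finding{r.Name, "world-open-port",
						fmt.Sprintf("ports %d-%d open to %s", in.FromPort, in.ToPort, in.CIDR)})
				}
			}
		case "bucket":
			if r.PublicRead {
				findings = append(findings, Finding{r.Name, "public-bucket", "public_read is true"})
			}
			if !r.Encrypted {
				findings = append(findings, Finding{r.Name, "unencrypted-bucket", "encrypted is false"})
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := Review(sampleTemplate)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-10s %-20s %s\n", f.Resource, f.Rule, f.Detail)
	}
}
```

The same checks run as a pipeline gate turn a one-off audit observation into a control the auditor can later test for operating effectiveness, which is the thread connecting this question to the earlier ones on security gates and continuous auditing.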
———————————————————————-
Question #: 112
Topic #: 1
An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:
A. assess the existence and adequacy of a security awareness training program at the cloud service provider’s organization, as the cloud customer hired the auditor to review the cloud service.
B. assess the existence and adequacy of a security awareness training program at both the cloud customer’s organization and the cloud service provider’s organization.
C. assess the existence and adequacy of a security awareness training program at the cloud customer’s organization as they hired the auditor.
D. not assess the security awareness training program, as it is each organization’s own responsibility.
Selected Answer: B
———————————————————————-
Question #: 113
Topic #: 1
The MOST critical concept of managing the build and test of code in DevOps is:
A. continuous build.
B. continuous delivery.
C. continuous deployment.
D. continuous integration.
Selected Answer: D
———————————————————————-
Question #: 114
Topic #: 1
The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?
A. Agence nationale de la sécurité des systèmes d’information (ANSSI)
B. National Institute of Standards and Technology (NIST)
C. National Security Agency (NSA)
D. Bundesamt für Sicherheit in der Informationstechnik (BSI)
Selected Answer: D
———————————————————————-
Question #: 115
Topic #: 1
Which statement about compliance responsibilities and ownership of accountability is correct?
A. Organizations may be able to transfer their accountability for compliance with various regulatory requirements to their CSPs, but they retain the ownership of responsibility.
B. Organizations may be able to transfer their responsibility for compliance with various regulatory requirements to their CSPs, but they retain the ownership of accountability.
C. Organizations may transfer their responsibility and accountability for compliance with various regulatory requirements to their CSPs.
D. Organizations are not able to transfer their responsibility nor accountability for compliance with various regulatory requirements to their CSPs.
Selected Answer: B
———————————————————————-
Question #: 116
Topic #: 1
Which objective is MOST appropriate to measure the effectiveness of password policy?
A. The number of related incidents increases.
B. Attempts to log in with weak credentials increase.
C. Newly created account credentials satisfy requirements.
D. The number of related incidents decreases.
Selected Answer: D
———————————————————————-
Question #: 117
Topic #: 1
A Dot Release of Cloud Control Matrix (CCM) indicates what?
A. The introduction of new control frameworks mapped to previously-published CCM controls.
B. A revision of the CCM domain structure.
C. A technical change (revision, addition or deletion) affecting fewer than 10% of the controls compared to the previous “Full” release.
D. A technical change (revision, addition or deletion) affecting more than 10% of the controls compared to the previous “Full” release.
Selected Answer: C
———————————————————————-
Question #: 118
Topic #: 1
What should be the auditor’s PRIMARY objective while examining a cloud service provider’s (CSP’s) SLA?
A. Verifying whether commensurate compensation in the form of service credits is factored in if the CSC is unable to match its SLA obligations
B. Verifying whether the SLA includes all the operational matters which are material to the operation of the service
C. Verifying whether the SLA caters to the availability requirements of the cloud service customer (CSC)
D. Verifying whether the SLAs are well-defined and measurable
Selected Answer: D
———————————————————————-
Question #: 119
Topic #: 1
Which of the following is an example of a corrective control?
A. A central anti-virus system installing the latest signature files before allowing a connection to the network
B. Unsuccessful access attempts being automatically logged for investigation
C. Privileged access to critical information systems requiring a second factor of authentication using soft token
D. All new employees having standard access rights until their manager approves privileged rights
Selected Answer: B
———————————————————————-
Question #: 120
Topic #: 1
Which of the following is a cloud-specific security standard?
A. ISO27017
B. ISO27701
C. ISO22301
D. ISO14001
Selected Answer: A
