
CCAK Questions and Answers

Question # 6

A cloud auditor should use statistical sampling rather than judgment (nonstatistical) sampling when:

A.

generalized audit software is unavailable.

B.

the auditor wants to avoid sampling risk.

C.

the probability of error must be objectively quantified.

D.

the tolerable error rate cannot be determined.

Question # 7

Which of the following is an example of reputational business impact?

A.

While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.

B.

The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euros.

C.

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.

D.

A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

Question # 8

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

A.

passed to the sub cloud service providers based on the sub cloud service providers' geographic location.

B.

passed to the sub cloud service providers.

C.

treated as confidential information and withheld from all sub cloud service providers.

D.

treated as sensitive information and withheld from certain sub cloud service providers.

Question # 9

Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

A.

Processes and systems to be audited

B.

Updated audit work program

C.

Documentation criteria for the audit evidence

D.

Testing procedure to be performed

Question # 10

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

A.

Establishing ownership and accountability

B.

Reporting emerging threats to senior stakeholders

C.

Monitoring key risk indicators (KRIs) for multi-cloud environments

D.

Automating risk monitoring and reporting processes

Question # 11

An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud. Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?

A.

Filter out only those controls directly influenced by contractual agreements.

B.

Leverage this feature to enable the adoption of the Shared Responsibility Model.

C.

Filter out only those controls having a direct impact on current terms of service (TOS) and service level agreement (SLA).

D.

Leverage this feature to enable a smarter selection of the next cloud provider.

Question # 12

Which of the following enables auditors to conduct gap analyses of what a cloud service provider offers versus what the customer requires?

A.

Using a standardized control framework

B.

The experience gained over the years

C.

Understanding the customer risk profile

D.

The as-is and to-be enterprise architecture (EA)

Question # 13

What is a sign that an organization has adopted a shift-left concept of code release cycles?

A.

Large entities with slower release cadences and geographically dispersed systems

B.

A waterfall model to move resources through the development to release phases

C.

Maturity of start-up entities with high-iteration to low-volume code commits

D.

Incorporation of automation to identify and address software code problems early

Question # 14

Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

A.

Documentation criteria for the audit evidence

B.

Testing procedure to be performed

C.

Processes and systems to be audited

D.

Updated audit work program

Question # 15

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

A.

ISO/IEC 27017:2015

B.

ISO/IEC 27002

C.

NIST SP 800-146

D.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Question # 16

What areas should be reviewed when auditing a public cloud?

A.

Identity and access management (IAM) and data protection

B.

Source code reviews and hypervisor

C.

Patching and configuration

D.

Vulnerability management and cyber security reviews

Question # 17

Which of the following should a cloud auditor recommend regarding controls for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?

A.

Assessment of contractual and regulatory requirements for customer access

B.

Establishment of policies and procedures across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction

C.

Data input and output integrity routines

D.

Testing in accordance with leading industry standards such as OWASP

Question # 18

Which of the following is an example of a corrective control?

A.

A central antivirus system installing the latest signature files before allowing a connection to the network

B.

All new employees having standard access rights until their manager approves privileged rights

C.

Unsuccessful access attempts being automatically logged for investigation

D.

Privileged access to critical information systems requiring a second factor of authentication using a soft token

Question # 19

Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?

A.

Impact analysis

B.

Likelihood

C.

Mitigation

D.

Residual risk

Question # 20

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following

What should be the BEST recommendation to reduce the provider’s burden?

A.

The provider can answer each customer individually.

B.

The provider can direct all customer inquiries to the information in the CSA STAR registry.

C.

The provider can schedule a call with each customer.

D.

The provider can share all security reports with customers to streamline the process

Question # 21

Cloud Controls Matrix (CCM) controls can be used by cloud customers to:

A.

develop new security baselines for the industry.

B.

define different control frameworks for different cloud service providers.

C.

build an operational cloud risk management program.

D.

facilitate communication with their legal department.

Question # 22

An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls the provider is responsible for?

A.

Review the provider's published questionnaires.

B.

Review third-party audit reports.

C.

Directly audit the provider.

D.

Send a supplier questionnaire to the provider.

Question # 23

Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?

A.

Location of data

B.

Amount of server storage

C.

Access controls

D.

Type of network technology

Question # 24

Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:

A.

client organization has a clear understanding of the provider's suppliers.

B.

suppliers are accountable for the provider's service that they are providing.

C.

client organization does not need to worry about the provider's suppliers, as this is the provider's responsibility.

D.

client organization and provider are both responsible for the provider's suppliers.

Question # 25

In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

A.

Cloud service provider

B.

Shared responsibility

C.

Cloud service customer

D.

Patching on hypervisor layer not required

Question # 26

Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?

A.

Contractual documents of the cloud service provider

B.

Heat maps

C.

Data security process flow

D.

Turtle diagram

Question # 27

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

A.

As an availability breach

B.

As a control breach

C.

As a confidentiality breach

D.

As an integrity breach

Question # 28

Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?

A.

Aligning the cloud service delivery with the organization’s objectives

B.

Aligning shared responsibilities between provider and customer

C.

Aligning the cloud provider’s service level agreement (SLA) with the organization's policy

D.

Aligning the organization's activity with the cloud provider’s policy

Question # 29

Which of the following is MOST important to manage risk from cloud vendors who might accidentally introduce unnecessary risk to an organization by adding new features to their solutions?

A.

Deploying new features using cloud orchestration tools

B.

Performing prior due diligence of the vendor

C.

Establishing responsibility in the vendor contract

D.

Implementing service level agreements (SLAs) around changes to baseline configurations

Question # 30

Visibility to which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments?

A.

Source code within build scripts

B.

Output from threat modeling exercises

C.

Service level agreements (SLAs)

D.

Results from automated testing

Question # 31

An auditor examining a cloud service provider's service level agreement (SLA) should be MOST concerned about whether:

A.

the agreement includes any operational matters that are material to the service operations.

B.

the agreement excludes any sourcing and financial matters that are material in meeting the service level agreement (SLA).

C.

the agreement includes any service availability matters that are material to the service operations.

D.

the agreement excludes any operational matters that are material to the service operations

Question # 32

A certification target helps in the formation of a continuous certification framework by incorporating:

A.

the service level objective (SLO) and service qualitative objective (SQO).

B.

the scope description and security attributes to be tested.

C.

the frequency of evaluating security attributes.

D.

CSA STAR level 2 attestation.

Question # 33

What is the FIRST thing to define when an organization is moving to the cloud?

A.

Goals of the migration

B.

Internal service level agreements (SLAs)

C.

Specific requirements

D.

Provider evaluation criteria

Question # 34

Which of the following activities is performed outside information security monitoring?

A.

Management review of the information security framework

B.

Monitoring the effectiveness of implemented controls

C.

Collection and review of security events before escalation

D.

Periodic review of risks, vulnerabilities, likelihoods, and threats

Question # 35

Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:

A.

client organization does not need to worry about the provider's suppliers, as this is the provider's responsibility.

B.

suppliers are accountable for the provider's service that they are providing.

C.

client organization and provider are both responsible for the provider's suppliers.

D.

client organization has a clear understanding of the provider's suppliers.

Question # 36

Which of the following is MOST important to ensure effective operationalization of cloud security controls?

A.

Identifying business requirements

B.

Comparing different control frameworks

C.

Assessing existing risks

D.

Training and awareness

Question # 37

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

A.

Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security brokers (CASBs).

B.

Cloud service providers can document roles and responsibilities for cloud security.

C.

Cloud service providers can document their security and compliance controls.

D.

Cloud service providers need the CAIQ to improve quality of customer service

Question # 38

The PRIMARY objective for an auditor to understand the organization's context for a cloud audit is to:

A.

determine whether the organization has carried out control self-assessment (CSA) and validated audit reports of the cloud service providers.

B.

validate an understanding of the organization's current state and how the cloud audit plan fits into the existing audit approach.

C.

validate the organization's performance effectiveness utilizing cloud service provider solutions.

D.

validate whether an organization has a cloud audit plan in place.

Question # 39

Which of the following is the FIRST step of the Cloud Risk Evaluation Framework?

A.

Analyzing potential impact and likelihood

B.

Establishing cloud risk profile

C.

Evaluating and documenting the risks

D.

Identifying key risk categories

Question # 40

Which of the following is the MOST significant difference between a cloud risk management program and a traditional risk management program?

A.

Virtualization of the IT landscape

B.

Shared responsibility model

C.

Risk management practices adopted by the cloud service provider

D.

Hosting sensitive information in the cloud environment

Question # 41

Which of the following types of risk is associated specifically with the use of multi-cloud environments in an organization?

A.

Risk of supply chain visibility and validation

B.

Risk of reduced visibility and control

C.

Risk of service reliability and uptime

D.

Risk of unauthorized access to customer and business data

Question # 42

To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:

A.

enterprise architecture (EA).

B.

object-oriented architecture.

C.

service-oriented architecture.

D.

software architecture

Question # 43

Which of the following cloud service provider activities MUST obtain a client's approval?

A.

Destroying test data

B.

Deleting subscription owner accounts

C.

Deleting test accounts

D.

Deleting guest accounts

Question # 44

A cloud auditor observed that just before new software went live, the librarian transferred production data to the test environment to confirm the new software can work in the production environment. What additional control should the cloud auditor check?

A.

Approval of the change by the change advisory board

B.

Explicit documented approval from all customers whose data is affected

C.

Training for the librarian

D.

Verification that the hardware of the test and production environments are compatible

Question # 45

Which of the following is a direct benefit of mapping the Cloud Controls Matrix (CCM) to other international standards and regulations?

A.

CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.

B.

CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.

C.

CCM mapping entitles cloud service providers to be certified under the CSA STAR program.

D.

CCM mapping enables an uninterrupted data flow and in particular the export of personal data across different jurisdictions.

Question # 46

When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

A.

cloud user.

B.

cloud service provider.

C.

cloud customer.

D.

certification authority (CA)

Question # 47

The Cloud Octagon Model was developed to support organizations':

A.

risk treatment methodology.

B.

incident detection methodology.

C.

incident response methodology.

D.

risk assessment methodology.

Question # 48

In audit parlance, what is meant by "management representation"?

A.

A person or group of persons representing executive management during audits

B.

A mechanism to represent organizational structure

C.

A project management technique to demonstrate management's involvement in key project stages

D.

Statements made by management in response to specific inquiries

Question # 49

Which of the following is an example of financial business impact?

A.

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.

B.

A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

C.

While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all

Question # 50

Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

A.

Control self-assessment (CSA)

B.

Third-party vendor involvement

C.

Exception reporting

D.

Application team internal review

Question # 51

What type of termination occurs at the initiative of one party and without the fault of the other party?

A.

Termination without the fault

B.

Termination at the end of the term

C.

Termination for cause

D.

Termination for convenience

Question # 52

When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer

A.

To determine the total cost of the cloud services to be deployed

B.

To confirm whether the compensating controls implemented are sufficient for the cloud services

C.

To determine how those services will fit within its policies and procedures

D.

To confirm which vendor will be selected based on compliance with security requirements
