New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Isaca CCAK Certificate of Cloud Auditing Knowledge Exam Practice Test

Demo: 54 questions
Total 182 questions

Certificate of Cloud Auditing Knowledge Questions and Answers

Question 1

Which of the following activities is performed outside information security monitoring?

Options:

A.

Management review of the information security framework

B.

Monitoring the effectiveness of implemented controls

C.

Collection and review of security events before escalation

D.

Periodic review of risks, vulnerabilities, likelihoods, and threats

Question 2

What is a sign that an organization has adopted a shift-left concept of code release cycles?

Options:

A.

Large entities with slower release cadences and geographically dispersed systems

B.

A waterfall model to move resources through the development to release phases

C.

Maturity of start-up entities with high-iteration to low-volume code commits

D.

Incorporation of automation to identify and address software code problems early

Question 3

Which of the following is the BEST control framework for a European manufacturing corporation that is migrating to the cloud?

Options:

A.

CSA'sGDPRCoC

B.

EUGDPR

C.

NIST SP 800-53

D.

PCI-DSS

Question 4

Which of the following is the BEST method to demonstrate assurance in the cloud services to multiple cloud customers?

Options:

A.

Provider’s financial stability report and market value

B.

Reputation of the service provider in the industry

C.

Provider self-assessment and technical documents

D.

External attestation and certification audit reports

Question 5

Which of the following attestations allows for immediate adoption of the Cloud Controls Matrix (CCM) as additional criteria to AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?

Options:

A.

BSI Criteria Catalogue C5

B.

PCI-DSS

C.

MTCS

D.

CSA STAR Attestation

Question 6

What is a sign that an organization has adopted a shift-left concept of code release cycles?

Options:

A.

Large entities with slower release cadences and geographically dispersed systems

B.

Incorporation of automation to identify and address software code problems early

C.

A waterfall model remove resources through the development to release phases

D.

Maturity of start-up entities with high-iteration to low-volume code commits

Question 7

What does “The Egregious 11" refer to?

Options:

A.

The OWASP Top 10 adapted to cloud computing

B.

A list of top shortcomings of cloud computing

C.

A list of top breaches in cloud computing

D.

A list of top threats to cloud computing

Question 8

If a customer management interface is compromised over the public Internet, it can lead to:

Options:

A.

incomplete wiping of the data.

B.

computing and data compromise for customers.

C.

ease of acquisition of cloud services.

D.

access to the RAM of neighboring cloud computers.

Question 9

The MOST critical concept for managing the building and testing of code in DevOps is:

Options:

A.

continuous build.

B.

continuous delivery.

C.

continuous integration.

D.

continuous deployment.

Question 10

Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

Options:

A.

Rule-based access control

B.

Attribute-based access control

C.

Policy-based access control

D.

Role-based access control

Question 11

Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?

Options:

A.

Contractual documents of the cloud service provider

B.

Heat maps

C.

Data security process flow

D.

Turtle diagram

Question 12

As Infrastructure as a Service (laaS) cloud service providers often do not allow the cloud service customers to perform on-premise audits, the BEST approach for the auditor should be to:

Options:

A.

use other sources of available data for evaluating the customer's controls.

B.

recommend that the customer not use the services provided by the provider.

C.

refrain from auditing the provider's security controls due to lack of cooperation.

D.

escalate the lack of support from the provider to the regulatory authority.

Question 13

What areas should be reviewed when auditing a public cloud?

Options:

A.

Identity and access management (IAM) and data protection

B.

Source code reviews and hypervisor

C.

Patching and configuration

D.

Vulnerability management and cyber security reviews

Question 14

Which of the following should a cloud auditor recommend regarding controls for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?

Options:

A.

Assessment of contractual and regulatory requirements for customer access

B.

Establishment of policies and procedures across multiple system interfaces, jurisdictions,

and business functions to prevent improper disclosure, alteration, or destruction

C.

Data input and output integrity routines

D.

Testing in accordance with leading industry standards such as OWASP

Question 15

organization should document the compliance responsibilities and ownership of accountability in a RACI chart or its informational equivalents in order to:

Options:

A.

provide a holistic and seamless view of the cloud service provider's responsibility for compliance with prevailing laws and regulations.

B.

provide a holistic and seamless view of the enterprise's responsibility for compliance with prevailing laws and regulations.

C.

conform to the organization's governance model.

D.

define the cloud compliance requirements and how they interplay with the organization’s business strategy, goals, and other compliance requirements.

Question 16

An auditor examining a cloud service provider's service level agreement (SLA) should be MOST concerned about whether:

Options:

A.

the agreement includes any operational matters that are material to the service operations.

B.

the agreement excludes any sourcing and financial matters that are material in meeting the

service level agreement (SLA).

C.

the agreement includes any service availability matters that are material to the service operations.

D.

the agreement excludes any operational matters that are material to the service operations

Question 17

Which of the following is a cloud-specific security standard?

Options:

A.

15027017

B.

15014001

C.

15022301

D.

15027701

Question 18

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

Options:

A.

Ensuring segregation of duties in the production and development pipelines

B.

Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations

C.

Role-based access controls in the production and development pipelines

D.

Separation of production and development pipelines

Question 19

Which of the following is an example of reputational business impact?

Options:

A.

While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.

B.

The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euros.

C.

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.

D.

A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

Question 20

Which of the following is MOST important to ensure effective operationalization of cloud security controls?

Options:

A.

Identifying business requirements

B.

Comparing different control frameworks

C.

Assessing existing risks

D.

Training and awareness

Question 21

Which of the following types of SOC reports BEST helps to ensure operating effectiveness of controls in a cloud service provider offering?

Options:

A.

SOC 3 Type 2

B.

SOC 2 Type 2

C.

SOC 1 Type 1

D.

SOC 2 Type 1

Question 22

Which of the following can be used to determine whether access keys are stored in the source code or any other configuration files during development?

Options:

A.

Static code review

B.

Dynamic code review

C.

Vulnerability scanning

D.

Credential scanning

Question 23

What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?

Options:

A.

Access controls

B.

Vulnerability management

C.

Patching

D.

Source code reviews

Question 24

To ensure a cloud service provider is complying with an organization's privacy requirements, a cloud auditor should FIRST review:

Options:

A.

organizational policies, standards, and procedures.

B.

adherence to organization policies, standards, and procedures.

C.

legal and regulatory requirements.

D.

the IT infrastructure.

Question 25

Market share and geolocation are aspects PRIMARILY related to:

Options:

A.

business perspective.

B.

cloud perspective.

C.

risk perspective.

D.

governance perspective.

Question 26

What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?

Options:

A.

Source code reviews

B.

Patching

C.

Access controls

D.

Vulnerability management

Question 27

Which of the following would be considered as a factor to trust in a cloud service provider?

Options:

A.

The level of willingness to cooperate

B.

The level of exposure for public information

C.

The level of open source evidence available

D.

The level of proven technical skills

Question 28

The MOST important factor to consider when implementing cloud-related controls is the:

Options:

A.

shared responsibility model.

B.

effectiveness of the controls.

C.

risk reporting.

D.

risk ownership

Question 29

Which of the following is the FIRST step of the Cloud Risk Evaluation Framework?

Options:

A.

Analyzing potential impact and likelihood

B.

Establishing cloud risk profile

C.

Evaluating and documenting the risks

D.

Identifying key risk categories

Question 30

Which of the following is MOST useful for an auditor to review when seeking visibility into the cloud supply chain for a newly acquired Software as a Service (SaaS) solution?

Options:

A.

SaaS provider contract

B.

Payments made by the service owner

C.

SaaS vendor white papers

D.

Cloud compliance obligations register

Question 31

Which of the following is an example of integrity technical impact?

Options:

A.

The cloud provider reports a breach of customer personal data from an unsecured server.

B.

distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.

C.

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.

D.

A hacker using a stolen administrator identity alters the discount percentage in the product database.

Question 32

An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls provider is responsible for?

Options:

A.

Review the provider's published questionnaires.

B.

Review third-party audit reports.

C.

Directly audit the provider.

D.

Send a supplier questionnaire to the provider.

Question 33

A cloud service provider providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance to stringent government standards?

Options:

A.

CSA STAR Level Certificate

B.

Multi-Tier Cloud Security (MTCS) Attestation

C.

ISO/IEC 27001:2013 Certification

D.

FedRAMP Authorization

Question 34

Visibility to which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (laaS) deployments?

Options:

A.

Source code within build scripts

B.

Output from threat modeling exercises

C.

Service level agreements (SLAs)

D.

Results from automated testing

Question 35

To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:

Options:

A.

Cloud Controls Matrix (CCM) and ISO/IEC 27001:2013 controls.

B.

ISO/IEC 27001:2013 controls.

C.

all Cloud Controls Matrix (CCM) controls and TSPC security principles.

D.

maturity model criteria.

Question 36

Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

Options:

A.

Control self-assessment (CSA)

B.

Third-party vendor involvement

C.

Exception reporting

D.

Application team internal review

Question 37

Under GDPR, an organization should report a data breach within what time frame?

Options:

A.

48 hours

B.

72 hours

C.

1 week

D.

2 weeks

Question 38

What areas should be reviewed when auditing a public cloud?

Options:

A.

Patching and configuration

B.

Vulnerability management and cyber security reviews

C.

Identity and access management (IAM) and data protection

D.

Source code reviews and hypervisor

Question 39

When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

Options:

A.

Return or destruction of information

B.

Data retention, backup, and recovery

C.

Patch management process

D.

Network intrusion detection

Question 40

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

Options:

A.

ISO/IEC 27017:2015

B.

ISO/IEC 27002

C.

NIST SP 800-146

D.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Question 41

While using Software as a Service (SaaS) to store secret customer information, an organization identifies a risk of disclosure to unauthorized parties. Although the SaaS service continues to be used, secret customer data is not processed. Which of the following risk treatment methods is being practiced?

Options:

A.

Risk acceptance

B.

Risk transfer

C.

Risk mitigation

D.

Risk reduction

Question 42

Which of the following cloud service provider activities MUST obtain a client's approval?

Options:

A.

Destroying test data

B.

Deleting subscription owner accounts

C.

Deleting test accounts

D.

Deleting guest accounts

Question 43

With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:

Options:

A.

relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF). and the Zachman Framework for Enterprise Architecture.

B.

relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.

C.

relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.

D.

relevant delivery models such as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (laaS).

Question 44

From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?

Options:

A.

Process of security integration using automation in software development

B.

Operational framework that promotes software consistency through automation

C.

Development standards for addressing integration, testing, and deployment issues

D.

Making software development simpler, faster, and easier using automation

Question 45

When mapping controls to architectural implementations, requirements define:

Options:

A.

control objectives.

B.

control activities.

C.

guidelines.

D.

policies.

Question 46

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?

Options:

A.

Red team

B.

Blue team

C.

White box

D.

Gray box

Question 47

A new company has all its operations in the cloud. Which of the following would be the BEST information security control framework to implement?

Options:

A.

NIST 800-73, because it is a control framework implemented by the main cloud providers

B.

ISO/IEC 27018

C.

ISO/IEC 27002

D.

(S) Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Question 48

Which of the following is the MOST significant difference between a cloud risk management program and a traditional risk management program?

Options:

A.

Virtualization of the IT landscape

B.

Shared responsibility model

C.

Risk management practices adopted by the cloud service provider

D.

Hosting sensitive information in the cloud environment

Question 49

When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:

Options:

A.

shared.

B.

avoided.

C.

transferred.

D.

maintained.

Question 50

The Cloud Octagon Model was developed to support organizations':

Options:

A.

risk treatment methodology.

B.

incident detection methodology.

C.

incident response methodology.

D.

risk assessment methodology.

Question 51

Which of the following is an example of a corrective control?

Options:

A.

A central antivirus system installing the latest signature files before allowing a connection to the network

B.

All new employees having standard access rights until their manager approves privileged rights

C.

Unsuccessful access attempts being automatically logged for investigation

D.

Privileged access to critical information systems requiring a second factor of authentication using a soft token

Question 52

It is MOST important for an auditor to be aware that an inventory of assets within a cloud environment:

Options:

A.

should be mapped only if discovered during the audit.

B.

is not fundamental for the security management program, as this is a cloud service.

C.

can be a misleading source of data.

D.

is fundamental for the security management program

Question 53

In audit parlance, what is meant by "management representation"?

Options:

A.

A person or group of persons representing executive management during audits

B.

A mechanism to represent organizational structure

C.

A project management technique to demonstrate management's involvement in key

project stages

D.

Statements made by management in response to specific inquiries

Question 54

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?

Options:

A.

Management of the organization being audited

B.

Shareholders and interested parties

C.

Cloud service provider

D.

Public

Demo: 54 questions
Total 182 questions