New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

CCAK Certificate of Cloud Auditing Knowledge Questions and Answers

Questions 4

Which of the following is an example of availability technical impact?

Options:

A.

A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.

B.

The cloud provider reports a breach of customer personal data from an unsecured server.

C.

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.

D.

A hacker using a stolen administrator identity alters the discount percentage in the product database

Buy Now
Questions 5

Which of the following metrics are frequently immature?

Options:

A.

Metrics around specific Software as a Service (SaaS) application services

B.

Metrics around Infrastructure as a Service (laaS) computing environments

C.

Metrics around Infrastructure as a Service (laaS) storage and network environments

D.

Metrics around Platform as a Service (PaaS) development environments

Buy Now
Questions 6

What do cloud service providers offer to encourage clients to extend the cloud platform?

Options:

A.

Cloud console

B.

Reward programs

C.

Access to the cloud infrastructure

D.

Application programming interfaces (APIs)

Buy Now
Questions 7

is it important for the individuals in charge of cloud compliance to understand the organization's past?

Options:

A.

To determine the current state of the organization's compliance

B.

To determine the risk profile of the organization

C.

To address any open findings from previous external audits

D.

To verify whether the measures implemented from the lessons learned are effective

Buy Now
Questions 8

A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?

Options:

A.

The auditor should review the service providers' security controls even more strictly, as they are further separated from the cloud customer.

B.

The auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply.

C.

As the contract for the cloud service is between the cloud customer and the cloud service provider, there is no need for the auditor to review the services provided by the service providers.

D.

As the relationship between the cloud service provider and its service providers is governed by separate contracts between them, there is no need for the auditor to review the services

Buy Now
Questions 9

In the context of Infrastructure as a Service (laaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

Options:

A.

both operating system and application infrastructure contained within the cloud service

provider’s instances.

B.

both operating system and application infrastructure contained within the customer’s

instances.

C.

only application infrastructure contained within the cloud service provider’s instances.

D.

only application infrastructure contained within the customer's instance

Buy Now
Questions 10

Which of the following has the MOST substantial impact on how aggressive or conservative the cloud approach of an organization will be?

Options:

A.

Applicable laws and regulations

B.

Internal policies and technical standards

C.

Risk scoring criteria

D.

Risk appetite and budget constraints

Buy Now
Questions 11

What areas should be reviewed when auditing a public cloud?

Options:

A.

Patching and configuration

B.

Vulnerability management and cyber security reviews

C.

Identity and access management (IAM) and data protection

D.

Source code reviews and hypervisor

Buy Now
Questions 12

The MOST important goal of regression testing is to ensure:

Options:

A.

the expected outputs are provided by the new features.

B.

the system can handle a high number of users.

C.

the system can be restored after a technical issue.

D.

new releases do not impact previous stable features.

Buy Now
Questions 13

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

Options:

A.

Automating risk monitoring and reporting processes

B.

Reporting emerging threats to senior stakeholders

C.

Establishing ownership and accountability

D.

Monitoring key risk indicators (KRIs) for multi-cloud environments

Buy Now
Questions 14

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

Options:

A.

treated as confidential information and withheld from all sub cloud service providers.

B.

treated as sensitive information and withheld from certain sub cloud service providers.

C.

passed to the sub cloud service providers.

D.

passed to the sub cloud service providers based on the sub cloud service providers' geographic location.

Buy Now
Questions 15

If a customer management interface is compromised over the public Internet, it can lead to:

Options:

A.

incomplete wiping of the data.

B.

computing and data compromise for customers.

C.

ease of acquisition of cloud services.

D.

access to the RAM of neighboring cloud computers.

Buy Now
Questions 16

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?

Options:

A.

Red team

B.

Blue team

C.

White box

D.

Gray box

Buy Now
Questions 17

Which of the following key stakeholders should be identified FIRST when an organization is designing a cloud compliance program?

Options:

A.

Cloud strategy owners

B.

Internal control function

C.

Cloud process owners

D.

Legal functions

Buy Now
Questions 18

The MOST important factor to consider when implementing cloud-related controls is the:

Options:

A.

shared responsibility model.

B.

effectiveness of the controls.

C.

risk reporting.

D.

risk ownership

Buy Now
Questions 19

The FINAL decision to include a material finding in a cloud audit report should be made by the:

Options:

A.

auditee's senior management.

B.

organization's chief executive officer (CEO).

C.

cloud auditor.

: D. organization's chief information security officer (CISO)

Buy Now
Questions 20

Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is:

Options:

A.

responsible to the cloud customer and its clients.

B.

responsible only to the cloud customer.

C.

not responsible at all to any external parties.

D.

responsible to the cloud customer and its end users

Buy Now
Questions 21

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following

What should be the BEST recommendation to reduce the provider’s burden?

Options:

A.

The provider can answer each customer individually.

B.

The provider can direct all customer inquiries to the information in the CSA STAR registry.

C.

The provider can schedule a call with each customer.

D.

The provider can share all security reports with customers to streamline the process

Buy Now
Questions 22

Which of the following helps an organization to identify control gaps and shortcomings in the context of cloud computing?

Options:

A.

Walk-through peer review

B.

Periodic documentation review

C.

User security awareness training

D.

Monitoring effectiveness

Buy Now
Questions 23

A cloud auditor observed that just before a new software went live, the librarian transferred production data to the test environment to confirm the new software can work in the production environment. What additional control should the cloud auditor check?

Options:

A.

Approval of the change by the change advisory board

B.

Explicit documented approval from all customers whose data is affected

C.

Training for the librarian

D.

Verification that the hardware of the test and production environments are compatible

Buy Now
Questions 24

Which of the following would be the MOST critical finding of an application security and DevOps audit?

Options:

A.

Certifications with global security standards specific to cloud are not reviewed, and the impact of noted findings are not assessed.

B.

Outsourced cloud service interruption, breach, or loss of stored data occurred at the cloud service provider.

C.

The organization is not using a unified framework to integrate cloud compliance with regulatory requirements.

D.

Application architecture and configurations did not consider security measures.

Buy Now
Questions 25

What type of termination occurs at the initiative of one party and without the fault of the other party?

Options:

A.

Termination without the fault

B.

Termination at the end of the term

C.

Termination for cause

D.

Termination for convenience

Buy Now
Questions 26

Which of the following processes should be performed FIRST to properly implement the NIST SP 800-53 r4 control framework in an organization?

Options:

A.

A selection of the security objectives the organization wants to improve

B.

A security categorization of the information systems

C.

A comprehensive business impact analysis (BIA)

D.

A comprehensive tailoring of the controls of the framework

Buy Now
Questions 27

What is below the waterline in the context of cloud operationalization?

Options:

A.

The controls operated by the customer

B.

The controls operated by both

C.

The controls operated by the cloud access security broker (CASB)

D.

The controls operated by the cloud service provider

Buy Now
Questions 28

A contract containing the phrase "You automatically consent to these terms by using or logging into the service to which they pertain" is establishing a contract of:

Options:

A.

exclusivity.

B.

adhesion.

C.

execution.

D.

exclusion.

Buy Now
Questions 29

The BEST way to deliver continuous compliance in a cloud environment is to:

Options:

A.

combine point-in-time assurance approaches with continuous monitoring.

B.

increase the frequency of external audits from annual to quarterly.

C.

combine point-in-time assurance approaches with continuous auditing.

D.

decrease the interval between attestations of compliance

Buy Now
Questions 30

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?

Options:

A.

Management of the organization being audited

B.

Shareholders and interested parties

C.

Cloud service provider

D.

Public

Buy Now
Questions 31

The MAIN limitation of relying on traditional cloud compliance assurance approaches such as SOC2 attestations is that:

Options:

A.

they can only be performed by skilled cloud audit service providers.

B.

they are subject to change when the regulatory climate changes.

C.

they provide a point-in-time snapshot of an organization's compliance posture.

D.

they place responsibility for demonstrating compliance on the vendor organization.

Buy Now
Questions 32

When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:

Options:

A.

shared.

B.

avoided.

C.

transferred.

D.

maintained.

Buy Now
Questions 33

When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

Options:

A.

Return or destruction of information

B.

Data retention, backup, and recovery

C.

Patch management process

D.

Network intrusion detection

Buy Now
Questions 34

Which of the following should a cloud auditor recommend regarding controls for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?

Options:

A.

Assessment of contractual and regulatory requirements for customer access

B.

Establishment of policies and procedures across multiple system interfaces, jurisdictions,

and business functions to prevent improper disclosure, alteration, or destruction

C.

Data input and output integrity routines

D.

Testing in accordance with leading industry standards such as OWASP

Buy Now
Questions 35

Market share and geolocation are aspects PRIMARILY related to:

Options:

A.

business perspective.

B.

cloud perspective.

C.

risk perspective.

D.

governance perspective.

Buy Now
Questions 36

What legal documents should be provided to the auditors in relation to risk management?

Options:

A.

Enterprise cloud strategy and policy

B.

Contracts and service level agreements (SLAs) of cloud service providers

C.

Policies and procedures established around third-party risk assessments

D.

Inventory of third-party attestation reports

Buy Now
Questions 37

What is the FIRST thing to define when an organization is moving to the cloud?

Options:

A.

Goals of the migration

B.

Internal service level agreements (SLAs)

C.

Specific requirements

D.

Provider evaluation criteria

Buy Now
Questions 38

Cloud Controls Matrix (CCM) controls can be used by cloud customers to:

Options:

A.

develop new security baselines for the industry.

B.

define different control frameworks for different cloud service providers.

C.

build an operational cloud risk management program.

D.

facilitate communication with their legal department.

Buy Now
Questions 39

organization should document the compliance responsibilities and ownership of accountability in a RACI chart or its informational equivalents in order to:

Options:

A.

provide a holistic and seamless view of the cloud service provider's responsibility for compliance with prevailing laws and regulations.

B.

provide a holistic and seamless view of the enterprise's responsibility for compliance with prevailing laws and regulations.

C.

conform to the organization's governance model.

D.

define the cloud compliance requirements and how they interplay with the organization’s business strategy, goals, and other compliance requirements.

Buy Now
Questions 40

An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

Options:

A.

obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.

B.

determine whether the organization can be considered fully compliant with the mapped standards because of the implementation of every CCM Control Specification.

C.

understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards.

Buy Now
Questions 41

Which of the following types of risk is associated specifically with the use of multi-cloud environments in an organization?

Options:

A.

Risk of supply chain visibility and validation

B.

Risk of reduced visibility and control

C.

Risk of service reliability and uptime

D.

Risk of unauthorized access to customer and business data

Buy Now
Questions 42

A dot release of the Cloud Controls Matrix (CCM) indicates:

Options:

A.

a revision of the CCM domain structure.

B.

a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release.

C.

the introduction of new control frameworks mapped to previously published CCM controls.

D.

technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release.

Buy Now
Questions 43

In all three cloud deployment models, (laaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

Options:

A.

Cloud service provider

B.

Shared responsibility

C.

Cloud service customer

D.

Patching on hypervisor layer not required

Buy Now
Questions 44

To support a customer's verification of the cloud service provider claims regarding its responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?

Options:

A.

External audit

B.

Internal audit

C.

Contractual agreement

D.

Security assessment

Buy Now
Questions 45

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

Options:

A.

ISO/IEC 27001 implementation.

B.

GB/T 22080-2008.

C.

SOC 2 Type 1 or 2 reports.

D.

GDPR CoC certification.

Buy Now
Questions 46

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Options:

A.

regulatory guidelines impacting the cloud customer.

B.

audits, assessments, and independent verification of compliance certifications with agreement terms.

C.

policies and procedures of the cloud customer

D.

the organizational chart of the provider.

Buy Now
Questions 47

Why should the results of third-party audits and certification be relied on when analyzing and assessing the cybersecurity risks in the cloud?

Options:

A.

To establish an audit mindset within the organization

B.

To contrast the risk generated by the loss of control

C.

To reinforce the role of the internal audit function

D.

To establish an accountability culture within the organization

Buy Now
Questions 48

Which industry organization offers both security controls and cloud-relevant benchmarking?

Options:

A.

Cloud Security Alliance (CSA)

B.

SANS Institute

C.

International Organization for Standardization (ISO)

D.

Center for Internet Security (CIS)

Buy Now
Questions 49

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

Options:

A.

As an integrity breach

B.

As an availability breach

C.

As a confidentiality breach

D.

As a control breach

Buy Now
Questions 50

Which of the following activities is performed outside information security monitoring?

Options:

A.

Management review of the information security framework

B.

Monitoring the effectiveness of implemented controls

C.

Collection and review of security events before escalation

D.

Periodic review of risks, vulnerabilities, likelihoods, and threats

Buy Now
Questions 51

Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?

Options:

A.

Location of data

B.

Amount of server storage

C.

Access controls

D.

Type of network technology

Buy Now
Questions 52

Who is accountable for the use of a cloud service?

Options:

A.

The cloud access security broker (CASB)

B.

The supplier

C.

The cloud service provider

D.

The organization (client)

Buy Now
Questions 53

A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider. The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes. Which of the following should be the GREATEST concern to the auditor?

Options:

A.

The audit logs are overwritten every 30 days, and all past audit trail is lost.

B.

The audit trails are backed up regularly, but the backup is not encrypted.

C.

The provider does not maintain audit logs in their environment.

D.

The customer cannot monitor its cloud subscription on its own and must rely on the provider for monitoring purposes.

Buy Now
Questions 54

Which of the following is the PRIMARY component to determine the success or failure of an organization’s cloud compliance program?

Options:

A.

Defining the metrics and indicators to monitor the implementation of the compliance program

B.

Determining the risk treatment options to be used in the compliance program

C.

Mapping who possesses the information and data that should drive the compliance goals

D.

Selecting the external frameworks that will be used as reference

Buy Now
Exam Code: CCAK
Exam Name: Certificate of Cloud Auditing Knowledge
Last Update: Dec 25, 2024
Questions: 182
CCAK pdf

CCAK PDF

$25.5  $84.99
CCAK Engine

CCAK Testing Engine

$30  $99.99
CCAK PDF + Engine

CCAK PDF + Testing Engine

$40.5  $134.99