Free ISACA CCAK Übungsprüfungen - Seite 3 von 9

Question #21

What is the MOST effective way to ensure a vendor is compliant with the agreed-upon cloud service?

A . Examine the cloud provider’s certifications and ensure the scope is appropriate.
B . Document the requirements and responsibilities within the customer contract
C . Interview the cloud security team and ensure compliance.
D . Pen test the cloud service provider to ensure compliance.

Richtige Antwort: A
A

Explanation:

The most effective way to ensure a vendor is compliant with the agreed-upon cloud service is to examine the cloud provider’s certifications and ensure the scope is appropriate. Certifications are independent attestations of the cloud provider’s compliance with various standards, regulations, and best practices related to cloud security, privacy, and governance1. They provide assurance to customers that the cloud provider has implemented adequate controls and processes to meet their contractual obligations and expectations2. However, not all certifications are equally relevant or comprehensive, so customers need to verify that the certifications cover the specific cloud service, region, and data type that they are using3. Customers should also review the certification reports or audit evidence to understand the scope, methodology, and results of the assessment4.

The other options are not as effective as examining the cloud provider’s certifications. Documenting the requirements and responsibilities within the customer contract is an important step to establish the terms and conditions of the cloud service agreement, but it does not guarantee that the vendor will comply with them5. Customers need to monitor and verify the vendor’s performance and compliance on an ongoing basis. Interviewing the cloud security team may provide some insights into the vendor’s compliance practices, but it may not be sufficient or reliable without independent verification or documentation. Pen testing the cloud service provider may reveal some vulnerabilities or weaknesses in the vendor’s security posture, but it may not cover all aspects of compliance or be authorized by the vendor. Pen testing should be done with caution and consent, as it may cause disruption or damage to the cloud service or violate the terms of service.

Reference: Cloud Compliance: What You Need To Know – Linford & Company LLP1, section on Cloud Compliance Cloud Services Due Diligence Checklist | Trust Center2, section on Why Microsoft created the Cloud Services Due Diligence Checklist

The top cloud providers for government | ZDNET3, section on What is FedRAMP? Cloud Computing Security Considerations | Cyber.gov.au4, section on Certification

Cloud Audits and Compliance: What You Need To Know – Linford & Company LLP5, section on Cloud Compliance Management

Cloud Services Due Diligence Checklist | Trust Center, section on How to use the checklist Cloud Computing Security Considerations | Cyber.gov.au, section on Security governance The top cloud providers for government | ZDNET, section on Penetration testing Penetration Testing in AWS – Amazon Web Services (AWS), section on Introduction

Question #22

In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?

A . Database backup and replication guidelines
B . System backup documentation
C . Incident management documentation
D . Operational manuals

Lösung einblenden Lösung ausblenden

Question #23

Which of the following is the PRIMARY component to determine the success or failure of an organization’s cloud compliance program?

A . Defining the metrics and indicators to monitor the implementation of the compliance program
B . Determining the risk treatment options to be used in the compliance program
C . Mapping who possesses the information and data that should drive the compliance goals
D . Selecting the external frameworks that will be used as reference

Lösung einblenden Lösung ausblenden

Question #24

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework.

Which of the following is the FIRST step to this change?

A . Discard all work done and start implementing NIST 800-53 from scratch.
B . Recommend no change, since the scope of ISO/IEC 27002 is broader.
C . Recommend no change, since NIST 800-53 is a US-scoped control framework.
D . Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

Lösung einblenden Lösung ausblenden

Question #25

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization’s disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually.

What should be the auditor’s NEXT course of action?

A . Review the security white paper of the provider.
B . Review the provider’s audit reports.
C . Review the contract and DR capability.
D . Plan an audit of the provider

Lösung einblenden Lösung ausblenden

Question #26

Which of the following is an example of availability technical impact?

A . A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours.
B . The cloud provider reports a breach of customer personal data from an unsecured server.
C . An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.
D . A hacker using a stolen administrator identity alters the discount percentage in the product database

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

An example of availability technical impact is a distributed denial of service (DDoS) attack that renders the customer’s cloud inaccessible for 24 hours. Availability technical impact refers to the effect of a cloud security incident on the protection of data and services from disruption or denial. Availability is one of the three security properties of an information system, along with confidentiality and integrity.

Option A is an example of availability technical impact because it shows how a DDoS attack, which is a type of cyberattack that overwhelms a system or network with malicious traffic and prevents legitimate users from accessing it, can cause a severe and prolonged disruption of the customer’s cloud services.

Option A also implies that the customer’s organization depends on the availability of its cloud services for its core business operations.

The other options are not examples of availability technical impact.

Option B is an example of confidentiality technical impact, which refers to the effect of a cloud security incident on the protection of data from unauthorized access or disclosure.

Option B shows how a breach of customer personal data from an unsecured server, which is a type of data leakage or exposure attack that exploits the lack of proper security controls on a system or network, can cause a violation of the privacy and security of the customer’s data.

Option C is an example of integrity technical impact, which refers to the effect of a cloud security incident on the protection of data from unauthorized modification or deletion.

Option C shows how an administrator inadvertently clicking on phish bait, which is a type of social engineering or phishing attack that tricks a user into clicking on a malicious link or attachment, can expose the company to a ransomware attack, which is a type of malware or encryption attack that locks or encrypts the data and demands a ransom for its release.

Option D is also an example of integrity technical impact, as it shows how a hacker using a stolen administrator identity, which is a type of identity theft or impersonation attack that exploits the credentials or privileges of a legitimate user to access or manipulate a system or network, can alter the discount percentage in the product database, which is a type of data tampering or corruption attack that affects the accuracy and reliability of the data.

Reference: =

OWASP Risk Rating Methodology | OWASP Foundation1

OEE Factors: Availability, Performance, and Quality | OEE2

The Effects of Technological Developments on Work and Their …

Question #27

When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer

A . To determine the total cost of the cloud services to be deployed
B . To confirm whether the compensating controls implemented are sufficient for the cloud services
C . To determine how those services will fit within its policies and procedures
D . To confirm which vendor will be selected based on compliance with security requirements

Lösung einblenden Lösung ausblenden

Question #28

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

A . Development of the monitoring goals and requirements
B . Identification of processes, functions, and systems
C . Identification of roles and responsibilities
D . Identification of the relevant laws, regulations, and standards

Lösung einblenden Lösung ausblenden

Question #29

Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?

A . CCM utilizes an ITIL framework to define the capabilities needed to manage the IT services and security services.
B . CCM maps to existing security standards, best practices, and regulations.
C . CCM uses a specific control for Infrastructure as a Service (laaS).
D . CCM V4 is an improved version from CCM V3.0.1.

Lösung einblenden Lösung ausblenden

Question #30

What is the FIRST thing to define when an organization is moving to the cloud?

A . Goals of the migration
B . Internal service level agreements (SLAs)
C . Specific requirements
D . Provider evaluation criteria

Lösung einblenden Lösung ausblenden