Free ISACA CCAK Übungsprüfungen - Seite 4 von 9

Question #31

What should be the control audit frequency for an organization’s business continuity management and operational resilience strategy?

A . Annually
B . Biannually
C . Quarterly
D . Monthly

Lösung einblenden Lösung ausblenden

Question #32

An auditor is auditing the services provided by a cloud service provider.

When evaluating the security of the cloud customer’s data in the cloud, which of the following should be of GREATEST concern to the auditor?

A . Personally identifiable information (Pll) is pseudonymized but not fully encrypted.
B . The cloud customer has encrypted the confidential data in the cloud using its own encryption keys.
C . The confidential data stored in the cloud is encrypted using encryption keys that are managed by the provider.
D . According to the cloud customer’s data handling policy, all confidential data should be encrypted, but the confidential data stored in the cloud is well segmented but not encrypted.

Lösung einblenden Lösung ausblenden

Question #33

Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?

A . Impact analysis
B . Likelihood
C . Mitigation
D . Residual risk

Lösung einblenden Lösung ausblenden

Question #34

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

A . GDPR CoC certification.
B . GB/T 22080-2008.
C . SOC 2 Type 1 or 2 reports.
D . ISO/IEC 27001 implementation.

Lösung einblenden Lösung ausblenden

Question #35

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month.

Which of the following should be the BEST recommendation to reduce the provider’s burden?

A . The provider can schedule a call with each customer.
B . The provider can share all security reports with customers to streamline the process.
C . The provider can answer each customer individually.
D . The provider can direct all customer inquiries to the information in the CSA STAR registry

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The CSA STAR registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings1 The registry is designed for users of cloud services to assess their cloud providers’ security and compliance posture, including the regulations, standards, and frameworks they adhere to1 The registry also promotes industry transparency and reduces complexity and costs for both providers and customers2

The provider can direct all customer inquiries to the information in the CSA STAR registry, as this would be the best recommendation to reduce the provider’s burden. By publishing to the registry, the provider can show current and potential customers their security and compliance posture, without having to fill out multiple customer questionnaires or requests for proposal (RFPs)2 The provider can also leverage the different levels of assurance available in the registry, such as self-assessment, third-party audit, or certification, to demonstrate their security maturity and trustworthiness1 The provider can also benefit from the CSA Trusted Cloud Providers program, which recognizes providers that have fulfilled additional training and volunteer requirements with CSA, demonstrating their commitment to cloud security competency and industry best practices3

The other options are not correct because:

Option A is not correct because the provider can schedule a call with each customer is not a good recommendation to reduce the provider’s burden. Scheduling a call with each customer would be time-consuming, inefficient, and impractical, especially if the provider receives multiple inquiries and RFPs every month. Scheduling a call would also not guarantee that the customer would be satisfied with the provider’s security and compliance posture, as they may still request additional information or evidence. Scheduling a call would also not help the provider differentiate themselves from other providers in the market, as they may not be able to showcase their security maturity and trustworthiness effectively.

Option B is not correct because the provider can share all security reports with customers to streamline the process is not a good recommendation to reduce the provider’s burden. Sharing all security reports with customers may not be feasible, as some reports may contain sensitive or confidential information that should not be disclosed to external parties. Sharing all security reports may also not be desirable, as some reports may be outdated, incomplete, or inconsistent, which could undermine the provider’s credibility and reputation. Sharing all security reports may also not be effective, as some customers may not have the expertise or resources to review and understand them properly.

Option C is not correct because the provider can answer each customer individually is not a good recommendation to reduce the provider’s burden. Answering each customer individually would be tedious, repetitive, and costly, as the provider would have to provide similar or identical information to different customers over and over again. Answering each customer individually would also not ensure that the provider’s security and compliance posture is consistent and accurate, as they may make mistakes or omissions in their responses. Answering each customer individually would also not help the provider stand out from other providers in the market, as they may not be able to highlight their security achievements and certifications.

Reference: 1: STAR | CSA 2: Why your cloud services need the CSA STAR Registry listing 3: STAR Registry | CSA

Question #36

From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?

A . Evaluation summaries
B . logs
C . SOC reports
D . Interviews

Lösung einblenden Lösung ausblenden

Question #37

A cloud auditor should use statistical sampling rather than judgment (nonstatistical) sampling when:

A . generalized audit software is unavailable.
B . the auditor wants to avoid sampling risk.
C . the probability of error must be objectively quantified.
D . the tolerable error rate cannot be determined.

Lösung einblenden Lösung ausblenden

Question #38

When mapping controls to architectural implementations, requirements define:

A . control objectives.
B . control activities.
C . guidelines.
D . policies.

Lösung einblenden Lösung ausblenden

Question #39

An auditor examining a cloud service provider’s service level agreement (SLA) should be MOST concerned about whether:

A . the agreement includes any operational matters that are material to the service operations.
B . the agreement excludes any sourcing and financial matters that are material in meeting the service level agreement (SLA).
C . the agreement includes any service availability matters that are material to the service operations.
D . the agreement excludes any operational matters that are material to the service operations

Lösung einblenden Lösung ausblenden

Question #40

Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?

A . Nondisclosure agreements (NDAs)
B . Independent auditor report
C . First-party audit
D . Industry certifications

Lösung einblenden Lösung ausblenden