Free ISACA CCAK Übungsprüfungen - Seite 6 von 9

Question #51

Which of the following is an example of availability technical impact?

A . The cloud provider reports a breach of customer personal data from an unsecured server.
B . A hacker using a stolen administrator identity alters the discount percentage in the product database.
C . A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours.
D . An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack

Lösung einblenden Lösung ausblenden

Question #52

The PRIMARY objective for an auditor to understand the organization’s context for a cloud audit is to:

A . determine whether the organization has carried out control self-assessment (CSA) and validated audit reports of the cloud service providers.
B . validate an understanding of the organization’s current state and how the cloud audit plan fits into the existing audit approach.
C . validate the organization’s performance effectiveness utilizing cloud service provider solutions.
D . validate whether an organization has a cloud audit plan in place.

Lösung einblenden Lösung ausblenden

Question #53

A certification target helps in the formation of a continuous certification framework by incorporating:

A . the service level objective (SLO) and service qualitative objective (SQO).
B . the scope description and security attributes to be tested.
C . the frequency of evaluating security attributes.
D . CSA STAR level 2 attestation.

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

According to the blog article “Continuous Auditing and Continuous Certification” by the Cloud Security Alliance, a certification target helps in the formation of a continuous certification framework by incorporating the scope description and security attributes to be tested1 A certification target is a set of security objectives that a cloud service provider (CSP) defines and commits to fulfill as part of the continuous certification process1 Each security objective is associated with a policy that specifies the assessment frequency, such as every four hours, every day, or every week1 A certification target also includes a set of tools that are capable of verifying that the security objectives are met, such as automated scripts, APIs, or third-party services1

The other options are not correct because:

Option A is not correct because the service level objective (SLO) and service qualitative objective (SQO) are not part of the certification target, but rather part of the service level agreement (SLA) between the CSP and the cloud customer. An SLO is a measurable characteristic of the cloud service, such as availability, performance, or reliability. An SQO is a qualitative characteristic of the cloud service, such as security, privacy, or compliance2 The SLA defines the expected level of service and the consequences of not meeting it. The SLA may be used as an input for defining the certification target, but it is not equivalent or synonymous with it.

Option C is not correct because the frequency of evaluating security attributes is not the only component of the certification target, but rather one aspect of it. The frequency of evaluating security attributes is determined by the policy that is associated with each security objective in the certification target. The policy defines how often the security objective should be verified by the tools, such as every four hours, every day, or every week1 However, the frequency alone does not define the certification target, as it also depends on the scope description and the security attributes to be tested.

Option D is not correct because CSA STAR level 2 attestation is not a component of the certification target, but rather a prerequisite for it. CSA STAR level 2 attestation is a third-party independent assessment of the CSP’s security posture based on ISO/IEC 27001 and CSA Cloud Controls Matrix (CCM)3 CSA STAR level 2 attestation provides a baseline assurance level for the CSP before they can define and implement their certification target for continuous certification. CSA STAR level 2 attestation is also required for CSA STAR level 3 certification, which is based on continuous auditing and continuous certification3

Reference: 1: Continuous Auditing and Continuous Certification – Cloud Security Alliance 2: Service

Level Agreement | CSA 3: Open Certification Framework | CSA – Cloud Security Alliance

Question #54

A cloud service provider providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance to stringent government standards?

A . CSA STAR Level Certificate
B . Multi-Tier Cloud Security (MTCS) Attestation
C . ISO/IEC 27001:2013 Certification
D . FedRAMP Authorization

Lösung einblenden Lösung ausblenden

Question #55

A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider. The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes.

Which of the following should be the GREATEST concern to the auditor?

A . The audit logs are overwritten every 30 days, and all past audit trail is lost.
B . The audit trails are backed up regularly, but the backup is not encrypted.
C . The provider does not maintain audit logs in their environment.
D . The customer cannot monitor its cloud subscription on its own and must rely on the provider for monitoring purposes.

Lösung einblenden Lösung ausblenden

Question #56

Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

A . Rule-based access control
B . Attribute-based access control
C . Policy-based access control
D . Role-based access control

Lösung einblenden Lösung ausblenden

Question #57

The BEST method to report continuous assessment of a cloud provider’s services to the Cloud Security Alliance (CSA) is through:

A . Cloud Controls Matrix (CCM) assessment by a third-party auditor on a periodic basis.
B . tools selected by the third-party auditor.
C . SOC 2 Type 2 attestation.
D . a set of dedicated application programming interfaces (APIs).

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The best method to report continuous assessment of a cloud provider’s services to the Cloud Security Alliance (CSA) is through a set of dedicated application programming interfaces (APIs). According to the CSA website1, the STAR Continuous program is a component of the STAR certification that allows cloud service providers to validate their security posture on an ongoing basis. The STAR Continuous program leverages a set of APIs that can integrate with the cloud provider’s existing tools and processes, such as security information and event management (SIEM), governance, risk management, and compliance (GRC), or continuous monitoring systems. The APIs enable the cloud provider to collect, analyze, and report security-related data to the CSA STAR registry in near real-time. The APIs also allow the CSA to verify the data and provide feedback to the cloud provider and the customers. The STAR Continuous program aims to provide more transparency, assurance, and trust in the cloud ecosystem by enabling continuous visibility into the security performance of cloud services.

The other methods listed are not suitable for reporting continuous assessment of a cloud provider’s services to the CSA. The Cloud Controls Matrix (CCM) assessment by a third-party auditor on a periodic basis is part of the STAR Certification Level 2 program, which provides a point-in-time validation of the cloud provider’s security controls. However, this method does not provide continuous assessment or reporting, as it only occurs once every 12 or 24 months2. The tools selected by the third-party auditor may vary depending on the scope, criteria, and methodology of the audit, and they may not be compatible or consistent with the CSA’s standards and frameworks.

Moreover, the tools may not be able to report the audit results to the CSA STAR registry automatically or frequently. The SOC 2 Type 2 attestation is an independent audit report that evaluates the cloud provider’s security controls based on the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. However, this report is not specific to cloud computing and does not cover all aspects of the CCM. Furthermore, this report is not intended to be shared publicly or reported to the CSA STAR registry3.

Reference: STAR Continuous | CSA

STAR Certification | CSA

SOC 2 vs CSA STAR: Which One Should You Choose?

Question #58

The effect of which of the following should have priority in planning the scope and objectives of a cloud audit?

A . Applicable industry good practices
B . Applicable statutory requirements
C . Organizational policies and procedures
D . Applicable corporate standards

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The effect of applicable statutory requirements should have priority in planning the scope and objectives of a cloud audit, as they are the mandatory and enforceable rules that govern the cloud service provider and the cloud service customer. Statutory requirements may vary depending on the jurisdiction, industry, or sector of the cloud service provider and the cloud service customer, as well as the type, location, and sensitivity of the data processed or stored in the cloud. Statutory requirements may include laws, regulations, standards, or codes that relate to data protection, privacy, security, compliance, governance, taxation, or liability. The cloud auditor should identify and understand the applicable statutory requirements that affect the cloud service provider and the cloud service customer, and assess whether they are met and adhered to by both parties. The cloud auditor should also verify that the contractual terms and conditions between the cloud service provider and the cloud service customer reflect and comply with the applicable statutory requirements123.

Applicable industry good practices (A) are important for planning the scope and objectives of a cloud audit, but they are not as high priority as applicable statutory requirements. Industry good practices are the recommended or accepted methods or techniques for achieving a desired outcome or result in a specific domain or context. Industry good practices may include frameworks, guidelines, principles, or best practices that are developed by professional bodies, associations, or organizations that have expertise or authority in a certain field or area. Industry good practices may help the cloud service provider and the cloud service customer to improve their performance, quality, efficiency, or effectiveness in delivering or using cloud services. However, industry good practices are not mandatory or enforceable, and they may vary or change over time depending on the evolution of technology or business needs123.

Organizational policies and procedures © are important for planning the scope and objectives of a cloud audit, but they are not as high priority as applicable statutory requirements. Organizational policies and procedures are the internal rules and guidelines that define the objectives, expectations, and responsibilities of an organization regarding its operations, activities, processes, or functions. Organizational policies and procedures may include mission statements, vision statements, values statements, strategies, goals, plans, standards, manuals, handbooks, or instructions that are specific to an organization. Organizational policies and procedures may help the organization to align its actions and decisions with its purpose and direction, as well as to ensure consistency and accountability among its members or stakeholders. However, organizational policies and procedures are not mandatory or enforceable outside the organization, and they may differ or conflict among different organizations123.

Applicable corporate standards (D) are important for planning the scope and objectives of a cloud audit, but they are not as high priority as applicable statutory requirements. Corporate standards are the internal rules and guidelines that define the minimum level of quality, performance, reliability, or compatibility that an organization expects from its products, services, processes, or systems. Corporate standards may include specifications, criteria, metrics, indicators, benchmarks, or baselines that are specific to an organization. Corporate standards may help the organization to measure and evaluate its outputs or outcomes against its objectives or expectations, as well as to identify and address any gaps or issues that may arise. However, corporate standards are not mandatory or enforceable outside the organization, and they may differ or conflict among different organizations123.

Reference: =

Cloud Audits: A Guide for Cloud Service Providers – Cloud Standards …

Cloud Audits: A Guide for Cloud Service Customers – Cloud Standards …

Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam

Question #59

Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

A . Control self-assessment (CSA)
B . Third-party vendor involvement
C . Exception reporting
D . Application team internal review

Lösung einblenden Lösung ausblenden

Question #60

Which of the following key stakeholders should be identified FIRST when an organization is designing a cloud compliance program?

A . Cloud strategy owners
B . Internal control function
C . Cloud process owners
D . Legal functions

Lösung einblenden Lösung ausblenden