Free ISACA CCAK Übungsprüfungen - Seite 7 von 9

Question #61

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community.

Of the following, to whom should the auditor report the findings?

A . Management of the organization being audited
B . Shareholders and interested parties
C . Cloud service provider
D . Public

Lösung einblenden Lösung ausblenden

Question #62

From an auditor perspective, which of the following BEST describes shadow IT?

A . An opportunity to diversify the cloud control approach
B . A weakness in the cloud compliance posture
C . A strength of disaster recovery (DR) planning
D . A risk that jeopardizes business continuity planning

Lösung einblenden Lösung ausblenden

Question #63

Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public Software as a Service (SaaS) application to ease the recruiting process?

A . Implement a cloud access security broker (CASB).
B . Do not allow data to be in clear text.
C . Ensure HIPAA compliance.
D . Consult the legal department.

Lösung einblenden Lösung ausblenden

Question #64

Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?

A . Location of data
B . Amount of server storage
C . Access controls
D . Type of network technology

Lösung einblenden Lösung ausblenden

Question #65

Which of the following configuration change controls is acceptable to a cloud auditor?

A . Programmers have permanent access to production software.
B . Programmers cannot make uncontrolled changes to the source code production version.
C . Development, test, and production are hosted in the same network environment.
D . The head of development approves changes requested to production.

Lösung einblenden Lösung ausblenden

Question #66

To ensure a cloud service provider is complying with an organization’s privacy requirements, a cloud auditor should FIRST review:

A . organizational policies, standards, and procedures.
B . adherence to organization policies, standards, and procedures.
C . legal and regulatory requirements.
D . the IT infrastructure.

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

To ensure a cloud service provider is complying with an organization’s privacy requirements, a cloud auditor should first review the organizational policies, standards, and procedures that define the privacy objectives, expectations, and responsibilities of the organization. The organizational policies, standards, and procedures should also reflect the legal and regulatory requirements that apply to the organization and its cloud service provider, as well as the best practices and guidelines for cloud privacy. The organizational policies, standards, and procedures should provide the basis for evaluating the cloud service provider’s privacy practices and controls, as well as the contractual terms and conditions that govern the cloud service agreement. The cloud auditor should compare the organizational policies, standards, and procedures with the cloud service provider’s self-disclosure statements, third-party audit reports, certifications, attestations, or other evidence of compliance123.

Reviewing the adherence to organization policies, standards, and procedures (B) is a subsequent step that the cloud auditor should perform after reviewing the organizational policies, standards, and procedures themselves. The cloud auditor should assess whether the cloud service provider is following the organization’s policies, standards, and procedures consistently and effectively, as well as whether the organization is monitoring and enforcing the compliance of the cloud service provider. The cloud auditor should also identify any gaps or deviations between the organization’s policies, standards, and procedures and the actual practices and controls of the cloud service provider123.

Reviewing the legal and regulatory requirements © is an important aspect of ensuring a cloud service provider is complying with an organization’s privacy requirements, but it is not the first step that a cloud auditor should take. The legal and regulatory requirements may vary depending on the jurisdiction, industry, or sector of the organization and its cloud service provider. The legal and regulatory requirements may also change over time or be subject to interpretation or dispute. Therefore, the cloud auditor should first review the organizational policies, standards, and procedures that incorporate and translate the legal and regulatory requirements into specific and measurable privacy objectives, expectations, and responsibilities for both parties123.

Reviewing the IT infrastructure (D) is not a relevant or sufficient step for ensuring a cloud service provider is complying with an organization’s privacy requirements. The IT infrastructure refers to the hardware, software, network, and other components that support the delivery of cloud services. The IT infrastructure is only one aspect of cloud security and privacy, and it may not be accessible or visible to the cloud auditor or the organization. The cloud auditor should focus on reviewing the privacy practices and controls that are implemented by the cloud service provider at different layers of the cloud service model (IaaS, PaaS, SaaS), as well as the contractual terms and conditions that define the privacy rights and obligations of both parties123.

Reference: =

Cloud Audits and Compliance: What You Need To Know – Linford & Company LLP Trust in the Cloud in audits of cloud services – PwC

Cloud Compliance & Regulations Resources | Google Cloud

Question #67

The MOST important factor to consider when implementing cloud-related controls is the:

A . shared responsibility model.
B . effectiveness of the controls.
C . risk reporting.
D . risk ownership

Lösung einblenden Lösung ausblenden

Question #68

Which of the following is MOST important for an auditor to understand regarding cloud security controls?

A . Controls adapt to changes in the threat landscape.
B . Controls are the responsibility of the cloud service provider.
C . Controls are the responsibility of the internal audit team.
D . Controls are static and do not change.

Lösung einblenden Lösung ausblenden

Question #69

Which of the following is a category of trust in cloud computing?

A . Loyalty-based trust
B . Background-based trust
C . Reputation-based trust
D . Transparency-based trust

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

Reputation-based trust is a category of trust in cloud computing that relies on the feedback, ratings, reviews, or recommendations of other users or third parties who have used or evaluated the cloud service provider or the cloud service. Reputation-based trust reflects the collective opinion and experience of the cloud community regarding the quality, reliability, security, and performance of the cloud service provider or the cloud service. Reputation-based trust can help potential customers to make informed decisions about choosing a cloud service provider or a cloud service based on the reputation score or ranking of the provider or the service. Reputation-based trust can also motivate cloud service providers to improve their services and maintain their reputation by meeting or exceeding customer expectations.

Reputation-based trust is one of the most common and widely used forms of trust in cloud computing, as it is easy to access and understand.

However, reputation-based trust also has some limitations and challenges, such as:

The accuracy and validity of the reputation data may depend on the source, method, and frequency of data collection and aggregation. For example, some reputation data may be outdated, incomplete, biased, manipulated, or falsified by malicious actors or competitors.

The interpretation and comparison of the reputation data may vary depending on the context, criteria, and preferences of the customers. For example, some customers may value different aspects of the cloud service more than others, such as security, availability, cost, or functionality.

The trustworthiness and accountability of the reputation system itself may be questionable. For example, some reputation systems may lack transparency, consistency, or standardization in their design, implementation, or operation.

Therefore, reputation-based trust should not be the only factor for trusting a cloud service provider or a cloud service. Customers should also consider other forms of trust in cloud computing, such as evidence-based trust, policy-based trust, or certification-based trust

Question #70

Which plan guides an organization on how to react to a security incident that might occur on the organization’s systems, or that might be affecting one of its service providers?

A . Incident response plan
B . Security incident plan
C . Unexpected event plan
D . Emergency incident plan

Lösung einblenden Lösung ausblenden