Free ISACA CCAK Übungsprüfungen - Seite 8 von 9

Question #71

To ensure integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?

A . Parallel testing
B . Full application stack unit testing
C . Functional verification
D . Regression testing

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

Regression testing is a type of software testing that confirms that a recent program or code change has not adversely affected existing features1 It involves re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change2 Regression testing is suitable for large code sets in environments where time to completion is critical, as it can help detect and prevent defects, improve quality, and enable faster delivery of secure software. Regression testing can be automated to reduce manual errors, speed up feedback loops, and increase efficiency and reliability3

The other options are not correct because:

Option A is not correct because parallel testing is a type of software testing that involves testing multiple applications or subsystems concurrently to reduce the test time4 Parallel testing does not necessarily ensure the integration of security testing, as it depends on the quality and coverage of the test cases and scenarios used for each application or subsystem. Parallel testing may also introduce challenges such as synchronization, coordination, and communication among the testers and developers5

Option B is not correct because full application stack unit testing is a type of software testing that involves testing individual units or components of an application in isolation to verify their functionality, logic, interfaces, and performance6 Full application stack unit testing does not ensure the integration of security testing, as it does not consider the interactions and dependencies among the units or components, or the behavior of the application as a whole. Unit testing is typically performed by developers at an early stage of the software development life cycle, and may not cover all the security aspects or requirements of the application7

Option C is not correct because functional verification is a type of software testing that involves verifying that the software meets the specified requirements and satisfies the user needs. Functional verification does not ensure the integration of security testing, as it does not focus on how the software is designed or configured, or how it handles malicious or unexpected inputs. Functional verification is typically performed by quality assurance teams at a later stage of the software development life cycle, and may not detect all the security vulnerabilities or risks of the software.

Reference: 1: Wikipedia. Regression testing – Wikipedia. [Online]. Available: 3. [Accessed: 14-Apr-2023]. 2: Katalon.

What is Regression Testing? Definition, Tools, Examples – Katalon.

[Online]. Available: 4. [Accessed: 14-Apr-2023]. 3: BMC Software. Shift Left Testing: What, Why &

How To Shift Left C BMC Software | Blogs. [Online]. Available: 3. [Accessed: 14-Apr-2023]. 4: Guru99.

What is Parallel Testing? with Example – Guru99. [Online]. Available:. [Accessed: 14-Apr-2023]. 5:

LambdaTest. Parallel Testing In Selenium WebDriver | LambdaTest Blog. [Online]. Available:

. [Accessed: 14-Apr-2023]. 6: Guru99.

What is Unit Testing? Types & Examples – Guru99. [Online].

Available:. [Accessed: 14-Apr-2023]. 7: Software Testing Help. Unit Testing Vs Integration Testing:

Difference Between These Two – SoftwareTestingHelp.com Blog. [Online]. Available:. [Accessed: 14-

Apr-2023]. : Guru99.

What is Functional Testing? Types & Examples – Guru99. [Online]. Available: .

[Accessed: 14-Apr-2023]. : Software Testing Help. Functional Testing Vs Non-Functional Testing –

SoftwareTestingHelp.com Blog. [Online]. Available:. [Accessed: 14-Apr-2023].

Question #72

Which of the following is the MOST important strategy and governance documents to provide to the auditor prior to a cloud service provider review?

A . Enterprise cloud strategy and policy, as well as inventory of third-party attestation reports
B . Policies and procedures established around third-party risk assessments, including questionnaires that are required to be completed to assess risk associated with use of third-party services
C . Enterprise cloud strategy and policy, as well as the enterprise cloud security strategy
D . Inventory of third-party attestation reports and enterprise cloud security strategy

Lösung einblenden Lösung ausblenden

Question #73

Which of the following is the MOST relevant question in the cloud compliance program design phase?

A . Who owns the cloud services strategy?
B . Who owns the cloud strategy?
C . Who owns the cloud governance strategy?
D . Who owns the cloud portfolio strategy?

Lösung einblenden Lösung ausblenden

Question #74

With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:

A . relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF). and the Zachman Framework for Enterprise Architecture.
B . relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.
C . relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.
D . relevant delivery models such as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (laaS).

Lösung einblenden Lösung ausblenden

Question #75

For an auditor auditing an organization’s cloud resources, which of the following should be of GREATEST concern?

A . The organization does not have separate policies for governing its cloud environment.
B . The organization’s IT team does not include resources with cloud certifications.
C . The organization does not perform periodic reviews or control monitoring for its cloud environment, but it has a documented audit plan and performs an audit for its cloud environment every alternate year.
D . The risk management team reports to the head of audit.

Lösung einblenden Lösung ausblenden

Question #76

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

A . Determine the impact on the controls that were selected by the organization to respond to identified risks.
B . Determine the impact on confidentiality, integrity, and availability of the information system.
C . Determine the impact on the physical and environmental security of the organization, excluding informational assets.
D . Determine the impact on the financial, operational, compliance, and reputation of the organization.

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

When applying the Top Threats Analysis methodology following an incident, the scope of the technical impact identification step is to determine the impact on confidentiality, integrity, and availability of the information system. The Top Threats Analysis methodology is a framework developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the most critical threats to cloud computing. The methodology consists of six steps: threat identification, threat analysis, technical impact identification, business impact analysis, risk assessment, and risk treatment12.

The technical impact identification step is the third step of the methodology, and it aims to assess how the incident affected the security properties of the information system, namely confidentiality, integrity, and availability. Confidentiality refers to the protection of data from unauthorized access or disclosure. Integrity refers to the protection of data from unauthorized modification or deletion. Availability refers to the protection of data and services from disruption or denial. The technical impact identification step can help organizations to understand the severity and extent of the incident and its consequences on the information system12.

The other options are not within the scope of the technical impact identification step.

Option A, determine the impact on the controls that were selected by the organization to respond to identified risks, is not within the scope because it is part of the risk treatment step, which is the sixth and final step of the methodology.

Option C, determine the impact on the physical and environmental security of the organization, excluding informational assets, is not within the scope because it is not related to the information system or its security properties.

Option D, determine the impact on the financial, operational, compliance, and reputation of the organization, is not within the scope because it is part of the business impact analysis step, which is the fourth step of the methodology.

Reference: =

Top Threats Analysis Methodology – CSA1

Top Threats Analysis Methodology – Cloud Security Alliance

Question #77

In a situation where duties related to cloud risk management and control are split between an organization and its cloud service providers, which of the following would BEST help to ensure a coordinated approach to risk and control processes?

A . Establishing a joint security operations center
B . Automating reporting of risk and control compliance
C . Co-locating compliance management specialists
D . Maintaining a centralized risk and controls dashboard

Lösung einblenden Lösung ausblenden

Question #78

When performing audits in relation to the organizational strategy and governance, what should be requested from the cloud service provider?

A . Enterprise cloud security strategy
B . Enterprise cloud strategy and policy
C . Attestation reports
D . Policies and procedures

Lösung einblenden Lösung ausblenden

Question #79

What type of termination occurs at the initiative of one party and without the fault of the other party?

A . Termination without the fault
B . Termination at the end of the term
C . Termination for cause
D . Termination for convenience

Lösung einblenden Lösung ausblenden

Question #80

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

A . ISO/IEC 27017:2015
B . ISO/IEC 27002
C . NIST SP 800-146
D . Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Lösung einblenden Lösung ausblenden