Free ISACA CCAK Übungsprüfungen - Seite 9 von 9

Question #81

The three layers of Open Certification Framework (OCF) PRIMARILY help cloud service providers and cloud clients improve the level of:

A . legal and regulatory compliance.
B . risk and controls.
C . audit structure and formats.
D . transparency and assurance.

Lösung einblenden Lösung ausblenden

Question #82

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data.

In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

A . As an integrity breach
B . As an availability breach
C . As a confidentiality breach
D . As a control breach

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

As an integrity breach. The technical impact of this incident can be categorized as an integrity breach, which refers to the effect of a cloud security incident on the protection of data from unauthorized modification or deletion. Integrity is one of the three security properties of an information system, along with confidentiality and availability.

The incident described in the question involves a cybersecurity criminal finding a vulnerability in an Internet-facing server of an organization, accessing an encrypted file system, and overwriting parts of some files with random data. This is a type of data tampering or corruption attack that affects the accuracy and reliability of the data. The fact that the file system was encrypted does not prevent the integrity breach, as the attacker did not need to decrypt or read the data, but only to overwrite it. The integrity breach can have serious consequences for the organization, such as data loss, data inconsistency, data recovery costs, and loss of trust.

The other options are not correct categories for the technical impact of this incident.

Option B, as an availability breach, is incorrect because availability refers to the protection of data and services from disruption or denial, which is not the case in this incident.

Option C, as a confidentiality breach, is incorrect because confidentiality refers to the protection of data from unauthorized access or disclosure, which is not the case in this incident.

Option D, as a control breach, is incorrect because control refers to the ability to manage or influence the behavior or outcome of a system or process, which is not a security property of an information system.

Reference: = Top Threats Analysis Methodology – CSA1

Top Threats Analysis Methodology – Cloud Security Alliance2 OWASP Risk Rating Methodology | OWASP Foundation3 OEE Factors: Availability, Performance, and Quality | OEE4 The Effects of Technological Developments on Work and Their

Question #83

Controls mapping found in the Scope Applicability column of the Cloud Controls Matrix (CCM) may help organizations to realize cost savings:

A . by avoiding duplication of efforts in the compliance evaluation and for the eventual control design and implementation.
B . by implementing layered security, thus reducing the likelihood of data breaches and the associated costs.
C . by avoiding the need to hire a cloud security specialist to perform the periodic risk assessment exercise.
D . by avoiding fines for breaching those regulations that impose a controls mapping in order to prove compliance

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Controls mapping found in the Scope Applicability column of the Cloud Controls Matrix (CCM) may help organizations to realize cost savings by avoiding duplication of efforts in the compliance evaluation and for the eventual control design and implementation. The Scope Applicability column is a feature of the CCM that indicates which cloud model type (IaaS, PaaS, SaaS) or cloud environment (public, hybrid, private) a control applies to. This feature can help organizations to identify and select the most relevant and appropriate controls for their specific cloud scenario, as well as to map them to multiple industry-accepted security standards, regulations, and frameworks. By doing so, organizations can reduce the time, resources, and costs involved in achieving and maintaining compliance with various cloud security requirements123.

The other options are not directly related to the question.

Option B, by implementing layered security, thus reducing the likelihood of data breaches and the associated costs, is not a valid reason because layered security is a general principle of defense in depth, not a specific feature of the CCM or the Scope Applicability column.

Option C, by avoiding the need to hire a cloud security specialist to perform the periodic risk assessment exercise, is not a valid reason because using the CCM or the Scope Applicability column does not eliminate the need for a cloud security specialist or a periodic risk assessment exercise, which are essential for ensuring the effectiveness and adequacy of the cloud security controls.

Option D, by avoiding fines for breaching those regulations that impose a controls mapping in order to prove compliance, is not a valid reason because controls mapping is not a mandatory requirement for proving compliance, but a voluntary tool for facilitating compliance.

Reference: =

What is CAIQ? | CSA – Cloud Security Alliance1

Understanding the Cloud Control Matrix | CloudBolt Software2 Cloud Controls Matrix (CCM) – CSA