Isaca CCAK - Certificate of Cloud Auditing Knowledge

Total 207 questions

The MAIN difference between the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ) is that:

A.

CCM assesses the presence of controls, whereas CAIQ assesses the overall security of a service.

B.

CCM has 14 domains, whereas CAIQ has 16 domains.

C.

CCM provides a controls framework, whereas CAIQ provides industry-accepted ways to document which security controls exist in Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings.

D.

CCM has a set of security questions, whereas CAIQ has a set of security controls.

The FINAL decision to include a material finding in a cloud audit report should be made by the:

A.

auditee's senior management.

B.

organization's chief executive officer (CEO).

C.

cloud auditor.

D.

organization's chief information security officer (CISO).

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?

A.

Discard all work done and start implementing NIST 800-53 from scratch.

B.

Recommend no change, since the scope of ISO/IEC 27002 is broader.

C.

Recommend no change, since NIST 800-53 is a US-scoped control framework.

D.

Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

What is the FIRST thing to define when an organization is moving to the cloud?

A.

Goals of the migration

B.

Internal service level agreements (SLAs)

C.

Specific requirements

D.

Provider evaluation criteria

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

A.

regulatory guidelines impacting the cloud customer.

B.

audits, assessments, and independent verification of compliance certifications with agreement terms.

C.

policies and procedures of the cloud customer.

D.

the organizational chart of the provider.

Which of the following key stakeholders should be identified FIRST when an organization is designing a cloud compliance program?

A.

Cloud strategy owners

B.

Internal control function

C.

Cloud process owners

D.

Legal functions

Which of the following are the MOST important strategy and governance documents to provide to the auditor prior to a cloud service provider review?

A.

Enterprise cloud strategy and policy, as well as inventory of third-party attestation reports

B.

Policies and procedures established around third-party risk assessments, including questionnaires that are required to be completed to assess risk associated with use of third-party services

C.

Enterprise cloud strategy and policy, as well as the enterprise cloud security strategy

D.

Inventory of third-party attestation reports and enterprise cloud security strategy

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

A.

Automating risk monitoring and reporting processes

B.

Reporting emerging threats to senior stakeholders

C.

Establishing ownership and accountability

D.

Monitoring key risk indicators (KRIs) for multi-cloud environments

Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?

A.

Likelihood

B.

Mitigation

C.

Residual risk

D.

Impact analysis