Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Isaca CCAK - Certificate of Cloud Auditing Knowledge

Page: 5 / 7
Total 207 questions

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

A.

ISO/IEC 27002

B.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

C.

NISTSP 800-146

D.

ISO/IEC 27017:2015

Which of the following is the PRIMARY component to determine the success or failure of an organization’s cloud compliance program?

A.

Defining the metrics and indicators to monitor the implementation of the compliance program

B.

Determining the risk treatment options to be used in the compliance program

C.

Mapping who possesses the information and data that should drive the compliance goals

D.

Selecting the external frameworks that will be used as reference

When establishing cloud governance, an organization should FIRST test by migrating:

A.

legacy applications to the cloud.

B.

a few applications to the cloud.

C.

all applications at once to the cloud.

D.

complex applications to the cloud

An auditor is assessing a European organization's compliance. Which regulation is suitable if health information needs to be protected?

A.

GDPR

B.

DPIA

C.

DPA

D.

HIPAA

Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?

A.

Location of data

B.

Amount of server storage

C.

Access controls

D.

Type of network technology

Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?

A.

CCM utilizes an ITIL framework to define the capabilities needed to manage the IT services and security services.

B.

CCM maps to existing security standards, best practices, and regulations.

C.

CCM uses a specific control for Infrastructure as a Service (laaS).

D.

CCM V4 is an improved version from CCM V3.0.1.

An auditor is reviewing an organization’s virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?

A.

The auditor should not rely on the CM tool and its settings, and for thoroughness should review the password configuration on the set of sample VMs.

B.

Review the relevant configuration settings on the CM tool and check whether the CM tool agents are operating effectively on the sample VMs.

C.

As it is an automated environment, reviewing the relevant configuration settings on the CM tool would be sufficient.

D.

Review the incident records for any incidents relating to brute force attacks or password compromise in the last 12 months and investigate whether the root cause of the incidents was due to in appropriate password policy configured on the VMs.

Which of the following is the BEST recommendation to offer an organization's HR department planning to adopt a new public Software as a Service (SaaS) application to ease the recruiting process?

A.

Implement a cloud access security broker (CASB).

B.

Do not allow data to be in clear text.

C.

Ensure HIPAA compliance.

D.

Consult the legal department.

Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

A.

Control self-assessment (CSA)

B.

Third-party vendor involvement

C.

Exception reporting

D.

Application team internal review

An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following

What should be the BEST recommendation to reduce the provider’s burden?

A.

The provider can answer each customer individually.

B.

The provider can direct all customer inquiries to the information in the CSA STAR registry.

C.

The provider can schedule a call with each customer.

D.

The provider can share all security reports with customers to streamline the process