
Isaca CCAK - Certificate of Cloud Auditing Knowledge

Total 207 questions

Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?

A. Contractual documents of the cloud service provider
B. Heat maps
C. Data security process flow
D. Turtle diagram

Which of the following are independent assessment organizations that verify cloud providers' security implementations and provide the overall risk posture of a cloud environment for a FedRAMP security authorization decision?

A. FedRAMP Program Management Office (FedRAMP PMO)
B. American Association of Laboratory Accreditation (A2LA)
C. Third-party Assessment Organizations (3PAOs)
D. FedRAMP Joint Authorization Boards (JABs)

The MAIN limitation of relying on traditional cloud compliance assurance approaches such as SOC 2 attestations is that:

A. they can only be performed by skilled cloud audit service providers.
B. they are subject to change when the regulatory climate changes.
C. they provide a point-in-time snapshot of an organization's compliance posture.
D. they place responsibility for demonstrating compliance on the vendor organization.

Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

A. Rule-based access control
B. Attribute-based access control
C. Policy-based access control
D. Role-based access control

The PRIMARY purpose of the Open Certification Framework (OCF) for the CSA STAR program is to:

A. facilitate an effective relationship between the cloud service provider and cloud client.
B. ensure understanding of true risk and perceived risk by the cloud service users.
C. provide global, accredited, and trusted certification of the cloud service provider.
D. enable the cloud service provider to prioritize resources to meet its own requirements.

What type of termination occurs at the initiative of one party and without the fault of the other party?

A. Termination without fault
B. Termination at the end of the term
C. Termination for cause
D. Termination for convenience

Which of the following is an example of financial business impact?

A. A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours, resulting in millions in lost sales.
B. A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
C. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all

Which of the following provides the BEST evidence that a cloud service provider's continuous integration and continuous delivery (CI/CD) development pipeline includes checks for compliance as new features are added to its Software as a Service (SaaS) applications?

A. Compliance tests are automated and integrated within the CI tool.
B. Developers keep credentials outside the code base and in a secure repository.
C. Frequent compliance checks are performed for development environments.
D. Third-party security libraries are continuously kept up to date.

Which of the following should a cloud auditor recommend regarding controls for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?

A. Assessment of contractual and regulatory requirements for customer access
B. Establishment of policies and procedures across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction
C. Data input and output integrity routines
D. Testing in accordance with leading industry standards such as OWASP

Which of the following cloud environments should be a concern to an organization's cloud auditor?

A. The cloud service provider's data center is more than 100 miles away.
B. The technical team is trained on only one vendor's Infrastructure as a Service (IaaS) platform, but the organization has subscribed to another vendor's IaaS platform as an alternative.
C. The organization entirely depends on several proprietary Software as a Service (SaaS) applications.
D. The failover region of the cloud service provider is on another continent.