Isaca CCAK Practice Test - Questions Answers

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

A. Ensuring segregation of duties in the production and development pipelines.
B. Role-based access controls in the production and development pipelines.
C. Separation of production and development pipelines.
D. Periodic review of the CI/CD pipeline audit logs to identify any access violations.
Suggested answer: C

Explanation:

Reference: https://www.isaca.org/-/media/files/isacadp/project/isaca/articles/journal/2016/volume-2/journal-volume-2-2016

Which of the following metrics are frequently immature?

A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Suggested answer: A

Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?

A. Design
B. Stakeholder identification
C. Development
D. Risk assessment
Suggested answer: C

From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?

A. Process of security integration using automation in software development
B. Development standards for addressing integration, testing, and deployment issues
C. Operational framework that promotes software consistency through automation
D. Making software development simpler, faster, and easier using automation
Suggested answer: B

Explanation:

Reference: https://www.synopsys.com/blogs/software-security/devsecops-challenges-benefits/

The Open Certification Framework is structured on three levels of trust. Those three levels of trust are:

A. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Compliance
B. CSA STAR Audit, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
C. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Monitoring and Control
D. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
Suggested answer: D

Explanation:

Reference: https://www.cloudwatchhub.eu/cloud-security-alliance-open-certification-framework

Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report, which course of action is MOST relevant?

A. Focusing on auditing high-risk areas
B. Testing the adequacy of cloud controls design
C. Relying on management testing of cloud controls
D. Testing the operational effectiveness of cloud controls
Suggested answer: A

Explanation:

Reference: https://www.ucop.edu/ethics-compliance-audit-services/_files/webinars/10-14-16-cloudcomputing/cloudcomputing.pdf (31)

Which of the following is a corrective control that may be identified in a SaaS service provider?

A. Log monitoring
B. Penetration testing
C. Incident response plans
D. Vulnerability scan
Suggested answer: D

The criteria for limiting which services (non-critical services, or services requiring high availability and resilience) may be moved to the cloud are an important consideration to be included PRIMARILY in the:

A. risk management policy.
B. cloud policy.
C. business continuity plan.
D. information security standard for cloud technologies.
Suggested answer: C

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

A. Determine the impact on the controls that were selected by the organization to respond to identified risks.
B. Determine the impact on the confidentiality, integrity, and availability of the information system.
C. Determine the financial, operational, compliance, and reputational impact on the organization.
D. Determine the impact on the physical and environmental security of the organization, excluding informational assets.
Suggested answer: D

An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of the "Corporate Governance Relevance" feature to filter out those controls:

A. relating to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.
B. that can be either of a management or of a legal nature, therefore requiring an approval from the Change Advisory Board.
C. that require the prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.
D. that can be either of an administrative or of a technical nature, therefore requiring an approval from the Change Advisory Board.
Suggested answer: A
Total 170 questions