ExamGecko

Isaca CCAK Practice Test - Questions Answers

List of questions

Question 1

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

A. Ensuring segregation of duties in the production and development pipelines.
B. Role-based access controls in the production and development pipelines.
C. Separation of production and development pipelines.
D. Periodic review of the CI/CD pipeline audit logs to identify any access violations.
Suggested answer: C
Explanation:

Reference: https://www.isaca.org/-/media/files/isacadp/project/isaca/articles/journal/2016/volume-2/journal-volume-2-2016

asked 18/09/2024
Grant Richardson

Question 2

Which of the following metrics are frequently immature?

A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Suggested answer: A
asked 18/09/2024
Unai M

Question 3

Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?

A. Design
B. Stakeholder identification
C. Development
D. Risk assessment
Suggested answer: C
asked 18/09/2024
Andries Coetzee

Question 4

From the perspective of a senior cloud security audit practitioner in an organization of a mature security program with cloud adoption, which of the following statements BEST describes the DevSecOps concept?

A. Process of security integration using automation in software development
B. Development standards for addressing integration, testing, and deployment issues
C. Operational framework that promotes software consistency through automation
D. Making software development simpler, faster, and easier using automation
Suggested answer: B
Explanation:

Reference: https://www.synopsys.com/blogs/software-security/devsecops-challenges-benefits/

asked 18/09/2024
Bruno Piovan

Question 5

The Open Certification Framework is structured on three levels of trust. Those three levels of trust are:

A. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Compliance
B. CSA STAR Audit, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
C. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Monitoring and Control
D. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
Suggested answer: D
Explanation:

Reference: https://www.cloudwatchhub.eu/cloud-security-alliance-open-certification-framework

asked 18/09/2024
Naing Thet

Question 6

Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report, which course of action is MOST relevant?

A. Focusing on auditing high-risk areas
B. Testing the adequacy of cloud controls design
C. Relying on management testing of cloud controls
D. Testing the operational effectiveness of cloud controls
Suggested answer: A
Explanation:

Reference: https://www.ucop.edu/ethics-compliance-audit-services/_files/webinars/10-14-16-cloudcomputing/cloudcomputing.pdf (31)

asked 18/09/2024
hamza reza

Question 7

Which of the following is a corrective control that may be identified in a SaaS service provider?

A. Log monitoring
B. Penetration testing
C. Incident response plans
D. Vulnerability scan
Suggested answer: D
asked 18/09/2024
Calvin Bolico

Question 8

The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARILY in the:

A. risk management policy.
B. cloud policy.
C. business continuity plan.
D. information security standard for cloud technologies.
Suggested answer: C
asked 18/09/2024
andrea rosi

Question 9

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

A. Determine the impact on the controls that were selected by the organization to respond to identified risks.
B. Determine the impact on confidentiality, integrity and availability of the information system.
C. Determine the impact on the financial, operational, compliance and reputation of the organization.
D. Determine the impact on the physical and environmental security of the organization, excluding informational assets.
Suggested answer: D
asked 18/09/2024
Marco Romani

Question 10

An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of the "Corporate Governance Relevance" feature to filter out those controls:

A. relating to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.
B. that can be either of a management or of a legal nature, therefore requiring an approval from the Change Advisory Board.
C. that require the prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.
D. that can be either of an administrative or of a technical nature, therefore requiring an approval from the Change Advisory Board.
Suggested answer: A
asked 18/09/2024
Isidre Piguillem
Total 195 questions