ExamGecko

Isaca CCAK Practice Test - Questions Answers, Page 10

List of questions

Question 91


Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls. Which of the following controls BEST matches this control description?

A. Network Security
B. Change Detection
C. Virtual Instance and OS Hardening
D. Network Vulnerability Management
Suggested answer: A

Explanation:

Reference: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/ivs/


asked 18/09/2024
Isidre Piguillem
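The control text above is the kind of thing an auditor has to test with evidence rather than by reading the policy. The following Python script is an added example (not code from the page, the CSA or ISACA) of that test: it takes a constructed set of ingress rules in the shape an IaaS security-group export has, plus the justification register the control expects the organisation to keep, and reports every rule the control text would flag. Assumptions, all mine: the trusted address space is 10.0.0.0/8 and 172.16.0.0/12; "at least annually" means a review no older than 365 days; and any rule admitting traffic from an untrusted network must name at least one compensating control.

```python
"""Added example: evidence check for a network-security control that requires
restricted traffic between trusted and untrusted networks, a documented
justification for every allowed service/protocol/port, compensating controls,
and at least annual review. Not code from ISACA or the CSA; all data below is
constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date

# Assumption: these ranges are the organisation's trusted (internal) networks.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("172.16.0.0/12")]


@dataclass
class Rule:
    """One allowed ingress flow. protocol "-1" means any, as in AWS exports."""
    group: str
    protocol: str
    from_port: int
    to_port: int
    source: str  # CIDR of the permitted source


@dataclass
class Justification:
    """Register entry: why a group permits a protocol/port range, when that
    decision was last reviewed, and which compensating controls back it."""
    group: str
    protocol: str
    from_port: int
    to_port: int
    reason: str
    last_reviewed: date
    compensating_controls: list[str] = field(default_factory=list)


def is_untrusted(cidr: str) -> bool:
    """True unless the whole source range lies inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == t.version and net.subnet_of(t)
                   for t in TRUSTED_NETWORKS)


def covers(j: Justification, r: Rule) -> bool:
    """A register entry covers a rule when the group matches and the rule's
    protocol and port range fall inside what the entry justifies."""
    return (j.group == r.group
            and j.protocol in (r.protocol, "-1")
            and j.from_port <= r.from_port
            and r.to_port <= j.to_port)


def audit(rules: list[Rule], register: list[Justification],
          today: date, max_age_days: int = 365) -> list[str]:
    """Return one finding string per control failure, in rule order."""
    findings = []
    for r in rules:
        label = f"{r.group} {r.protocol}/{r.from_port}-{r.to_port} from {r.source}"
        matches = [j for j in register if covers(j, r)]
        if not matches:
            findings.append(f"NO-JUSTIFICATION: {label}")
            continue
        j = max(matches, key=lambda e: e.last_reviewed)  # most recent review
        if (today - j.last_reviewed).days > max_age_days:
            findings.append(f"REVIEW-OVERDUE: {label} (last reviewed {j.last_reviewed})")
        if is_untrusted(r.source) and not j.compensating_controls:
            findings.append(f"NO-COMPENSATING-CONTROL: {label}")
    return findings


# Constructed sample evidence: four rules, three register entries.
RULES = [
    Rule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("sg-web", "tcp", 22, 22, "0.0.0.0/0"),           # nobody justified this
    Rule("sg-db", "tcp", 5432, 5432, "10.20.0.0/16"),     # internal, stale review
    Rule("sg-api", "tcp", 8080, 8080, "203.0.113.0/24"),  # partner, no compensating control
]
REGISTER = [
    Justification("sg-web", "tcp", 443, 443, "public HTTPS front end",
                  date(2024, 3, 1), ["WAF in front of the load balancer",
                                     "VPC flow logs reviewed weekly"]),
    Justification("sg-db", "tcp", 5432, 5432, "app tier to PostgreSQL",
                  date(2023, 1, 15)),
    Justification("sg-api", "tcp", 8080, 8080, "partner integration",
                  date(2024, 6, 1)),
]


def run_sample() -> list[str]:
    """Audit the constructed evidence as of a fixed (assumed) audit date."""
    return audit(RULES, REGISTER, date(2024, 9, 18))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The three checks map one-to-one onto the control sentence: NO-JUSTIFICATION is the missing "documented justification for use", REVIEW-OVERDUE is the missed annual review, and NO-COMPENSATING-CONTROL is the untrusted-to-trusted flow with nothing backing it. The HTTPS rule passes because it is justified, recently reviewed and backed by named controls; the database rule is internal, so only its stale review is flagged.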

Question 92


Which of the following is a direct benefit of mapping the Cloud Control Matrix (CCM) to other international standards and regulations?

A. CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.
B. CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.
C. CCM mapping enables an uninterrupted data flow and, in particular, the export of personal data across different jurisdictions.
D. CCM mapping entitles cloud service providers to be certified under the CSA STAR program.
Suggested answer: B

Explanation:

Reference: https://cloudsecurityalliance.org/press-releases/2021/03/15/cloud-security-alliance-releases-additional-mappingsupdate-to-cloud-controls-matrix-ccm-v4/


asked 18/09/2024
Ella Parkum

Question 93


An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:

A. assess the existence and adequacy of a security awareness training program at the cloud service provider's organization, as the cloud customer hired the auditor to review the cloud service.
B. assess the existence and adequacy of a security awareness training program at both the cloud customer's organization and the cloud service provider's organization.
C. assess the existence and adequacy of a security awareness training program at the cloud customer's organization, as they hired the auditor.
D. not assess the security awareness training program, as it is each organization's responsibility.
Suggested answer: D
asked 18/09/2024
AshokBabu Kumili

Question 94


Which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments? The visibility of:

A. output from threat modeling exercises.
B. results from automated testing.
C. source code within build scripts.
D. service level agreements.
Suggested answer: A
asked 18/09/2024
Jahcorey Howze

Question 95


If the degree of verification for information shared with the auditor during an audit is low, the auditor should:

A. reject the information as audit evidence.
B. stop evaluating the requirement altogether and review other audit areas.
C. delve deeper to obtain the required information to decide conclusively.
D. use professional judgment to determine the degree of reliance that can be placed on the information as evidence.
Suggested answer: D
asked 18/09/2024
Tom Rez

Question 96


What should be an organization's control audit schedule of a cloud service provider's business continuity plan and operational resilience policy?

A. Annual
B. Quarterly
C. Monthly
D. Semi-annual
Suggested answer: A

Explanation:

Reference: https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2021/isaca-provides-guidance-around-euproposed-digital-operational-resilience-act

asked 18/09/2024
Pooja Pendyala

Question 97


Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization's DevOps pipeline?

A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
Suggested answer: C

Explanation:

Reference: https://cntemngwa.medium.com/how-to-assess-and-audit-devops-security-to-improve-business-value-10e81a2a6fd5

asked 18/09/2024
femke vroome

Question 98


Which of the following CSP activities requires a client's approval?

A. Delete the guest account or test accounts
B. Delete the master account or subscription owner accounts
C. Delete the guest account or destroy test data
D. Delete the test accounts or destroy test data
Suggested answer: D
asked 18/09/2024
AHOPlvaro Zorrilla

Question 99


An organization has an ISMS implemented, following ISO 27001 and Annex A controls. The CIO would like to migrate some of the infrastructure to the cloud.

Which of the following standards would BEST assist in identifying controls to consider for this migration?

A. ISO/IEC 27701
B. ISO/IEC 22301
C. ISO/IEC 27002
D. ISO/IEC 27017
Suggested answer: D

Explanation:

ISO/IEC 27017 is a code of practice for information security controls for cloud services. It builds on ISO/IEC 27002, and therefore on the ISO 27001 Annex A control set the organization already operates: for each relevant 27002 control it adds implementation guidance specific to cloud service customers and providers, and it adds cloud-only controls, for example shared roles and responsibilities between customer and provider, removal of customer assets when the service ends, segregation in virtual computing environments, and monitoring of cloud services. That makes it the standard to consult when deciding which additional controls the migration needs. The other options do not fit: ISO/IEC 27701 extends the ISMS to privacy information management, ISO 22301 covers business continuity management systems, and ISO/IEC 27002 is the generic control catalogue the organization is already applying.

A related point for the auditor: an ISO 27001 certificate, whether the customer's or the provider's, covers only the ISMS scope stated on it. A provider may limit the scope to one group or one service, and nothing outside that scope is assured. It is up to the auditor to verify that the scope of the engagement is "fit for purpose", and the customer remains responsible for determining whether the scope of the certification is relevant to its own use of the service.

asked 18/09/2024
Ciaran Cullimore

Question 100


SAST testing is performed by:

A. scanning the application source code.
B. scanning the application interface.
C. scanning all infrastructure components.
D. performing manual actions to gain control of the application.
Suggested answer: A

Explanation:

SAST analyzes the application's source code (or compiled bytecode) without executing it, which is why it can run early in the pipeline, before a deployable application exists; DAST, by contrast, exercises the running application through its interface. SAST is generally rules-based: it matches patterns and data-flow rules against the code to find weaknesses such as credentials embedded in the source and user input that reaches sensitive operations without validation, both of which are major application-security concerns.

asked 18/09/2024
Karthik Krishnamoorthy
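To make the two rule families in the explanation concrete, here is an added example in Python of a minimal rules-based scanner. It is not code from the page, ISACA or any SAST product, and the file it scans is a constructed sample embedded in the block. Rule one is a plain pattern over the text (a string literal assigned to a credential-looking name); rule two is a deliberately small, single-function taint check over the AST: a value coming from input() that reaches a dangerous sink such as os.system() or eval() without passing through a sanitiser counts as missing input validation. The source, sanitiser and sink lists are my assumptions for the example.

```python
"""Added example: a tiny rules-based SAST scanner for Python source.
Not a real product; it shows the two rule types the explanation names."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


# Rule 1: a string literal assigned to something that looks like a credential.
CREDENTIAL_RE = re.compile(
    r"""(?i)(password|passwd|secret|api_key|token)\s*=\s*["'][^"']{4,}["']"""
)

# Rule 2 vocabulary (assumed for the example): where untrusted data enters,
# which calls are accepted as validating it, and which calls are dangerous.
SOURCES = {"input"}
SANITISERS = {"int", "float", "shlex.quote"}
SINKS = {"eval", "exec", "os.system", "os.popen", "subprocess.call"}


def _call_name(call: ast.Call) -> str:
    """Return 'name' or 'module.attr' for a call, '' for anything else."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


class _TaintVisitor(ast.NodeVisitor):
    """Intra-procedural taint tracking: names assigned from a source, or from
    an expression mentioning a tainted name, stay tainted until reassigned
    from a sanitiser or from clean data."""

    def __init__(self) -> None:
        self.tainted = set()    # names currently holding untrusted data
        self.findings = []

    def _value_is_tainted(self, value: ast.expr) -> bool:
        if isinstance(value, ast.Call):
            name = _call_name(value)
            if name in SOURCES:
                return True
            if name in SANITISERS:
                return False  # e.g. int(x): the value has been validated
        return any(isinstance(n, ast.Name) and n.id in self.tainted
                   for n in ast.walk(value))

    def visit_Assign(self, node: ast.Assign) -> None:
        targets = {t.id for t in node.targets if isinstance(t, ast.Name)}
        if self._value_is_tainted(node.value):
            self.tainted |= targets
        else:
            self.tainted -= targets
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(self._value_is_tainted(a) for a in args):
                self.findings.append(Finding(
                    "tainted-sink", node.lineno,
                    f"unvalidated input reaches {name}()"))
        self.generic_visit(node)


def scan(source: str) -> list[Finding]:
    """Run both rules over one Python file and return findings ordered by line."""
    findings = [
        Finding("hardcoded-credential", lineno, m.group(0))
        for lineno, text in enumerate(source.splitlines(), 1)
        if (m := CREDENTIAL_RE.search(text))
    ]
    visitor = _TaintVisitor()
    visitor.visit(ast.parse(source))
    findings.extend(visitor.findings)
    return sorted(findings, key=lambda f: f.line)


# Constructed target: one embedded credential, one unvalidated input that
# reaches a shell, and one input that is validated through int() first.
SAMPLE = '''
import os
DB_PASSWORD = "hunter2-prod"
def run():
    cmd = input("command: ")
    os.system("ls " + cmd)
    n = input("count: ")
    count = int(n)
    os.system(f"head -n {count} log.txt")
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Running it reports the credential on line 3 and the shell call on line 6, and stays quiet about the second os.system() call because its argument went through int(). The example also shows why SAST output needs an auditor's judgment: the text rule is cheap but bound to its pattern (a variable called pwd would slip past), and the taint rule is limited to one function, whereas a production tool follows data across functions and files and carries a far larger sink and sanitiser vocabulary.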
Total 195 questions