Isaca CCAK Practice Test - Questions Answers, Page 10

Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls. Which of the following controls BEST matches this control description?

A. Network Security
B. Change Detection
C. Virtual Instance and OS Hardening
D. Network Vulnerability Management
Suggested answer: A

Explanation:

Reference: https://csf.tools/reference/cloud-controls-matrix/version-3-0-1/ivs/

Which of the following is a direct benefit of mapping the Cloud Controls Matrix (CCM) to other international standards and regulations?

A. CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.
B. CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.
C. CCM mapping enables an uninterrupted data flow and, in particular, the export of personal data across different jurisdictions.
D. CCM mapping entitles cloud service providers to be certified under the CSA STAR program.
Suggested answer: B

Explanation:

Reference: https://cloudsecurityalliance.org/press-releases/2021/03/15/cloud-security-alliance-releases-additional-mappingsupdate-to-cloud-controls-matrix-ccm-v4/

An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:

A. assess the existence and adequacy of a security awareness training program at the cloud service provider's organization, as the cloud customer hired the auditor to review the cloud service.
B. assess the existence and adequacy of a security awareness training program at both the cloud customer's organization and the cloud service provider's organization.
C. assess the existence and adequacy of a security awareness training program at the cloud customer's organization, as they hired the auditor.
D. not assess the security awareness training program, as it is each organization's responsibility.
Suggested answer: D

Which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments? The visibility of:

A. output from threat modeling exercises.
B. results from automated testing.
C. source code within build scripts.
D. service level agreements.
Suggested answer: A

If the degree of verification for information shared with the auditor during an audit is low, the auditor should:

A. reject the information as audit evidence.
B. stop evaluating the requirement altogether and review other audit areas.
C. delve deeper to obtain the required information to decide conclusively.
D. use professional judgment to determine the degree of reliance that can be placed on the information as evidence.
Suggested answer: D

What should be an organization's control audit schedule of a cloud service provider's business continuity plan and operational resilience policy?

A. Annual
B. Quarterly
C. Monthly
D. Semi-annual
Suggested answer: A

Explanation:

Reference: https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2021/isaca-provides-guidance-around-euproposed-digital-operational-resilience-act

Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization's DevOps pipeline?

A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
Suggested answer: C

Explanation:

Reference: https://cntemngwa.medium.com/how-to-assess-and-audit-devops-security-to-improve-business-value-10e81a2a6fd5

Which of the following CSP activities requires a client's approval?

A. Delete the guest account or test accounts
B. Delete the master account or subscription owner accounts
C. Delete the guest account or destroy test data
D. Delete the test accounts or destroy test data
Suggested answer: D

An organization has an ISMS implemented, following ISO 27001 and Annex A controls. The CIO would like to migrate some of the infrastructure to the cloud.

Which of the following standards would BEST assist in identifying controls to consider for this migration?

A. ISO/IEC 27701
B. ISO/IEC 22301
C. ISO/IEC 27002
D. ISO/IEC 27017
Suggested answer: D

Explanation:

The ISO/IEC 27017 standard defines the requirements for an information security management system (ISMS). Note that the entire organization is not necessarily affected by the standard, because it all depends on the scope of the ISMS. The scope could be limited by the provider to one group within an organization, and there is no guarantee that any group outside of the scope has an appropriate ISMS in place. It is up to the auditor to verify that the scope of the engagement is "fit for purpose." As the customer, you are responsible for determining whether the scope of the certification is relevant for your purposes.

SAST testing is performed by:

A. scanning the application source code.
B. scanning the application interface.
C. scanning all infrastructure components.
D. performing manual actions to gain control of the application.
Suggested answer: A

Explanation:

SAST analyzes application code offline. SAST is generally a rules-based test that will scan software code for items such as credentials embedded into application code and a test of input validation, both of which are major concerns for application security.
