Isaca CCAK Practice Test - Questions Answers, Page 13

Which of the following would be considered as a factor to trust in a cloud service provider?

A. The level of exposure for public information
B. The level of proved technical skills
C. The level of willingness to cooperate
D. The level of open source evidence available

Suggested answer: C

Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?

A. Service Level Objective (SLO)
B. Recovery Point Objectives (RPO)
C. Service Level Agreement (SLA)
D. Recovery Time Objectives (RTO)

Suggested answer: C

In cloud computing, with whom do the responsibility and accountability for compliance lie?

A. The cloud service provider is responsible and accountable for compliance.
B. The cloud service provider is responsible for compliance, and the cloud service customer is accountable.
C. The cloud service customer is responsible and accountable for compliance.
D. The cloud service customer is responsible for compliance, and the cloud service provider is accountable.

Suggested answer: D

A certification target helps in the formation of a continuous certification framework by incorporating:

A. CSA STAR level 2 attestation.
B. service level objective and service qualitative objective.
C. frequency of evaluating security attributes.
D. scope description and security attributes to be tested.

Suggested answer: B

Which of the following are the three MAIN phases of the cloud controls matrix (CCM) mapping methodology?

A. Plan --> Develop --> Release
B. Deploy --> Monitor --> Audit
C. Initiation --> Execution --> Monitoring and Controlling
D. Preparation --> Execution --> Peer Review and Publication

Suggested answer: D

Explanation:

Reference: https://docplayer.net/153476370-Methodology-for-the-mapping-of-the-cloud-controls-matrix-ccm.html (page 5)

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

A. Development of the monitoring goals and requirements
B. Identification of processes, functions, and systems
C. Identification of the relevant laws, regulations, and standards
D. Identification of roles and responsibilities

Suggested answer: B

Explanation:

Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2012/cloud-risk-10-principles-and-a-framework-forassessment

The three layers of Open Certification Framework (OCF) PRIMARILY help cloud service providers and cloud clients improve the level of:

A. legal and regulatory compliance.
B. risk and controls.
C. audit structure and formats.
D. transparency and assurance.

Suggested answer: D

Explanation:

The three layers of the Open Certification Framework (OCF) primarily help cloud service providers and cloud clients improve the level of transparency and assurance. The OCF is designed to provide a trusted and independent evaluation of cloud providers through a flexible, incremental, and multi-layered certification process. This framework enhances transparency by making it easier for consumers to understand and compare providers' security and compliance capabilities. Additionally, it offers assurance by integrating with third-party assessment and attestation statements, thereby increasing the security baseline for all participants.

Reference: The benefits of the OCF in improving transparency and assurance are detailed in the Cloud Security Alliance's documentation on the Open Certification Framework.

While using Software as a Service (SaaS) to store secret customer information, an organization identifies a risk of disclosure to unauthorized parties. Although the SaaS service continues to be used, secret customer data is not processed. Which of the following risk treatment methods is being practiced?

A. Risk acceptance
B. Risk transfer
C. Risk mitigation
D. Risk reduction

Suggested answer: D

Explanation:

Risk reduction is a risk treatment approach in which controls are implemented to reduce the likelihood or impact of a risk event. In this scenario, the SaaS service is still in use, but the organization has chosen to limit its exposure by not processing secret customer data there, thereby reducing the risk of unauthorized disclosure. This aligns with ISACA's guidance in CCAK, which emphasizes limiting risk exposure by controlling data handling and processing policies, a practice documented in the CSA Cloud Controls Matrix (CCM) guidance on data protection and data minimization (CSA CCM Domain DSI-05, Data Security and Information Lifecycle Management).

A business unit introducing cloud technologies to the organization without the knowledge or approval of the appropriate governance function is an example of:

A. IT exception
B. Threat
C. Shadow IT
D. Vulnerability

Suggested answer: C

Explanation:

Shadow IT refers to the use of IT resources (hardware, software, or cloud services) within an organization without the explicit approval of the IT or governance team. This practice is often flagged in cloud audits because of the potential for compliance violations and security threats. The CCAK documentation from ISACA highlights the need for visibility and governance over all IT assets, with specific controls listed in the CSA CCM for Cloud Governance (GOV-09). Shadow IT poses risks to data security and compliance and can introduce vulnerabilities, because such systems are not subject to organizational standards and oversight.

Which industry organization offers both security controls and cloud-relevant benchmarking?

A. Cloud Security Alliance (CSA)
B. SANS Institute
C. International Organization for Standardization (ISO)
D. Center for Internet Security (CIS)

Suggested answer: A

Explanation:

The Cloud Security Alliance (CSA) provides both cloud-specific security controls (Cloud Controls Matrix, CCM) and benchmarking tools like the CSA STAR program. CSA's CCM maps industry standards and best practices tailored to cloud security requirements, and STAR provides a transparency and assurance framework for benchmarking security maturity. These resources are widely used and referenced in ISACA's CCAK for cloud auditing and are integral for organizations seeking structured guidance on cloud security.
