
Isaca CCAK Practice Test - Questions Answers, Page 9


Which best describes the difference between a type 1 and a type 2 SOC report?

A. A type 2 SOC report validates the operating effectiveness of controls whereas a type 1 SOC report validates the suitability of the design of the controls.
B. A type 2 SOC report validates the suitability of the design of the controls whereas a type 1 SOC report validates the operating effectiveness of controls.
C. A type 1 SOC report provides an attestation whereas a type 2 SOC report offers a certification.
D. There is no difference between a type 2 and type 1 SOC report.
Suggested answer: C

Explanation:

Reference: https://www.accountingtools.com/articles/2019/8/30/the-difference-between-soc-type-1-and-type-2-reports

The rapid and dynamic rate of changes found in a cloud environment affects the organization's:

A. risk profile.
B. risk appetite.
C. risk scoring.
D. risk communication.
Suggested answer: B

Which of the following parties should have accountability for cloud compliance requirements?

A. Customer
B. Equally shared between customer and provider
C. Provider
D. Either customer or provider, depending on requirements
Suggested answer: B

A cloud customer configured and developed a solution on top of the certified cloud services. Building on top of a compliant CSP:

A. means that the cloud customer is also compliant.
B. means that the cloud customer and client are both compliant.
C. means that the cloud customer is compliant but their client is not compliant.
D. does not necessarily mean that the cloud customer is also compliant.
Suggested answer: D

An independent contractor is assessing the security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all of its products using the cloud services provided by a third-party cloud service provider (CSP). What is the optimal and most efficient mechanism to assess the controls the CSP is responsible for?

A. Review third-party audit reports.
B. Review CSP's published questionnaires.
C. Directly audit the CSP.
D. Send supplier questionnaire to the CSP.
Suggested answer: B

Explanation:

Reference: https://www.sapidata.sm/img/cms/CAIQ_v3-1_2020-01-13.pdf

One of the Cloud Control Matrix's (CCM's) control specifications states that "Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations." Which of the following controls under the Audit Assurance and Compliance domain does this match to?

A. Audit planning
B. Information system and regulatory mapping
C. GDPR auditing
D. Independent audits
Suggested answer: B

What data center and physical security measures should a cloud customer consider when assessing a cloud service provider?

A. Assess use of monitoring systems to control ingress and egress points of entry to the data center.
B. Implement physical security perimeters to safeguard personnel, data and information systems.
C. Conduct due diligence to verify the cloud provider applies adequate physical security measures.
D. Review internal policies and procedures for relocation of hardware and software to an offsite location.
Suggested answer: C

Explanation:

Reference: https://www.omg.org/cloud/deliverables/CSCC-Security-for-Cloud-Computing-10-Steps-to-Ensure-Success.pdf

To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:

A. object-oriented architecture.
B. software architecture.
C. service-oriented architecture.
D. enterprise architecture.
Suggested answer: C

An auditor identifies that a CSP received multiple customer inquiries and RFPs during the last month. Which of the following should be the BEST recommendation to reduce the CSP burden?

A. CSP can share all security reports with customers to streamline the process.
B. CSP can schedule a call with each customer.
C. CSP can answer each customer individually.
D. CSP can direct all customers' inquiries to the information in the CSA STAR registry.
Suggested answer: D

Explanation:

Reference: https://cloudsecurityalliance.org/star/registry/

How should controls be designed by an organization?

A. By the internal audit team
B. Using the ISO27001 framework
C. By the cloud provider
D. Using the organization's risk management framework
Suggested answer: A

Explanation:

Reference: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2016/internal-control-key-to-deliveringstakeholder-value

Total 170 questions