Home

Home / Isaca / CCAK

Question list

List of questions

Question 1

(0)

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

Question 2

(0)

Which of the following metrics are frequently immature?

Question 3

(0)

Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?

Question 4

(0)

From the perspective of a senior cloud security audit practitioner in an organization of a mature security program with cloud adoption, which of the following statements BEST describes the DevSecOps

Question 5

(0)

The Open Certification Framework is structured on three levels of trust. Those three levels of trust are:

Question 6

(0)

Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report, which course of action i

Question 7

(0)

Which of the following is a corrective control that may be identified in a SaaS service provider?

Question 8

(0)

The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARI

Question 9

(0)

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

Question 10

(0)

An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of the "Corporate Governance Relevance" feature to filter out those controls:

Open VPLUS File

Convert VPLUS to PDF

Related questions

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?

An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of the "Corporate Governance Relevance" feature to filter out those controls:

With regard to the Cloud Control Matrix (CCM), the 'Architectural Relevance' is a feature that enables the filtering of security controls by:

As a developer building codes into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?

In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?

Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

Which of the following is an example of a corrective control?

When establishing cloud governance, an organization should FIRST test by migrating:

In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

Question 132 - CCAK discussion

Report

A certification target helps in the formation of a continuous certification framework by incorporating:

A.

the service level objective (SLO) and service qualitative objective (SQO).

B.

the scope description and security attributes to be tested.

C.

the frequency of evaluating security attributes.

D.

CSA STAR level 2 attestation.

Suggested answer: B

Explanation:

According to the blog article ''Continuous Auditing and Continuous Certification'' by the Cloud Security Alliance, a certification target helps in the formation of a continuous certification framework by incorporating the scope description and security attributes to be tested1A certification target is a set of security objectives that a cloud service provider (CSP) defines and commits to fulfill as part of the continuous certification process1Each security objective is associated with a policy that specifies the assessment frequency, such as every four hours, every day, or every week1A certification target also includes a set of tools that are capable of verifying that the security objectives are met, such as automated scripts, APIs, or third-party services1

The other options are not correct because:

Option A is not correct because the service level objective (SLO) and service qualitative objective (SQO) are not part of the certification target, but rather part of the service level agreement (SLA) between the CSP and the cloud customer. An SLO is a measurable characteristic of the cloud service, such as availability, performance, or reliability.An SQO is a qualitative characteristic of the cloud service, such as security, privacy, or compliance2The SLA defines the expected level of service and the consequences of not meeting it. The SLA may be used as an input for defining the certification target, but it is not equivalent or synonymous with it.

Option C is not correct because the frequency of evaluating security attributes is not the only component of the certification target, but rather one aspect of it. The frequency of evaluating security attributes is determined by the policy that is associated with each security objective in the certification target.The policy defines how often the security objective should be verified by the tools, such as every four hours, every day, or every week1However, the frequency alone does not define the certification target, as it also depends on the scope description and the security attributes to be tested.

Option D is not correct because CSA STAR level 2 attestation is not a component of the certification target, but rather a prerequisite for it.CSA STAR level 2 attestation is a third-party independent assessment of the CSP's security posture based on ISO/IEC 27001 and CSA Cloud Controls Matrix (CCM)3CSA STAR level 2 attestation provides a baseline assurance level for the CSP before they can define and implement their certification target for continuous certification.CSA STAR level 2 attestation is also required for CSA STAR level 3 certification, which is based on continuous auditing and continuous certification3

Show Answer

asked 17/11/2024

Md Ali Uz Zaman

34 questions

User

Your answer: A B C D

0 comments

Sorted by

Leave a comment first