isaca ccak practice test

Certificate of Cloud Auditing Knowledge

Last exam update: May 17 ,2024
Page 1 out of 8. Viewing questions 1-15 out of 126

Question 1

Which of the following is the common cause of misconfiguration in a cloud environment?

  • A. Absence of effective change control
  • B. Using multiple cloud service providers
  • C. New cloud computing techniques
  • D. Traditional change process mechanisms
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://businessinsights.bitdefender.com/the-top-5-cloud-threats-that-smbs-need-to-address

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

Which of the following metrics are frequently immature?

  • A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
  • B. Metrics around Platform as a Service (PaaS) development environments
  • C. Metrics around Infrastructure as a Service (IaaS) computing environments
  • D. Metrics around specific Software as a Service (SaaS) application services
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of
continuous auditing of performance on a cloud system?

  • A. Service Level Objective (SLO)
  • B. Recovery Point Objectives (RPO)
  • C. Service Level Agreement (SLA)
  • D. Recovery Time Objectives (RTO)
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

Which of the following is MOST important to consider when developing an effective threat model during the introduction of a
new SaaS service into a customer organizations architecture? The threat model:

  • A. recognizes the shared responsibility for risk management between the customer and the CSP.
  • B. leverages SaaS threat models developed by peer organizations.
  • C. is developed by an independent third-party with expertise in the organization’s industry sector.
  • D. considers the loss of visibility and control from transitioning to the cloud.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

As a developer building codes into a container in a DevSecOps environment, which of the following is the appropriate
place(s) to perform security tests?

  • A. Within developer’s laptop
  • B. Within the CI/CD server
  • C. Within version repositories
  • D. Within the CI/CD pipeline
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

An organization has an ISMS implemented, following ISO 27001 and Annex A controls. The CIO would like to migrate some
of the infrastructure to the cloud. Which of the following standards would BEST assist in identifying controls to consider for
this migration?

  • A. ISO/IEC 27701
  • B. ISO/IEC 22301
  • C. ISO/IEC 27002
  • D. ISO/IEC 27017
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
ISO/IEC 27017 standard defines the requirements for an information security management system (ISMS). Note that the
entire organization is not necessarily affected by the standard, because it all depends on the scope of the ISMS. The scope
could be limited by the provider to one group within an organization, and there is no guarantee that any group outside of the
scope has appropriate ISMSs in place. It is up to the auditor to verify that the scope of the engagement is fit for purpose. As
the customer, you are responsible for determining whether the scope of the certification is relevant for your purposes.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of
the Corporate Governance Relevance feature to filter out those controls:

  • A. relating to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.
  • B. that can be either of a management or of a legal nature, therefore requiring an approval from the Change Advisory Board.
  • C. that require the prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.
  • D. that can be either of an administrative or of a technical nature, therefore requiring an approval from the Change Advisory Board.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

How should controls be designed by an organization?

  • A. By the internal audit team
  • B. Using the ISO27001 framework
  • C. By the cloud provider
  • D. Using the organization’s risk management framework
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2016/internal-control-key-to-delivering-
stakeholder-value

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the
risk arising from changes to an organizations SaaS vendor?

  • A. Risk exceptions policy
  • B. Contractual requirements
  • C. Risk appetite
  • D. Board oversight
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://assets.kpmg/content/dam/kpmg/ch/pdf/key-risks-internal-audit-2018.pdf

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

What data center and physical security measures should a cloud customer consider when assessing a cloud service
provider?

  • A. Assess use of monitoring systems to control ingress and egress points of entry to the data center.
  • B. Implement physical security perimeters to safeguard personnel, data and information systems.
  • C. Conduct a due diligence to verify the cloud provider applies adequate physical security measures.
  • D. Review internal policies and procedures for relocation of hardware and software to an offsite location.
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://www.omg.org/cloud/deliverables/CSCC-Security-for-Cloud-Computing-10-Steps-to-Ensure-Success.pdf

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Prioritizing assurance activities for an organizations cloud services portfolio depends PRIMARILY on an organizations
ability to:

  • A. schedule frequent reviews with high-risk cloud service providers.
  • B. develop plans using a standardized risk-based approach.
  • C. maintain a comprehensive cloud service inventory.
  • D. collate views from various business functions using cloud services.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST)
methodology?

  • A. Unlike SAST, DAST is a blackbox and programming language agnostic.
  • B. DAST can dynamically integrate with most CI/CD tools.
  • C. DAST delivers more false positives than SAST.
  • D. DAST is slower but thorough.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference/

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

What aspect of SaaS functionality and operations would the cloud customer be responsible for and should be audited?

  • A. Access controls
  • B. Vulnerability management
  • C. Source code reviews
  • D. Patching
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919233

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?

  • A. Cloud Service Provider encryption capabilities
  • B. The presence of PII
  • C. Organizational security policies
  • D. Cost-benefit analysis
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

When a client’s business process changes, the CSP SLA should:

  • A. be reviewed, but the SLA cannot be updated.
  • B. not be reviewed, but the cloud contract should be cancelled immediately.
  • C. not be reviewed as the SLA cannot be updated.
  • D. be reviewed and updated if required.
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: http://www.diva-portal.org/smash/get/diva2:1312384/FULLTEXT01.pdf

Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2