Question 1

The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

Accepted Answer

C

Explanation: :

Question 2

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

Accepted Answer

D

Explanation: The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to ISO/IEC 27001 implementation. The CCM is a cybersecurity control framework for cloud computing that covers 17 domains and 197 control objectives that address all key aspects of cloud technology. ISO/IEC 27001 is a standard for information security management systems that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. The CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas1. The CSA STAR Certification is a third-party independent assessment of the security of a cloud service provider and provides a high level of assurance and trust to customers2. Reference: CSA STAR Certification - Azure Compliance | Microsoft Learn STAR | CSA

Question 3

Which of the following is a category of trust in cloud computing?

Accepted Answer

C

Explanation: Reputation-based trust is a category of trust in cloud computing that relies on the feedback, ratings, reviews, or recommendations of other users or third parties who have used or evaluated the cloud service provider or the cloud service. Reputation-based trust reflects the collective opinion and experience of the cloud community regarding the quality, reliability, security, and performance of the cloud service provider or the cloud service. Reputation-based trust can help potential customers to make informed decisions about choosing a cloud service provider or a cloud service based on the reputation score or ranking of the provider or the service. Reputation-based trust can also motivate cloud service providers to improve their services and maintain their reputation by meeting or exceeding customer expectations. Reputation-based trust is one of the most common and widely used forms of trust in cloud computing, as it is easy to access and understand. However, reputation-based trust also has some limitations and challenges, such as: The accuracy and validity of the reputation data may depend on the source, method, and frequency of data collection and aggregation. For example, some reputation data may be outdated, incomplete, biased, manipulated, or falsified by malicious actors or competitors. The interpretation and comparison of the reputation data may vary depending on the context, criteria, and p

Question 4

A cloud service provider utilizes services of other service providers for its cloud service. Which of the
following is the BEST approach for the auditor while performing the audit for the cloud service?

Accepted Answer

B

Explanation: According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply1. The auditor should understand the nature and scope of the services provided by the service provider, the contractual obligations and service level agreements, the security and compliance requirements, and the monitoring and reporting mechanisms. The auditor should also assess the risks and controls associated with the service provider, and determine if additional audit procedures are needed to obtain sufficient assurance. The other options are not the best approach for the auditor. Option A is too strict and might not be feasible or necessary, depending on the type and level of services provided by the service provider. Option C is too lax and might overlook significant risks and gaps in the cloud service. Option D is too narrow and might ignore the impact of the service provider on the cloud customer’s business context. Reference: ISACA Cloud Auditing Knowledge Certificate Study Guide, page 13-14.

Question 5

Which of the following are the three MAIN phases of the Cloud Controls Matrix (CCM) mapping methodology?

Accepted Answer

C

Explanation: The three main phases of the Cloud Controls Matrix (CCM) mapping methodology are preparation, execution, and peer review and publication. The CCM mapping methodology is a process to map the CCM controls to other standards, regulations, or frameworks that are relevant for cloud security. The mapping helps to identify the commonalities and differences between the CCM and the other standards, regulations, or frameworks, and to provide guidance for cloud service providers and customers on how to achieve compliance with multiple requirements using the CCM. The mapping methodology consists of the following phases1: Preparation: This phase involves defining the scope, objectives, and deliverables of the mapping project, as well as identifying the stakeholders, resources, and tools needed. This phase also includes conducting a preliminary analysis of the CCM and the other standard, regulation, or framework to be mapped, and establishing the mapping criteria and rules. Execution: This phase involves performing the actual mapping of the CCM controls to the other standard, regulation, or framework using a spreadsheet template. This phase also includes documenting the mapping results, providing explanations and justifications for each mapping decision, and resolving any issues or conflicts that may arise during the mapping process. Peer Review and Publication: This phase involves validating and verifying the quality and accuracy of the mapping results by conducting a peer review with subject matter experts from both the CCM working group and the other standard, regulation, or framework organization. This phase also includes finalizing and publishing the mapping document as a CSA artifact, and communicating and promoting the mapping to the relevant audiences. Reference := Methodology for the Mapping of the Cloud Controls Matrix1

Question 6

A dot release of the Cloud Controls Matrix (CCM) indicates:

Accepted Answer

B

Explanation: A dot release of the Cloud Controls Matrix (CCM) indicates a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release. A dot release is a minor update to the CCM that reflects the feedback from the cloud security community and the changes in the cloud technology landscape. A dot release does not change the domain structure or the overall scope of the CCM, but rather improves the clarity, accuracy, and relevance of the existing controls. A dot release is denoted by a decimal number after the major version number, such as CCM v4.1 or CCM v4.2. The current version of the CCM is v4.0, which was released in October 20211. The other options are incorrect because: A . a revision of the CCM domain structure: A revision of the CCM domain structure is a major change that affects the organization and categorization of the controls into different domains. A revision of the CCM domain structure requires a full release, not a dot release, and is denoted by an integer number, such as CCM v3 or CCM v42. C . the introduction of new control frameworks mapped to previously published CCM controls: The introduction of new control frameworks mapped to previously published CCM controls is an additional feature that enhances the usability and applicability of the CCM. The introduction of new control frameworks mapped to previously published CCM controls does not require a dot release or a full release, but rather an update to the mapping table that shows the relationship between the CCM controls and other industry-accepted security standards, regulations, and frameworks3. D . technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release: A technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release is a significant change that affects the content and scope of the CCM. A technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release requires a full release, not a dot release, and is denoted by an integer number, such as CCM v3 or CCM v42. Reference: Cloud Controls Matrix (CCM) - CSA The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar Cloud Security Alliance Releases New Cloud Controls Matrix Auditing Guidelines

Question 7

Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:

Accepted Answer

B

Explanation: APIs are likely to be attacked continuously by bad actors because they are generally the most exposed part of an application or system. APIs serve as the interface between different components or services, and often expose sensitive data or functionality to the outside world. APIs can be accessed by anyone with an Internet connection, and can be easily discovered by scanning or crawling techniques. Therefore, APIs are a prime target for attackers who want to exploit vulnerabilities, steal data, or disrupt services. Reference: ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 88-89. OWASP, The Ten Most Critical API Security Risks - OWASP Foundation, 2019, p. 4-5

Question 8

In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?

Accepted Answer

A

Explanation: Database backup and replication guidelines are essential for ensuring the availability and integrity of data in the event of a disruption or disaster. They describe how the data is backed up, stored, restored, and synchronized across different locations and platforms. An auditor should review these guidelines to verify that they are aligned with the business continuity objectives, policies, and procedures of the organization and the cloud service provider. The auditor should also check that the backup and replication processes are tested regularly and that the results are documented and reported. Reference: ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 96 Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v4.0, 2021, BCR-01: Business Continuity Planning/Resilience

Question 9

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Accepted Answer

B

Explanation: Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include audits, assessments, and independent verification of compliance certifications with agreement terms. This is because cloud services involve multiple parties in the supply chain, such as cloud providers, sub-providers, brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering the cloud services and ensuring their quality, security, and compliance. Therefore, it is important for the cloud customers to have visibility and assurance of the performance and compliance of the cloud providers and their sub-providers. Audits, assessments, and independent verification of compliance certifications are methods to evaluate the effectiveness of the controls and processes implemented by the cloud providers and their sub-providers to meet the agreement terms. These methods can help the cloud customers to identify any gaps or risks in the supply chain and to take corrective actions if needed. This is part of the Cloud Control Matrix (CCM) domain COM-04: Audit Assurance & Compliance, which states that "The organization should have a policy and procedures to conduct audits and assessments of cloud services and data to verify compliance with applicable regulatory frameworks, contractual obligations, and industry standards."12 Reference := CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 551; Practical Guide to Cloud Service Agreements Version 2.02

Question 10

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

Accepted Answer

C

Explanation: Establishing ownership and accountability most enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization’s cloud compliance program. Cloud compliance refers to the principle that cloud-delivered systems must comply with the standards required by their customers. Compliance requirements may include data protection regulations such as HIPAA, PCI DSS, GDPR, ISO/IEC 27001, NIST, and SOX. A cloud compliance program is a set of policies, procedures, and controls that help an organization to achieve and maintain compliance with these requirements12. A cloud compliance program involves identifying, assessing, prioritizing, and mitigating the risks associated with using cloud services. To effectively manage these risks, an organization needs to establish ownership and accountability for each risk and its remediation. Ownership and accountability mean assigning clear roles and responsibilities to the internal stakeholders who are involved in the cloud compliance program, such as the cloud service provider, the cloud customer, the cloud users, the cloud auditors, and the cloud regulators. By doing so, an organization can ensure that the internal stakeholders have the authority, resources, and incentives to make timely and informed decisions for the remediation of risks123. The other options are not the most effective ways to enhance the internal stakeholder decision- making process for the remediation of risks. Option A, automating risk monitoring and reporting processes, is a good practice for improving the efficiency and accuracy of the cloud compliance program, but it does not address the issue of who is responsible for making decisions based on the monitoring and reporting results. Option B, reporting emerging threats to senior stakeholders, is a good practice for increasing the awareness and visibility of the cloud compliance program, but it does not address the issue of how to prioritize and respond to the emerging threats. Option D, monitoring key risk indicators (KRIs) for multi-cloud environments, is a good practice for measuring and tracking the performance and effectiveness of the cloud compliance program, but it does not address the issue of how to align and coordinate the decisions across different cloud environments123. Reference := Cloud Compliance Frameworks: What You Need to Know1 Cloud Compliance: What It Is + 8 Best Practices for Improving It2 Cloud Computing: Auditing Challenges - ISACA

Question 11

Controls mapping found in the Scope Applicability column of the Cloud Controls Matrix (CCM) may help organizations to realize cost savings:

Accepted Answer

A

Explanation: Controls mapping found in the Scope Applicability column of the Cloud Controls Matrix (CCM) may help organizations to realize cost savings by avoiding duplication of efforts in the compliance evaluation and for the eventual control design and implementation. The Scope Applicability column is a feature of the CCM that indicates which cloud model type (IaaS, PaaS, SaaS) or cloud environment (public, hybrid, private) a control applies to. This feature can help organizations to identify and select the most relevant and appropriate controls for their specific cloud scenario, as well as to map them to multiple industry-accepted security standards, regulations, and frameworks. By doing so, organizations can reduce the time, resources, and costs involved in achieving and maintaining compliance with various cloud security requirements123. The other options are not directly related to the question. Option B, by implementing layered security, thus reducing the likelihood of data breaches and the associated costs, is not a valid reason because layered security is a general principle of defense in depth, not a specific feature of the CCM or the Scope Applicability column. Option C, by avoiding the need to hire a cloud security specialist to perform the periodic risk assessment exercise, is not a valid reason because using the CCM or the Scope Applicability column does not eliminate the need for a cloud security specialist or a periodic risk assessment exercise, which are essential for ensuring the effectiveness and adequacy of the cloud security controls. Option D, by avoiding fines for breaching those regulations that impose a controls mapping in order to prove compliance, is not a valid reason because controls mapping is not a mandatory requirement for proving compliance, but a voluntary tool for facilitating compliance. Reference := What is CAIQ? | CSA - Cloud Security Alliance1 Understanding the Cloud Control Matrix | CloudBolt Software2 Cloud Controls Matrix (CCM) - CSA

Question 12

The MOST important factor to consider when implementing cloud-related controls is the:

Accepted Answer

A

Explanation: The most important factor to consider when implementing cloud-related controls is the shared responsibility model. The shared responsibility model is a framework that defines the roles and responsibilities of cloud service providers (CSPs) and cloud customers (CCs) in ensuring the security and compliance of cloud computing environments. The shared responsibility model helps to clarify which security tasks are handled by the CSP and which tasks are handled by the CC, depending on the type of cloud service model (IaaS, PaaS, SaaS) and the specific contractual agreements. The shared responsibility model also helps to avoid gaps or overlaps in security controls, and to allocate resources and accountability accordingly12. Reference: Shared responsibility in the cloud - Microsoft Azure Understanding the Shared Responsibilities Model in Cloud Services - ISACA

Question 13

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

Accepted Answer

A

Explanation: The most effective way to enhance the internal stakeholder decision-making process for the remediation of risks identified from an organization’s cloud compliance program is to establish ownership and accountability for each risk and its corresponding control. Ownership and accountability mean that the stakeholders who are responsible for managing, implementing, monitoring, and reporting on the cloud compliance program have clearly defined roles, responsibilities, expectations, and authorities. Ownership and accountability also mean that the stakeholders who are affected by or involved in the cloud compliance program have sufficient awareness, communication, collaboration, and feedback mechanisms. Establishing ownership and accountability helps to ensure that the risks and controls are properly identified, assessed, prioritized, treated, and reviewed in a timely and consistent manner. It also helps to foster a culture of trust, transparency, and accountability among the internal stakeholders and to align their goals and interests with the organization’s cloud compliance objectives.1 [2][2] Reference := CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 521; Cloud Compliance: A Framework for Using Cloud Services While Maintaining Data Protection Compliance[

Question 14

It is MOST important for an auditor to be aware that an inventory of assets within a cloud environment:

Accepted Answer

D

Explanation: It is most important for an auditor to be aware that an inventory of assets within a cloud environment is fundamental for the security management program. An inventory of assets is a list of all the hardware, software, data, and services that are owned, used, or managed by an organization in the cloud. An inventory of assets helps the organization to identify, classify, and prioritize its cloud resources and to implement appropriate security controls and policies to protect them. An inventory of assets also helps the organization to comply with relevant regulations, standards, and contracts that may apply to its cloud environment.12 An auditor should be aware of the importance of an inventory of assets in the cloud because it provides a baseline for assessing the security posture and compliance status of the organization’s cloud environment. An auditor can use the inventory of assets to verify that the organization has a clear and accurate understanding of its cloud resources and their characteristics, such as location, ownership, configuration, dependencies, vulnerabilities, and risks. An auditor can also use the inventory of assets to evaluate whether the organization has implemented adequate security measures and processes to protect its cloud resources from threats and incidents. An auditor can also use the inventory of assets to identify any gaps or weaknesses in the organization’s security management program and to provide recommendations for improvement.34 Reference := Why is IT Asset Inventory Management Critical? - Fresh Security1; Use asset inventory to manage your resources’ security posture2; The importance of asset inventory in cybersecurity3; The Importance Of Asset Inventory In Cyber Security And CMDB - Visore4

Question 15

Which of the following is the BEST tool to perform cloud security control audits?

Accepted Answer

B

Explanation: The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is the best tool to perform cloud security control audits, as it is a comprehensive framework that provides organizations with a detailed understanding of security concepts and principles that are aligned to the cloud model. The CCM covers 16 domains of cloud security, such as data security, identity and access management, encryption and key management, incident response, and audit assurance and compliance. The CCM also maps to other standards, such as ISO 27001, NIST SP 800-53, PCI DSS, COBIT, and GDPR, to facilitate compliance and assurance activities1. The General Data Protection Regulation (GDPR) is not a tool, but rather a regulation that aims to protect the personal data and privacy of individuals in the European Union (EU) and the European Economic Area (EEA). The GDPR imposes strict requirements on organizations that process personal data of individuals in these regions, such as obtaining consent, ensuring data security, reporting breaches, and respecting data subject rights. The GDPR is relevant for cloud security audits, but it is not a comprehensive framework that covers all aspects of cloud security2. The Federal Information Processing Standard (FIPS) 140-2 is not a tool, but rather a standard that specifies the security requirements for cryptographic modules used by federal agencies and other organizations. The FIPS 140-2 defines four levels of security, from Level 1 (lowest) to Level 4 (highest), based on the design and implementation of the cryptographic module. The FIPS 140-2 is important for cloud security audits, especially for organizations that handle sensitive or classified information, but it is not a comprehensive framework that covers all aspects of cloud security3. ISO 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). An ISMS is a systematic approach to managing information security risks and ensuring the confidentiality, integrity and availability of information assets. ISO 27001 is relevant for cloud security audits, as it provides a framework for assessing and improving the security posture of an organization. However, ISO 27001 does not provide specific guidance or controls for cloud services, which is why ISO 27017:2015 was developed as an extension to ISO 27001 for cloud services4. Reference := Cloud Controls Matrix | Cloud Security Alliance General Data Protection Regulation - Wikipedia FIPS PUB 140-2 - NIST ISO/IEC 27001:2013(en), Information technology ? Security techniques …

Free ISACA CCAK Actual Exam Questions