Real CCAK Exam Dumps To Help You Prepare Certificate of Cloud Auditing Knowledge Well

Eleanor2022-05-13T08:14:52+00:00

Certificate of Cloud Auditing Knowledge (CCAK), developed by the Cloud Security Alliance (CSA) and ISACA, is the first-ever, technical, vendor-neutral credential for cloud auditing. Get ready for passing Certificate of Cloud Auditing Knowledge (CCAK) exam before attending CCAK exam by reading real CCAK exam dumps. We have created the actual CCAK dumps questions and answers to help you prepare for CCAK exam well and successfully. These CCAK dumps questions are very accurately prepared and get the efficient manners to attempt your CCAK exam questions as well and efficiently.

Below are CCAK free dumps questions available online for reading first:

Page 1 of 5

1. Which of the following is a corrective control that may be identified in a SaaS service provider?

Log monitoring

Penetration testing

Incident response plans

Vulnerability scan

2. Which of the following are the three MAIN phases of the cloud controls matrix (CCM) mapping methodology?

Plan --> Develop --> Release

Deploy --> Monitor --> Audit

Initiation --> Execution --> Monitoring and Controlling

Preparation --> Execution --> Peer Review and Publication

3. SAST testing is performed by:

scanning the application source code.

scanning the application interface.

scanning all infrastructure components.

performing manual actions to gain control of the application.

4. Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:

recognizes the shared responsibility for risk management between the customer and the CS

leverages SaaS threat models developed by peer organizations.

is developed by an independent third-party with expertise in the organization’s industry sector.

considers the loss of visibility and control from transitioning to the cloud.

5. What aspect of SaaS functionality and operations would the cloud customer be responsible for and should be audited?

Access controls

Vulnerability management

Source code reviews

Patching

6. When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?

Validate if the strategy covers unavailability of all components required to operate the business-as-usual or in disrupted mode, in parts or total- when impacted by a disruption.

Validate if the strategy covers all aspects of Business Continuity and Resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption.

Validate if the strategy covers all activities required to continue and recover prioritized activities within identified time frames and agreed capacity, aligned to the risk appetite of the organization including the invocation of continuity plans and crisis management capabilities.

Validate if the strategy is developed by both cloud service providers and cloud service consumers within the acceptable limits of their risk appetite.

7. What areas should be reviewed when auditing a public cloud?

Patching, source code reviews, hypervisor, access controls

Identity and access management, data protection

Patching, configuration, hypervisor, backups

Vulnerability management, cyber security reviews, patching

8. Which of the following parties should have accountability for cloud compliance requirements?

Customer

Equally shared between customer and provider

Provider

Either customer or provider, depending on requirements

9. While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet.

Given this discovery, what should be the most appropriate action for the auditor to perform?

Highlighting the gap to the audit sponsor at the sponsor’s earliest possible availability

Asking the organization’s cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet

Documenting the finding in the audit report and sharing the gap with the relevant stakeholders

Informing the organization’s internal audit manager immediately about the gap

10. Which of the following defines the criteria designed by the American Institute of Certified Public Accountants (AICPA) to specify trusted services?

Security, confidentiality, availability, privacy and processing integrity

Security, applicability, availability, privacy and processing integrity

Security, confidentiality, availability, privacy and trustworthiness

Security, data integrity, availability, privacy and processing integrity

Page 2 of 5

11. What type of termination occurs at the initiative of one party, and without the fault of the other party?

Termination for cause

Termination for convenience

Termination at the end of the term

Termination without the fault

12. To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

develop a cloud audit plan on the basis of a detailed risk assessment.

schedule the audits and monitor the time spent on each audit.

train the cloud audit staff on current technology used in the organization.

monitor progress of audits and initiate cost control measures.

13. Which of the following data destruction methods is the MOST effective and efficient?

Crypto-shredding

Degaussing

Multi-pass wipes

Physical destruction

14. Which of the following is the risk associated with storing data in a cloud that crosses jurisdictions?

Compliance risk

Provider administration risk

Audit risk

Virtualization risk

15. Which of the following configuration change controls is acceptable to a cloud auditor?

Development, test and production are hosted in the same network environment.

Programmers have permanent access to production software.

The Head of Development approves changes requested to production.

Programmers cannot make uncontrolled changes to the source code production version.

16. In all three cloud deployment models, (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

Cloud service customer

Shared responsibility

Cloud service provider

Patching on hypervisor layer is not required

17. An independent contractor is assessing security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all their products using the cloud services provided by a third-party cloud service provider (CSP) .

What is the optimal and most efficient mechanism to assess the controls CSP is responsible for?

Review third-party audit reports.

Review CSP’s published questionnaires.

Directly audit the CS

Send supplier questionnaire to the CS

18. Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?

ISO/IEC 27017:2015

CSA Cloud Control Matrix (CCM)

NIST SP 800-146

ISO/IEC 27002

19. Which of the following would be considered as a factor to trust in a cloud service provider?

The level of exposure for public information

The level of proved technical skills

The level of willingness to cooperate

The level of open source evidence available

20. Which of the following is an example of integrity technical impact?

The cloud provider reports a breach of customer personal data from an unsecured server.

A hacker using a stolen administrator identity alerts the discount percentage in the product database.

A DDoS attack renders the customer’s cloud inaccessible for 24 hours.

An administrator inadvertently click on Phish bait exposing his company to a ransomware attack.

Page 3 of 5

21. An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models .

Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?

Use of an established standard/regulation to map controls and use as the audit criteria

For efficiency reasons, use of its on-premises systems’ audit criteria to audit the cloud environment

As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes.

Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage

22. Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?

Blue team

White box

Gray box

Red team

23. 1.Which of the following controls framework should the cloud customer use to assess the overall security risk of a cloud provider?

SOC3 - Type2

Cloud Control Matrix (CCM)

SOC2 - Type1

SOC1 - Type1

24. Under GDPR, an organization should report a data breach within what time frame?

72 hours

2 weeks

1 week

48 hours

25. Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?

Design

Stakeholder identification

Development

Risk assessment

26. A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel .

Which access control method will allow IT personnel to be segregated across the various locations?

Role Based Access Control

Attribute Based Access Control

Policy Based Access Control

Rule Based Access Control

27. If the degree of verification for information shared with the auditor during an audit is low, the auditor should:

reject the information as audit evidence.

stop evaluating the requirement altogether and review other audit areas.

delve deeper to obtain the required information to decide conclusively.

use professional judgment to determine the degree of reliance that can be placed on the information as evidence.

28. Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization’s DevOps pipeline?

Verify the inclusion of security gates in the pipeline.

Conduct an architectural assessment.

Review the CI/CD pipeline audit logs.

Verify separation of development and production pipelines.

29. An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community.

From the following, to whom should the auditor report the findings?

Public

Management of organization being audited

Shareholders/interested parties

Cloud service provider

30. Which of the following CSP activities requires a client’s approval?

Delete the guest account or test accounts

Delete the master account or subscription owner accounts

Delete the guest account or destroy test data

Delete the test accounts or destroy test data

Page 4 of 5

31. In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

both operating system and application infrastructure contained within the CSP’s instances.

both operating system and application infrastructure contained within the customer’s instances

only application infrastructure contained within the CSP’s instances.

only application infrastructure contained within the customer’s instances.

32. After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data.

In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident?

As an integrity breach

As control breach

As an availability breach

As a confidentiality breach

33. Which of the following contract terms is necessary to meet a company’s requirement that needs to move data from one CSP to another?

Drag and Drop

Lift and shift

Flexibility to move

Transition and data portability

34. An auditor is performing an audit on behalf of a cloud customer.

For assessing security awareness, the auditor should:

assess the existence and adequacy of a security awareness training program at the cloud service provider’s organization as the cloud customer hired the auditor to review and cloud service.

assess the existence and adequacy of a security awareness training program at both the cloud customer’s organization and the cloud service provider’s organization.

assess the existence and adequacy of a security awareness training program at the cloud customer’s organization as they hired the auditor.

not assess the security awareness training program as it is each organization’s responsibility

35. Which of the following is an example of financial business impact?

A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.

A DDoS attack renders the customer's cloud inaccessible for 24 hours resulting in millions in lost sales.

The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euro.

36. The MOST critical concept of managing the build and test of code in DevOps is:

continuous build.

continuous delivery.

continuous deployment.

continuous integration.

37. You have been assigned the implementation of an ISMS, whose scope must cover both on premise and cloud infrastructure .

Which of the following is your BEST option?

Implement ISO/IEC 27002 and complement it with additional controls from the CC

Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27017.

Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27002.

Implement ISO/IEC 27001 and complement it with additional controls from the NIST SP 800-145.

38. Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public SaaS application to ease the recruiting process?

Ensure HIPAA compliance

Implement a cloud access security broker

Consult the legal department

Do not allow data to be in cleratext

39. Which of the following is the MOST feasible way to validate the performance of CSPs for the delivery of technology resources?

Cloud compliance program

Legacy IT compliance program

Internal audit program

Service organization controls report

40. Which plan will guide an organization on how to react to a security incident that might occur on the organization’s systems, or that might be affecting one of their service providers?

Incident Response Plans

Security Incident Plans

Unexpected Event Plans

Emergency Incident Plans

Page 5 of 5

41. When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?

Cloud Service Provider encryption capabilities

The presence of PII

Organizational security policies

Cost-benefit analysis

42. The Cloud Octagon Model was developed to support organizations:

risk assessment methodology.

risk treatment methodology.

incident response methodology.

incident detection methodology.

43. One of the Cloud Control Matrix’s (CCM’s) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.”

Which of the following controls under the Audit Assurance and Compliance domain does this match to?

Audit planning

Information system and regulatory mapping

GDPR auditing

Independent audits

44. To ensure that integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?

Parallel testing

Full application stack unit testing

Regression testing

Functional verification

45. With regard to the Cloud Control Matrix (CCM), the ‘Architectural Relevance’ is a feature that enables the filtering of security controls by:

relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF), and the Zachman Framework for Enterprise Architecture.

relevant delivery models such as Software as a Service, Platform as a Service, Infrastructure as a Service.

relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.

relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.

Real CCAK Exam Dumps To Help You Prepare Certificate of Cloud Auditing Knowledge Well