Certificate of Cloud Auditing Knowledge v1.0 (CCAK)

Page:    1 / 14   
Total 200 questions

Which of the following would be considered as a factor to trust in a cloud service provider?

  • A. The level of exposure for public information
  • B. The level of proved technical skills
  • C. The level of willingness to cooperate
  • D. The level of open source evidence available


Answer : C

When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?

  • A. Cloud Service Provider encryption capabilities
  • B. The presence of PII
  • C. Organizational security policies
  • D. Cost-benefit analysis


Answer : A

A certification target helps in the formation of a continuous certification framework by incorporating:

  • A. CSA STAR level 2 attestation.
  • B. service level objective and service qualitative objective.
  • C. frequency of evaluating security attributes.
  • D. scope description and security attributes to be tested.


Answer : B

In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

  • A. Cloud service customer
  • B. Shared responsibility
  • C. Cloud service provider
  • D. Patching on hypervisor layer is not required


Answer : A

Supply chain agreements between CSP and cloud customers should, at minimum, include:

  • A. Organization chart of the CSP
  • B. Policies and procedures of the cloud customer
  • C. Audits, assessments and independent verification of compliance certifications with agreement terms
  • D. Regulatory guidelines impacting the cloud customer


Answer : C

Which of the following contract terms is necessary to meet a company’s requirement to move data from one CSP to another?

  • A. Drag and Drop
  • B. Lift and shift
  • C. Flexibility to move
  • D. Transition and data portability


Answer : D

Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

  • A. Policy based access control
  • B. Attribute based access control
  • C. Rule based access control
  • D. Role based access control


Answer : C

The Cloud Octagon Model was developed to support organizations’:

  • A. risk assessment methodology.
  • B. risk treatment methodology.
  • C. incident response methodology.
  • D. incident detection methodology.


Answer : A

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

  • A. Ensuring segregation of duties in the production and development pipelines.
  • B. Role-based access controls in the production and development pipelines.
  • C. Separation of production and development pipelines.
  • D. Periodic review of the CI/CD pipeline audit logs to identify any access violations.


Answer : C

A cloud customer configured and developed a solution on top of the certified cloud services. Building on top of a compliant CSP:

  • A. means that the cloud customer is also compliant.
  • B. means that the cloud customer and client are both compliant.
  • C. means that the cloud customer is compliant but their client is not compliant.
  • D. does not necessarily mean that the cloud customer is also compliant.


Answer : D

The rapid and dynamic rate of changes found in a cloud environment affects the organization’s:

  • A. risk profile.
  • B. risk appetite.
  • C. risk scoring.
  • D. risk communication.


Answer : B

A CSP providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance with stringent government standards?

  • A. Multi-Tier Cloud Security (MTCS) Attestation
  • B. FedRAMP Authorization
  • C. ISO/IEC 27001:2013 Certification
  • D. CSA STAR Level Certificate


Answer : B

Which plan will guide an organization on how to react to a security incident that might occur on the organization’s systems, or that might be affecting one of their service providers?

  • A. Incident Response Plans
  • B. Security Incident Plans
  • C. Unexpected Event Plans
  • D. Emergency Incident Plans


Answer : A

Which of the following would be the MOST critical finding of an application security and DevOps audit?

  • A. The organization is not using a unified framework to integrate cloud compliance with regulatory requirements.
  • B. Application architecture and configurations did not consider security measures.
  • C. Outsourced cloud service interruption, breach or loss of data stored at the cloud service provider.
  • D. Certifications with global security standards specific to cloud are not reviewed and the impact of noted findings is not assessed.


Answer : B

What should be an organization’s control audit schedule of a cloud service provider’s business continuity plan and operational resilience policy?

  • A. Annual
  • B. Quarterly
  • C. Monthly
  • D. Semi-annual


Answer : A
