CCAK exam

The Cloud Octagon Model was developed to support organizations':A . risk treatment methodology.B . incident detection methodology.C . incident response methodology.D . risk assessment methodology.View AnswerAnswer: D Explanation: The Cloud Octagon Model was developed to support organizations’ risk assessment methodology. Risk assessment is the process of identifying, analyzing, and evaluating...

When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:A . shared.B . avoided.C . transferred.D . maintained.View AnswerAnswer: D Explanation: When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider’s model...

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT...

Which objective is MOST appropriate to measure the effectiveness of password policy?A . The number of related incidents decreases.B . Attempts to log with weak credentials increases.C . The number of related incidents increases.D . Newly created account credentials satisfy requirements.View AnswerAnswer: D Explanation: The objective that is most appropriate...

What legal documents should be provided to the auditors in relation to risk management?A . Enterprise cloud strategy and policyB . Contracts and service level agreements (SLAs) of cloud service providersC . Policies and procedures established around third-party risk assessmentsD . Inventory of third-party attestation reportsView AnswerAnswer: B Explanation: Contracts...

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?A . Separation of production and development pipelinesB . Ensuring segregation of duties in the production and development pipelinesC . Role-based access controls in the production and development pipelinesD . Periodic...

A cloud service provider contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The provider's security operation center is not notified in advance of the scope of the audit and the test vectors....

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:A . ISO/IEC 27001 implementation.B . GB/T 22080-2008.C . SOC 2 Type 1 or 2 reports.D . GDPR CoC certification.View AnswerAnswer: A Explanation: The CSA STAR Certification is based on...

Which of the following is an example of financial business impact?A . A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.B . A hacker using a stolen administrator identity brings down the Software of a Service (SaaS) sales...

The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:A . facilitate an effective relationship between the cloud service provider and cloud client.B . enable the cloud service provider to prioritize resources to meet its own requirements.C . provide global, accredited, and trusted certification of...