When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:
When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:
A. shared.
B. avoided.
C. transferred.
D. maintained.
Answer: D
Explanation: When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model...
What should be the auditor's NEXT course of action?
During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT...
Which objective is MOST appropriate to measure the effectiveness of password policy?
Which objective is MOST appropriate to measure the effectiveness of password policy?
A. The number of related incidents decreases.
B. Attempts to log in with weak credentials increase.
C. The number of related incidents increases.
D. Newly created account credentials satisfy requirements.
Answer: D
Explanation: The objective that is most appropriate...
What legal documents should be provided to the auditors in relation to risk management?
What legal documents should be provided to the auditors in relation to risk management?
A. Enterprise cloud strategy and policy
B. Contracts and service level agreements (SLAs) of cloud service providers
C. Policies and procedures established around third-party risk assessments
D. Inventory of third-party attestation reports
Answer: B
Explanation: Contracts...
Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?
Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?
A. Separation of production and development pipelines
B. Ensuring segregation of duties in the production and development pipelines
C. Role-based access controls in the production and development pipelines
D. Periodic...
Which mode has been selected by the provider?
A cloud service provider contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The provider's security operation center is not notified in advance of the scope of the audit and the test vectors....
The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:
The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:
A. ISO/IEC 27001 implementation.
B. GB/T 22080-2008.
C. SOC 2 Type 1 or 2 reports.
D. GDPR CoC certification.
Answer: A
Explanation: The CSA STAR Certification is based on...
Which of the following is an example of financial business impact?
Which of the following is an example of financial business impact?
A. A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours, resulting in millions in lost sales.
B. A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales...
The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:
The PRIMARY purpose of the Open Certification Framework (OCF) for the CSA STAR program is to:
A. facilitate an effective relationship between the cloud service provider and cloud client.
B. enable the cloud service provider to prioritize resources to meet its own requirements.
C. provide global, accredited, and trusted certification of...
Which of the following can BEST help to gain the required information?
An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. Which of the following can BEST help to gain the required information?
A. ISAE 3402 report
B. ISO/IEC 27001 certification
C. SOC 1 Type 1 report
D. SOC 2 Type 2...