CCAK exam

A cloud auditor should use statistical sampling rather than judgment (nonstatistical) sampling when:A . generalized audit software is unavailable.B . the auditor wants to avoid sampling risk.C . the probability of error must be objectively quantified.D . the tolerable error rate cannot be determined.View AnswerAnswer: C Explanation: According to the...

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?A . Establishing ownership and accountabilityB . Reporting emerging threats to senior stakeholdersC . Monitoring key risk indicators (KRIs) for multi-cloud environmentsD . Automating risk monitoring and reporting...

The Cloud Octagon Model was developed to support organizations':A . risk treatment methodology.B . incident detection methodology.C . incident response methodology.D . risk assessment methodology.View AnswerAnswer: D Explanation: The Cloud Octagon Model was developed to support organizations’ risk assessment methodology. Risk assessment is the process of identifying, analyzing, and evaluating...

When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:A . shared.B . avoided.C . transferred.D . maintained.View AnswerAnswer: D Explanation: When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider’s model...

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT...

Which objective is MOST appropriate to measure the effectiveness of password policy?A . The number of related incidents decreases.B . Attempts to log with weak credentials increases.C . The number of related incidents increases.D . Newly created account credentials satisfy requirements.View AnswerAnswer: D Explanation: The objective that is most appropriate...

What legal documents should be provided to the auditors in relation to risk management?A . Enterprise cloud strategy and policyB . Contracts and service level agreements (SLAs) of cloud service providersC . Policies and procedures established around third-party risk assessmentsD . Inventory of third-party attestation reportsView AnswerAnswer: B Explanation: Contracts...

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?A . Separation of production and development pipelinesB . Ensuring segregation of duties in the production and development pipelinesC . Role-based access controls in the production and development pipelinesD . Periodic...

A cloud service provider contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The provider's security operation center is not notified in advance of the scope of the audit and the test vectors....

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:A . ISO/IEC 27001 implementation.B . GB/T 22080-2008.C . SOC 2 Type 1 or 2 reports.D . GDPR CoC certification.View AnswerAnswer: A Explanation: The CSA STAR Certification is based on...