An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. Which of the following can BEST help to gain the required information?
A. ISAE 3402 report
B. ISO/IEC 27001 certification
C. SOC 1 Type 1 report
D. SOC 2 Type 2...
When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:
A. cloud user.
B. cloud service provider.
C. cloud customer.
D. certification authority (CA).
Answer: C
Explanation: According to the ISACA...
Which of the following is an example of availability technical impact?
A. The cloud provider reports a breach of customer personal data from an unsecured server.
B. A hacker using a stolen administrator identity alters the discount percentage in the product database.
C. A distributed denial of service (DDoS) attack...
During the planning phase of a cloud audit, the PRIMARY goal of a cloud auditor is to:
A. specify appropriate tests.
B. address audit objectives.
C. minimize audit resources.
D. collect sufficient evidence.
Answer: B
Explanation: According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the primary goal of...
Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:
A. are the asset with private IP addresses.
B. are generally the most exposed part.
C. could be poorly designed.
D. act as a very effective backdoor.
Answer: B
Explanation: APIs are likely to be...
Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?
A. Location of data
B. Amount of server storage
C. Access controls
D. Type of network technology
Answer: C
Explanation: Access controls are an assurance requirement when an...
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:
A. obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.
B. determine whether the organization can be considered fully compliant with the mapped...
Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:
A. client organization has a clear understanding of the provider's suppliers.
B. suppliers are accountable for the provider's service that they are providing.
C. client organization does not need to...
Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?
A. Nondisclosure agreements (NDAs)
B. Independent auditor report
C. First-party audit
D. Industry certifications
Answer: B
Explanation: An independent auditor report is a...
What is a sign that an organization has adopted a shift-left concept of code release cycles?
A. Large entities with slower release cadences and geographically dispersed systems
B. A waterfall model to move resources through the development to release phases
C. Maturity of start-up entities with high-iteration to low-volume code...