Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:

Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:
A. recognizes the shared responsibility for risk management between the customer and the CS
C. leverages SaaS threat models...

March 19, 2022

Given this discovery, what should be the most appropriate action for the auditor to perform?

While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?
A. Highlighting the gap to the audit sponsor at the sponsor’s earliest possible...

March 19, 2022

Which of the following would be considered as a factor to trust in a cloud service provider?

Which of the following would be considered as a factor to trust in a cloud service provider?
A. The level of exposure for public information
B. The level of proved technical skills
C. The level of willingness to cooperate
D. The level of open source evidence available
Answer: C

March 18, 2022

In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?
A. Cloud service customer
B. Shared responsibility
C. Cloud service provider
D. Patching on hypervisor layer is not required
Answer: A

March 17, 2022

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
A. ISO/IEC 27017:2015
B. CSA Cloud Control Matrix (CCM)
C. NIST SP 800-146
D. ISO/IEC 27002

March 17, 2022

Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization’s SaaS vendor?

Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization’s SaaS vendor?
A. Risk exceptions policy
B. Contractual requirements
C. Risk appetite
D. Board oversight
Answer: C
Explanation: Reference: https://assets.kpmg/content/dam/kpmg/ch/pdf/key-risks-internal-audit-2018.pdf

December 15, 2021

The Open Certification Framework is structured on three levels of trust. Those three levels of trust are:

The Open Certification Framework is structured on three levels of trust. Those three levels of trust are:
A. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Compliance
B. CSA STAR Audit, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
C. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party...

December 15, 2021

Supply chain agreements between CSP and cloud customers should, at minimum, include:

Supply chain agreements between CSP and cloud customers should, at minimum, include:
A. Organization chart of the CSP
B. Policies and procedures of the cloud customer
C. Audits, assessments and independent verification of compliance certifications with agreement terms
D. Regulatory guidelines impacting the cloud customer
Answer: C
Explanation: Reference: https://searchitchannel.techtarget.com/definition/cloud-service-provider-cloud-provider

December 14, 2021

In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?

In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?
A. Service Provider control
B. Impact and Risk control
C. Data Inventory control
D. Compliance control
Answer: A
Explanation: Reference: https://rmas.fad.harvard.edu/cloud-service-providers

December 14, 2021

Which report is the vendor providing you?

Your company is purchasing an application from a vendor. They do not allow you to perform an on-site audit of their information system. However, they say they will provide a third-party audit attestation on the adequacy of the control design within their environment. Which report is the vendor providing you?
A. SOC...

December 14, 2021