What areas should be reviewed when auditing a public cloud?
A. Patching, source code reviews, hypervisor, access controls
B. Identity and access management, data protection
C. Patching, configuration, hypervisor, backups
D. Vulnerability management, cyber security reviews, patching
Answer: B

Which of the following is an example of financial business impact?
A. A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
B. While the breach was reported in a timely manner to...

Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public SaaS application to ease the recruiting process?
A. Ensure HIPAA compliance
B. Implement a cloud access security broker
C. Consult the legal department
D. Do not allow data to be...

SAST testing is performed by:
A. scanning the application source code.
B. scanning the application interface.
C. scanning all infrastructure components.
D. performing manual actions to gain control of the application.
Answer: A
Explanation: SAST analyzes application code offline. SAST is generally a rules-based test that will scan software code...

Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:
A. recognizes the shared responsibility for risk management between the customer and the CSC . leverages SaaS threat models...

While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?
A. Highlighting the gap to the audit sponsor at the sponsor’s earliest possible...

Which of the following would be considered as a factor to trust in a cloud service provider?
A. The level of exposure for public information
B. The level of proved technical skills
C. The level of willingness to cooperate
D. The level of open source evidence available
Answer: C

In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?
A. Cloud service customer
B. Shared responsibility
C. Cloud service provider
D. Patching on hypervisor layer is not required
Answer: A

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
A. ISO/IEC 27017:2015
B. CSA Cloud Control Matrix (CCM)
C. NIST SP 800-146
D. ISO/IEC 27002

Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization’s SaaS vendor?
A. Risk exceptions policy
B. Contractual requirements
C. Risk appetite
D. Board oversight
Answer: C
Explanation: Reference: https://assets.kpmg/content/dam/kpmg/ch/pdf/key-risks-internal-audit-2018.pdf