ISACA CCAK Certificate of Cloud Auditing Knowledge Online Training

Question #11

Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

A . regulatory guidelines impacting the cloud customer.
B . audits, assessments, and independent verification of compliance certifications with agreement terms.
C . the organizational chart of the provider.
D . policies and procedures of the cloud customer

Reveal Solution Hide Solution

Question #12

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

A . Cloud service providers need the CAIQ to improve quality of customer service.
B . Cloud service providers can document their security and compliance controls.
C . Cloud service providers can document roles and responsibilities for cloud security.
D . Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security

Reveal Solution Hide Solution

Question #13

An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

A . obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.
B . determine whether the organization can be considered fully compliant with the mapped standards because of the implementation of every CCM Control Specification.
C . understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards.

Reveal Solution Hide Solution

Question #14

Which of the following are the three MAIN phases of the Cloud Controls Matrix (CCM) mapping methodology?

A . Initiation ― Execution ― Monitoring and Controlling
B . Plan – Develop – Release
C . Preparation ― Execution – Peer Review and Publication

Reveal Solution Hide Solution

Question #15

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

A . Determine the impact on confidentiality, integrity, and availability of the information system.
B . Determine the impact on the physical and environmental security of the organization, excluding informational assets.
C . Determine the impact on the controls that were selected by the organization to respond to identified risks.
D . Determine the impact on the financial, operational, compliance, and reputation of the

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

When applying the Top Threats Analysis methodology following an incident, the scope of the technical impact identification step is to determine the impact on confidentiality, integrity, and availability of the information system. The Top Threats Analysis methodology is a process developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the top threats to cloud computing, as defined in the CSA Top Threats reports. The methodology consists of six steps1:

Scope definition: Define the scope of the analysis, such as the cloud service model, deployment model, and business context.

Threat identification: Identify the relevant threats from the CSA Top Threats reports that may affect the scope of the analysis.

Technical impact identification: Determine the impact on confidentiality, integrity, and availability of the information system caused by each threat. Confidentiality refers to the protection of data from unauthorized access or disclosure. Integrity refers to the protection of data from unauthorized modification or deletion. Availability refers to the protection of data and services from disruption or denial.

Business impact identification: Determine the impact on the business objectives and operations caused by each threat, such as financial loss, reputational damage, legal liability, or regulatory compliance.

Risk assessment: Assess the likelihood and severity of each threat based on the technical and business impacts, and prioritize the threats according to their risk level.

Risk treatment: Select and implement appropriate risk treatment options for each threat, such as avoidance, mitigation, transfer, or acceptance.

The technical impact identification step is important because it helps to measure the extent of damage or harm that each threat can cause to the information system and its components. This step also helps to align the technical impacts with the business impacts and to support the risk assessment and treatment steps.

Reference: CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 81

Question #16

Which of the following is an example of availability technical impact?

A . The cloud provider reports a breach of customer personal data from an unsecured server.
B . A hacker using a stolen administrator identity alters the discount percentage in the product database.
C . A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours.
D . An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack

Reveal Solution Hide Solution

Question #17

Which of the following is an example of financial business impact?

A . A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.
B . A hacker using a stolen administrator identity brings down the Software of a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
C . While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all

Reveal Solution Hide Solution

Question #18

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data.

In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

A . As an availability breach
B . As a control breach
C . As a confidentiality breach
D . As an integrity breach

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The technical impact of this incident would be categorized as an integrity breach in reference to the Top Threats Analysis methodology. The Top Threats Analysis methodology is a process developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the top threats to cloud computing, as defined in the CSA Top Threats reports. The methodology consists of six steps: scope definition, threat identification, technical impact identification, business impact identification, risk assessment, and risk treatment. Each of these provides different insights and visibility into the organization’s security posture.1

The technical impact identification step involves determining the impact on confidentiality, integrity, and availability of the information system caused by each threat. Confidentiality refers to the protection of data from unauthorized access or disclosure. Integrity refers to the protection of data from unauthorized modification or deletion. Availability refers to the protection of data and services from disruption or denial.2

An integrity breach occurs when a threat compromises the accuracy and consistency of the data or system. An integrity breach can result in data corruption, falsification, or manipulation, which can affect the reliability and trustworthiness of the data or system. An integrity breach can also have serious consequences for the business operations and decisions that depend on the data or system.3 In this case, the cybersecurity criminal was able to access an encrypted file system and overwrite parts of some files with random data. This means that the data in those files was altered without authorization and became unusable or invalid. This is a clear example of an integrity breach, as it violated the principle of ensuring that data is accurate and consistent throughout its lifecycle.4

Reference: CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 811; What is CIA Triad? Definition and Examples2; Data Integrity vs Data Security: What’s The Difference?3; Data Integrity: Definition & Examples

Question #19

Which of the following is the GREATEST risk associated with hidden interdependencies between cloud services?

A . The IT department does not clearly articulate the cloud to the organization.
B . There is a lack of visibility over the cloud service providers’ supply chain.
C . Customers do not understand cloud technologies in enough detail.
D . Cloud services are very complicated.

Reveal Solution Hide Solution

Question #20

It is MOST important for an auditor to be aware that an inventory of assets within a cloud environment:

A . should be mapped only if discovered during the audit.
B . is not fundamental for the security management program, as this is a cloud service.
C . can be a misleading source of data.
D . is fundamental for the security management program

Reveal Solution Hide Solution