Which of the following controls framework should the cloud customer use to assess the overall security risk of a cloud provider?
- A . SOC3 – Type2
- B . Cloud Control Matrix (CCM)
- C . SOC2 – Type1
- D . SOC1 – Type1
C
Explanation:
Reference: https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-22/preventing-the-next-cybersecurity-attack-with-effective-cloud-security-audits
Which of the following is the risk associated with storing data in a cloud that crosses jurisdictions?
- A . Compliance risk
- B . Provider administration risk
- C . Audit risk
- D . Virtualization risk
A
Explanation:
Reference: http://webcache.googleusercontent.com/search?q=cache:9OK2cQSAR3oJ:www.aph.gov.au/DocumentStore.ashx%3Fid%3D88403640-14b5-4c3e-8dd7-315bb5067ba4+&cd=1&hl=en&ct=clnk&gl=pk
Which of the following CSP activities requires a client’s approval?
- A . Delete the guest account or test accounts
- B . Delete the master account or subscription owner accounts
- C . Delete the guest account or destroy test data
- D . Delete the test accounts or destroy test data
Which of the following is the MOST feasible way to validate the performance of CSPs for the delivery of technology resources?
- A . Cloud compliance program
- B . Legacy IT compliance program
- C . Internal audit program
- D . Service organization controls report
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization’s DevOps pipeline?
- A . Verify the inclusion of security gates in the pipeline.
- B . Conduct an architectural assessment.
- C . Review the CI/CD pipeline audit logs.
- D . Verify separation of development and production pipelines.
C
Explanation:
Reference: https://cntemngwa.medium.com/how-to-assess-and-audit-devops-security-to-improve-business-value-10e81a2a6fd5
Which of the following is an example of integrity technical impact?
- A . The cloud provider reports a breach of customer personal data from an unsecured server.
- B . A hacker using a stolen administrator identity alerts the discount percentage in the product database.
- C . A DDoS attack renders the customer’s cloud inaccessible for 24 hours.
- D . An administrator inadvertently click on Phish bait exposing his company to a ransomware attack.
D
Explanation:
Reference: https://www.kroll.com/en/insights/publications/technology-impact-on-integrity-and-business-practices
Which of the following parties should have accountability for cloud compliance requirements?
- A . Customer
- B . Equally shared between customer and provider
- C . Provider
- D . Either customer or provider, depending on requirements
SAST testing is performed by:
- A . scanning the application source code.
- B . scanning the application interface.
- C . scanning all infrastructure components.
- D . performing manual actions to gain control of the application.
A
Explanation:
SAST analyzes application code offline. SAST is generally a rules-based test that will scan software code for items such as credentials embedded into application code and a test of input validation, both of which are major concerns for application security.
Under GDPR, an organization should report a data breach within what time frame?
- A . 72 hours
- B . 2 weeks
- C . 1 week
- D . 48 hours
A
Explanation:
Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?
- A . Cloud Service Provider encryption capabilities
- B . The presence of PII
- C . Organizational security policies
- D . Cost-benefit analysis
Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public SaaS application to ease the recruiting process?
- A . Ensure HIPAA compliance
- B . Implement a cloud access security broker
- C . Consult the legal department
- D . Do not allow data to be in cleratext
B
Explanation:
Reference: https://www.mcafee.com/enterprise/en-us/security-awareness/cloud/what-is-a-casb.html
Which of the following configuration change controls is acceptable to a cloud auditor?
- A . Development, test and production are hosted in the same network environment.
- B . Programmers have permanent access to production software.
- C . The Head of Development approves changes requested to production.
- D . Programmers cannot make uncontrolled changes to the source code production version.
What type of termination occurs at the initiative of one party, and without the fault of the other party?
- A . Termination for cause
- B . Termination for convenience
- C . Termination at the end of the term
- D . Termination without the fault
Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:
- A . recognizes the shared responsibility for risk management between the customer and the CSP.
- B . leverages SaaS threat models developed by peer organizations.
- C . is developed by an independent third-party with expertise in the organization’s industry sector.
- D . considers the loss of visibility and control from transitioning to the cloud.
To ensure that integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?
- A . Parallel testing
- B . Full application stack unit testing
- C . Regression testing
- D . Functional verification
B
Explanation:
Reference: https://www.sciencedirect.com/topics/computer-science/black-box-testing
Which of the following would be considered as a factor to trust in a cloud service provider?
- A . The level of exposure for public information
- B . The level of proved technical skills
- C . The level of willingness to cooperate
- D . The level of open source evidence available
An auditor is performing an audit on behalf of a cloud customer.
For assessing security awareness, the auditor should:
- A . assess the existence and adequacy of a security awareness training program at the cloud service provider’s organization as the cloud customer hired the auditor to review and cloud service.
- B . assess the existence and adequacy of a security awareness training program at both the cloud customer’s organization and the cloud service provider’s organization.
- C . assess the existence and adequacy of a security awareness training program at the cloud customer’s organization as they hired the auditor.
- D . not assess the security awareness training program as it is each organization’s responsibility
While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet.
Given this discovery, what should be the most appropriate action for the auditor to perform?
- A . Highlighting the gap to the audit sponsor at the sponsor’s earliest possible availability
- B . Asking the organization’s cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet
- C . Documenting the finding in the audit report and sharing the gap with the relevant stakeholders
- D . Informing the organization’s internal audit manager immediately about the gap
C
Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/issues/2020/volume-1/is-audit-basics-the-components-of-the-it-audit-report
An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community.
From the following, to whom should the auditor report the findings?
- A . Public
- B . Management of organization being audited
- C . Shareholders/interested parties
- D . Cloud service provider
Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
- A . ISO/IEC 27017:2015
- B . CSA Cloud Control Matrix (CCM)
- C . NIST SP 800-146
- D . ISO/IEC 27002
D
Explanation:
Reference: https://cyber.gc.ca/en/guidance/guidance-cloud-security-assessment-and-authorization-itsp50105
Which of the following data destruction methods is the MOST effective and efficient?
- A . Crypto-shredding
- B . Degaussing
- C . Multi-pass wipes
- D . Physical destruction
An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models .
Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?
- A . Use of an established standard/regulation to map controls and use as the audit criteria
- B . For efficiency reasons, use of its on-premises systems’ audit criteria to audit the cloud environment
- C . As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes.
- D . Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage
The Cloud Octagon Model was developed to support organizations:
- A . risk assessment methodology.
- B . risk treatment methodology.
- C . incident response methodology.
- D . incident detection methodology.
If the degree of verification for information shared with the auditor during an audit is low, the auditor should:
- A . reject the information as audit evidence.
- B . stop evaluating the requirement altogether and review other audit areas.
- C . delve deeper to obtain the required information to decide conclusively.
- D . use professional judgment to determine the degree of reliance that can be placed on the information as evidence.
Which of the following is an example of financial business impact?
- A . A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
- B . While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.
- C . A DDoS attack renders the customer’s cloud inaccessible for 24 hours resulting in millions in lost sales.
- D . The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euro.
Which of the following defines the criteria designed by the American Institute of Certified Public Accountants (AICPA) to specify trusted services?
- A . Security, confidentiality, availability, privacy and processing integrity
- B . Security, applicability, availability, privacy and processing integrity
- C . Security, confidentiality, availability, privacy and trustworthiness
- D . Security, data integrity, availability, privacy and processing integrity
A
Explanation:
Reference: https://us.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf
What aspect of SaaS functionality and operations would the cloud customer be responsible for and should be audited?
- A . Access controls
- B . Vulnerability management
- C . Source code reviews
- D . Patching
A
Explanation:
Reference: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919233
Which of the following are the three MAIN phases of the cloud controls matrix (CCM) mapping methodology?
- A . Plan –> Develop –> Release
- B . Deploy –> Monitor –> Audit
- C . Initiation –> Execution –> Monitoring and Controlling
- D . Preparation –> Execution –> Peer Review and Publication
D
Explanation:
Reference: https://docplayer.net/153476370-Methodology-for-the-mapping-of-the-cloud-controls-matrix-ccm.html (page 5)
When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?
- A . Validate if the strategy covers unavailability of all components required to operate the business-as-usual or in disrupted mode, in parts or total- when impacted by a disruption.
- B . Validate if the strategy covers all aspects of Business Continuity and Resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption.
- C . Validate if the strategy covers all activities required to continue and recover prioritized activities within identified time frames and agreed capacity, aligned to the risk appetite of the organization including the invocation of continuity plans and crisis management capabilities.
- D . Validate if the strategy is developed by both cloud service providers and cloud service consumers within the acceptable limits of their risk appetite.
With regard to the Cloud Control Matrix (CCM), the ‘Architectural Relevance’ is a feature that enables the filtering of security controls by:
- A . relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF), and the Zachman Framework for Enterprise Architecture.
- B . relevant delivery models such as Software as a Service, Platform as a Service, Infrastructure as a Service.
- C . relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.
- D . relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.
D
Explanation:
Reference: https://downloads.cloudsecurityalliance.org/initiatives/ccm/CSA_CCM_v3.0.xlsx
Which of the following contract terms is necessary to meet a company’s requirement that needs to move data from one CSP to another?
- A . Drag and Drop
- B . Lift and shift
- C . Flexibility to move
- D . Transition and data portability
D
Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/data-owners-responsibilities-when-migrating-to-the-cloud
Which plan will guide an organization on how to react to a security incident that might occur on the organization’s systems, or that might be affecting one of their service providers?
- A . Incident Response Plans
- B . Security Incident Plans
- C . Unexpected Event Plans
- D . Emergency Incident Plans
You have been assigned the implementation of an ISMS, whose scope must cover both on premise and cloud infrastructure .
Which of the following is your BEST option?
- A . Implement ISO/IEC 27002 and complement it with additional controls from the CCM.
- B . Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27017.
- C . Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27002.
- D . Implement ISO/IEC 27001 and complement it with additional controls from the NIST SP 800-145.
Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?
- A . Design
- B . Stakeholder identification
- C . Development
- D . Risk assessment
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?
- A . Blue team
- B . White box
- C . Gray box
- D . Red team
B
Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/planning-for-information-security-testinga-practical-approach
One of the Cloud Control Matrix’s (CCM’s) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.”
Which of the following controls under the Audit Assurance and Compliance domain does this match to?
- A . Audit planning
- B . Information system and regulatory mapping
- C . GDPR auditing
- D . Independent audits
What areas should be reviewed when auditing a public cloud?
- A . Patching, source code reviews, hypervisor, access controls
- B . Identity and access management, data protection
- C . Patching, configuration, hypervisor, backups
- D . Vulnerability management, cyber security reviews, patching
In all three cloud deployment models, (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?
- A . Cloud service customer
- B . Shared responsibility
- C . Cloud service provider
- D . Patching on hypervisor layer is not required
Which of the following is a corrective control that may be identified in a SaaS service provider?
- A . Log monitoring
- B . Penetration testing
- C . Incident response plans
- D . Vulnerability scan
A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel .
Which access control method will allow IT personnel to be segregated across the various locations?
- A . Role Based Access Control
- B . Attribute Based Access Control
- C . Policy Based Access Control
- D . Rule Based Access Control
In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:
- A . both operating system and application infrastructure contained within the CSP’s instances.
- B . both operating system and application infrastructure contained within the customer’s instances
- C . only application infrastructure contained within the CSP’s instances.
- D . only application infrastructure contained within the customer’s instances.
An independent contractor is assessing security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all their products using the cloud services provided by a third-party cloud service provider (CSP) .
What is the optimal and most efficient mechanism to assess the controls CSP is responsible for?
- A . Review third-party audit reports.
- B . Review CSP’s published questionnaires.
- C . Directly audit the CSP.
- D . Send supplier questionnaire to the CSP.
B
Explanation:
Reference: https://www.sapidata.sm/img/cms/CAIQ_v3-1_2020-01-13.pdf
To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:
- A . develop a cloud audit plan on the basis of a detailed risk assessment.
- B . schedule the audits and monitor the time spent on each audit.
- C . train the cloud audit staff on current technology used in the organization.
- D . monitor progress of audits and initiate cost control measures.
A
Explanation:
It delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.
After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data.
In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident?
- A . As an integrity breach
- B . As control breach
- C . As an availability breach
- D . As a confidentiality breach
The MOST critical concept of managing the build and test of code in DevOps is:
- A . continuous build.
- B . continuous delivery.
- C . continuous deployment.
- D . continuous integration.
B
Explanation:
Reference: https://smartbear.com/blog/devops-testing-strategy-best-practices-tools/