ISACA CCAK Certificate of Cloud Auditing Knowledge Online Training

Question #21

What do cloud service providers offer to encourage clients to extend the cloud platform?

A . Cloud console
B . Reward programs
C . Access to the cloud infrastructure
D . Application programming interfaces (APIs)

Question #22

Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:

A . client organization has a clear understanding of the provider s suppliers.
B . suppliers are accountable for the provider’s service that they are providing.
C . client organization does not need to worry about the provider’s suppliers, as this is the provider’s responsibility.
D . client organization and provider are both responsible for the provider’s suppliers.

Correct Answer: A
A

Explanation:

Regarding suppliers of a cloud service provider, it is most important for the auditor to be aware that the client organization has a clear understanding of the provider’s suppliers. This is because cloud services often involve multiple parties in the supply chain, such as cloud providers, sub-providers, brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering the cloud services and ensuring their quality, security, and compliance. Therefore, it is essential for the client organization to have visibility and assurance of the performance and compliance of the provider’s suppliers and to establish clear and transparent agreements with them regarding their roles, responsibilities, expectations, and obligations.12

An auditor should be aware of the importance of the client organization’s understanding of the provider’s suppliers because it provides a basis for assessing the risks and challenges associated with outsourcing services to a cloud provider and its supply chain. An auditor can use the client organization’s understanding of the provider’s suppliers to verify that the client organization has conducted a thorough due diligence of the provider’s suppliers and their capabilities, qualifications, certifications, and reputation. An auditor can also use the client organization’s understanding of the provider’s suppliers to evaluate whether the client organization has implemented adequate controls and processes to monitor, audit, or verify the security and compliance status of their cloud services and data across the supply chain. An auditor can also use the client organization’s understanding of the provider’s suppliers to identify any gaps or weaknesses in the client organization’s security management program and to provide recommendations for improvement.34

Reference: Practical Guide to Cloud Service Agreements Version 2.01; HIDDEN INTERDEPENDENCIES BETWEEN INFORMATION AND ORGANIZATIONAL …2; Cloud Computing: The Audit Challenge – ISACA3; Cloud Computing: Audit Considerations – AICPA4

Question #23

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization’s cloud compliance program?

A . Establishing ownership and accountability
B . Reporting emerging threats to senior stakeholders
C . Monitoring key risk indicators (KRIs) for multi-cloud environments
D . Automating risk monitoring and reporting processes

Reveal Solution Hide Solution

Question #24

Visibility to which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (laaS) deployments?

A . Source code within build scripts
B . Output from threat modeling exercises
C . Service level agreements (SLAs)
D . Results from automated testing

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

Visibility to the source code within build scripts would give an auditor the best view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments. IaaS is a cloud service model that provides virtualized computing resources, such as servers, storage, network, and operating systems, over the internet. Programmatic automation is the process of using code or scripts to automate the provisioning, configuration, management, and monitoring of the cloud infrastructure. Build scripts are files that contain commands or instructions to create or modify the cloud infrastructure according to the desired specifications.12

An auditor can use the source code within build scripts to gain insight into how the organization designs and implements its cloud infrastructure.

The source code can reveal the following information3:

The type, size, and number of cloud resources that are provisioned and deployed

The configuration settings and parameters that are applied to the cloud resources

The security controls and policies that are enforced on the cloud resources

The dependencies and relationships between the cloud resources

The testing and validation methods that are used to verify the functionality and performance of the cloud resources

The logging and auditing mechanisms that are used to track and record the changes and activities on the cloud resources

By reviewing the source code within build scripts, an auditor can evaluate whether the organization follows the best practices and standards for cloud infrastructure design and implementation, such as scalability, reliability, security, compliance, and efficiency. An auditor can also identify any gaps or risks in the organization’s cloud infrastructure and provide recommendations for improvement.

Reference: What is Infrastructure as Code? | Cloud Computing – AWS1; What is Programmatic Automation? – Definition from Techopedia2; How to audit your IaC for better DevSecOps – TechBeacon3

Question #25

The MAIN limitation of relying on traditional cloud compliance assurance approaches such as SOC2 attestations is that:

A . they can only be performed by skilled cloud audit service providers.
B . they are subject to change when the regulatory climate changes.
C . they provide a point-in-time snapshot of an organization’s compliance posture.
D . they place responsibility for demonstrating compliance on the vendor organization.

Reveal Solution Hide Solution

Question #26

An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community.

Of the following, to whom should the auditor report the findings?

A . Management of the organization being audited
B . Shareholders and interested parties
C . Cloud service provider
D . Public

Reveal Solution Hide Solution

Question #27

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

A . ISO/IEC 27017:2015
B . ISO/IEC 27002
C . NIST SP 800-146
D . Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Reveal Solution Hide Solution

Question #28

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part

of the organization’s disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually.

What should be the auditor’s NEXT course of action?

A . Review the security white paper of the provider.
B . Review the provider’s audit reports.
C . Review the contract and DR capability.
D . Plan an audit of the provider

Reveal Solution Hide Solution

Question #29

Which of the following is the BEST tool to perform cloud security control audits?

A . Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
B . General Data Protection Regulation (GDPR)
C . Federal Information Processing Standard (FIPS) 140-2
D . ISO 27001

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The CSA Cloud Controls Matrix (CCM) is the best tool to perform cloud security control audits, as it is a cybersecurity control framework for cloud computing that is aligned to the CSA best practices and is considered the de-facto standard for cloud security and privacy1. The CCM provides a set of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology, such as identity and access management, data security, encryption and key management, business continuity and disaster recovery, audit assurance and compliance, and risk management1. The CCM also maps the controls to various industry-accepted security standards, regulations, and control frameworks, such as ISO 27001/27002/27017/27018, NIST SP 800-53, PCI DSS, GDPR, and others1. The CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain1. The CCM also includes the Consensus Assessment Initiative Questionnaire (CAIQ), which provides a set of “yes or no” questions based on the security controls in the CCM that can be used to assess a cloud service provider2.

The other options are not the best tools to perform cloud security control audits, as they are either not specific to cloud computing or not comprehensive enough. GDPR is a regulation that aims to protect the personal data and privacy of individuals in the European Union and the European Economic Area3, but it does not provide a framework for cloud security controls. FIPS 140-2 is a standard that specifies the security requirements for cryptographic modules used by federal agencies in the United States, but it does not cover other aspects of cloud security. ISO 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization, but it does not provide specific guidance for cloud services.

Reference: Cloud Controls Matrix (CCM) – CSA

Cloud Controls Matrix and CAIQ v4 | CSA – Cloud Security Alliance General Data Protection Regulation – Wikipedia

[FIPS 140-2 – Wikipedia]

[ISO/IEC 27001:2013]

Question #30

When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

A . cloud user.
B . cloud service provider. 0
C . cloud customer.
D . certification authority (CA)

Reveal Solution Hide Solution