Which of the following controls frameworks should the cloud customer use to assess the overall security risk of a cloud provider?
A. SOC3 - Type 2
B. Cloud Control Matrix (CCM)
C. SOC2 - Type 1
D. SOC1 - Type 1
Answer: C
Explanation: Reference: https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-22/preventing-the-next-cybersecurity-attack-with-effective-cloud-security-audits
Which of the following parties should have accountability for cloud compliance requirements?
A. Customer
B. Equally shared between customer and provider
C. Provider
D. Either customer or provider, depending on requirements
Answer: B
The MOST critical concept of managing the build and test of code in DevOps is:
A. continuous build.
B. continuous delivery.
C. continuous deployment.
D. continuous integration.
Answer: B
Explanation: Reference: https://smartbear.com/blog/devops-testing-strategy-best-practices-tools/
What areas should be reviewed when auditing a public cloud?
A. Patching, source code reviews, hypervisor, access controls
B. Identity and access management, data protection
C. Patching, configuration, hypervisor, backups
D. Vulnerability management, cyber security reviews, patching
Answer: B
Which of the following is an example of financial business impact?
A. A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
B. While the breach was reported in a timely manner to...
Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public SaaS application to ease the recruiting process?
A. Ensure HIPAA compliance
B. Implement a cloud access security broker
C. Consult the legal department
D. Do not allow data to be...
SAST testing is performed by:
A. scanning the application source code.
B. scanning the application interface.
C. scanning all infrastructure components.
D. performing manual actions to gain control of the application.
Answer: A
Explanation: SAST analyzes application code offline. SAST is generally a rules-based test that will scan software code...
Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization’s architecture? The threat model:
A. recognizes the shared responsibility for risk management between the customer and the CS
C. leverages SaaS threat models...
While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?
A. Highlighting the gap to the audit sponsor at the sponsor’s earliest possible...
Which of the following would be considered a factor in trusting a cloud service provider?
A. The level of exposure for public information
B. The level of proven technical skills
C. The level of willingness to cooperate
D. The level of open source evidence available
Answer: C