CCAK exam

Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:A . client organization has a clear understanding of the provider s suppliers.B . suppliers are accountable for the provider's service that they are providing.C . client organization does not need to...

Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?A . Nondisclosure agreements (NDAs)B . Independent auditor reportC . First-party auditD . Industry certificationsView AnswerAnswer: B Explanation: An independent auditor report is a...

What is a sign that an organization has adopted a shift-left concept of code release cycles?A . Large entities with slower release cadences and geographically dispersed systemsB . A waterfall model to move resources through the development to release phasesC . Maturity of start-up entities with high-iteration to low-volume code...

After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident...

When establishing cloud governance, an organization should FIRST test by migrating:A . legacy applications to the cloud.B . a few applications to the cloud.C . all applications at once to the cloud.D . complex applications to the cloudView AnswerAnswer: B Explanation: When establishing cloud governance, an organization should first test...

Visibility to which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (laaS) deployments?A . Source code within build scriptsB . Output from threat modeling exercisesC . Service level agreements (SLAs)D . Results...

Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?A . Impact analysisB . LikelihoodC . MitigationD . Residual riskView AnswerAnswer: A Explanation: According to the web search results, impact analysis is the aspect of risk management that involves identifying...

Which of the following is a category of trust in cloud computing?A . Loyalty-based trustB . Background-based trustC . Reputation-based trustD . Transparency-based trustView AnswerAnswer: C Explanation: Reputation-based trust is a category of trust in cloud computing that relies on the feedback, ratings, reviews, or recommendations of other users or...

What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?A . DAST is slower but thorough.B . Unlike SAST, DAST is a black box and programming language agnostic.C . DAST can dynamically integrate with most continuous integration and continuous delivery (CI/CD) tools.D...

In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?A . Database backup and replication guidelinesB . System backup documentationC . Incident management documentationD . Operational manualsView AnswerAnswer: A Explanation: Database backup and replication guidelines are essential for ensuring the...