Free ISACA CCAK Practice Exams

Question #1

In the context of Infrastructure as a Service (laaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

A . both operating system and application infrastructure contained within the cloud service
provider’s instances.
B . both operating system and application infrastructure contained within the customer’s instances.
C . only application infrastructure contained within the cloud service provider’s instances.
D . only application infrastructure contained within the customer’s instance

Reveal Solution Hide Solution

Question #2

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

A . Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security brokers (CASBs).
B . Cloud service providers can document roles and responsibilities for cloud security.
C . Cloud service providers can document their security and compliance controls.
D . Cloud service providers need the CAIQ to improve quality of customer service

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ) is to help cloud service providers document their security and compliance controls. The CAIQ is a survey provided by the Cloud Security Alliance (CSA) that consists of a set of yes/no questions that correspond to the controls of the Cloud Controls Matrix (CCM), which is a cybersecurity framework for cloud computing. The CAIQ allows cloud service providers to demonstrate their security posture and compliance status to potential customers and auditors, as well as to identify any gaps or risks that need to be addressed. The CAIQ also enables cloud customers to assess the security capabilities of different cloud service providers and compare them based on their needs and requirements123.

The other options are not directly related to the question.

Option A, cloud users can use CAIQ to sign statement of work (SOW) with cloud access security brokers (CASBs), is incorrect because CAIQ is not a contract or an agreement, but a questionnaire that provides information about the security controls of a cloud service provider. A statement of work (SOW) is a document that defines the scope, deliverables, and terms of a project or service. A cloud access security broker (CASB) is a software tool or service that acts as an intermediary between cloud users and cloud service providers, providing visibility, data security, threat protection, and compliance4.

Option B, cloud service providers can document roles and responsibilities for cloud security, is incorrect because CAIQ is not designed to document roles and responsibilities, but security and compliance controls. Roles and responsibilities for cloud security are defined by the shared responsibility model, which outlines how the security tasks and obligations are divided between the cloud service provider and the cloud customer5.

Option D, cloud service providers need the CAIQ to improve quality of customer service, is incorrect because CAIQ is not a measure of customer service quality, but a measure of security control transparency. Customer service quality refers to how well a cloud service provider meets or exceeds the expectations and satisfaction of its customers6.

Reference: =

What is CASB? – Cloud Security Alliance4

What is CAIQ? | CSA – Cloud Security Alliance1

Shared Responsibility Model – Cloud Security Alliance5

What is CAIQ? – Panorays2

What is the Consensus Assessments Initiative Questionnaire (CAIQ …3 What Is Customer Service Quality? – Salesforce.com

Question #3

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization’s disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually.

What should be the auditor’s NEXT course of action?

A . Review the security white paper of the provider.
B . Review the provider’s audit reports.
C . Review the contract and DR capability.
D . Plan an audit of the provider

Reveal Solution Hide Solution

Question #4

When mapping controls to architectural implementations, requirements define:

A . control objectives.
B . control activities.
C . guidelines.
D . policies.

Reveal Solution Hide Solution

Question #5

The MOST critical concept for managing the building and testing of code in DevOps is:

A . continuous build.
B . continuous delivery.
C . continuous integration.
D . continuous deployment.

Reveal Solution Hide Solution

Question #6

Which of the following is a category of trust in cloud computing?

A . Loyalty-based trust
B . Background-based trust
C . Reputation-based trust
D . Transparency-based trust

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Reputation-based trust is a category of trust in cloud computing that relies on the feedback, ratings, reviews, or recommendations of other users or third parties who have used or evaluated the cloud service provider or the cloud service. Reputation-based trust reflects the collective opinion and experience of the cloud community regarding the quality, reliability, security, and performance of the cloud service provider or the cloud service. Reputation-based trust can help potential customers to make informed decisions about choosing a cloud service provider or a cloud service based on the reputation score or ranking of the provider or the service. Reputation-based trust can also motivate cloud service providers to improve their services and maintain their reputation by meeting or exceeding customer expectations.

Reputation-based trust is one of the most common and widely used forms of trust in cloud computing, as it is easy to access and understand.

However, reputation-based trust also has some limitations and challenges, such as:

The accuracy and validity of the reputation data may depend on the source, method, and frequency of data collection and aggregation. For example, some reputation data may be outdated, incomplete, biased, manipulated, or falsified by malicious actors or competitors.

The interpretation and comparison of the reputation data may vary depending on the context, criteria, and preferences of the customers. For example, some customers may value different aspects of the cloud service more than others, such as security, availability, cost, or functionality.

The trustworthiness and accountability of the reputation system itself may be questionable. For example, some reputation systems may lack transparency, consistency, or standardization in their design, implementation, or operation.

Therefore, reputation-based trust should not be the only factor for trusting a cloud service provider or a cloud service. Customers should also consider other forms of trust in cloud computing, such as evidence-based trust, policy-based trust, or certification-based trust

Question #7

To promote the adoption of secure cloud services across the federal government by

A . To providing a standardized approach to security and risk assessment
B . To provide agencies of the federal government a dedicated tool to certify Authority to Operate (ATO)
C . To enable 3PAOs to perform independent security assessments of cloud service providers
D . To publish a comprehensive and official framework for the secure implementation of controls for cloud security

Reveal Solution Hide Solution

Question #8

An auditor examining a cloud service provider’s service level agreement (SLA) should be MOST concerned about whether:

A . the agreement includes any operational matters that are material to the service operations.
B . the agreement excludes any sourcing and financial matters that are material in meeting the service level agreement (SLA).
C . the agreement includes any service availability matters that are material to the service operations.
D . the agreement excludes any operational matters that are material to the service operations

Reveal Solution Hide Solution

Question #9

The control domain feature within a Cloud Controls Matrix (CCM) represents:

A . CCM’s ability to scan and check Active Directory, LDAP, and x.500 directories for suspicious and/or privileged user accounts.
B . a logical grouping of security controls addressing the same category of IT risks or information security concerns.
C . a set of application programming interfaces (APIs) that allows a cloud consumer to restrict the replication area within a well-defined jurisdictional perimeter.
D . CCM’s ability to scan for anomalies in DNS zones in order to detect DNS spoofing, DNS hijacking, DNS cache poisoning, and similar threats.

Reveal Solution Hide Solution

Question #10

An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud.

Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?

A . Filter out only those controls directly influenced by contractual agreements.
B . Leverage this feature to enable the adoption of the Shared Responsibility Model.
C . Filter out only those controls having a direct impact on current terms of service (TOS) and
service level agreement (SLA).
D . Leverage this feature to enable a smarter selection of the next cloud provider.

Reveal Solution Hide Solution