Free ISACA CCAK Practice Exams - Page 3 of 10

Question #21

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

A . Development of the monitoring goals and requirements
B . Identification of processes, functions, and systems
C . Identification of roles and responsibilities
D . Identification of the relevant laws, regulations, and standards

Reveal Solution Hide Solution

Question #22

What type of termination occurs at the initiative of one party and without the fault of the other party?

A . Termination without the fault
B . Termination at the end of the term
C . Termination for cause
D . Termination for convenience

Reveal Solution Hide Solution

Question #23

Which of the following is the BEST control framework for a European manufacturing corporation that is migrating to the cloud?

A . CSA’sGDPRCoC
B . EUGDPR
C . NIST SP 800-53
D . PCI-DSS

Reveal Solution Hide Solution

Question #24

The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:

A . facilitate an effective relationship between the cloud service provider and cloud client.
B . ensure understanding of true risk and perceived risk by the cloud service users.
C . provide global, accredited, and trusted certification of the cloud service provider.
D . enable the cloud service provider to prioritize resources to meet its own requirements.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

According to the CSA website, the primary purpose of the Open Certification Framework (OCF) for the CSA STAR program is to provide global, accredited, trusted certification of cloud providers1 The OCF is an industry initiative to allow global, trusted independent evaluation of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification and/or attestation according to the Cloud Security Alliance’s industry leading security guidance and control framework2 The OCF aims to address the gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services, such as the lack of simple, cost effective ways to evaluate and compare providers’ resilience, data protection, privacy, and service portability2 The OCF also aims to promote industry transparency and reduce complexity and costs for both providers and customers3

The other options are not correct because:

Option A is not correct because facilitating an effective relationship between the cloud service provider and cloud client is not the primary purpose of the OCF for the CSA STAR program, but rather a potential benefit or outcome of it. The OCF can help facilitate an effective relationship between the provider and the client by providing a common language and framework for assessing and communicating the security and compliance posture of the provider, as well as enabling trust and confidence in the provider’s capabilities and performance. However, this is not the main goal or objective of the OCF, but rather a means to achieve it.

Option B is not correct because ensuring understanding of true risk and perceived risk by the cloud service users is not the primary purpose of the OCF for the CSA STAR program, but rather a possible implication or consequence of it. The OCF can help ensure understanding of true risk and perceived risk by the cloud service users by providing objective and verifiable information and evidence about the provider’s security and compliance level, as well as allowing comparison and benchmarking with other providers in the market. However, this is not the main aim or intention of the OCF, but rather a result or effect of it.

Option D is not correct because enabling the cloud service provider to prioritize resources to meet its own requirements is not the primary purpose of the OCF for the CSA STAR program, but rather a potential advantage or opportunity for it. The OCF can enable the cloud service provider to prioritize resources to meet its own requirements by providing a flexible, incremental and multi-layered approach to certification and/or attestation that allows the provider to choose the level of assurance that suits their business needs and goals. However, this is not the main reason or motivation for the OCF, but rather a benefit or option for it.

Reference: 1: Open Certification Framework Working Group | CSA 2: Open Certification Framework |

CSA – Cloud Security Alliance 3: Why your cloud services need the CSA STAR Registry listing

Question #25

The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

A . National Institute of Standards and Technology (NIST)
B . National Cybersecurity Agency of France (ANSSI) / Agency national de la securite des systems information (ANSSI)
C . Federal Office for Information Security in Germany (BSI) / Bundesamt fur Sicherheit in der Informationstechnik (BSI)
D . National Security Agency (NSA)

Reveal Solution Hide Solution

Question #26

From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?

A . Process of security integration using automation in software development
B . Operational framework that promotes software consistency through automation
C . Development standards for addressing integration, testing, and deployment issues
D . Making software development simpler, faster, and easier using automation

Reveal Solution Hide Solution

Question #27

Which of the following cloud service provider activities MUST obtain a client’s approval?

A . Destroying test data
B . Deleting subscription owner accounts
C . Deleting test accounts
D . Deleting guest accounts

Reveal Solution Hide Solution

Question #28

To ensure integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?

A . Parallel testing
B . Full application stack unit testing
C . Functional verification
D . Regression testing

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Regression testing is a type of software testing that confirms that a recent program or code change has not adversely affected existing features1 It involves re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change2 Regression testing is suitable for large code sets in environments where time to completion is critical, as it can help detect and prevent defects, improve quality, and enable faster delivery of secure software. Regression testing can be automated to reduce manual errors, speed up feedback loops, and increase efficiency and reliability3

The other options are not correct because:

Option A is not correct because parallel testing is a type of software testing that involves testing multiple applications or subsystems concurrently to reduce the test time4 Parallel testing does not necessarily ensure the integration of security testing, as it depends on the quality and coverage of the test cases and scenarios used for each application or subsystem. Parallel testing may also introduce challenges such as synchronization, coordination, and communication among the testers and developers5

Option B is not correct because full application stack unit testing is a type of software testing that involves testing individual units or components of an application in isolation to verify their functionality, logic, interfaces, and performance6 Full application stack unit testing does not ensure the integration of security testing, as it does not consider the interactions and dependencies among the units or components, or the behavior of the application as a whole. Unit testing is typically performed by developers at an early stage of the software development life cycle, and may not cover all the security aspects or requirements of the application7

Option C is not correct because functional verification is a type of software testing that involves verifying that the software meets the specified requirements and satisfies the user needs. Functional verification does not ensure the integration of security testing, as it does not focus on how the software is designed or configured, or how it handles malicious or unexpected inputs. Functional verification is typically performed by quality assurance teams at a later stage of the software development life cycle, and may not detect all the security vulnerabilities or risks of the software.

Reference: 1: Wikipedia. Regression testing – Wikipedia. [Online]. Available: 3. [Accessed: 14-Apr-2023]. 2: Katalon.

What is Regression Testing? Definition, Tools, Examples – Katalon.

[Online]. Available: 4. [Accessed: 14-Apr-2023]. 3: BMC Software. Shift Left Testing: What, Why &

How To Shift Left C BMC Software | Blogs. [Online]. Available: 3. [Accessed: 14-Apr-2023]. 4: Guru99.

What is Parallel Testing? with Example – Guru99. [Online]. Available:. [Accessed: 14-Apr-2023]. 5:

LambdaTest. Parallel Testing In Selenium WebDriver | LambdaTest Blog. [Online]. Available:

. [Accessed: 14-Apr-2023]. 6: Guru99.

What is Unit Testing? Types & Examples – Guru99. [Online].

Available:. [Accessed: 14-Apr-2023]. 7: Software Testing Help. Unit Testing Vs Integration Testing:

Difference Between These Two – SoftwareTestingHelp.com Blog. [Online]. Available:. [Accessed: 14-

Apr-2023]. : Guru99.

What is Functional Testing? Types & Examples – Guru99. [Online]. Available: .

[Accessed: 14-Apr-2023]. : Software Testing Help. Functional Testing Vs Non-Functional Testing –

SoftwareTestingHelp.com Blog. [Online]. Available:. [Accessed: 14-Apr-2023].

Question #29

With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:

A . relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF). and the Zachman Framework for Enterprise Architecture.
B . relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.
C . relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.
D . relevant delivery models such as Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (laaS).

Reveal Solution Hide Solution

Question #30

To BEST prevent a data breach from happening, cryptographic keys should be:

A . distributed in public-facing repositories.
B . embedded in source code.
C . rotated regularly.
D . transmitted in clear text.

Reveal Solution Hide Solution