Free ISACA CCAK Practice Exams - Page 4 of 10

Question #31

Which of the following would be the MOST critical finding of an application security and DevOps audit?

A . Certifications with global security standards specific to cloud are not reviewed, and the impact of noted findings are not assessed.
B . Application architecture and configurations did not consider security measures.
C . Outsourced cloud service interruption, breach, or loss of stored data occurred at the cloud service
provider.
D . The organization is not using a unified framework to integrate cloud compliance with regulatory requirements

Correct Answer: B
B

Explanation:

According to the web search results, the most critical finding of an application security and DevOps audit would be that the application architecture and configurations did not consider security measures. This finding indicates a serious lack of security by design and security by default principles, which are essential for ensuring the confidentiality, integrity, and availability of the application and its data. If the application architecture and configurations are not secure, they could expose the application to various threats and vulnerabilities, such as unauthorized access, data breaches, denial-of-service attacks, injection attacks, cross-site scripting attacks, and others. This finding could also result in non-compliance with relevant security standards and regulations, such as ISO 27001, PCI DSS, GDPR, and others. Therefore, this finding should be addressed with high priority and urgency by implementing appropriate security measures and controls in the application architecture and configurations.

The other options are not as critical as option

B.

Option A is a moderate finding that indicates a lack

of awareness and assessment of the global security standards specific to cloud, such as ISO 27017,

ISO 27018, CSA CCM, NIST SP 800-53, and others. This finding could affect the security and

compliance of the cloud services used by the application, but it does not directly impact the

application itself.

Option C is a severe finding that indicates a major incident that occurred at the

cloud service provider level, such as a service interruption, breach, or loss of stored data. This finding

could affect the availability, confidentiality, and integrity of the application and its data, but it is not

caused by the application itself.

Option D is a minor finding that indicates a lack of efficiency and

consistency in integrating cloud compliance with regulatory requirements. This finding could affect

the compliance posture of the application and its data, but it does not directly impact the security or

functionality of the application.

Reference: [Application Security Best Practices – OWASP]

[DevSecOps: What It Is and How to Get Started – ISACA]

[Cloud Security Standards: What to Expect & What to Negotiate – CSA] [Cloud Computing Security Audit – ISACA] [Cloud Computing Incident Response – ISACA]

[Cloud Compliance: A Framework for Using Cloud Services While Maintaining Compliance – ISACA]

Question #32

Which of the following is the MOST relevant question in the cloud compliance program design phase?

A . Who owns the cloud services strategy?
B . Who owns the cloud strategy?
C . Who owns the cloud governance strategy?
D . Who owns the cloud portfolio strategy?

Reveal Solution Hide Solution

Question #33

Organizations maintain mappings between the different control frameworks they adopt to:

A . help identify controls with common assessment status.
B . avoid duplication of work when assessing compliance,
C . help identify controls with different assessment status.
D . start a compliance assessment using the latest assessment.

Reveal Solution Hide Solution

Question #34

The MAIN difference between the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ) is that:

A . CCM assesses the presence of controls, whereas CAIQ assesses the overall security of a service.
B . CCM has 14 domains, whereas CAIQ has 16 domains.
C . CCM provides a controls framework, whereas CAIQ provides industry-accepted ways to document which security controls exist in Infrastructure as a Service (laaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings.
D . CCM has a set of security questions, whereas CAIQ has a set of security controls.

Reveal Solution Hide Solution

Question #35

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

A . Ensuring segregation of duties in the production and development pipelines
B . Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations
C . Role-based access controls in the production and development pipelines
D . Separation of production and development pipelines

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Role-based access control (RBAC) is a method of restricting access to resources based on the roles of individual users within an organization1 RBAC can help ensure adequate restriction on the number of people who can access the pipeline production environment, as it can limit the permissions and actions that each user can perform on the pipeline resources, such as code, secrets, environments, etc. RBAC can also help enforce the principle of least privilege, which states that users should only have the minimum level of access required to perform their tasks2

The other options are not correct because:

Option A is not correct because ensuring segregation of duties in the production and development pipelines is not sufficient to ensure adequate restriction on the number of people who can access the pipeline production environment. Segregation of duties is a practice that aims to prevent fraud, errors, or conflicts of interest by dividing responsibilities among different people or teams3 However, segregation of duties does not necessarily limit the number of people who can access the pipeline resources, as it depends on how the roles and permissions are defined and assigned. Segregation of duties is also more relevant for preventing unauthorized changes or deployments to the production environment, rather than restricting access to it4

Option B is not correct because periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations is not a proactive measure to ensure adequate restriction on the number of people who can access the pipeline production environment. Audit logs are records of events or activities that occur within a system or process5 Audit logs can help monitor and detect any unauthorized or suspicious access to the pipeline resources, but they cannot prevent or restrict such access in the first place. Audit logs are also dependent on the frequency and quality of the review process, which may not be timely or effective enough to mitigate the risks of access violations6

Option D is not correct because separation of production and development pipelines is not a direct way to ensure adequate restriction on the number of people who can access the pipeline production environment. Separation of production and development pipelines is a practice that aims to isolate and protect the production environment from any potential errors, bugs, or vulnerabilities that may arise from the development process. However, separation of pipelines does not automatically imply restriction of access, as it depends on how the roles and permissions are configured for each pipeline. Separation of pipelines may also introduce challenges such as synchronization, coordination, and communication among the pipeline teams and stakeholders.

Reference: 1: Wikipedia. Role-based access control – Wikipedia. [Online]. Available: 1. [Accessed: 14-Apr-2023]. 2: Microsoft Learn. Set pipeline permissions – Azure Pipelines | Microsoft Learn.

[Online]. Available: 1. [Accessed: 14-Apr-2023]. 3: Investopedia. Segregation Of Duties Definition -Investopedia.com Blog. [Online]. Available:. [Accessed: 14-Apr-2023]. 4: Cider Security. Insufficient PBAC (Pipeline-Based Access Controls) – Cider Security Blog. [Online]. Available:. [Accessed: 14-Apr-2023]. 5: Wikipedia. Audit trail – Wikipedia. [Online]. Available:. [Accessed: 14-Apr-2023]. 6: Microsoft Learn. Securing Azure Pipelines – Azure Pipelines | Microsoft Learn. [Online]. Available: .

[Accessed: 14-Apr-2023]. : AWS DevOps Blog.

How to implement CI/CD with AWS CodePipeline –

AWS DevOps Blog | Amazon Web Services Blog. [Online]. Available:. [Accessed: 14-Apr-2023]. :

LambdaTest.

What Is Parallel Testing? with Example – LambdaTest Blog. [Online]. Available: .

[Accessed: 14-Apr-2023].

Question #36

Which of the following is MOST important to consider when an organization is building a compliance program for the cloud?

A . The similarity of the cloud to the on-premise environment in terms of compliance
B . The fairly static nature of the service portfolio and architecture of the cloud
C . The rapidly changing service portfolio and architecture of the cloud
D . That cloud providers should not be part of the compliance program

Reveal Solution Hide Solution

Question #37

Which of the following is an example of availability technical impact?

A . A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours.
B . The cloud provider reports a breach of customer personal data from an unsecured server.
C . An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.
D . A hacker using a stolen administrator identity alters the discount percentage in the product database

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

An example of availability technical impact is a distributed denial of service (DDoS) attack that renders the customer’s cloud inaccessible for 24 hours. Availability technical impact refers to the effect of a cloud security incident on the protection of data and services from disruption or denial. Availability is one of the three security properties of an information system, along with confidentiality and integrity.

Option A is an example of availability technical impact because it shows how a DDoS attack, which is a type of cyberattack that overwhelms a system or network with malicious traffic and prevents legitimate users from accessing it, can cause a severe and prolonged disruption of the customer’s cloud services.

Option A also implies that the customer’s organization depends on the availability of its cloud services for its core business operations.

The other options are not examples of availability technical impact.

Option B is an example of confidentiality technical impact, which refers to the effect of a cloud security incident on the protection of data from unauthorized access or disclosure.

Option B shows how a breach of customer personal data from an unsecured server, which is a type of data leakage or exposure attack that exploits the lack of proper security controls on a system or network, can cause a violation of the privacy and security of the customer’s data.

Option C is an example of integrity technical impact, which refers to the effect of a cloud security incident on the protection of data from unauthorized modification or deletion.

Option C shows how an administrator inadvertently clicking on phish bait, which is a type of social engineering or phishing attack that tricks a user into clicking on a malicious link or attachment, can expose the company to a ransomware attack, which is a type of malware or encryption attack that locks or encrypts the data and demands a ransom for its release.

Option D is also an example of integrity technical impact, as it shows how a hacker using a stolen administrator identity, which is a type of identity theft or impersonation attack that exploits the credentials or privileges of a legitimate user to access or manipulate a system or network, can alter the discount percentage in the product database, which is a type of data tampering or corruption attack that affects the accuracy and reliability of the data.

Reference: =

OWASP Risk Rating Methodology | OWASP Foundation1

OEE Factors: Availability, Performance, and Quality | OEE2

The Effects of Technological Developments on Work and Their …

Question #38

An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

A . obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.
B . determine whether the organization can be considered fully compliant with the mapped standards because of the implementation of every CCM Control Specification.
C . understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards.

Reveal Solution Hide Solution

Question #39

Which of the following is a direct benefit of mapping the Cloud Controls Matrix (CCM) to other international standards and regulations?

A . CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.
B . CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.
C . CCM mapping entitles cloud service providers to be certified under the CSA STAR program.
D . CCM mapping enables an uninterrupted data flow and in particular the export of personal data across different jurisdictions.

Reveal Solution Hide Solution

Question #40

To ensure that compliance obligations for data residency in the cloud are aligned with an organization’s risk appetite, which of the following activities is MOST important to perform?

A . Manage compliance obligations through a structured risk management process.
B . Communicate the organization’s risk appetite across cloud service providers.
C . Perform a cloud vendor assessment every time there is a change to data flows.
D . Develop risk metrics to show how the organization is meeting the obligations.

Reveal Solution Hide Solution