Free ISACA CCAK Practice Exams - Page 5 of 10

Question #41

The FINAL decision to include a material finding in a cloud audit report should be made by the:

A . auditee’s senior management.
B . organization’s chief executive officer (CEO).
C . cloud auditor.
D . organization’s chief information security officer (CISO)

Reveal Solution Hide Solution

Question #42

The BEST way to deliver continuous compliance in a cloud environment is to:

A . combine point-in-time assurance approaches with continuous monitoring.
B . increase the frequency of external audits from annual to quarterly.
C . combine point-in-time assurance approaches with continuous auditing.
D . decrease the interval between attestations of compliance

Reveal Solution Hide Solution

Question #43

A cloud auditor observed that just before a new software went live, the librarian transferred production data to the test environment to confirm the new software can work in the production environment.

What additional control should the cloud auditor check?

A . Approval of the change by the change advisory board
B . Explicit documented approval from all customers whose data is affected
C . Training for the librarian
D . Verification that the hardware of the test and production environments are compatible

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The cloud auditor should check if there is explicit documented approval from all customers whose data is affected by the transfer of production data to the test environment. This is because production data may contain sensitive or personal information that is subject to privacy and security regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Therefore, using production data for testing purposes without the consent of the data owners may violate their rights and expose the organization to legal and reputational risks. This is also stated in the Cloud Controls Matrix (CCM) control DSI-04: Production / Non-Production Environments12, which is part of the Data Security & Information Lifecycle Management domain. The CCM is a cybersecurity control framework for cloud computing that can be used by cloud customers to build an operational cloud risk management program.

The other options are not directly related to the question.

Option A, approval of the change by the change advisory board, refers to the process of reviewing and authorizing changes to the system or software before they are implemented in the production environment. This is a good practice for ensuring the quality and reliability of the system or software, but it does not address the issue of using production data for testing purposes.

Option C, training for the librarian, refers to the process of providing adequate education and awareness to the staff who are responsible for managing and transferring data between different environments. This is a good practice for ensuring the competence and accountability of the staff, but it does not address the issue of obtaining consent from the data owners.

Option D, verification that the hardware of the test and production environments are compatible, refers to the process of ensuring that the system or software can run smoothly and consistently on both environments. This is a good practice for ensuring the performance and functionality of the system or software, but it does not address the issue of protecting the privacy and security of the production data.

Reference: =

Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 6: Cloud Security Controls

Cloud Controls Matrix (CCM) – CSA3

DSI-04: Production / Non-Production Environments – CSF Tools – Identity Digital1

DSI: Data Security & Information Lifecycle Management – CSF Tools – Identity Digital

Question #44

Which plan guides an organization on how to react to a security incident that might occur on the organization’s systems, or that might be affecting one of its service providers?

A . Incident response plan
B . Security incident plan
C . Unexpected event plan
D . Emergency incident plan

Reveal Solution Hide Solution

Question #45

organization should document the compliance responsibilities and ownership of accountability in a RACI chart or its informational equivalents in order to:

A . provide a holistic and seamless view of the cloud service provider’s responsibility for compliance with prevailing laws and regulations.
B . provide a holistic and seamless view of the enterprise’s responsibility for compliance with prevailing laws and regulations.
C . conform to the organization’s governance model.
D . define the cloud compliance requirements and how they interplay with the organization’s business strategy, goals, and other compliance requirements.

Reveal Solution Hide Solution

Question #46

The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:

A . facilitate an effective relationship between the cloud service provider and cloud client.
B . enable the cloud service provider to prioritize resources to meet its own requirements.
C . provide global, accredited, and trusted certification of the cloud service provider.
D . ensure understanding of true risk and perceived risk by the cloud service users

Reveal Solution Hide Solution

Question #47

Under GDPR, an organization should report a data breach within what time frame?

A . 48 hours
B . 72 hours
C . 1 week
D . 2 weeks

Reveal Solution Hide Solution

Question #48

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework.

Which of the following is the FIRST step to this change?

A . Discard all work done and start implementing NIST 800-53 from scratch.
B . Recommend no change, since the scope of ISO/IEC 27002 is broader.
C . Recommend no change, since NIST 800-53 is a US-scoped control framework.
D . Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

Reveal Solution Hide Solution

Question #49

In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:

A . treated as confidential information and withheld from all sub cloud service providers.
B . treated as sensitive information and withheld from certain sub cloud service providers.
C . passed to the sub cloud service providers.
D . passed to the sub cloud service providers based on the sub cloud service providers’ geographic location.

Reveal Solution Hide Solution

Question #50

What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?

A . Access controls
B . Vulnerability management
C . Patching
D . Source code reviews

Reveal Solution Hide Solution