Free ISACA CCAK Practice Exams - Page 6 of 10

Question #51

Which of the following is the BEST tool to perform cloud security control audits?

A . General Data Protection Regulation (GDPR)
B . Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
C . Federal Information Processing Standard (FIPS) 140-2
D . ISO 27001

Correct Answer: B
B

Explanation:

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is the best tool to perform cloud security control audits, as it is a comprehensive framework that provides organizations with a detailed understanding of security concepts and principles that are aligned to the cloud model. The CCM covers 16 domains of cloud security, such as data security, identity and access management, encryption and key management, incident response, and audit assurance and compliance. The CCM also maps to other standards, such as ISO 27001, NIST SP 800-53, PCI DSS, COBIT, and GDPR, to facilitate compliance and assurance activities1.

The General Data Protection Regulation (GDPR) is not a tool, but rather a regulation that aims to protect the personal data and privacy of individuals in the European Union (EU) and the European Economic Area (EEA). The GDPR imposes strict requirements on organizations that process personal data of individuals in these regions, such as obtaining consent, ensuring data security, reporting breaches, and respecting data subject rights. The GDPR is relevant for cloud security audits, but it is not a comprehensive framework that covers all aspects of cloud security2.

The Federal Information Processing Standard (FIPS) 140-2 is not a tool, but rather a standard that specifies the security requirements for cryptographic modules used by federal agencies and other organizations. The FIPS 140-2 defines four levels of security, from Level 1 (lowest) to Level 4 (highest), based on the design and implementation of the cryptographic module. The FIPS 140-2 is important for cloud security audits, especially for organizations that handle sensitive or classified information, but it is not a comprehensive framework that covers all aspects of cloud security3. ISO 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). An ISMS is a systematic approach to managing information security risks and ensuring the confidentiality, integrity and availability of information assets. ISO 27001 is relevant for cloud security audits, as it provides a framework for assessing and improving the security posture of an organization. However, ISO 27001 does not provide specific guidance or controls for cloud services, which is why ISO 27017:2015 was developed as an extension to ISO 27001 for cloud services4.

Reference: = Cloud Controls Matrix | Cloud Security Alliance

General Data Protection Regulation – Wikipedia

FIPS PUB 140-2 – NIST

ISO/IEC 27001:2013(en), Information technology ? Security techniques …

Question #52

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

A . Separation of production and development pipelines
B . Ensuring segregation of duties in the production and development pipelines
C . Role-based access controls in the production and development pipelines
D . Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Role-based access controls (RBAC) are a method of restricting access to resources based on the roles of individual users within an organization. RBAC allows administrators to assign permissions to roles, rather than to specific users, and then assign users to those roles. This simplifies the management of access rights and reduces the risk of unauthorized or excessive access. RBAC is especially important for ensuring adequate restriction on the number of people who can access the pipeline production environment, which is the final stage of the continuous integration and continuous delivery (CI/CD) process where code is deployed to the end-users. Access to the production environment should be limited to only those who are responsible for deploying, monitoring, and maintaining the code, such as production engineers, release managers, or site reliability engineers. Developers, testers, or other stakeholders should not have access to the production environment, as this could compromise the security, quality, and performance of the code. RBAC can help enforce this separation of duties and responsibilities by defining different roles for different pipeline stages and granting appropriate permissions to each role. For example, developers may have permission to create, edit, and test code in the development pipeline, but not to deploy or modify code in the production pipeline.

Conversely, production engineers may have permission to deploy, monitor, and troubleshoot code in the production pipeline, but not to create or edit code in the development pipeline. RBAC can also help implement the principle of least privilege, which states that users should only have the minimum level of access required to perform their tasks. This reduces the attack surface and minimizes the potential damage in case of a breach or misuse. RBAC can be configured at different levels of granularity, such as at the organization, project, or object level, depending on the needs and complexity of the organization. RBAC can also leverage existing identity and access management (IAM) solutions, such as Azure Active Directory or AWS IAM, to integrate with cloud services and applications.

Reference: Set pipeline permissions – Azure Pipelines

Azure DevOps: Access, Roles and Permissions

Cloud Computing ― What IT Auditors Should Really Know

Question #53

Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

A . Documentation criteria for the audit evidence
B . Testing procedure to be performed
C . Processes and systems to be audited
D . Updated audit work program

Reveal Solution Hide Solution

Question #54

DevSecOps aims to integrate security tools and processes directly into the software development life cycle and should be done:

A . at the end of the development cycle.
B . after go-live.
C . in all development steps.
D . at the beginning of the development cycle.

Reveal Solution Hide Solution

Question #55

Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?

A . Impact analysis
B . Likelihood
C . Mitigation
D . Residual risk

Reveal Solution Hide Solution

Question #56

The Cloud Octagon Model was developed to support organizations’:

A . risk treatment methodology.
B . incident detection methodology.
C . incident response methodology.
D . risk assessment methodology.

Reveal Solution Hide Solution

Question #57

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

A . Cloud service providers need the CAIQ to improve quality of customer service.
B . Cloud service providers can document their security and compliance controls.
C . Cloud service providers can document roles and responsibilities for cloud security.
D . Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security

Reveal Solution Hide Solution

Question #58

Which of the following would be considered as a factor to trust in a cloud service provider?

A . The level of willingness to cooperate
B . The level of exposure for public information
C . The level of open source evidence available
D . The level of proven technical skills

Reveal Solution Hide Solution

Question #59

Management planes deployed in cloud environments may pose a risk of potentially allowing access to the entire environment.

Which of the following controls is MOST appropriate for mitigating this risk?

A . Change management
B . Regular audits
C . Access restriction
D . Increased monitoring

Reveal Solution Hide Solution

Question #60

While using Software as a Service (SaaS) to store secret customer information, an organization identifies a risk of disclosure to unauthorized parties. Although the SaaS service continues to be used, secret customer data is not processed.

Which of the following risk treatment methods is being practiced?

A . Risk acceptance
B . Risk transfer
C . Risk mitigation
D . Risk reduction

Reveal Solution Hide Solution