Free ISACA CCAK Practice Exams - Page 7 of 10

Question #61

An auditor is assessing a European organization’s compliance.

Which regulation is suitable if health information needs to be protected?

A . GDPR
B . DPIA
C . DPA
D . HIPAA

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The General Data Protection Regulation (GDPR) is the regulation that is suitable if health information needs to be protected in the European Union. The GDPR provides the legal framework for the protection of personal data, including health data, and sets out directly applicable rules for the processing of the personal data of individuals1. The GDPR defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status2. The GDPR applies to any organization that processes health data of individuals who are in the EU, regardless of where the organization is established3.

The other options are not correct.

Option B, DPIA, is incorrect because DPIA stands for Data Protection Impact Assessment, which is a process that helps organizations to identify and minimize the data protection risks of a project or activity that involves processing personal data. A DPIA is not a regulation, but a tool or a requirement under the GDPR4.

Option C, DPA, is incorrect because DPA stands for Data Protection Authority, which is an independent public authority that supervises, through investigative and corrective powers, the application of the data protection law. A DPA is not a regulation, but an institution or a body under the GDPR5.

Option D, HIPAA, is incorrect because HIPAA stands for Health Insurance Portability and Accountability Act, which is a US federal law that provides data privacy and security provisions for safeguarding medical information. HIPAA does not apply to the EU, but to the US6.

Reference: =

European Health Data Space1

Article 4 – Definitions | General Data Protection Regulation (GDPR)2 Article 3 – Territorial scope | General Data Protection Regulation (GDPR)3 Data protection impact assessment | European Commission4 Data protection authorities | European Commission5

What is HIPAA? – Definition from WhatIs.com6

Question #62

From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?

A . Evaluation summaries
B . logs
C . SOC reports
D . Interviews

Reveal Solution Hide Solution

Question #63

What should be the control audit frequency for an organization’s business continuity management and operational resilience strategy?

A . Annually
B . Biannually
C . Quarterly
D . Monthly

Reveal Solution Hide Solution

Question #64

The MAIN limitation of relying on traditional cloud compliance assurance approaches such as SOC2 attestations is that:

A . they can only be performed by skilled cloud audit service providers.
B . they are subject to change when the regulatory climate changes.
C . they provide a point-in-time snapshot of an organization’s compliance posture.
D . they place responsibility for demonstrating compliance on the vendor organization.

Reveal Solution Hide Solution

Question #65

Which of the following configuration change controls is acceptable to a cloud auditor?

A . Programmers have permanent access to production software.
B . Programmers cannot make uncontrolled changes to the source code production version.
C . Development, test, and production are hosted in the same network environment.
D . The head of development approves changes requested to production.

Reveal Solution Hide Solution

Question #66

Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

A . Control self-assessment (CSA)
B . Third-party vendor involvement
C . Exception reporting
D . Application team internal review

Reveal Solution Hide Solution

Question #67

The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:

A . GDPR CoC certification.
B . GB/T 22080-2008.
C . SOC 2 Type 1 or 2 reports.
D . ISO/IEC 27001 implementation.

Reveal Solution Hide Solution

Question #68

What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?

A . Source code reviews
B . Patching
C . Access controls
D . Vulnerability management

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Access controls are the aspect of Software as a Service (SaaS) functionality and operations that the cloud customer is responsible for and should be audited. Access controls refer to the methods and techniques that verify the identity and access rights of users or devices that access or use the SaaS application and its data. Access controls may include credentials, policies, roles, permissions, tokens, multifactor authentication, single sign-on, etc. The cloud customer is responsible for ensuring that only authorized and legitimate users or devices can access or use the SaaS application and its data, as well as for protecting the confidentiality, integrity, and availability of their data. The cloud customer should also monitor and audit the access and usage of the SaaS application and its data, as well as any incidents or issues that may affect them123.

Source code reviews (A) are not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Source code reviews refer to the processes and practices that examine the source code of software applications or systems to identify errors, bugs, vulnerabilities, or inefficiencies that may affect their quality, functionality, or security. Source code reviews are mainly under the responsibility of the cloud service provider, as they own and operate the software applications or systems that deliver SaaS services. The cloud customer has no access or control over these aspects123.

Patching (B) is not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Patching refers to the processes and practices that ensure the security, reliability, and performance of the cloud infrastructure, platform, or software. Patching involves the use of updates or fixes to address vulnerabilities, bugs, errors, or exploits that may compromise or affect the functionality of the cloud components. Patching is mainly under the responsibility of the cloud service provider, as they own and operate the cloud infrastructure, platform, or software. The cloud customer has limited or no access or control over these aspects123. Vulnerability management (D) is not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Vulnerability management refers to the processes and practices that identify, assess, treat, monitor, and report on the risks that affect the security posture of an organization or a domain. Vulnerability management involves the use of tools or techniques to scan, analyze, prioritize, remediate, or mitigate vulnerabilities that may expose an organization or a domain to threats or attacks. Vulnerability management is mainly under the responsibility of the cloud service provider, as they own and operate the cloud infrastructure, platform, or software. The cloud customer has limited or no access or control over these aspects123.

Reference: =

Cloud Audits: A Guide for Cloud Service Providers – Cloud Standards …

Cloud Audits: A Guide for Cloud Service Customers – Cloud Standards …

Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam

Question #69

Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

A . Rule-based access control
B . Attribute-based access control
C . Policy-based access control
D . Role-based access control

Reveal Solution Hide Solution

Question #70

What areas should be reviewed when auditing a public cloud?

A . Identity and access management (IAM) and data protection
B . Source code reviews and hypervisor
C . Patching and configuration
D . Vulnerability management and cyber security reviews

Reveal Solution Hide Solution