CCAK Practice Questions
126 real CCAK exam questions with expert-verified answers and explanations. Page 2 of 3.
- Question #51 (Cloud Auditing Basics and Tools)
  If the degree of verification for information shared with the auditor during an audit is low, the auditor should:
  Tags: Audit Evidence, Professional Judgment, Evidence Reliability, Verification
- Question #52 (Cloud Audit Reporting and Assurance)
  Which best describes the difference between a Type 1 and a Type 2 SOC report?
  Tags: SOC Reports, Type 1 SOC, Type 2 SOC, Attestation
- Question #53 (Cloud Compliance)
  You have been assigned the implementation of an ISMS whose scope must cover both on-premises and cloud infrastructure. Which of the following is your BEST option?
  Tags: ISMS, ISO 27001, ISO 27017, Cloud Security Standards
- Question #54 (Cloud Security Auditing)
  As a developer building code into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?
  Tags: DevSecOps, CI/CD Pipeline, Security Testing, Container Security
- Question #55 (Cloud Audit Reporting and Assurance)
  An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. From the follo...
  Tags: Community Cloud, Audit Reporting, Cloud Service Provider, Audit Stakeholders
- Question #56 (Cloud Compliance)
  Which of the following parties should have accountability for cloud compliance requirements?
  Tags: Cloud compliance, Shared responsibility model, Cloud accountability, Compliance requirements
- Question #57 (Cloud Data Governance)
  Which of the following data destruction methods is the MOST effective and efficient?
  Tags: Data destruction, Media sanitization, Degaussing, Data lifecycle management
- Question #58 (Cloud Compliance)
  Under GDPR, an organization should report a data breach within what time frame?
  Tags: GDPR, Data breach, Reporting requirements, Compliance
- Question #59 (Cloud Governance)
  Which of the following cloud models prohibits penetration testing?
  Tags: Cloud Models, Penetration Testing, Cloud Security Policies, Cloud Governance
- Question #60 (Cloud Governance)
  What type of termination occurs at the initiative of one party, and without the fault of the other party?
  Tags: Contract termination, Cloud service agreements, Contract lifecycle, Exit strategy
- Question #61 (Cloud Auditing for Infrastructure, Platform, and Software as a Service (IaaS, PaaS, SaaS))
  Which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service...
  Tags: Threat Modeling, IaaS Auditing, Design Review, Security Controls
- Question #62 (Cloud Auditing Basics and Tools)
  An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:
  Tags: Shared Responsibility Model, Cloud Audit Scope, Security Awareness Training, Customer Responsibility
- Question #63 (Cloud Compliance)
  The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?
  Tags: C5 framework, Cloud compliance, Regulatory agencies, Compliance standards
- Question #64 (Cloud Compliance)
  Which statement about compliance responsibilities and ownership of accountability is correct?
  Tags: Compliance ownership, Accountability, Responsibility, Cloud compliance principles
- Question #65 (Cloud Security Auditing)
  Which objective is MOST appropriate to measure the effectiveness of a password policy?
  Tags: Password Policy, Security Policy Effectiveness, Security Metrics, Audit Objectives
- Question #66 (Cloud Compliance)
  A dot release of the Cloud Controls Matrix (CCM) indicates what?
  Tags: Cloud Controls Matrix (CCM), CCM Versioning, Control Frameworks, CSA
- Question #67 (Cloud Auditing Basics and Tools)
  What should be the auditor's PRIMARY objective while examining a cloud service provider's (CSP's) SLA?
  Tags: SLA Auditing, Cloud Service Agreements, Availability Requirements, Auditor Objectives
- Question #68 (Cloud Security Auditing)
  Which of the following is an example of a corrective control?
  Tags: Corrective Controls, Access Control, Authentication, Control Types
- Question #69 (Cloud Compliance)
  Which of the following is a cloud-specific security standard?
  Tags: Cloud Security Standards, ISO 27017, Information Security Controls, Cloud Compliance Frameworks
- Question #70 (Cloud Auditing Basics and Tools)
  The PRIMARY objective for an auditor to understand the organization's context for a cloud audit is to:
  Tags: Cloud Audit Planning, Organizational Context, Audit Objectives, Preliminary Audit Activities
- Question #71 (Cloud Auditing Basics and Tools)
  Which of the following defines the criteria designed by the American Institute of Certified Public Accountants (AICPA) to specify trusted services?
  Tags: AICPA Trust Services Criteria (TSC), SOC 2, Trusted services, Auditing frameworks
- Question #72 (Cloud Compliance)
  Which of the following is the BEST control framework for a European manufacturing corporation that is migrating to the cloud?
  Tags: GDPR Compliance, Control Frameworks, Cloud Regulations, Data Protection
- Question #73 (Cloud Governance)
  Account design in the cloud should be driven by:
  Tags: Cloud Account Design, Cloud Security Architecture, Identity and Access Management, Security Controls
- Question #74 (Cloud Compliance)
  Organizations maintain mappings between the different control frameworks they adopt to:
  Tags: Control Frameworks, Compliance Mapping, Cross-Framework Compliance, Compliance Management
- Question #75 (Cloud Compliance)
  A CSP providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance to stringent government standa...
  Tags: FedRAMP, Government compliance, Cloud service provider, Authorization
- Question #76 (Cloud Risk Management)
  Which plan will guide an organization on how to react to a security incident that might occur on the organization's systems, or that might be affecting one of their service provide...
  Tags: Incident Response, Security Incident, Cloud Security, Risk Management
- Question #77 (Cloud Security Auditing)
  Which of the following would be the MOST critical finding of an application security and DevOps audit?
  Tags: Application Security, DevOps Security, Security Architecture, Critical Findings
- Question #78 (Cloud Governance)
  What should be an organization's control audit schedule for a cloud service provider's business continuity plan and operational resilience policy?
  Tags: Cloud Service Provider, Business Continuity Plan, Operational Resilience, Audit Schedule
- Question #79 (Cloud Compliance)
  An organization deploying the Cloud Controls Matrix (CCM) to perform a compliance assessment will encompass the use of the "Corporate Governance Relevance" feature to filter out tho...
  Tags: Cloud Controls Matrix (CCM), Corporate Governance, Compliance Assessment, Control Filtering
- Question #80 (Cloud Governance)
  Which of the following is the BEST way for a client to enforce a policy violation committed by a cloud service provider (CSP)?
  Tags: Policy enforcement, Cloud governance, Contractual agreements, Documentation best practices
- Question #81 (Cloud Auditing for Infrastructure, Platform, and Software as a Service (IaaS, PaaS, SaaS))
  Which of the following is a corrective control that may be identified in a SaaS service provider?
  Tags: Corrective controls, SaaS security controls, Vulnerability management, Security control types
- Question #82 (Cloud Auditing Basics and Tools)
  Which of the following configuration change controls is acceptable to a cloud auditor?
  Tags: Change Management, IT General Controls (ITGC), Segregation of Duties, Cloud Auditing
- Question #83 (Cloud Compliance)
  In cloud computing, with whom does the responsibility and accountability for compliance lie?
  Tags: Shared Responsibility Model, Cloud Compliance, Accountability, Customer Responsibility
- Question #84 (Cloud Audit Reporting and Assurance)
  The BEST method to report continuous assessment of a cloud provider's services to the CSA is through:
  Tags: Cloud Controls Matrix (CCM), CSA STAR, Third-party assurance, Continuous assessment
- Question #85 (Cloud Security Auditing)
  SAST testing is performed by:
  Tags: SAST, Application Security Testing, Static Analysis, Source Code Analysis
- Question #86 (Cloud Governance)
  When a client's business process changes, the CSP SLA should:
  Tags: SLA Management, Cloud Contracts, Change Management, Service Level Agreements
- Question #87 (Cloud Auditing Basics and Tools)
  The PRIMARY objective of an audit initiation meeting with a cloud audit client is to:
  Tags: Audit initiation, Cloud audit scope, Audit planning, Engagement kickoff
- Question #88 (Cloud Governance)
  Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availab...
  Tags: Operations Maintenance, Business Continuity, Availability Management, Management Controls
- Question #89 (Cloud Compliance)
  An auditor identifies that a CSP received multiple customer inquiries and RFPs during the last month. Which of the following should be the BEST recommendation to reduce the CSP bur...
  Tags: CSA STAR Registry, CSP burden reduction, Cloud compliance communication, Customer inquiry management
- Question #90 (Cloud Security Auditing)
  Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?
  Tags: Security Testing, Penetration Testing, Social Engineering, Physical Security
- Question #91 (Cloud Risk Management)
  When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?
  Tags: Top Threats Analysis, Incident Impact Assessment, Cloud Physical Security, Cloud Environmental Security
- Question #92 (Cloud Auditing Basics and Tools)
  When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strateg...
  Tags: Business Continuity, Operational Resilience, Cloud Auditing Strategy, Shared Responsibility Model
- Question #93 (Cloud Auditing for Infrastructure, Platform, and Software as a Service (IaaS, PaaS, SaaS))
  Which of the following metrics are frequently immature?
  Tags: Cloud Metrics, IaaS, Cloud Monitoring Maturity, Cloud Auditing Challenges
- Question #94 (Cloud Compliance)
  The MAIN difference between the Cloud Controls Matrix (CCM) and the Consensus Assessment Initiative Questionnaire (CAIQ) is that:
  Tags: Cloud Controls Matrix (CCM), Consensus Assessment Initiative Questionnaire (CAIQ), CSA, Security Frameworks
- Question #95 (Cloud Auditing for Infrastructure, Platform, and Software as a Service (IaaS, PaaS, SaaS))
  The MOST critical concept of managing the build and test of code in DevOps is:
  Tags: DevOps, Continuous Delivery, Continuous Integration, Software Release Process
- Question #96 (Cloud Compliance)
  Which of the following is a direct benefit of mapping the Cloud Controls Matrix (CCM) to other international standards and regulations?
  Tags: Cloud Controls Matrix (CCM), Standard mapping, Compliance streamlining, Cloud compliance frameworks
- Question #97 (Cloud Risk Management)
  The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to b...
  Tags: Business continuity planning, Cloud service classification, High availability, Cloud migration strategy
- Question #98 (Cloud Audit Reporting and Assurance)
  Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?
  Tags: Cloud Assurance Program, Program Establishment, Cloud Migration, Development Phase
- Question #99 (Cloud Security Auditing)
  A customer management interface, if compromised over the public internet, can lead to:
  Tags: Cloud security, Data compromise, Management interface, Vulnerability
- Question #100 (Cloud Governance)
  To assist an organization with planning a cloud migration strategy through to execution, an auditor should recommend the use of:
  Tags: Cloud Migration, Service-Oriented Architecture, Auditor Role, Cloud Strategy