CCAK Practice Questions

A.  

NIST 800-73, because it is a control framework implemented by the main cloud providers

B.  

ISO/IEC 27018

C.  

ISO/IEC 27002

D.  

(S) Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

A.  

Location of data

B.  

Amount of server storage

C.  

Access controls

D.  

Type of network technology

A.  

Process of security integration using automation in software development

B.  

Operational framework that promotes software consistency through automation

C.  

Development standards for addressing integration, testing, and deployment issues

D.  

Making software development simpler, faster, and easier using automation

A.  

Procedures

B.  

Governance

C.  

Cryptography and authentication

D.  

Documentation quality

A.  

The number of related incidents decreases.

B.  

Attempts to log with weak credentials increases.

C.  

The number of related incidents increases.

D.  

Newly created account credentials satisfy requirements.

A.  

The cloud provider reports a breach of customer personal data from an unsecured server.

B.  

distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.

C.  

An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.

D.  

A hacker using a stolen administrator identity alters the discount percentage in the product database.

A.  

facilitate an effective relationship between the cloud service provider and cloud client.

B.  

enable the cloud service provider to prioritize resources to meet its own requirements.

C.  

provide global, accredited, and trusted certification of the cloud service provider.

D.  

ensure understanding of true risk and perceived risk by the cloud service users

A.  

Discard all work done and start implementing NIST 800-53 from scratch.

B.  

Recommend no change, since the scope of ISO/IEC 27002 is broader.

C.  

Recommend no change, since NIST 800-53 is a US-scoped control framework.

D.  

Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

A.  

Enterprise cloud strategy and policy, as well as inventory of third-party attestation reports

B.  

Policies and procedures established around third-party risk assessments, including questionnaires that are required to be completed to assess risk associated with use of third-party services

C.  

Enterprise cloud strategy and policy, as well as the enterprise cloud security strategy

D.  

Inventory of third-party attestation reports and enterprise cloud security strategy

A.  

determine whether the organization has carried out control self-assessment (CSA) and validated audit reports of the cloud service providers.

B.  

validate an understanding of the organization's current state and how the cloud audit plan fits into the existing audit approach.

C.  

validate the organization's performance effectiveness utilizing cloud service provider solutions.

D.  

validate whether an organization has a cloud audit plan in place.