CCAK Online Practice Questions and Answers

Question 4

SAST testing is performed by:

A. scanning the application source code.

B. scanning the application interface.

C. scanning all infrastructure components.

D. performing manual actions to gain control of the application.

Browse 126 Q&As

Question 5

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?

A. Operations Maintenance

B. System Development Maintenance

C. Equipment Maintenance

D. System Maintenance

Question 6

Which of the following metrics are frequently immature?

A. Metrics around Infrastructure as a Service (IaaS) storage and network environments

B. Metrics around Platform as a Service (PaaS) development environments

C. Metrics around Infrastructure as a Service (IaaS) computing environments

D. Metrics around specific Software as a Service (SaaS) application services

Question 7

Which of the following is an example of financial business impact?

A. A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

B. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.

C. A DDoS attack renders the customer's cloud inaccessible for 24 hours resulting in millions in lost sales.

D. The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euro.

Question 8

To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:

A. ISO/IEC 27001:2013 controls.

B. maturity model criteria.

C. all Cloud Control Matrix (CCM) controls and TSPC security principles.

D. Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls.

Question 9

When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?

A. To determine how those services will fit within its policies and procedures

B. To determine the total cost of the cloud services to be deployed

C. To confirm which vendor will be selected based on the compliance with security requirements

D. To confirm if the compensating controls implemented are sufficient for the cloud

Question 10

Which of the following attestations allows for immediate adoption of the Cloud Control Matrix (CCM) as additional criteria to the AICPA Trust Services Criteria and provides the flexibility to update the criteria as technology and market requirements change?

A. PCI-DSS

B. CSA STAR Attestation

C. MTCS

D. BSI Criteria Catalogue C5

Question 11

Cloud Control Matrix (CCM) controls can be used by cloud customers to:

A. develop new security baselines for the industry.

B. define different control frameworks for different cloud service providers.

C. facilitate communication with their legal department.

D. build an operational cloud risk management program.

Question 12

Which of the following is the BEST recommendation to offer an organization's HR department planning to adopt a new public SaaS application to ease the recruiting process?

A. Ensure HIPAA compliance

B. Implement a cloud access security broker

C. Consult the legal department

D. Do not allow data to be in cleartext

Question 13

Which of the following activities is part of the implementation phase of a cloud assurance program during a cloud migration?

A. Development of the monitoring goals and requirements

B. Identification of processes, functions, and systems

C. Identification of the relevant laws, regulations, and standards

D. Identification of roles and responsibilities

Question 14

When establishing cloud governance, an organization should FIRST test by migrating:

A. all applications at once to the cloud.

B. complex applications to the cloud.

C. legacy applications to the cloud.

D. a few applications to the cloud.

Question 15

One of the Cloud Control Matrix's (CCM's) control specifications states that "Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations." Which of the following controls under the Audit Assurance and Compliance domain does this match?

A. Audit planning

B. Information system and regulatory mapping

C. GDPR auditing

D. Independent audits

Question 16

An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:

A. assess the existence and adequacy of a security awareness training program at the cloud service provider's organization, as the cloud customer hired the auditor to review the cloud service.

B. assess the existence and adequacy of a security awareness training program at both the cloud customer's organization and the cloud service provider's organization.

C. assess the existence and adequacy of a security awareness training program at the cloud customer's organization, as they hired the auditor.

D. not assess the security awareness training program, as it is each organization's own responsibility.

Question 17

The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

A. Agence nationale de la sécurité des systèmes d’information (ANSSI)

B. National Institute of Standards and Technology (NIST)

C. National Security Agency (NSA)

D. Bundesamt für Sicherheit in der Informationstechnik (BSI)

Question 18

What does a Dot Release of the Cloud Control Matrix (CCM) indicate?

A. The introduction of new control frameworks mapped to previously-published CCM controls.

B. A revision of the CCM domain structure.

C. A technical change (revision, addition or deletion) affecting fewer than 10% of the controls compared to the previous "Full" release.

D. A technical change (revision, addition or deletion) affecting more than 10% of the controls compared to the previous "Full" release.

Exam Code: CCAK
Exam Name: Certificate of Cloud Auditing Knowledge
Last Update: Apr 15, 2024
Questions: 126 Q&As