Free CCAK Exam Braindumps (page: 34)

Page 34 of 78

What does "The Egregious 11" refer to?

  A. The OWASP Top 10 adapted to cloud computing
  B. A list of top shortcomings of cloud computing
  C. A list of top breaches in cloud computing
  D. A list of top threats to cloud computing

Answer(s): D

Explanation:

The Egregious 11 refers to a list of top threats to cloud computing, as published by the Cloud Security Alliance (CSA) in 2019. The CSA is a leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment. The Egregious 11 report ranks the most critical and pressing cloud security issues, such as data breaches, misconfigurations, insufficient identity and access management, and account hijacking. The report also provides recommendations for security, compliance, risk and technology practitioners to mitigate these threats. The Egregious 11 is based on a survey of industry experts and a review of current literature and media reports. The report is intended to raise awareness of the risks and challenges associated with cloud computing and promote strong security practices.


Reference:

CCAK Study Guide, Chapter 5: Cloud Auditing, page 96; CSA Top Threats to Cloud Computing: Egregious 11



Which objective is MOST appropriate to measure the effectiveness of password policy?

  A. The number of related incidents decreases.
  B. Attempts to log in with weak credentials increase.
  C. The number of related incidents increases.
  D. Newly created account credentials satisfy requirements.

Answer(s): D

Explanation:

The objective that is most appropriate to measure the effectiveness of password policy is that newly created account credentials satisfy requirements. A password policy is a set of rules and guidelines that define the characteristics and usage of passwords in a system or network. Its aim is to enhance the security and confidentiality of the system or network by preventing unauthorized access, data breaches, and identity theft. Therefore, the best way to evaluate the effectiveness of a password policy is to check whether newly created account credentials meet the requirements of the policy, such as length, complexity, expiration, and history. This objective can be measured by conducting periodic audits, reviews, or tests of the account creation process and verifying that the passwords comply with the policy standards. This is part of the Cloud Controls Matrix (CCM) domain IAM-02: User ID Credentials, which states that "The organization should have a policy and procedures to manage user ID credentials for cloud services and data."


Reference:

CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 76



An auditor wants to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization.
Which of the following can BEST help to gain the required information?

  A. ISAE 3402 report
  B. ISO/IEC 27001 certification
  C. SOC 1 Type 1 report
  D. SOC 2 Type 2 report

Answer(s): D

Explanation:

A SOC 2 Type 2 report can best help an auditor obtain information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. A SOC 2 Type 2 report is an internal control report that examines the security, availability, processing integrity, confidentiality, and privacy of a service organization's system and data over a specified period of time, typically 3-12 months. It is based on the AICPA Trust Services Criteria and provides an independent auditor's opinion on both the design and the operating effectiveness of the service organization's controls (a Type 1 report, by contrast, covers only the design of controls at a point in time). A SOC 2 Type 2 report can help an auditor assess the risks and challenges associated with outsourcing services to a cloud provider and verify that the provider meets the relevant compliance requirements and industry standards.


Reference:

CCAK Study Guide, Chapter 5: Cloud Auditing, page 97; SOC 2 Type II Compliance: Definition, Requirements, and Why You Need It



Which of the following is a cloud-specific security standard?

  A. ISO/IEC 27017
  B. ISO/IEC 14001
  C. ISO/IEC 22301
  D. ISO/IEC 27701

Answer(s): A

Explanation:

ISO/IEC 27017 is a cloud-specific security standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It is based on ISO/IEC 27002, which is a general standard for information security controls, but it also includes additional controls and implementation guidance that specifically relate to cloud services. ISO/IEC 27017 is intended to help both cloud service providers and cloud service customers to enhance the security and confidentiality of their cloud environment and to comply with relevant regulatory requirements and industry standards.


Reference:

ISO/IEC 27017:2015 - Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services; Cloud Security Standards: ISO, PCI, GDPR and Your Cloud - Exabeam; ISO/IEC 27017 - Wikipedia







ccak commented on June 08, 2023
ccak is hard