CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CCAK

Free CCAK Exam Braindumps (page: 39)

Page 39 of 78
PDF with 308 Questions

Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 27001?

  1. ISO/IEC 27017:2015
  2. ISO/IEC 27002
  3. NIST SP 800-146
  4. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Answer(s): A

Explanation:

ISO/IEC 27017:2015 is a standard that provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, as well as additional controls with implementation guidance that specifically relate to cloud services. ISO/IEC 27017:2015 is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 270011. ISO/IEC 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
ISO/IEC 27002 is a standard that provides a code of practice for information security controls, but it does not provide specific guidance for cloud services. NIST SP 800-146 is a publication that provides an overview of cloud computing, its characteristics, service models, deployment models, and security considerations, but it does not provide a standard for selecting controls for cloud services. CSA CCM is a framework that provides detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains, but it is not a standard that is based on ISO/IEC 27001.


Reference:

ISO/IEC 27017:2015
[ISO/IEC 27001:2013]
[ISO/IEC 27002:2013]
[NIST SP 800-146]
[CSA CCM]



During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually.
What should be the auditor's NEXT course of action?

  1. Review the security white paper of the provider.
  2. Review the provider's audit reports.
  3. Review the contract and DR capability.
  4. Plan an audit of the provider

Answer(s): C

Explanation:

The auditor's next course of action should be to review the contract and DR capability of the cloud service provider. This will help the auditor to verify if the provider has a DR plan that meets the organization's requirements and expectations, and if the provider has evidence of testing and validating the plan annually. The auditor should also check if the contract specifies the roles and responsibilities of both parties, the RTO and RPO values, the SLA terms, and the penalties for non- compliance.
Reviewing the security white paper of the provider (option A) might give some information about the provider's security practices and controls, but it might not be sufficient or relevant to assess the DR plan. Reviewing the provider's audit reports (option B) might also provide some assurance about the provider's compliance with standards and regulations, but it might not address the specific DR needs of the organization. Planning an audit of the provider (option D) might be a possible course of action, but it would require more time and resources, and it might not be feasible or necessary if the contract and DR capability are already satisfactory.


Reference:

Disaster recovery planning guide
Audit a Disaster Recovery Plan
How to Maintain and Test a Business Continuity and Disaster Recovery Plan



Which of the following is the BEST tool to perform cloud security control audits?

  1. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
  2. General Data Protection Regulation (GDPR)
  3. Federal Information Processing Standard (FIPS) 140-2
  4. ISO 27001

Answer(s): A

Explanation:

The CSA Cloud Controls Matrix (CCM) is the best tool to perform cloud security control audits, as it is a cybersecurity control framework for cloud computing that is aligned to the CSA best practices and is considered the de-facto standard for cloud security and privacy. The CCM provides a set of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology, such as identity and access management, data security, encryption and key management, business continuity and disaster recovery, audit assurance and compliance, and risk management. The CCM

also maps the controls to various industry-accepted security standards, regulations, and control frameworks, such as ISO 27001/27002/27017/27018, NIST SP 800-53, PCI DSS, GDPR, and others. The CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The CCM also includes the Consensus Assessment Initiative Questionnaire (CAIQ), which provides a set of "yes or no" questions based on the security controls in the CCM that can be used to assess a cloud service provider.
The other options are not the best tools to perform cloud security control audits, as they are either not specific to cloud computing or not comprehensive enough. GDPR is a regulation that aims to protect the personal data and privacy of individuals in the European Union and the European Economic Area3, but it does not provide a framework for cloud security controls. FIPS 140-2 is a standard that specifies the security requirements for cryptographic modules used by federal agencies in the United States, but it does not cover other aspects of cloud security. ISO 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization, but it does not provide specific guidance for cloud services.


Reference:

Cloud Controls Matrix (CCM) - CSA
Cloud Controls Matrix and CAIQ v4 | CSA - Cloud Security Alliance General Data Protection Regulation - Wikipedia
[FIPS 140-2 - Wikipedia]
[ISO/IEC 27001:2013]



When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

  1. cloud user.
  2. cloud service provider. 0
  3. cloud customer.
  4. certification authority (CA)

Answer(s): C

Explanation:

According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the cloud customer is the entity that retains accountability for the business outcome of the system or the processes that are supported by the cloud service. The cloud customer is also responsible for ensuring that the cloud service meets the legal, regulatory, and contractual obligations that apply to the customer's business context. The cloud customer should also perform due diligence and risk assessment before selecting a cloud service provider, and establish a clear and enforceable contract that defines the roles and responsibilities of both parties.
The cloud user is the entity that uses the cloud service on behalf of the cloud customer, but it is not necessarily accountable for the compliance of the service. The cloud service provider is the entity that makes the cloud service available to the cloud customer, but it is not accountable for the compliance of the customer's business context. The certification authority (CA) is an entity that issues digital certificates to verify the identity or authenticity of other entities, but it is not accountable for the compliance of the cloud service.


Reference:

ISACA Cloud Auditing Knowledge Certificate Study Guide, page 10-11.
Certification authority - Wikipedia



Page 39 of 78



Post your Comments and Discuss ISACA CCAK exam with other Community members:

ccak commented on June 08, 2023
ccak is hard
Anonymous
upvote