Free CCAK Exam Braindumps (page: 44)

Page 44 of 78

Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?

  A. Separation of production and development pipelines
  B. Ensuring segregation of duties in the production and development pipelines
  C. Role-based access controls in the production and development pipelines
  D. Periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations

Answer(s): C

Explanation:

Role-based access controls (RBAC) are a method of restricting access to resources based on the roles of individual users within an organization. RBAC allows administrators to assign permissions to roles, rather than to specific users, and then assign users to those roles. This simplifies the management of access rights and reduces the risk of unauthorized or excessive access.

RBAC is especially important for ensuring adequate restriction on the number of people who can access the pipeline production environment, which is the final stage of the continuous integration and continuous delivery (CI/CD) process where code is deployed to the end users. Access to the production environment should be limited to only those who are responsible for deploying, monitoring, and maintaining the code, such as production engineers, release managers, or site reliability engineers. Developers, testers, or other stakeholders should not have access to the production environment, as this could compromise the security, quality, and performance of the code.

RBAC can help enforce this separation of duties and responsibilities by defining different roles for different pipeline stages and granting appropriate permissions to each role. For example, developers may have permission to create, edit, and test code in the development pipeline, but not to deploy or modify code in the production pipeline. Conversely, production engineers may have permission to deploy, monitor, and troubleshoot code in the production pipeline, but not to create or edit code in the development pipeline. RBAC can also help implement the principle of least privilege, which states that users should only have the minimum level of access required to perform their tasks. This reduces the attack surface and minimizes the potential damage in case of a breach or misuse.

RBAC can be configured at different levels of granularity, such as at the organization, project, or object level, depending on the needs and complexity of the organization. RBAC can also leverage existing identity and access management (IAM) solutions, such as Azure Active Directory or AWS IAM, to integrate with cloud services and applications.
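An added example, not part of the original page and not the configuration model of Azure DevOps or any other pipeline tool: a small deny-by-default RBAC model for pipeline stages, together with the two checks an auditor would run against it, enumerating every principal who can reach production at all and flagging anyone who holds both a development role and a production role. The role names, the (environment, action) permission tuples, and the user assignments are constructed for illustration.

```python
"""Deny-by-default RBAC for CI/CD pipeline stages, with audit checks.

Added illustration; role names, permission tuples and accounts below are
constructed for this example and do not reflect any real pipeline tool.
"""

# Permission = (environment, action). A role grants only what is listed here.
ROLE_PERMISSIONS = {
    "developer":           {("dev", "edit"), ("dev", "test")},
    "release_manager":     {("prod", "deploy"), ("prod", "monitor")},
    "production_engineer": {("prod", "deploy"), ("prod", "monitor"), ("prod", "troubleshoot")},
    "auditor":             {("dev", "read_logs"), ("prod", "read_logs")},
}

# Role pairs that must not be held by the same person (segregation of duties):
# anyone who writes code must not also be able to push it to production.
CONFLICTING_ROLES = (
    frozenset({"developer", "release_manager"}),
    frozenset({"developer", "production_engineer"}),
)

# Constructed sample role assignments (user -> set of roles).
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob":   {"production_engineer"},
    "carol": {"developer", "release_manager"},   # holds a conflicting pair
    "dave":  {"auditor"},
}


def is_allowed(assignments, user, environment, action):
    """Allow only if one of the user's roles grants (environment, action).

    Unknown users and unknown roles fall through to deny.
    """
    for role in assignments.get(user, set()):
        if (environment, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def production_access(assignments):
    """Map each user who can do anything in production to their prod actions.

    This is the figure the question is about: how many people can reach
    production at all, read-only roles included.
    """
    result = {}
    for user, roles in assignments.items():
        actions = sorted(
            action
            for role in roles
            for env, action in ROLE_PERMISSIONS.get(role, set())
            if env == "prod"
        )
        if actions:
            result[user] = actions
    return result


def sod_violations(assignments):
    """Return users holding any pair of roles listed in CONFLICTING_ROLES."""
    return sorted(
        user
        for user, roles in assignments.items()
        if any(pair <= roles for pair in CONFLICTING_ROLES)
    )


if __name__ == "__main__":
    print("alice may deploy to prod:", is_allowed(ASSIGNMENTS, "alice", "prod", "deploy"))
    print("bob may deploy to prod:  ", is_allowed(ASSIGNMENTS, "bob", "prod", "deploy"))
    print("production principals:", production_access(ASSIGNMENTS))
    print("SoD violations:", sod_violations(ASSIGNMENTS))
```

Run against the constructed assignments, three of the four accounts can reach production (bob and carol with deploy rights, dave read-only) and carol is flagged because she holds a development role alongside a production role. Removing her release_manager role, or moving it to a separate account, clears the violation and shrinks the production list to two principals, which is the kind of reduction the question is asking about.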


Reference:

Set pipeline permissions - Azure Pipelines
Azure DevOps: Access, Roles and Permissions
Cloud Computing -- What IT Auditors Should Really Know



The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:

  A. facilitate an effective relationship between the cloud service provider and cloud client.
  B. enable the cloud service provider to prioritize resources to meet its own requirements.
  C. provide global, accredited, and trusted certification of the cloud service provider.
  D. ensure understanding of true risk and perceived risk by the cloud service users.

Answer(s): C

Explanation:

The primary purpose of the Open Certification Framework (OCF) for the CSA STAR program is to provide global, accredited, and trusted certification of the cloud service provider. According to the CSA website, the OCF is an industry initiative to allow global, trusted independent evaluation of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification and/or attestation according to the Cloud Security Alliance's industry-leading security guidance and control framework. The OCF aims to address the gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services. It also integrates with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. The OCF is the structure underpinning the CSA STAR program, an assurance framework that enables cloud service providers to demonstrate cloud-specific security controls. The STAR program has three levels of assurance, each based on a different type of audit or assessment:
Level 1: Self-Assessment,
Level 2: Third-Party Audit, and
Level 3: Continuous Auditing.
The OCF also oversees the CSA STAR Registry, which is a publicly accessible repository that documents the security controls provided by various cloud computing offerings. The OCF helps consumers to evaluate and compare their providers' resilience, data protection, privacy capabilities, and service portability. It also helps providers to demonstrate their compliance with industry standards and best practices.


Reference:

Open Certification Framework Working Group | CSA
STAR | CSA



An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month.
Which of the following should be the BEST recommendation to reduce the provider's burden?

  A. The provider can answer each customer individually.
  B. The provider can direct all customer inquiries to the information in the CSA STAR registry.
  C. The provider can schedule a call with each customer.
  D. The provider can share all security reports with customers to streamline the process.

Answer(s): B

Explanation:

The CSA STAR registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. The registry is based on the Cloud Controls Matrix (CCM), which is a framework of cloud-specific security best practices, and the GDPR Code of Conduct, which is a set of privacy principles for cloud service providers. The registry allows cloud customers to assess the security and compliance posture of cloud service providers, as well as to compare different providers based on their level of assurance. The registry also reduces the complexity and cost of filling out multiple customer questionnaires and requests for proposal (RFPs). Therefore, the best recommendation to reduce the provider's burden is to direct all customer inquiries to the information in the CSA STAR registry, which can demonstrate the provider's transparency, trustworthiness, and adherence to industry standards. The provider can also encourage customers to use the Consensus Assessments Initiative Questionnaire (CAIQ), which is a standardized set of questions based on the CCM, to evaluate the provider's security controls. Alternatively, the provider can pursue higher levels of assurance, such as third-party audits or continuous monitoring, to further validate their security and privacy practices and increase customer confidence.


Reference:

STAR Registry | CSA
STAR | CSA
CSA Security Trust Assurance and Risk (STAR) Registry Reaches Notable ...
Why CSA STAR Is Important for Cloud Service Providers - A-LIGN



Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

  A. Documentation criteria for the audit evidence
  B. Testing procedure to be performed
  C. Processes and systems to be audited
  D. Updated audit work program

Answer(s): C

Explanation:

The most important audit scope document when conducting a review of a cloud service provider is the one that defines the processes and systems to be audited. It should clearly identify the objectives, criteria, and boundaries of the audit, as well as the roles and responsibilities of the audit team and the cloud service provider. It should specify the scope of the provider's services (service model, deployment model, geographic location, data classification, and compliance requirements), describe the scope of the audit evidence (the types, sources, methods, and sampling techniques of data collection and analysis), and state the expected deliverables, timelines, and reporting formats. Both parties should agree on it before the audit commences.
Defining the processes and systems to be audited is essential for ensuring that the audit is relevant, reliable, consistent, and complete. It establishes a common understanding and expectation between the auditor and the auditee, which avoids misunderstandings or conflicts during or after the audit, and it focuses the audit on the key risks and controls related to the cloud service provider's operations and performance. It also helps to ensure that the audit complies with the applicable standards, frameworks, and regulations. The other options (evidence documentation criteria, testing procedures, and the audit work program) are derived from the scope once it is fixed; they do not define it.


Reference:

Cloud Audits and Compliance: What You Need To Know - Linford & Company LLP
How to audit the cloud | ICAEW
Auditing Cloud Computing: A Security and Privacy Guide






Post your Comments and Discuss ISACA CCAK exam with other Community members:

ccak commented on June 08, 2023
ccak is hard
Anonymous