CCAK Online Practice Questions and Answers

Questions 4

While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?

A. Highlighting the gap to the audit sponsor at the sponsor's earliest possible availability

B. Asking the organization's cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet

C. Documenting the finding in the audit report and sharing the gap with the relevant stakeholders

D. Informing the organization's internal audit manager immediately about the gap

Questions 5

Which of the following is MOST important to consider when an organization is building a compliance program for the cloud?

A. The rapidly changing service portfolio and architecture of the cloud.

B. Cloud providers should not be part of the compliance program.

C. The fairly static nature of the service portfolio and architecture of the cloud.

D. The cloud is similar to the on-premise environment in terms of compliance.

Questions 6

The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARILY in the:

A. risk management policy.

B. cloud policy.

C. business continuity plan.

D. information security standard for cloud technologies.

Questions 7

How should controls be designed by an organization?

A. By the internal audit team

B. Using the ISO27001 framework

C. By the cloud provider

D. Using the organization's risk management framework

Questions 8

To ensure that integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?

A. Parallel testing

B. Full application stack unit testing

C. Regression testing

D. Functional verification

Questions 9

One of the Cloud Control Matrix's (CCM's) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.” Which of the following controls under the Audit Assurance and Compliance domain does this match to?

A. Audit planning

B. Information system and regulatory mapping

C. GDPR auditing

D. Independent audits

Questions 10

The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

A. Agence nationale de la sécurité des systèmes d’information (ANSSI)

B. National Institute of Standards and Technology (NIST)

C. National Security Agency (NSA)

D. Bundesamt für Sicherheit in der Informationstechnik (BSI)

Questions 11

Which of the following is a cloud-specific security standard?

A. ISO27017

B. ISO27701

C. ISO22301

D. ISO14001

Questions 12

Account design in the cloud should be driven by:

A. security requirements.

B. organizational structure.

C. business continuity policies.

D. management structure.

Questions 13

What should be the control audit frequency for Business Continuity Management?

A. Quarterly

B. Annually

C. Monthly

D. Semi-annually

Exam Code: CCAK
Exam Name: Certificate of Cloud Auditing Knowledge
Last Update: Apr 27, 2024
Questions: 126