Which of the following should be an assurance requirement when an organization is migrating to a
Software as a Service (SaaS) provider?
C
Explanation:
Access controls are an assurance requirement when an organization is migrating to a SaaS provider because they ensure that only authorized users can access the cloud services and data. Access controls also help to protect the confidentiality, integrity and availability of the cloud resources.
Access controls are part of the Cloud Controls Matrix (CCM) domain IAM-01: Identity and Access Management Policy and Procedures, which states that "The organization should have a policy and procedures to manage user identities and access to cloud services and data."
Reference: CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 75
In a multi-level supply chain structure where cloud service provider A relies on other sub cloud
services, the provider should ensure that any compliance requirements relevant to the provider are:
A
Explanation:
In a multi-level supply chain structure, the cloud service provider should ensure that any compliance requirements relevant to the provider are passed to the sub cloud service providers, regardless of their geographic location. This is because the sub cloud service providers may have access to or process the data of the provider's customers, and thus may affect the compliance status of the provider. The provider should also monitor and verify the compliance of the sub cloud service providers on a regular basis.
This is part of the Cloud Controls Matrix (CCM) domain COM-01: Regulatory Frameworks, which states that "The organization should identify and comply with applicable regulatory frameworks, contractual obligations, and industry standards."
Reference: CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 51
Which of the following is the PRIMARY component to determine the success or failure of an
organization’s cloud compliance program?
C
Explanation:
The primary component to determine the success or failure of an organization's cloud compliance program is mapping who possesses the information and data that should drive the compliance goals. This is because the cloud compliance program should be aligned with the organization's business objectives and risk appetite, and the information and data that support these objectives and risks are often distributed across different cloud service providers, business units, and stakeholders. Therefore, it is essential to identify who owns, controls, and accesses the information and data, and how they are protected, processed, and shared in the cloud environment.
This is part of the Cloud Controls Matrix (CCM) domain COM-02: Data Governance, which states that "The organization should have a policy and procedures to manage data throughout its lifecycle in accordance with regulatory requirements, contractual obligations, and industry standards."
Reference: CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 53
Organizations maintain mappings between the different control frameworks they adopt to:
B
Explanation:
Organizations maintain mappings between the different control frameworks they adopt to avoid duplication of work when assessing compliance. This is because different control frameworks may have overlapping or equivalent controls that address the same objectives or risks. By mapping these controls, organizations can streamline their compliance assessment process and reduce the cost and effort involved. Mappings also help organizations to identify any gaps or inconsistencies in their control coverage and address them accordingly.
This is part of the Cloud Controls Matrix (CCM) domain COM-03: Control Frameworks, which states that "The organization should identify and adopt applicable control frameworks, standards, and best practices to support the cloud compliance program."
Reference: CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 54
To assist an organization with planning a cloud migration strategy to execution, an auditor should
recommend the use of:
A
Explanation:
To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of enterprise architecture (EA). EA is a holistic approach to aligning the business and IT objectives, processes, and resources of an organization. EA helps to define the current and future state of the organization, identify the gaps and opportunities, and design the roadmap and governance for the cloud migration. EA also helps to ensure that the cloud migration is consistent with the organization's vision, mission, values, and strategy, and that it meets the requirements of the stakeholders, customers, and regulators.
EA is part of the Cloud Controls Matrix (CCM) domain GRC-01: Enterprise Risk Management, which states that "The organization should have a policy and procedures to identify, assess, manage, and monitor risks related to cloud services."
Reference: CCAK Study Guide, Chapter 2: Cloud Governance, page 25
The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:
A
Explanation:
The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to ISO/IEC 27001 implementation. ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The CSA STAR Certification is a third-party independent assessment of the security of a cloud service provider, which demonstrates the alignment of the provider's ISMS with the CCM best practices.
The CSA STAR Certification has three levels: Level 1 (STAR Certification), Level 2 (STAR Attestation), and Level 3 (STAR Continuous Monitoring).
Reference: CCAK Study Guide, Chapter 5: Cloud Auditing, page 97; CSA STAR Certification, Overview
What does “The Egregious 11” refer to?
D
Explanation:
The Egregious 11 refers to a list of top threats to cloud computing, as published by the Cloud Security Alliance (CSA) in 2019. The CSA is a leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment. The Egregious 11 report ranks the most critical and pressing cloud security issues, such as data breaches, misconfigurations, insufficient identity and access management, and account hijacking. The report also provides recommendations for security, compliance, risk and technology practitioners to mitigate these threats. The Egregious 11 is based on a survey of industry experts and a review of current literature and media reports.
The report is intended to raise awareness of the risks and challenges associated with cloud computing and promote strong security practices.
Reference: CCAK Study Guide, Chapter 5: Cloud Auditing, page 96; CSA Top Threats to Cloud Computing: Egregious 11
Which objective is MOST appropriate to measure the effectiveness of password policy?
D
Explanation:
The objective that is most appropriate to measure the effectiveness of password policy is newly created account credentials satisfy requirements. This is because password policy is a set of rules and guidelines that define the characteristics and usage of passwords in a system or network. Password policy aims to enhance the security and confidentiality of the system or network by preventing unauthorized access, data breaches, and identity theft. Therefore, the best way to evaluate the effectiveness of password policy is to check whether the newly created account credentials meet the requirements of the policy, such as length, complexity, expiration, and history. This objective can be measured by conducting periodic audits, reviews, or tests of the account creation process and verifying that the passwords comply with the policy standards.
This is part of the Cloud Controls Matrix (CCM) domain IAM-02: User ID Credentials, which states that "The organization should have a policy and procedures to manage user ID credentials for cloud services and data."
Reference: CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 76
An auditor wants to get information about the operating effectiveness of controls addressing privacy,
availability, and confidentiality of a service organization. Which of the following can BEST help to gain
the required information?
D
Explanation:
A SOC2 Type 2 report can best help an auditor to get information about the operating effectiveness of controls addressing privacy, availability, and confidentiality of a service organization. A SOC2 Type 2 report is an internal control report that examines the security, availability, processing integrity, confidentiality, and privacy of a service organization's system and data over a specified period of time, typically 3-12 months. A SOC2 Type 2 report is based on the AICPA Trust Services Criteria and provides an independent auditor's opinion on the design and operating effectiveness of the service organization's controls.
A SOC2 Type 2 report can help an auditor to assess the risks and challenges associated with outsourcing services to a cloud provider and to verify that the provider meets the relevant compliance requirements and industry standards.
Reference: CCAK Study Guide, Chapter 5: Cloud Auditing, page 97; SOC 2 Type II Compliance: Definition, Requirements, and Why You Need It
Which of the following is a cloud-specific security standard?
A
Explanation:
ISO/IEC 27017 is a cloud-specific security standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It is based on ISO/IEC 27002, which is a general standard for information security management, but it also includes additional controls and implementation guidance that specifically relate to cloud services.
ISO/IEC 27017 is intended to help both cloud service providers and cloud service customers to enhance the security and confidentiality of their cloud environment and to comply with relevant regulatory requirements and industry standards.
Reference: ISO/IEC 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services; Cloud Security Standards: ISO, PCI, GDPR and Your Cloud - Exabeam; ISO/IEC 27017 - Wikipedia
Supply chain agreements between a cloud service provider and cloud customers should, at a
minimum, include:
B
Explanation:
Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include audits, assessments, and independent verification of compliance certifications with agreement terms. This is because cloud services involve multiple parties in the supply chain, such as cloud providers, sub-providers, brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering the cloud services and ensuring their quality, security, and compliance. Therefore, it is important for the cloud customers to have visibility and assurance of the performance and compliance of the cloud providers and their sub-providers. Audits, assessments, and independent verification of compliance certifications are methods to evaluate the effectiveness of the controls and processes implemented by the cloud providers and their sub-providers to meet the agreement terms. These methods can help the cloud customers to identify any gaps or risks in the supply chain and to take corrective actions if needed.
This is part of the Cloud Controls Matrix (CCM) domain COM-04: Audit Assurance & Compliance, which states that "The organization should have a policy and procedures to conduct audits and assessments of cloud services and data to verify compliance with applicable regulatory frameworks, contractual obligations, and industry standards."
Reference: CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 55; Practical Guide to Cloud Service Agreements Version 2.0
Which of the following is the reason for designing the Consensus Assessments Initiative
Questionnaire (CAIQ)?
B
Explanation:
The reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ) is to enable cloud service providers to document their security and compliance controls in a standardized and transparent way. The CAIQ is a set of yes/no questions that correspond to the controls of the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which is a framework of best practices for cloud security. The CAIQ helps cloud service providers to demonstrate their adherence to the CCM and to provide evidence of their security posture to potential customers, auditors, and regulators. The CAIQ also helps cloud customers and auditors to assess the security capabilities of cloud service providers and to compare different providers based on their responses.
The CAIQ is part of the CSA STAR program, which is a cloud security assurance program that offers various levels of certification and attestation for cloud service providers.
Reference: What is CAIQ? | CSA - Cloud Security Alliance; Consensus Assessment Initiative Questionnaire (CAIQ) v3.1 | CSA
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment
leverages the Scope Applicability direct mapping to:
C
Explanation:
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards. The Scope Applicability direct mapping is a worksheet within the CCM that maps the CCM control specifications to several standards within the ISO/IEC 27000 series, such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, and ISO/IEC 27018. The mapping helps the organization to identify the commonalities and differences between the CCM and the ISO/IEC standards, and to determine the level of compliance with each standard based on the implementation of the CCM controls.
The mapping also helps the organization to avoid duplication of work and to streamline the compliance assessment process.
Reference: What you need to know: Transitioning CSA STAR for Cloud Controls Matrix …; Cloud Controls Matrix (CCM) - CSA
Which of the following are the three MAIN phases of the Cloud Controls Matrix (CCM) mapping
methodology?
C
Explanation:
The three main phases of the Cloud Controls Matrix (CCM) mapping methodology are preparation, execution, and peer review and publication. The CCM mapping methodology is a process to map the CCM controls to other standards, regulations, or frameworks that are relevant for cloud security. The mapping helps to identify the commonalities and differences between the CCM and the other standards, regulations, or frameworks, and to provide guidance for cloud service providers and customers on how to achieve compliance with multiple requirements using the CCM.
The mapping methodology consists of the following phases:
Preparation: This phase involves defining the scope, objectives, and deliverables of the mapping project, as well as identifying the stakeholders, resources, and tools needed. This phase also includes conducting a preliminary analysis of the CCM and the other standard, regulation, or framework to be mapped, and establishing the mapping criteria and rules.
Execution: This phase involves performing the actual mapping of the CCM controls to the other standard, regulation, or framework using a spreadsheet template. This phase also includes documenting the mapping results, providing explanations and justifications for each mapping decision, and resolving any issues or conflicts that may arise during the mapping process.
Peer Review and Publication: This phase involves validating and verifying the quality and accuracy of the mapping results by conducting a peer review with subject matter experts from both the CCM working group and the other standard, regulation, or framework organization. This phase also includes finalizing and publishing the mapping document as a CSA artifact, and communicating and promoting the mapping to the relevant audiences.
Reference: Methodology for the Mapping of the Cloud Controls Matrix
When applying the Top Threats Analysis methodology following an incident, what is the scope of the
technical impact identification step?
A
Explanation:
When applying the Top Threats Analysis methodology following an incident, the scope of the technical impact identification step is to determine the impact on confidentiality, integrity, and availability of the information system. The Top Threats Analysis methodology is a process developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the top threats to cloud computing, as defined in the CSA Top Threats reports.
The methodology consists of six steps:
Scope definition: Define the scope of the analysis, such as the cloud service model, deployment model, and business context.
Threat identification: Identify the relevant threats from the CSA Top Threats reports that may affect the scope of the analysis.
Technical impact identification: Determine the impact on confidentiality, integrity, and availability of the information system caused by each threat. Confidentiality refers to the protection of data from unauthorized access or disclosure. Integrity refers to the protection of data from unauthorized modification or deletion. Availability refers to the protection of data and services from disruption or denial.
Business impact identification: Determine the impact on the business objectives and operations caused by each threat, such as financial loss, reputational damage, legal liability, or regulatory compliance.
Risk assessment: Assess the likelihood and severity of each threat based on the technical and business impacts, and prioritize the threats according to their risk level.
Risk treatment: Select and implement appropriate risk treatment options for each threat, such as avoidance, mitigation, transfer, or acceptance.
The technical impact identification step is important because it helps to measure the extent of damage or harm that each threat can cause to the information system and its components. This step also helps to align the technical impacts with the business impacts and to support the risk assessment and treatment steps.
Reference: CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 81