CCAK Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the CCAK certification? Take your preparation to the next level with our CCAK Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a free CCAK practice exam is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic free CCAK practice exam questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
SAST testing is performed by:
A. scanning the application source code.
B. scanning the application interface.
C. scanning all infrastructure components.
D. performing manual actions to gain control of the application.
An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:
A. assess the existence and adequacy of a security awareness training program at the cloud service provider’s organization, as the cloud customer hired the auditor to review the cloud service.
B. assess the existence and adequacy of a security awareness training program at both the cloud customer’s organization and the cloud service provider’s organization.
C. assess the existence and adequacy of a security awareness training program at the cloud customer’s organization as they hired the auditor.
D. not assess the security awareness training program as it is each organization’s responsibility
Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?
A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.
B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.
C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.
D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.
What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?
A. Unlike SAST, DAST is a blackbox and programming language agnostic.
B. DAST can dynamically integrate with most CI/CD tools.
C. DAST delivers more false positives than SAST.
D. DAST is slower but thorough.
Which of the following is the MOST feasible way to validate the performance of CSPs for the delivery of technology resources?
A. Cloud compliance program
B. Legacy IT compliance program
C. Internal audit program
D. Service organization controls report
Organizations maintain mappings between the different control frameworks they adopt to:
A. help identify controls with common assessment status.
B. avoid duplication of work when assessing compliance.
C. help identify controls with different assessment status.
D. start a compliance assessment using latest assessment.
Prioritizing assurance activities for an organization’s cloud services portfolio depends PRIMARILY on an organization’s ability to:
A. schedule frequent reviews with high-risk cloud service providers.
B. develop plans using a standardized risk-based approach.
C. maintain a comprehensive cloud service inventory.
D. collate views from various business functions using cloud services.
If the degree of verification for information shared with the auditor during an audit is low, the auditor should:
A. reject the information as audit evidence.
B. stop evaluating the requirement altogether and review other audit areas.
C. delve deeper to obtain the required information to decide conclusively.
D. use professional judgment to determine the degree of reliance that can be placed on the information as evidence.
Which of the following key stakeholders should be identified the earliest when an organization is designing a cloud compliance program?
A. Cloud process owners
B. Internal control function
C. Legal functions
D. Cloud strategy owners
The cloud risk management process should:
A. evaluate only the cloud providers’ general maturity.
B. verify the provider’s policy aligns with the customer’s policy.
C. evaluate the specific cloud service features.
D. evaluate the services of the same security features.
Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization’s SaaS vendor?
A. Risk exceptions policy
B. Contractual requirements
C. Risk appetite
D. Board oversight
Which objective is MOST appropriate to measure the effectiveness of password policy?
A. The number of related incidents increases.
B. Attempts to log in with weak credentials increase.
C. Newly created account credentials satisfy requirements.
D. The number of related incidents decreases.
Which of the following is MOST relevant to determine whether an organization is a risk taker or is risk-averse?
A. Risk management methodology
B. Risk culture
C. Risk heat map
D. Risk appetite
A cloud auditor observed that just before a new software went live, the librarian transferred production data to the test environment to confirm the new software can work in the production environment. What additional control should the cloud auditor check?
A. Approval of the change by the change advisory board
B. Explicit documented approval from all customers whose data is affected
C. Training for the librarian
D. Verification that the hardware of the test and production environments are compatible
Which of the following is MOST important to consider when an organization is building a compliance program for the cloud?
A. The rapidly changing service portfolio and architecture of the cloud.
B. Cloud providers should not be part of the compliance program.
C. The fairly static nature of the service portfolio and architecture of the cloud.
D. The cloud is similar to the on-premise environment in terms of compliance.
A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel. Which access control method will allow IT personnel to be segregated across the various locations?
A. Role Based Access Control
B. Attribute Based Access Control
C. Policy Based Access Control
D. Rule Based Access Control
A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider. The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes. Which of the following should be the GREATEST concern to the auditor?
A. The provider does not maintain audit logs in their environment.
B. The customer cannot monitor its cloud subscription on its own and must rely on the provider for monitoring purposes.
C. The audit logs are overwritten every 30 days, and all past audit trail is lost.
D. The audit trails are backed up regularly, but the backup is not encrypted.
Which of the following should be performed FIRST when an organization is considering a migration to the cloud?
A. Select the cloud deployment model.
B. Identify applicable laws and regulations to the organization.
C. Select a suitable control framework for the implementation.
D. Identify different suitable cloud service providers.
What should an auditor do when assessing the business continuity plan (BCP) and disaster recovery (DR) of a cloud customer?
A. Evaluate the service level agreement (SLA) through a BCP/DR lens.
B. Get assurances from the cloud service provider that the service level agreement (SLA) can be met in a BCP/DR scenario.
C. Recommend auditing the BCP/DR planning under a separate engagement.
D. Limit the scope of the evaluation to security measures that are under the direct responsibility of the auditee.
During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization’s DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor’s NEXT course of action?
A. Review the CSP audit reports.
B. Review the security white paper of the CSP.
C. Review the contract and DR capability.
D. Plan an audit of the CSP.
After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data. In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident?
A. As an integrity breach
B. As a control breach
C. As an availability breach
D. As a confidentiality breach
In which of the following risk scenarios should a cloud customer have the full responsibility in all cloud service models?
A. Infrastructure risk
B. Identity and access risk
C. Endpoint risk
D. Data classification risk
Which of the following configuration change controls is acceptable to a cloud auditor?
A. Development, test and production are hosted in the same network environment.
B. Programmers have permanent access to production software.
C. The Head of Development approves changes requested to production.
D. Programmers cannot make uncontrolled changes to the source code production version.
An organization plans to migrate to an Infrastructure as a Service (IaaS) cloud service provider and performs an evaluation of the provider's security. What would be the BEST course of action for the cloud auditor to understand the provider's network security controls?
A. Perform an independent audit of the cloud service provider’s premises.
B. Ask the cloud service provider for a detailed network diagram.
C. Check the information provided by the cloud service provider.
D. Perform pen testing against the cloud service provider’s infrastructure.
An audit that can be performed using real-time automated scripts or manual testing, and that organizations continuously carry out as part of operations to help them implement continuous assurance and compliance, is:
A. a governance and strategy audit.
B. a compliance and controls audit.
C. access review.
D. configuration and activity monitoring.
Which of the following is a category of trust in cloud computing?
A. Reputation-based trust
B. Background-based trust
C. Loyalty-based trust
D. Transparency-based trust
What should be the auditor’s PRIMARY objective while examining a cloud service provider’s (CSP’s) SLA?
A. Verifying whether commensurate compensation in the form of service credits is factored in if the CSC is unable to match its SLA obligations
B. Verifying whether the SLA includes all the operational matters which are material to the operation of the service
C. Verifying whether the SLA caters to the availability requirements of the cloud service customer (CSC)
D. Verifying whether the SLAs are well-defined and measurable
As a developer building code into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?
A. Within developer’s laptop
B. Within the CI/CD server
C. Within version repositories
D. Within the CI/CD pipeline
A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?
A. The auditor should review the service providers’ security controls even more strictly, as they are further separated from the cloud customer.
B. The auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply.
C. As the contract for the cloud service is between the cloud customer and the cloud service provider, there is no need for the auditor to review the services provided by the service providers.
D. As the relationship between the cloud service provider and its service providers is governed by separate contracts between them, there is no need for the auditor to review the services provided by the service providers.
Which of the following is the common cause of misconfiguration in a cloud environment?
A. Absence of effective change control
B. Using multiple cloud service providers
C. New cloud computing techniques
D. Traditional change process mechanisms
Which of the following enables auditors to conduct gap analyses of what a cloud service provider offers versus what the customer requires?
A. The as-is and to-be enterprise architecture (EA)
B. Using a standardized control framework
C. The experience gained over the years
D. Understanding the customer risk profile
An organization deploying the Cloud Controls Matrix (CCM) to perform a compliance assessment will encompass the use of the Corporate Governance Relevance feature to filter out those controls:
A. that are related to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.
B. that can be of either an administrative or a technical nature, therefore requiring an approval from the Change Advisory Board.
C. that can be of either a management or a legal nature, therefore requiring an approval from the Change Advisory Board.
D. that require prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.
The criteria for limiting which services, whether non-critical services or services requiring high availability and resilience, are allowed to be moved to the cloud is an important consideration to be included PRIMARILY in the:
A. risk management policy.
B. cloud policy.
C. business continuity plan.
D. information security standard for cloud technologies.
The BEST way to deliver continuous compliance in a cloud environment is to:
A. decrease the interval between attestations of compliance.
B. combine point-in-time assurance approaches with continuous monitoring.
C. increase the frequency of external audits from annual to quarterly.
D. combine point-in-time assurance approaches with continuous auditing.
Which of the following metrics are frequently immature?
A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Supply chain agreements between CSP and cloud customers should, at minimum, include:
A. Organization chart of the CSP
B. Policies and procedures of the cloud customer
C. Audits, assessments and independent verification of compliance certifications with agreement terms
D. Regulatory guidelines impacting the cloud customer
Which best describes the difference between a type 1 and a type 2 SOC report?
A. A type 2 SOC report validates the operating effectiveness of controls whereas a type 1 SOC report validates the suitability of the design of the controls.
B. A type 2 SOC report validates the suitability of the design of the controls whereas a type 1 SOC report validates the operating effectiveness of controls.
C. A type 1 SOC report provides an attestation whereas a type 2 SOC report offers a certification.
D. There is no difference between a type 2 and type 1 SOC report.
The CSA STAR maturity model assessment should summarize:
A. the security posture of the cloud provider.
B. the effectiveness of operating controls.
C. the strengths and weaknesses of a cloud service provider’s processes.
D. ISO/IEC 27001:2013 control objective status.
While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?
A. Highlighting the gap to the audit sponsor at the sponsor’s earliest possible availability
B. Asking the organization’s cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet
C. Documenting the finding in the audit report and sharing the gap with the relevant stakeholders
D. Informing the organization’s internal audit manager immediately about the gap
To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:
A. object-oriented architecture.
B. software architecture.
C. service-oriented architecture.
D. enterprise architecture.
The control domain feature within a Cloud Controls Matrix (CCM) represents:
A. CCM’s ability to scan and check Active Directory, LDAP, and x.500 directories for suspicious and/or privileged user accounts.
B. CCM’s ability to scan for anomalies in DNS zones in order to detect DNS spoofing, DNS hijacking, DNS cache poisoning, and similar threats.
C. a logical grouping of security controls addressing the same category of IT risks or information security concerns.
D. a set of application programming interfaces (APIs) that allows a cloud consumer to restrict the replication area within a well-defined jurisdictional perimeter.
A Dot Release of Cloud Control Matrix (CCM) indicates what?
A. The introduction of new control frameworks mapped to previously-published CCM controls.
B. A revision of the CCM domain structure.
C. A technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous “Full” release.
D. A technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous “Full” release.
Which of the following control frameworks should the cloud customer use to assess the overall security risk of a cloud provider?
A. SOC3 – Type2
B. Cloud Control Matrix (CCM)
C. SOC2 – Type1
D. SOC1 – Type1
As Infrastructure as a Service (IaaS) cloud service providers often do not allow cloud service customers to perform on-premises audits, the BEST approach for the auditor should be to:
A. use other sources of available data for evaluating the customer’s controls.
B. refrain from auditing the provider’s security controls due to lack of cooperation.
C. escalate the lack of support from the provider to the regulatory authority.
D. recommend that the customer not use the services provided by the provider.
Which of the following is an example of integrity technical impact?
A. The cloud provider reports a breach of customer personal data from an unsecured server.
B. A hacker using a stolen administrator identity alters the discount percentage in the product database.
C. A DDoS attack renders the customer’s cloud inaccessible for 24 hours.
D. An administrator inadvertently clicked on phishing bait, exposing his company to a ransomware attack.
From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?
A. SOC reports
B. Logs
C. Evaluation summaries
D. Interviews
Which of the following enables auditors to conduct gap analysis?
A. The experience gained over the years
B. Using a standardized control framework
C. Understanding the customer risk profile
D. The as-is and to-be enterprise architecture (EA)
Which of the following CSP activities requires a client’s approval?
A. Delete the guest account or test accounts
B. Delete the master account or subscription owner accounts
C. Delete the guest account or destroy test data
D. Delete the test accounts or destroy test data
A dot release of the Cloud Controls Matrix (CCM) indicates:
A. a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release.
B. a revision of the CCM domain structure.
C. the introduction of new control frameworks mapped to previously published CCM controls.
D. a technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release.
When cloud customers are unable to satisfy their payment obligations, which type of termination is triggered by the cloud service provider?
A. Termination for the missed payment
B. Termination at the end of the term
C. Termination for convenience
D. Termination for cause
Free Access Full CCAK Practice Exam Free
Looking for additional practice? Click here to access a full set of CCAK practice exam free questions and continue building your skills across all exam domains.
Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!
Good luck with your CCAK certification journey!