CCAK Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the CCAK certification? Our CCAK Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective CCAK exam prep free is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic CCAK Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization’s DevOps pipeline?
A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data. In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident?
A. As an integrity breach
B. As a control breach
C. As an availability breach
D. As a confidentiality breach
Organizations maintain mappings between the different control frameworks they adopt to:
A. help identify controls with common assessment status.
B. avoid duplication of work when assessing compliance.
C. help identify controls with different assessment status.
D. start a compliance assessment using the latest assessment.
A CSP contracts for a penetration test to be conducted on its infrastructure. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP’s security operations center is not notified in advance of the scope of the audit and the test vectors. Which mode is selected by the CSP?
A. Double gray box
B. Tandem
C. Reversal
D. Double blind
When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?
A. Data retention, backup, and recovery
B. Patch management process
C. Return or destruction of information
D. Network intrusion detection
The FINAL decision to include a material finding in a cloud audit report should be made by the:
A. organization’s chief information security officer (CISO).
B. cloud auditor.
C. auditee’s senior management.
D. organization’s chief executive officer (CEO).
What is below the waterline in the context of cloud operationalization?
A. The controls operated by the cloud access security broker (CASB)
B. The controls operated by both
C. The controls operated by the customer
D. The controls operated by the cloud service provider
Why are the fieldwork audit papers reviewed by an audit manager, even when the cloud auditor has many years of experience?
A. Internal quality requirements
B. Professional standards
C. Audit guidelines
D. Audit methodology
Prioritizing assurance activities for an organization’s cloud services portfolio depends PRIMARILY on an organization’s ability to:
A. schedule frequent reviews with high-risk cloud service providers.
B. develop plans using a standardized risk-based approach.
C. maintain a comprehensive cloud service inventory.
D. collate views from various business functions using cloud services.
Supply chain agreements between a CSP and cloud customers should, at minimum, include:
A. Organization chart of the CSP
B. Policies and procedures of the cloud customer
C. Audits, assessments and independent verification of compliance certifications with agreement terms
D. Regulatory guidelines impacting the cloud customer
From a systems development life cycle perspective, where a Software as a Service (SaaS) provider follows a DevOps approach, it is MOST beneficial for continuous auditing controls to be:
A. designed natively into the software.
B. subjected to independent review.
C. integrated with external tools.
D. evaluated with high frequency.
To identify key actors and requirements, which of the following MUST be considered when designing a cloud compliance program?
A. Cloud service provider, internal and external audit perspectives
B. Business/organizational, governance, cloud and risk perspectives
C. Enterprise risk management, data protection, privacy and legal perspectives
D. Key stakeholders, enterprise risk management, and internal audit perspectives
Which of the following controls is MOST relevant for identifying cases of misuse when scripts are running in the background with minimal human oversight?
A. Additional manual testing
B. Segregation of duties
C. Increased regression testing
D. Additional monitoring
Which of the following is an example of financial business impact?
A. A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
B. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.
C. A DDoS attack renders the customer’s cloud inaccessible for 24 hours resulting in millions in lost sales.
D. The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euro.
Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?
A. Service Level Objective (SLO)
B. Recovery Point Objectives (RPO)
C. Service Level Agreement (SLA)
D. Recovery Time Objectives (RTO)
Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?
A. German IDW PS 951
B. Multi-Tier Cloud Security (MTCS)
C. BSI Criteria Catalogue C5
D. BSI IT-basic protection catalogue
An audit that can be performed using real-time automated scripts or manual testing, and that organizations carry out continuously as part of operations to help them implement continuous assurance and compliance, is:
A. a governance and strategy audit.
B. a compliance and controls audit.
C. access review.
D. configuration and activity monitoring.
Which of the following enables auditors to conduct gap analyses of what a cloud service provider offers versus what the customer requires?
A. The as-is and to-be enterprise architecture (EA)
B. Using a standardized control framework
C. The experience gained over the years
D. Understanding the customer risk profile
When capturing compliance objectives within an organization’s cloud policy, it is MOST important for stakeholders to:
A. take into consideration the organization’s risk appetite.
B. measure the operating effectiveness of existing controls.
C. seek input from external subject matter experts.
D. follow a structured decision-making process.
Why is it important for the individuals in charge of cloud compliance to understand the organization’s past?
A. To determine the risk profile of the organization
B. To determine the current state of the organization’s compliance
C. To verify whether the measures implemented from the lessons learned are effective
D. To address any open findings from previous external audits
Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
A. ISO/IEC 27017:2015
B. CSA Cloud Control Matrix (CCM)
C. NIST SP 800-146
D. ISO/IEC 27002
When cloud customers are unable to satisfy their payment obligations, which type of termination is triggered by the cloud service provider?
A. Termination for the missed payment
B. Termination at the end of the term
C. Termination for convenience
D. Termination for cause
A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?
A. The auditor should review the service providers’ security controls even more strictly, as they are further separated from the cloud customer.
B. The auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply.
C. As the contract for the cloud service is between the cloud customer and the cloud service provider, there is no need for the auditor to review the services provided by the service providers.
D. As the relationship between the cloud service provider and its service providers is governed by separate contracts between them, there is no need for the auditor to review the services provided by the service providers.
Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?
A. Design
B. Stakeholder identification
C. Development
D. Risk assessment
Which of the following metrics are frequently immature?
A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
An organization plans to migrate to an Infrastructure as a Service (IaaS) cloud service provider and performs an evaluation of the provider's security. What would be the BEST course of action for the cloud auditor to understand the provider's network security controls?
A. Perform an independent audit of the cloud service provider’s premises.
B. Ask the cloud service provider for a detailed network diagram.
C. Check the information provided by the cloud service provider.
D. Perform pen testing against the cloud service provider’s infrastructure.
Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?
A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.
B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.
C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.
D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.
In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:
A. both operating system and application infrastructure contained within the CSP’s instances.
B. both operating system and application infrastructure contained within the customer’s instances.
C. only application infrastructure contained within the CSP’s instances.
D. only application infrastructure contained within the customer’s instances.
While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?
A. Highlighting the gap to the audit sponsor at the sponsor’s earliest possible availability
B. Asking the organization’s cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet
C. Documenting the finding in the audit report and sharing the gap with the relevant stakeholders
D. Informing the organization’s internal audit manager immediately about the gap
An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. From the following, to whom should the auditor report the findings?
A. Public
B. Management of organization being audited
C. Shareholders/interested parties
D. Cloud service provider
Which of the following is the common cause of misconfiguration in a cloud environment?
A. Absence of effective change control
B. Using multiple cloud service providers
C. New cloud computing techniques
D. Traditional change process mechanisms
As part of cloud migration, who is responsible for defining and setting the applicable controls?
A. Cloud customer
B. Shared responsibility
C. Cloud auditor
D. Cloud provider
An audit that evaluates the organization’s framework for defining requirements, performing risk assessments, monitoring controls, reporting adherence, and developing a strategic plan for the cloud is:
A. a compliance and controls audit.
B. configuration and activity monitoring.
C. a governance and strategy audit.
D. access review.
Which objective is MOST appropriate to measure the effectiveness of password policy?
A. The number of related incidents increases.
B. Attempts to log in with weak credentials increase.
C. Newly created account credentials satisfy requirements.
D. The number of related incidents decreases.
If a cloud agreement allows the cloud service provider to decommission any service within a set period, who is responsible for managing the risk introduced by this change?
A. Cloud service provider and risk manager
B. Regulator
C. Cloud service provider
D. Cloud customer
Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?
A. Exception reporting
B. Third-party vendor involvement
C. Application team internal review
D. Control self-assessment (CSA)
As a developer building code into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?
A. Within the developer’s laptop
B. Within the CI/CD server
C. Within version repositories
D. Within the CI/CD pipeline
Which of the following enables auditors to conduct gap analysis?
A. The experience gained over the years
B. Using a standardized control framework
C. Understanding the customer risk profile
D. The as-is and to-be enterprise architecture (EA)
A Dot Release of Cloud Control Matrix (CCM) indicates what?
A. The introduction of new control frameworks mapped to previously-published CCM controls.
B. A revision of the CCM domain structure.
C. A technical change (revision, addition or deletion) affecting fewer than 10% of the controls compared to the previous “Full” release.
D. A technical change (revision, addition or deletion) affecting more than 10% of the controls compared to the previous “Full” release.
When using transparent database encryption, where does the encryption engine reside?
A. In a key management system
B. On the instances attached to the volume
C. At the application using the database
D. Within the database
What documents should be provided by the infrastructure and platform operations team to the auditors in relation to auditing cloud data protection and life cycle management?
A. Backup and recovery policy, including evidence of the last review and update timeline and latest best results
B. Policies and procedures established around third-party risk assessments
C. Inventory of third-party attestation reports
D. Enterprise-cloud strategy and policy
A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider. The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes. Which of the following should be the GREATEST concern to the auditor?
A. The provider does not maintain audit logs in their environment.
B. The customer cannot monitor its cloud subscription on its own and must rely on the provider for monitoring purposes.
C. The audit logs are overwritten every 30 days, and all past audit trail is lost.
D. The audit trails are backed up regularly, but the backup is not encrypted.
Which of the following report types includes prescriptive remediation recommendations along with details and action steps?
A. Internal
B. Audit
C. Limited
D. Public
What is the PRIMARY mission of the FedRAMP Program Management Office (PMO)?
A. To provide agencies of the federal government a dedicated tool to certify Authority to Operate (ATO)
B. To promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment
C. To publish a comprehensive and official framework for the secure implementation of controls for cloud security
D. To enable 3PAOs to perform independent security assessments of cloud service providers
To ensure that integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?
A. Parallel testing
B. Full application stack unit testing
C. Regression testing
D. Functional verification
In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?
A. Service Provider control
B. Impact and Risk control
C. Data Inventory control
D. Compliance control
Who would be BEST suited to mitigate, on a daily basis, the risk related to development and operations practices in a public cloud?
A. Risk management team
B. DevOps team
C. Internal audit team
D. Cloud infrastructure team
Which of the following is an important challenge in the design and building of a cloud compliance program?
A. Determining the total cost of all cloud components
B. Identifying all cloud components used in the organization
C. Assigning risk ownership for the cloud components
D. Understanding the cloud computing context
Which of the following CSP activities requires a client’s approval?
A. Delete the guest account or test accounts
B. Delete the master account or subscription owner accounts
C. Delete the guest account or destroy test data
D. Delete the test accounts or destroy test data
Which of the following is a category of trust in cloud computing?
A. Reputation-based trust
B. Background-based trust
C. Loyalty-based trust
D. Transparency-based trust
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your CCAK certification journey!