CCAK Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your CCAK certification? Our CCAK Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a CCAK Dump Free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our CCAK Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
Which of the following cloud service models recommends building guardrails for developers and DevOps?
A. Infrastructure as a Service (IaaS)
B. Security as a Service (SecaaS)
C. Platform as a Service (PaaS)
D. Software as a Service (SaaS)
Why are the fieldwork audit papers reviewed by an audit manager, even when the cloud auditor has many years of experience?
A. Internal quality requirements
B. Professional standards
C. Audit guidelines
D. Audit methodology
Which of the following enables auditors to conduct gap analysis?
A. The experience gained over the years
B. Using a standardized control framework
C. Understanding the customer risk profile
D. The as-is and to-be enterprise architecture (EA)
From a systems development life cycle perspective, where a Software as a Service (SaaS) provider follows a DevOps approach, it is MOST beneficial for continuous auditing controls to be:
A. designed natively into the software.
B. subjected to independent review.
C. integrated with external tools.
D. evaluated with high frequency.
Which of the following is the common cause of misconfiguration in a cloud environment?
A. Absence of effective change control
B. Using multiple cloud service providers
C. New cloud computing techniques
D. Traditional change process mechanisms
To support customer’s verification of the CSP claims regarding their responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?
A. Contractual agreement
B. Internal audit
C. External audit
D. Security assessment
Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?
A. Updated audit/work program
B. Documentation criteria for the audit evidence
C. Processes and systems to be audited
D. Testing procedure to be performed
Which of the following controls is MOST relevant for identifying cases of misuse when scripts are running in the background with minimal human oversight?
A. Additional manual testing
B. Segregation of duties
C. Increased regression testing
D. Additional monitoring
If a cloud agreement allows the cloud service provider to decommission any service within a set period, who is responsible for managing the risk introduced by this change?
A. Cloud service provider and risk manager
B. Regulator
C. Cloud service provider
D. Cloud customer
Changes to which of the following will MOST likely influence the expansion or reduction of controls required to remediate the risk arising from changes to an organization’s SaaS vendor?
A. Risk exceptions policy
B. Contractual requirements
C. Risk appetite
D. Board oversight
Which of the following cloud models prohibits penetration testing?
A. Hybrid Cloud
B. Private Cloud
C. Public Cloud
D. Community Cloud
A certification target helps in the formation of a continuous certification framework by incorporating:
A. CSA STAR level 2 attestation.
B. service level objective and service qualitative objective.
C. frequency of evaluating security attributes.
D. scope description and security attributes to be tested.
From the perspective of a senior cloud security audit practitioner in an organization of a mature security program with cloud adoption, which of the following statements BEST describes the DevSecOps concept?
A. Process of security integration using automation in software development
B. Development standards for addressing integration, testing, and deployment issues
C. Operational framework that promotes software consistency through automation
D. Making software development simpler, faster, and easier using automation
Which of the following key stakeholders should be identified the earliest when an organization is designing a cloud compliance program?
A. Cloud process owners
B. Internal control function
C. Legal functions
D. Cloud strategy owners
A cloud service provider does not allow audits using automated tools as these tools could be considered destructive techniques for the cloud environment. Which of the following aspects of the audit will be constrained?
A. Purpose
B. Objectives
C. Nature of relationship
D. Scope
Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?
A. Service Level Objective (SLO)
B. Recovery Point Objectives (RPO)
C. Service Level Agreement (SLA)
D. Recovery Time Objectives (RTO)
Which of the following is KEY to an auditor’s evaluation of the completeness of an organization’s cloud compliance obligations?
A. Understanding the organization’s risk appetite and risk tolerance
B. A view of recent data breaches across the organization’s service providers
C. A view of obligations within contractual agreements with service providers
D. Understanding the organization’s business and operating environment
Which statement about compliance responsibilities and ownership of accountability is correct?
A. Organizations may be able to transfer their accountability for compliance with various regulatory requirements to their CSPs, but they retain the ownership of responsibility.
B. Organizations may be able to transfer their responsibility for compliance with various regulatory requirements to their CSPs, but they retain the ownership of accountability.
C. Organizations may transfer their responsibility and accountability for compliance with various regulatory requirements to their CSPs.
D. Organizations are not able to transfer their responsibility nor accountability for compliance with various regulatory requirements to their CSPs.
While using public cloud services, cloud users may cede direct control over:
A. anti-malware solutions.
B. encryption keys.
C. security patching.
D. penetration testing.
Prioritizing assurance activities for an organization’s cloud services portfolio depends PRIMARILY on an organization’s ability to:
A. schedule frequent reviews with high-risk cloud service providers.
B. develop plans using a standardized risk-based approach.
C. maintain a comprehensive cloud service inventory.
D. collate views from various business functions using cloud services.
How should an auditor deal with auditing a cloud service provider’s suppliers?
A. Share the responsibility with the cloud provider to audit the cloud provider’s suppliers.
B. No action is necessary, as any aspect of the cloud supplier program is the cloud provider’s responsibility.
C. Audit the effectiveness of the cloud provider’s supplier management program.
D. No action necessary, as the cloud provider’s suppliers are not part of the compliance program.
An organization should document the compliance responsibilities and ownership of accountability in a RACI chart or its informational equivalents in order to:
A. conform to the organization’s governance model.
B. define the cloud compliance requirements and how they interplay with the organization’s business strategy, goals, and other compliance requirements.
C. provide a holistic and seamless view of the enterprise’s responsibility for compliance with prevailing laws and regulations.
D. provide a holistic and seamless view of the cloud service provider’s responsibility for compliance with prevailing laws and regulations.
Which of the following is a detective control that may be identified in a Software as a Service (SaaS) service provider?
A. Network segmentation
B. Incident management
C. Privileged access monitoring
D. Data encryption
Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?
A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.
B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.
C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.
D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.
What type of termination occurs at the initiative of one party, and without the fault of the other party?
A. Termination for cause
B. Termination for convenience
C. Termination at the end of the term
D. Termination without the fault
Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?
A. Development of the monitoring goals and requirements
B. Identification of processes, functions, and systems
C. Identification of the relevant laws, regulations, and standards
D. Identification of roles and responsibilities
Which of the following metrics are frequently immature?
A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Which of the following would be considered a factor in trusting a cloud service provider?
A. The level of exposure for public information
B. The level of proved technical skills
C. The level of willingness to cooperate
D. The level of open source evidence available
When capturing compliance objectives within an organization’s cloud policy, it is MOST important for stakeholders to:
A. take into consideration the organization’s risk appetite.
B. measure the operating effectiveness of existing controls.
C. seek input from external subject matter experts.
D. follow a structured decision-making process.
Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
A. ISO/IEC 27017:2015
B. CSA Cloud Control Matrix (CCM)
C. NIST SP 800-146
D. ISO/IEC 27002
Which of the following is an important challenge in the design and building of a cloud compliance program?
A. Determining the total cost of all cloud components
B. Identifying all cloud components used in the organization
C. Assigning risk ownership for the cloud components
D. Understanding the cloud computing context
Who would be BEST suited to mitigate on a daily basis the risk related to development and operations practices in a public cloud?
A. Risk management team
B. DevOps team
C. Internal audit team
D. Cloud infrastructure team
What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?
A. Unlike SAST, DAST is a blackbox and programming language agnostic.
B. DAST can dynamically integrate with most CI/CD tools.
C. DAST delivers more false positives than SAST.
D. DAST is slower but thorough.
Which of the following helps an organization to identify control gaps and shortcomings in the context of cloud computing?
A. Periodic documentation review
B. User security awareness training
C. Walk-through peer review
D. Monitoring effectiveness
A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel. Which access control method will allow IT personnel to be segregated across the various locations?
A. Role Based Access Control
B. Attribute Based Access Control
C. Policy Based Access Control
D. Rule Based Access Control
Which of the following can help a cloud customer define provider evaluation criteria?
A. Service level agreement (SLA)
B. Adding agility
C. Disaster recovery procedures
D. Analyst opinion
In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?
A. Cloud service customer
B. Shared responsibility
C. Cloud service provider
D. Patching on hypervisor layer is not required
Which industry organization provides benchmarking for cloud providers, virtualization, and other categories?
A. The SANS Institute
B. The OWASP Foundation
C. Vendors of cloud technologies
D. Center for Internet Security (CIS)
Which of the following should be performed FIRST when an organization is considering a migration to the cloud?
A. Select the cloud deployment model.
B. Identify applicable laws and regulations to the organization.
C. Select a suitable control framework for the implementation.
D. Identify different suitable cloud service providers.
When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?
A. Cloud Service Provider encryption capabilities
B. The presence of PII
C. Organizational security policies
D. Cost-benefit analysis
In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?
A. Service Provider control
B. Impact and Risk control
C. Data Inventory control
D. Compliance control
Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls. Which of the following controls BEST matches this control description?
A. Network Security
B. Change Detection
C. Virtual Instance and OS Hardening
D. Network Vulnerability Management
When using transparent database encryption, where does the encryption engine reside?
A. In a key management system
B. On the instances attached to the volume
C. At the application using the database
D. Within the database
Which of the following CSP activities requires a client’s approval?
A. Delete the guest account or test accounts
B. Delete the master account or subscription owner accounts
C. Delete the guest account or destroy test data
D. Delete the test accounts or destroy test data
To minimize the risk of noncompliance with regulatory requirements when switching to a new cloud service, it is MOST important to:
A. adopt a hard-cutover approach to minimize the risk of data loss.
B. test and validate that the new service meets predefined security targets.
C. seek assurances from peer organizations already using the proposed cloud service.
D. ensure the new service provider includes a pilot option of the cloud solution.
In which of the following risk scenarios should a cloud customer have the full responsibility in all cloud service models?
A. Infrastructure risk
B. Identity and access risk
C. Endpoint risk
D. Data classification risk
Organizations maintain mappings between the different control frameworks they adopt to:
A. help identify controls with common assessment status.
B. avoid duplication of work when assessing compliance.
C. help identify controls with different assessment status.
D. start a compliance assessment using latest assessment.
Which objective is MOST appropriate to measure the effectiveness of password policy?
A. The number of related incidents increases.
B. Attempts to log in with weak credentials increase.
C. Newly created account credentials satisfy requirements.
D. The number of related incidents decreases.
The control domain feature within a Cloud Controls Matrix (CCM) represents:
A. CCM’s ability to scan and check Active Directory, LDAP, and x.500 directories for suspicious and/or privileged user accounts.
B. CCM’s ability to scan for anomalies in DNS zones in order to detect DNS spoofing, DNS hijacking, DNS cache poisoning, and similar threats.
C. a logical grouping of security controls addressing the same category of IT risks or information security concerns.
D. a set of application programming interfaces (APIs) that allows a cloud consumer to restrict the replication area within a well-defined jurisdictional perimeter.
Which of the following is a category of trust in cloud computing?
A. Reputation-based trust
B. Background-based trust
C. Loyalty-based trust
D. Transparency-based trust
Access Full CCAK Dump Free
Looking for even more practice questions? Click here to access the complete CCAK Dump Free collection, offering hundreds of questions across all exam objectives.
We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.
Begin your certification journey today with our CCAK dump free questions — and get one step closer to exam success!