CCAK Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CCAK certification exam? Kickstart your success with our CCAK Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with CCAK practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free CCAK practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.
Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?
A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.
B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.
C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.
D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.
Which of the following is an example of a corrective control?
A. A central anti-virus system installing the latest signature files before allowing a connection to the network
B. Unsuccessful access attempts being automatically logged for investigation
C. Privileged access to critical information systems requiring a second factor of authentication using soft token
D. All new employees having standard access rights until their manager approves privileged rights
When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?
A. Validate if the strategy covers unavailability of all components required to operate business-as-usual or in disrupted mode, in part or in total, when impacted by a disruption.
B. Validate if the strategy covers all aspects of Business Continuity and Resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption.
C. Validate if the strategy covers all activities required to continue and recover prioritized activities within identified time frames and agreed capacity, aligned to the risk appetite of the organization including the invocation of continuity plans and crisis management capabilities.
D. Validate if the strategy is developed by both cloud service providers and cloud service consumers within the acceptable limits of their risk appetite.
When performing audits in relation to the organizational incident management process, what should be requested from the cloud service provider?
A. Incident management and response policies and procedures
B. Information security policies and procedures
C. Provider cloud strategy and policy
D. Enterprise cloud security strategy
Which of the following are the three MAIN phases of the cloud controls matrix (CCM) mapping methodology?
A. Plan –> Develop –> Release
B. Deploy –> Monitor –> Audit
C. Initiation –> Execution –> Monitoring and Controlling
D. Preparation –> Execution –> Peer Review and Publication
An independent contractor is assessing the security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all of its products using the cloud services provided by a third-party cloud service provider (CSP). What is the optimal and most efficient mechanism to assess the controls the CSP is responsible for?
A. Review third-party audit reports.
B. Review CSP’s published questionnaires.
C. Directly audit the CSP.
D. Send supplier questionnaire to the CSP.
When using transparent database encryption, where does the encryption engine reside?
A. In a key management system
B. On the instances attached to the volume
C. At the application using the database
D. Within the database
The BEST way to deliver continuous compliance in a cloud environment is to:
A. decrease the interval between attestations of compliance.
B. combine point-in-time assurance approaches with continuous monitoring.
C. increase the frequency of external audits from annual to quarterly.
D. combine point-in-time assurance approaches with continuous auditing.
What should an auditor do when assessing the business continuity plan (BCP) and disaster recovery (DR) of a cloud customer?
A. Evaluate the service level agreement (SLA) through a BCP/DR lens.
B. Get assurances from the cloud service provider that the service level agreement (SLA) can be met in a BCP/DR scenario.
C. Recommend auditing the BCP/DR planning under a separate engagement.
D. Limit the scope of the evaluation to security measures that are under the direct responsibility of the auditee.
While using public cloud services, cloud users may cede direct control over:
A. anti-malware solutions.
B. encryption keys.
C. security patching.
D. penetration testing.
Which of the following is the MOST efficient way for a customer organization to minimize the risk from a cloud service provider’s aggressive product release strategy that could cause the customer to deviate from its compliance obligations?
A. Including a break clause in the provider processing contract to be activated in the event of significant product change
B. Developing multiple lines of communication with the provider that provide visibility into upcoming changes to the product
C. Maintaining a failover processing agreement with another provider offering a similar product
D. Requiring that the source code for the provider product be held in escrow with an independent third party
Which of the following is a cloud-specific security standard?
A. ISO27017
B. ISO27701
C. ISO22301
D. ISO14001
Why are the fieldwork audit papers reviewed by an audit manager, even when the cloud auditor has many years of experience?
A. Internal quality requirements
B. Professional standards
C. Audit guidelines
D. Audit methodology
The BEST method to report continuous assessment of a cloud provider’s services to the CSA is through:
A. a set of dedicated application programming interfaces (APIs).
B. SOC 2 Type 2 attestation.
C. CCM assessment by a third-party auditor on a periodic basis.
D. tools selected by the third-party auditor.
What should be the auditor’s PRIMARY objective while examining a cloud service provider’s (CSP’s) SLA?
A. Verifying whether commensurate compensation in the form of service credits is factored in if the CSC is unable to match its SLA obligations
B. Verifying whether the SLA includes all the operational matters which are material to the operation of the service
C. Verifying whether the SLA caters to the availability requirements of the cloud service customer (CSC)
D. Verifying whether the SLAs are well-defined and measurable
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?
A. Operations Maintenance
B. System Development Maintenance
C. Equipment Maintenance
D. System Maintenance
Which best describes the difference between a type 1 and a type 2 SOC report?
A. A type 2 SOC report validates the operating effectiveness of controls whereas a type 1 SOC report validates the suitability of the design of the controls.
B. A type 2 SOC report validates the suitability of the design of the controls whereas a type 1 SOC report validates the operating effectiveness of controls.
C. A type 1 SOC report provides an attestation whereas a type 2 SOC report offers a certification.
D. There is no difference between a type 2 and type 1 SOC report.
In which of the following risk scenarios should a cloud customer have the full responsibility in all cloud service models?
A. Infrastructure risk
B. Identity and access risk
C. Endpoint risk
D. Data classification risk
What business continuity considerations does a cloud customer need when implementing a cloud-based infrastructure?
A. Frequent review of cloud backups to ensure business continuity when needed
B. Review of cloud service provider contractual commitments to maintain continuity of the provisioned service
C. Conducting of business continuity plan (BCP) and disaster recovery (DR) tests on the cloud service provider
D. Requirement for 100% uptime commitment from the cloud service provider at all times
In an organization, how are policy violations MOST likely to occur?
A. By accident
B. Deliberately by the ISP
C. Deliberately
D. Deliberately by the cloud provider
An example of a preventive control that may be identified in an Infrastructure as a Service (IaaS) service provider is:
A. privileged access monitoring.
B. threat hunting.
C. encryption for data at rest.
D. incident response.
Organizations, including cloud service providers or cloud customers, must have methods for determining the disruption to processes, people, and technology. Which of the following processes can BEST help identify the issues?
A. Impact analysis
B. Research analysis
C. Predictive analysis
D. Disruption analysis
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization’s DevOps pipeline?
A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
One of the Cloud Control Matrix’s (CCM’s) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.” Which of the following controls under the Audit Assurance and Compliance domain does this match to?
A. Audit planning
B. Information system and regulatory mapping
C. GDPR auditing
D. Independent audits
A contract containing the phrase “You automatically consent to these terms by using or logging into the service to which they pertain” is establishing a contract of:
A. exclusion.
B. adhesion.
C. exclusively.
D. execution.
Which statement about compliance responsibilities and ownership of accountability is correct?
A. Organizations may be able to transfer their accountability for compliance with various regulatory requirements to their CSPs, but they retain the ownership of responsibility.
B. Organizations may be able to transfer their responsibility for compliance with various regulatory requirements to their CSPs, but they retain the ownership of accountability.
C. Organizations may transfer their responsibility and accountability for compliance with various regulatory requirements to their CSPs.
D. Organizations are not able to transfer their responsibility nor accountability for compliance with various regulatory requirements to their CSPs.
Which of the following is a corrective control that may be identified in a SaaS service provider?
A. Log monitoring
B. Penetration testing
C. Incident response plans
D. Vulnerability scan
An audit that can be achieved using real-time automated scripts or manual testing, and that organizations continuously perform as part of operations to help them implement continuous assurance and compliance, is:
A. a governance and strategy audit.
B. a compliance and controls audit.
C. access review.
D. configuration and activity monitoring.
Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report, which course of action is MOST relevant?
A. Focusing on auditing high-risk areas
B. Testing the adequacy of cloud controls design
C. Relying on management testing of cloud controls
D. Testing the operational effectiveness of cloud controls
Which of the following is KEY to an auditor’s evaluation of the completeness of an organization’s cloud compliance obligations?
A. Understanding the organization’s risk appetite and risk tolerance
B. A view of recent data breaches across the organization’s service providers
C. A view of obligations within contractual agreements with service providers
D. Understanding the organization’s business and operating environment
What documents should be provided by the infrastructure and platform operations team to the auditors in relation to auditing cloud data protection and life cycle management?
A. Backup and recovery policy, including evidence of the last review and update timeline and latest best results
B. Policies and procedures established around third-party risk assessments
C. Inventory of third-party attestation reports
D. Enterprise-cloud strategy and policy
From a systems development life cycle perspective, where a Software as a Service (SaaS) provider follows a DevOps approach, it is MOST beneficial for continuous auditing controls to be:
A. designed natively into the software.
B. subjected to independent review.
C. integrated with external tools.
D. evaluated with high frequency.
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:
A. ISO/IEC 27001:2013 controls.
B. maturity model criteria.
C. all Cloud Control Matrix (CCM) controls and TSPC security principles.
D. Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls.
A cloud customer is involved in an acquisition that was done to consolidate different cloud services into a single relationship with a single cloud service provider. As a result, which type of termination is triggered by the cloud customer?
A. Termination for acquisition
B. Termination for convenience
C. Termination for cause
D. Termination at the end of the term
The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARILY in the:
A. risk management policy.
B. cloud policy.
C. business continuity plan.
D. information security standard for cloud technologies.
Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?
A. Aligning the cloud service delivery with the organization’s objective
B. Aligning the cloud provider’s SLA with the organization’s policy
C. Aligning shared responsibilities between provider and customer
D. Aligning the organization’s activity with the cloud provider’s policy
What is the PRIMARY mission of the FedRAMP Program Management Office (PMO)?
A. To provide agencies of the federal government a dedicated tool to certify Authority to Operate (ATO)
B. To promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment
C. To publish a comprehensive and official framework for the secure implementation of controls for cloud security
D. To enable 3PAOs to perform independent security assessments of cloud service providers
When building a cloud governance model, which of the following requirements will focus more on the cloud service provider’s evaluation and control checklist?
A. Security requirements
B. Legal requirements
C. Compliance requirements
D. Operational requirements
How should an auditor deal with auditing a cloud service provider’s suppliers?
A. Share the responsibility with the cloud provider to audit the cloud provider’s suppliers.
B. No action is necessary, as any aspect of the cloud supplier program is the cloud provider’s responsibility.
C. Audit the effectiveness of the cloud provider’s supplier management program.
D. No action necessary, as the cloud provider’s suppliers are not part of the compliance program.
To identify key actors and requirements, which of the following MUST be considered when designing a cloud compliance program?
A. Cloud service provider, internal and external audit perspectives
B. Business/organizational, governance, cloud and risk perspectives
C. Enterprise risk management, data protection, privacy and legal perspectives
D. Key stakeholders, enterprise risk management, and Internal audit perspectives
Which of the following data destruction methods is the MOST effective and efficient?
A. Crypto-shredding
B. Degaussing
C. Multi-pass wipes
D. Physical destruction
In cloud computing, with whom does the responsibility and accountability for compliance lie?
A. The cloud service provider is responsible and accountable for compliance.
B. The cloud service provider is responsible for compliance, and the cloud service customer is accountable.
C. The cloud service customer is responsible and accountable for compliance.
D. The cloud service customer is responsible for compliance, and the cloud service provider is accountable.
Which industry organization provides benchmarking for cloud providers, virtualization, and other categories?
A. The SANS Institute
B. The OWASP Foundation
C. Vendors of cloud technologies
D. Center for Internet Security (CIS)
To support customer’s verification of the CSP claims regarding their responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?
A. Contractual agreement
B. Internal audit
C. External audit
D. Security assessment
An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:
A. assess the existence and adequacy of a security awareness training program at the cloud service provider’s organization, as the cloud customer hired the auditor to review the cloud service.
B. assess the existence and adequacy of a security awareness training program at both the cloud customer’s organization and the cloud service provider’s organization.
C. assess the existence and adequacy of a security awareness training program at the cloud customer’s organization as they hired the auditor.
D. not assess the security awareness training program, as it is each organization’s responsibility.
A Dot Release of Cloud Control Matrix (CCM) indicates what?
A. The introduction of new control frameworks mapped to previously-published CCM controls.
B. A revision of the CCM domain structure.
C. A technical change (revision, addition, or deletion) affecting fewer than 10% of the controls compared to the previous “Full” release.
D. A technical change (revision, addition, or deletion) affecting more than 10% of the controls compared to the previous “Full” release.
Who would be BEST suited to mitigate on a daily basis the risk related to development and operations practices in a public cloud?
A. Risk management team
B. DevOps team
C. Internal audit team
D. Cloud infrastructure team
An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will encompass the use of the “Corporate Governance Relevance” feature to filter out those controls:
A. relating to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.
B. that can be either of a management or of a legal nature, therefore requiring an approval from the Change Advisory Board.
C. that require the prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.
D. that can be either of an administrative or of a technical nature, therefore requiring an approval from the Change Advisory Board.
Which of the following is a detective control that may be identified in a Software as a Service (SaaS) service provider?
A. Network segmentation
B. Incident management
C. Privileged access monitoring
D. Data encryption
What is below the waterline in the context of cloud operationalization?
A. The controls operated by the cloud access security broker (CASB)
B. The controls operated by both
C. The controls operated by the customer
D. The controls operated by the cloud service provider
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your CCAK certification journey!