CCAK Practice Test Free

CCAK Practice Test Free – 50 Real Exam Questions to Boost Your Confidence

Preparing for the CCAK exam? Start with our CCAK Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.

Taking a CCAK practice test free is one of the smartest ways to:

  • Get familiar with the real exam format and question types
  • Evaluate your strengths and spot knowledge gaps
  • Gain the confidence you need to succeed on exam day

Below, you will find 50 free CCAK practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level. You can click on each Question to explore the details.

Question 1

One of the Cloud Control Matrix’s (CCM’s) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.” Which of the following controls under the Audit Assurance and Compliance domain does this match to?

A. Audit planning

B. Information system and regulatory mapping

C. GDPR auditing

D. Independent audits

 


Suggested Answer: D

Community Answer: D

 

Question 2

When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?

A. Cloud Service Provider encryption capabilities

B. The presence of PII

C. Organizational security policies

D. Cost-benefit analysis

 


Suggested Answer: C

Community Answer: C

 

Question 3

An audit that can be achieved using real-time automated scripts or manual testing, and that organizations continuously perform as part of operations to help them implement continuous assurance and compliance, is:

A. a governance and strategy audit.

B. a compliance and controls audit.

C. access review.

D. configuration and activity monitoring.

 


Suggested Answer: D

Community Answer: D

 

Question 4

While using public cloud services, cloud users may cede direct control over:

A. anti-malware solutions.

B. encryption keys.

C. security patching.

D. penetration testing.

 


Suggested Answer: C

Community Answer: C

 

Question 5

With regard to the Cloud Control Matrix (CCM), the ‘Architectural Relevance’ is a feature that enables the filtering of security controls by:

A. relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF), and the Zachman Framework for Enterprise Architecture.

B. relevant delivery models such as Software as a Service, Platform as a Service, Infrastructure as a Service.

C. relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.

D. relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.

 


Suggested Answer: D

Community Answer: D

 

Question 6

When capturing compliance objectives within an organization’s cloud policy, it is MOST important for stakeholders to:

A. take into consideration the organization’s risk appetite.

B. measure the operating effectiveness of existing controls.

C. seek input from external subject matter experts.

D. follow a structured decision-making process.

 


Suggested Answer: A

Community Answer: A

 

Question 7

Which of the following is MOST relevant to determine whether an organization is a risk taker or is risk-averse?

A. Risk management methodology

B. Risk culture

C. Risk heat map

D. Risk appetite

 


Suggested Answer: D

Community Answer: D

 

Question 8

Which of the following configuration change controls is acceptable to a cloud auditor?

A. Development, test and production are hosted in the same network environment.

B. Programmers have permanent access to production software.

C. The Head of Development approves changes requested to production.

D. Programmers cannot make uncontrolled changes to the source code production version.

 


Suggested Answer: D

 

Question 9

From a systems development life cycle perspective, where a Software as a Service (SaaS) provider follows a DevOps approach, it is MOST beneficial for continuous auditing controls to be:

A. designed natively into the software.

B. subjected to independent review.

C. integrated with external tools.

D. evaluated with high frequency.

 


Suggested Answer: A

Community Answer: A

 

Question 10

When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

A. Determine the impact on the controls that were selected by the organization to respond to identified risks.

B. Determine the impact on confidentiality, integrity and availability of the information system.

C. Determine the impact on the financial, operational, compliance and reputation of the organization.

D. Determine the impact on the physical and environmental security of the organization, excluding informational assets.

 


Suggested Answer: B

Community Answer: B

 

Question 11

The FINAL decision to include a material finding in a cloud audit report should be made by the:

A. organization’s chief information security officer (CISO).

B. cloud auditor.

C. auditee’s senior management.

D. organization’s chief executive officer (CEO).

 


Suggested Answer: B

Community Answer: B

 

Question 12

The BEST way to deliver continuous compliance in a cloud environment is to:

A. decrease the interval between attestations of compliance.

B. combine point-in-time assurance approaches with continuous monitoring.

C. increase the frequency of external audits from annual to quarterly.

D. combine point-in-time assurance approaches with continuous auditing.

 


Suggested Answer: D

Community Answer: D

 

Question 13

After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data. In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident?

A. As an integrity breach

B. As a control breach

C. As an availability breach

D. As a confidentiality breach

 


Suggested Answer: A

Community Answer: A

 

Question 14

A CSP contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP’s security operation center is not notified in advance of the scope of the audit and the test vectors. Which mode is selected by the CSP?

A. Double gray box

B. Tandem

C. Reversal

D. Double blind

 


Suggested Answer: D

Community Answer: D

 

Question 15

A large organization recently migrated to the cloud and identified Function as a Service (FaaS) as a new service category that enhances the concept of:

A. beta testing.

B. fuzzing.

C. alpha testing.

D. scripting.

 


Suggested Answer: D

Community Answer: D

 

Question 16

To identify key actors and requirements, which of the following MUST be considered when designing a cloud compliance program?

A. Cloud service provider, internal and external audit perspectives

B. Business/organizational, governance, cloud and risk perspectives

C. Enterprise risk management, data protection, privacy and legal perspectives

D. Key stakeholders, enterprise risk management, and Internal audit perspectives

 


Suggested Answer: B

 

Question 17

Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

A. Policy based access control

B. Attribute based access control

C. Rule based access control

D. Role based access control

 


Suggested Answer: C

Community Answer: B

 

Question 18

Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

A. Development of the monitoring goals and requirements

B. Identification of processes, functions, and systems

C. Identification of the relevant laws, regulations, and standards

D. Identification of roles and responsibilities

 


Suggested Answer: B

Community Answer: B

 

Question 19

In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

A. both operating system and application infrastructure contained within the CSP’s instances.

B. both operating system and application infrastructure contained within the customer’s instances.

C. only application infrastructure contained within the CSP’s instances.

D. only application infrastructure contained within the customer’s instances.

 


Suggested Answer: C

 

Question 20

A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider. The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes. Which of the following should be the GREATEST concern to the auditor?

A. The provider does not maintain audit logs in their environment.

B. The customer cannot monitor its cloud subscription on its own and must rely on the provider for monitoring purposes.

C. The audit logs are overwritten every 30 days, and all past audit trail is lost.

D. The audit trails are backed up regularly, but the backup is not encrypted.

 


Suggested Answer: B

Community Answer: B

 

Question 21

An example of a preventive control that may be identified in an Infrastructure as a Service (IaaS) service provider is:

A. privileged access monitoring.

B. threat hunting.

C. encryption for data at rest.

D. incident response.

 


Suggested Answer: C

Community Answer: C

 

Question 22

Which of the following is a category of trust in cloud computing?

A. Reputation-based trust

B. Background-based trust

C. Loyalty-based trust

D. Transparency-based trust

 


Suggested Answer: A

Community Answer: A

 

Question 23

A dot release of the Cloud Controls Matrix (CCM) indicates:

A. a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release.

B. a revision of the CCM domain structure.

C. the introduction of new control frameworks mapped to previously published CCM controls.

D. a technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release.

 


Suggested Answer: A

Community Answer: A

 

Question 24

Which of the following helps an organization to identify control gaps and shortcomings in the context of cloud computing?

A. Periodic documentation review

B. User security awareness training

C. Walk-through peer review

D. Monitoring effectiveness

 


Suggested Answer: D

Community Answer: D

 

Question 25

To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:

A. object-oriented architecture.

B. software architecture.

C. service-oriented architecture.

D. enterprise architecture.

 


Suggested Answer: C

Community Answer: D

 

Question 26

Since CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will CCM alone be enough to define all the items to be considered when operating/using cloud services?

A. No. CCM must be completed with definitions established by the CSP because of its relevance to service continuity.

B. Yes. CCM suffices since it maps a huge library of widely accepted frameworks.

C. Yes. When implemented in the right manner, CCM alone can help to measure, assess and monitor the risk associated with a CSP or a particular service.

D. No. CCM can serve as a foundation for a cloud assessment program, but it needs to be completed with requirements applicable to each company.

 


Suggested Answer: D

Community Answer: D

 

Question 27

Which of the following is an example of compliance business impact?

A. A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

B. A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales.

C. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.

D. The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euros.

 


Suggested Answer: D

Community Answer: D

 

Question 28

Why is it important for the individuals in charge of cloud compliance to understand the organization’s past?

A. To determine the risk profile of the organization

B. To determine the current state of the organization’s compliance

C. To verify whether the measures implemented from the lessons learned are effective

D. To address any open findings from previous external audits

 


Suggested Answer: C

Community Answer: B

 

Question 29

Which of the following cloud service provider activities MUST obtain a client’s approval?

A. Deleting test accounts

B. Deleting subscription owner accounts

C. Deleting guest accounts

D. Destroying test data

 


Suggested Answer: B

Community Answer: B

 

Question 30

What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

A. Unlike SAST, DAST is a blackbox and programming language agnostic.

B. DAST can dynamically integrate with most CI/CD tools.

C. DAST delivers more false positives than SAST.

D. DAST is slower but thorough.

 


Suggested Answer: D

Community Answer: D

 

Question 31

During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization’s DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor’s NEXT course of action?

A. Review the CSP audit reports.

B. Review the security white paper of the CSP.

C. Review the contract and DR capability.

D. Plan an audit of the CSP.

 


Suggested Answer: A

Community Answer: C

 

Question 32

To support customer’s verification of the CSP claims regarding their responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?

A. Contractual agreement

B. Internal audit

C. External audit

D. Security assessment

 


Suggested Answer: D

 

Question 33

From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?

A. SOC reports

B. Logs

C. Evaluation summaries

D. Interviews

 


Suggested Answer: B

Community Answer: B

 

Question 34

When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?

A. Validate if the strategy covers unavailability of all components required to operate the business-as-usual or in disrupted mode, in parts or total, when impacted by a disruption.

B. Validate if the strategy covers all aspects of Business Continuity and Resilience planning, taking inputs from the assessed impact and risks, to consider activities for before, during, and after a disruption.

C. Validate if the strategy covers all activities required to continue and recover prioritized activities within identified time frames and agreed capacity, aligned to the risk appetite of the organization including the invocation of continuity plans and crisis management capabilities.

D. Validate if the strategy is developed by both cloud service providers and cloud service consumers within the acceptable limits of their risk appetite.

 


Suggested Answer: C

Community Answer: C

 

Question 35

Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report, which course of action is MOST relevant?

A. Focusing on auditing high-risk areas

B. Testing the adequacy of cloud controls design

C. Relying on management testing of cloud controls

D. Testing the operational effectiveness of cloud controls

 


Suggested Answer: A

Community Answer: A

 

Question 36

In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?

A. Incident management documentation

B. Database backup and replication guidelines

C. Operational manuals

D. System backup documentation

 


Suggested Answer: B

Community Answer: B

 

Question 37

Which of the following cloud service models recommends building guardrails for developers and DevOps?

A. Infrastructure as a Service (IaaS)

B. Security as a Service (SecaaS)

C. Platform as a Service (PaaS)

D. Software as a Service (SaaS)

 


Suggested Answer: C

Community Answer: C

 

Question 38

Which of the following parties should have accountability for cloud compliance requirements?

A. Customer

B. Equally shared between customer and provider

C. Provider

D. Either customer or provider, depending on requirements

 


Suggested Answer: A

Community Answer: A

 

Question 39

The MOST critical concept of managing the build and test of code in DevOps is:

A. continuous build.

B. continuous delivery.

C. continuous deployment.

D. continuous integration.

 


Suggested Answer: D

Community Answer: D

 

Question 40

Which of the following BEST describes the Center for Internet Security (CIS) benchmarks applied to a cloud service provider?

A. Best practices for the tuning of performance in cloud service providers’ services

B. Best practices for the secure configuration of the cloud service provider services

C. Comparisons of the performance obtained from the cloud service providers

D. Comparisons of the security capabilities provided by the cloud service providers

 


Suggested Answer: B

Community Answer: B

 

Question 41

Which of the following data destruction methods is the MOST effective and efficient?

A. Crypto-shredding

B. Degaussing

C. Multi-pass wipes

D. Physical destruction

 


Suggested Answer: A

Community Answer: A

 

Question 42

When building a cloud governance model, which of the following requirements will focus more on the cloud service provider’s evaluation and control checklist?

A. Security requirements

B. Legal requirements

C. Compliance requirements

D. Operational requirements

 


Suggested Answer: A

Community Answer: A

 

Question 43

An organization plans to migrate to an Infrastructure as a Service (IaaS) cloud service provider and performs an evaluation of the provider's security. What would be the BEST course of action for the cloud auditor to understand the provider's network security controls?

A. Perform an independent audit of the cloud service provider’s premises.

B. Ask the cloud service provider for a detailed network diagram.

C. Check the information provided by the cloud service provider.

D. Perform pen testing against the cloud service provider’s infrastructure.

 


Suggested Answer: C

Community Answer: C

 

Question 44

Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?

A. Service Level Objective (SLO)

B. Recovery Point Objectives (RPO)

C. Service Level Agreement (SLA)

D. Recovery Time Objectives (RTO)

 


Suggested Answer: A

Community Answer: A

 

Question 45

When using a SaaS solution, who is responsible for application security?

A. The cloud service provider only

B. The cloud service consumer only

C. Both cloud consumer and the enterprise

D. Both cloud provider and the consumer

 


Suggested Answer: D

Community Answer: D

 

Question 46

In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

A. Cloud service customer

B. Shared responsibility

C. Cloud service provider

D. Patching on hypervisor layer is not required

 


Suggested Answer: A

Community Answer: C

 

Question 47

Which of the following would be considered as a factor to trust in a cloud service provider?

A. The level of exposure for public information

B. The level of proved technical skills

C. The level of willingness to cooperate

D. The level of open source evidence available

 


Suggested Answer: C

Community Answer: D

 

Question 48

An organization deploying the Cloud Controls Matrix (CCM) to perform a compliance assessment will encompass the use of the Corporate Governance Relevance feature to filter out those controls:

A. that are related to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.

B. that can be of either an administrative or a technical nature, therefore requiring an approval from the Change Advisory Board.

C. that can be of either a management or a legal nature, therefore requiring an approval from the Change Advisory Board.

D. that require prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.

 


Suggested Answer: A

Community Answer: A

 

Question 49

Which of the following is the BEST recommendation to offer an organization’s HR department planning to adopt a new public SaaS application to ease the recruiting process?

A. Ensure HIPAA compliance

B. Implement a cloud access security broker

C. Consult the legal department

D. Do not allow data to be in cleartext

 


Suggested Answer: B

Community Answer: C

 

Question 50

A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?

A. The auditor should review the service providers’ security controls even more strictly, as they are further separated from the cloud customer.

B. The auditor should review the relationship between the cloud service provider and its service provider to help direct and estimate the level of effort and analysis the auditor should apply.

C. As the contract for the cloud service is between the cloud customer and the cloud service provider, there is no need for the auditor to review the services provided by the service providers.

D. As the relationship between the cloud service provider and its service providers is governed by separate contracts between them, there is no need for the auditor to review the services provided by the service providers.

 


Suggested Answer: B

Community Answer: B

 

Free Access Full CCAK Practice Test Free Questions

If you’re looking for more CCAK practice test free questions, click here to access the full CCAK practice test.

We regularly update this page with new practice questions, so be sure to check back frequently.

Good luck with your CCAK certification journey!

PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
