Which of the following metrics are frequently immature?
A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Which of the following is an example of financial business impact?
A. A hacker using a stolen administrator identity brings down the SaaS sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.
B. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.
C. A DDoS attack renders the customer's cloud inaccessible for 24 hours, resulting in millions in lost sales.
D. The cloud provider fails to report a breach of customer personal data from an unsecured server, resulting in GDPR fines of 10 million euro.
When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?
A. To determine how those services will fit within its policies and procedures
B. To determine the total cost of the cloud services to be deployed
C. To confirm which vendor will be selected based on the compliance with security requirements
D. To confirm if the compensating controls implemented are sufficient for the cloud
Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?
A. Service Level Objective (SLO)
B. Recovery Point Objective (RPO)
C. Service Level Agreement (SLA)
D. Recovery Time Objective (RTO)
In all three cloud deployment models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?
A. Cloud service customer
B. Shared responsibility
C. Cloud service provider
D. Patching of the hypervisor layer is not required
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization's DevOps pipeline?
A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?
A. ISO/IEC 27017:2015
B. CSA Cloud Control Matrix (CCM)
C. NIST SP 800-146
D. ISO/IEC 27002
In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:
A. both operating system and application infrastructure contained within the CSP's instances.
B. both operating system and application infrastructure contained within the customer's instances.
C. only application infrastructure contained within the CSP's instances.
D. only application infrastructure contained within the customer's instances.
Which of the following data destruction methods is the MOST effective and efficient?
A. Crypto-shredding
B. Degaussing
C. Multi-pass wipes
D. Physical destruction
Which of the following defines the criteria designed by the American Institute of Certified Public Accountants (AICPA) to specify trusted services?
A. Security, confidentiality, availability, privacy and processing integrity
B. Security, applicability, availability, privacy and processing integrity
C. Security, confidentiality, availability, privacy and trustworthiness
D. Security, data integrity, availability, privacy and processing integrity