Free Isaca CCAK Exam Dumps and CCAK Exam Questions

Question No: 1

MultipleChoice

Which of the following is an example of a corrective control?

Options

AA central antivirus system installing the latest signature files before allowing a connection to the network

BAll new employees having standard access rights until their manager approves privileged rights

CUnsuccessful access attempts being automatically logged for investigation

DPrivileged access to critical information systems requiring a second factor of authentication using a soft token

Question No: 2

MultipleChoice

To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

Options

Adevelop a cloud audit plan on the basis of a detailed risk assessment.

Bschedule the audits and monitor the time spent on each audit.

Ctrain the cloud audit staff on current technology used in the organization.

Dmonitor progress of audits and initiate cost control measures.

Question No: 3

MultipleChoice

Which of the following attestation allows for immediate adoption of the Cloud Control Matrix (CCM) as additional criteria to AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?

Options

APC-IDSS

BCSA STAR Attestation

CMTCS

DBSI Criteria Catalogue C5

Question No: 4

MultipleChoice

When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?

Options

ATo determine how those services will fit within its policies and procedures

BTo determine the total cost of the cloud services to be deployed

CTo confirm which vendor will be selected based on the compliance with security requirements

DTo confirm if the compensating controls implemented are sufficient for the cloud

Question No: 5

MultipleChoice

While performing the audit, the auditor found that an object storage bucket containing PII could be accessed by anyone on the Internet. Given this discovery, what should be the most appropriate action for the auditor to perform?

Options

AHighlighting the gap to the audit sponsor at the sponsor's earliest possible availability

BAsking the organization's cloud administrator to immediately close the gap by updating the configuration settings and making the object storage bucket private and hence inaccessible from the Internet

CDocumenting the finding in the audit report and sharing the gap with the relevant stakeholders

DInforming the organization's internal audit manager immediately about the gap

Question No: 6

MultipleChoice

Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization's architecture? The threat model:

Options

Arecognizes the shared responsibility for risk management between the customer and the CSP.

Bleverages SaaS threat models developed by peer organizations.

Cis developed by an independent third-party with expertise in the organization's industry sector.

Dconsiders the loss of visibility and control from transitioning to the cloud.

Question No: 7

MultipleChoice

From the perspective of a senior cloud security audit practitioner in an organization of a mature security program with cloud adoption, which of the following statements BEST describes the DevSecOps concept?

Options

AProcess of security integration using automation in software development

BDevelopment standards for addressing integration, testing, and deployment issues

COperational framework that promotes software consistency through automation

DMaking software development simpler, faster, and easier using automation

Question No: 8

MultipleChoice

The MAIN difference between Cloud Control Matrix (CCM) and Consensus Assessment Initiative Questionnaire (CAIQ) is that:

Options

ACCM assesses the presence of controls, whereas CAIQ assesses overall security of a service.

BCCM has a set of security questions, whereas CAIQ has a set of security controls.

CCCM has 14 domains and CAIQ has 16 domains.

DCCM provides a controls framework, whereas CAIQ provides industry-accepted ways to document which security controls exist in IaaS, PaaS, and SaaS offerings.

Question No: 9

MultipleChoice

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?

Options

ABlue team

BWhite box

CGray box

DRed team

Question No: 10

MultipleChoice

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?

Options

AOperations Maintenance

BSystem Development Maintenance

CEquipment Maintenance

DSystem Maintenance