CCAK無料問題集「ISACA Certificate of Cloud Auditing Knowledge」

質問 1

Why should the results of third-party audits and certification be relied on when analyzing and assessing the cybersecurity risks in the cloud?

（A）To contrast the risk generated by the loss of control

（B）To establish an audit mindset within the organization

（C）To reinforce the role of the internal audit function

（D）To establish an accountability culture within the organization

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 2

Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

（A）Automating risk monitoring and reporting processes

（B）Monitoring key risk indicators (KRIs) for multi-cloud environments

（C）Establishing ownership and accountability

（D）Reporting emerging threats to senior stakeholders

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 3

A cloud auditor should use statistical sampling rather than judgment (nonstatistical) sampling when:

（A）the tolerable error rate cannot be determined.

（B）the auditor wants to avoid sampling risk.

（C）generalized audit software is unavailable.

（D）the probability of error must be objectively quantified.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 4

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

（A）Review the provider's audit reports.

（B）Plan an audit of the provider.

（C）Review the security white paper of the provider.

（D）Review the contract and DR capability.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 5

Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is:

（A）responsible only to the cloud customer.

（B）responsible to the cloud customer and its end users

（C）responsible to the cloud customer and its clients.

（D）not responsible at all to any external parties.

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 6

What is a sign that an organization has adopted a shift-left concept of code release cycles?

（A）Large entities with slower release cadences and geographically dispersed systems

（B）Maturity of start-up entities with high-iteration to low-volume code commits

（C）Incorporation of automation to identify and address software code problems early

（D）A waterfall model to move resources through the development to release phases

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 7

The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

（A）Federal Office for Information Security in Germany (BSI) / Bundesamt fur Sicherheit in der Informationstechnik (BSI)

（B）National Security Agency (NSA)

（C）National Cybersecurity Agency of France (ANSSI) / Agency national de la securite des systems information (ANSSI)

（D）National Institute of Standards and Technology (NIST)

正解：A 解答を投票する

質問 8

An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls provider is responsible for?

（A）Review the provider's published questionnaires.

（B）Send a supplier questionnaire to the provider.

（C）Directly audit the provider.

（D）Review third-party audit reports.

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 9

To promote the adoption of secure cloud services across the federal government by

（A）To enable 3PAOs to perform independent security assessments of cloud service providers

（B）To provide agencies of the federal government a dedicated tool to certify Authority to Operate (ATO)

（C）To publish a comprehensive and official framework for the secure implementation of controls for cloud security

（D）To providing a standardized approach to security and risk assessment

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 10

Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

（A）Cloud service providers can document their security and compliance controls.

（B）Cloud service providers need the CAIQ to improve quality of customer service

（C）Cloud users can use CAIQ to sign statement of work (SOW) with cloud access security brokers (CASBs).

（D）Cloud service providers can document roles and responsibilities for cloud security.

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 11

Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?

（A）Aligning the cloud service delivery with the organization's objectives

（B）Aligning the organization's activity with the cloud provider's policy

（C）Aligning the cloud provider's service level agreement (SLA) with the organization's policy

（D）Aligning shared responsibilities between provider and customer

正解：D 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 12

A dot release of the Cloud Controls Matrix (CCM) indicates:

（A）a revision of the CCM domain structure.

（B）a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release.

（C）the introduction of new control frameworks mapped to previously published CCM controls.

（D）technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release.

正解：B 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 13

During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

（A）Review the provider's audit reports.

（B）Review the security white paper of the provider.

（C）Review the contract and DR capability.

（D）Plan an audit of the provider

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 14

What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?

（A）Patching

（B）Vulnerability management

（C）Access controls

（D）Source code reviews

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 15

In the context of Infrastructure as a Service (laaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

（A）only application infrastructure contained within the customer's instance

（B）only application infrastructure contained within the cloud service provider's instances.

（C）both operating system and application infrastructure contained within the customer's instances.

（D）both operating system and application infrastructure contained within the cloud service provider's instances.

正解：C 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 16

An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework. Which of the following is the FIRST step to this change?

（A）Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.

（B）Discard all work done and start implementing NIST 800-53 from scratch.

（C）Recommend no change, since the scope of ISO/IEC 27002 is broader.

（D）Recommend no change, since NIST 800-53 is a US-scoped control framework.

正解：A 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

質問 17

Which of the following types of SOC reports BEST helps to ensure operating effectiveness of controls in a cloud service provider offering?

（A）SOC 1 Type 1

（B）SOC 2 Type 2

（C）SOC 2 Type 1

（D）SOC 3 Type 2

正解：B 解答を投票する

解説: (JPNTest メンバーにのみ表示されます)

CCAK 無料問題集「ISACA Certificate of Cloud Auditing Knowledge」

弊社を連絡する

関連リンク

トップ試験