
Prepare Strategically for the CSA CCAK Exam with Practice Tests

SPOTO's CSA CCAK practice questions are invaluable assets for anyone preparing for the Certificate of Cloud Auditing Knowledge (CCAK) exam. These practice tests offer comprehensive exam questions and answers, closely mirroring the actual exam format. By regularly engaging with SPOTO's practice questions, candidates can simulate exam conditions, identify areas for improvement, and build confidence in their knowledge. SPOTO's mock exams, along with their extensive exam preparation resources and study materials, provide a solid foundation for success. With SPOTO's exam resources, candidates can effectively prepare and increase their chances of passing the CCAK exam successfully.

Question #1
An independent contractor is assessing the security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider (CSP). What is the optimal and most efficient mechanism to assess the controls the CSP is responsible for?
A. Review third-party audit reports
B. Review the CSP's published questionnaires
C. Directly audit the CSP
D. Send a supplier questionnaire to the CSP
Correct Answer: B

Question #2
What areas should be reviewed when auditing a public cloud?
A. Patching, source code reviews, hypervisor, access controls
B. Identity and access management, data protection
C. Patching, configuration, hypervisor, backups
D. Vulnerability management, cyber security reviews, patching
Correct Answer: B

Question #3
Which of the following key stakeholders should be identified the earliest when an organization is designing a cloud compliance program?
A. Cloud process owners
B. Internal control function
C. Legal functions
D. Cloud strategy owners
Correct Answer: A

Question #4
Which of the following CSP activities requires a client's approval?
A. Delete the guest account or test accounts
B. Delete the master account or subscription owner accounts
C. Delete the guest account or destroy test data
D. Delete the test accounts or destroy test data
Correct Answer: D

Question #5
A cloud service provider does not allow audits using automated tools, as these tools could be considered destructive techniques for the cloud environment. Which of the following aspects of the audit will be constrained?
A. Purpose
B. Objectives
C. Nature of relationship
D. Scope
Correct Answer: B

Question #6
An organization has an ISMS implemented, following ISO 27001 and the Annex A controls. The CIO would like to migrate some of the infrastructure to the cloud. Which of the following standards would BEST assist in identifying controls to consider for this migration?
A. ISO/IEC 27701
B. ISO/IEC 22301
C. ISO/IEC 27002
D. ISO/IEC 27017
Correct Answer: D

Question #7
An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models. Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?
A. Use of an established standard/regulation to map controls and use as the audit criteria
B. For efficiency reasons, use of its on-premises systems' audit criteria to audit the cloud environment
C. As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes
D. Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage
Correct Answer: A

Question #8
Which of the following controls frameworks should the cloud customer use to assess the overall security risk of a cloud provider?
A. SOC3 - Type2
B. Cloud Control Matrix (CCM)
C. SOC2 - Type1
D. SOC1 - Type1
Correct Answer: C

Question #9
Which of the following aspects of risk management involves identifying the potential reputational harm and/or financial harm when an incident occurs?
A. Mitigations
B. Residual risk
C. Likelihood
D. Impact Analysis
Correct Answer: D

Question #10
When using a SaaS solution, who is responsible for application security?
A. The cloud service provider only
B. The cloud service consumer only
C. Both the cloud consumer and the enterprise
D. Both the cloud provider and the consumer
Correct Answer: A

Question #11
Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?
A. Aligning the cloud service delivery with the organization's objective
B. Aligning the cloud provider's SLA with the organization's policy
C. Aligning shared responsibilities between provider and customer
D. Aligning the organization's activity with the cloud provider's policy
Correct Answer: A

Question #12
What aspect of SaaS functionality and operations would the cloud customer be responsible for, and should therefore be audited?
A. Access controls
B. Vulnerability management
C. Source code reviews
D. Patching
Correct Answer: A

Question #13
The Open Certification Framework is structured on three levels of trust. Those three levels of trust are:
A. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Compliance
B. CSA STAR Audit, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
C. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Monitoring and Control
D. CSA STAR Self-Assessment, STAR Certification & Attestation (Third-party Assessment), STAR Continuous
Correct Answer: D

Question #14
Which of the following is a fundamental concept of FedRAMP that intends to save the costs, time, and staff spent conducting superfluous agency security assessments?
A. Use often, provide many times
B. Be economical, act deliberately
C. Use existing, provide many times
D. Do once, use many times
Correct Answer: D

Question #15
Which of the following is the risk associated with storing data in a cloud that crosses jurisdictions?
A. Compliance risk
B. Provider administration risk
C. Audit risk
D. Virtualization risk
Correct Answer: A

Question #16
Since the CCM allows cloud customers to build a detailed list of requirements and controls to be implemented by the CSP as part of their overall third-party risk management and procurement program, will the CCM alone be enough to define all the items to be considered when operating/using cloud services?
A. No
B. Yes
C. Yes
D. No
Correct Answer: C

Question #17
During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization's DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor's NEXT course of action?
A. Review the CSP audit reports
B. Review the security white paper of the CSP
C. Review the contract and DR capability
D. Plan an audit of the CSP
Correct Answer: B

Question #18
Which of the following is the BEST recommendation to offer an organization's HR department planning to adopt a new public SaaS application to ease the recruiting process?
A. Ensure HIPAA compliance
B. Implement a cloud access security broker
C. Consult the legal department
D. Do not allow data to be in cleartext
Correct Answer: B

Question #19
Under which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?
A. Service Provider control
B. Impact and Risk control
C. Data Inventory control
D. Compliance control
Correct Answer: A

Question #20
What is the advantage of using the dynamic application security testing (DAST) methodology over static application security testing (SAST)?
A. Unlike SAST, DAST is black-box and programming-language agnostic
B. DAST can dynamically integrate with most CI/CD tools
C. DAST delivers more false positives than SAST
D. DAST is slower but thorough
Correct Answer: A

Question #21
Which of the following is a direct benefit of mapping the Cloud Control Matrix (CCM) to other international standards and regulations?
A. CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts
B. CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts
C. CCM mapping enables an uninterrupted data flow and, in particular, the export of personal data across different jurisdictions
D. CCM mapping entitles cloud service providers to be certified under the CSA STAR program
Correct Answer: B

Question #22
The criteria for limiting which services (non-critical services, or services requiring high availability and resilience) are allowed to be moved to the cloud is an important consideration to be included PRIMARILY in the:
A. Risk management policy
B. Cloud policy
C. Business continuity plan
D. Information security standard for cloud technologies
Correct Answer: C

Question #23
Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?
A. Design
B. Stakeholder identification
C. Development
D. Risk assessment
Correct Answer: C

Question #24
A customer management interface, if compromised over the public internet, can lead to:
A. Compromise of the customer's computing and data
B. Access to the RAM of a neighboring cloud computer
C. Ease of acquisition of cloud services
D. Incomplete wiping of the data
Correct Answer: A

Question #25
To assist an organization with taking a cloud migration strategy from planning to execution, an auditor should recommend the use of:
A. Object-oriented architecture
B. Software architecture
C. Service-oriented architecture
D. Enterprise architecture
Correct Answer: C

Question #26
How should controls be designed by an organization?
A. By the internal audit team
B. Using the ISO 27001 framework
C. By the cloud provider
D. Using the organization's risk management framework
Correct Answer: A

Question #27
Which of the following quantitative measures is KEY for an auditor to review when assessing the implementation of continuous auditing of performance on a cloud system?
A. Service Level Objective (SLO)
B. Recovery Point Objective (RPO)
C. Service Level Agreement (SLA)
D. Recovery Time Objective (RTO)
Correct Answer: C

Question #28
Your company is purchasing an application from a vendor. The vendor does not allow you to perform an on-site audit of their information system. However, they say they will provide a third-party audit attestation on the adequacy of the control design within their environment. Which report is the vendor providing you?
A. SOC 3
B. SOC 2, Type 2
C. SOC 1
D. SOC 2, Type 1
Correct Answer: B

Question #29
Which of the following activities is part of the implementation phase of a cloud assurance program during a cloud migration?
A. Development of the monitoring goals and requirements
B. Identification of processes, functions, and systems
C. Identification of the relevant laws, regulations, and standards
D. Identification of roles and responsibilities
Correct Answer: B

Question #30
Which of the following would be considered a factor in trusting a cloud service provider?
A. The level of exposure of public information
B. The level of proven technical skills
C. The level of willingness to cooperate
D. The level of open-source evidence available
Correct Answer: C

Question #31
When migrating to a cloud environment, which of the following should be the PRIMARY driver for the use of encryption?
A. Cloud Service Provider encryption capabilities
B. The presence of PII
C. Organizational security policies
D. Cost-benefit analysis
Correct Answer: A

Question #32
A certification target helps in the formation of a continuous certification framework by incorporating:
A. CSA STAR level 2 attestation
B. Service level objective and service qualitative objective
C. Frequency of evaluating security attributes
D. Scope description and security attributes to be tested
Correct Answer: B

Question #33
In all three cloud service models (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?
A. Cloud service customer
B. Shared responsibility
C. Cloud service provider
D. Patching of the hypervisor layer is not required
Correct Answer: A

Question #34
Supply chain agreements between a CSP and cloud customers should, at a minimum, include:
A. Organization chart of the CSP
B. Policies and procedures of the cloud customer
C. Audits, assessments and independent verification of compliance certifications against the agreement terms
D. Regulatory guidelines impacting the cloud customer
Correct Answer: C

Question #35
Which of the following contract terms is necessary to meet a company's requirement to be able to move data from one CSP to another?
A. Drag and drop
B. Lift and shift
C. Flexibility to move
D. Transition and data portability
Correct Answer: D

Question #36
Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?
A. Policy-based access control
B. Attribute-based access control
C. Rule-based access control
D. Role-based access control
Correct Answer: C

Question #37
The Cloud Octagon Model was developed to support an organization's:
A. Risk assessment methodology
B. Risk treatment methodology
C. Incident response methodology
D. Incident detection methodology
Correct Answer: A
