
Grab the latest free trial! The ISACA CCAK question bank PDF was updated in 2022
The latest release of the CCAK question bank is Cloud Security Alliance certified
Question 40
Your company is purchasing an application from a vendor. They do not allow you to perform an on-site audit of their information system. However, they say they will provide a third-party audit attestation on the adequacy of the control design within their environment. Which report is the vendor providing you?
- A. SOC 2, TYPE 2
- B. SOC 3
- C. SOC 2, TYPE 1
- D. SOC 1
Correct answer: A
Question 41
The rapid and dynamic rate of change found in a cloud environment affects the organization's:
- A. risk scoring.
- B. risk appetite.
- C. risk communication.
- D. risk profile.
Correct answer: B
Question 42
Which of the following should be of GREATEST concern to an IS auditor reviewing actions taken during a forensic investigation?
- A. The proper authorities were not notified.
- B. An image copy of the attacked system was not taken.
- C. The handling procedures for the attacked system are not documented.
- D. The investigation report does not state a conclusion.
Correct answer: A
Question 43
A CSP providing cloud services currently used by the United States federal government should obtain which of the following to assure compliance with stringent government standards?
- A. ISO/IEC 27001:2013 Certification
- B. CSA STAR Level Certificate
- C. Multi-Tier Cloud Security (MTCS) Attestation
- D. FedRAMP Authorization
Correct answer: D
Question 44
From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?
- A. Process of integrating security into software development using automation
- B. Operational framework that promotes software consistency through automation
- C. Development standards for addressing integration, testing, and deployment issues
- D. Making software development simpler, faster, and easier using automation
Correct answer: C
Question 45
Organizations maintain mappings between the different control frameworks they adopt to:
- A. start a compliance assessment using the latest assessment.
- B. help identify controls with a common assessment status.
- C. avoid duplication of work when assessing compliance.
- D. help identify controls with a different assessment status.
Correct answer: D
Question 46
When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?
- A. Determine the financial, operational, compliance and reputational impact on the organization.
- B. Determine the impact on the controls that the organization selected to respond to identified risks.
- C. Determine the impact on the confidentiality, integrity and availability of the information system.
- D. Determine the impact on the physical and environmental security of the organization, excluding information assets.
Correct answer: D
Question 47
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?
- A. White box
- B. Blue team
- C. Gray box
- D. Red team
Correct answer: A
Question 48
What is the best way to ensure that all data has been removed from a public cloud environment, including all media such as backup tapes?
- A. Practice Integration of Duties (IOD) so that everyone is able to delete the encrypted data.
- B. Both B and D.
- C. Keep the keys stored on the client side so that they are secure and so that the users have the ability to delete their own data.
- D. Maintain customer-managed key management and revoke or delete keys from the key management system to prevent the data from being accessed again.
- E. Allow the cloud provider to manage your keys so that they have the ability to access and delete the data from the main and backup storage.
Correct answer: D
Question 49
A CSP contracts for a penetration test to be conducted on its infrastructure. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP's security operations center is not notified in advance of the scope of the audit or the test vectors. Which mode has the CSP selected?
- A. Reversal
- B. Double blind
- C. Double gray box
- D. Tandem
Correct answer: B
Question 50
How often should an organization audit the controls in a cloud service provider's business continuity plan and operational resilience policy?
- A. Annually
- B. Quarterly
- C. Monthly
- D. Semi-annually
Correct answer: A
Question 51
Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed.
Assuming that the situation is communicated in the cloud audit report, which course of action is MOST relevant?
- A. Focusing on auditing high-risk areas
- B. Relying on management testing of cloud controls
- C. Testing the adequacy of cloud control design
- D. Testing the operational effectiveness of cloud controls
Correct answer: A
Question 52
Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?
- A. Rule-based access control
- B. Attribute-based access control
- C. Role-based access control
- D. Policy-based access control
Correct answer: A
Question 53
What is the newer application development methodology and philosophy focused on automating application development and deployment?
- A. BusOps
- B. DevOps
- C. Scrum
- D. SecDevOps
- E. Agile
Correct answer: B
Question 54
Which aspect of SaaS functionality and operations is the cloud customer responsible for, and should therefore be audited?
- A. Vulnerability management
- B. Source code reviews
- C. Access controls
- D. Patching
Correct answer: C
Question 55
The PRIMARY objective of an audit initiation meeting with a cloud audit client is to:
- A. discuss the scope of the cloud audit.
- B. identify resource requirements of the cloud audit.
- C. review requested evidence provided by the audit client.
- D. select the methodology of the audit.
Correct answer: A
Question 56
A defined set of rules, composed of the claims and attributes of the entities in a transaction, that is used to determine their level of access to cloud-based resources is called what?
- A. An access log
- B. A support table
- C. A validation process
- D. An entitlement matrix
- E. An entry log
Correct answer: C
Question 57
What is the name for a code execution environment that runs within an operating system and shares and uses the resources of that operating system?
- A. Pod
- B. Container
- C. Virtual machine
- D. Abstraction
- E. Platform-based workload
Correct answer: B
Question 58
Which of the following activities is part of the implementation phase of a cloud assurance program during a cloud migration?
- A. Development of the monitoring goals and requirements
- B. Identification of processes, functions, and systems
- C. Identification of roles and responsibilities
- D. Identification of the relevant laws, regulations, and standards
Correct answer: B
Question 59
Which of the following is the risk associated with storing data in a cloud that crosses jurisdictions?
- A. Provider administration risk
- B. Virtualization risk
- C. Audit risk
- D. Compliance risk
Correct answer: D
Question 60
How can virtual machine communications bypass network security controls?
- A. Most network security systems do not recognize encrypted VM traffic
- B. The guest OS can invoke stealth mode
- C. VM images can contain rootkits programmed to bypass firewalls
- D. Hypervisors depend upon multiple network interfaces
- E. VM communications may use a virtual network on the same hardware host
Correct answer: E
Question 61
The Cloud Octagon Model was developed to support organizations':
- A. risk treatment methodology.
- B. incident response methodology.
- C. risk assessment methodology.
- D. incident detection methodology.
Correct answer: C
Question 62
......
Scope of the ISACA CCAK certification exam:
| Topic | Exam scope |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
Train for the ISACA exam with the latest CCAK exam question bank: https://www.jpntest.com/shiken/CCAK-mondaishu
Pass with 100% certainty using the updated, verified CCAK questions and answers: https://drive.google.com/open?id=1IyrQd01dZNoaYwNZ7iONT-aY5F0FZxJw