[2025-04-30] CCAK Exam Question Collection, CCAK Practice Test Questions [Q120-Q140]


Free CCAK study guide exam questions and answers

Question # 120
An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls the provider is responsible for?

  • A. Review the provider's published questionnaires.
  • B. Review third-party audit reports.
  • C. Directly audit the provider.
  • D. Send a supplier questionnaire to the provider.

Correct answer: B

Explanation:
The optimal and most efficient mechanism to assess the controls that the provider is responsible for is to review third-party audit reports. Third-party audit reports are independent and objective assessments of the provider's security, compliance, and performance, conducted by qualified and reputable auditors. Third-party audit reports can provide assurance and evidence that the provider meets the industry standards and best practices, as well as the contractual and legal obligations with the SaaS company. Third-party audit reports can also cover a wide range of controls, such as data security, encryption, identity and access management, incident response, disaster recovery, and service level agreements. Some examples of third-party audit reports are ISO 27001 certification, SOC 1/2/3 reports, CSA STAR certification, and FedRAMP authorization.
Reviewing the provider's published questionnaires (A) may not be optimal or efficient, as the published questionnaires may not be comprehensive or up-to-date, and may not reflect the actual state of the provider's controls. The published questionnaires may also be biased or inaccurate, as they are produced by the provider themselves.
Directly auditing the provider (C) may not be feasible or necessary, as the independent contractor may not have access to the provider's environment or data, and may not have the authority or expertise to conduct such an audit. The independent contractor should rely on the third-party audit reports and certifications to assess the provider's compliance with relevant standards and regulations.
Sending a supplier questionnaire to the provider (D) may not be optimal or efficient, as the supplier questionnaire may not cover all the aspects of the provider's controls, and may not provide sufficient evidence or assurance of the provider's security maturity. The supplier questionnaire may also take a long time to complete and verify, and may not be consistent with the industry standards and best practices.
Reference:
* How to Evaluate Cloud Service Provider Security (Checklist)
* Cloud service review process - Cloud Adoption Framework
* How to choose a cloud service provider | Microsoft Azure


Question # 121
To promote the adoption of secure cloud services across the federal government by

  • A. To provide agencies of the federal government a dedicated tool to certify Authority to Operate (ATO)
  • B. To provide a standardized approach to security and risk assessment
  • C. To enable 3PAOs to perform independent security assessments of cloud service providers
  • D. To publish a comprehensive and official framework for the secure implementation of controls for cloud security

Correct answer: B

Explanation:
The correct answer is A. To provide a standardized approach to security and risk assessment. This is the main purpose of FedRAMP, which is a government-wide program that promotes the adoption of secure cloud services across the federal government. FedRAMP provides a standardized methodology for assessing, authorizing, and monitoring the security of cloud products and services, and enables agencies to leverage the security assessments of cloud service providers (CSPs) that have been approved by FedRAMP. FedRAMP also establishes a baseline set of security controls for cloud computing, based on NIST SP 800-53, and provides guidance and templates for implementing and documenting the controls.
The other options are incorrect because:
* B. To provide agencies of the federal government a dedicated tool to certify Authority to Operate (ATO): FedRAMP does not provide a tool to certify ATO, but rather a process to obtain a provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or an agency ATO from a federal agency. ATO is the official management decision given by a senior official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
* C. To enable 3PAOs to perform independent security assessments of cloud service providers: FedRAMP does not enable 3PAOs to perform independent security assessments of CSPs, but rather requires CSPs to use 3PAOs for conducting independent security assessments as part of the FedRAMP process. 3PAOs are independent entities that have been accredited by FedRAMP to perform initial and periodic security assessments of CSPs' systems and provide evidence of compliance with FedRAMP requirements.
* D. To publish a comprehensive and official framework for the secure implementation of controls for cloud security: FedRAMP does not publish a comprehensive and official framework for the secure implementation of controls for cloud security, but rather adopts and adapts the existing framework of NIST SP 800-53, which provides a catalog of security and privacy controls for federal information systems and organizations. FedRAMP tailors the NIST SP 800-53 controls to provide a subset of controls that are specific to cloud computing, and categorizes them into low, moderate, and high impact levels based on FIPS 199.
References:
* Learn What FedRAMP is All About | FedRAMP | FedRAMP.gov
* Guide for Applying the Risk Management Framework to Federal Information Systems - NIST
* Third Party Assessment Organizations (3PAO) | FedRAMP.gov
* Security and Privacy Controls for Federal Information Systems and Organizations - NIST


Question # 122
Which of the following is an example of a corrective control?

  • A. Privileged access to critical information systems requiring a second factor of authentication using a soft token
  • B. Unsuccessful access attempts being automatically logged for investigation
  • C. A central antivirus system installing the latest signature files before allowing a connection to the network
  • D. All new employees having standard access rights until their manager approves privileged rights

Correct answer: B

Explanation:
A corrective control is a measure taken to correct or reduce the impact of an error, deviation, or unwanted activity. Corrective controls can be either manual or automated, depending on the type of control used. Corrective controls can involve procedures, manuals, systems, patches, quarantines, terminations, reboots, or default dates. A Business Continuity Plan (BCP) is an example of a corrective control.
Unsuccessful access attempts being automatically logged for investigation is an example of a corrective control because it is a response to a potential security incident that aims to identify and resolve the cause and prevent future occurrences. Logging and investigating failed login attempts can help detect unauthorized or malicious attempts to access sensitive data or systems and take appropriate actions to mitigate the risk.
The other options are examples of preventive controls, which are designed to prevent problems from occurring in the first place. Preventive controls can include:
* A central antivirus system installing the latest signature files before allowing a connection to the network: This is a preventive control because it prevents malware infection by blocking potentially harmful connections and updating the antivirus software regularly.
* All new employees having standard access rights until their manager approves privileged rights: This is a preventive control because it prevents unauthorized access by enforcing the principle of least privilege and requiring approval for granting higher-level permissions.
* Privileged access to critical information systems requiring a second factor of authentication using a soft token: This is a preventive control because it prevents credential theft or compromise by adding an extra layer of security to verify the identity of the user.
References:
* What is a corrective control? - Answers, section on Corrective control
* Detective controls - SaaS Lens - docs.aws.amazon.com, section on Unsuccessful login attempts
* Internal control: how do preventive and detective controls work?, section on Preventive Controls
* What Are Security Controls? - F5, section on Preventive Controls
* The 3 Types of Internal Controls (With Examples) | Layer Blog, section on Preventive Controls
* What are the 3 Types of Internal Controls? - RiskOptics - Reciprocity, section on Preventive Controls


Question # 123
Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is:

  • A. responsible to the cloud customer and its end users.
  • B. responsible to the cloud customer and its clients.
  • C. not responsible at all to any external parties.
  • D. responsible only to the cloud customer.

Correct answer: D

Explanation:
Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is responsible only to the cloud customer. This means that the provider has a contractual obligation to deliver the agreed-upon services and meet the service level agreements (SLAs) with the cloud customer, who is the direct payer of the services. The provider is not responsible for any other parties, such as the cloud customer's clients, end users, or regulators, unless explicitly specified in the contract. The cloud customer is responsible for ensuring that the provider's services meet their own compliance and security requirements, as well as those of their stakeholders.
References:
* Shared responsibility in the cloud - Microsoft Azure
* Cloud security shared responsibility model - NCSC


Question # 124
Which plan guides an organization on how to react to a security incident that might occur on the organization's systems, or that might be affecting one of its service providers?

  • A. Incident response plan
  • B. Emergency incident plan
  • C. Security incident plan
  • D. Unexpected event plan

Correct answer: A


Question # 125
In cloud computing, with whom does the responsibility and accountability for compliance lie?

  • A. The cloud service provider is responsible for compliance, and the cloud service customer is accountable.
  • B. The cloud service customer is responsible for compliance, and the cloud service provider is accountable.
  • C. The cloud service provider is responsible and accountable for compliance.
  • D. The cloud service customer is responsible and accountable for compliance.

Correct answer: B


Question # 126
CCM: A hypothetical company called "Health4Sure" is located in the United States and provides cloud-based services for tracking patient health. The company is compliant with the HIPAA/HITECH Act among other industry standards. Health4Sure decides to assess the overall security of their cloud service against the CCM toolkit so that they will be able to present this document to potential clients.
Which of the following approaches would be most suitable to assess the overall security posture of Health4Sure's cloud service?

  • A. The CCM columns are mapped to the HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with the HIPAA/HITECH Act. They could then assess the remaining controls. This approach will save time.
  • B. The CCM domains are not mapped to HIPAA/HITECH Act. Therefore Health4Sure should assess the security posture of their cloud service against each and every control in the CCM. This approach will allow a thorough assessment of the security posture.
  • C. The CCM domain controls are mapped to the HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with the HIPAA/HITECH Act. They could then assess the remaining controls thoroughly. This approach saves time while being able to assess the company's overall security posture in an efficient manner.

Correct answer: B


Question # 127
Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?

  • A. Turtle diagram
  • B. Data security process flow
  • C. Heat maps
  • D. Contractual documents of the cloud service provider

Correct answer: C


Question # 128
An auditor identifies that a CSP received multiple customer inquiries and RFPs during the last month. Which of the following should be the BEST recommendation to reduce the CSP burden?

  • A. CSP can answer each customer individually.
  • B. CSP can direct all customers' inquiries to the information in the CSA STAR registry.
  • C. CSP can schedule a call with each customer.
  • D. CSP can share all security reports with customers to streamline the process.

Correct answer: B


Question # 129
Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

  • A. Documentation criteria for the audit evidence
  • B. Updated audit work program
  • C. Processes and systems to be audited
  • D. Testing procedure to be performed

Correct answer: C

Explanation:
The most important audit scope document when conducting a review of a cloud service provider is the document that defines the processes and systems to be audited. This document should clearly identify the objectives, criteria, and boundaries of the audit, as well as the roles and responsibilities of the audit team and the cloud service provider. The document should also specify the scope of the cloud service provider's services, such as the service model, deployment model, geographic location, data classification, and compliance requirements. The document should also describe the scope of the audit evidence, such as the types, sources, methods, and sampling techniques of data collection and analysis. The document should also state the expected deliverables, timelines, and reporting formats of the audit. The document should be agreed upon by both parties before the audit commences.
The document that defines the processes and systems to be audited is essential for ensuring that the audit is relevant, reliable, consistent, and complete. It helps to establish a common understanding and expectation between the auditor and the auditee, as well as to avoid any misunderstandings or conflicts during or after the audit. It also helps to focus the audit on the key risks and controls related to the cloud service provider's operations and performance. It also helps to ensure that the audit complies with the applicable standards, frameworks, and regulations.
References:
* Cloud Audits and Compliance: What You Need To Know - Linford & Company LLP
* How to audit the cloud | ICAEW
* Auditing Cloud Computing: A Security and Privacy Guide


Question # 130
Which of the following data destruction methods is the MOST effective and efficient?

  • A. Physical destruction
  • B. Degaussing
  • C. Multi-pass wipes
  • D. Crypto-shredding

Correct answer: B


Question # 131
An auditor is reviewing an organization's virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?

  • A. As it is an automated environment, reviewing the relevant configuration settings on the CM tool would be sufficient.
  • B. Review the incident records for any incidents relating to brute force attacks or password compromise in the last 12 months and investigate whether the root cause of the incidents was due to an inappropriate password policy configured on the VMs.
  • C. Review the relevant configuration settings on the CM tool and check whether the CM tool agents are operating effectively on the sample VMs.
  • D. The auditor should not rely on the CM tool and its settings, and for thoroughness should review the password configuration on the set of sample VMs.

Correct answer: C

Explanation:
The best approach for an auditor to review the operating effectiveness of the password requirement is to review the configuration settings on the Configuration Management (CM) tool and verify that the CM tool agents are functioning correctly on the VMs. This method ensures that the password policies are being enforced as intended and that the CM tool is effectively managing the configurations across the organization's virtual machines. It provides a balance between relying solely on automated tools and manual verification processes.
Reference: This approach is supported by best practices in cloud security and auditing, which recommend a combination of automated tools and manual checks to ensure the effectiveness of security controls. The use of CM tools for enforcing password policies is a common practice, and their effectiveness must be regularly verified to maintain the security posture of cloud services.


Question # 132
The BEST way to deliver continuous compliance in a cloud environment is to:

  • A. increase the frequency of external audits from annual to quarterly.
  • B. combine point-in-time assurance approaches with continuous monitoring.
  • C. decrease the interval between attestations of compliance.
  • D. combine point-in-time assurance approaches with continuous auditing.

Correct answer: B


Question # 133
Which of the following is an example of financial business impact?

  • A. A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours, resulting in millions in lost sales.
  • B. While the breach was reported in a timely manner to the CEO, the CFO and CISO blamed each other in public, resulting in a loss of public confidence that led the board to replace all three.
  • C. A hacker using a stolen administrator identity brings down the Software as a Service (SaaS) sales and marketing systems, resulting in the inability to process customer orders or manage customer relationships.

Correct answer: A

Explanation:
An example of financial business impact is a distributed denial of service (DDoS) attack that renders the customer's cloud inaccessible for 24 hours, resulting in millions in lost sales. Financial business impact refers to the monetary losses or gains that an organization may experience as a result of a cloud security incident.
Financial business impact can be measured by factors such as revenue, profit, cost, cash flow, market share, and stock price.
Option A is an example of financial business impact because it shows how a DDoS attack, which is a type of cyberattack that overwhelms a system or network with malicious traffic and prevents legitimate users from accessing it, can cause direct and significant financial losses for the customer's organization due to the interruption of its cloud services and the inability to generate sales. Option A also implies that the customer's organization depends on the availability of its cloud services for its core business operations.
The other options are not examples of financial business impact. Option B is an example of operational business impact, which refers to the disruption or degradation of the organization's processes, functions, or activities as a result of a cloud security incident. Operational business impact can be measured by factors such as productivity, efficiency, quality, performance, and customer satisfaction. Option B shows how a hacker using a stolen administrator identity, which is a type of identity theft or impersonation attack that exploits the credentials or privileges of a legitimate user to access or manipulate a system or network, can cause operational business impact for the customer's organization by bringing down its SaaS sales and marketing systems, which are essential for its business functions.
Option C is an example of reputational business impact, which refers to the damage or enhancement of the organization's image, brand, or reputation as a result of a cloud security incident. Reputational business impact can be measured by factors such as trust, loyalty, satisfaction, awareness, and perception of the organization's stakeholders, such as customers, partners, investors, regulators, and media. Option C shows how a breach reported in a timely manner to the CEO, which is a good practice for ensuring transparency and accountability in the event of a cloud security incident, can still cause reputational business impact for the customer's organization due to the public blame game between the CFO and CISO, which reflects poorly on the organization's leadership and culture and leads to the board replacing all three.
References:
* Business Impact Analysis - Ready.gov
* Business Impact Analysis - Cloud Security Alliance
* What Is A Distributed Denial-of-Service (DDoS) Attack? | Cloudflare
* What is Identity Theft? - Cloud Security Alliance
* Incident Response - Cloud Security Alliance


Question # 134
What areas should be reviewed when auditing a public cloud?

  • A. Identity and access management, data protection
  • B. Patching, source code reviews, hypervisor, access controls
  • C. Vulnerability management, cyber security reviews, patching
  • D. Patching, configuration, hypervisor, backups

Correct answer: A


Question # 135
Which of the following is an example of integrity technical impact?

  • A. The cloud provider reports a breach of customer personal data from an unsecured server.
  • B. An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.
  • C. A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours.
  • D. A hacker using a stolen administrator identity alters the discount percentage in the product database.

Correct answer: D

Explanation:
An integrity technical impact refers to an event where the accuracy or trustworthiness of data is compromised. Option D, where a hacker uses a stolen administrator identity to alter the discount percentage in the product database, directly affects the integrity of the data. This action leads to unauthorized changes to data, which is a clear violation of data integrity. In contrast, options A, B, and C describe breaches of confidentiality, availability, and security, respectively, but do not directly impact the integrity of the data itself.
References: The concept of data integrity in cloud computing is extensively covered in the literature, including the importance of protecting against unauthorized data alteration to maintain the trustworthiness and accuracy of data throughout its lifecycle.


Question # 136
An IS department is evaluated monthly on its cost-revenue ratio, user satisfaction rate, and computer downtime. This is BEST characterized as an application of:

  • A. value chain analysis
  • B. control self-assessment (CSA)
  • C. balanced scorecard
  • D. risk framework

Correct answer: C


Question # 137
Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

  • A. Multi-Tier Cloud Security (MTCS)
  • B. BSI Criteria Catalogue C5
  • C. German IDW PS 951
  • D. BSI IT-basic protection catalogue

Correct answer: B

Explanation:
The BSI Criteria Catalogue C5 is a document that has been provided by the Federal Office for Information Security (BSI) in Germany to support customers in selecting, controlling, and monitoring their cloud service providers (CSPs). C5 stands for Cloud Computing Compliance Criteria Catalogue and specifies minimum requirements for secure cloud computing. The C5 is primarily intended for professional CSPs, their auditors, and customers of the CSPs. The C5 covers 17 domains and 114 control objectives that address all key aspects of cloud security, such as data protection, identity and access management, encryption and key management, incident response, audit assurance, and compliance. The C5 also maps to other industry-accepted security standards, regulations, and frameworks, such as ISO 27001/27002/27017/27018, NIST SP 800-53, CSA Cloud Controls Matrix (CCM), COBIT, GDPR, etc. The C5 helps customers to evaluate and compare the security and compliance posture of different CSPs, and to verify that the CSPs meet their contractual obligations and legal requirements.
References:
* BSI - C5 criteria catalogue - Federal Office for Information Security
* Germany C5 - Azure Compliance | Microsoft Learn


Question # 138
To ensure that cloud audit resources deliver the best value to the organization, the FIRST step is to:

  • A. train the cloud audit staff on current technology used in the organization.
  • B. schedule the audits and monitor the time spent on each audit.
  • C. develop a cloud audit plan on the basis of a detailed risk assessment.
  • D. monitor progress of audits and initiate cost control measures.

Correct answer: C


Question # 139
An organization has an ISMS implemented, following ISO 27001 and Annex A controls. The CIO would like to migrate some of the infrastructure to the cloud. Which of the following standards would BEST assist in identifying controls to consider for this migration?

  • A. ISO/IEC 27002
  • B. ISO/IEC 27017
  • C. ISO/IEC 22301
  • D. ISO/IEC 27701

Correct answer: B

Explanation:
ISO/IEC 27017 standard defines the requirements for an information security management system (ISMS). Note that the entire organization is not necessarily affected by the standard, because it all depends on the scope of the ISMS. The scope could be limited by the provider to one group within an organization, and there is no guarantee that any group outside of the scope has appropriate ISMSs in place. It is up to the auditor to verify that the scope of the engagement is "fit for purpose." As the customer, you are responsible for determining whether the scope of the certification is relevant for your purposes.


Question # 140
......
