ISACA CCAKテストエンジン練習テスト問題、試験問題集 [Q15-Q36]

ISACA CCAKテストエンジン練習テスト問題、試験問題集

100%無料CCAK日常練習試験には160問があります

質問 # 15
A client/server configuration will:

• A. keep track of all the clients using the IS facilities of a service organization.
• B. optimize system performance by having a server on a front-end and clients on a host.
• C. enhance system performance through the separation of front-end and back-end processes.
• D. limit the clients and servers relationship by limiting the IS facilities to a single hardware system.

正解：C

質問 # 16
Which of the following are the three MAIN phases of the Cloud Controls Matrix (CCM) mapping methodology?

• A. Preparation - Execution - Peer Review and Publication
• B. Initiation - Execution - Monitoring and Controlling
• C. Plan - Develop - Release

正解：A

解説：
The three main phases of the Cloud Controls Matrix (CCM) mapping methodology are preparation, execution, and peer review and publication. The CCM mapping methodology is a process to map the CCM controls to other standards, regulations, or frameworks that are relevant for cloud security. The mapping helps to identify the commonalities and differences between the CCM and the other standards, regulations, or frameworks, and to provide guidance for cloud service providers and customers on how to achieve compliance with multiple requirements using the CCM. The mapping methodology consists of the following phases1:
* Preparation: This phase involves defining the scope, objectives, and deliverables of the mapping project, as well as identifying the stakeholders, resources, and tools needed. This phase also includes conducting a preliminary analysis of the CCM and the other standard, regulation, or framework to be mapped, and establishing the mapping criteria and rules.
* Execution: This phase involves performing the actual mapping of the CCM controls to the other standard, regulation, or framework using a spreadsheet template. This phase also includes documenting the mapping results, providing explanations and justifications for each mapping decision, and resolving any issues or conflicts that may arise during the mapping process.
* Peer Review and Publication: This phase involves validating and verifying the quality and accuracy of the mapping results by conducting a peer review with subject matter experts from both the CCM working group and the other standard, regulation, or framework organization. This phase also includes finalizing and publishing the mapping document as a CSA artifact, and communicating and promoting the mapping to the relevant audiences.
References := Methodology for the Mapping of the Cloud Controls Matrix1

質問 # 17
Which of the following metrics are frequently immature?

• A. Metrics around Infrastructure as a Service (laaS) storage and network environments
• B. Metrics around specific Software as a Service (SaaS) application services
• C. Metrics around Platform as a Service (PaaS) development environments
• D. Metrics around Infrastructure as a Service (laaS) computing environments

正解：C

解説：
Metrics around Platform as a Service (PaaS) development environments are frequently immature, as PaaS is a relatively new and evolving cloud service model that offers various tools and platforms for developing, testing, deploying, and managing cloud applications. PaaS metrics are often not well-defined, standardized, or consistent across different providers and platforms, and may not capture the full value and performance of PaaS services. PaaS metrics may also be difficult to measure, monitor, and compare, as they depend on various factors, such as the type, complexity, and quality of the applications, the level of customization and integration, the usage patterns and demand, and the security and compliance requirements. Therefore, PaaS metrics may not provide sufficient insight or assurance to cloud customers and auditors on the effectiveness, efficiency, reliability, and security of PaaS services12.
References:
* Cloud Computing Service Metrics Description - NIST
* Cloud KPIs You Need to Measure Success - VMware Blogs

質問 # 18
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

• A. understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards.
• B. obtain the ISO/IEC 27001 certification from an accredited certification body (CB) following the ISO/IEC 17021-1 standard.
• C. determine whether the organization can be considered fully compliant with the mapped standards because of the implementation of every CCM Control Specification.

正解：A

解説：
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards. The Scope Applicability direct mapping is a worksheet within the CCM that maps the CCM control specifications to several standards within the ISO/IEC 27000 series, such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, and ISO/IEC
27018. The mapping helps the organization to identify the commonalities and differences between the CCM and the ISO/IEC standards, and to determine the level of compliance with each standard based on the implementation of the CCM controls. The mapping also helps the organization to avoid duplication of work and to streamline the compliance assessment process.12 References := What you need to know: Transitioning CSA STAR for Cloud Controls Matrix ...1; Cloud Controls Matrix (CCM) - CSA3

質問 # 19
The BEST way to deliver continuous compliance in a cloud environment is to:

• A. decrease the interval between attestations of compliance.
• B. combine point-in-time assurance approaches with continuous monitoring.
• C. combine point-in-time assurance approaches with continuous auditing.
• D. increase the frequency of external audits from annual to quarterly.

正解：B

質問 # 20
What is below the waterline in the context of cloud operationalization?

• A. The controls operated by the customer
• B. The controls operated by the cloud access security broker (CASB)
• C. The controls operated by both
• D. The controls operated by the cloud service provider

正解：D

解説：
In the context of cloud operationalization, "below the waterline" refers to the aspects of cloud services that are managed and controlled by the cloud service provider (CSP) rather than the customer. This analogy is often used to describe the shared responsibility model in cloud computing, where the CSP is responsible for the infrastructure's security and stability, akin to the submerged part of an iceberg that supports the structure above water. The customer, on the other hand, is responsible for managing the controls and security measures
"above the waterline," which include the applications, data, and access management they deploy in the cloud environment.
References = The information provided is based on standard cloud computing models and the shared responsibility concept, which is a fundamental principle discussed in cloud auditing and security literature, including the CCAK curriculum and related resources1.

質問 # 21
The MOST critical concept for managing the building and testing of code in DevOps is:

• A. continuous deployment.
• B. continuous integration.
• C. continuous delivery.
• D. continuous build.

正解：B

解説：
Continuous integration (CI) is the most critical concept for managing the building and testing of code in DevOps. CI is the practice of merging all developers' working copies of code to a shared mainline several times a day. This enables early detection and resolution of bugs, conflicts, and errors, as well as faster and more frequent feedback loops. CI also facilitates the automation of building, testing, and deploying code, which improves the quality, reliability, and security of the software delivery process. CI is a prerequisite for continuous delivery (CD) and continuous deployment (CD), which are the next stages of DevOps maturity that aim to deliver software to customers faster and more frequently. References:
* ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 114-115
* Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v4.0, 2021, DCS-01: Datacenter Security - Build and Test
* What is Continuous Integration?
* Continuous Integration vs Continuous Delivery vs Continuous Deployment

質問 # 22
Which of the following is MOST important to manage risk from cloud vendors who might accidentally introduce unnecessary risk to an organization by adding new features to their solutions?

• A. Deploying new features using cloud orchestration tools
• B. Establishing responsibility in the vendor contract
• C. Implementing service level agreements (SLAs) around changes to baseline configurations
• D. Performing prior due diligence of the vendor

正解：C

解説：
Explanation
Implementing service level agreements (SLAs) around changes to baseline configurations is the most important way to manage risk from cloud vendors who might accidentally introduce unnecessary risk to an organization by adding new features to their solutions. A service level agreement (SLA) is a contract or a part of a contract that defines the expected level of service, performance, and quality that a cloud vendor will provide to an organization. An SLA can also specify the roles and responsibilities, the communication channels, the escalation procedures, and the penalties or remedies for non-compliance12.
Implementing SLAs around changes to baseline configurations can help an organization to manage the risk from cloud vendors who might add new features to their solutions without proper testing, validation, or notification. Baseline configurations are the standard or reference settings for a system or a network that are used to measure and maintain its security and performance. Changes to baseline configurations can introduce new vulnerabilities, errors, or incompatibilities that can affect the functionality, availability, or security of the system or network34. Therefore, an SLA can help an organization to ensure that the cloud vendor follows a change management process that includes steps such as risk assessment, impact analysis, approval, documentation, notification, testing, and rollback. An SLA can also help an organization to monitor and verify the changes made by the cloud vendor and to report and resolve any issues or incidents that may arise from them.
The other options are not the most effective ways to manage the risk from cloud vendors who might add new features to their solutions. Option A, deploying new features using cloud orchestration tools, is not a good way to manage the risk because cloud orchestration tools are used to automate and coordinate the deployment and management of complex cloud services and resources. Cloud orchestration tools do not address the issue of whether the new features added by the cloud vendor are necessary, secure, or compatible with the organization's system or network. Option B, performing prior due diligence of the vendor, is not a good way to manage the risk because prior due diligence is a process that involves evaluating and verifying the background, reputation, capabilities, and compliance of a potential cloud vendor before entering into a contract with them. Prior due diligence does not address the issue of how the cloud vendor will handle changes to their solutions after the contract is signed. Option C, establishing responsibility in the vendor contract, is not a good way to manage the risk because establishing responsibility in the vendor contract is a process that involves defining and assigning the roles and obligations of both parties in relation to the cloud service delivery and performance. Establishing responsibility in the vendor contract does not address the issue of how the cloud vendor will communicate and coordinate with the organization about changes to their solutions. References := What is an SLA? Best practices for service-level agreements | CIO1 Service Level Agreements - Cloud Security Alliance2 What is Baseline Configuration? - Definition from Techopedia3 Baseline Configuration - Cloud Security Alliance4 Change Management - Cloud Security Alliance Incident Response - Cloud Security Alliance What is Cloud Orchestration? - Definition from Techopedia Due Diligence - Cloud Security Alliance Contractual Security Requirements - Cloud Security Alliance

質問 # 23
An auditor is assessing a European organization's compliance. Which regulation is suitable if health information needs to be protected?

• A. DPIA
• B. DPA
• C. GDPR
• D. HIPAA

正解：C

解説：
Explanation
The General Data Protection Regulation (GDPR) is the regulation that is suitable if health information needs to be protected in the European Union. The GDPR provides the legal framework for the protection of personal data, including health data, and sets out directly applicable rules for the processing of the personal data of individuals1. The GDPR defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status2. The GDPR applies to any organization that processes health data of individuals who are in the EU, regardless of where the organization is established3.
The other options are not correct. Option B, DPIA, is incorrect because DPIA stands for Data Protection Impact Assessment, which is a process that helps organizations to identify and minimize the data protection risks of a project or activity that involves processing personal data. A DPIA is not a regulation, but a tool or a requirement under the GDPR4. Option C, DPA, is incorrect because DPA stands for Data Protection Authority, which is an independent public authority that supervises, through investigative and corrective powers, the application of the data protection law. A DPA is not a regulation, but an institution or a body under the GDPR5. Option D, HIPAA, is incorrect because HIPAA stands for Health Insurance Portability and Accountability Act, which is a US federal law that provides data privacy and security provisions for safeguarding medical information. HIPAA does not apply to the EU, but to the US6. References := European Health Data Space1 Article 4 - Definitions | General Data Protection Regulation (GDPR)2 Article 3 - Territorial scope | General Data Protection Regulation (GDPR)3 Data protection impact assessment | European Commission4 Data protection authorities | European Commission5 What is HIPAA? - Definition from WhatIs.com6

質問 # 24
What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

• A. DAST can dynamically integrate with most continuous integration and continuous delivery (CI/CD) tools.
• B. Unlike SAST, DAST is a black box and programming language agnostic.
• C. DAST is slower but thorough.
• D. DAST delivers more false positives than SAST

正解：B

解説：
Explanation
Dynamic application security testing (DAST) is a method of testing the security of an application by simulating attacks from an external source. DAST does not require access to the source code or binaries of the application, unlike static application security testing (SAST), which analyzes the code for vulnerabilities.
Therefore, DAST is a black box testing technique, meaning that it does not need any knowledge of the internal structure, design, or implementation of the application. DAST is also programming language agnostic, meaning that it can test applications written in any language, framework, or platform. This makes DAST more flexible and adaptable to different types of applications and environments. However, DAST also has some limitations, such as being slower, less accurate, and more dependent on the availability and configuration of the application. References:
SAST vs. DAST: What's the Difference?
SAST vs DAST: What's the Difference?
SAST vs. DAST: Enhancing application security

質問 # 25
Which of the following should a cloud auditor recommend regarding controls for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse?

• A. Establishment of policies and procedures across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction
• B. Assessment of contractual and regulatory requirements for customer access
• C. Testing in accordance with leading industry standards such as OWASP
• D. Data input and output integrity routines

正解：D

解説：
Explanation
The correct answer is C. Data input and output integrity routines (i.e., reconciliation and edit checks) are controls that can be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse. This is stated in the Cloud Controls Matrix (CCM) control AIS-03: Data Integrity123, which is part of the Application & Interface Security domain. The CCM is a cybersecurity control framework for cloud computing that can be used by cloud customers to build an operational cloud risk management program.
The other options are not directly related to the question. Option A refers to the CCM control AIS-02:
Customer Access Requirements2, which addresses the security, contractual, and regulatory requirements for customer access to data, assets, and information systems. Option B refers to the CCM control AIS-04: Data Security / Integrity2, which establishes policies and procedures to support data security across multiple system interfaces, jurisdictions, and business functions. Option D refers to the CCM control AIS-01: Application Security2, which requires applications and programming interfaces (APIs) to be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications).
References :=
Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 5: Cloud Assurance Frameworks What is the Cloud Controls Matrix (CCM)? - Cloud Security Alliance4 AIS-03: Data Integrity - CSF Tools - Identity Digital1 AIS: Application & Interface Security - CSF Tools - Identity Digital2 PR.DS-6: Integrity checking mechanisms are used to verify software ... - CSF Tools - Identity Digital

質問 # 26
Which of the following would be considered as a factor to trust in a cloud service provider?

• A. The level of proven technical skills
• B. The level of open source evidence available
• C. The level of exposure for public information
• D. The level of willingness to cooperate

正解：A

解説：
Trust in a cloud service provider is fundamentally based on the assurance that the provider can deliver secure and reliable services. The level of proven technical skills is a critical factor because it demonstrates the provider's capability to implement and maintain robust security measures, manage complex cloud infrastructures, and respond effectively to technical challenges. Technical expertise is essential for establishing trust, as it directly impacts the security and performance of the cloud services offered.
References = The importance of technical skills in establishing trust is supported by the resources provided by ISACA and the Cloud Security Alliance (CSA). These resources emphasize the need for cloud service providers to have a strong technical foundation to ensure the fulfillment of internal requirements, proper controls, and compliance with regulations, which are crucial for maintaining customer trust and mitigating risks1234.

質問 # 27
An important consideration when performing a remote vulnerability test of a cloud-based application is to

• A. Use techniques to evade cloud provider's detection systems
• B. Use application layer testing tools exclusively
• C. Obtain provider permission for test
• D. Use network layer testing tools exclusively
• E. Schedule vulnerability test at night

正解：C

質問 # 28
An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls provider is responsible for?

• A. Directly audit the provider.
• B. Review third-party audit reports.
• C. Review the provider's published questionnaires.
• D. Send a supplier questionnaire to the provider.

正解：B

解説：
Explanation
The optimal and most efficient mechanism to assess the controls that the provider is responsible for is to review third-party audit reports. Third-party audit reports are independent and objective assessments of the provider's security, compliance, and performance, conducted by qualified and reputable auditors. Third-party audit reports can provide assurance and evidence that the provider meets the industry standards and best practices, as well as the contractual and legal obligations with the SaaS company. Third-party audit reports can also cover a wide range of controls, such as data security, encryption, identity and access management, incident response, disaster recovery, and service level agreements. Some examples of third-party audit reports are ISO 27001 certification, SOC 1/2/3 reports, CSA STAR certification, and FedRAMP authorization123.
Reviewing the provider's published questionnaires (A) may not be optimal or efficient, as the published questionnaires may not be comprehensive or up-to-date, and may not reflect the actual state of the provider's controls. The published questionnaires may also be biased or inaccurate, as they are produced by the provider themselves.
Directly auditing the provider may not be feasible or necessary, as the independent contractor may not have access to the provider's environment or data, and may not have the authority or expertise to conduct such an audit. The independent contractor should rely on the third-party audit reports and certifications to assess the provider's compliance with relevant standards and regulations.
Sending a supplier questionnaire to the provider (D) may not be optimal or efficient, as the supplier questionnaire may not cover all the aspects of the provider's controls, and may not provide sufficient evidence or assurance of the provider's security maturity. The supplier questionnaire may also take a long time to complete and verify, and may not be consistent with the industry standards and best practices. References := How to Evaluate Cloud Service Provider Security (Checklist) Cloud service review process - Cloud Adoption Framework How to choose a cloud service provider | Microsoft Azure

質問 # 29
When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

• A. Network intrusion detection
• B. Data retention, backup, and recovery
• C. Patch management process
• D. Return or destruction of information

正解：D

解説：
Explanation
When reviewing a third-party agreement with a cloud service provider, the greatest concern regarding customer data privacy is the return or destruction of information. This is because customer data may contain sensitive or personal information that needs to be protected from unauthorized access, use, or disclosure. The cloud service provider should have clear and transparent policies and procedures for returning or destroying customer data upon termination of the agreement or upon customer request. The cloud service provider should also provide evidence of the return or destruction of customer data, such as certificates of destruction, audit logs, or reports. The return or destruction of information should comply with applicable laws and regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Health Insurance Portability and Accountability Act (HIPAA). The cloud service provider should also ensure that any subcontractors or affiliates that have access to customer data follow the same policies and procedures12.
References:
Cloud Services Agreements - Protecting Your Hosted Environment
CSP agreements, price lists, and offers - Partner Center

質問 # 30
Which of the following is the BEST recommendation to offer an organization's HR department planning to adopt a new public SaaS application to ease the recruiting process?

• A. Do not allow data to be in cleratext
• B. Implement a cloud access security broker
• C. Consult the legal department
• D. Ensure HIPAA compliance

正解：B

質問 # 31
Which of the following aspects of risk management involves identifying the potential reputational harm and/or financial harm when an incident occurs?

• A. Likelihood
• B. Residual risk
• C. Impact Analysis
• D. Mitigations

正解：C

質問 # 32
A cloud auditor should use statistical sampling rather than judgment (nonstatistical) sampling when:

• A. the probability of error must be objectively quantified.
• B. the auditor wants to avoid sampling risk.
• C. the tolerable error rate cannot be determined.
• D. generalized audit software is unavailable.

正解：A

解説：
Explanation
According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, a cloud auditor should use statistical sampling rather than judgment (nonstatistical) sampling when the probability of error must be objectively quantified1. Statistical sampling is a sampling technique that uses random selection methods and mathematical calculations to draw conclusions about the population from the sample results. Statistical sampling allows the auditor to measure the sampling risk, which is the risk that the sample results do not represent the population, and to express the confidence level and precision of the sample1. Statistical sampling also enables the auditor to estimate the rate of exceptions or errors in the population based on the sample1.
The other options are not valid reasons for using statistical sampling rather than judgment sampling. Option A is irrelevant, as generalized audit software is a tool that can facilitate both statistical and judgment sampling, but it is not a requirement for either technique. Option B is incorrect, as statistical sampling does not avoid sampling risk, but rather measures and controls it. Option D is illogical, as the tolerable error rate is a parameter that must be determined before conducting any sampling technique, whether statistical or judgmental. References:
ISACA Cloud Auditing Knowledge Certificate Study Guide, page 17-18.

質問 # 33
An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?

• A. Public
• B. Cloud service provider
• C. Shareholders and interested parties
• D. Management of the organization being audited

正解：D

解説：
According to the ISACA CCAK Study Guide, the auditor should report the findings to the management of the organization being audited, as they are the primary stakeholders and decision makers for the cloud service.
The management is responsible for ensuring that the cloud service meets the requirements and expectations of the community, as well as complying with any relevant laws and regulations. The auditor should also communicate the findings to the cloud service provider, as they are the secondary stakeholders and service providers for the cloud service. The cloud service provider should be aware of any issues or gaps identified by the auditor and work with the management to resolve them. The auditor should not report the findings to the public, shareholders, or interested parties, as they are not directly involved in the cloud service or its governance. The auditor should respect the confidentiality and privacy of the community and its data, and only disclose the findings to those who have a legitimate need to know. References :=
* ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 971
* ISACA, Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam, 2021, p. 36

質問 # 34
An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following What should be the BEST recommendation to reduce the provider's burden?

• A. The provider can answer each customer individually.
• B. The provider can schedule a call with each customer.
• C. The provider can direct all customer inquiries to the information in the CSA STAR registry.
• D. The provider can share all security reports with customers to streamline the process

正解：C

解説：
Explanation
The CSA STAR registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. The registry is based on the Cloud Controls Matrix (CCM), which is a framework of cloud-specific security best practices, and the GDPR Code of Conduct, which is a set of privacy principles for cloud service providers. The registry allows cloud customers to assess the security and compliance posture of cloud service providers, as well as to compare different providers based on their level of assurance. The registry also reduces the complexity and cost of filling out multiple customer questionnaires and requests for proposal (RFPs). Therefore, the best recommendation to reduce the provider's burden is to direct all customer inquiries to the information in the CSA STAR registry, which can demonstrate the provider's transparency, trustworthiness, and adherence to industry standards. The provider can also encourage customers to use the Consensus Assessments Initiative Questionnaire (CAIQ), which is a standardized set of questions based on the CCM, to evaluate the provider's security controls. Alternatively, the provider can pursue higher levels of assurance, such as third-party audits or continuous monitoring, to further validate their security and privacy practices and increase customer confidence.
References:
STAR Registry | CSA
STAR | CSA
CSA Security Trust Assurance and Risk (STAR) Registry Reaches Notable ...
Why CSA STAR Is Important for Cloud Service Providers - A-LIGN

質問 # 35
Which of the following cloud environments should be a concern to an organization s cloud auditor?

• A. The cloud service provider s data center is more than 100 miles away.
• B. The failover region of the cloud service provider is on another continent
• C. The technical team is trained on only one vendor Infrastructure as a Service (laaS) platform, but the organization has subscribed to another vendor's laaS platform as an alternative.
• D. The organization entirely depends on several proprietary Software as a Service (SaaS) applications.

正解：C

解説：
This situation poses a significant concern for a cloud auditor because it indicates a potential gap in the technical team's ability to effectively manage and secure the IaaS platform provided by the alternative vendor.
Without proper training on the specific features, security practices, and operational procedures of the new platform, the organization may face increased risks of misconfiguration, security vulnerabilities, and inefficiencies in cloud operations. It is crucial for the technical team to have a comprehensive understanding of all platforms in use to ensure they can maintain the security and performance standards required for a robust cloud environment.
References = The concern is based on common cloud auditing challenges, such as controlling and monitoring user access, and ensuring the IT team is equipped to manage the cloud environment effectively12. Additionally, best practices suggest that network segmentation, user authentication, and access control are critical areas to address in a cloud audit3. These principles are widely recognized in the field of cloud security and compliance.

質問 # 36
......

有効な問題最新版を試そうCCAKテスト解釈CCAK有効な試験ガイド：https://www.jpntest.com/shiken/CCAK-mondaishu

CCAK試験資料ISACA学習ガイド：https://drive.google.com/open?id=1nfaVVSSxngbTWUOILECDAvASt_tfJKmn