How To Pass Certificate of Cloud Auditing Knowledge (CCAK) Exam?

test2021-12-24T06:08:07+00:00

The Certificate of Cloud Auditing Knowledge (CCAK) is the first credential available for industry professionals to demonstrate their expertise in the essential principles of auditing cloud computing systems. The CCAK credential and training program fills the gap in the market for technical education for cloud IT auditing.

Do you want to get CCAK certification and give your IT career a lift? If you are looking for CCAK Practice Test with Real Exam Questions, you are in the right place. FreeTestShare has the latest CCAK exam question bank from Actual Exams to help you memorize and pass your exam at the very first attempt. Here are CCAK practice exam questions with correct answers for you to test yourself! Get started now!

Try CCAK Free Questions To Test Yourself

Page 1 of 2

1. A cloud customer configured and developed a solution on top of the certified cloud services. Building on top of a compliant CSP:

means that the cloud customer is also compliant.

means that the cloud customer and client are both compliant.

means that the cloud customer is compliant but their client is not compliant.

does not necessarily mean that the cloud customer is also compliant.

2. Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel.

Which of the following controls BEST matches this control description?

Operations Maintenance

System Development Maintenance

Equipment Maintenance

System Maintenance

3. Which of the following is the BEST tool to perform cloud security control audits?

General Data Protection Regulation (GDPR)

ISO 27001

Federal Information Processing Standard (FIPS) 140-2

CSA Cloud Control Matrix (CCM)

4. Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?

Blue team

White box

Gray box

Red team

5. Which of the following is MOST important to consider when an organization is building a compliance program for the cloud?

The rapidly changing service portfolio and architecture of the cloud.

Cloud providers should not be part of the compliance program.

The fairly static nature of the service portfolio and architecture of the cloud.

The cloud is similar to the on-premise environment in terms of compliance.

6. Cloud Control Matrix (CCM) controls can be used by cloud customers to:

develop new security baselines for the industry.

define different control frameworks for different cloud service providers.

facilitate communication with their legal department.

build an operational cloud risk management program.

7. What is the advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

Unlike SAST, DAST is a blackbox and programming language agnostic.

DAST can dynamically integrate with most CI/CD tools.

DAST delivers more false positives than SAS

DAST is slower but thorough.

8. Which of the following is a fundamental concept of FedRAMP that intends to save costs, time, and staff conducting superfluous agency security assessments?

A. Use often, provide many times

B. Be economical, act deliberately

C. Use existing, provide many times

D. Do once, use many times

9. Within an organization, which of the following functions should be responsible for defining the cloud adoption approach?

Audit committee

Compliance manager

IT manager

Senior management

10. To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:

object-oriented architecture.

software architecture.

service-oriented architecture.

enterprise architecture.

Page 2 of 2

11. When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

Determine the impact on the controls that were selected by the organization to respond to identified risks.

Determine the impact on confidentiality, integrity and availability of the information system.

Determine the impact on the financial, operational, compliance and reputation of the organization.

Determine the impact on the physical and environmental security of the organization, excluding informational assets.

12. When using a SaaS solution, who is responsible for application security?

The cloud service provider only

The cloud service consumer only

Both cloud consumer and the enterprise

Both cloud provider and the consumer

13. The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARILY in the:

risk management policy.

cloud policy.

business continuity plan.

information security standard for cloud technologies.

14. An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models.

Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?

Use of an established standard/regulation to map controls and use as the audit criteria

For efficiency reasons, use of its on-premises systems’ audit criteria to audit the cloud environment

As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes.

Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage

15. In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?

Service Provider control

Impact and Risk control

Data Inventory control

Compliance control

16. A CSP contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP’s security operation center is not notified in advance of the scope of the audit and the test vectors.

Which mode is selected by the CSP?

Double gray box

Tandem

Reversal

Double blind

17. SAST testing is performed by:

scanning the application source code.

scanning the application interface.

scanning all infrastructure components.

performing manual actions to gain control of the application.

18. Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?

Design

Stakeholder identification

Development

Risk assessment

19. When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?

To determine how those services will fit within its policies and procedures

To determine the total cost of the cloud services to be deployed

To confirm which vendor will be selected based on the compliance with security requirements

To confirm if the compensating controls implemented are sufficient for the cloud