When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:
Correct Answer: C
Explanation: According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the cloud customer is the entity that retains accountability for the business outcome of the system or the processes that are supported by the cloud service [1]. The cloud customer is also responsible for ensuring that the cloud service meets the legal, regulatory, and contractual obligations that apply to the customer's business context [1]. The cloud customer should also perform due diligence and a risk assessment before selecting a cloud service provider, and establish a clear and enforceable contract that defines the roles and responsibilities of both parties [1]. The cloud user is the entity that uses the cloud service on behalf of the cloud customer, but it is not necessarily accountable for the compliance of the service [1]. The cloud service provider is the entity that makes the cloud service available to the cloud customer, but it is not accountable for the compliance of the customer's business context [1]. The certification authority (CA) is an entity that issues digital certificates to verify the identity or authenticity of other entities, but it is not accountable for the compliance of the cloud service [2].
References:
1. ISACA Cloud Auditing Knowledge Certificate Study Guide, pages 10-11.
2. Certification authority - Wikipedia
Question 77
When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?
Correct Answer: A
Explanation: When applying the Top Threats Analysis methodology following an incident, the scope of the technical impact identification step is to determine the impact on the confidentiality, integrity, and availability of the information system. The Top Threats Analysis methodology is a process developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the top threats to cloud computing, as defined in the CSA Top Threats reports. The methodology consists of six steps [1]:
* Scope definition: Define the scope of the analysis, such as the cloud service model, deployment model, and business context.
* Threat identification: Identify the relevant threats from the CSA Top Threats reports that may affect the scope of the analysis.
* Technical impact identification: Determine the impact on the confidentiality, integrity, and availability of the information system caused by each threat. Confidentiality refers to the protection of data from unauthorized access or disclosure. Integrity refers to the protection of data from unauthorized modification or deletion. Availability refers to the protection of data and services from disruption or denial.
* Business impact identification: Determine the impact on the business objectives and operations caused by each threat, such as financial loss, reputational damage, legal liability, or regulatory non-compliance.
* Risk assessment: Assess the likelihood and severity of each threat based on the technical and business impacts, and prioritize the threats according to their risk level.
* Risk treatment: Select and implement appropriate risk treatment options for each threat, such as avoidance, mitigation, transfer, or acceptance.
The technical impact identification step is important because it helps to measure the extent of damage or harm that each threat can cause to the information system and its components. This step also helps to align the technical impacts with the business impacts and to support the risk assessment and risk treatment steps.
References:
1. CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 81.
Question 78
Which of the following cloud deployment models would BEST meet the needs of a startup software development organization with limited initial capital?
Correct Answer: D
Question 79
To support customer's verification of the CSP claims regarding their responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?
Correct Answer: A
Question 80
When mapping controls to architectural implementations, requirements define:
Correct Answer: B
Explanation: Requirements define control activities, which are the actions, processes, or mechanisms that are implemented to achieve the control objectives [1]. Control objectives are the targets or desired conditions to be met that are designed to ensure that policy intent is met [2]. Guidelines are the recommended practices or advice that provide flexibility in how to implement a policy, standard, or control [3]. Policies are the statements of management's intent that establish the direction, purpose, and scope of an organization's internal control system [4].
References:
1. COSO - Control Activities - Deloitte, section on Control Activities
2. Words Matter - Understanding Policies, Control Objectives, Standards ..., section on Control Objectives
3. Understanding Policies, Control Objectives, Standards, Guidelines ..., section on Guidelines
4. Internal Control Handbook, section on Policies