What is below the waterline in the context of cloud operationalization?
Correct Answer: D
In the context of cloud operationalization, "below the waterline" refers to the aspects of cloud services that are managed and controlled by the cloud service provider (CSP) rather than the customer. This analogy is often used to describe the shared responsibility model in cloud computing, where the CSP is responsible for the infrastructure's security and stability, akin to the submerged part of an iceberg that supports the structure above water. The customer, on the other hand, is responsible for managing the controls and security measures "above the waterline," which include the applications, data, and access management they deploy in the cloud environment. References = The information provided is based on standard cloud computing models and the shared responsibility concept, which is a fundamental principle discussed in cloud auditing and security literature, including the CCAK curriculum and related resources1.
Question 107
It is MOST important for an auditor to be aware that an inventory of assets within a cloud environment:
Correct Answer: D
It is most important for an auditor to be aware that an inventory of assets within a cloud environment is fundamental for the security management program. An inventory of assets is a list of all the hardware, software, data, and services that are owned, used, or managed by an organization in the cloud. An inventory of assets helps the organization to identify, classify, and prioritize its cloud resources and to implement appropriate security controls and policies to protect them. An inventory of assets also helps the organization to comply with relevant regulations, standards, and contracts that may apply to its cloud environment.12 An auditor should be aware of the importance of an inventory of assets in the cloud because it provides a baseline for assessing the security posture and compliance status of the organization's cloud environment. An auditor can use the inventory of assets to verify that the organization has a clear and accurate understanding of its cloud resources and their characteristics, such as location, ownership, configuration, dependencies, vulnerabilities, and risks. An auditor can also use the inventory of assets to evaluate whether the organization has implemented adequate security measures and processes to protect its cloud resources from threats and incidents. An auditor can also use the inventory of assets to identify any gaps or weaknesses in the organization's security management program and to provide recommendations for improvement.34 References := Why is IT Asset Inventory Management Critical? - Fresh Security1; Use asset inventory to manage your resources' security posture2; The importance of asset inventory in cybersecurity3; The Importance Of Asset Inventory In Cyber Security And CMDB - Visore4
Question 108
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:
Correct Answer: C
Explanation An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards. The Scope Applicability direct mapping is a worksheet within the CCM that maps the CCM control specifications to several standards within the ISO/IEC 27000 series, such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, and ISO/IEC 27018. The mapping helps the organization to identify the commonalities and differences between the CCM and the ISO/IEC standards, and to determine the level of compliance with each standard based on the implementation of the CCM controls. The mapping also helps the organization to avoid duplication of work and to streamline the compliance assessment process.12 References := What you need to know: Transitioning CSA STAR for Cloud Controls Matrix ...1; Cloud Controls Matrix (CCM) - CSA3
Question 109
What legal documents should be provided to the auditors in relation to risk management?
Correct Answer: B
Contracts and SLAs are legal documents that define the roles, responsibilities, expectations, and obligations of both the cloud service provider (CSP) and the cloud customer. They also specify the terms and conditions for service delivery, performance, availability, security, compliance, data protection, incident response, dispute resolution, liability, and termination. An auditor should review these documents to assess the alignment of the CSP's services with the customer's business requirements and risk appetite, as well as to identify any gaps or inconsistencies that may pose legal risks. References: * ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 35-36 * Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v4.0, 2021, GRM-01: Contracts and SLAs
Question 110
Which of the following is the FIRST step of the Cloud Risk Evaluation Framework?
Correct Answer: D
The first step of the Cloud Risk Evaluation Framework is to identify key risk categories. Key risk categories are the broad areas or domains of cloud security and compliance that may affect the cloud service provider and the cloud service customer. Key risk categories may include data security, identity and access management, encryption and key management, incident response, disaster recovery, audit assurance and compliance, etc. Identifying key risk categories helps to scope and focus the cloud risk assessment process, as well as to prioritize and rank the risks based on their relevance and significance. Identifying key risk categories also helps to align and map the risks with the applicable standards, regulations, or frameworks that govern cloud security and compliance12. Analyzing potential impact and likelihood (A) is not the first step of the Cloud Risk Evaluation Framework, but rather the third step. Analyzing potential impact and likelihood is the process of estimating the consequences or effects of a risk event on the business objectives, operations, processes, or functions (impact), as well as the probability or frequency of a risk event occurring (likelihood). Analyzing potential impact and likelihood helps to measure and quantify the severity or magnitude of the risk event, as well as to prioritize and rank the risks based on their impact and likelihood12. Establishing cloud risk profile (B) is not the first step of the Cloud Risk Evaluation Framework, but rather the second step. Establishing cloud risk profile is the process of defining and documenting the expected level of risk that an organization is willing to accept or tolerate in relation to its cloud services (risk appetite), as well as the actual level of risk that an organization faces or encounters in relation to its cloud services (risk exposure). Establishing cloud risk profile helps to determine and communicate the objectives, expectations, and responsibilities of cloud security and compliance, as well as to align and integrate them with the business strategy and goals12. Evaluating and documenting the risks is not the first step of the Cloud Risk Evaluation Framework, but rather the fourth step. Evaluating and documenting the risks is the process of assessing and reporting on the effectiveness and efficiency of the controls or actions that are implemented or applied to prevent, avoid, transfer, or accept a risk event (risk treatment), as well as identifying and addressing any gaps or issues that may arise (risk monitoring). Evaluating and documenting the risks helps to ensure that the actual level of risk is aligned with the desired level of risk, as well as to update and improve the risk management strategy and plan12. References := * Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam * Cloud Risk-10 Principles and a Framework for Assessment - ISACA
