Who is responsible for the security of the physical infrastructure and virtualization platform?
Correct Answer: A
Question 17
A cloud auditor observed that just before a new software went live, the librarian transferred production data to the test environment to confirm the new software can work in the production environment. What additional control should the cloud auditor check?
Correct Answer: B
The cloud auditor should check if there is explicit documented approval from all customers whose data is affected by the transfer of production data to the test environment. This is because production data may contain sensitive or personal information that is subject to privacy and security regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Therefore, using production data for testing purposes without the consent of the data owners may violate their rights and expose the organization to legal and reputational risks. This is also stated in the Cloud Controls Matrix (CCM) control DSI-04: Production / Non-Production Environments12, which is part of the Data Security & Information Lifecycle Management domain. The CCM is a cybersecurity control framework for cloud computing that can be used by cloud customers to build an operational cloud risk management program. The other options are not directly related to the question. Option A, approval of the change by the change advisory board, refers to the process of reviewing and authorizing changes to the system or software before they are implemented in the production environment. This is a good practice for ensuring the quality and reliability of the system or software, but it does not address the issue of using production data for testing purposes. Option C, training for the librarian, refers to the process of providing adequate education and awareness to the staff who are responsible for managing and transferring data between different environments. This is a good practice for ensuring the competence and accountability of the staff, but it does not address the issue of obtaining consent from the data owners. Option D, verification that the hardware of the test and production environments are compatible, refers to the process of ensuring that the system or software can run smoothly and consistently on both environments. This is a good practice for ensuring the performance and functionality of the system or software, but it does not address the issue of protecting the privacy and security of the production data. References := * Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 6: Cloud Security Controls * Cloud Controls Matrix (CCM) - CSA3 * DSI-04: Production / Non-Production Environments - CSF Tools - Identity Digital1 * DSI: Data Security & Information Lifecycle Management - CSF Tools - Identity Digital
Question 18
SAST testing is performed by:
Correct Answer: A
Explanation SAST analyzes application code offline. SAST is generally a rules-based test that will scan software code for items such as credentials embedded into application code and a test of input validation, both of which are major concerns for application security.
Question 19
REST APIs are the standard for web-based services because they run over HTTPS and work well across diverse environments.
Correct Answer: A
Question 20
Which of the following is NOT a cloud computing characteristic that impacts incidence response?
