Which concept is a mapping of an identity, including roles, personas, and attributes, to an authorization?
Correct Answer: C
Question 37
The BEST way to deliver continuous compliance in a cloud environment is to:
Correct Answer: C
Continuous auditing is a method of auditing that provides assurance on the current state of controls and compliance in a cloud environment, rather than relying on periodic snapshots or attestations. Continuous auditing can leverage continuous monitoring data and automated tools to collect and analyze evidence of compliance, as well as alert auditors and stakeholders of any deviations or issues. Continuous auditing can complement point-in-time assurance approaches, such as certifications or audits, by providing more timely and frequent feedback on the effectiveness of controls and compliance in a cloud environment. References := * ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 821 * ISACA, Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam, 2021, p. 30
Question 38
Why should the results of third-party audits and certification be relied on when analyzing and assessing the cybersecurity risks in the cloud?
Correct Answer: B
Explanation One possible reason why the results of third-party audits and certification should be relied on when analyzing and assessing the cybersecurity risks in the cloud is to contrast the risk generated by the loss of control. When an organization moves its data and processes to the cloud, it inevitably loses some degree of control over its security and compliance posture, as it depends on the cloud service provider (CSP) to implement and maintain adequate security measures and controls1 This loss of control can increase the organization's exposure to various cybersecurity risks, such as data breaches, unauthorized access, denial of service, malware infection, etc2 To mitigate these risks, the organization needs to have a clear understanding of the security and compliance level of the CSP, as well as the shared responsibility model that defines the roles and responsibilities of both parties3 Third-party audits and certification can provide some level of assurance that the CSP meets certain standards and requirements related to security and compliance, such as ISO/IEC 27001, CSA STAR, SOC 2, etc. These audits and certification can also help the organization compare and contrast the security posture of different CSPs in the market, as well as identify any gaps or weaknesses that need to be addressed or compensated. Therefore, relying on the results of third-party audits and certification can help the organization contrast the risk generated by the loss of control in the cloud, and make informed decisions about selecting and managing its cloud services. References: 1: Security in the Cloud: Are Audits and Certifications Really Enough?3 2: Understanding The Third-Party Impact On Cybersecurity Risk - Forbes2 3: Open Certification Framework | CSA - Cloud Security Alliance : Reducing Cybersecurity Security Risk From and to Third Parties - ISACA1 : Why your cloud services need the CSA STAR Registry listing
Question 39
Your cloud and on-premisesinfrastructures should always use the same network address ranges.
Correct Answer: B
Question 40
An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?
Correct Answer: A
Explanation According to the ISACA CCAK Study Guide, the auditor should report the findings to the management of the organization being audited, as they are the primary stakeholders and decision makers for the cloud service. The management is responsible for ensuring that the cloud service meets the requirements and expectations of the community, as well as complying with any relevant laws and regulations. The auditor should also communicate the findings to the cloud service provider, as they are the secondary stakeholders and service providers for the cloud service. The cloud service provider should be aware of any issues or gaps identified by the auditor and work with the management to resolve them. The auditor should not report the findings to the public, shareholders, or interested parties, as they are not directly involved in the cloud service or its governance. The auditor should respect the confidentiality and privacy of the community and its data, and only disclose the findings to those who have a legitimate need to know. References := ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 971 ISACA, Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam, 2021, p. 36
