An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following should be the BEST recommendation to reduce the provider's burden?
Correct Answer: B
Explanation: The CSA STAR registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. The registry is based on the Cloud Controls Matrix (CCM), a framework of cloud-specific security best practices, and the GDPR Code of Conduct, a set of privacy principles for cloud service providers. The registry allows cloud customers to assess the security and compliance posture of cloud service providers and to compare providers based on their level of assurance. It also reduces the complexity and cost of filling out multiple customer questionnaires and requests for proposal (RFPs). Therefore, the best recommendation to reduce the provider's burden is to direct all customer inquiries to the information in the CSA STAR registry, which demonstrates the provider's transparency, trustworthiness, and adherence to industry standards. The provider can also encourage customers to use the Consensus Assessments Initiative Questionnaire (CAIQ), a standardized set of questions based on the CCM, to evaluate the provider's security controls. Alternatively, the provider can pursue higher levels of assurance, such as third-party audits or continuous monitoring, to further validate its security and privacy practices and increase customer confidence.
References: STAR Registry | CSA; STAR | CSA; CSA Security Trust Assurance and Risk (STAR) Registry Reaches Notable ...; Why CSA STAR Is Important for Cloud Service Providers - A-LIGN
CCAK Exam Question 72
All cloud services utilize virtualization technologies.
Correct Answer: B
CCAK Exam Question 73
Which of the following defines the criteria designed by the American Institute of Certified Public Accountants (AICPA) to specify trusted services?
Correct Answer: D
CCAK Exam Question 74
Which of the following would be the MOST critical finding of an application security and DevOps audit?
Correct Answer: C
CCAK Exam Question 75
What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?
Correct Answer: B
Explanation: Dynamic application security testing (DAST) is a method of testing the security of an application by simulating attacks from an external source. DAST does not require access to the source code or binaries of the application, unlike static application security testing (SAST), which analyzes the code for vulnerabilities. DAST is therefore a black box testing technique: it needs no knowledge of the internal structure, design, or implementation of the application. DAST is also programming language agnostic, meaning it can test applications written in any language, framework, or platform, which makes it more flexible and adaptable to different types of applications and environments. However, DAST also has limitations, such as being slower, less accurate, and more dependent on the availability and configuration of the running application.
References: SAST vs. DAST: What's the Difference?; SAST vs DAST: What's the Difference?; SAST vs. DAST: Enhancing application security