The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?
Correct Answer: C
CCAK Exam Question 32
During a review, an IS auditor notes that an organization's marketing department has purchased a cloud-based software application without following the procurement process. What should the auditor do FIRST?
Correct Answer: B
CCAK Exam Question 33
How does running applications on distinct virtual networks and only connecting networks as needed help?
Correct Answer: C
CCAK Exam Question 34
In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:
Correct Answer: B
Explanation: In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in both the operating system and the application infrastructure contained within the customer's instances. IaaS is a cloud service model that provides customers with access to virtualized computing resources, such as servers, storage, and networks, hosted by a cloud service provider (CSP). The customer is responsible for installing, configuring, and maintaining the operating system and application software on the virtual machines, while the CSP is responsible for managing the underlying physical infrastructure. Therefore, a vulnerability assessment scans the customer's instances to detect weaknesses or misconfigurations in the operating system and application layers that may expose them to potential threats. A vulnerability assessment can help the customer prioritize and remediate the identified vulnerabilities and comply with relevant security standards and regulations.
References: Azure Security Control - Vulnerability Management | Microsoft Learn; How to Implement Enterprise Vulnerability Assessment - Gartner.
CCAK Exam Question 35
Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?
Correct Answer: B
Explanation: An independent auditor report is a method that can be used by a cloud service provider (CSP) with a cloud customer that does not want to share security and control information. An independent auditor report is a document that provides assurance on the CSP's security and control environment, based on an audit conducted by a qualified third-party auditor. The audit can be based on various standards or frameworks, such as ISO 27001, SOC 2, or CSA STAR. The independent auditor report gives the cloud customer the information needed to evaluate the CSP's security and control posture without disclosing sensitive or proprietary details. The CSP can also use the independent auditor report to demonstrate compliance with relevant regulations or contractual obligations.
References: ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, pp. 83-84; ISACA, Cloud Computing Audit Program, 2019, pp. 6-7.