CCAK 시험 - ISACA실제시험문제와 답 - 76문항

Question No : 1

The MOST critical concept of managing the build and test of code in DevOps is:

A.continuous build.
B.continuous delivery.
C.continuous deployment.
D.continuous integration.

정답:
Explanation:
Reference: https://smartbear.com/blog/devops-testing-strategy-best-practices-tools/

Question No : 2

After finding a vulnerability in an internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite part of some files with random data.
In reference to the Top Threats Analysis methodology, how would you categorize the technical impact of this incident?

A.As an integrity breach
B.As control breach
C.As an availability breach
D.As a confidentiality breach

정답:

Question No : 3

To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

A.develop a cloud audit plan on the basis of a detailed risk assessment.
B.schedule the audits and monitor the time spent on each audit.
C.train the cloud audit staff on current technology used in the organization.
D.monitor progress of audits and initiate cost control measures.

정답:
Explanation:
It delivers value to the organization are the resources and efforts being dedicated to, and focused on, the higher-risk areas.

Question No : 4

An independent contractor is assessing security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all their products using the cloud services provided by a third-party cloud service provider (CSP) .
What is the optimal and most efficient mechanism to assess the controls CSP is responsible for?

A.Review third-party audit reports.
B.Review CSP’s published questionnaires.
C.Directly audit the CS
D.Send supplier questionnaire to the CS

정답:
Explanation:
Reference: https://www.sapidata.sm/img/cms/CAIQ_v3-1_2020-01-13.pdf

Question No : 5

In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

A.both operating system and application infrastructure contained within the CSP’s instances.
B.both operating system and application infrastructure contained within the customer’s instances
C.only application infrastructure contained within the CSP’s instances.
D.only application infrastructure contained within the customer’s instances.

정답:

Question No : 6

A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel .
Which access control method will allow IT personnel to be segregated across the various locations?

A.Role Based Access Control
B.Attribute Based Access Control
C.Policy Based Access Control
D.Rule Based Access Control

정답:

Question No : 7

Which of the following is a corrective control that may be identified in a SaaS service provider?

A.Log monitoring
B.Penetration testing
C.Incident response plans
D.Vulnerability scan

정답:

Question No : 8

In all three cloud deployment models, (IaaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

A.Cloud service customer
B.Shared responsibility
C.Cloud service provider
D.Patching on hypervisor layer is not required

정답:

Question No : 9

What areas should be reviewed when auditing a public cloud?

A.Patching, source code reviews, hypervisor, access controls
B.Identity and access management, data protection
C.Patching, configuration, hypervisor, backups
D.Vulnerability management, cyber security reviews, patching

정답:

Question No : 10

One of the Cloud Control Matrix’s (CCM’s) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.”
Which of the following controls under the Audit Assurance and Compliance domain does this match to?

A.Audit planning
B.Information system and regulatory mapping
C.GDPR auditing
D.Independent audits

정답:

Question No : 11

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?

A.Blue team
B.White box
C.Gray box
D.Red team

정답:
Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/planning-for-information-security-testinga-practical-approach

Question No : 12

Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?

A.Design
B.Stakeholder identification
C.Development
D.Risk assessment

정답:

Question No : 13

You have been assigned the implementation of an ISMS, whose scope must cover both on premise and cloud infrastructure .
Which of the following is your BEST option?

A.Implement ISO/IEC 27002 and complement it with additional controls from the CC
B.Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27017.
C.Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27002.
D.Implement ISO/IEC 27001 and complement it with additional controls from the NIST SP 800-145.

정답:

Question No : 14

Which plan will guide an organization on how to react to a security incident that might occur on the organization’s systems, or that might be affecting one of their service providers?

A.Incident Response Plans
B.Security Incident Plans
C.Unexpected Event Plans
D.Emergency Incident Plans

정답:

Question No : 15

Which of the following contract terms is necessary to meet a company’s requirement that needs to move data from one CSP to another?

A.Drag and Drop
B.Lift and shift
C.Flexibility to move
D.Transition and data portability

정답:
Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/data-owners-responsibilities-when-migrating-to-the-cloud

ISACA CCAK 시험