매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
Certificate of Cloud Auditing Knowledge 온라인 연습
최종 업데이트 시간: 2025년06월06일
당신은 온라인 연습 문제를 통해 ISACA CCAK 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 CCAK 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 76개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
A dot release of the Cloud Controls Matrix (CCM) indicates a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release. A dot release is a minor update to the CCM that reflects the feedback from the cloud security community and the changes in the cloud technology landscape. A dot release does not change the domain structure or the overall scope of the CCM, but rather improves the clarity, accuracy, and relevance of the existing controls. A dot release is denoted by a decimal number after the major version number, such as CCM v4.1 or CCM v4.2. The current version of the CCM is v4.0, which was released in October 20211.
The other options are incorrect because:
A. a revision of the CCM domain structure: A revision of the CCM domain structure is a major change that affects the organization and categorization of the controls into different domains. A revision of the CCM domain structure requires a full release, not a dot release, and is denoted by an integer number, such as CCM v3 or CCM v42.
C. the introduction of new control frameworks mapped to previously published CCM controls: The introduction of new control frameworks mapped to previously published CCM controls is an additional feature that enhances the usability and applicability of the CCM. The introduction of new control frameworks mapped to previously published CCM controls does not require a dot release or a full release, but rather an update to the mapping table that shows the relationship between the CCM controls and other industry-accepted security standards, regulations, and frameworks3.
D. technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release: A technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release is a significant change that affects the content and scope of the CCM. A technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release requires a full release, not a dot release, and is denoted by an integer number, such as CCM v3 or CCM v42.
Reference: Cloud Controls Matrix (CCM) - CSA
The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar
Cloud Security Alliance Releases New Cloud Controls Matrix Auditing Guidelines
정답:
Explanation:
A cloud service provider (CSP) providing cloud services currently being used by the United States federal government should obtain FedRAMP Authorization to assure compliance to stringent government standards. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to leverage the security assessments of CSPs that have been approved by FedRAMP, and establishes a baseline set of security controls for cloud computing, based on NIST SP 800-53. FedRAMP also helps CSPs to demonstrate their compliance with relevant laws and regulations, such as FISMA, FIPS, and NIST standards. FedRAMP Authorization can be obtained through two paths: a provisional authorization from the Joint Authorization Board (JAB) or an authorization from an individual agency12.
The other options are incorrect because:
A. CSA STAR Level Certificate: CSA STAR is a program for security assurance in the cloud that encompasses key principles of transparency, rigorous auditing, and harmonization of standards. CSA STAR Level Certificate is one of the certification options offered by CSA STAR, which is based on the ISO/IEC 27001 standard and the CSA Cloud Controls Matrix (CCM). CSA STAR Level Certificate is not specific to the US federal government standards, and does not guarantee compliance with FedRAMP requirements3.
B. Multi-Tier Cloud Security (MTCS) Attestation: MTCS is a cloud security standard developed by the Singapore government to provide greater clarity and transparency on the level of security offered by different CSPs. MTCS defines three levels of security controls for CSPs: Level 1, Level 2, and Level 3, with Level 3 being the most stringent. MTCS Attestation is a voluntary self-disclosure scheme for CSPs to declare their conformance to the MTCS standard. MTCS Attestation is not applicable to the US federal government standards, and does not ensure compliance with FedRAMP requirements4. C. ISO/IEC 27001:2013 Certification: ISO/IEC 27001 is a standard for information security management systems that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. ISO/IEC 27001 Certification is an independent verification that an organization conforms to the ISO/IEC 27001 standard. ISO/IEC 27001 Certification is not exclusive to cloud computing or the US federal government standards, and does not cover all aspects of FedRAMP requirements5.
Reference: Learn What FedRAMP is All About | FedRAMP | FedRAMP.gov How to Become FedRAMP Authorized | FedRAMP.gov STAR | CSA
Multi-Tiered Cloud Security Standard (MTCS SS)
ISO - ISO/IEC 27001 ― Information security management
정답:
Explanation:
The BSI Criteria Catalogue C5 is a document that has been provided by the Federal Office for Information Security (BSI) in Germany to support customers in selecting, controlling, and monitoring their cloud service providers (CSPs). The C5 stands for Cloud Computing Compliance Criteria Catalogue and specifies minimum requirements for secure cloud computing. The C5 is primarily intended for professional CSPs, their auditors, and customers of the CSPs. The C5 covers 17 domains and 114 control objectives that address all key aspects of cloud security, such as data protection, identity and access management, encryption and key management, incident response, audit assurance, and compliance. The C5 also maps to other industry-accepted security standards, regulations, and frameworks, such as ISO 27001/27002/27017/27018, NIST SP 800-53, CSA Cloud Controls Matrix (CCM), COBIT, GDPR, etc. The C5 helps customers to evaluate and compare the security and compliance posture of different CSPs, and to verify that the CSPs meet their contractual obligations and legal requirements12.
Reference: BSI - C5 criteria catalogue - Federal Office for Information Security Germany C5 - Azure Compliance | Microsoft Learn
정답:
Explanation:
The correct answer is
A. To providing a standardized approach to security and risk assessment. This is the main purpose of FedRAMP, which is a government-wide program that promotes the adoption of secure cloud services across the federal government. FedRAMP provides a standardized methodology for assessing, authorizing, and monitoring the security of cloud products and services, and enables agencies to leverage the security assessments of cloud service providers (CSPs) that have been approved by FedRAMP. FedRAMP also establishes a baseline set of security controls for cloud computing, based on NIST SP 800-53, and provides guidance and templates for implementing and documenting the controls1.
The other options are incorrect because:
B. To provide agencies of the federal government a dedicated tool to certify Authority to Operate (ATO): FedRAMP does not provide a tool to certify ATO, but rather a process to obtain a provisional ATO (P-ATO) from the Joint Authorization Board (JAB) or an agency ATO from a federal agency. ATO is the official management decision given by a senior official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls2.
C. To enable 3PAOs to perform independent security assessments of cloud service providers: FedRAMP does not enable 3PAOs to perform independent security assessments of CSPs, but rather requires CSPs to use 3PAOs for conducting independent security assessments as part of the FedRAMP process. 3PAOs are independent entities that have been accredited by FedRAMP to perform initial and periodic security assessments of CSPs’ systems and provide evidence of compliance with FedRAMP requirements3.
D. To publish a comprehensive and official framework for the secure implementation of controls for cloud security: FedRAMP does not publish a comprehensive and official framework for the secure implementation of controls for cloud security, but rather adopts and adapts the existing framework of NIST SP 800-53, which provides a catalog of security and privacy controls for federal information systems and organizations. FedRAMP tailors the NIST SP 800-53 controls to provide a subset of controls that are specific to cloud computing, and categorizes them into low, moderate, and high impact levels based on FIPS 1994.
Reference: Learn What FedRAMP is All About | FedRAMP | FedRAMP.gov
Guide for Applying the Risk Management Framework to Federal Information Systems - NIST Third Party Assessment Organizations (3PAO) | FedRAMP.gov
Security and Privacy Controls for Federal Information Systems and Organizations - NIST
정답:
Explanation:
Metrics around Platform as a Service (PaaS) development environments are frequently immature, as PaaS is a relatively new and evolving cloud service model that offers various tools and platforms for developing, testing, deploying, and managing cloud applications. PaaS metrics are often not well-defined, standardized, or consistent across different providers and platforms, and may not capture the full value and performance of PaaS services. PaaS metrics may also be difficult to measure, monitor, and compare, as they depend on various factors, such as the type, complexity, and quality of the applications, the level of customization and integration, the usage patterns and demand, and the security and compliance requirements. Therefore, PaaS metrics may not provide sufficient insight or assurance to cloud customers and auditors on the effectiveness, efficiency, reliability, and security of PaaS services12.
Reference: Cloud Computing Service Metrics Description - NIST Cloud KPIs You Need to Measure Success - VMware Blogs
정답:
Explanation:
When reviewing a third-party agreement with a cloud service provider, the greatest concern regarding customer data privacy is the return or destruction of information. This is because customer data may contain sensitive or personal information that needs to be protected from unauthorized access, use, or disclosure. The cloud service provider should have clear and transparent policies and procedures for returning or destroying customer data upon termination of the agreement or upon customer request. The cloud service provider should also provide evidence of the return or destruction of customer data, such as certificates of destruction, audit logs, or reports. The return or destruction of information should comply with applicable laws and regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Health Insurance Portability and Accountability Act (HIPAA). The cloud service provider should also ensure that any subcontractors or affiliates that have access to customer data follow the same policies and procedures12.
Reference: Cloud Services Agreements C Protecting Your Hosted Environment
CSP agreements, price lists, and offers - Partner Center
정답:
Explanation:
Transparent data encryption (TDE) is used for data and log files at rest. This means that TDE encrypts the database files on the disk and decrypts them when they are read into memory. TDE protects the data from unauthorized access or theft if the physical media, such as drives or backup tapes, are stolen or lost. TDE does not encrypt data across communication channels, data currently being processed, or data in random access memory (RAM). These types of data require different encryption methods, such as SSL/TLS, column encryption, or memory encryption12.
Reference: Transparent data encryption (TDE) - SQL Server | Microsoft Learn Transparent Data Encryption - Oracle Help Center
정답:
Explanation:
The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to ISO/IEC 27001 implementation. The CCM is a cybersecurity control framework for cloud computing that covers 17 domains and 197 control objectives that address all key aspects of cloud technology. ISO/IEC 27001 is a standard for information security management systems that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. The CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas1. The CSA STAR Certification is a third-party independent assessment of the security of a cloud service provider and provides a high level of assurance and trust to customers2.
Reference: CSA STAR Certification - Azure Compliance | Microsoft Learn STAR | CSA
정답:
Explanation:
The first step to switch from the ISO/IEC 27002 control framework to the NIST 800-53 control framework is to map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities. This step can help the organization to understand the similarities and differences between the two frameworks, and to identify which controls are already implemented, which controls need to be added or modified, and which controls are no longer applicable. Mapping can also help the organization to leverage the existing work done under ISO/IEC 27002 and avoid starting from scratch or discarding valuable information. Mapping can also help the organization to align with both frameworks, as they are not mutually exclusive or incompatible. In fact, NIST SP 800-53, Revision 5 provides a mapping table between NIST 800-53 and ISO/IEC 27001 in Appendix H-21. ISO/IEC 27001 is a standard for information security management systems that is based on ISO/IEC 27002, which is a code of practice for information security controls2.
Reference: NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001 ISO - ISO/IEC 27002:2013 - Information technology ― Security techniques ― Code of practice for information security controls
정답:
Explanation:
Using a standardized control framework enables auditors to conduct gap analyses of what a cloud service provider (CSP) offers versus what the customer requires. A standardized control framework is a set of guidelines, best practices, and criteria that help to evaluate and improve the security, privacy, and compliance of cloud computing environments. Examples of standardized control frameworks include ISO/IEC 27001/27002/27017/27018, NIST SP 800-53, CSA Cloud Controls Matrix (CCM), COBIT, etc. By using a standardized control framework, auditors can compare the CSP’s policies, procedures, and practices with the customer’s expectations and requirements, and identify any gaps or discrepancies that may pose risks or issues. A gap analysis can help the auditors to provide recommendations and suggestions to the CSP and the customer on how to close the gaps and enhance the quality and performance of the cloud services12.
Reference: Cloud Controls Matrix (CCM) - CSA
Cloud Computing Audit Program - ISACA
정답:
Explanation:
A security categorization of the information systems should be performed first to properly implement the NIST SP 800-53 r4 control framework in an organization. Security categorization is the process of determining the potential impact on organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from a loss of confidentiality, integrity, or availability of an information system and the information processed, stored, or transmitted by that system. Security categorization is based on the application of FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, which defines three levels of impact: low, moderate, and high. Security categorization is the first step in the Risk Management Framework (RMF) described in NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Security categorization helps to identify the security requirements for the information system and to select an initial set of baseline security controls from NIST SP 800-53 r4, Security and Privacy Controls for Federal Information Systems and Organizations. The baseline security controls can then be tailored and supplemented as needed to address specific organizational needs, risk factors, and compliance obligations12.
Reference: SP 800-53 Rev. 4, Security & Privacy Controls for Federal Info Sys … SP 800-37 Rev. 2, Risk Management Framework for Information …
정답:
Explanation:
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) would be the best information security control framework to implement for a new company that has all its operations in the cloud.
The CCM is a cybersecurity control framework for cloud computing that is aligned to the CSA best practices and is considered the de-facto standard for cloud security and privacy. The CCM covers 17 domains and 197 control objectives that address all key aspects of cloud technology, such as data security, identity and access management, encryption and key management, incident response, audit assurance, and compliance. The CCM also maps to other industry-accepted security standards, regulations, and frameworks, such as ISO 27001/27002/27017/27018, NIST SP 800-53, PCI DSS, COBIT, FedRAMP, etc., which can help the company to achieve multiple compliance goals with one framework. The CCM also provides guidance on the shared responsibility model between cloud service providers and cloud customers, and helps to define the organizational relevance of each control12.
Reference: Cloud Controls Matrix (CCM) - CSA
Cloud Controls Matrix and CAIQ v4 | CSA - Cloud Security Alliance
정답:
Explanation:
When developing a cloud compliance program, the primary reason for a cloud customer to determine how those services will fit within its policies and procedures is to ensure that the cloud services are aligned with the customer’s business objectives, risk appetite, and compliance obligations. Cloud services may have different characteristics, features, and capabilities than traditional on-premises services, and may require different or additional controls to meet the customer’s security and compliance requirements. Therefore, the customer needs to assess how the cloud services will fit within its existing policies and procedures, such as data classification, data protection, access management, incident response, audit, and reporting. The customer also needs to identify any gaps or conflicts between the cloud services and its policies and procedures, and implement appropriate measures to address them. By doing so, the customer can ensure that the cloud services are used in a secure, compliant, and effective manner12.
Reference: ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 19-20.
Cloud Compliance Frameworks: What You Need to Know
정답:
Explanation:
Risk appetite and budget constraints have the most substantial impact on how aggressive or conservative the cloud approach of an organization will be. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Budget constraints are the limitations on the financial resources that an organization can allocate to its cloud initiatives. Both factors influence the organization’s strategic decisions on which cloud service models, deployment models, providers, and solutions to adopt, as well as the level of security, compliance, and performance to achieve. An organization with a high risk appetite and a large budget may opt for a more aggressive cloud approach, such as moving critical applications and data to a public cloud provider, while an organization with a low risk appetite and a small budget may opt for a more conservative cloud approach, such as keeping sensitive information on-premises or using a private cloud provider12.
Reference: ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 17-18.
CSA, Cloud Controls Matrix (CCM) v4.0, 2021, p. 63.
정답:
Explanation:
The most important factor to consider when implementing cloud-related controls is the shared responsibility model. The shared responsibility model is a framework that defines the roles and responsibilities of cloud service providers (CSPs) and cloud customers (CCs) in ensuring the security and compliance of cloud computing environments. The shared responsibility model helps to clarify which security tasks are handled by the CSP and which tasks are handled by the CC, depending on the type of cloud service model (IaaS, PaaS, SaaS) and the specific contractual agreements. The shared responsibility model also helps to avoid gaps or overlaps in security controls, and to allocate resources and accountability accordingly12.
Reference: Shared responsibility in the cloud - Microsoft Azure
Understanding the Shared Responsibilities Model in Cloud Services - ISACA