A. Plan --> Develop --> Release
B. Deploy --> Monitor --> Audit
C. Initiation --> Execution --> Monitoring and Controlling
D. Preparation --> Execution --> Peer Review and Publication
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization's DevOps pipeline?
A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
A. Internal policies and technical standards
B. Risk scoring criteria
C. Applicable laws and regulations
D. Risk appetite and budget constraints
To support customers' verification of a CSP's claims regarding its responsibilities under the shared responsibility model, which of the following tools and techniques is appropriate?
A. Contractual agreement
B. Internal audit
C. External audit
D. Security assessment
The BEST method to report continuous assessment of a cloud provider's services to the CSA is through:
A. a set of dedicated application programming interfaces (APIs).
B. SOC 2 Type 2 attestation.
C. CCM assessment by a third-party auditor on a periodic basis.
D. tools selected by the third-party auditor.
With regard to the Cloud Control Matrix (CCM), the ‘Architectural Relevance’ is a feature that enables the filtering of security controls by:
A. relevant architecture frameworks such as the NIST Enterprise Architecture Model, the Federal Enterprise Architecture Framework (FEAF), The Open Group Architecture Framework (TOGAF), and the Zachman Framework for Enterprise Architecture.
B. relevant delivery models such as Software as a Service, Platform as a Service, Infrastructure as a Service.
C. relevant architectural paradigms such as Client-Server, Mainframe, Peer-to-Peer, and SmartClient-Backend.
D. relevant architectural components such as Physical, Network, Compute, Storage, Application, and Data.
In cloud computing, with whom does the responsibility and accountability for compliance lie?
A. The cloud service provider is responsible and accountable for compliance.
B. The cloud service provider is responsible for compliance, and the cloud service customer is accountable.
C. The cloud service customer is responsible and accountable for compliance.
D. The cloud service customer is responsible for compliance, and the cloud service provider is accountable.
Which of the following is a corrective control that may be identified in a SaaS service provider?
A. Log monitoring
B. Penetration testing
C. Incident response plans
D. Vulnerability scan
Which of the following configuration change controls is acceptable to a cloud auditor?
A. Development, test and production are hosted in the same network environment.
B. Programmers have permanent access to production software.
C. The Head of Development approves changes requested to production.
D. Programmers cannot make uncontrolled changes to the source code production version.
A. The violation is agreed upon and documented.
B. Nothing can be done to enforce violations as this is a cloud service.
C. The violation is agreed to verbally by the CSP.
D. Violations will be automatically enforced so no action is needed.
Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Isaca exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CCAK exam preparation and Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions here.