CCAK Isaca Certificate of Cloud Auditing Knowledge Free Practice Exam Questions (2025 Updated)

A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours is an example of availability technical impact. Availability is the protection of data and services from disruption or denial, and it is one of the three dimensions of information security, along with confidentiality and integrity. Availability technical impact refers to the extent of damage or harm that a threat can cause to the availability of the information system and its components, such as servers, networks, applications, and data. A DDoS attack is a malicious attempt to overwhelm a target system with a large volume of traffic or requests from multiple sources, making it unable to respond to legitimate requests or perform its normal functions. A DDoS attack can cause a significant availability technical impact by rendering the customer’s cloud inaccessible for a prolonged period of time, resulting in loss of productivity, revenue, customer satisfaction, and reputation. References := CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 81; What is a DDoS Attack? | Cloudflare

The Egregious 11 refers to a list of top threats to cloud computing, as published by the Cloud Security Alliance (CSA) in 2019. The CSA is a leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment. The Egregious 11 report ranks the most critical and pressing cloud security issues, such as data breaches, misconfigurations, insufficient identity and access management, and account hijacking. The report also provides recommendations for security, compliance, risk and technology practitioners to mitigate these threats. The Egregious 11 is based on a survey of industry experts and a review of current literature and media reports. The report is intended to raise awareness of the risks and challenges associated with cloud computing and promote strong security practices.12 References := CCAK Study Guide, Chapter 5: Cloud Auditing, page 961; CSA Top Threats to Cloud Computing: Egregious 11

Role-based access control (RBAC) is a method of restricting access to resources based on the roles of individual users within an organization1 RBAC can help ensure adequate restriction on the number of people who can access the pipeline production environment, as it can limit the permissions and actions that each user can perform on the pipeline resources, such as code, secrets, environments, etc. RBAC can also help enforce the principle of least privilege, which states that users should only have the minimum level of access required to perform their tasks2

The other options are not correct because:

Option A is not correct because ensuring segregation of duties in the production and development pipelines is not sufficient to ensure adequate restriction on the number of people who can access the pipeline production environment. Segregation of duties is a practice that aims to prevent fraud, errors, or conflicts of interest by dividing responsibilities among different people or teams3 However, segregation of duties does not necessarily limit the number of people who can access the pipeline resources, as it depends on how the roles and permissions are defined and assigned. Segregation of duties is also more relevant for preventing unauthorized changes or deployments to the production environment, rather than restricting access to it4

Option B is not correct because periodic review of the continuous integration and continuous delivery (CI/CD) pipeline audit logs to identify any access violations is not a proactive measure to ensure adequate restriction on the number of people who can access the pipeline production environment. Audit logs are records of events or activities that occur within a system or process5 Audit logs can help monitor and detect any unauthorized or suspicious access to the pipeline resources, but they cannot prevent or restrict such access in the first place. Audit logs are also dependent on the frequency and quality of the review process, which may not be timely or effective enough to mitigate the risks of access violations6

Option D is not correct because separation of production and development pipelines is not a direct way to ensure adequate restriction on the number of people who can access the pipeline production environment. Separation of production and development pipelines is a practice that aims to isolate and protect the production environment from any potential errors, bugs, or vulnerabilities that may arise from the development process. However, separation of pipelines does not automatically imply restriction of access, as it depends on how the roles and permissions are configured for each pipeline. Separation of pipelines may also introduce challenges such as synchronization, coordination, and communication among the pipeline teams and stakeholders.

References: 1: Wikipedia. Role-based access control - Wikipedia. [Online]. Available: 1. [Accessed: 14-Apr-2023]. 2: Microsoft Learn. Set pipeline permissions - Azure Pipelines | Microsoft Learn. [Online]. Available: 1. [Accessed: 14-Apr-2023]. 3: Investopedia. Segregation Of Duties Definition - Investopedia.com Blog. [Online]. Available: . [Accessed: 14-Apr-2023]. 4: Cider Security. Insufficient PBAC (Pipeline-Based Access Controls) - Cider Security Blog. [Online]. Available: . [Accessed: 14-Apr-2023]. 5: Wikipedia. Audit trail - Wikipedia. [Online]. Available: . [Accessed: 14-Apr-2023]. 6: Microsoft Learn. Securing Azure Pipelines - Azure Pipelines | Microsoft Learn. [Online]. Available: . [Accessed: 14-Apr-2023]. : AWS DevOps Blog. How to implement CI/CD with AWS CodePipeline - AWS DevOps Blog | Amazon Web Services Blog. [Online]. Available: . [Accessed: 14-Apr-2023]. : LambdaTest. What Is Parallel Testing? with Example - LambdaTest Blog. [Online]. Available: . [Accessed: 14-Apr-2023].

Regarding suppliers of a cloud service provider, it is most important for the auditor to be aware that the client organization has a clear understanding of the provider’s suppliers. This is because cloud services often involve multiple parties in the supply chain, such as cloud providers, sub-providers, brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering the cloud services and ensuring their quality, security, and compliance. Therefore, it is essential for the client organization to have visibility and assurance of the performance and compliance of the provider’s suppliers and to establish clear and transparent agreements with them regarding their roles, responsibilities, expectations, and obligations.12

An auditor should be aware of the importance of the client organization’s understanding of the provider’s suppliers because it provides a basis for assessing the risks and challenges associated with outsourcing services to a cloud provider and its supply chain. An auditor can use the client organization’s understanding of the provider’s suppliers to verify that the client organization has conducted a thorough due diligence of the provider’s suppliers and their capabilities, qualifications, certifications, and reputation. An auditor can also use the client organization’s understanding of the provider’s suppliers to evaluate whether the client organization has implemented adequate controls and processes to monitor, audit, or verify the security and compliance status of their cloud services and data across the supply chain. An auditor can also use the client organization’s understanding of the provider’s suppliers to identify any gaps or weaknesses in the client organization’s security management program and to provide recommendations for improvement.34

References := Practical Guide to Cloud Service Agreements Version 2.01; HIDDEN INTERDEPENDENCIES BETWEEN INFORMATION AND ORGANIZATIONAL …2; Cloud Computing: The Audit Challenge - ISACA3; Cloud Computing: Audit Considerations - AICPA4

 The best approach for an auditor to review the operating effectiveness of the password requirement is to review the configuration settings on the Configuration Management (CM) tool and verify that the CM tool agents are functioning correctly on the VMs. This method ensures that the password policies are being enforced as intended and that the CM tool is effectively managing the configurations across the organization’s virtual machines. It provides a balance between relying solely on automated tools and manual verification processes.

References = This approach is supported by best practices in cloud security and auditing, which recommend a combination of automated tools and manual checks to ensure the effectiveness of security controls123. The use of CM tools for enforcing password policies is a common practice, and their effectiveness must be regularly verified to maintain the security posture of cloud services.

 A DDoS attack renders the customer’s cloud inaccessible for 24 hours, resulting in millions in lost sales is an example of financial business impact. Financial business impact refers to the extent of damage or harm that a threat can cause to the financial objectives and performance of the organization, such as revenue, profit, cash flow, or market share. A DDoS attack can cause a significant financial business impact by disrupting the normal operations and transactions of the organization, leading to loss of sales, customers, contracts, or opportunities. According to a report by Kaspersky, the average cost of a DDoS attack for small and medium-sized businesses (SMBs) was $123,000 in 2019, while for enterprises it was $2.3 million.1 Therefore, it is important for organizations to implement appropriate security measures and contingency plans to prevent or mitigate the effects of a DDoS attack. References := The Future of Finance and the Global Economy: Facing Global … - IMF2; Kaspersky: Cost of a DDoS Attack1

Establishing ownership and accountability most enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization’s cloud compliance program. Cloud compliance refers to the principle that cloud-delivered systems must comply with the standards required by their customers. Compliance requirements may include data protection regulations such as HIPAA, PCI DSS, GDPR, ISO/IEC 27001, NIST, and SOX. A cloud compliance program is a set of policies, procedures, and controls that help an organization to achieve and maintain compliance with these requirements12.

A cloud compliance program involves identifying, assessing, prioritizing, and mitigating the risks associated with using cloud services. To effectively manage these risks, an organization needs to establish ownership and accountability for each risk and its remediation. Ownership and accountability mean assigning clear roles and responsibilities to the internal stakeholders who are involved in the cloud compliance program, such as the cloud service provider, the cloud customer, the cloud users, the cloud auditors, and the cloud regulators. By doing so, an organization can ensure that the internal stakeholders have the authority, resources, and incentives to make timely and informed decisions for the remediation of risks123.

The other options are not the most effective ways to enhance the internal stakeholder decision-making process for the remediation of risks. Option A, automating risk monitoring and reporting processes, is a good practice for improving the efficiency and accuracy of the cloud compliance program, but it does not address the issue of who is responsible for making decisions based on the monitoring and reporting results. Option B, reporting emerging threats to senior stakeholders, is a good practice for increasing the awareness and visibility of the cloud compliance program, but it does not address the issue of how to prioritize and respond to the emerging threats. Option D, monitoring key risk indicators (KRIs) for multi-cloud environments, is a good practice for measuring and tracking the performance and effectiveness of the cloud compliance program, but it does not address the issue of how to align and coordinate the decisions across different cloud environments123. References :=

Cloud Compliance Frameworks: What You Need to Know1

Cloud Compliance: What It Is + 8 Best Practices for Improving It2

Cloud Computing: Auditing Challenges - ISACA

Credential scanning is a technique that can be used to detect and prevent the exposure of access keys and other sensitive information in the source code or any other configuration files during development. Credential scanning tools can scan the code repositories, files, and commits for any hardcoded credentials, such as access keys, passwords, tokens, certificates, and connection strings. They can also alert the developers or security teams of any potential leaks and suggest remediation actions, such as rotating or revoking the compromised keys, removing the credentials from the code, or using secure storage mechanisms like vaults or environment variables. Credential scanning can be integrated into the development pipeline as part of the continuous integration and continuous delivery (CI/CD) process, or performed periodically as a security audit. Credential scanning can help reduce the risk of credential leakage, which can lead to unauthorized access, data breaches, or account compromise. References:

Protecting Source Code in the Cloud with DSPM

Best practices for managing service account keys

Protect your code repository

A centralized risk and controls dashboard is the best option for ensuring a coordinated approach to risk and control processes when duties are split between an organization and its cloud service providers. This dashboard provides a unified view of risk and control status across the organization and the cloud services it utilizes. It enables both parties to monitor and manage risks effectively and ensures that control activities are aligned and consistent. This approach supports proactive risk management and facilitates communication and collaboration between the organization and the cloud service provider.

References = The concept of a centralized risk and controls dashboard is supported by the Cloud Security Alliance (CSA) and ISACA, which emphasize the importance of visibility and coordination in cloud risk management. The CCAK materials and the Cloud Controls Matrix (CCM) provide guidance on establishing such dashboards as a means to manage and mitigate risks in a cloud environment12.

 Dynamic application security testing (DAST) is a method of testing the security of an application by simulating attacks from an external source. DAST does not require access to the source code or binaries of the application, unlike static application security testing (SAST), which analyzes the code for vulnerabilities. Therefore, DAST is a black box testing technique, meaning that it does not need any knowledge of the internal structure, design, or implementation of the application. DAST is also programming language agnostic, meaning that it can test applications written in any language, framework, or platform. This makes DAST more flexible and adaptable to different types of applications and environments. However, DAST also has some limitations, such as being slower, less accurate, and more dependent on the availability and configuration of the application. References:

SAST vs. DAST: What’s the Difference?

SAST vs DAST: What’s the Difference?

SAST vs. DAST: Enhancing application security

The three main phases of the Cloud Controls Matrix (CCM) mapping methodology are preparation, execution, and peer review and publication. The CCM mapping methodology is a process to map the CCM controls to other standards, regulations, or frameworks that are relevant for cloud security. The mapping helps to identify the commonalities and differences between the CCM and the other standards, regulations, or frameworks, and to provide guidance for cloud service providers and customers on how to achieve compliance with multiple requirements using the CCM. The mapping methodology consists of the following phases1:

Preparation: This phase involves defining the scope, objectives, and deliverables of the mapping project, as well as identifying the stakeholders, resources, and tools needed. This phase also includes conducting a preliminary analysis of the CCM and the other standard, regulation, or framework to be mapped, and establishing the mapping criteria and rules.

Execution: This phase involves performing the actual mapping of the CCM controls to the other standard, regulation, or framework using a spreadsheet template. This phase also includes documenting the mapping results, providing explanations and justifications for each mapping decision, and resolving any issues or conflicts that may arise during the mapping process.

Peer Review and Publication: This phase involves validating and verifying the quality and accuracy of the mapping results by conducting a peer review with subject matter experts from both the CCM working group and the other standard, regulation, or framework organization. This phase also includes finalizing and publishing the mapping document as a CSA artifact, and communicating and promoting the mapping to the relevant audiences.

References := Methodology for the Mapping of the Cloud Controls Matrix1

Shadow IT refers to the use of IT resources (hardware, software, or cloud services) within an organization without the explicit approval of the IT or governance team. This practice is often flagged in cloud audits due to potential risks of compliance violations and security threats. The CCAK documentation from ISACA highlights the need for visibility and governance over all IT assets, with specific controls listed in the CSA CCM for Cloud Governance (GOV-09). Shadow IT poses risks to data security, compliance, and can introduce vulnerabilities, as systems are not subject to organizational standards and oversight.

=========================

Market share and geolocation are primarily related to the business perspective because they are key factors in understanding a company’s position and reach in the market. Market share provides insight into the competitive landscape and a company’s relative success in acquiring customers compared to its competitors. Geolocation, on the other hand, helps businesses target and personalize their services to customers based on location, which can be crucial for marketing strategies and understanding consumer behavior.

References = The relevance of market share and geolocation to the business perspective is highlighted in resources provided by ISACA and the Cloud Security Alliance (CSA). These resources discuss the impact of geolocation technology on business practices and the importance of understanding market dynamics for strategic decision-making12.

 The best way for the organization to take advantage of the supplier relationship feature of the Cloud Controls Matrix (CCM) is to leverage this feature to enable a smarter selection of the next cloud provider. The supplier relationship feature is a column in the CCM spreadsheet that indicates whether a control is influenced by contractual agreements between the cloud service provider and the cloud customer. This feature can help the organization to identify and compare the security and compliance capabilities of different cloud providers, as well as to negotiate and customize the terms of service (TOS) and service level agreements (SLA) according to their needs and requirements123.

The other options are not the best ways to use the supplier relationship feature. Option A, filter out only those controls directly influenced by contractual agreements, is not a good way to use the feature because it would exclude other important controls that are not influenced by contractual agreements, but still relevant for cloud security and governance. Option B, leverage this feature to enable the adoption of the Shared Responsibility Model, is not a good way to use the feature because the Shared Responsibility Model is defined by another column in the CCM spreadsheet, which indicates whether a control is applicable to the cloud service provider or the cloud customer. Option C, filter out only those controls having a direct impact on current TOS and SLA, is not a good way to use the feature because it would exclude other controls that may have an indirect or potential impact on the TOS and SLA, or that may be subject to change or negotiation in the future. References :=

What is CAIQ? | CSA - Cloud Security Alliance1

Understanding the Cloud Control Matrix | CloudBolt Software3

Cloud Controls Matrix (CCM) - CSA2

 When establishing cloud governance, an organization should first test by migrating a few applications to the cloud. Cloud governance is the process of defining and implementing policies, procedures, standards, and controls to ensure the effective, efficient, secure, and compliant use of cloud services. Cloud governance requires a clear understanding of the roles, responsibilities, expectations, and objectives of both the cloud service provider and the cloud customer, as well as the alignment of the cloud strategy with the business strategy. Cloud governance also involves monitoring, measuring, and reporting on the performance, availability, security, compliance, and cost of cloud services.

Migrating a few applications to the cloud can help an organization to test and validate its cloud governance approach before scaling up to more complex or critical applications. Migrating a few applications can also help an organization to:

Identify and prioritize the business requirements, risks, and benefits of moving to the cloud.

Assess the readiness, suitability, and compatibility of the applications for the cloud.

Choose the appropriate cloud service model (such as SaaS, PaaS, or IaaS) and deployment model (such as public, private, hybrid, or multi-cloud) for each application.

Define and implement the necessary security, compliance, privacy, and data protection measures for each application.

Establish and enforce the roles and responsibilities of the cloud governance team and other stakeholders involved in the migration process.

Develop and execute a migration plan that includes testing, validation, verification, and rollback procedures for each application.

Monitor and measure the performance, availability, security, compliance, and cost of each application in the cloud.

Collect feedback and lessons learned from the migration process and use them to improve the cloud governance approach.

Migrating a few applications to the cloud can also help an organization to avoid some common pitfalls and challenges of cloud migration, such as:

Migrating legacy or incompatible applications that require significant re-engineering or refactoring to work in the cloud.

Migrating all applications at once without proper planning, testing, or governance, which can result in operational disruptions, data loss, security breaches, or compliance violations.

Migrating complex or critical applications without adequate testing or governance, which can increase the risk of failure or downtime.

Migrating applications without considering the impact on the end-users or customers, who may experience changes in functionality, performance, usability, or accessibility.

Therefore, migrating a few applications to the cloud is a recommended best practice for establishing cloud governance. It can help an organization to gain experience and confidence in using cloud services while ensuring that its cloud governance approach is effective, efficient, secure, and compliant.

References:

Migration environment planning checklist - Cloud Adoption Framework

Cloud Governance: What You Need To Know - Forbes

Cloud Governance: A Comprehensive Guide - BMC Blogs

Regression testing is a type of software testing that confirms that a recent program or code change has not adversely affected existing features1 It involves re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change2 Regression testing is suitable for large code sets in environments where time to completion is critical, as it can help detect and prevent defects, improve quality, and enable faster delivery of secure software. Regression testing can be automated to reduce manual errors, speed up feedback loops, and increase efficiency and reliability3

The other options are not correct because:

Option A is not correct because parallel testing is a type of software testing that involves testing multiple applications or subsystems concurrently to reduce the test time4 Parallel testing does not necessarily ensure the integration of security testing, as it depends on the quality and coverage of the test cases and scenarios used for each application or subsystem. Parallel testing may also introduce challenges such as synchronization, coordination, and communication among the testers and developers5

Option B is not correct because full application stack unit testing is a type of software testing that involves testing individual units or components of an application in isolation to verify their functionality, logic, interfaces, and performance6 Full application stack unit testing does not ensure the integration of security testing, as it does not consider the interactions and dependencies among the units or components, or the behavior of the application as a whole. Unit testing is typically performed by developers at an early stage of the software development life cycle, and may not cover all the security aspects or requirements of the application7

Option C is not correct because functional verification is a type of software testing that involves verifying that the software meets the specified requirements and satisfies the user needs. Functional verification does not ensure the integration of security testing, as it does not focus on how the software is designed or configured, or how it handles malicious or unexpected inputs. Functional verification is typically performed by quality assurance teams at a later stage of the software development life cycle, and may not detect all the security vulnerabilities or risks of the software.

References: 1: Wikipedia. Regression testing - Wikipedia. [Online]. Available: 3. [Accessed: 14-Apr-2023]. 2: Katalon. What is Regression Testing? Definition, Tools, Examples - Katalon. [Online]. Available: 4. [Accessed: 14-Apr-2023]. 3: BMC Software. Shift Left Testing: What, Why & How To Shift Left – BMC Software | Blogs. [Online]. Available: 3. [Accessed: 14-Apr-2023]. 4: Guru99. What is Parallel Testing? with Example - Guru99. [Online]. Available: . [Accessed: 14-Apr-2023]. 5: LambdaTest. Parallel Testing In Selenium WebDriver | LambdaTest Blog. [Online]. Available: . [Accessed: 14-Apr-2023]. 6: Guru99. What is Unit Testing? Types & Examples - Guru99. [Online]. Available: . [Accessed: 14-Apr-2023]. 7: Software Testing Help. Unit Testing Vs Integration Testing: Difference Between These Two - SoftwareTestingHelp.com Blog. [Online]. Available: . [Accessed: 14-Apr-2023]. : Guru99. What is Functional Testing? Types & Examples - Guru99. [Online]. Available: . [Accessed: 14-Apr-2023]. : Software Testing Help. Functional Testing Vs Non-Functional Testing - SoftwareTestingHelp.com Blog. [Online]. Available: . [Accessed: 14-Apr-2023].

 The reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ) is to help cloud service providers document their security and compliance controls. The CAIQ is a survey provided by the Cloud Security Alliance (CSA) that consists of a set of yes/no questions that correspond to the controls of the Cloud Controls Matrix (CCM), which is a cybersecurity framework for cloud computing. The CAIQ allows cloud service providers to demonstrate their security posture and compliance status to potential customers and auditors, as well as to identify any gaps or risks that need to be addressed. The CAIQ also enables cloud customers to assess the security capabilities of different cloud service providers and compare them based on their needs and requirements123.

The other options are not directly related to the question. Option A, cloud users can use CAIQ to sign statement of work (SOW) with cloud access security brokers (CASBs), is incorrect because CAIQ is not a contract or an agreement, but a questionnaire that provides information about the security controls of a cloud service provider. A statement of work (SOW) is a document that defines the scope, deliverables, and terms of a project or service. A cloud access security broker (CASB) is a software tool or service that acts as an intermediary between cloud users and cloud service providers, providing visibility, data security, threat protection, and compliance4. Option B, cloud service providers can document roles and responsibilities for cloud security, is incorrect because CAIQ is not designed to document roles and responsibilities, but security and compliance controls. Roles and responsibilities for cloud security are defined by the shared responsibility model, which outlines how the security tasks and obligations are divided between the cloud service provider and the cloud customer5. Option D, cloud service providers need the CAIQ to improve quality of customer service, is incorrect because CAIQ is not a measure of customer service quality, but a measure of security control transparency. Customer service quality refers to how well a cloud service provider meets or exceeds the expectations and satisfaction of its customers6. References :=

What is CASB? - Cloud Security Alliance4

What is CAIQ? | CSA - Cloud Security Alliance1

Shared Responsibility Model - Cloud Security Alliance5

What is CAIQ? - Panorays2

What is the Consensus Assessments Initiative Questionnaire (CAIQ …3

What Is Customer Service Quality? - Salesforce.com