Practice Free CCAK Exam Online Questions
Which of the following helps an organization to identify control gaps and shortcomings in the context of cloud computing?
- A . Walk-through peer review
- B . Periodic documentation review
- C . User security awareness training
- D . Monitoring effectiveness
B
Explanation:
Periodic documentation review is a critical process that helps organizations identify control gaps and shortcomings, particularly in the context of cloud computing. This process involves regularly examining the documentation of processes, controls, and policies to ensure they are up-to-date and effective. It allows an organization to verify that the controls are operating as intended and to discover any areas where the controls may not fully address the organization’s requirements or the unique risks associated with cloud services. By conducting these reviews, organizations can maintain compliance with relevant regulations and standards, and ensure continuous improvement in their cloud security posture.
Reference: The significance of periodic documentation review is highlighted in cloud auditing and security best practices, as outlined by the Cloud Security Alliance (CSA) and the Certificate of Cloud Auditing Knowledge (CCAK) program. These resources emphasize the importance of regular reviews as part of a comprehensive cloud governance and compliance strategy.
Which of the following would be the MOST critical finding of an application security and DevOps audit?
- A . Certifications with global security standards specific to cloud are not reviewed, and the impact of noted findings are not assessed.
- B . Application architecture and configurations did not consider security measures.
- C . Outsourced cloud service interruption, breach, or loss of stored data occurred at the cloud service provider.
- D . The organization is not using a unified framework to integrate cloud compliance with regulatory requirements.
B
Explanation:
The most critical finding of an application security and DevOps audit would be that the application architecture and configurations did not consider security measures. This finding indicates a serious lack of security-by-design and security-by-default principles, which are essential for ensuring the confidentiality, integrity, and availability of the application and its data. If the application architecture and configurations are not secure, they could expose the application to various threats and vulnerabilities, such as unauthorized access, data breaches, denial-of-service attacks, injection attacks, cross-site scripting attacks, and others. This finding could also result in non-compliance with relevant security standards and regulations, such as ISO 27001, PCI DSS, GDPR, and others. Therefore, this finding should be addressed with high priority and urgency by implementing appropriate security measures and controls in the application architecture and configurations.
The other options are not as critical as option B. Option A is a moderate finding that indicates a lack of awareness and assessment of the global security standards specific to cloud, such as ISO 27017, ISO 27018, CSA CCM, NIST SP 800-53, and others. This finding could affect the security and compliance of the cloud services used by the application, but it does not directly impact the application itself.
Option C is a severe finding that indicates a major incident that occurred at the cloud service provider level, such as a service interruption, breach, or loss of stored data. This finding could affect the availability, confidentiality, and integrity of the application and its data, but it is not caused by the application itself.
Option D is a minor finding that indicates a lack of efficiency and consistency in integrating cloud compliance with regulatory requirements. This finding could affect the compliance posture of the application and its data, but it does not directly impact the security or functionality of the application.
Reference: Application Security Best Practices – OWASP
DevSecOps: What It Is and How to Get Started – ISACA
Cloud Security Standards: What to Expect & What to Negotiate – CSA
Cloud Computing Security Audit – ISACA
Cloud Computing Incident Response – ISACA
Cloud Compliance: A Framework for Using Cloud Services While Maintaining Compliance – ISACA
What does “The Egregious 11” refer to?
- A . The OWASP Top 10 adapted to cloud computing
- B . A list of top shortcomings of cloud computing
- C . A list of top breaches in cloud computing
- D . A list of top threats to cloud computing
D
Explanation:
The Egregious 11 refers to a list of top threats to cloud computing, as published by the Cloud Security Alliance (CSA) in 2019. The CSA is a leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment. The Egregious 11 report ranks the most critical and pressing cloud security issues, such as data breaches, misconfigurations, insufficient identity and access management, and account hijacking. The report also provides recommendations for security, compliance, risk and technology practitioners to mitigate these threats. The Egregious 11 is based on a survey of industry experts and a review of current literature and media reports. The report is intended to raise awareness of the risks and challenges associated with cloud computing and promote strong security practices.
Reference: CCAK Study Guide, Chapter 5: Cloud Auditing, page 961; CSA Top Threats to Cloud Computing: Egregious 11
Which of the following attestations allows for immediate adoption of the Cloud Controls Matrix (CCM) as additional criteria to AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?
- A . BSI Criteria Catalogue C5
- B . PCI-DSS
- C . MTCS
- D . CSA STAR Attestation
D
Explanation:
The CSA STAR Attestation allows for the immediate adoption of the Cloud Controls Matrix (CCM) as additional criteria alongside the AICPA Trust Service Criteria. It also offers the flexibility to update the criteria as technology and market requirements evolve. This is because the CSA STAR Attestation is a combination of SOC 2 and additional cloud security criteria from the CSA CCM, providing guidelines for CPAs to conduct SOC 2 engagements using criteria from both the AICPA and the CSA Cloud Controls Matrix.
Reference: The information is supported by the Cloud Security Alliance’s resources, which explain that the CSA STAR Attestation integrates SOC 2 with additional criteria from the CCM, allowing for a comprehensive approach to cloud security that aligns with evolving technologies and market needs.
As Infrastructure as a Service (IaaS) cloud service providers often do not allow the cloud service customers to perform on-premise audits, the BEST approach for the auditor should be to:
- A . use other sources of available data for evaluating the customer’s controls.
- B . recommend that the customer not use the services provided by the provider.
- C . refrain from auditing the provider’s security controls due to lack of cooperation.
- D . escalate the lack of support from the provider to the regulatory authority.
A
Explanation:
In situations where Infrastructure as a Service (IaaS) cloud service providers do not permit on-premise audits, auditors must adapt by utilizing alternative sources of data to evaluate the customer’s controls. This can include using automated tools, third-party certifications, and other forms of assurance provided by the service provider. This approach ensures that the auditor can still assess the security posture and compliance of the cloud services without direct physical access to the provider’s infrastructure.
Reference: The Cloud Security Alliance (CSA) provides guidelines on effective cloud auditing practices, including the use of alternative data sources when on-premise audits are not feasible. Additionally, discussions on the Certificate of Cloud Auditing Knowledge (CCAK) highlight the importance of adapting audit strategies to the cloud environment.
Which of the following is an example of availability technical impact?
- A . A distributed denial of service (DDoS) attack renders the customer’s cloud inaccessible for 24 hours.
- B . The cloud provider reports a breach of customer personal data from an unsecured server.
- C . An administrator inadvertently clicked on phish bait, exposing the company to a ransomware attack.
- D . A hacker using a stolen administrator identity alters the discount percentage in the product database
A
Explanation:
An example of availability technical impact is a distributed denial of service (DDoS) attack that renders the customer’s cloud inaccessible for 24 hours. Availability technical impact refers to the effect of a cloud security incident on the protection of data and services from disruption or denial. Availability is one of the three security properties of an information system, along with confidentiality and integrity.
Option A is an example of availability technical impact because it shows how a DDoS attack, which is a type of cyberattack that overwhelms a system or network with malicious traffic and prevents legitimate users from accessing it, can cause a severe and prolonged disruption of the customer’s cloud services.
Option A also implies that the customer’s organization depends on the availability of its cloud services for its core business operations.
The other options are not examples of availability technical impact.
Option B is an example of confidentiality technical impact, which refers to the effect of a cloud security incident on the protection of data from unauthorized access or disclosure.
Option B shows how a breach of customer personal data from an unsecured server, which is a type of data leakage or exposure attack that exploits the lack of proper security controls on a system or network, can cause a violation of the privacy and security of the customer’s data.
Option C is an example of integrity technical impact, which refers to the effect of a cloud security incident on the protection of data from unauthorized modification or deletion.
Option C shows how an administrator inadvertently clicking on phish bait, which is a type of social engineering or phishing attack that tricks a user into clicking on a malicious link or attachment, can expose the company to a ransomware attack, which is a type of malware or encryption attack that locks or encrypts the data and demands a ransom for its release.
Option D is also an example of integrity technical impact, as it shows how a hacker using a stolen administrator identity, which is a type of identity theft or impersonation attack that exploits the credentials or privileges of a legitimate user to access or manipulate a system or network, can alter the discount percentage in the product database, which is a type of data tampering or corruption attack that affects the accuracy and reliability of the data.
Reference: OWASP Risk Rating Methodology | OWASP Foundation
OEE Factors: Availability, Performance, and Quality | OEE
The Effects of Technological Developments on Work and Their …
Which of the following is the BEST tool to perform cloud security control audits?
- A . Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- B . General Data Protection Regulation (GDPR)
- C . Federal Information Processing Standard (FIPS) 140-2
- D . ISO 27001
A
Explanation:
The CSA Cloud Controls Matrix (CCM) is the best tool to perform cloud security control audits, as it is a cybersecurity control framework for cloud computing that is aligned to the CSA best practices and is considered the de facto standard for cloud security and privacy. The CCM provides a set of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology, such as identity and access management, data security, encryption and key management, business continuity and disaster recovery, audit assurance and compliance, and risk management. The CCM also maps the controls to various industry-accepted security standards, regulations, and control frameworks, such as ISO 27001/27002/27017/27018, NIST SP 800-53, PCI DSS, GDPR, and others. The CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The CCM also includes the Consensus Assessment Initiative Questionnaire (CAIQ), which provides a set of “yes or no” questions based on the security controls in the CCM that can be used to assess a cloud service provider.
The other options are not the best tools to perform cloud security control audits, as they are either not specific to cloud computing or not comprehensive enough. GDPR is a regulation that aims to protect the personal data and privacy of individuals in the European Union and the European Economic Area, but it does not provide a framework for cloud security controls. FIPS 140-2 is a standard that specifies the security requirements for cryptographic modules used by federal agencies in the United States, but it does not cover other aspects of cloud security. ISO 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization, but it does not provide specific guidance for cloud services.
Reference: Cloud Controls Matrix (CCM) – CSA
Cloud Controls Matrix and CAIQ v4 | CSA – Cloud Security Alliance
General Data Protection Regulation – Wikipedia
FIPS 140-2 – Wikipedia
ISO/IEC 27001:2013
Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?
- A . Processes and systems to be audited
- B . Updated audit work program
- C . Documentation criteria for the audit evidence
- D . Testing procedure to be performed
A
Explanation:
By definition, audit scope is the extent and boundaries of an audit, which include the audit objectives, the activities and documents covered, the time period and locations audited, and the related activities not audited [1]. Audit scope determines how deeply an audit is performed and may vary depending on the type of audit. Audit scope can also mean the examination of a person or the inspection of the books, records, or accounts of a person for tax purposes [1].
The most important audit scope document when conducting a review of a cloud service provider is the processes and systems to be audited. This document defines the specific areas and aspects of the cloud service provider that will be subject to the audit, such as the cloud service delivery model, the cloud deployment model, the cloud security domains, the cloud service level agreements, the cloud governance framework, etc. [2]. The processes and systems to be audited document also helps to identify the risks, controls, criteria, and objectives of the audit, as well as the roles and responsibilities of the auditors and the auditees [3]. The processes and systems to be audited document is essential for planning and performing an effective and efficient audit of a cloud service provider. The other options are not correct because:
Option B is not correct because the updated audit work program is not an audit scope document, but rather an audit planning document. The audit work program is a set of detailed instructions or procedures that guide the auditor in conducting the audit activities [4]. The audit work program is based on the audit scope, but it does not define it. The audit work program may also change during the course of the audit, depending on the findings and issues encountered by the auditor [4].
Option C is not correct because the documentation criteria for the audit evidence is not an audit scope document, but rather an audit quality document. The documentation criteria for the audit evidence is a set of standards or guidelines that specify what constitutes sufficient and appropriate evidence to support the auditor’s conclusions and opinions [5]. The documentation criteria for the audit evidence is derived from the audit scope, but it does not determine it. The documentation criteria for the audit evidence may also vary depending on the nature and source of the evidence collected by the auditor [5].
Option D is not correct because the testing procedure to be performed is not an audit scope document, but rather an audit execution document. The testing procedure to be performed is a set of steps or actions that describe how to test or verify a specific control or process within the cloud service provider [6]. The testing procedure to be performed is aligned with the audit scope, but it does not establish it. The testing procedure to be performed may also differ depending on the type and level of testing required by the auditor [6].
Reference:
1: AUDIT SCOPE DEFINITION – VentureLine
2: Audit Scope and Criteria – Auditor Training Online
3: Open Certification Framework | CSA – Cloud Security Alliance
4: Audit Work Program Definition – Audit Work Program Example
5: INTERNATIONAL STANDARD ON AUDITING 230 AUDIT DOCUMENTATION CONTENTS – IFAC
6: What are Testing Procedures? – Definition from Techopedia
An organization currently following the ISO/IEC 27002 control framework has been charged by a new CIO to switch to the NIST 800-53 control framework.
Which of the following is the FIRST step to this change?
- A . Discard all work done and start implementing NIST 800-53 from scratch.
- B . Recommend no change, since the scope of ISO/IEC 27002 is broader.
- C . Recommend no change, since NIST 800-53 is a US-scoped control framework.
- D . Map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities.
D
Explanation:
The first step to switch from the ISO/IEC 27002 control framework to the NIST 800-53 control framework is to map ISO/IEC 27002 and NIST 800-53 and detect gaps and commonalities. This step can help the organization to understand the similarities and differences between the two frameworks, and to identify which controls are already implemented, which controls need to be added or modified, and which controls are no longer applicable. Mapping can also help the organization to leverage the existing work done under ISO/IEC 27002 and avoid starting from scratch or discarding valuable information. Mapping can also help the organization to align with both frameworks, as they are not mutually exclusive or incompatible. In fact, NIST SP 800-53, Revision 5 provides a mapping table between NIST 800-53 and ISO/IEC 27001 in Appendix H-21. ISO/IEC 27001 is a standard for information security management systems that is based on ISO/IEC 27002, which is a code of practice for information security controls.
Reference: NIST SP 800-53, Revision 5 Control Mappings to ISO/IEC 27001
ISO – ISO/IEC 27002:2013 – Information technology ― Security techniques ― Code of practice for information security controls
Which of the following metrics are frequently immature?
- A . Metrics around specific Software as a Service (SaaS) application services
- B . Metrics around Infrastructure as a Service (IaaS) computing environments
- C . Metrics around Infrastructure as a Service (IaaS) storage and network environments
- D . Metrics around Platform as a Service (PaaS) development environments
D
Explanation:
Metrics around Platform as a Service (PaaS) development environments are frequently immature, as PaaS is a relatively new and evolving cloud service model that offers various tools and platforms for developing, testing, deploying, and managing cloud applications. PaaS metrics are often not well-defined, standardized, or consistent across different providers and platforms, and may not capture the full value and performance of PaaS services. PaaS metrics may also be difficult to measure, monitor, and compare, as they depend on various factors, such as the type, complexity, and quality of the applications, the level of customization and integration, the usage patterns and demand, and the security and compliance requirements. Therefore, PaaS metrics may not provide sufficient insight or assurance to cloud customers and auditors on the effectiveness, efficiency, reliability, and security of PaaS services.
Reference: Cloud Computing Service Metrics Description – NIST
Cloud KPIs You Need to Measure Success – VMware Blogs