Practice Free CCAK Exam Online Questions
Question #61
Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:
- A . regulatory guidelines impacting the cloud customer.
- B . audits, assessments, and independent verification of compliance certifications with agreement terms.
- C . the organizational chart of the provider.
- D . policies and procedures of the cloud customer
Correct Answer: B
B
Explanation:
Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include audits, assessments, and independent verification of compliance certifications with agreement terms. This is because cloud services involve multiple parties in the supply chain, such as cloud providers, sub-providers, brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering the cloud services and ensuring their quality, security, and compliance. Therefore, it is important for the cloud customers to have visibility and assurance of the performance and compliance of the cloud providers and their sub-providers. Audits, assessments, and independent verification of compliance certifications are methods to evaluate the effectiveness of the controls and processes implemented by the cloud providers and their sub-providers to meet the agreement terms. These methods can help the cloud customers to identify any gaps or risks in the supply chain and to take corrective actions if needed. This is part of the Cloud Control Matrix (CCM) domain COM-04: Audit Assurance & Compliance, which states that "The organization should have a policy and procedures to conduct audits and assessments of cloud services and data to verify compliance with applicable regulatory frameworks, contractual obligations, and industry standards."12
Reference: = CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 551; Practical Guide to Cloud Service Agreements Version 2.02
B
Explanation:
Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include audits, assessments, and independent verification of compliance certifications with agreement terms. This is because cloud services involve multiple parties in the supply chain, such as cloud providers, sub-providers, brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering the cloud services and ensuring their quality, security, and compliance. Therefore, it is important for the cloud customers to have visibility and assurance of the performance and compliance of the cloud providers and their sub-providers. Audits, assessments, and independent verification of compliance certifications are methods to evaluate the effectiveness of the controls and processes implemented by the cloud providers and their sub-providers to meet the agreement terms. These methods can help the cloud customers to identify any gaps or risks in the supply chain and to take corrective actions if needed. This is part of the Cloud Control Matrix (CCM) domain COM-04: Audit Assurance & Compliance, which states that "The organization should have a policy and procedures to conduct audits and assessments of cloud services and data to verify compliance with applicable regulatory frameworks, contractual obligations, and industry standards."12
Reference: = CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 551; Practical Guide to Cloud Service Agreements Version 2.02
Question #62
When performing audits in relation to the organizational strategy and governance, what should be requested from the cloud service provider?
- A . Enterprise cloud security strategy
- B . Enterprise cloud strategy and policy
- C . Attestation reports
- D . Policies and procedures
Correct Answer: C
Question #63
An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud.
Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?
- A . Filter out only those controls directly influenced by contractual agreements.
- B . Leverage this feature to enable the adoption of the Shared Responsibility Model.
- C . Filter out only those controls having a direct impact on current terms of service (TOS) and
service level agreement (SLA). - D . Leverage this feature to enable a smarter selection of the next cloud provider.
Correct Answer: D
D
Explanation:
The best way for the organization to take advantage of the supplier relationship feature of the Cloud Controls Matrix (CCM) is to leverage this feature to enable a smarter selection of the next cloud provider. The supplier relationship feature is a column in the CCM spreadsheet that indicates whether a control is influenced by contractual agreements between the cloud service provider and the cloud customer. This feature can help the organization to identify and compare the security and compliance capabilities of different cloud providers, as well as to negotiate and customize the terms of service (TOS) and service level agreements (SLA) according to their needs and requirements123. The other options are not the best ways to use the supplier relationship feature.
Option A, filter out only those controls directly influenced by contractual agreements, is not a good way to use the feature because it would exclude other important controls that are not influenced by contractual agreements, but still relevant for cloud security and governance.
Option B, leverage this feature to enable the adoption of the Shared Responsibility Model, is not a good way to use the feature because the Shared Responsibility Model is defined by another column in the CCM spreadsheet, which indicates whether a control is applicable to the cloud service provider or the cloud customer.
Option C, filter out only those controls having a direct impact on current TOS and SLA, is not a good way to use the feature because it would exclude other controls that may have an indirect or potential impact on the TOS and SLA, or that may be subject to change or negotiation in the future.
Reference: =
What is CAIQ? | CSA – Cloud Security Alliance1
Understanding the Cloud Control Matrix | CloudBolt Software3 Cloud Controls Matrix (CCM) – CSA2
D
Explanation:
The best way for the organization to take advantage of the supplier relationship feature of the Cloud Controls Matrix (CCM) is to leverage this feature to enable a smarter selection of the next cloud provider. The supplier relationship feature is a column in the CCM spreadsheet that indicates whether a control is influenced by contractual agreements between the cloud service provider and the cloud customer. This feature can help the organization to identify and compare the security and compliance capabilities of different cloud providers, as well as to negotiate and customize the terms of service (TOS) and service level agreements (SLA) according to their needs and requirements123. The other options are not the best ways to use the supplier relationship feature.
Option A, filter out only those controls directly influenced by contractual agreements, is not a good way to use the feature because it would exclude other important controls that are not influenced by contractual agreements, but still relevant for cloud security and governance.
Option B, leverage this feature to enable the adoption of the Shared Responsibility Model, is not a good way to use the feature because the Shared Responsibility Model is defined by another column in the CCM spreadsheet, which indicates whether a control is applicable to the cloud service provider or the cloud customer.
Option C, filter out only those controls having a direct impact on current TOS and SLA, is not a good way to use the feature because it would exclude other controls that may have an indirect or potential impact on the TOS and SLA, or that may be subject to change or negotiation in the future.
Reference: =
What is CAIQ? | CSA – Cloud Security Alliance1
Understanding the Cloud Control Matrix | CloudBolt Software3 Cloud Controls Matrix (CCM) – CSA2