A CSP contracts for a penetration test to be conducted on its infrastructure. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP's security operations center is not notified in advance of the scope of the audit or the test vectors. Which mode is selected by the CSP?
A. Double gray box
B. Tandem
C. Reversal
D. Double blind
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?
A. Blue team
B. White box
C. Gray box
D. Red team
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:
A. ISO/IEC 27001:2013 controls.
B. maturity model criteria.
C. all Cloud Control Matrix (CCM) controls and TSPC security principles.
D. Cloud Control Matrix (CCM) and ISO/IEC 27001:2013 controls.
Which of the following attestations allows for immediate adoption of the Cloud Control Matrix (CCM) as additional criteria to the AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?
A. PCI DSS
B. CSA STAR Attestation
C. MTCS
D. BSI Criteria Catalogue C5
What areas should be reviewed when auditing a public cloud?
A. Patching, source code reviews, hypervisor, access controls
B. Identity and access management, data protection
C. Patching, configuration, hypervisor, backups
D. Vulnerability management, cyber security reviews, patching
Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?
A. Policy based access control
B. Attribute based access control
C. Rule based access control
D. Role based access control
A. Updated audit/work program
B. Documentation criteria for the audit evidence
C. Processes and systems to be audited
D. Testing procedure to be performed
When establishing cloud governance, an organization should FIRST test by migrating:
A. all applications at once to the cloud.
B. complex applications to the cloud.
C. legacy applications to the cloud.
D. a few applications to the cloud.
When building a cloud governance model, which of the following requirements will focus more on the cloud service provider's evaluation and control checklist?
A. Security requirements
B. Legal requirements
C. Compliance requirements
D. Operational requirements
Under GDPR, an organization should report a data breach within what time frame?
A. 72 hours
B. 2 weeks
C. 1 week
D. 48 hours