Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?
A. Operations Maintenance
B. System Development Maintenance
C. Equipment Maintenance
D. System Maintenance
Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization's architecture? The threat model:
A. recognizes the shared responsibility for risk management between the customer and the CSP.
B. leverages SaaS threat models developed by peer organizations.
C. is developed by an independent third-party with expertise in the organization's industry sector.
D. considers the loss of visibility and control from transitioning to the cloud.
Which of the following is an example of integrity technical impact?
A. The cloud provider reports a breach of customer personal data from an unsecured server.
B. A hacker using a stolen administrator identity alerts the discount percentage in the product database.
C. A DDoS attack renders the customer's cloud inaccessible for 24 hours.
D. An administrator inadvertently click on Phish bait exposing his company to a ransomware attack.
An organization is in the initial phases of cloud adoption. It is not very knowledgeable about cloud security and cloud shared responsibility models. Which of the following approaches is BEST suited for such an organization to evaluate its cloud security?
A. Use of an established standard/regulation to map controls and use as the audit criteria
B. For efficiency reasons, use of its on-premises systems' audit criteria to audit the cloud environment
C. As this is the initial stage, the ISO/IEC 27001 certificate shared by the cloud service provider is sufficient for audit and compliance purposes.
D. Development of the cloud security audit criteria based on its own internal audit test plans to ensure appropriate coverage
When using a SaaS solution, who is responsible for application security?
A. The cloud service provider only
B. The cloud service consumer only
C. Both cloud consumer and the enterprise
D. Both cloud provider and the consumer
Which of the following would be the GREATEST governance challenge to an organization where production is hosted in a public cloud and backups are held on the premises?
A. Aligning the cloud service delivery with the organization's objective
B. Aligning the cloud provider's SLA with the organization's policy
C. Aligning shared responsibilities between provider and customer
D. Aligning the organization's activity with the cloud provider's policy
To support customer's verification of the CSP claims regarding their responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?
A. Contractual agreement
B. Internal audit
C. External audit
D. Security assessment
One of the Cloud Control Matrix's (CCM's) control specifications states that “Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.” Which of the following controls under the Audit Assurance and Compliance domain does this match to?
A. Audit planning
B. Information system and regulatory mapping
C. GDPR auditing
D. Independent audits
The MOST critical concept of managing the build and test of code in DevOps is:
A. continuous build.
B. continuous delivery.
C. continuous deployment.
D. continuous integration.
Account design in the cloud should be driven by:
A. security requirements.
B. organizational structure.
C. business continuity policies.
D. management structure.