Question 1

Which of the following controls framework should the cloud customer use to assess the overall security risk of a cloud provider?

Options :

A : SOC3 - Type2

B : Cloud Control Matrix (CCM)

C : SOC2 - Type1

D : SOC1 - Type1

Answer: C

Question 2

Why are the fieldwork audit papers reviewed by an audit manager, even when the cloud auditor has many years of experience?

Options :

A : Internal quality requirements

B : Professional standards

C : Audit guidelines

D : Audit methodology

Answer: B

Question 3

Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

Options :

A : German IDW PS 951

B : Multi-Tier Cloud Security (MTCS)

C : BSI Criteria Catalogue C5

D : BSI IT-basic protection catalogue

Answer: C

Question 4

An auditor is reviewing an organization’s virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?

Options :

A :

The auditor should not rely on the CM tool and its settings, and for thoroughness should review the password configuration on the set of sample VMs.

B :

Review the relevant configuration settings on the CM tool and check whether the CM tool agents are operating effectively on the sample VMs.

C :

As it is an automated environment, reviewing the relevant configuration settings on the CM tool would be sufficient.

D :

Review the incident records for any incidents relating to brute force attacks or password compromise in the last 12 months and investigate whether the root cause of the incidents was due to in appropriate password policy configured on the VMs.

Answer: B

Question 5

The MAIN difference between Cloud Control Matrix (CCM) and Consensus Assessment Initiative Questionnaire (CAIQ) is that:

Options :

A : CCM assesses the presence of controls, whereas CAIQ assesses overall security of a service.

B : CCM has a set of security questions, whereas CAIQ has a set of security controls.

C : CCM has 14 domains and CAIQ has 16 domains.

D : CCM provides a controls framework, whereas CAIQ provides industry-accepted ways to document which security controls exist in IaaS, PaaS, and SaaS offerings.

Answer: D