2025年02月実際に出るCCAK試験問題集には正確で更新された問題 [Q75-Q92]

Share

2025年02月実際に出るCCAK試験問題集には正確で更新された問題

CCAK試験問題集でPDF問題とテストエンジン


CCAK認定試験は、クラウドアーキテクチャ、クラウドセキュリティ、クラウドガバナンス、リスク管理など、クラウドコンピューティングに関連する幅広いトピックをカバーしています。クラウド環境の監査と評価における候補者の知識とスキルを検証し、クラウドコンピューティングに依存している組織に効果的な監査サービスを提供できるようにすることを目的としています。

 

質問 # 75
A defining set of rules composed of claims and attributes of the entities in a transaction, which is used to determine their level of access to cloud-based resources is called what?

  • A. An entrylog
  • B. An access log
  • C. A support table
  • D. A validation process
  • E. An entitlement matrix

正解:D


質問 # 76
A dot release of the Cloud Controls Matrix (CCM) indicates:

  • A. a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release.
  • B. technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release.
  • C. the introduction of new control frameworks mapped to previously published CCM controls.
  • D. a revision of the CCM domain structure.

正解:A

解説:
A dot release of the Cloud Controls Matrix (CCM) indicates a technical change (revision, addition, or deletion) of a number of controls that is smaller than 10% compared to the previous full release. A dot release is a minor update to the CCM that reflects the feedback from the cloud security community and the changes in the cloud technology landscape. A dot release does not change the domain structure or the overall scope of the CCM, but rather improves the clarity, accuracy, and relevance of the existing controls. A dot release is denoted by a decimal number after the major version number, such as CCM v4.1 or CCM v4.2. The current version of the CCM is v4.0, which was released in October 20211.
The other options are incorrect because:
* A. a revision of the CCM domain structure: A revision of the CCM domain structure is a major change that affects the organization and categorization of the controls into different domains. A revision of the CCM domain structure requires a full release, not a dot release, and is denoted by an integer number, such as CCM v3 or CCM v42.
* C. the introduction of new control frameworks mapped to previously published CCM controls: The introduction of new control frameworks mapped to previously published CCM controls is an additional feature that enhances the usability and applicability of the CCM. The introduction of new control frameworks mapped to previously published CCM controls does not require a dot release or a full release, but rather an update to the mapping table that shows the relationship between the CCM controls and other industry-accepted security standards, regulations, and frameworks3.
* D. technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release: A technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release is a significant change that affects the content and scope of the CCM. A technical change (revision, addition, or deletion) of a number of controls that is greater than 10% compared to the previous full release requires a full release, not a dot release, and is denoted by an integer number, such as CCM v3 or CCM v42.
References:
* Cloud Controls Matrix (CCM) - CSA
* The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar
* Cloud Security Alliance Releases New Cloud Controls Matrix Auditing Guidelines


質問 # 77
What is a sign that an organization has adopted a shift-left concept of code release cycles?

  • A. Maturity of start-up entities with high-iteration to low-volume code commits
  • B. Large entities with slower release cadences and geographically dispersed systems
  • C. A waterfall model remove resources through the development to release phases
  • D. Incorporation of automation to identify and address software code problems early

正解:D

解説:
Explanation
The shift-left concept of code release cycles is a practice that aims to integrate testing, quality, and performance evaluation early in the software development life cycle, often before any code is written. This helps to find and prevent defects, improve quality, and enable faster delivery of secure software. One of the key aspects of the shift-left concept is the incorporation of automation to identify and address software code problems early, such as using continuous integration, continuous delivery, and continuous testing tools. Automation can help reduce manual errors, speed up feedback loops, and increase efficiency and reliability123 The other options are not correct because:
Option A is not correct because large entities with slower release cadences and geographically dispersed systems are more likely to face challenges in adopting the shift-left concept, as they may have more complex and legacy systems, dependencies, and processes that hinder agility and collaboration. The shift-left concept requires a culture of continuous improvement, experimentation, and learning that may not be compatible with traditional or siloed organizations4 Option C is not correct because a waterfall model is the opposite of the shift-left concept, as it involves sequential phases of development, testing, and deployment that are performed late in the software development life cycle. A waterfall model does not allow for early detection and correction of defects, feedback, or changes, and can result in higher costs, delays, and risks5 Option D is not correct because maturity of start-up entities with high-iteration to low-volume code commits is not a sign of the shift-left concept, but rather a sign of the agile or lean software development methodologies. These methodologies focus on delivering value to customers by delivering working software in short iterations or sprints, with frequent feedback and adaptation. While these methodologies can support the shift-left concept by enabling faster testing and delivery cycles, they are not equivalent or synonymous with it6 References: 1: AWS. What is DevSecOps? - Developer Security Operations Explained - AWS.
[Online]. Available: 4. [Accessed: 14-Apr-2023]. 2: Dynatrace. Shift left vs shift right: A DevOps mystery solved - Dynatrace news. [Online]. Available: 2. [Accessed: 14-Apr-2023]. 3: BMC Software. Shift Left Testing: What, Why & How To Shift Left - BMC Software | Blogs. [Online]. Available: 3. [Accessed:
14-Apr-2023]. 4: GitLab. How to shift left with continuous integration | GitLab.
[Online]. Available: 4. [Accessed: 14-Apr-2023]. 5: DZone. DevOps and The Shift-Left Principle - DZone.
[Online]. Available: 5. [Accessed: 14-Apr-2023]. 6: Devopedia. Shift Left - Devopedia. [Online]. Available: 6.
[Accessed: 14-Apr-2023].


質問 # 78
The FINAL decision to include a material finding in a cloud audit report should be made by the:

  • A. organization's chief information security officer (CISO)
  • B. auditee's senior management.
  • C. cloud auditor.
  • D. organization's chief executive officer (CEO).

正解:C

解説:
According to the ISACA Cloud Auditing Knowledge Certificate Study Guide, the final decision to include a material finding in a cloud audit report should be made by the cloud auditor1. A material finding is a significant error or risk in the cloud service that could affect the achievement of the audit objectives or the cloud customer's business outcomes. The cloud auditor is responsible for identifying, evaluating, and reporting the material findings based on the audit criteria, methodology, and evidence. The cloud auditor should also communicate the material findings to the auditee and other relevant stakeholders, and obtain their feedback and responses.
The other options are not correct. Option A is incorrect, as the auditee's senior management is not in charge of the audit report, but rather the subject of the audit. The auditee's senior management should provide their perspective and action plans for the material findings, but they cannot decide whether to include or exclude them from the report. Option B is incorrect, as the organization's CEO is not involved in the audit process, but rather the ultimate recipient of the audit report. The organization's CEO should review and act upon the audit report, but they cannot influence the content of the report. Option D is incorrect, as the organization's CISO is not an independent party, but rather a stakeholder of the audit. The organization's CISO should support and collaborate with the cloud auditor, but they cannot make the final decision on the material findings. References
:
* ISACA Cloud Auditing Knowledge Certificate Study Guide, page 19-20.


質問 # 79
Which of the following metrics are frequently immature?

  • A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
  • B. Metrics around specific Software as a Service (SaaS) application services
  • C. Metrics around Infrastructure as a Service (IaaS) computing environments
  • D. Metrics around Platform as a Service (PaaS) development environments

正解:A


質問 # 80
Which of the following is the MOST relevant question in the cloud compliance program design phase?

  • A. Who owns the cloud governance strategy?
  • B. Who owns the cloud portfolio strategy?
  • C. Who owns the cloud strategy?
  • D. Who owns the cloud services strategy?

正解:A

解説:
Explanation
The most relevant question in the cloud compliance program design phase is who owns the cloud governance strategy. Cloud governance is a method of information and technology (I&T) governance focused on accountability, defining decision rights and balancing benefit, risk and resources in an environment that embraces cloud computing. Cloud governance creates business-driven policies and principles that establish the appropriate degree of investments and control around the life cycle process for cloud computing services1.
Therefore, it is essential to identify who owns the cloud governance strategy in the organization, as this will determine the roles and responsibilities, decision-making authority, reporting structure, and escalation process for cloud compliance issues. The cloud governance owner should be a senior executive who has the vision, influence, and resources to drive the cloud compliance program and align it with the business objectives2.
References:
Building Cloud Governance From the Basics - ISACA
[Cloud Governance | Microsoft Azure]


質問 # 81
What legal documents should be provided to the auditors in relation to risk management?

  • A. Inventory of third-party attestation reports
  • B. Contracts and service level agreements (SLAs) of cloud service providers
  • C. Policies and procedures established around third-party risk assessments
  • D. Enterprise cloud strategy and policy

正解:B

解説:
Contracts and SLAs are legal documents that define the roles, responsibilities, expectations, and obligations of both the cloud service provider (CSP) and the cloud customer. They also specify the terms and conditions for service delivery, performance, availability, security, compliance, data protection, incident response, dispute resolution, liability, and termination. An auditor should review these documents to assess the alignment of the CSP's services with the customer's business requirements and risk appetite, as well as to identify any gaps or inconsistencies that may pose legal risks. References:
* ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 35-36
* Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v4.0, 2021, GRM-01: Contracts and SLAs


質問 # 82
All cloud services utilize virtualization technologies.

  • A. True
  • B. False

正解:A


質問 # 83
Which objective is MOST appropriate to measure the effectiveness of password policy?

  • A. The number of related incidents decreases.
  • B. Attempts to log with weak credentials increases.
  • C. Newly created account credentials satisfy requirements.
  • D. The number of related incidents increases.

正解:A


質問 # 84
Which of the following is a cloud-specific security standard?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

正解:A

解説:
ISO/IEC 15027017 is a cloud-specific security standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It is based on ISO/IEC 27002, which is a general standard for information security management, but it also includes additional controls and implementation guidance that specifically relate to cloud services. ISO/IEC 15027017 is intended to help both cloud service providers and cloud service customers to enhance the security and confidentiality of their cloud environment and to comply with relevant regulatory requirements and industry standards.12 Reference := ISO/IEC 27017:2015 - Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services1; Cloud Security Standards: ISO, PCI, GDPR and Your Cloud - Exabeam3; ISO/IEC 27017 - Wikipedia2


質問 # 85
In the context of Infrastructure as a Service (laaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

  • A. both operating system and application infrastructure contained within the cloud service provider's instances.
  • B. both operating system and application infrastructure contained within the customer's instances.
  • C. only application infrastructure contained within the cloud service provider's instances.
  • D. only application infrastructure contained within the customer's instance

正解:B

解説:
In the context of Infrastructure as a Service (IaaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in both operating system and application infrastructure contained within the customer's instances. IaaS is a cloud service model that provides customers with access to virtualized computing resources, such as servers, storage, and networks, hosted by a cloud service provider (CSP). The customer is responsible for installing, configuring, and maintaining the operating system and application software on the virtual machines, while the CSP is responsible for managing the underlying physical infrastructure. Therefore, a vulnerability assessment will scan the customer's instances to detect any weaknesses or misconfigurations in the operating system and application layers that may expose them to potential threats. A vulnerability assessment can help the customer to prioritize and remediate the identified vulnerabilities, and to comply with relevant security standards and regulations12.
References:
* Azure Security Control - Vulnerability Management | Microsoft Learn
* How to Implement Enterprise Vulnerability Assessment - Gartner


質問 # 86
organization should document the compliance responsibilities and ownership of accountability in a RACI chart or its informational equivalents in order to:

  • A. conform to the organization's governance model.
  • B. define the cloud compliance requirements and how they interplay with the organization's business strategy, goals, and other compliance requirements.
  • C. provide a holistic and seamless view of the cloud service provider's responsibility for compliance with prevailing laws and regulations.
  • D. provide a holistic and seamless view of the enterprise's responsibility for compliance with prevailing laws and regulations.

正解:D

解説:
A RACI chart is a tool used to clarify the roles and responsibilities in processes, projects, or operations. In the context of cloud compliance, documenting these responsibilities in a RACI chart ensures that all parties within the enterprise are aware of their specific obligations regarding compliance with laws and regulations.
This helps in creating a clear, organized view of how each part of the organization contributes to overall compliance, facilitating better coordination and accountability.
References = The answer is informed by general best practices in cloud compliance and governance, which recommend the use of RACI charts or similar tools to delineate responsibilities clearly. While I can't reference specific documents from the CCAK or related resources, these practices are widely accepted in the field of cloud security and compliance.


質問 # 87
The BEST way to deliver continuous compliance in a cloud environment is to:

  • A. increase the frequency of external audits from annual to quarterly.
  • B. decrease the interval between attestations of compliance
  • C. combine point-in-time assurance approaches with continuous monitoring.
  • D. combine point-in-time assurance approaches with continuous auditing.

正解:C

解説:
Continuous auditing is a method of auditing that provides assurance on the current state of controls and compliance in a cloud environment, rather than relying on periodic snapshots or attestations. Continuous auditing can leverage continuous monitoring data and automated tools to collect and analyze evidence of compliance, as well as alert auditors and stakeholders of any deviations or issues. Continuous auditing can complement point-in-time assurance approaches, such as certifications or audits, by providing more timely and frequent feedback on the effectiveness of controls and compliance in a cloud environment. Reference := ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 821 ISACA, Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam, 2021, p. 30


質問 # 88
What should be the auditor's PRIMARY objective when examining a cloud service provider's service level agreement (SLA)?

  • A. Verifying whether the SLA caters to the availability requirements of the cloud service customer
  • B. Verifying whether the SLAs are well defined and measurable
  • C. Verifying whether commensurate compensation in the form of service credits are factored in if the customer is unable to match its SLA obligations
  • D. Verifying whether the SLA includes all the operational matters that are material to the operation of the service

正解:B


質問 # 89
A cloud service provider does not allow audits using automated tools as these tools could be considered destructive techniques for the cloud environment. Which of the following aspects of the audit will be constrained?

  • A. Objectives
  • B. Nature of relationship
  • C. Purpose
  • D. Scope

正解:A


質問 # 90
During the cloud service provider evaluation process, which of the following BEST helps identify baseline configuration requirements?

  • A. Benchmark controls lists
  • B. Contract terms and conditions
  • C. Product benchmarks
  • D. Vendor requirements

正解:A

解説:
During the cloud service provider evaluation process, benchmark controls lists BEST help identify baseline configuration requirements. Benchmark controls lists are standardized sets of security and compliance controls that are applicable to different cloud service models, deployment models, and industry sectors1. They provide a common framework and language for assessing and comparing the security posture and capabilities of cloud service providers2. They also help cloud customers to define their own security and compliance requirements and expectations based on best practices and industry standards3.
Some examples of benchmark controls lists are:
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which is a comprehensive list of 133 control objectives that cover 16 domains of cloud security4.
The National Institute of Standards and Technology (NIST) Special Publication 800-53, which is a catalog of 325 security and privacy controls for federal information systems and organizations, including cloud-based systems5.
The International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27017, which is a code of practice that provides guidance on 121 information security controls for cloud services based on ISO/IEC 270026.
Reference:
CSA Security Guidance for Cloud Computing | CSA1, section on Identify necessary security and compliance requirements Evaluation Criteria for Cloud Infrastructure as a Service - Gartner2, section on Security Controls Checklist: Cloud Services Provider Evaluation Criteria | Synoptek3, section on Security Cloud Controls Matrix | CSA4, section on Overview NIST Special Publication 800-53 - NIST Pages5, section on Abstract ISO/IEC 27017:2015(en), Information technology - Security techniques ...6, section on Scope What is vendor management? Definition from WhatIs.com7, section on Vendor management What is Benchmarking? Definition from WhatIs.com8, section on Benchmarking What is Terms and Conditions? Definition from WhatIs.com9, section on Terms and Conditions


質問 # 91
To identify key actors and requirements, which of the following MUST be considered when designing a cloud compliance program?

  • A. Key stakeholders, enterprise risk management, and Internal audit perspectives
  • B. Enterprise risk management, data protection, privacy and legal perspectives
  • C. Cloud service provider, internal and external audit perspectives
  • D. Business/organizational, governance, cloud and risk perspectives

正解:D


質問 # 92
......


ISACA CCAK試験に合格すると、候補者はクラウド監査に関する知識と専門知識を示す証明書を受け取ります。認証は世界的に認識されており、業界で非常に尊敬されています。専門家がキャリアを前進させ、収益の可能性を高め、継続的な学習と専門能力開発へのコミットメントを実証するのに役立ちます。

 

合格させるISACA CCAK試験最速合格にはFast2test:https://jp.fast2test.com/CCAK-premium-file.html

CCAK問題集で必ず試験合格させる:https://drive.google.com/open?id=1D5SbOyNQLm5HapU04PVHMUa5Bfpd1CVV


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어