A CSP contracts for a penetration test to be conducted on its infrastructure. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP's security operations center is not notified in advance of the scope of the audit or the test vectors. Which mode has the CSP selected?
A. Double gray box
B. Tandem
C. Reversal
D. Double blind
Which of the following metrics are frequently immature?
A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Which of the following attestations allows for immediate adoption of the Cloud Control Matrix (CCM) as additional criteria to the AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?
A. PCI-DSS
B. CSA STAR Attestation
C. MTCS
D. BSI Criteria Catalogue C5
Which of the following is a direct benefit of mapping the Cloud Control Matrix (CCM) to other international standards and regulations?
A. CCM mapping entitles cloud service providers to be listed as an approved supplier for tenders and government contracts.
B. CCM mapping enables cloud service providers and customers alike to streamline their own compliance and security efforts.
C. CCM mapping enables an uninterrupted data flow and, in particular, the export of personal data across different jurisdictions.
D. CCM mapping entitles cloud service providers to be certified under the CSA STAR program.
A certification target helps in the formation of a continuous certification framework by incorporating:
A. CSA STAR level 2 attestation.
B. service level objective and service qualitative objective.
C. frequency of evaluating security attributes.
D. scope description and security attributes to be tested.
An organization deploying the Cloud Control Matrix (CCM) to perform a compliance assessment will use the "Corporate Governance Relevance" feature to filter out those controls:
A. relating to policies, processes, laws, regulations, and institutions conditioning the way an organization is managed, directed, or controlled.
B. that can be either of a management or of a legal nature, therefore requiring an approval from the Change Advisory Board.
C. that require the prior approval from the Board of Directors to be funded (for either make or buy), implemented, and reported on.
D. that can be either of an administrative or of a technical nature, therefore requiring an approval from the Change Advisory Board.
In cloud computing, with whom does the responsibility and accountability for compliance lie?
A. The cloud service provider is responsible and accountable for compliance.
B. The cloud service provider is responsible for compliance, and the cloud service customer is accountable.
C. The cloud service customer is responsible and accountable for compliance.
D. The cloud service customer is responsible for compliance, and the cloud service provider is accountable.
To support a customer's verification of the CSP's claims regarding its responsibilities under the shared responsibility model, which of the following tools and techniques is appropriate?
A. Contractual agreement
B. Internal audit
C. External audit
D. Security assessment
Which of the following would be a logical starting point for an auditor who has been engaged to assess the security of an organization's DevOps pipeline?
A. Verify the inclusion of security gates in the pipeline.
B. Conduct an architectural assessment.
C. Review the CI/CD pipeline audit logs.
D. Verify separation of development and production pipelines.
A. Plan --> Develop --> Release
B. Deploy --> Monitor --> Audit
C. Initiation --> Execution --> Monitoring and Controlling
D. Preparation --> Execution --> Peer Review and Publication
A large organization with subsidiaries in multiple locations has a business requirement to organize its IT systems so that identified resources reside in particular locations along with the organizational personnel there. Which access control method will allow IT personnel to be segregated across the various locations?
A. Role Based Access Control
B. Attribute Based Access Control
C. Policy Based Access Control
D. Rule Based Access Control
The BEST way to deliver continuous compliance in a cloud environment is to:
A. decrease the interval between attestations of compliance.
B. combine point-in-time assurance approaches with continuous monitoring.
C. increase the frequency of external audits from annual to quarterly.
D. combine point-in-time assurance approaches with continuous auditing.
You have been assigned the implementation of an ISMS whose scope must cover both on-premises and cloud infrastructure. Which of the following is your BEST option?
A. Implement ISO/IEC 27002 and complement it with additional controls from the CCM.
B. Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27017.
C. Implement ISO/IEC 27001 and complement it with additional controls from ISO/IEC 27002.
D. Implement ISO/IEC 27001 and complement it with additional controls from the NIST SP 800-145.
As a developer building code into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?
A. Within the developer's laptop
B. Within the CI/CD server
C. Within version repositories
D. Within the CI/CD pipeline
What should be the control audit frequency for Business Continuity Management?
A. Quarterly
B. Annually
C. Monthly
D. Semi-annually