Which of the following approaches encompasses social engineering of staff, bypassing
of physical access controls and penetration testing?
A. Blue team
B. White box
C. Gray box
D. Red team
When applying the Top Threats Analysis methodology following an incident, what is the
scope of the technical impact identification step?
A. Determine the impact on the controls that were selected by the organization to
respond to identified risks.
B. Determine the impact on confidentiality, integrity and availability of the
information system.
C. Determine the impact on the financial, operational, compliance and reputation of the
organization.
D. Determine the impact on the physical and environmental security of the organization,
excluding informational assets.
When performing audits in relation to Business Continuity Management and
Operational Resilience strategy, what would be the MOST critical aspect to audit in
relation to the strategy of the cloud customer that should be formulated jointly with the
cloud service provider?
A. Validate if the strategy covers unavailability of all components required to operate
the business-as-usual or in disrupted mode, in parts or in total, when impacted by a
disruption.
B. Validate if the strategy covers all aspects of Business Continuity and Resilience
planning, taking inputs from the assessed impact and risks, to consider activities for
before, during, and after a disruption.
C. Validate if the strategy covers all activities required to continue and recover
prioritized activities within identified time frames and agreed capacity, aligned to
the risk appetite of the organization including the invocation of continuity plans
and crisis management capabilities.
D. Validate if the strategy is developed by both cloud service providers and cloud
service consumers within the acceptable limits of their risk appetite.
an organization, how are policy violations MOST likely to occur?
A. By accident
B. Deliberately by the ISP
C. Deliberately
D. Deliberately by the cloud provider
Which of the following is the BEST tool to perform cloud security control audits?
A. General Data Protection Regulation (GDPR)
B. ISO 27001
C. Federal Information Processing Standard (FIPS) 140-2
D. CSA Cloud Control Matrix (CCM)
Network environments and virtual instances shall be designed and configured to restrict
and monitor traffic between trusted and untrusted connections. These configurations
shall be reviewed at least annually, and supported by a documented justification for use
for all allowed services, protocols, ports, and by compensating controls. Which of the
following controls BEST matches this control description?
A. Network Security
B. Change Detection
C. Virtual Instance and OS Hardening
D. Network Vulnerability Management
After finding a vulnerability in an internet-facing server of an organization, a
cybersecurity criminal is able to access an encrypted file system and successfully
manages to overwrite part of some files with random data. In reference to the Top
Threats Analysis methodology, how would you categorize the technical impact of this
incident?
A. As an integrity breach
B. As control breach
C. As an availability breach
D. As a confidentiality breach
Organizations maintain mappings between the different control frameworks they adopt
to:
A. help identify controls with common assessment status.
B. avoid duplication of work when assessing compliance.
C. help identify controls with different assessment status.
D. start a compliance assessment using latest assessment.
Changes to which of the following will MOST likely influence the expansion or reduction
of controls required to remediate the risk arising from changes to an organization's SaaS
vendor?
A. Risk exceptions policy
B. Contractual requirements
C. Risk appetite
D. Board oversight
A CSP contracts for a penetration test to be conducted on its infrastructure. The auditor
engages the target with no prior knowledge of its defenses, assets, or channels. The
CSP's security operation center is not notified in advance of the scope of the audit and
the test vectors. Which mode is selected by the CSP?
A. Double gray box
B. Tandem