When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:
When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:
Which of the following is the BEST tool to perform cloud security control audits?
What do cloud service providers offer to encourage clients to extend the cloud platform?
An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month.
Which of the following should be the BEST recommendation to reduce the provider's burden?
The BEST method to report continuous assessment of a cloud provider’s services to the Cloud Security Alliance (CSA) is through:
Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls, and penetration testing?
Which of the following key stakeholders should be identified FIRST when an organization is designing a cloud compliance program?
Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?
After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data. In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?
When establishing cloud governance, an organization should FIRST test by migrating:
In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:
The FINAL decision to include a material finding in a cloud audit report should be made by the:
Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?
Which of the following is the MOST significant difference between a cloud risk management program and a traditional risk management program?
A contract containing the phrase "You automatically consent to these terms by using or logging into the service to which they pertain" is establishing a contract of:
In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?
Which of the following is the GREATEST risk associated with hidden interdependencies between cloud services?
To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:
In a situation where duties related to cloud risk management and control are split between an organization and its cloud service providers, which of the following would BEST help to ensure a coordinated approach to risk and control processes?
What legal documents should be provided to the auditors in relation to risk management?
Which of the following cloud service provider activities MUST obtain a client's approval?
To ensure a cloud service provider is complying with an organization's privacy requirements, a cloud auditor should FIRST review:
Which of the following provides the BEST evidence that a cloud service provider's continuous integration and continuous delivery (CI/CD) development pipeline includes checks for compliance as new features are added to its Software as a Service (SaaS) applications?
An auditor is reviewing an organization’s virtual machines (VMs) hosted in the cloud. The organization utilizes a configuration management (CM) tool to enforce password policies on its VMs. Which of the following is the BEST approach for the auditor to use to review the operating effectiveness of the password requirement?
Which of the following BEST ensures adequate restriction on the number of people who can access the pipeline production environment?
Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:
From a compliance perspective, which of the following artifacts should an assessor review when evaluating the effectiveness of Infrastructure as Code deployments?
When performing audits in relation to business continuity management and operational resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?
An organization that is utilizing a community cloud is contracting an auditor to conduct a review on behalf of the group of organizations within the cloud community. Of the following, to whom should the auditor report the findings?
Visibility to which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (laaS) deployments?
Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?
When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?
To ensure integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?
When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer
Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:
In a multi-level supply chain structure where cloud service provider A relies on other sub cloud services, the provider should ensure that any compliance requirements relevant to the provider are:
Which of the following methods can be used by a cloud service provider with a cloud customer that does not want to share security and control information?
DevSecOps aims to integrate security tools and processes directly into the software development life cycle and should be done:
Which of the following types of risk is associated specifically with the use of multi-cloud environments in an organization?
The PRIMARY purpose of Open Certification Framework (OCF) for the CSA STAR program is to:
Which of the following is a KEY benefit of using the Cloud Controls Matrix (CCM)?