Valid CCAK Dumps shared by ExamDiscuss.com for Helping Passing CCAK Exam! ExamDiscuss.com now offer the newest CCAK exam dumps, the ExamDiscuss.com CCAK exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com CCAK dumps with Test Engine here:
Access CCAK Dumps Premium Version
(207 Q&As Dumps, 35%OFF Special Discount Code: freecram)
<< Prev Question Next Question >>
Question 58/81
During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?
Correct Answer: C
The auditor's next course of action should be to review the contract and DR capability of the cloud service provider. This will help the auditor to verify if the provider has a DR plan that meets the organization's requirements and expectations, and if the provider has evidence of testing and validating the plan annually.
The auditor should also check if the contract specifies the roles and responsibilities of both parties, the RTO and RPO values, the SLA terms, and the penalties for non-compliance.
Reviewing the security white paper of the provider (option A) might give some information about the provider's security practices and controls, but it might not be sufficient or relevant to assess the DR plan.
Reviewing the provider's audit reports (option B) might also provide some assurance about the provider's compliance with standards and regulations, but it might not address the specific DR needs of the organization.
Planning an audit of the provider (option D) might be a possible course of action, but it would require more time and resources, and it might not be feasible or necessary if the contract and DR capability are already satisfactory. References:
* Disaster recovery planning guide
* Audit a Disaster Recovery Plan
* How to Maintain and Test a Business Continuity and Disaster Recovery Plan
The auditor should also check if the contract specifies the roles and responsibilities of both parties, the RTO and RPO values, the SLA terms, and the penalties for non-compliance.
Reviewing the security white paper of the provider (option A) might give some information about the provider's security practices and controls, but it might not be sufficient or relevant to assess the DR plan.
Reviewing the provider's audit reports (option B) might also provide some assurance about the provider's compliance with standards and regulations, but it might not address the specific DR needs of the organization.
Planning an audit of the provider (option D) might be a possible course of action, but it would require more time and resources, and it might not be feasible or necessary if the contract and DR capability are already satisfactory. References:
* Disaster recovery planning guide
* Audit a Disaster Recovery Plan
* How to Maintain and Test a Business Continuity and Disaster Recovery Plan
- Question List (81q)
- Question 1: As Infrastructure as a Service (laaS) cloud service provider...
- Question 2: Which of the following would be the MOST critical finding of...
- Question 3: Which of the following has been provided by the Federal Offi...
- Question 4: The BEST method to report continuous assessment of a cloud p...
- Question 5: The MOST important goal of regression testing is to ensure:...
- Question 6: What do cloud service providers offer to encourage clients t...
- Question 7: An auditor is assessing a European organization's compliance...
- Question 8: In the context of Infrastructure as a Service (laaS), a vuln...
- Question 9: The three layers of Open Certification Framework (OCF) PRIMA...
- Question 10: When an organization is moving to the cloud, responsibilitie...
- Question 11: Cloud Controls Matrix (CCM) controls can be used by cloud cu...
- Question 12: An auditor examining a cloud service provider's service leve...
- Question 13: The PRIMARY objective for an auditor to understand the organ...
- Question 14: A cloud service provider providing cloud services currently ...
- Question 15: Application programming interfaces (APIs) are likely to be a...
- Question 16: A contract containing the phrase "You automatically consent ...
- Question 17: Which of the following is the reason for designing the Conse...
- Question 18: A cloud service provider contracts for a penetration test to...
- Question 19: Which of the following aspects of risk management involves i...
- Question 20: A cloud service provider utilizes services of other service ...
- Question 21: An auditor identifies that a cloud service provider received...
- Question 22: Which of the following is MOST important to ensure effective...
- Question 23: What is an advantage of using dynamic application security t...
- Question 24: What legal documents should be provided to the auditors in r...
- Question 25: A cloud service customer is looking to subscribe to a financ...
- Question 26: Organizations maintain mappings between the different contro...
- Question 27: Which of the following is the BEST method to demonstrate ass...
- Question 28: Which of the following activities are part of the implementa...
- Question 29: What is a sign that an organization has adopted a shift-left...
- Question 30: In all three cloud deployment models, (laaS, PaaS, and SaaS)...
- Question 31: What areas should be reviewed when auditing a public cloud?...
- Question 32: Which of the following attestations allows for immediate ado...
- Question 33: One of the control specifications in the Cloud Controls Matr...
- Question 34: Supply chain agreements between a cloud service provider and...
- Question 35: Regarding suppliers of a cloud service provider, it is MOST ...
- Question 36: Which of the following is an example of availability technic...
- Question 37: Which of the following types of SOC reports BEST helps to en...
- Question 38: During the cloud service provider evaluation process, which ...
- Question 39: Which of the following can be used to determine whether acce...
- Question 40: An independent contractor is assessing the security maturity...
- Question 41: What does "The Egregious 11" refer to?...
- Question 42: Which of the following processes should be performed FIRST t...
- Question 43: Which of the following activities is performed outside infor...
- Question 44: When an organization is using cloud services, the security r...
- Question 45: Which of the following is MOST useful for an auditor to revi...
- Question 46: Which of the following cloud environments should be a concer...
- Question 47: Which of the following types of risk is associated specifica...
- Question 48: Which of the following is a category of trust in cloud compu...
- Question 49: From the perspective of a senior cloud security audit practi...
- Question 50: Which of the following BEST describes the difference between...
- Question 51: "Network environments and virtual instances shall be designe...
- Question 52: In a situation where duties related to cloud risk management...
- Question 53: Which of the following MOST enhances the internal stakeholde...
- Question 54: Which of the following is the MOST relevant question in the ...
- Question 55: Which of the following is the GREATEST risk associated with ...
- Question 56: Which of the following is a good candidate for continuous au...
- Question 57: During the planning phase of a cloud audit, the PRIMARY goal...
- Question 58: During an audit, it was identified that a critical applicati...
- Question 59: In cloud computing, which KEY subject area relies on measure...
- Question 60: Which of the following metrics are frequently immature?...
- Question 61: When mapping controls to architectural implementations, requ...
- Question 62: When applying the Top Threats Analysis methodology following...
- Question 63: Which objective is MOST appropriate to measure the effective...
- Question 64: Which of the following is an example of integrity technical ...
- Question 65: What is below the waterline in the context of cloud operatio...
- Question 66: Which of the following key stakeholders should be identified...
- Question 67: After finding a vulnerability in an Internet-facing server o...
- Question 68: In audit parlance, what is meant by "management representati...
- Question 69: What aspect of Software as a Service (SaaS) functionality an...
- Question 70: A dot release of the Cloud Controls Matrix (CCM) indicates:...
- Question 71: Which of the following is an example of reputational busines...
- Question 72: Who should define what constitutes a policy violation?...
- Question 73: Which of the following is a detective control that may be id...
- Question 74: In relation to testing business continuity management and op...
- Question 75: The MOST important factor to consider when implementing clou...
- Question 76: Which of the following should be an assurance requirement wh...
- Question 77: With regard to the Cloud Controls Matrix (CCM), the Architec...
- Question 78: What type of termination occurs at the initiative of one par...
- Question 79: DevSecOps aims to integrate security tools and processes dir...
- Question 80: Which of the following has the MOST substantial impact on ho...
- Question 81: An organization is using the Cloud Controls Matrix (CCM) to ...
