Cartes mémoires CCAK (Seite 1 von 2)

Cartes-fiches	45
Langue	English
Catégorie	Technique
Niveau	Autres
Crée / Actualisé	29.11.2023 / 30.11.2023
Lien de web	https://card2brain.ch/box/20231129_ccak
Intégrer	<iframe src="https://card2brain.ch/box/20231129_ccak/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>

Some of the reasons to integrate security in the early stages of the systems development life cycle include (select all that apply):

It can help reduce costs, as security vulnerabilities can be identified before code is deployed in production, reducing the possibility of potential issues and costly fixes.

It helps remediate security vulnerabilities in the infrastructure layers.

It is difficult to understand application requests in order to detect and block attacks outside the application. It is more effective to fix vulnerable code and close off attack vectors.

It helps reduce time for development and deployment of code.

What are example benefits of including dynamic application security testing (DAST) in software security testing? (Select all that apply.)

DAST can simulate the actions of a malicious user trying to exploit undetected infrastructure vulnerabilities or low patch levels.

DAST can create an open source code inventory and a list of associated vulnerabilities.

DAST has a low rate of false positives.

DAST can simulate how an application reacts to various inputs.

Which of the following is not a primary function of a version control repository? (Select the BEST answer.)

IAM and approval processes

Source code management

Identifying vulnerabilities and exposures (CVEs) in code

Creating digital fingerprints of known good versions of code

What technology should be considered and assessed to manage the extensive credentials typically embedded and used by CI/CD pipelines?

A. Federated identity brokers to manage user connectivity.

B. Data encryption for the credential files

C. Secrets managers

D. Password managers

5. On what elements should the auditor rely for auditability and accountability in a DevSecOps approach? (Select all that apply.)

A. Major architectural decisions and changes being reflected in the version control system or the issue tracker

B. Logs of structural changes in the integration pipeline and logs of changes in the build jobs.

C. Logs of the continuous integration and continuous delivery servers.

D. Logs of modifications to the application once registry of the organization.

In continuous integration pipelines, pull requests refer to what type of operations?

Making changes to code and submitting for approval before deployment

Requesting sections of code for testing in development

Changing files that contain configurations or infrastructure templates

Committing changes to code bypassing the review and approval process

Which of the following is not primarily a security-specific type of test?

Fuzzing

Regression testing

Dynamic application security testing

Static application security testing

Which of the following is a key concept for auditors regarding testing in a continuous integration/continuous deployment (CI/CD) pipeline?

Verifying that required security gates exist

Verifying that security gates are located properly

Finding ways to speed up security testing

Ensuring that security testing is running in parallel

Which of the following is true when assessing a function as a service (serverless) functions in a public cloud provider environment?

Static application security testing is no longer possible.

Software composition analysis testing is no longer possible.

Dynamic application security testing is no longer possible.

Vulnerability scanning is no longer possible.

A technical control is one part of a broader set of mitigations. An organization should consider how a specific control mitigates the risk. Which of the following describes another consideration that will help determine whether a specific control is needed?

What is the life cycle of the control?

Can conformance testing be done on the control?

Is there a compensating control?

Can the risk be accepted to avoid the control?

Which of these elements are part of cloud policy?

Mandatory controls

Ability to perform service catalog

Relevant stakeholders

Types of data that are allowed to migrate to cloud

When evaluating a cloud provider’s maturity and ability to execute, the customer should consider which of the following?

Number of mergers and acquisitions

Transparency

Board involvement in security strategy

Fiscal performance

For cloud trust and transparency, what are some key considerations that the cloud customer needs to be aware of? (two)

CSP service contracts address all client security risk in an IaaS model

Loss of governance based on distributed services

Lack of adequate cloud services and resource testing

Inadequate transparency and auditability by CSPs

Considering that cloud security is based on the shared responsibility model, select the controls that are usually the responsibility of the cloud consumer:

Producing security scanning reports

Security of the hosts and hypervisor layers

External cloud backups

Granting or removing application user access

In SaaS, which risk has shared responsibility by both the cloud customer and CSP?

Identity and access

Data Classification

Application

Infrastructure

Which of these parties should be included in a CSP compliance scope?

Cloud customers

Employees

Subcloud service providers

Subcontractors

When reviewing proposed policies, what is the remit of a policy approval board?

Determine cloud technology strategy

Determine the fit within the existing policy framework

Consider the potential cost implication of implementation

Whether the implementation period is realistic

When obtaining assurances from providers, what differentiates cloud services providers from non-cloud providers?

Terms and conditions in the contracts

Third-party reports performed by an independent auditor

Customer directed and managed self-assessments

Customer directed, managed and controlled assessments of provider facilities and infrastructure

Which of the following uses public key infrastructure to provide trust in cloud computing?

Evidence-based trust

Service level agreement verification trust

Reputation-based trust

Policy-based trust

Which of the following describes valid methods for measuring cloud trust?

Experiential measurement and the CSA STAR initiative
Internal measurement and reported incidents
CSA STAR initiative and customer internal review
Customer internal review and internal measurement

1

2

3

4

Risk assessments performed on a business-critical software-as-a-service (SaaS) solution have identified inefficient access controls with weak authentication and authorization methods. Access control exploitations are expected to occur once every three months. According to the ENISA/risk treatment domain, which of the following options would the auditor recommend?

Ask the SaaS cloud service provider to fix the control weakness.
Develop and implement solutions.
Restrict the use of SaaS.
Identify alternatives to manage the risk.

1

2

3

4

What is the objective of a cloud compliance program? (Select the correct answer.)

A. To ensure all aspects related to the cloud adoption in an organization adhere to the requirements for which it is accountable.

B. To determine the risk appetite and risk tolerance of the organization.

C. To drive decisions for the measures put in place by the organization.

D. To validate the organization is aligned with their competition and can remain competitive.

A

B

C

D

2. What is the difference between legacy and cloud compliance programs?

A. There is no difference.

B. Cloud compliance relies on systems with defined boundaries.

C. Legacy compliance programs have complete control and responsibility for the infrastructure and all requirements that keep it secure.

D. Cloud compliance programs rely on third parties for the delivery of technology with complete control and influence over the quality, availability and reliability of the service being provided.

A

B

C

D

3. What is a cloud governance and strategy audit?

A. An audit that evaluates the framework of the organization for defining requirements, performing risk assessments, monitoring controls, reporting adherence and developing a strategic plan for the cloud.

B. An audit that covers logging, monitoring, scanning and alerting of a system, account or environment, and can be achieved using real-time automated scripts or manual testing.

C. A review of all user and service accounts, and permission within your information system boundaries, including on-premises systems, cloud environments and other applications.

D. An audit performed against technical, administrative and/or physical controls as defined in the organization policies and procedures.

A

B

C

D

4. Select ALL the correct statements concerning legal and regulatory requirements, standards and security frameworks in the cloud:

A. They serve to guide the cloud controls program of an organization.

B. They should be monitored to ensure that changes in the requirements are promptly reflected in the cloud compliance program.

C. They are important for when designing the cloud compliance program, but not so relevant during the execution phase.

D. The majority of the laws and regulations are cloud specific.

A

B

C

D

5. In a DevOps IT environment, the following team is responsible for mitigating and/or managing risk on a daily basis:

A. Internal Audit

B. Risk Management

C. DevOps

D. Quality Assurance

A

B

C

D

6. Due to the shared responsibility model, control operationalization in the cloud (select all that apply):

A. Is different from what it is in traditional on-premises IT environments.

B. Involves a combined effort from multiple parties.

C. Is simpler than control operationalization in traditional on-premises IT environments.

D. Should replicate the control environment of traditional on-premises IT environments.

A

B

C

D

7. What is a common way to come up with metrics that support a decision process?

Use the ISO/IEC 19086 standard.

Make sure that the SLA contains automated metrics.

Apply the Metric, Measurement, Decision feedback loop.

Apply the Goal, Question, Metric approach.

8. What is FedRAMP?

A US federal government program that provides a standardized approach to security assessment of cloud-based services.

A US federal government program that provides a risk management model that can be leveraged among US agencies for IT certification.

A US federal funding program that helps innovative startups in information security achieve ramping growth.

A collaboration between AICPA and the Canadian Institute of Chartered Accountants (CPA Canada) for a federated approach to attestations.

Which Domain is AIS?

Application and Interface Security

What domain is AAC?

Audit, Assurance and Compliance

What Domain is BCR?

Business Continuity and Operational Resilience

Which Domain is CCC?

Change control and configuration management

Which Domain is DSI?

Data Security and Information Lifecycle Management

Which domain is DCS

Data Center Security

Which domain is EKM

Encryption and Key Management

HRS?

Human Resources Security

IAM

Identity and Access Management

IVS

Infrastructure and Virtualization

GRM?

Governance and Risk Management

CCAK

Créer ou copier des fichiers d'apprentissage

Créer ou copier des fichiers d'apprentissage

Connecte-toi pour voir toutes les cartes.

SWITCHaai

Office 365

Edulog

Apple ID

Google