During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization's DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor's NEXT course of action?

• A.Review the security white paper of the CSP.
• B.Plan an audit of the CSP.
• C.Review the contract and DR capability.
• D.Review the CSP audit reports.

Comment: *

Name: *

Email: *

Verification: *

CCM: A hypothetical company called: "Health4Sure" is located in the United States and provides cloud based services fortracking patient health. The company is compliant with HIPAA/HITECH Act among other industry standards. Health4Sure decides to assess the overall security of their cloud service against the CCM toolkit so that they will be able to present this document topotential clients.
Which of the following approach would be most suitable to assess the overall security posture of Health4Sure's cloud service?

• A.The CCM columns are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered ad a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls. This approach will save time.
• B.The CCM domain controls are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls thoroughly. This approach saves time while being able to assess the company's overall security posture in an efficient manner.
• C.The CCM domains are not mapped to HIPAA/HITECH Act. Therefore Health4Sure should assess the security posture of their cloud service against each and every control in the CCM. This approach will allow a thorough assessment of the security posture.

Comment: *

Name: *

Email: *

Verification: *

How is encryption managed on multi-tenant storage?

• A.C for data subject to the EU Data Protection Directive; B for all others
• B.One key per data owner
• C.The answer could be A, B, or C depending on the provider
• D.Multiple keys per data owner
• E.Single key for all data owners

Comment: *

Name: *

Email: *

Verification: *

What should be an organization's control audit schedule of a cloud service provider's business continuity plan and operational resilience policy?

• A.Semi-annual
• B.Quarterly
• C.Monthly
• D.Annual

Comment: *

Name: *

Email: *

Verification: *

Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintenance of several items ensuring continuity and availability of operations and support personnel. Which of the following controls BEST matches this control description?

• A.System Maintenance
• B.System Development Maintenance
• C.Equipment Maintenance
• D.Operations Maintenance

Comment: *

Name: *

Email: *

Verification: *