If a customer management interface is compromised over the public Internet, it can lead to:
Correct Answer: B
Explanation Customer management interfaces are the web portals, consoles, and APIs through which customers provision, monitor, configure, and pay for their cloud services. Because they are reachable from the public Internet, they are exposed to attacks such as phishing, malware, denial-of-service, and credential theft. An attacker who compromises a customer management interface can access and manipulate the customer's cloud resources, data, and configurations, leading to computing and data compromise for the affected customers: data breaches, service disruptions, unauthorized transactions, or other malicious activity. Because the interface sits in front of every resource the account owns, a single stolen credential or session token can be as damaging as compromising each workload individually, regardless of how well those workloads themselves are hardened.
References: Cloud Computing - Security Benefits and Risks (SlideShare), slide 10; Cloud Security Risks: The Top 8 According To ENISA (CloudTweaks), section on Management Interface Compromise; Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, section 2.3.2.1: https://www.isaca.org/-/media/info/ccak/ccak-study-guide.pdf
Question 77
When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?
Correct Answer: A
Explanation When applying the Top Threats Analysis methodology following an incident, the scope of the technical impact identification step is to determine the impact on the confidentiality, integrity, and availability of the information system. The Top Threats Analysis methodology is a process developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the top threats to cloud computing, as defined in the CSA Top Threats reports. The methodology consists of six steps:
- Scope definition: define the scope of the analysis, such as the cloud service model, deployment model, and business context.
- Threat identification: identify the relevant threats from the CSA Top Threats reports that may affect the scope of the analysis.
- Technical impact identification: determine the impact on confidentiality, integrity, and availability of the information system caused by each threat. Confidentiality is the protection of data from unauthorized access or disclosure; integrity is the protection of data from unauthorized modification or deletion; availability is the protection of data and services from disruption or denial.
- Business impact identification: determine the impact on business objectives and operations caused by each threat, such as financial loss, reputational damage, legal liability, or regulatory non-compliance.
- Risk assessment: assess the likelihood and severity of each threat based on the technical and business impacts, and prioritize the threats by risk level.
- Risk treatment: select and implement appropriate risk treatment options for each threat, such as avoidance, mitigation, transfer, or acceptance.
The technical impact identification step matters because it measures the extent of damage or harm each threat can cause to the information system and its components, and it is deliberately limited to the confidentiality, integrity, and availability properties of the system: financial, reputational, and regulatory consequences belong to the separate business impact step. Keeping the two apart lets the risk assessment weigh a technically severe but commercially minor event differently from a technically minor one with large business consequences, and it is what allows the technical impacts to be aligned with the business impacts in the risk assessment and treatment steps.
References: CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 81
Question 78
In cloud computing, which KEY subject area relies on measurement results and metrics?
Correct Answer: D
Explanation Service level agreements (SLAs) in cloud computing define performance metrics and uptime commitments, so they are the subject area that depends most directly on measurement results and metrics: service delivery is monitored and measured against the benchmarks the SLA sets. SLA metrics support tracking of service performance, compliance with contractual obligations, and cloud service provider accountability. ISACA's CCAK stresses the importance of SLAs for cloud governance and risk management because they provide a measurable baseline that informs cloud audit activities (referenced in the CCM under Governance, Risk, and Compliance, GOV-05). A practitioner caveat: an SLA metric is only auditable if the agreement also fixes how it is measured, for example the measurement window, which monitoring source counts, and whether scheduled maintenance is excluded from the uptime calculation.
Question 79
To qualify for CSA STAR attestation for a particular cloud system, the SOC 2 report must cover:
Correct Answer: B
Question 80
Cloud Controls Matrix (CCM) controls can be used by cloud customers to:
Correct Answer: C
Explanation The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing that cloud customers can use to build an operational cloud risk management program. The CCM provides guidance on which security controls should be implemented by which actor in the cloud supply chain (provider, customer, or shared between them), and maps its controls to industry-accepted security standards, regulations, and frameworks. Cloud customers can use it to assess the security posture of their cloud service providers, document their own responsibilities and requirements, and establish a baseline for cloud security assurance and compliance.
References: Cloud Controls Matrix (CCM) - CSA; What is the Cloud Controls Matrix (CCM)? - Cloud Security Alliance; Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 5: Cloud Assurance Frameworks