
CCAK Online Practice Questions and Answers

Question 4

An auditor identifies that a CSP received multiple customer inquiries and RFPs during the last month. Which of the following should be the BEST recommendation to reduce the CSP burden?

A. CSP can share all security reports with customers to streamline the process.

B. CSP can schedule a call with each customer.

C. CSP can answer each customer individually.

D. CSP can direct all customers' inquiries to the information in the CSA STAR registry.

Browse 126 Q&As

Question 5

Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?

A. Blue team

B. White box

C. Gray box

D. Red team

Question 6

The criteria for limiting services allowing non-critical services or services requiring high availability and resilience to be moved to the cloud is an important consideration to be included PRIMARILY in the:

A. risk management policy.

B. cloud policy.

C. business continuity plan.

D. information security standard for cloud technologies.

Question 7

Which of the following would be considered a factor in trusting a cloud service provider?

A. The level of exposure for public information

B. The level of proved technical skills

C. The level of willingness to cooperate

D. The level of open source evidence available

Question 8

A CSP providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance with stringent government standards?

A. Multi-Tier Cloud Security (MTCS) Attestation

B. FedRAMP Authorization

C. ISO/IEC 27001:2013 Certification

D. CSA STAR Level Certificate

Question 9

The BEST method to report continuous assessment of a cloud provider's services to the CSA is through:

A. a set of dedicated application programming interfaces (APIs).

B. SOC 2 Type 2 attestation.

C. CCM assessment by a third-party auditor on a periodic basis.

D. tools selected by the third-party auditor.

Question 10

If the degree of verification for information shared with the auditor during an audit is low, the auditor should:

A. reject the information as audit evidence.

B. stop evaluating the requirement altogether and review other audit areas.

C. delve deeper to obtain the required information to decide conclusively.

D. use professional judgment to determine the degree of reliance that can be placed on the information as evidence.

Question 11

Under GDPR, an organization should report a data breach within what time frame?

A. 72 hours

B. 2 weeks

C. 1 week

D. 48 hours

Question 12

A. output from threat modeling exercises.

B. results from automated testing.

C. source code within build scripts.

D. service level agreements.

Question 13

The PRIMARY objective for an auditor to understand the organization's context for a cloud audit is to:

A. determine whether the organization has carried out control self-assessment and validated audit reports of the cloud service providers (CSP).

B. validate an understanding of the organization's current state and how the cloud audit plan fits into the existing audit approach.

C. validate whether an organization has a cloud audit plan in place.

D. validate the organization's performance effectiveness utilizing cloud service providers (CSP) solutions.

Exam Code: CCAK
Exam Name: Certificate of Cloud Auditing Knowledge
Last Update: May 09, 2024
Questions: 126 Q&As
