Isaca Updated CCAK Exam Questions and Answers by amanda

The most important audit scope document when conducting a review of a cloud service provider is the document that defines the processes and systems to be audited. This document should clearly identify the objectives, criteria, and boundaries of the audit, as well as the roles and responsibilities of the audit team and the cloud service provider. The document should also specify the scope of the cloud service provider’s services, such as the service model, deployment model, geographic location, data classification, and compliance requirements. The document should also describe the scope of the audit evidence, such as the types, sources, methods, and sampling techniques of data collection and analysis. The document should also state the expected deliverables, timelines, and reporting formats of the audit. The document should be agreed upon by both parties before the audit commences.

The document that defines the processes and systems to be audited is essential for ensuring that the audit is relevant, reliable, consistent, and complete. It helps to establish a common understanding and expectation between the auditor and the auditee, as well as to avoid any misunderstandings or conflicts during or after the audit. It also helps to focus the audit on the key risks and controls related to the cloud service provider’s operations and performance. It also helps to ensure that the audit complies with the applicable standards, frameworks, and regulations.

References:

• Cloud Audits and Compliance: What You Need To Know - Linford & Company LLP
• How to audit the cloud | ICAEW
• Auditing Cloud Computing: A Security and Privacy Guide

Access controls are the aspect of Software as a Service (SaaS) functionality and operations that the cloud customer is responsible for and should be audited. Access controls refer to the methods and techniques that verify the identity and access rights of users or devices that access or use the SaaS application and its data. Access controls may include credentials, policies, roles, permissions, tokens, multifactor authentication, single sign-on, etc. The cloud customer is responsible for ensuring that only authorized and legitimate users or devices can access or use the SaaS application and its data, as well as for protecting the confidentiality, integrity, and availability of their data. The cloud customer should also monitor and audit the access and usage of the SaaS application and its data, as well as any incidents or issues that may affect them123.

Source code reviews (A) are not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Source code reviews refer to the processes and practices that examine the source code of software applications or systems to identify errors, bugs, vulnerabilities, or inefficiencies that may affect their quality, functionality, or security. Source code reviews are mainly under the responsibility of the cloud service provider, as they own and operate the software applications or systems that deliver SaaS services. The cloud customer has no access or control over these aspects123.

Patching (B) is not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Patching refers to the processes and practices that ensure the security, reliability, and performance of the cloud infrastructure, platform, or software. Patching involves the use of updates or fixes to address vulnerabilities, bugs, errors, or exploits that may compromise or affect the functionality of the cloud components. Patching is mainly under the responsibility of the cloud service provider, as they own and operate the cloud infrastructure, platform, or software. The cloud customer has limited or no access or control over these aspects123.

Vulnerability management (D) is not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Vulnerability management refers to the processes and practices that identify, assess, treat, monitor, and report on the risks that affect the security posture of an organization or a domain. Vulnerability management involves the use of tools or techniques to scan, analyze, prioritize, remediate, or mitigate vulnerabilities that may expose an organization or a domain to threats or attacks. Vulnerability management is mainly under the responsibility of the cloud service provider, as they own and operate the cloud infrastructure, platform, or software. The cloud customer has limited or no access or control over these aspects123. References :=

• Cloud Audits: A Guide for Cloud Service Providers - Cloud Standards …
• Cloud Audits: A Guide for Cloud Service Customers - Cloud Standards …
• Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam

 The cloud auditor should check if there is explicit documented approval from all customers whose data is affected by the transfer of production data to the test environment. This is because production data may contain sensitive or personal information that is subject to privacy and security regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Therefore, using production data for testing purposes without the consent of the data owners may violate their rights and expose the organization to legal and reputational risks. This is also stated in the Cloud Controls Matrix (CCM) control DSI-04: Production / Non-Production Environments12, which is part of the Data Security & Information Lifecycle Management domain. The CCM is a cybersecurity control framework for cloud computing that can be used by cloud customers to build an operational cloud risk management program.

The other options are not directly related to the question. Option A, approval of the change by the change advisory board, refers to the process of reviewing and authorizing changes to the system or software before they are implemented in the production environment. This is a good practice for ensuring the quality and reliability of the system or software, but it does not address the issue of using production data for testing purposes. Option C, training for the librarian, refers to the process of providing adequate education and awareness to the staff who are responsible for managing and transferring data between different environments. This is a good practice for ensuring the competence and accountability of the staff, but it does not address the issue of obtaining consent from the data owners. Option D, verification that the hardware of the test and production environments are compatible, refers to the process of ensuring that the system or software can run smoothly and consistently on both environments. This is a good practice for ensuring the performance and functionality of the system or software, but it does not address the issue of protecting the privacy and security of the production data. References :=

• Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 6: Cloud Security Controls
• Cloud Controls Matrix (CCM) - CSA3
• DSI-04: Production / Non-Production Environments - CSF Tools - Identity Digital1
• DSI: Data Security & Information Lifecycle Management - CSF Tools - Identity Digital

Continuous auditing is a method of auditing that provides assurance on the current state of controls and compliance in a cloud environment, rather than relying on periodic snapshots or attestations. Continuous auditing can leverage continuous monitoring data and automated tools to collect and analyze evidence of compliance, as well as alert auditors and stakeholders of any deviations or issues. Continuous auditing can complement point-in-time assurance approaches, such as certifications or audits, by providing more timely and frequent feedback on the effectiveness of controls and compliance in a cloud environment. References :=

• ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 821
• ISACA, Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam, 2021, p. 30