In an organization, how are policy violations MOST likely to occur?
A. By accident
B. Deliberately by the ISP
C. Deliberately
D. Deliberately by the cloud provider
Organizations maintain mappings between the different control frameworks they adopt to:
A. help identify controls with common assessment status.
B. avoid duplication of work when assessing compliance.
C. help identify controls with different assessment status.
D. start a compliance assessment using latest assessment.
Which of the following metrics are frequently immature?
A. Metrics around Infrastructure as a Service (IaaS) storage and network environments
B. Metrics around Platform as a Service (PaaS) development environments
C. Metrics around Infrastructure as a Service (IaaS) computing environments
D. Metrics around specific Software as a Service (SaaS) application services
Which of the following attestations allows for immediate adoption of the Cloud Control Matrix (CCM) as additional criteria to the AICPA Trust Services Criteria and provides the flexibility to update the criteria as technology and market requirements change?
A. PCI DSS
B. CSA STAR Attestation
C. MTCS
D. BSI Criteria Catalogue C5
Which of the following control frameworks should the cloud customer use to assess the overall security risk of a cloud provider?
A. SOC3 - Type2
B. Cloud Control Matrix (CCM)
C. SOC2 - Type1
D. SOC1 - Type1
In which control should a cloud service provider, upon request, inform customers of compliance impact and risk, especially if customer data is used as part of the services?
A. Service Provider control
B. Impact and Risk control
C. Data Inventory control
D. Compliance control
A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel. Which access control method will allow IT personnel to be segregated across the various locations?
A. Role Based Access Control
B. Attribute Based Access Control
C. Policy Based Access Control
D. Rule Based Access Control
Which of the following parties should have accountability for cloud compliance requirements?
A. Customer
B. Equally shared between customer and provider
C. Provider
D. Either customer or provider, depending on requirements
An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:
A. assess the existence and adequacy of a security awareness training program at the cloud service provider's organization, as the cloud customer hired the auditor to review the cloud service.
B. assess the existence and adequacy of a security awareness training program at both the cloud customer's organization and the cloud service provider's organization.
C. assess the existence and adequacy of a security awareness training program at the cloud customer's organization, as they hired the auditor.
D. not assess the security awareness training program, as it is each organization's own responsibility.
A Dot Release of Cloud Control Matrix (CCM) indicates what?
A. The introduction of new control frameworks mapped to previously-published CCM controls.
B. A revision of the CCM domain structure.
C. A technical change (revision, addition or deletion) affecting fewer than 10% of the controls compared to the previous "Full" release.
D. A technical change (revision, addition or deletion) affecting more than 10% of the controls compared to the previous "Full" release.