Regarding cloud service provider agreements and contracts, unless otherwise stated, the provider is

responsible only to the cloud customer. This means that the provider has a contractual obligation to

deliver the agreed-upon services and meet the service level agreements (SLAs) with the cloud

customer, who is the direct payer of the services. The provider is not responsible for any other

parties, such as the cloud customer’s clients, end users, or regulators, unless explicitly specified in

the contract. The cloud customer is responsible for ensuring that the provider’s services meet their

own compliance and security requirements, as well as those of their stakeholders12.

Reference:

Shared responsibility in the cloud - Microsoft Azure

Cloud security shared responsibility model - NCSC

The Egregious 11 refers to a list of top threats to cloud computing, as published by the Cloud Security

Alliance (CSA) in 2019. The CSA is a leading organization dedicated to defining standards,

certifications and best practices to help ensure a secure cloud computing environment. The

Egregious 11 report ranks the most critical and pressing cloud security issues, such as data breaches,

misconfigurations, insufficient identity and access management, and account hijacking. The report

also provides recommendations for security, compliance, risk and technology practitioners to

mitigate these threats. The Egregious 11 is based on a survey of industry experts and a review of

current literature and media reports. The report is intended to raise awareness of the risks and

challenges associated with cloud computing and promote strong security practices.12 Reference :=

CCAK Study Guide, Chapter 5: Cloud Auditing, page 961; CSA Top Threats to Cloud Computing:

Egregious 11

:

External attestation and certification audit reports are considered the best method to demonstrate

assurance in cloud services to multiple customers because they provide an independent verification

of the cloud service provider’s controls and practices. These reports are conducted by third-party

auditors and offer a level of transparency and trust that cannot be achieved through self-assessments

or internal documents. They help ensure that the cloud provider meets industry standards and

regulatory requirements, which is crucial for customers to assess the risk and compliance posture of

their cloud service providers.

Reference = The importance of external attestation and certification audit reports is supported by the

Cloud Security Alliance (CSA) and ISACA, which state that the CCAK credential prepares IT and

security professionals to ensure that the right controls are in place and to mitigate the risks and costs

of audit management and penalties for non-compliance1.

According to the CSA website, the primary purpose of the Open Certification Framework (OCF) for

the CSA STAR program is to provide global, accredited, trusted certification of cloud providers1 The

OCF is an industry initiative to allow global, trusted independent evaluation of cloud providers. It is a

program for flexible, incremental and multi-layered cloud provider certification and/or attestation

according to the Cloud Security Alliance’s industry leading security guidance and control

framework2 The OCF aims to address the gaps within the IT ecosystem that are inhibiting market

adoption of secure and reliable cloud services, such as the lack of simple, cost effective ways to

evaluate and compare providers’ resilience, data protection, privacy, and service portability2 The

OCF also aims to promote industry transparency and reduce complexity and costs for both providers

and customers3

The other options are not correct because:

Option A is not correct because facilitating an effective relationship between the cloud service

provider and cloud client is not the primary purpose of the OCF for the CSA STAR program, but rather

a potential benefit or outcome of it. The OCF can help facilitate an effective relationship between the

provider and the client by providing a common language and framework for assessing and

communicating the security and compliance posture of the provider, as well as enabling trust and

confidence in the provider’s capabilities and performance. However, this is not the main goal or

objective of the OCF, but rather a means to achieve it.

Option B is not correct because ensuring understanding of true risk and perceived risk by the cloud

service users is not the primary purpose of the OCF for the CSA STAR program, but rather a possible

implication or consequence of it. The OCF can help ensure understanding of true risk and perceived

risk by the cloud service users by providing objective and verifiable information and evidence about

the provider’s security and compliance level, as well as allowing comparison and benchmarking with

other providers in the market. However, this is not the main aim or intention of the OCF, but rather a

result or effect of it.

Option D is not correct because enabling the cloud service provider to prioritize resources to meet its

own requirements is not the primary purpose of the OCF for the CSA STAR program, but rather a

potential advantage or opportunity for it. The OCF can enable the cloud service provider to prioritize

resources to meet its own requirements by providing a flexible, incremental and multi-layered

approach to certification and/or attestation that allows the provider to choose the level of assurance

that suits their business needs and goals. However, this is not the main reason or motivation for the

OCF, but rather a benefit or option for it.

Reference: 1: Open Certification Framework Working Group | CSA 2: Open Certification Framework |

CSA - Cloud Security Alliance 3: Why your cloud services need the CSA STAR Registry listing

The objective that is most appropriate to measure the effectiveness of password policy is newly

created account credentials satisfy requirements. This is because password policy is a set of rules and

guidelines that define the characteristics and usage of passwords in a system or network. Password

policy aims to enhance the security and confidentiality of the system or network by preventing

unauthorized access, data breaches, and identity theft. Therefore, the best way to evaluate the

effectiveness of password policy is to check whether the newly created account credentials meet the

requirements of the policy, such as length, complexity, expiration, and history. This objective can be

measured by conducting periodic audits, reviews, or tests of the account creation process and

verifying that the passwords comply with the policy standards. This is part of the Cloud Control

Matrix (CCM) domain IAM-02: User ID Credentials, which states that "The organization should have a

policy and procedures to manage user ID credentials for cloud services and data."1 Reference :=

CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 76

Cryptography and authentication are good candidates for continuous auditing, as they are critical

aspects of cloud security that require constant monitoring and verification. Cryptography and

authentication refer to the methods and techniques that ensure the confidentiality, integrity, and

availability of data and communications in the cloud environment. Cryptography involves the use of

encryption algorithms and keys to protect data from unauthorized access or modification.

Authentication involves the use of credentials and tokens to verify the identity and access rights of

users or devices. Continuous auditing can help to assess the effectiveness and compliance of

cryptography and authentication controls, such as data encryption, key management, password

policies, multifactor authentication, single sign-on, etc. Continuous auditing can also help to detect

and alert any anomalies or issues that may compromise or affect cryptography and authentication,

such as data breaches, key leakage, password cracking, unauthorized access, etc123.

Procedures (A) are not good candidates for continuous auditing, as they are not specific or

measurable aspects of cloud security that can be easily automated or tested. Procedures refer to the

steps or actions that are performed to achieve a certain objective or result in a specific domain or

context. Procedures may vary depending on the type, nature, or complexity of the task or process

involved. Continuous auditing requires a clear and consistent definition of the expected outcome or

output, as well as the criteria or metrics to evaluate it. Procedures may not provide such a definition

or criteria, and may require human judgment or interpretation to assess their effectiveness or

compliance123.

Governance (B) is not a good candidate for continuous auditing, as it is not a specific or measurable

aspect of cloud security that can be easily automated or tested. Governance refers to the framework

or system that defines the roles, responsibilities, policies, standards, procedures, and practices for

managing and overseeing an organization or a domain. Governance may involve multiple

stakeholders, such as management, board of directors, regulators, auditors, customers, etc., who

have different interests, expectations, or perspectives. Continuous auditing requires a clear and

consistent definition of the expected outcome or output, as well as the criteria or metrics to evaluate

it. Governance may not provide such a definition or criteria, and may require human judgment or

interpretation to assess its effectiveness or compliance123.

Documentation quality (D) is not a good candidate for continuous auditing, as it is not a specific or

measurable aspect of cloud security that can be easily automated or tested. Documentation quality

refers to the degree to which the documents that describe or support an organization or a domain

are accurate, complete, consistent, relevant, and understandable. Documentation quality may

depend on various factors, such as the purpose, audience, format, style, language, structure,

content, etc., of the documents involved. Continuous auditing requires a clear and consistent

definition of the expected outcome or output, as well as the criteria or metrics to evaluate

it. Documentation quality may not provide such a definition or criteria, and may require human

judgment or interpretation to assess its effectiveness or compliance123. Reference :=

Cloud Audits: A Guide for Cloud Service Providers - Cloud Standards …

Cloud Audits: A Guide for Cloud Service Customers - Cloud Standards …

Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam

The organization should define what constitutes a policy violation. A policy violation refers to the

breach or violation of a written policy or rule of the organization. A policy or rule is a statement that

defines the expectations, standards, or requirements for the behavior, conduct, or performance of

the organization’s members, such as employees, customers, partners, or suppliers. Policies and rules

can be based on various sources, such as laws, regulations, contracts, agreements, principles, values,

ethics, or best practices12.

The organization should define what constitutes a policy violation because it is responsible for

establishing, communicating, enforcing, and monitoring its own policies and rules. The organization

should also define the consequences and remedies for policy violations, such as warnings, sanctions,

penalties, termination, or legal action. The organization should ensure that its policies and rules are

clear, consistent, fair, and aligned with its mission, vision, and goals12.

The other options are not correct. Option A, the external auditor, is incorrect because the external

auditor is an independent party that provides assurance or verification of the organization’s financial

statements, internal controls, compliance status, or performance. The external auditor does not

define the organization’s policies and rules, but evaluates them against relevant standards or

criteria3. Option C, the Internet service provider (ISP), is incorrect because the ISP is a company that

provides access to the Internet and related services to the organization. The ISP does not define the

organization’s policies and rules, but may have its own policies and rules that the organization has to

comply with as a customer4. Option D, the cloud provider, is incorrect because the cloud provider is a

company that provides cloud computing services to the organization. The cloud provider does not

define the organization’s policies and rules, but may have its own policies and rules that the

organization has to comply with as a customer5. Reference :=

Policy Violation Definition | Law Insider1

How to Write Policies and Procedures | Smartsheet2

What is an External Auditor? - Definition from Safeopedia3

What is an Internet Service Provider (ISP)? - Definition from Techopedia4

What is Cloud Provider? - Definition from Techopedia

Database backup and replication guidelines are essential for ensuring the availability and integrity of

data in the event of a disruption or disaster. They describe how the data is backed up, stored,

restored, and synchronized across different locations and platforms. An auditor should review these

guidelines to verify that they are aligned with the business continuity objectives, policies, and

procedures of the organization and the cloud service provider. The auditor should also check that the

backup and replication processes are tested regularly and that the results are documented and

reported. Reference:

ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 96

Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v4.0, 2021, BCR-01: Business Continuity

Planning/Resilience

Heat maps are graphical representations of data that use color-coding to show the relative intensity,

frequency, or magnitude of a variable1. Heat maps can be used to visualize the criticality of the cloud

services in an organization, along with their dependencies and risks, by mapping the cloud services

to different dimensions, such as business impact, availability, security, performance, cost, etc. Heat

maps can help auditors identify the most important or vulnerable cloud services, as well as the

relationships and trade-offs among them2.

For example, Azure Charts provides heat maps for various aspects of Azure cloud services, such as

updates, trends, pillars, areas, geos, categories, etc3. These heat maps can help auditors understand

the current state and dynamics of Azure cloud services and compare them across different

dimensions4.

Contractual documents of the cloud service provider are the legal agreements that define the terms

and conditions of the cloud service, including the roles, responsibilities, and obligations of the

parties involved. They may provide some information on the criticality of the cloud services in an

organization, but they are not as visual or comprehensive as heat maps. Data security process flow is

a diagram that shows the steps and activities involved in protecting data from unauthorized access,

use, modification, or disclosure. It may help auditors understand the data security controls and risks

of the cloud services in an organization, but it does not cover other aspects of criticality, such as

business impact or performance. Turtle diagram is a tool that helps analyze a process by showing its

inputs, outputs, resources, criteria, methods, and interactions. It may help auditors understand the

process flow and dependencies of the cloud services in an organization, but it does not show the

relative importance or risks of each process element.

Reference:

What is a Heat Map? Definition from WhatIs.com1, section on Heat Map

Cloud Computing Security Considerations | Cyber.gov.au2, section on Cloud service criticality

Azure Charts - Clarity for the Cloud3, section on Heat Maps

Azure Services Overview4, section on Heat Maps

Cloud Services Due Diligence Checklist | Trust Center, section on How to use the checklist

Data Security Process Flow - an overview | ScienceDirect Topics, section on Data Security Process

Flow

What is a Turtle Diagram? Definition from WhatIs.com, section on Turtle Diagram