Regarding suppliers of a cloud service provider, it is most important for the auditor to be aware that

the client organization has a clear understanding of the provider’s suppliers. This is because cloud

services often involve multiple parties in the supply chain, such as cloud providers, sub-providers,

brokers, carriers, and auditors. Each party may have different roles and responsibilities in delivering

the cloud services and ensuring their quality, security, and compliance. Therefore, it is essential for

the client organization to have visibility and assurance of the performance and compliance of the

provider’s suppliers and to establish clear and transparent agreements with them regarding their

roles, responsibilities, expectations, and obligations.12

An auditor should be aware of the importance of the client organization’s understanding of the

provider’s suppliers because it provides a basis for assessing the risks and challenges associated with

outsourcing services to a cloud provider and its supply chain. An auditor can use the client

organization’s understanding of the provider’s suppliers to verify that the client organization has

conducted a thorough due diligence of the provider’s suppliers and their capabilities, qualifications,

certifications, and reputation. An auditor can also use the client organization’s understanding of the

provider’s suppliers to evaluate whether the client organization has implemented adequate controls

and processes to monitor, audit, or verify the security and compliance status of their cloud services

and data across the supply chain. An auditor can also use the client organization’s understanding of

the provider’s suppliers to identify any gaps or weaknesses in the client organization’s security

management program and to provide recommendations for improvement.34

Reference := Practical Guide to Cloud Service Agreements Version 2.01; HIDDEN

INTERDEPENDENCIES BETWEEN INFORMATION AND ORGANIZATIONAL …2; Cloud Computing: The

Audit Challenge - ISACA3; Cloud Computing: Audit Considerations - AICPA4

When developing a cloud compliance program, the primary reason for a cloud customer to

determine how those services will fit within its policies and procedures is to ensure that the cloud

services are aligned with the customer’s business objectives, risk appetite, and compliance

obligations. Cloud services may have different characteristics, features, and capabilities than

traditional on-premises services, and may require different or additional controls to meet the

customer’s security and compliance requirements. Therefore, the customer needs to assess how the

cloud services will fit within its existing policies and procedures, such as data classification, data

protection, access management, incident response, audit, and reporting. The customer also needs to

identify any gaps or conflicts between the cloud services and its policies and procedures, and

implement appropriate measures to address them. By doing so, the customer can ensure that the

cloud services are used in a secure, compliant, and effective manner12.

Reference:

ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 19-20.

Cloud Compliance Frameworks: What You Need to Know

Rotating cryptographic keys regularly is a security best practice that helps to mitigate the risk of

unauthorized access to encrypted data. When keys are rotated, old keys are retired and replaced

with new ones, making any compromised keys useless to an attacker. This process helps to limit the

time window during which a stolen key can be used to breach data. Key rotation is a fundamental

aspect of key management lifecycle best practices, which include generating new key pairs, rotating

keys at set intervals, revoking access to keys, and destroying out-of-date or compromised keys.

Reference = The importance of key rotation is supported by various security standards and best

practices, including recommendations from the National Institute of Standards and Technology

(NIST)1 and the Cloud Security Alliance (CSA)23. These sources emphasize the need for periodic

renewal and decommissioning of old keys as part of a comprehensive key management strategy.

An example of integrity technical impact refers to an event where the accuracy or trustworthiness of

data is compromised. Option D, where a hacker uses a stolen administrator identity to alter the

discount percentage in the product database, directly affects the integrity of the data. This action

leads to unauthorized changes to data, which is a clear violation of data integrity. In contrast, options

A, B, and C describe breaches of confidentiality, availability, and security, respectively, but do not

directly impact the integrity of the data itself123.

Reference = The concept of data integrity in cloud computing is extensively covered in the literature,

including the importance of protecting against unauthorized data alteration to maintain the

trustworthiness and accuracy of data throughout its lifecycle123.

A cloud service provider (CSP) providing cloud services currently being used by the United States

federal government should obtain FedRAMP Authorization to assure compliance to stringent

government standards. FedRAMP is a government-wide program that provides a standardized

approach to security assessment, authorization, and continuous monitoring for cloud products and

services. FedRAMP enables agencies to leverage the security assessments of CSPs that have been

approved by FedRAMP, and establishes a baseline set of security controls for cloud computing, based

on NIST SP 800-53. FedRAMP also helps CSPs to demonstrate their compliance with relevant laws

and regulations, such as FISMA, FIPS, and NIST standards. FedRAMP Authorization can be obtained

through two paths: a provisional authorization from the Joint Authorization Board (JAB) or an

authorization from an individual agency12.

The other options are incorrect because:

A . CSA STAR Level Certificate: CSA STAR is a program for security assurance in the cloud that

encompasses key principles of transparency, rigorous auditing, and harmonization of standards. CSA

STAR Level Certificate is one of the certification options offered by CSA STAR, which is based on the

ISO/IEC 27001 standard and the CSA Cloud Controls Matrix (CCM). CSA STAR Level Certificate is not

specific to the US federal government standards, and does not guarantee compliance with FedRAMP

requirements3.

B . Multi-Tier Cloud Security (MTCS) Attestation: MTCS is a cloud security standard developed by the

Singapore government to provide greater clarity and transparency on the level of security offered by

different CSPs. MTCS defines three levels of security controls for CSPs: Level 1, Level 2, and Level 3,

with Level 3 being the most stringent. MTCS Attestation is a voluntary self-disclosure scheme for

CSPs to declare their conformance to the MTCS standard. MTCS Attestation is not applicable to the

US federal government standards, and does not ensure compliance with FedRAMP requirements4.

C . ISO/IEC 27001:2013 Certification: ISO/IEC 27001 is a standard for information security

management systems that specifies the requirements for establishing, implementing, maintaining,

and continually improving an information security management system within the context of the

organization. ISO/IEC 27001 Certification is an independent verification that an organization

conforms to the ISO/IEC 27001 standard. ISO/IEC 27001 Certification is not exclusive to cloud

computing or the US federal government standards, and does not cover all aspects of FedRAMP

requirements5.

Reference:

Learn What FedRAMP is All About | FedRAMP | FedRAMP.gov

How to Become FedRAMP Authorized | FedRAMP.gov

STAR | CSA

Multi-Tiered Cloud Security Standard (MTCS SS)

ISO - ISO/IEC 27001 — Information security management

During the cloud service provider evaluation process, benchmark controls lists BEST help identify

baseline configuration requirements. Benchmark controls lists are standardized sets of security and

compliance controls that are applicable to different cloud service models, deployment models, and

industry sectors1. They provide a common framework and language for assessing and comparing the

security posture and capabilities of cloud service providers2. They also help cloud customers to

define their own security and compliance requirements and expectations based on best practices

and industry standards3.

Some examples of benchmark controls lists are:

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which is a comprehensive list of 133

control objectives that cover 16 domains of cloud security4.

The National Institute of Standards and Technology (NIST) Special Publication 800-53, which is a

catalog of 325 security and privacy controls for federal information systems and organizations,

including cloud-based systems5.

The International Organization for Standardization (ISO) / International Electrotechnical Commission

(IEC) 27017, which is a code of practice that provides guidance on 121 information security controls

for cloud services based on ISO/IEC 270026.

Vendor requirements, product benchmarks, and contract terms and conditions are not the best

sources for identifying baseline configuration requirements. Vendor requirements are the

specifications and expectations that the cloud service provider has for its customers, such as

minimum hardware, software, network, or support requirements7. Product benchmarks are the

measurements and comparisons of the performance, quality, or features of different cloud services

or products8. Contract terms and conditions are the legal agreements that define the rights,

obligations, and responsibilities of the parties involved in a cloud service contract9. These sources

may provide some information on the configuration requirements, but they are not as

comprehensive, standardized, or objective as benchmark controls lists.

Reference:

CSA Security Guidance for Cloud Computing | CSA1, section on Identify necessary security and

compliance requirements

Evaluation Criteria for Cloud Infrastructure as a Service - Gartner2, section on Security Controls

Checklist: Cloud Services Provider Evaluation Criteria | Synoptek3, section on Security

Cloud Controls Matrix | CSA4, section on Overview

NIST Special Publication 800-53 - NIST Pages5, section on Abstract

ISO/IEC 27017:2015(en), Information technology — Security techniques …6, section on Scope

What is vendor management? Definition from WhatIs.com7, section on Vendor management

What is Benchmarking? Definition from WhatIs.com8, section on Benchmarking

What is Terms and Conditions? Definition from WhatIs.com9, section on Terms and Conditions

This situation poses a significant concern for a cloud auditor because it indicates a potential gap in

the technical team’s ability to effectively manage and secure the IaaS platform provided by the

alternative vendor. Without proper training on the specific features, security practices, and

operational procedures of the new platform, the organization may face increased risks of

misconfiguration, security vulnerabilities, and inefficiencies in cloud operations. It is crucial for the

technical team to have a comprehensive understanding of all platforms in use to ensure they can

maintain the security and performance standards required for a robust cloud environment.

Reference = The concern is based on common cloud auditing challenges, such as controlling and

monitoring user access, and ensuring the IT team is equipped to manage the cloud environment

effectively12. Additionally, best practices suggest that network segmentation, user authentication,

and access control are critical areas to address in a cloud audit3. These principles are widely

recognized in the field of cloud security and compliance.

An independent auditor report is a method that can be used by a cloud service provider (CSP) with a

cloud customer that does not want to share security and control information. An independent

auditor report is a document that provides assurance on the CSP’s security and control environment,

based on an audit conducted by a qualified third-party auditor. The audit can be based on various

standards or frameworks, such as ISO 27001, SOC 2, CSA STAR, etc. The independent auditor report

can provide the cloud customer with the necessary information to evaluate the CSP’s security and

control posture, without disclosing sensitive or proprietary details. The CSP can also use the

independent auditor report to demonstrate compliance with relevant regulations or contractual

obligations.

Reference:

ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 83-84.

ISACA, Cloud Computing Audit Program, 2019, p. 6-7.

Risk appetite and budget constraints have the most substantial impact on how aggressive or

conservative the cloud approach of an organization will be. Risk appetite is the amount and type of

risk that an organization is willing to accept in pursuit of its objectives. Budget constraints are the

limitations on the financial resources that an organization can allocate to its cloud initiatives. Both

factors influence the organization’s strategic decisions on which cloud service models, deployment

models, providers, and solutions to adopt, as well as the level of security, compliance, and

performance to achieve. An organization with a high risk appetite and a large budget may opt for a

more aggressive cloud approach, such as moving critical applications and data to a public cloud

provider, while an organization with a low risk appetite and a small budget may opt for a more

conservative cloud approach, such as keeping sensitive information on-premises or using a private

cloud provider12.

Reference:

ISACA, Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, 2021, p. 17-18.

CSA, Cloud Controls Matrix (CCM) v4.0, 2021, p. 63.

The most significant difference between a cloud risk management program and a traditional risk

management program is the shared responsibility model. The shared responsibility model is the

division of security and compliance responsibilities between the cloud service provider and the cloud

service customer, depending on the type of cloud service model (IaaS, PaaS, SaaS). The shared

responsibility model implies that both parties have to collaborate and coordinate to ensure that the

cloud service meets the required level of security and compliance, as well as to identify and mitigate

any risks that may arise from the cloud environment123.

Virtualization of the IT landscape (A) is a difference between a cloud risk management program and a

traditional risk management program, but it is not the most significant one. Virtualization of the IT

landscape refers to the abstraction of physical IT resources, such as servers, storage, network, or

applications, into virtual ones that can be accessed and managed over the internet. Virtualization of

the IT landscape enables the cloud service provider to offer scalable, flexible, and efficient cloud

services to the cloud service customer. However, virtualization of the IT landscape also introduces

new risks, such as data leakage, unauthorized access, misconfiguration, or performance

degradation123.

Risk management practices adopted by the cloud service provider © are a difference between a

cloud risk management program and a traditional risk management program, but they are not the

most significant one. Risk management practices adopted by the cloud service provider refer to the

methods or techniques that the cloud service provider uses to identify, assess, treat, monitor, and

report on the risks that affect their cloud services. Risk management practices adopted by the cloud

service provider may include policies, standards, procedures, controls, audits, certifications, or

attestations that demonstrate their security and compliance posture. However, risk management

practices adopted by the cloud service provider are not sufficient or reliable on their own, as they

may not cover all aspects of cloud security and compliance, or may not align with the expectations or

requirements of the cloud service customer123.

Hosting sensitive information in the cloud environment (D) is a difference between a cloud risk

management program and a traditional risk management program, but it is not the most significant

one. Hosting sensitive information in the cloud environment refers to storing or processing data that

are confidential, personal, or valuable in the cloud infrastructure or platform that is owned and

operated by the cloud service provider. Hosting sensitive information in the cloud environment can

offer benefits such as cost savings, accessibility, availability, or backup. However, hosting sensitive

information in the cloud environment also poses risks such as data breaches, privacy violations,

compliance failures, or legal disputes123. Reference :=

Cloud Risk Management - ISACA

Cloud Risk Management: A Primer for Security Professionals - Infosec …

Cloud Risk Management: A Primer for Security Professionals - Infosec …