Domain 4: Compliance and Audit Management Flashcards

1
Q

__________ existing regulations were written to account for virtualized environments or cloud deployments.
A. Most
B. No
C. Few
D. All

A

Answer: C
See page 54 of the CSA Cloud Security Guidance v4. Laws (and lawmakers) typically lag several years behind technological innovation and evolution.

2
Q

Which aspects of cloud computing make traditional audit approaches difficult [select two]?
A. resiliency
B. virtualized
C. self-service
D. metered service
E. distributed
F. physical

A

Answer: B and E
Because cloud computing resources are typically virtualized and distributed, traditional audit approaches may not be applicable. See page 54 of the CSA Cloud Security Guidance v4.
The self-service, resilient, and metered service aspects of cloud computing do not generally affect audit methodologies. Cloud computing services are not typically “physical” in the manner of traditional IT environments; this is the opposite of the correct answer.

3
Q

Audits typically may be __________ or __________.
A. fast or slow
B. internal or external
C. nocturnal or diurnal
D. legal or illegal

A

Answer: B
Typically, organizations might choose internal or external audits, or both.
The speed of an audit or the hour at which it takes place is not typically used to distinguish types of audits. Audits should not be illegal.

4
Q

In the cloud computing model, who is ultimately responsible for ensuring customer compliance with a given standard/regulation?
A. the cloud provider
B. the cloud customer
C. the regulator
D. the data subject

A

Answer: B
The cloud customer is ultimately (legally) responsible for ensuring compliance with a given standard/regulation/law. See page 55 of the CSA Cloud Security Guidance v4.
The provider may perform some compliance actions on behalf of the customer, but the customer retains legal liability/responsibility. Regulators enforce and monitor compliance, but are not ultimately responsible for a customer’s compliance. The data subject is not responsible for compliance.

5
Q

Cloud customers will typically have to rely on __________ in order to understand a provider’s compliance alignment and gaps.
A. regulator reports
B. public news articles
C. personal investigation
D. third-party attestations

A

Answer: D
The cloud customer is generally not allowed to perform their own audit of a cloud provider’s environment, and probably should not trust the provider’s self-reporting (as it is inherently biased), so third-party attestation is perhaps the sole method of ensuring compliance in the cloud. See page 56 of the CSA Cloud Security Guidance v4.
Customers also cannot rely on regulators to perform this function on their behalf, nor the efforts of news media.

6
Q

Alice is the security manager for a mid-sized retailer. Alice’s company contracts with a cloud provider for an IaaS environment, then builds an environment of virtual servers and an application to allow clientele to perform online ordering and credit card payment. The cloud provider has documentation proving that the provider is currently compliant with the Payment Card Industry Data Security Standard (PCI-DSS).
What is the term used to describe the relationship between Alice’s company and the provider, in terms of PCI-DSS compliance?
A. compliance inheritance
B. nonregulated inversion
C. regulatory capture
D. essential proffering

A

Answer: A
This is the definition of compliance inheritance, also known as a pass-through audit. See page 56 of the CSA Cloud Security Guidance v4.
Regulatory capture is the term used to describe conflicts of interest in relationships between regulators and the industry they are meant to regulate. The other two terms are meaningless in this context.

7
Q

Alice is the security manager for a mid-sized retailer. Alice’s company contracts with a cloud provider for an IaaS environment, then builds an environment of virtual servers and an application to allow clientele to perform online ordering and credit card payment. The cloud provider has documentation proving that the provider is currently compliant with the Payment Card Industry Data Security Standard (PCI-DSS).
Who is responsible for ensuring that Alice’s company’s virtual machines and application are compliant with PCI-DSS?
A. the PCI Council
B. Alice’s company
C. the cloud provider
D. Alice’s ISP

A

Answer: B
The cloud customer remains responsible for regulatory compliance of their own environment/app when using inherited compliance/pass-through audits in the cloud. See page 56 of the CSA Cloud Security Guidance v4.

8
Q

Which of the following is not typically used for third-party attestation in the cloud?
A. the General Data Protection Regulation (GDPR) of the European Union (EU)
B. the Certified Information Systems Security Professional (CISSP) certification from ISC2
C. the Payment Card Industry Data Security Standard (PCI DSS)
D. the System and Organization Controls (SOC) reports of the American Institute of Certified Public Accountants (AICPA)

A

Answer: B
The CISSP is a certification for personnel, not cloud providers. All the others are often used as third-party attestations for pass-through compliance in the cloud. See page 56 of the CSA Cloud Security Guidance v4.

9
Q

Why is it crucial for cloud customers to understand the scope and limitations of each certification, audit, and attestation report offered by the cloud provider?
A. the customer may determine those are insufficient, and decide to perform their own audit of the cloud provider’s data center
B. some audits may be illegal in the customer’s jurisdiction
C. not all features and services within a given cloud provider are necessarily compliant and certified/audited with respect to all regulations and standards
D. the cloud provider may intend to deceive the customer, and the customer must protect themselves

A

Answer: C
See page 57 of the CSA Cloud Security Guidance v4.
Customers will not typically be allowed to audit cloud data centers. Audits are not illegal in any jurisdiction I am aware of. Cloud providers do not typically try to deceive customers.

10
Q

Which of the following is not typically included in an audit report?
A. vendor list for remediations
B. identified issues
C. compliance determination
D. risks

A

Answer: A
Auditors should, in general, not make vendor recommendations, as that creates the appearance of conflict of interest.
All the other responses are elements included in most audit reports. See page 57 of the CSA Cloud Security Guidance v4.

11
Q

Audit management typically includes all of the following activities except __________.
A. determining requirements
B. scoping
C. scheduling
D. payment

A

Answer: D
Payment is typically an accounting function, not usually included in audit management.
All the other responses are functions of audit management. See page 57 of the CSA Cloud Security Guidance v4.

12
Q

Prospective cloud customers may have to submit __________ in order to gain access to audit reports.
A. payment
B. a surety bond
C. a non-compete statement
D. a non-disclosure agreement

A

Answer: D
Audit reports may contain sensitive information about the target’s IT environment and/or security measures. See page 58 of the CSA Cloud Security Guidance v4.
Prospective customers should not have to pay to see audit results, and generally are not entering the same market as the provider, so the other answers are incorrect.

13
Q

If the customer wants to perform certain types of audits/assessments, they might require permission from the cloud provider. This is to distinguish the audit/assessment from __________.
A. competitive influence
B. an attack
C. an internal activity
D. normal customer operations

A

Answer: B
Some types of audits/assessments (such as vulnerability scans or penetration tests) may be mistaken for an attack if not coordinated with the provider in advance. See page 58 of the CSA Cloud Security Guidance v4.
“Competitive influence” suggests another cloud provider reviewing the target; this would be a form of attack, and B is the better, more general answer. The provider should be able to determine if a particular activity is internal or part of normal customer operations without prior coordination.

14
Q

What is the term typically used to describe the documents, logs, and other materials used in an audit?
A. stipulations
B. data
C. artifacts
D. ramifications

A

Answer: C
See page 58 of the CSA Cloud Security Guidance v4.

15
Q

Compliance, audit, and assurance should be __________.
A. entertaining
B. expensive
C. continuous
D. remote

A

Answer: C
See page 59 of the CSA Cloud Security Guidance v4.
Not all audits are entertaining, expensive, or remote (some are done on-site, most are dull, and a few are affordable).

16
Q

__________ should evaluate the provider’s third-party attestations and certifications, in order to align with compliance needs.
A. regulators
B. cloud providers
C. cloud customers
D. end users

A

Answer: C
It is the customer’s duty to ensure the provider’s third-party reports meet the customer’s needs. See page 59 of the CSA Cloud Security Guidance v4.

17
Q

Cloud customers should consider using the __________ in order to track and maintain a record of cloud providers the customer uses, and record the providers’ certification and compliance.
A. National Institute for Standards and Technology (NIST) Special Publication (SP) 800-145, Cloud Computing Definition
B. The American Institute of Certified Public Accountants (AICPA) Statement of Standards for Attestation Engagements (SSAE) 18
C. the General Data Protection Regulation (GDPR)
D. the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

A

Answer: D
The CCM is useful for this purpose. See page 59 of the CSA Cloud Security Guidance v4.
NIST SP 800-145 merely defines cloud computing, SSAE 18 is an audit standard (used by auditors), and the GDPR is a privacy law.

18
Q

Cloud providers should engage in continuous compliance activities in order to avoid __________.
A. additional financial penalties
B. technological obsolescence
C. creating compliance gaps
D. regulatory disapproval

A

Answer: C
Compliance gaps can expose customers to additional, unpredicted risks. See page 59 of the CSA Cloud Security Guidance v4.
Continual compliance does not aid in reducing any of the elements mentioned in the other responses.

19
Q

Which of the following is a compliance artifact?
A. a copy of the contract between the cloud customer and the provider
B. a copy of administrative log data
C. a copy of the regulation used for oversight
D. a copy of the law that creates the regulatory environment for a certain industry

A

Answer: B
Logs are considered compliance artifacts. See pages 58 and 59 of the CSA Cloud Security Guidance v4.
Contracts, regulations, and laws are not considered compliance artifacts.

20
Q

Which of the following characteristics of cloud computing makes it unlikely that customers will be allowed to perform physical audits of cloud data centers?
A. virtualization
B. multitenancy
C. rapid elasticity
D. metered service

A

Answer: B
Cloud providers could not reasonably grant physical access to hundreds (or possibly thousands) of different customers. See page 58 of the CSA Cloud Security Guidance v4.

21
Q

Security practitioners aid the overall compliance effort of an organization by __________.
A. restricting physical access to the environment
B. defeating external attackers
C. evaluating and testing security controls
D. reviewing contracts from a security perspective

A

Answer: C
Security controls are often required for compliance, and the security practitioner is tasked with ensuring those controls are functioning properly and achieving the intended goal. See page 55 of the CSA Cloud Security Guidance v4.
The security practitioner may (and should) perform the other activities listed, but those activities are not as directly essential for compliance.

22
Q

Which of the following probably has the most effect on compliance?
A. jurisdictional differences
B. pricing models
C. marketing behavior
D. whether the cloud customer uses Windows, Apple, Linux/Unix, or another OS

A

Answer: A
The jurisdiction of both the cloud provider and customer will have significant impact on which standards/laws/regulations all parties are required to comply with. See page 54 of the CSA Cloud Security Guidance v4.
The other responses do not typically affect compliance requirements.

23
Q

What is the industry term for tools which are designed to aid in compliance assessment and reporting?
A. DLP: data leak prevention
B. GRC: governance, risk, and compliance
C. DRM: digital rights management
D. BCDR: business continuity and disaster recovery

A

Answer: B
This is the definition and purpose of GRC. The others are industry terms, but not relevant to this topic. See page 55 of the CSA Cloud Security Guidance v4.

24
Q

Which of the following is not a standard requiring audit and compliance?
A. the Payment Card Industry Data Security Standard (PCI-DSS)
B. the Health Information Portability and Accountability Act (HIPAA)
C. the X.509 digital certificate standard
D. the General Data Protection Regulation (GDPR)

A

Answer: C
X.509 is not a mandate, and an organization does not have to commission audits for it, unlike the other responses. Organizations follow the X.509 standard because universal acceptance is mutually beneficial, not because a regulator will verify compliance.

25
Q

Audit and assurance are included in an organization’s ___________.
A. governance
B. profit margin
C. core competency
D. business continuity plan

A

Answer: A
Audit and assurance are part of organizational governance efforts. See page 57 of the CSA Cloud Security Guidance v4.