Domain 4 - Compliance and Audit Management

Question 1

True/False: Organizations face new challenges as they migrate from traditional data centers to the cloud.
Delivering, measuring, and communicating compliance with a multitude of regulations across
multiple jurisdictions are among the largest of these challenges.

Answer 1

True

Question 2

_______ validates awareness of and adherence to corporate obligations (e.g., corporate
social responsibility, ethics, applicable laws, regulations, contracts, strategies and policies).

Answer 2

Compliance

Question 3

_______ are a key tool for proving (or disproving) compliance

Answer 3

Audits

Question 4

________ is a tool of governance; it is how an organization assesses, remediates, and proves it is meeting these internal and external obligations

Answer 4

Compliance management

Question 5

True/False: Customer is always ultimately responsible for their own compliance. These responsibilities are defined through contracts, audits/assessments, and specifics
of the compliance requirements.

Answer 5

True

Question 6

With _________ the cloud provider’s infrastructure is out of scope for a customer’s compliance audit, but everything the customer configures and builds on top of the certified services is still within scope.

Answer 6

compliance inheritance

Question 7

True/False: Not all features and services within a given cloud provider are necessarily compliant and certified/audited with respect to all regulations and standards. It is incumbent on the cloud provider to communicate
certifications and attestations clearly, and for customers to understand the scopes and limitations.

Answer 7

True

Question 8

True/False:Audits and assessments are mechanisms to document compliance with internal or external
requirements (or identify deficiencies). Reporting needs to include a compliance determination, as
well as a list of identified issues, risks, and remediation recommendations.

Answer 8

True

Question 9

An _______ is a legal statement from a third party, which can be used as their statement
of audit findings. it is a key tool when evaluating and working with cloud providers since
the cloud customer does not always get to perform their own assessments.

Answer 9

Attestation

Question 10

________ includes the management of all activities related to audits and assessments,
such as determining requirements, scope, scheduling, and responsibilities.

Answer 10

Audit management

Question 11

True/False:Multiple on-premises audits from large numbers
of cloud customers present clear logistical and security challenges, especially when the provider relies on
shared assets to create the resource pools.

Answer 11

True

Question 12

True/False: Customers working with these cloud providers will have to rely more on third-party attestations rather than audits they perform themselves

Answer 12

True

Question 13

Refers to Cloud Security Alliance central repository for providers to publicly release certifications and attestation documents.

Answer 13

CSA Star Registry

Question 14

True/False: It’s important to remember that attestations and certifications are point-in-time activities. An
attestation is a statement of an “over a period of time” assessment and may not be valid at any
future point

Answer 14

True

Question 15

______ are the logs, documentation, and
other materials needed for audits and
compliance; they are the evidence to support
compliance activities. Both providers and
customers have responsibilities for producing
and managing these.

Answer 15

Artifacts