DOMAIN 4 - RIGHT TO AUDIT, AUDIT SCOPE, AUDITOR REQUIREMENTS Flashcards

1
Q

Reporting needs to include a compliance determination, as well as a list of identified issues, risks, and ________

A

remediation recommendation

2
Q

Audits and assessments aren’t limited to information security, but those related to information security typically focus on evaluating the ______ of security management and controls.

A

effectiveness

3
Q

All ______ have variable scope and statement of applicability, which defines what is evaluated (e.g., all systems with financial data) and to which controls (e.g., an industry standard, custom scope, or both).

A

audits

4
Q

An _______ is a legal statement from a third party, which can be used as their statement of audit findings

A

attestation

5
Q

_________ includes the management of all activities related to audits and assessments, such as determining requirements, scope, scheduling, and responsibilities.

A

Audit management

6
Q

Customers should understand that providers can (and often should) consider _______ audits a security risk when providing multitenant services

A

on-premises

7
Q

Customers working with these providers will have to rely more on third-party attestations rather than audits they perform themselves. Depending on the audit standard, actual results may only be releasable under a ________

A

nondisclosure agreement (NDA)

8
Q

Publishing certifications and attestations (to the degree legally allowed) will greatly assist cloud customers in evaluating providers. ________ offers a central repository for providers to publicly release these documents

A

The Cloud Security Alliance STAR Registry

9
Q

Some standards, such as ______, attest that documented controls work as designed/required. The standard doesn’t necessarily define the scope of controls, so both are needed to perform a full evaluation.

A

SSAE 16

10
Q

It’s important to remember that attestations and certifications are ________

A

point-in-time activities

11
Q

________ are the logs, documentation, and other materials needed for audits and compliance; they are the evidence to support compliance activities

A

Artifacts

12
Q

______ are ultimately responsible for the artifacts to support their own audits, and thus need to know what the provider offers, and create their own artifacts to cover any gaps.

A

Customers
