What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?
Correct Answer:
A
According to the cloud shared responsibility model, the cloud customer is responsible for managing the access controls for the SaaS functionality and operations, and this should be audited by the cloud auditor12. Access controls are the mechanisms that restrict and regulate who can access and use the SaaS applications and data, and how they can do so. Access controls include identity and access management, authentication, authorization, encryption, logging, and monitoring. The cloud customer is responsible for defining and enforcing the access policies, roles, and permissions for the SaaS users, as well as ensuring that the access controls are aligned with the security and compliance requirements of the customer??s business context12.
The other options are not the aspects of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Option B is incorrect, as vulnerability management is the process of identifying, assessing, and mitigating the security weaknesses in the SaaS applications and infrastructure, and this is usually handled by the cloud service provider12. Option C is incorrect, as patching is the process of updating and fixing the SaaS applications and infrastructure to address security issues or improve performance, and this is also usually handled by the cloud service provider12. Option D is incorrect, as source code reviews are the process of examining and testing the SaaS applications?? source code to detect errors or vulnerabilities, and this is also usually handled by the cloud service provider12. References:
✑ Shared responsibility in the cloud - Microsoft Azure
✑ The Customer??s Responsibility in the Cloud Shared Responsibility Model - ISACA
Which of the following is the MOST important strategy and governance documents to provide to the auditor prior to a cloud service provider review?
Correct Answer:
C
The best approach for an auditor to review the operating effectiveness of the password requirement is to review the configuration settings on the Configuration Management (CM) tool and verify that the CM tool agents are functioning correctly on the VMs. This method ensures that the password policies are being enforced as intended and that the CM tool is effectively managing the configurations across the organization??s virtual machines. It provides a balance between relying solely on automated tools and manual verification processes.
References = This approach is supported by best practices in cloud security and auditing, which recommend a combination of automated tools and manual checks to ensure the effectiveness of security controls123. The use of CM tools for enforcing password policies is a common practice, and their effectiveness must be regularly verified to maintain the security posture of cloud services.
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:
Correct Answer:
C
An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to understand which controls encompassed by the CCM may already be partially or fully implemented because of the compliance with other standards. The Scope Applicability direct mapping is a worksheet within the CCM that maps the CCM control specifications to several standards within the ISO/IEC 27000 series, such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, and ISO/IEC 27018. The mapping helps the organization to identify the commonalities and differences between the CCM and the ISO/IEC standards, and to determine the level of compliance with each standard based on the implementation of the CCM controls. The mapping also helps the organization to avoid duplication of work and to streamline the
compliance assessment process.12 References := What you need to know: Transitioning CSA STAR for Cloud Controls Matrix ??1; Cloud Controls Matrix (CCM) - CSA3
The CSA STAR Certification is based on criteria outlined the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to:
Correct Answer:
A
The CSA STAR Certification is based on criteria outlined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) in addition to ISO/IEC 27001 implementation. ISO/IEC 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The CSA STAR Certification is a third-party independent assessment of the security of a cloud service provider, which demonstrates the alignment of the provider??s ISMS with the CCM best practices. The CSA STAR Certification has three levels: Level 1 (STAR Certification), Level 2 (STAR Attestation), and
Level 3 (STAR Continuous Monitoring).1 [2][2] References := CCAK Study Guide, Chapter 5: Cloud Auditing, page 971; CSA STAR Certification, Overview[2][2]
The BEST method to report continuous assessment of a cloud provider??s services to the Cloud Security Alliance (CSA) is through:
Correct Answer:
D
The best method to report continuous assessment of a cloud provider??s services to the Cloud Security Alliance (CSA) is through a set of dedicated application programming interfaces (APIs). According to the CSA website1, the STAR Continuous program is a component of the STAR certification that allows cloud service providers to validate their security posture on an ongoing basis. The STAR Continuous program leverages a set of APIs that can integrate with the cloud provider??s existing tools and processes, such as security information and event management (SIEM), governance, risk management, and compliance (GRC), or continuous monitoring systems. The APIs enable the cloud provider to collect, analyze, and report security-related data to the CSA STAR registry in near real-time. The APIs also allow the CSA to verify the data and provide feedback to the cloud provider and the customers. The STAR Continuous program aims to provide more transparency, assurance, and trust in the cloud ecosystem by enabling continuous visibility into the security performance of cloud services.
The other methods listed are not suitable for reporting continuous assessment of a cloud provider??s services to the CSA. The Cloud Controls Matrix (CCM) assessment by a third- party auditor on a periodic basis is part of the STAR Certification Level 2 program, which provides a point-in-time validation of the cloud provider??s security controls. However, this method does not provide continuous assessment or reporting, as it only occurs once every 12 or 24 months2. The tools selected by the third-party auditor may vary depending on the scope, criteria, and methodology of the audit, and they may not be compatible or consistent with the CSA??s standards and frameworks. Moreover, the tools may not be able to report the audit results to the CSA STAR registry automatically or frequently. The SOC 2 Type 2 attestation is an independent audit report that evaluates the cloud provider??s security controls based on the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. However, this report is not specific to cloud computing and does not
cover all aspects of the CCM. Furthermore, this report is not intended to be shared publicly or reported to the CSA STAR registry3.
References:
✑ STAR Continuous | CSA
✑ STAR Certification | CSA
✑ SOC 2 vs CSA STAR: Which One Should You Choose?