Legit CCAK Exam Download

 ISO/IEC 27017:2015 is a standard that provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, as well as additional controls with implementation guidance that specifically relate to cloud services1. ISO/IEC 27017:2015 is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an information security management system based on ISO/IEC 270011. ISO/IEC 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.

ISO/IEC 27002 is a standard that provides a code of practice for information security controls, but it does not provide specific guidance for cloud services. NIST SP 800-146 is a publication that provides an overview of cloud computing, its characteristics, service models, deployment models, and security considerations, but it does not provide a standard for selecting controls for cloud services. CSA CCM is a framework that provides detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains, but it is not a standard that is based on ISO/IEC 27001. References:

ISO/IEC 27017:2015

[ISO/IEC 27001:2013]

[ISO/IEC 27002:2013]

[NIST SP 800-146]

[CSA CCM]

The most useful document for an auditor to review when seeking visibility into the cloud supply chain for a newly acquired Software as a Service (SaaS) solution is the SaaS provider contract. The contract is the legal agreement that defines the terms and conditions of the cloud service, including the roles, responsibilities, and obligations of the parties involved1. The contract should also specify the service level agreements (SLAs), security and privacy requirements, data ownership and governance, incident response and reporting, audit rights and access, and subcontracting or outsourcing arrangements of the SaaS provider2. By reviewing the contract, the auditor can gain insight into the cloud supply chain and assess the risks, controls, and compliance of the SaaS solution.

The other options are not as useful as the SaaS provider contract. Payments made by the service owner are the financial transactions that reflect the fees or charges incurred by using the SaaS solution. They may indicate the usage or consumption of the cloud service, but they do not provide much information about the cloud supply chain or its security and compliance aspects3. SaaS vendor white papers are the marketing or educational materials that describe the features, benefits, or best practices of the SaaS solution. They may provide some general or technical information about the cloud service, but they are not legally binding or verifiable4. Cloud compliance obligations register is a tool that helps customers identify and track their compliance requirements and obligations for using cloud services. It may help customers understand their own responsibilities and risks in relation to the cloud service, but it does not necessarily reflect the compliance status or performance of the SaaS provider5.

References:

Cloud Services Due Diligence Checklist | Trust Center1, section on How to use the checklist

Cloud Computing Security Considerations | Cyber.gov.au2, section on Contractual arrangements

Cloud Computing Pricing Models: A Comparison - DZone Cloud3, section on Pricing Models

What is a White Paper? Definition from WhatIs.com4, section on White Paper

Cloud Compliance Obligations Register | Cyber.gov.au5, section on Cloud Compliance Obligations Register

According to the definition of regression testing, it is a type of software testing that confirms that a recent program or code change has not adversely affected existing features1 It involves re-running functional and non-functional tests to ensure that previously developed and tested software still performs as expected after a change2 If the software does not perform as expected, it is called a regression. Therefore, the most important goal of regression testing is to ensure new releases do not impact previous stable features.

The other options are not correct because:

Option A is not correct because the expected outputs are provided by the new features is not the goal of regression testing, but rather the goal of functional testing or acceptance testing. These types of testing aim to verify that the software meets the specified requirements and satisfies the user needs. Regression testing, on the other hand, focuses on checking that the existing features are not broken by the new features3

Option B is not correct because the system can handle a high number of users is not the goal of regression testing, but rather the goal of performance testing or load testing. These types of testing aim to evaluate the behavior and responsiveness of the software under various workloads and conditions. Regression testing, on the other hand, focuses on checking that the software functionality and quality are not degraded by code changes4

Option C is not correct because the system can be restored after a technical issue is not the goal of regression testing, but rather the goal of recovery testing or disaster recovery testing. These types of testing aim to assess the ability of the software to recover from failures or disasters and resume normal operations. Regression testing, on the other hand, focuses on checking that the software does not introduce new failures or defects due to code changes5

References: 1: Wikipedia. Regression testing - Wikipedia. [Online]. Available: 3. [Accessed: 14-Apr-2023]. 2: Katalon. What is Regression Testing? Definition, Tools, Examples - Katalon. [Online]. Available: 4. [Accessed: 14-Apr-2023]. 3: Guru99. What is Functional Testing? Types & Examples - Guru99. [Online]. Available: . [Accessed: 14-Apr-2023]. 4: Guru99. What is Performance Testing? Types & Examples - Guru99. [Online]. Available: . [Accessed: 14-Apr-2023]. 5: Guru99. What is Recovery Testing? with Example - Guru99. [Online]. Available: . [Accessed: 14-Apr-2023].

The primary purpose of the Open Certification Framework (OCF) for the CSA STAR program is to provide global, accredited, and trusted certification of the cloud service provider. According to the CSA website1, the OCF is an industry initiative to allow global, trusted independent evaluation of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification and/or attestation according to the Cloud Security Alliance’s industry leading security guidance and control framework. The OCF aims to address the gaps within the IT ecosystem that are inhibiting market adoption of secure and reliable cloud services. The OCF also integrates with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost. The OCF manages the foundation that runs and monitors the CSA STAR Certification program, which is an assurance framework that enables cloud service providers to embed cloud-specific security controls. The STAR Certification program has three levels of assurance, each based on a different type of audit or assessment: Level 1: Self-Assessment, Level 2: Third-Party Audit, and Level 3: Continuous Auditing. The OCF also oversees the CSA STAR Registry, which is a publicly accessible repository that documents the security controls provided by various cloud computing offerings2. The OCF helps consumers to evaluate and compare their providers’ resilience, data protection, privacy capabilities, and service portability. It also helps providers to demonstrate their compliance with industry standards and best practices.

References:

Open Certification Framework Working Group | CSA

STAR | CSA