Pass CCAK Exam Guide

 In a multi-level supply chain structure, the cloud service provider should ensure that any compliance requirements relevant to the provider are passed to the sub cloud service providers, regardless of their geographic location. This is because the sub cloud service providers may have access to or process the data of the provider’s customers, and thus may affect the compliance status of the provider. The provider should also monitor and verify the compliance of the sub cloud service providers on a regular basis. This is part of the Cloud Control Matrix (CCM) domain COM-01: Regulatory Frameworks, which states that "The organization should identify and comply with applicable regulatory frameworks, contractual obligations, and industry standards."1 References := CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 51

This control specification aligns with the concept of independent audits, which are crucial for verifying that an organization adheres to its established policies, standards, procedures, and compliance obligations. The requirement for these reviews and assessments to be performed at least annually ensures ongoing compliance and the ability to address any areas of nonconformity. Independent audits provide an objective assessment and are essential for maintaining transparency and trust in the cloud services provided.

References = The Cloud Controls Matrix (CCM) specifically mentions the need for independent assessments to be conducted annually as part of the Audit Assurance and Compliance domain, which is detailed in the CCM’s guidelines and related documents provided by the Cloud Security Alliance (CSA)12.

 The best way for the organization to take advantage of the supplier relationship feature of the Cloud Controls Matrix (CCM) is to leverage this feature to enable a smarter selection of the next cloud provider. The supplier relationship feature is a column in the CCM spreadsheet that indicates whether a control is influenced by contractual agreements between the cloud service provider and the cloud customer. This feature can help the organization to identify and compare the security and compliance capabilities of different cloud providers, as well as to negotiate and customize the terms of service (TOS) and service level agreements (SLA) according to their needs and requirements123.

The other options are not the best ways to use the supplier relationship feature. Option A, filter out only those controls directly influenced by contractual agreements, is not a good way to use the feature because it would exclude other important controls that are not influenced by contractual agreements, but still relevant for cloud security and governance. Option B, leverage this feature to enable the adoption of the Shared Responsibility Model, is not a good way to use the feature because the Shared Responsibility Model is defined by another column in the CCM spreadsheet, which indicates whether a control is applicable to the cloud service provider or the cloud customer. Option C, filter out only those controls having a direct impact on current TOS and SLA, is not a good way to use the feature because it would exclude other controls that may have an indirect or potential impact on the TOS and SLA, or that may be subject to change or negotiation in the future. References :=

What is CAIQ? | CSA - Cloud Security Alliance1

Understanding the Cloud Control Matrix | CloudBolt Software3

Cloud Controls Matrix (CCM) - CSA2

 The correct answer is C. Data input and output integrity routines (i.e., reconciliation and edit checks) are controls that can be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse. This is stated in the Cloud Controls Matrix (CCM) control AIS-03: Data Integrity123, which is part of the Application & Interface Security domain. The CCM is a cybersecurity control framework for cloud computing that can be used by cloud customers to build an operational cloud risk management program.

The other options are not directly related to the question. Option A refers to the CCM control AIS-02: Customer Access Requirements2, which addresses the security, contractual, and regulatory requirements for customer access to data, assets, and information systems. Option B refers to the CCM control AIS-04: Data Security / Integrity2, which establishes policies and procedures to support data security across multiple system interfaces, jurisdictions, and business functions. Option D refers to the CCM control AIS-01: Application Security2, which requires applications and programming interfaces (APIs) to be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications). References :=

Certificate of Cloud Auditing Knowledge (CCAK) Study Guide, Chapter 5: Cloud Assurance Frameworks

What is the Cloud Controls Matrix (CCM)? - Cloud Security Alliance4

AIS-03: Data Integrity - CSF Tools - Identity Digital1

AIS: Application & Interface Security - CSF Tools - Identity Digital2

PR.DS-6: Integrity checking mechanisms are used to verify software … - CSF Tools - Identity Digital