Isaca Updated CCAK Exam Questions and Answers by margaux

Attribute-based access control (ABAC) is a cloud-native solution that uses attributes (such as user role, location, or device) to dynamically control access. This method is highly flexible for the cloud, where user attributes and environmental factors vary, unlike traditional enterprise security models. ISACA’s CCAK emphasizes ABAC in cloud environments for its adaptability to multi-tenant architectures and complex access control requirements, aligning with CCM controls in Domain IAM-12 (Identity and Access Management) for flexible, secure access mechanisms.

=========================

To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of enterprise architecture (EA). EA is a holistic approach to aligning the business and IT objectives, processes, and resources of an organization. EA helps to define the current and future state of the organization, identify the gaps and opportunities, and design the roadmap and governance for the cloud migration. EA also helps to ensure that the cloud migration is consistent with the organization’s vision, mission, values, and strategy, and that it meets the requirements of the stakeholders, customers, and regulators. EA is part of the Cloud Control Matrix (CCM) domain GRC-01: Enterprise Risk Management, which states that "The organization should have a policy and procedures to identify, assess, manage, and monitor risks related to cloud services."1 References := CCAK Study Guide, Chapter 2: Cloud Governance, page 25

A centralized risk and controls dashboard is the best option for ensuring a coordinated approach to risk and control processes when duties are split between an organization and its cloud service providers. This dashboard provides a unified view of risk and control status across the organization and the cloud services it utilizes. It enables both parties to monitor and manage risks effectively and ensures that control activities are aligned and consistent. This approach supports proactive risk management and facilitates communication and collaboration between the organization and the cloud service provider.

References = The concept of a centralized risk and controls dashboard is supported by the Cloud Security Alliance (CSA) and ISACA, which emphasize the importance of visibility and coordination in cloud risk management. The CCAK materials and the Cloud Controls Matrix (CCM) provide guidance on establishing such dashboards as a means to manage and mitigate risks in a cloud environment12.

Traditional cloud compliance assurance approaches such as SOC2 attestations have the main limitation of providing a point-in-time snapshot of an organization’s compliance posture. This means that they only reflect the state of the organization’s security and compliance controls at a specific date or period, which may not be representative of the current or future state. Cloud environments are dynamic and constantly changing, and so are the threats and risks that affect them. Therefore, relying on traditional cloud compliance assurance approaches may not provide sufficient or timely assurance that the organization’s cloud services and data are adequately protected and compliant with the relevant requirements and standards.12

To overcome this limitation, some organizations adopt continuous cloud compliance assurance approaches, such as continuous monitoring, auditing, and reporting. These approaches enable the organization to collect, analyze, and report on the security and compliance status of its cloud environment in near real-time, using automated tools and processes. Continuous cloud compliance assurance approaches can help the organization to identify and respond to any changes, issues, or incidents that may affect its cloud security and compliance posture, and to maintain a high level of trust and transparency with its stakeholders, customers, and regulators.34

References := What is SOC 2? Complete Guide to SOC 2 Reports | CSA1; Guidance on cloud security assessment and authorization - ITSP.50.105 - Canadian Centre for Cyber Security2; Continuous Compliance: The Future of Cloud Security | CloudCheckr3; Continuous Compliance: How to Automate Cloud Security Compliance4