- (Exam Topic 2)
Which data point that auditors always desire is very difficult to provide within a cloud environment?

1. A. Access policy
2. B. Systems architecture
3. C. Baselines
4. D. Privacy statement

Correct Answer: B
Cloud environments are constantly changing and often span multiple physical locations. A cloud customer is also very unlikely to have knowledge and insight into the underlying systems architecture in a cloud environment. Both of these realities make it very difficult, if not impossible, for an organization to provide a comprehensive systems design document.

- (Exam Topic 2)
Which of the cloud cross-cutting aspects relates to the requirements placed on a system or application by law, policy, or requirements from standards?

1. A. regulatory requirements
2. B. Auditability
3. C. Service-level agreements
4. D. Governance

Correct Answer: A
Regulatory requirements are those imposed upon businesses and their operations either by law, regulation, policy, or standards and guidelines. These requirements are specific either to the locality in which the company or application is based or to the specific nature of the data and transactions conducted.

- (Exam Topic 4)
Upon completing a risk analysis, a company has four different approaches to addressing risk. Which approach it takes will be based on costs, available options, and adherence to any regulatory requirements from independent audits.
Which of the following groupings correctly represents the four possible approaches?

1. A. Accept, avoid, transfer, mitigate
2. B. Accept, deny, transfer, mitigate
3. C. Accept, deny, mitigate, revise
4. D. Accept, dismiss, transfer, mitigate

Correct Answer: A
The four possible approaches to risk are as follows: accept (do not patch and continue with the risk), avoid (implement solutions to prevent the risk from occurring), transfer (take out insurance), and mitigate (change configurations or patch to resolve the risk). Each of these answers contains at least one incorrect approach name.

- (Exam Topic 4)
Which of the following is not a way to manage risk?

1. A. Transferring
2. B. Accepting
3. C. Mitigating
4. D. Enveloping

Correct Answer: D
Enveloping is a nonsense term, unrelated to risk management. The rest are not.

- (Exam Topic 4)
Which of the following provides assurance, to a predetermined acceptable level of certainty, that an entity is indeed who they claim to be?

1. A. Authentication
2. B. Identification
3. C. Proofing
4. D. Authorization

Correct Answer: A
Authentication goes a step further than identification by providing a means for proving an entity's identification. Authentication is most commonly done through mechanisms such as passwords. Identification involves ascertaining who the entity is, but without a means of proving it, such as a name or user ID. Authorization occurs after authentication and sets access permissions and other privileges within a system or application for the user. Proofing is not a term that is relevant to the question.