Which of the following is MOST important to consider when developing an effective threat model during the introduction of a new SaaS service into a customer organization's architecture? The threat model:
A. recognizes the shared responsibility for risk management between the customer and the CSP.
B. leverages SaaS threat models developed by peer organizations.
C. is developed by an independent third party with expertise in the organization's industry sector.
D. considers the loss of visibility and control from transitioning to the cloud.
What is a sign of an organization that has adopted a shift-left concept of code release cycles?
A. A waterfall model to move resources through the development to release phases
B. Incorporation of automation to identify and address software code problems early
C. Maturity of start-up entities with high-iteration to low-volume code commits
D. Large entities with slower release cadences and geographically dispersed systems
Which of the following key stakeholders should be identified the earliest when an organization is designing a cloud compliance program?
A. Cloud process owners
B. Internal control function
C. Legal functions
D. Cloud strategy owners
Which of the following control frameworks should the cloud customer use to assess the overall security risk of a cloud provider?
A. SOC3 - Type2
B. Cloud Control Matrix (CCM)
C. SOC2 - Type1
D. SOC1 - Type1
What aspect of SaaS functionality and operations would the cloud customer be responsible for and should be audited?
A. Access controls
B. Vulnerability management
C. Source code reviews
D. Patching
A. The violation is agreed upon and documented.
B. Nothing can be done to enforce violations as this is a cloud service.
C. The violation is agreed to verbally by the CSP.
D. Violations will be automatically enforced so no action is needed.
To support the customer's verification of the CSP's claims regarding their responsibilities according to the shared responsibility model, which of the following tools and techniques is appropriate?
A. Contractual agreement
B. Internal audit
C. External audit
D. Security assessment
A. Plan --> Develop --> Release
B. Deploy --> Monitor --> Audit
C. Initiation --> Execution --> Monitoring and Controlling
D. Preparation --> Execution --> Peer Review and Publication
Which of the following is the common cause of misconfiguration in a cloud environment?
A. Absence of effective change control
B. Using multiple cloud service providers
C. New cloud computing techniques
D. Traditional change process mechanisms
Account design in the cloud should be driven by:
A. security requirements.
B. organizational structure.
C. business continuity policies.
D. management structure.