ExamTopics Logo
Mail Us[email protected]
Menu
Csa Discussions
exam questions

Exam CCSK All Questions

View all questions & answers for the CCSK exam
Go to Exam

Exam CCSK topic 1 question 12 discussion

Actual exam question from CSA's CCSK
Question #: 12
Topic #: 1
[All CCSK Questions]

CCM: A hypothetical company called: `Health4Sure` is located in the United States and provides cloud based services for tracking patient health. The company is compliant with HIPAA/HITECH Act among other industry standards. Health4Sure decides to assess the overall security of their cloud service against the CCM toolkit so that they will be able to present this document to potential clients.
Which of the following approach would be most suitable to assess the overall security posture of Health4Sure's cloud service?

  • A. The CCM columns are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered ad a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls. This approach will save time.
  • B. The CCM domain controls are mapped to HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with HIPPA/HITECH Act. They could then assess the remaining controls thoroughly. This approach saves time while being able to assess the company's overall security posture in an efficient manner.
  • C. The CCM domains are not mapped to HIPAA/HITECH Act. Therefore Health4Sure should assess the security posture of their cloud service against each and every control in the CCM. This approach will allow a thorough assessment of the security posture.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by beazzlebub at Oct. 8, 2022, 4:14 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Petza
Highly Voted 2 years, 6 months ago
Selected Answer: B
CCM, which is part of the CSA Governance, Risk and Compliance (GRC) Stack, is mapped to multiple industry standards, regulations and frameworks that enterprises must follow, including ISO 27001/27002, PCI DSS, HIPAA and COBIT.
upvoted 9 times
...
sanju249
Most Recent 6 months, 2 weeks ago
Selected Answer: B
One of the key strengths of the CCM is its alignment with leading standards, such as ISO/IEC 27001/27002, PCI Data Security Standard (DSS) (v3.2.1/v4.0), NIST, and so on. By harmonizing with these established frameworks, the CCM ensures that organizations can achieve compliance across multiple standards and regulations. Pg. 22 in study guide of V5
upvoted 1 times
...
assfedassfinished
1 year ago
Selected Answer: B
My thought is B. While I considered C for a while, I get a warm and fuzzy with B in consideration of the inclusion of the word "overall" on the question, as it relates to the security posture.
upvoted 2 times
...
CbtL
1 year, 1 month ago
Selected Answer: C
People are really overthinking this one. In the CCM v4, on the Scope Applicability (Mappings) tab, there is no HIPAA or HIPAA/HITECH section. This tab is the mappings of the controls in the domains to various other standards. Going with C because it seems to be simple enough.
upvoted 3 times
sfsc91
3 months ago
CCM maps to HIPPA/HITECH. https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-hipaa-us
upvoted 1 times
...
...
BigG83
1 year, 2 months ago
Selected Answer: B
There are Domain Controls in CCM and those are mapped to a lot of standards among others to HIPAA/HITECH (Omnibus rule)
upvoted 1 times
...
BiminiBoy_Cyber
1 year, 7 months ago
As per the CSA Website: Which Security "DOMAINS" are covered by the CCM? Audit and Assurance, Application & Interface Security, Business Continuity... HIPAA/HITECH is not listed among the 17 domains. https://cloudsecurityalliance.org/research/cloud-controls-matrix/ I hope this helps.
upvoted 1 times
...
iacini
1 year, 9 months ago
Selected Answer: C
I would say C, because A is referring to CCM Columns and B to CCM Domain controls (there is no such thing) only C is referring to CCM Domains and I would go for that.
upvoted 1 times
...
Selmed993
2 years, 1 month ago
Since CCM v3.0 has HIPAA/HITECH mapped in columns and the company is compliant with HIPAA/HITECH, it can disregard CCM controls mapping with HIPAA/HITECH and test CCM controls which are not mapped with HIPAA/HITECH to comply with other standards to save time on testing.
upvoted 1 times
...
Michael_B_Morell_CISSP
2 years, 4 months ago
Selected Answer: C
This is a very poorly written question and even more confusing answers. Not impossible, just takes a lot of dissection and reading.
upvoted 3 times
Michael_B_Morell_CISSP
2 years, 4 months ago
The problem here is that the question is intentionally misleading. They make it look like it is just for Health, hence the repeated use of HIPAA/HITECH and "health" in the company name.
upvoted 1 times
Michael_B_Morell_CISSP
2 years, 4 months ago
But if you look a little more closely, regardless of their name, the goal of the company is to be a CSP and have the widest range of compliance of many frameworks. Not just HIPAA/HITECH. This is taken from this line "The company is compliant with HIPAA/HITECH Act among other industry standards."
upvoted 1 times
Michael_B_Morell_CISSP
2 years, 4 months ago
Next is the overall goal; a CSP wanting to give the results to their clients so that their clients can use it as "pass thru". Now, we won't debate whether or not the CCM in the real world, is a valid document to give to customers for true pass-thru purposes (it's not). Let's just assume for the sake of argument that it is.
upvoted 1 times
Michael_B_Morell_CISSP
2 years, 4 months ago
In that light, C would be the best answer because their goal is to have the widest compliance possible of many frameworks (scope applicability), not just for hipaa/hitech. A and B can be discounted simply because of their insistence on HIPAA/HITECH; whereas C says to use every control. hence giving the widest compliance results.
upvoted 2 times
BigG83
1 year, 2 months ago
But the Answer C has a fully false statement: "The CCM domains are not mapped to HIPAA/HITECH Act." So this C cannot be the correct answer.
upvoted 1 times
...
...
...
...
...
...
A_Nevermind
2 years, 6 months ago
IMHO the provided answer is correct. CCM v 4 is currently mapping ISO/IEC 27001/27002/27017/27018, CCM V3.0.1, AICPA TSC (2017), CIS Controls V8, NIST 800-53r5, and PCI DSSv3.2.1 and nothing else
upvoted 2 times
JOKERO
2 years, 5 months ago
yes, but the v3.0.1 is mapped with HIPAA. So i reckon the answer is B
upvoted 3 times
Michael_B_Morell_CISSP
2 years, 4 months ago
It's C, but not for the reason Nevermind gave. The point of the question is to make you think that all it cares about is "Health", when in reality they are a CSP wanting to show the widest set of compliance to as many frameworks/standards as possible. The repeated references to HIPAA/HITECH is meant to be a red herring.
upvoted 1 times
...
...
...
beazzlebub
2 years, 6 months ago
The indicated answer here is clearly wrong, since the CCM controls are mapped to most of the cyber security frameworks and regulations, including HIPAA/Hitech. For me it's between A or B, and I feel B is a better answer and I would go for that.
upvoted 3 times
Michael_B_Morell_CISSP
2 years, 4 months ago
The answer is C. This is because the premise of the question is intentionally misleading. It wants you to concentrate on "Health", hence A and B appear like they would be right. But they are not concentrating on just health compliance. They want to be a CSP and in such, have the widest range of compliance against as many frameworks/standards as possible. This is so they can present the results of the CCM to their clients, and their clients can use it as a pass-thru. Now obviously in the real world the CCM in itself would not be given to a client by a CSP. The CSP would go thru the certification processes such as FedRAMP/ISO/HITRUST etc, and of course a SOC2 Type 2. When you go thru these sorts of long paragraph scenarios, a good trick is to break each sentence down until you get to the core topic of it. I take part in the CISSP exam writing workshops, and we intentionally will write misleading questions like this. Albeit I would hope not as poorly written.
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago