Certificate of Cloud Auditing Knowledge (CCAK) — Question 248
An auditor is auditing the services provided by a cloud service provider. When evaluating the security of the cloud customer’s data in the cloud, which of the following should be of GREATEST concern to the auditor?
Answer options
- A. Personally identifiable information (PII) is pseudonymized but not fully encrypted.
- B. The cloud customer has encrypted the confidential data in the cloud using its own encryption keys.
- C. The confidential data stored in the cloud is encrypted using encryption keys that are managed by the provider.
- D. According to the cloud customer’s data handling policy, all confidential data should be encrypted, but the confidential data stored in the cloud is well segmented but not encrypted.
Correct answer: D
Explanation
The correct answer is D: the cloud customer’s data handling policy requires all confidential data to be encrypted, yet the confidential data stored in the cloud is not encrypted, which poses a significant risk. Options A, B, and C involve various levels of encryption, which provide some level of data protection, making them less concerning than unencrypted confidential data.