CCAK Exam Prep
CCAK Exam Glossary - 40 Terms
Search the terminology pack for Certificate of Cloud Auditing Knowledge. Use these definitions with the study guide and practice questions.
A
- Accountability
  - The obligation of an assigned party to answer for outcomes, decisions, and compliance performance.
- Attack methods
  - Techniques and procedures used by adversaries to compromise systems or data.
C
- Cloud adoption approach
  - The organizational strategy and plan for selecting, implementing, and governing cloud services.
- Cloud compliance program
  - A structured set of policies, controls, roles, and processes to meet cloud-related legal and regulatory obligations.
- Cloud process owners
  - Individuals responsible for business processes that rely on cloud services and the controls supporting them.
- Cloud provider certifications
  - Formal attestations showing that a cloud service provider has been assessed against recognized standards.
- Cloud security controls
  - Administrative, technical, and physical safeguards implemented to protect cloud systems, services, and data.
- Compliance risk
  - The risk of legal, regulatory, or policy violations resulting from failure to meet applicable requirements.
- Continuous monitoring
  - An ongoing process of collecting, analyzing, and acting on security and compliance information in near real time.
- Continuous review
  - The ongoing assessment of controls to ensure they remain effective as threats and environments change.
- Control crosswalk
  - A mapping between control frameworks used to identify overlaps, gaps, and differences during framework transition.
- Cross-jurisdictional data storage
  - The storage of data across multiple legal or national boundaries, potentially subjecting it to multiple laws.
- Cryptographic keys
  - Secret values used by cryptographic algorithms to encrypt, decrypt, sign, or verify data.
- Customer management interface
  - The portal, API, or console customers use to administer and configure cloud services.
D
- Data breach
  - An incident in which sensitive, protected, or confidential data is accessed or disclosed without authorization.
F
- Flow-down requirements
  - Contractual or compliance obligations that must be passed from a primary provider to subcontractors.
G
- GDPR
  - The General Data Protection Regulation, an EU law governing the protection and processing of personal data.
H
- Health information
  - Sensitive personal data related to an individual’s physical or mental health, often subject to enhanced protection.
I
- Independent evidence
  - Objective proof from a third party, such as audit reports or attestations, used to validate compliance.
- ISO/IEC 27002
  - An international standard providing guidance on information security controls and best practices.
J
- Jurisdiction
  - A legal territory or authority whose laws and regulations apply to data, services, or operations.
K
- Key rotation
  - The periodic replacement of cryptographic keys to limit exposure if a key is compromised.
M
- Multi-level supply chain
  - A service delivery structure in which providers rely on subcontractors or downstream providers.
N
- NIST SP 800-53
  - A NIST catalog of security and privacy controls for information systems and organizations.
O
- Open Certification Framework (OCF)
  - A layered framework used to standardize cloud service description, assessment, and certification practices.
P
- Personal data
  - Any information relating to an identified or identifiable natural person.
- Policy violations
  - Failures to follow established organizational rules, standards, or procedures, whether intentional or accidental.
- Public internet exposure
  - The condition of a system or interface being reachable from the internet, increasing attack surface.
R
- RACI chart
  - A responsibility assignment matrix that identifies who is Responsible, Accountable, Consulted, and Informed for activities.
- Real-time visibility
  - Current operational awareness of system activity, events, and security status as they occur.
- Reputation-based trust
  - A form of trust established from a provider’s past behavior, reliability, and feedback history.
- Risk reduction
  - A risk treatment strategy that lowers the likelihood or impact of a risk through controls or process changes.
S
- Senior management
  - Executive leadership responsible for strategic direction, governance, and major organizational decisions.
- Shared responsibility model
  - A cloud governance model that defines which security and compliance responsibilities belong to the provider versus the customer.
- Software as a Service (SaaS)
  - A cloud service model in which applications are hosted by a provider and accessed by users over a network.
- Subcontractors
  - Third parties engaged by a provider to perform part of the contracted service or operational function.
T
- Threats
  - Potential causes of unwanted incidents that can harm cloud assets, systems, or data.
- Transparency
  - The degree to which a cloud provider clearly discloses controls, practices, and service characteristics.
V
- Vendor compliance
  - The state of a supplier or provider meeting contractual, regulatory, and security obligations.
- Vulnerabilities
  - Weaknesses in systems, processes, or configurations that can be exploited by threats.
About These Definitions
These definitions are loaded from the shared release pack. Use them with the study guide and practice questions to connect vocabulary to exam scenarios.