Exam CCSK
Question 12

CCM: A hypothetical company called `Health4Sure` is located in the United States and provides cloud-based services for tracking patient health. The company is compliant with the HIPAA/HITECH Act among other industry standards. Health4Sure decides to assess the overall security of their cloud service against the CCM toolkit so that they will be able to present this document to potential clients.

Which of the following approaches would be most suitable to assess the overall security posture of Health4Sure's cloud service?

    Correct Answer: B

    The most suitable approach for Health4Sure to assess the overall security posture of their cloud service is to verify the CCM controls already covered as a result of their compliance with HIPAA/HITECH Act, and then assess the remaining controls thoroughly. This approach will save time while efficiently covering all necessary areas to ensure comprehensive security assessment.

Discussion
Petza (Option: B)

CCM, which is part of the CSA Governance, Risk and Compliance (GRC) Stack, is mapped to multiple industry standards, regulations and frameworks that enterprises must follow, including ISO 27001/27002, PCI DSS, HIPAA and COBIT.

beazzlebub (Option: B)

The indicated answer here is clearly wrong, since the CCM controls are mapped to most of the cyber security frameworks and regulations, including HIPAA/HITECH. For me it's between A and B, and I feel B is a better answer and I would go for that.

Michael_B_Morell_CISSP

The answer is C. This is because the premise of the question is intentionally misleading. It wants you to concentrate on "Health", hence A and B appear like they would be right. But they are not concentrating on just health compliance. They want to be a CSP and, as such, have the widest range of compliance against as many frameworks/standards as possible. This is so they can present the results of the CCM to their clients, and their clients can use it as a pass-thru. Now obviously in the real world the CCM in itself would not be given to a client by a CSP. The CSP would go thru the certification processes such as FedRAMP/ISO/HITRUST etc., and of course a SOC 2 Type 2. When you go thru these sorts of long paragraph scenarios, a good trick is to break each sentence down until you get to the core topic of it. I take part in the CISSP exam writing workshops, and we intentionally write misleading questions like this. Albeit I would hope not as poorly written.

assfedassfinished (Option: B)

My thought is B. While I considered C for a while, I get a warm and fuzzy with B in consideration of the inclusion of the word "overall" in the question, as it relates to the security posture.

Michael_B_Morell_CISSP (Option: C)

This is a very poorly written question and even more confusing answers. Not impossible, just takes a lot of dissection and reading.

Michael_B_Morell_CISSP

The problem here is that the question is intentionally misleading. They make it look like it is just for Health, hence the repeated use of HIPAA/HITECH and "health" in the company name.

Michael_B_Morell_CISSP

But if you look a little more closely, regardless of their name, the goal of the company is to be a CSP and have the widest range of compliance of many frameworks. Not just HIPAA/HITECH. This is taken from this line "The company is compliant with HIPAA/HITECH Act among other industry standards."

Michael_B_Morell_CISSP

Next is the overall goal; a CSP wanting to give the results to their clients so that their clients can use it as "pass thru". Now, we won't debate whether or not the CCM, in the real world, is a valid document to give to customers for true pass-thru purposes (it's not). Let's just assume for the sake of argument that it is.

Michael_B_Morell_CISSP

In that light, C would be the best answer because their goal is to have the widest compliance possible of many frameworks (scope applicability), not just for HIPAA/HITECH. A and B can be discounted simply because of their insistence on HIPAA/HITECH; whereas C says to use every control, hence giving the widest compliance results.

BigG83

But the Answer C has a fully false statement: "The CCM domains are not mapped to HIPAA/HITECH Act." So this C cannot be the correct answer.

A_Nevermind

IMHO the provided answer is correct. CCM v4 is currently mapping ISO/IEC 27001/27002/27017/27018, CCM v3.0.1, AICPA TSC (2017), CIS Controls v8, NIST 800-53r5, and PCI DSS v3.2.1, and nothing else.

JOKERO

Yes, but the v3.0.1 is mapped with HIPAA. So I reckon the answer is B.

Michael_B_Morell_CISSP

It's C, but not for the reason Nevermind gave. The point of the question is to make you think that all it cares about is "Health", when in reality they are a CSP wanting to show the widest set of compliance to as many frameworks/standards as possible. The repeated references to HIPAA/HITECH are meant to be a red herring.

CbtL (Option: C)

People are really overthinking this one. In the CCM v4, on the Scope Applicability (Mappings) tab, there is no HIPAA or HIPAA/HITECH section. This tab is the mappings of the controls in the domains to various other standards. Going with C because it seems to be simple enough.

BigG83 (Option: B)

There are Domain Controls in CCM, and those are mapped to a lot of standards, among others to HIPAA/HITECH (Omnibus Rule).

BiminiBoy_Cyber

As per the CSA website: Which security "DOMAINS" are covered by the CCM? Audit and Assurance, Application & Interface Security, Business Continuity... HIPAA/HITECH is not listed among the 17 domains. https://cloudsecurityalliance.org/research/cloud-controls-matrix/ I hope this helps.

iacini (Option: C)

I would say C, because A is referring to CCM Columns and B to CCM Domain Controls (there is no such thing); only C is referring to CCM Domains, and I would go for that.

Selmed993 (Option: A)

Since CCM v3.0 has HIPAA/HITECH mapped in its columns and the company is compliant with HIPAA/HITECH, it can disregard the CCM controls mapped to HIPAA/HITECH and test the CCM controls which are not mapped to HIPAA/HITECH in order to comply with other standards, saving time on testing.