Access controls are the aspect of Software as a Service (SaaS) functionality and operations that the cloud customer is responsible for and should be audited. Access controls refer to the methods and techniques that verify the identity and access rights of users or devices that access or use the SaaS application and its data. Access controls may include credentials, policies, roles, permissions, tokens, multifactor authentication, single sign-on, etc. The cloud customer is responsible for ensuring that only authorized and legitimate users or devices can access or use the SaaS application and its data, as well as for protecting the confidentiality, integrity, and availability of their data.The cloud customer should also monitor and audit the access and usage of the SaaS application and its data, as well as any incidents or issues that may affect them123.

Source code reviews (A) are not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Source code reviews refer to the processes and practices that examine the source code of software applications or systems to identify errors, bugs, vulnerabilities, or inefficiencies that may affect their quality, functionality, or security. Source code reviews are mainly under the responsibility of the cloud service provider, as they own and operate the software applications or systems that deliver SaaS services.The cloud customer has no access or control over these aspects123.

Patching (B) is not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Patching refers to the processes and practices that ensure the security, reliability, and performance of the cloud infrastructure, platform, or software. Patching involves the use of updates or fixes to address vulnerabilities, bugs, errors, or exploits that may compromise or affect the functionality of the cloud components. Patching is mainly under the responsibility of the cloud service provider, as they own and operate the cloud infrastructure, platform, or software.The cloud customer has limited or no access or control over these aspects123.

Vulnerability management (D) is not the aspect of SaaS functionality and operations that the cloud customer is responsible for and should be audited. Vulnerability management refers to the processes and practices that identify, assess, treat, monitor, and report on the risks that affect the security posture of an organization or a domain. Vulnerability management involves the use of tools or techniques to scan, analyze, prioritize, remediate, or mitigate vulnerabilities that may expose an organization or a domain to threats or attacks. Vulnerability management is mainly under the responsibility of the cloud service provider, as they own and operate the cloud infrastructure, platform, or software.The cloud customer has limited or no access or control over these aspects123.Reference:=

Cloud Audits: A Guide for Cloud Service Providers - Cloud Standards ...

Cloud Audits: A Guide for Cloud Service Customers - Cloud Standards ...

Cloud Auditing Knowledge: Preparing for the CCAK Certificate Exam

The CSA Cloud Controls Matrix (CCM) is the best tool to perform cloud security control audits, as it is a cybersecurity control framework for cloud computing that is aligned to the CSA best practices and is considered the de-facto standard for cloud security and privacy1.The CCM provides a set of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology, such as identity and access management, data security, encryption and key management, business continuity and disaster recovery, audit assurance and compliance, and risk management1.The CCM also maps the controls to various industry-accepted security standards, regulations, and control frameworks, such as ISO 27001/27002/27017/27018, NIST SP 800-53, PCI DSS, GDPR, and others1.The CCM can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain1.The CCM also includes the Consensus Assessment Initiative Questionnaire (CAIQ), which provides a set of ''yes or no'' questions based on the security controls in the CCM that can be used to assess a cloud service provider2.

The other options are not the best tools to perform cloud security control audits, as they are either not specific to cloud computing or not comprehensive enough.GDPR is a regulation that aims to protect the personal data and privacy of individuals in the European Union and the European Economic Area3, but it does not provide a framework for cloud security controls. FIPS 140-2 is a standard that specifies the security requirements for cryptographic modules used by federal agencies in the United States, but it does not cover other aspects of cloud security. ISO 27001 is a standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization, but it does not provide specific guidance for cloud services.Reference:

Cloud Controls Matrix (CCM) - CSA

Cloud Controls Matrix and CAIQ v4 | CSA - Cloud Security Alliance

General Data Protection Regulation - Wikipedia

[FIPS 140-2 - Wikipedia]

[ISO/IEC 27001:2013]

The objective that is most appropriate to measure the effectiveness of password policy is newly created account credentials satisfy requirements. This is because password policy is a set of rules and guidelines that define the characteristics and usage of passwords in a system or network. Password policy aims to enhance the security and confidentiality of the system or network by preventing unauthorized access, data breaches, and identity theft. Therefore, the best way to evaluate the effectiveness of password policy is to check whether the newly created account credentials meet the requirements of the policy, such as length, complexity, expiration, and history. This objective can be measured by conducting periodic audits, reviews, or tests of the account creation process and verifying that the passwords comply with the policy standards.This is part of the Cloud Control Matrix (CCM) domain IAM-02: User ID Credentials, which states that 'The organization should have a policy and procedures to manage user ID credentials for cloud services and data.'1Reference:= CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 76

When applying the Top Threats Analysis methodology following an incident, the scope of the technical impact identification step is to determine the impact on confidentiality, integrity, and availability of the information system. The Top Threats Analysis methodology is a process developed by the Cloud Security Alliance (CSA) to help organizations identify, analyze, and mitigate the top threats to cloud computing, as defined in the CSA Top Threats reports.The methodology consists of six steps1:

Scope definition: Define the scope of the analysis, such as the cloud service model, deployment model, and business context.

Threat identification: Identify the relevant threats from the CSA Top Threats reports that may affect the scope of the analysis.

Technical impact identification: Determine the impact on confidentiality, integrity, and availability of the information system caused by each threat. Confidentiality refers to the protection of data from unauthorized access or disclosure. Integrity refers to the protection of data from unauthorized modification or deletion. Availability refers to the protection of data and services from disruption or denial.

Business impact identification: Determine the impact on the business objectives and operations caused by each threat, such as financial loss, reputational damage, legal liability, or regulatory compliance.

Risk assessment: Assess the likelihood and severity of each threat based on the technical and business impacts, and prioritize the threats according to their risk level.

Risk treatment: Select and implement appropriate risk treatment options for each threat, such as avoidance, mitigation, transfer, or acceptance.

The technical impact identification step is important because it helps to measure the extent of damage or harm that each threat can cause to the information system and its components. This step also helps to align the technical impacts with the business impacts and to support the risk assessment and treatment steps.