WGU Course C838 – Managing Cloud Security with complete solutions

Which phase of the cloud data life cycle allows both read and process functions to be performed?

A Create
B Archive
C Store
D Share

A

Which phase of the cloud data security life cycle typically occurs simultaneously with creation?

A Share
B Store
C Use
D Destroy

B

Which phase of the cloud data life cycle uses content delivery networks?

A Destroy
B Archive
C Share
D Create

C

Which phase of the cloud data life cycle is associated with crypto-shredding?

A Share
B Use
C Destroy
D Store

C

Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security?

A Randomization
B Obfuscation
C Anonymization
D Tokenization

D

Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model?

A Sandbox encryption
B Polymorphic encryption
C Client-side encryption
D Whole-instance encryption

D

There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms.

Which platform as a service (PaaS) data type should be used?

A Short-term storage
B Structured
C Unstructured
D Long-term storage

B

Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files?

A Relational database
B Block
C Distributed
D Object

D

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?

A Dynamic masking
B Format-preserving encryption
C Proxy-based encryption
D Tokenization

B

Which encryption technique connects the instance to the encryption instance that handles all crypto operations?

A Database
B Proxy
C Externally managed
D Server-side

B

Which type of control should be used to implement custom controls that safeguard data?

A Public and internal sharing
B Options for access
C Management plane
D Application level

D

Which element is protected by an encryption system?

A Ciphertext
B Management engine
C Data
D Public key

C

A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data.

Which step should occur immediately before this action is taken?

A The tokenization server returns the token to the application.
B The tokenization server generates the token.
C The application collects a token.
D The application stores the token.

D

A company has recently defined classification levels for its data.

During which phase of the cloud data life cycle should this definition occur?

A Use
B Create
C Share
D Archive

B

Which jurisdictional data protection includes dealing with the international transfer of data?

A Financial modernization
B Secure choice authorization (SCA)
C Sarbanes-Oxley act (SOX)
D Privacy regulation

D

Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals?

A Stored communications act (SCA)
B Health insurance portability and accountability act (HIPAA)
C Gramm-Leach-Bliley act (GLBA)
D Sarbanes-Oxley act (SOX)

C

Which jurisdictional data protection safeguards protected health information (PHI)?

A Directive 95/46/EC
B Safe harbor regime
C Personal Data Protection Act of 2000
D Health Insurance Portability and Accountability Act (HIPAA)

D

How is the compliance of the cloud service provider’s legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud?

A Contractual agreements
B Third-party audits and attestations
C e-Discovery process
D Researching data retention laws

B

Which security strategy is associated with data rights management solutions?

A Unrestricted replication
B Limited documents type support
C Static policy control
D Continuous auditing

D

Who retains final ownership for granting data access and permissions in a shared responsibility model?

A Customer
B Developer
C Manager
D Analyst

A

Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data?

A Backup
B Caching
C Archiving
D Saving

C

Which data retention method is stored with a minimal amount of metadata storage with the content?

A File system
B Redundant array
C Object-based
D Block-based

D

What is a key capability of security information and event management?

A Intrusion prevention capabilities
B Automatic remediation of issues
C Centralized collection of log data
D Secure remote access

C

Which data source provides auditability and traceability for event investigation as well as documentation?

A Storage files
B Packet capture
C Network interference
D Database tables

B

Which data source provides auditability and traceability for event investigation as well as documentation?

A Network segmentation
B Ephemeral storage
C Database schema
D Virtualization platform logs

D

Which technology is used to manage identity access management by building trust relationships between organizations?

A Single sign-on
B Multifactor authentication
C Federation
D Biometric authentication

C

Which term describes the action of confirming identity access to an information system?

A Coordination
B Concept
C Access
D Authentication

D

Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring?

A Data loss prevention (DLP)
B Content delivery network (CDN)
C Cloud access security broker (CASB)
D Web application firewall (WAF)

C

Which cloud computing technology unlocks business value through digital and physical access to maps?

A Multitenancy
B Cloud application
C Application programming interface
D On-demand self-service

C

Which cloud computing tool may help detect data migrations to cloud services?

A Uniform resource locator (URL) filtering
B Cloud security gateways
C Cloud data transfer
D Data loss prevention

D

What is a key component of the infrastructure as a service (IaaS) cloud service model?

A Allows choice and reduces lock-in
B Supports multiple languages and frameworks
C Ease of use and limited administration
D High reliability and resilience

D

What is a key capability of infrastructure as a service (IaaS)?

A Hosted application management
B Converged network and IT capacity pool
C Leased application and software licensing
D Multiple hosting environments

B

Which option should an organization choose if there is a need to avoid software ownership?

A Software as a service (SaaS)
B Platform as a service (PaaS)
C Containers as a service (CaaS)
D Infrastructure as a service (IaaS)

A

Which cloud model offers access to a pool of fundamental IT resources such as computing, networking, or storage?

A Infrastructure
B Platform
C Application
D Data

A

In which situation could cloud clients find it impossible to recover or access their own data if their cloud provider goes bankrupt?

A Vendor lock-in
B Multitenant
C Multicloud
D Vendor lock-out

D

Which cloud deployment model is operated for a single organization?

A Consortium
B Hybrid
C Public
D Private

D

Which cloud model provides data location assurance?

A Hybrid
B Private
C Community
D Public

B

Which cloud model allows the consumer to have sole responsibility for management and governance?

A Hybrid
B Community
C Private
D Public

C

Which technology allows an organization to control access to sensitive documents stored in the cloud?

A Digital rights management (DRM)
B Database activity monitoring (DAM)
C Identity and access management (IAM)
D Distributed resource scheduling (DRS)

A

Which security technology can provide secure network communications from on-site enterprise systems to a cloud platform?

A Domain name system security extensions (DNSSEC)
B Internet protocol security (IPSec) virtual private network (VPN)
C Web application firewall (WAF)
D Data loss prevention (DLP)

B

How do immutable workloads affect security overhead?

A They reduce the management of the hosts.
B They automatically perform vulnerability scanning as they launch.
C They restrict the amount of instances in a cluster.
D They create patches for a running workload.

A

Which document addresses CSP issues such as guaranteed uptime, liability, penalties, and dispute mediation process?

A General data protection regulation (GDPR)
B Service organization control 3 (SOC 3)
C Service level agreement (SLA)
D Common criteria assurance framework (CC)

C

Which design principle of secure cloud computing ensures that the business can resume essential operations in the event of an availability-affecting incident?

A Disaster recovery
B Resource pooling
C Access control
D Session management

A

Which design principle of secure cloud computing ensures that users can utilize data and applications from around the globe?

A Portability
B Scalability
C On-demand self-service
D Broad network access

D

Which design principle of secure cloud computing involves deploying cloud service provider resources to maximize availability in the event of a failure?

A Elasticity
B Resiliency
C Scalability
D Clustering

B

Which item should be part of the legal framework analysis if a company wishes to store prescription drug records in a SaaS solution?

A Sarbanes-Oxley Act
B Health Insurance Portability and Accountability Act
C Federal Information Security Modernization Act
D U.S. Patriot Act

B

Which standard addresses practices related to acquisition of forensic artifacts and can be directly applied to a cloud environment?

A NIST SP 500-291
B ISO/IEC 27001
C NIST SP 800-145
D ISO/IEC 27050-1

D

Which regulation in the United States defines the requirements for a CSP to implement and report on internal accounting controls?

A HIPAA
B SOX
C FERPA
D GDPR

B

Which legislation must a trusted cloud service adhere to when utilizing the data of EU citizens?

A GDPR
B EMTALA
C APPI
D SOX

A

Which logical design decision can be attributed to required regulation?

A Database writes/second
B Retention periods
C Retention formats
D Database reads/second

B

Which service model influences the logical design by using additional measures in the application to enhance security?

A Hybrid cloud
B Public cloud
C Software as a service (SaaS)
D Platform as a service (PaaS)

C

Which environmental consideration should be addressed when planning the design of a data center?

A Heating and ventilation
B Utility power availability
C Expansion possibilities and growth
D Telecommunications connections

A

Which result is achieved by removing all nonessential services and software of devices for secure configuration of hardware?

A Hardening
B Maintenance
C Patching
D Lockdown

A

What is a component of device hardening?

A Patching
B Unit testing
C Versioning
D Configuring VPN access

A

Which technology typically provides security isolation in infrastructure as a service (IaaS) cloud computing?

A Application instance
B System image repository
C Virtual machines
D Operating systems

C

Which technology allows an administrator to remotely manage a fleet of servers?

A KVM switch
B VPN concentrator
C Bastion host
D Management plane

D

What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks?

A Management orchestration software
B Management plane
C Identity access management
D Database management

B

Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems?

A Applying the steps of a cloud software development life cycle

B Providing developer access to supporting components and services

C Outsourcing the infrastructure and integration platform management

D Verifying the application has an appropriate level of confidentiality and integrity

A

Which type of agreement aims to negotiate policies with various parties in accordance with the agreed-upon targets?

A Privacy-level (PLA)
B Service-level (SLA)
C User license (ULA)
D Operation-level (OLA)

B

Which regulation requires a CSP to comply with copyright law for hosted content?

A SCA
B DMCA
C SOX
D GLBA

B

Which element is a cloud virtualization risk?

A Guest isolation
B Electronic discovery
C Licensing
D Jurisdiction

A

Which risk is related to interception of data in transit?

A Virtualization
B Man-in-the-middle
C Software vulnerabilities
D Traffic blocking

B

Which method is being used when a company evaluates the acceptable loss exposure associated with a cloud solution for a given set of objectives and resources?

A Business impact analysis
B Business continuity planning
C Risk appetite
D Risk management

C

The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization.

Which standard should be applied?

A International organization for standardization (ISO) 27050-1
B Sarbanes-Oxley Act (SOX)
C Cloud controls matrix (CCM)
D International electrotechnical commission (IEC) 27037

A

Which detection and analysis technique is performed to capture a point-in-time picture of the entire stack at the time of an incident?

A Collect metadata during alert
B Examine configuration data
C Create a snapshot using API calls
D Review data access logs

C

A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm.

Who is the CSP legally required to notify?

A Information commissioner
B Australian privacy foundation
C Asian-Pacific privacy control board
D Cloud Security Alliance

A

A CSP provides services in European Union (EU) countries that are subject to the network information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided.

Who is the CSP required to notify under the NIS directive?

A Data protection regulator
B Competent authorities
C Personal Information Protection Commission
D Provider’s services suppliers

B

A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident.

Which action facilitates this type of communication?

A Incorporating checks on API calls
B Using existing open standards
C Identifying key risk indicators (KRIs)
D Performing a vulnerability assessment

B

Which security control does the software as a service (SaaS) model require as a shared responsibility of all parties involved?

A Platform
B Infrastructure
C Data
D Application

D

Which description characterizes the application programming interface (API) format known as representational state transfer (REST)?

A Supports only extensible markup language (XML)
B Provides a framework for developing scalable web applications
C Delivers a slower performance with complex scalability
D Tolerates errors at a high level

Which issue occurs when a web browser is sent data without proper validation?

A Insecure direct object access (IDOA)
B Cross-site request forgery (CSRF)
C Cross-site scripting (XSS)
D Lightweight directory access protocol (LDAP) injection

C

Which security testing approach is used to review source code and binaries without executing the application?

A Regression testing
B Dynamic application security testing
C Static application security testing
D Fuzz testing

C

Which issue can be detected with static application security testing (SAST)?

A Authentication
B Performance
C Threading
D Malware

C

Which approach is considered a black-box security testing method?

A Static application security testing
B Binary code inspection
C Dynamic application security testing
D Source code review

C

Which primary security control should be used by all cloud accounts, including individual users, in order to defend against the widest range of attacks?

A Multi-factor authentication
B Logging and monitoring
C Perimeter security
D Redundant infrastructure

A

Which cloud infrastructure is shared by several organizations and supports a specific population that has shared concerns (e.g., mission, security requirements, policy, compliance considerations)?

A Public
B Community
C Hybrid
D Private

B

Which problem is known as a common supply chain risk?

A Domain spoofing
B Runtime application self-protection
C Data breaches
D Source code design

C

Which phase of the software development life cycle includes determining the business and security requirements for the application to occur?

A Designing
B Developing
C Defining
D Testing

C

Which phase of the software development life cycle includes writing application code?

A Defining
B Designing
C Implementing
D Developing

D

Which method should the cloud consumer use to secure the management plane of the cloud service provider?

A Network access control list
B Disablement of management plane
C Agent-based security tooling
D Credential management

D

Which security threat occurs when a developer leaves an unauthorized access interface within an application after release?

A Deprecated API
B Easter egg
C Persistent backdoor
D Development operations

C

Which process prevents the environment from being over-controlled by security measures to the point where application performance is impacted?

A Trusted cloud initiative (TCI)
B Community cloud
C Quality of service (QoS)
D Private cloud

C

Which of the Open Web Application Security Project (OWASP) Top 9 coding flaws leads to security issues?

A Direct object reference
B Cross-site scripting
C Denial-of-service
D Client-side injection

A

Which identity management process targets access to enterprise resources by ensuring that the identity of an entity is verified?

A Provisioning
B Federation
C Authentication
D Policy management

C

Which technology improves the ability of the transport layer security (TLS) to ensure privacy when communicating between applications?

A Whole-disk encryption
B Advanced application-specific integrated circuits (ASICs)
C Virtual private networks (VPNs)
D Volume encryption

B

Which multi-factor authentication (MFA) option uses a physical universal serial bus (USB) device to generate one-time passwords?

A Transaction authentication numbers
B Biometrics
C Hard tokens
D Out-of-band passwords

C

Which cloud infrastructure is shared by several organizations with common concerns, such as mission, policy, or compliance considerations?

A Private cloud
B Community cloud
C Public cloud
D Hybrid cloud

B

Which type of cloud deployment model is considered equivalent to a traditional IT architecture?

A Public
B Private
C Hybrid
D Community

B

Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy?

A Technological controls
B Contractual enforcement of policies
C Training programs
D Strong access controls

A

Which attack vector is associated with cloud infrastructure?

A Seizure and examination of a physical disk

B Licensing fees tied to the deployment of software based on a per-CPU licensing model

C Data storage locations in multiple jurisdictions

D Compromised API credentials

D

Which risk is associated with malicious and accidental dangers to a cloud infrastructure?

A Regulatory noncompliance
B Natural disasters
C Personnel threats
D External attacks

C

Which cloud-specific risk must be considered when moving infrastructure operations to the cloud?

A Natural disasters
B Lack of physical access
C Denial of service
D Regulatory violations

B

Which risk is controlled by implementing a private cloud?

A Eavesdropping
B Unauthorized access
C Denial-of-service (DoS)
D Physical security

D

Which countermeasure enhances redundancy for physical facilities hosting cloud equipment during the threat of a power outage?

A Tier 2 network access providers
B Radio frequency interference (RFI) blocking devices
C Multiple and independent power circuits to all racks
D Automated license plate readers (ALPR) at entry points

C

Which countermeasure helps mitigate the risk of stolen credentials for cloud-based platforms?

A Key management
B Multifactor authentication
C Data sanitization
D Host lockdown

B

Which control helps mitigate the risk of sensitive information leaving the cloud environment?

A Web application firewall (WAF)
B Disaster recovery plan (DRP)
C Identity and access management (IAM)
D Data loss prevention (DLP)

D

Which countermeasure mitigates the risk of a rogue cloud administrator?

A Multifactor authentication
B Data encryption
C Platform orchestration
D Logging and monitoring

D

Which consideration should be taken into account when reviewing a cloud service provider’s risk of potential outage time?

A The type of database
B The amount of cloud service offerings
C The unique history of the provider
D The provider’s support services

C

Which cloud security control eliminates the risk of a virtualization guest escape from another tenant?

A Dedicated hosting
B Hardware hypervisor
C File integrity monitor
D Immutable virtual machines

A

Which cloud security control is a countermeasure for man-in-the-middle attacks?

A Backing up data offsite
B Reviewing log data
C Using block data storage
D Encrypting data in transit

D

Which data retention policy controls how long health insurance portability and accountability act (HIPAA) data can be archived?

A Applicable regulation
B Data classification
C Enforcement
D Maintenance

A

Which disaster recovery (DR) site results in the quickest recovery in the event of a disaster?

A Hot
B Cold
C Reserve
D Passive

A

Where should the final data backup repository be located in the event that the disaster recovery plan is enacted for a CSP's disaster recovery (DR) service?

A Local storage
B Cloud platform
C Company headquarters
D Tape drive

B

Which technology should be included in the disaster recovery plan to prevent data loss?

A Offsite backups
B Locked racks
C Video surveillance
D System patches

A

Which disaster recovery plan metric indicates how long critical functions can be unavailable before the organization is irretrievably affected?

A Maximum allowable downtime (MAD)
B Recovery point objective (RPO)
C Mean time to switchover (MTS)
D Recovery time objective (RTO)

A

Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan?

A Continuity planning
B Costs will remain the same
C Level of resiliency
D Provider’s history

C

An architect needs to constrain problems to a level that can be controlled when the problem exceeds the capabilities of disaster recovery (DR) controls.

Which aspect of the plan will provide this guarantee?

A Ensuring data backups
B Evaluating portability alternatives
C Managing plane controls
D Handling provider outages

D

Which aspect of business continuity planning considers the alternatives to be used when there is a complete loss of the provider?

A Managing plane controls
B Ensuring resiliency
C Managing cloud provider outages
D Considering portability options

D

What is a key method associated with a risk-based approach to business continuity planning?

A Applying internal authentication and credential passing
B Leveraging software-defined networking
C Using existing network technology
D Considering the degree of continuity required for assets

D

Which testing method must be performed to demonstrate the effectiveness of a business continuity plan and procedures?

A Failover
B Penetration
C DAST
D SAST

A

Which process involves the use of electronic data as evidence in a civil or criminal legal case?

A eDiscovery investigations
B Due diligence
C Cloud governance
D Auditing in the cloud

A

Which standard addresses the privacy aspects of cloud computing for consumers?

A ISO 27018:2014
B ISO 27017:2015
C ISO 27001:2013
D ISO 19011:2011

A

Which international standard guide provides procedures for incident investigation principles and processes?

A ISO/IEC 27034-1:2011
B ISO/IEC 27037:2012
C ISO/IEC 27001:2013
D ISO/IEC 27043:2015

D

Which group is legally bound by the general data protection regulation (GDPR)?

A Only corporations located in countries that have adopted the GDPR standard

B Only corporations headquartered in the EU

C Only corporations that have operations in more than one EU nation

D Only corporations that process the data of EU citizens

D

Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?

A Reporting to the supervisory authority
B Informing consumer credit reporting services
C Notifying the affected persons
D Suspending the processing operations

A

Which penalty is imposed for privacy violations under the general data protection regulation (GDPR)?

A Penalty up to 2% of gross income
B Penalty up to 10 million Euros
C Penalty up to 5% of gross income
D Penalty up to 20 million Euros

D

Why is eDiscovery difficult in the cloud?

A The process is time consuming.
B The client may lack the credentials to access the required data.
C The customer is responsible for their data on a multitenant system.
D The cloud service provider may lack sufficient resources.

B

Which artifact may be required as a data source for a compliance audit in a cloud environment?

A Customer SLAs
B Quarterly revenue projections
C Change management details
D Annual actual-to-budgeted expense reports

C

Which artifact may be required as a data source for a regulatory compliance audit (i.e., HIPAA, PCI-DSS) in a cloud environment?

A System performance benchmarks
B Annual actual-to-budgeted expenses
C System configuration details
D Quarterly revenue projections

C

Which item would be a risk for an enterprise considering contracting with a cloud service provider?

A Suspension of service if payment is delinquent
B No SLA exclusion penalties
C 99.99% uptime guarantees
D Very expensive SLA provider penalties

A

Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties?

A Authentication
B Discovery by design
C Native production
D Direct access

C

Which type of control is important in order to achieve compliance for risk management?

A Technical
B Validation
C Security
D Privacy

C

Which requirement is included when exceptions, restrictions, and potential risks are highlighted in a cloud services contract?

A Virtual machine and operating system
B Regulatory and compliance
C Load balancer algorithm
D Stockholder expectations

B

Which item is required in a cloud contract?

A Specifications for unit testing
B Penalties for failure to meet SLA
C Strategy for the SDLC
D Diagrams for data flow structures

B

Which factor exemplifies adequate cloud contract governance?

A The frequency with which contracts are renewed
B The emphasis of privacy controls in the contract
C The flexibility of data types in accordance with a contract
D The bandwidth that is contractually provided

A

All of the following can result in vendor lock-in except:

A Proprietary data formats
B Statutory compliance
C Unfavorable contract
D Insufficient bandwidth

B

When a cloud customer uploads PII to a cloud provider, who becomes ultimately responsible for the security of that PII?

A Cloud customer
B The individuals who are the subjects of the PII
C Cloud provider
D Regulators

A

The generally accepted definition of cloud computing includes all of the following characteristics except:

A On-demand services
B Measured or metered service
C Resource pooling
D Negating the need for backups

D

All of these are reasons an organization may want to consider cloud migration, except:

A Reduced operational expenses
B Elimination of risks
C Reduced personnel costs
D Increased efficiency

B

The cloud deployment model that features organizational ownership of the hardware and infrastructure, and usage only by members of that organization, is known as:

A Public
B Hybrid
C Motive
D Private

D

All of these are features of cloud computing except:

A Rapid scaling
B On-demand self-service
C Broad network access
D Reversed charging configuration

D

Cloud Access Security Brokers (CASBs) might offer all the following services except:

A IAM
B BC/DR/COOP
C Single sign-on
D Key escrow

B

The cloud deployment model that features joint ownership of assets among an affinity group is known as:

A Community
B Hybrid
C Public
D Private

A

If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best?

A PaaS
B IaaS
C Hybrid
D SaaS

A

If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad?

A Availability
B Integrity
C Authentication
D Confidentiality

A

Which of the following is not a common cloud service model?

A Programming as a Service
B Software as a Service
C Platform as a Service
D Infrastructure as a Service

A

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as:

A Private
B Public
C Hybrid
D Latent

B

Cloud vendors are held to contractual obligations with specified metrics by:

A Discipline
B SLAs
C Regulations
D Law

B

We use which of the following to determine the critical paths, processes, and assets of an organization?

A Business requirements
B BIA
C RMF
D CIA triad

B

If a cloud customer wants a bare-bones environment in which to replicate their own enterprise for BC/DR purposes, which cloud service model would probably be best?

A Hybrid
B IaaS
C PaaS
D SaaS

B

The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as:

A Vendor closure
B Vendor lock-out
C Vendor lock-in
D Vending route

B

If a cloud customer wants a fully-operational environment with very little maintenance or administration necessary, which cloud service model would probably be best?

A Hybrid
B SaaS
C PaaS
D IaaS

B

All of these technologies have made cloud service viable except:

A Cryptographic connectivity
B Smart hubs
C Virtualization
D Widely available broadband

B

If a service or solution does not meet all of the specified key characteristics listed below, it is said not to be true cloud computing. Select the valid cloud computing characteristics from the terms identified below.

Each correct answer represents a complete solution. Choose all that apply.

1) Measured system
2) Broad network access
3) Resource pooling
4) Measured service
5) On-demand self-service
6) Selected self-service
7) Rapid expansion

A All but 1 & 6
B All but 2 & 5

A

_______ drive security decisions.

A Public opinion
B Business requirements
C Surveys
D Customer service responses

B

The process of hardening a device should include which of the following?

A Encrypting the OS
B Performing thorough personnel background checks
C Using video cameras
D Updating and patching the system

D

Which of the following is considered a physical control?

A Doors
B Ceilings
C Carpets
D Fences

D

The process of hardening a device should include all of the following, except:

A Improve default accounts
B Close unused ports
C Delete unnecessary services
D Strictly control administrator access

A

Which of the following is considered an administrative control?

A Keystroke logging
B Access control process
C Biometric authentication
D Door locks

B

All the following are ways of addressing risk, except:

A Mitigation
B Reversal
C Acceptance
D Transfer

B

In which cloud service model is the customer only responsible for the data?

A SaaS
B PaaS
C IaaS
D CaaS

A

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?

A All of these
B Administrative
C Physical
D Technological

A

To protect data on user devices in a BYOD environment, the organization should consider requiring all of the following, except:

A DLP agents
B Local encryption
C Multifactor authentication
D Two-person integrity

D

Devices in the cloud datacenter should be secure against attack. All the following are means of hardening devices, except:

A Using a strong password policy
B Removing default passwords
C Strictly limiting physical access
D Removing all admin accounts

D

The BIA can be used to provide information about all of the following, except:

A BC/DR planning
B Secure acquisition
C Risk analysis
D Selection of security controls

B

The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified?

A Contract
B RMF
C BIA
D MOU

A

Which of the following is considered a technological control?

A Firing personnel
B Firewall software
C Fireproof safe
D Fire extinguisher

B

In which cloud service model is the customer required to maintain and update only the applications?

A SaaS
B CaaS
C IaaS
D PaaS

D

In a cloud environment, encryption should be used for all the following, except:

A Long-term storage of data
B Near-term storage of virtualized images
C Secure sessions/VPN
D Profile formatting

D

Gathering business requirements can aid the organization in determining all of this information about organizational assets, except:

A Criticality
B Value
C Usefulness
D Full inventory

C

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?

A Polyinstantiation
B Quantum-state
C Gastronomic
D Homomorphic

D

In which cloud service model is the customer required to maintain the OS?

A SaaS
B PaaS
C IaaS
D CaaS

C

Risk appetite for an organization is determined by which of the following?

A Contractual agreement
B Legislative mandates
C Senior management
D Appetite evaluation

C

Which of the following best describes risk?

A Everlasting
B The likelihood that a threat will exploit a vulnerability
C Transient
D Preventable

B

What is the risk left over after controls and countermeasures are put in place?

A High
B Null
C Pertinent
D Residual

D

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.

Anonymization

XaaS refers to the growing diversity of services available over the Internet via cloud computing as opposed to being provided locally, or on-premises.

Anything as a Service (XaaS)

An open source cloud computing and infrastructure as a service (IaaS) platform developed to make creating, deploying, and managing IaaS cloud services easier by providing a complete stack of features and components for cloud environments.

Apache CloudStack

A subset of the organizational normative framework (ONF) that contains only the information required for a specific business application to reach the targeted level of trust.

Application Normative Framework (ANF)

A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.

Application Programming Interfaces (APIs)

Software technology that encapsulates application software from the underlying operating system (OS) on which it is executed.

Application Virtualization

The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station, or originator.

Authentication

Establishes identity by asking who you are and determining whether you are a legitimate user.

Authentication

The granting of right of access to a user, program, or process.

Authorization

Eliminating a risk that is simply too high and cannot be compensated for with an adequate control mechanism: a risk that exceeds the organization’s appetite.

Avoidance

Usually involves splitting up and storing encrypted information across different cloud storage services.

Bit Splitting

A blank volume that the customer or user can put anything into and it might allow more flexibility and higher performance.

Block storage

An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.

Business Impact Analysis (BIA)

1 The identity of persons who handle evidence between the time of commission of the alleged offense and the ultimate disposition of the case. It is the responsibility of each transferee to ensure that the items are accounted for during the time they are in his possession, that they are properly protected, and that there is a record of the names of the persons from whom he received the items and to whom he delivered those items, together with the time and date of such receipt and delivery.

2 The control over evidence. Lack of control over evidence can lead to its being discredited completely. Chain of custody depends on being able to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence so that it cannot in any way be changed and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.

Chain of Custody

Refers to documentation that records all evidence that needs to be tracked and monitored from the time it is recognized as evidence and acquired for that purpose.

Chain of custody

A third-party entity offering independent identity and access management (IAM) services to CSPs and cloud customers, often as an intermediary.

Cloud Access Security Broker (CASB)

This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).

Cloud Administrator

Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet.

Cloud App (Cloud Application)

Typically responsible for adapting, porting, or deploying an application to a target cloud environment.

Cloud Application Architect

A specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.

Cloud Application Management for Platforms (CAMP)

Someone who determines when and how a private cloud meets the policies and needs of an organization’s strategic goals and contractual requirements from a technical perspective.

Also responsible for designing the private cloud, being involved in hybrid cloud deployments and instances, and having a key role in understanding and evaluating the technologies, vendors, services, and other skill sets needed to deploy the private cloud or to establish and operate the hybrid cloud components.

Cloud Architect

A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.

Cloud Backup Service Provider

Enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.

Cloud Backup Solutions

A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications.

Cloud Computing

Accounting software that is hosted on remote servers.

Cloud Computing Accounting Software

Describes the main characteristics relevant to cloud computing and its customers.

Cloud computing certification

A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.

Cloud Computing Reseller

Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant service-level agreements (SLAs) and that the storage components are functioning according to their specified requirements.

Cloud Data Architect

A database accessible to clients from the cloud and delivered to users on demand via the Internet.

Cloud Database

Focuses on development for the cloud infrastructure. This role can vary from client tools or solutions engagements through systems components. Although developers can operate independently or as part of a team, regular interactions with cloud administrators and security practitioners are required for debugging, code reviews, and relevant security assessment remediation requirements.

Cloud Developer

The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: cloud provider, client, and application.

Cloud Enablement

Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help to ensure a company’s cloud computing-based resources are working optimally and properly interacting with users and other services.

Cloud Management

The process of transitioning all or part of a company’s data, applications, and services from onsite premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.

Cloud Migration

A phrase frequently used in place of platform as a service (PaaS) to denote an association to cloud computing.

Cloud Operating System (OS)

The ability to move applications and their associated data between one cloud provider and another or between public and private cloud environments.

The ability to move applications and associated data between one cloud provider and another, or between legacy and cloud environments.

Cloud Portability

A service provider who offers customers storage or software solutions available via a public network, usually the Internet.

Cloud provider

The deployment of a company’s cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite behind the firewall or in the private cloud.

Cloud Provisioning

A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.

Cloud Server Hosting

Provides administrative assistance for the customer and the customer’s data and processing needs. Examples include Amazon Web Services, Rackspace, and Microsoft’s Azure.

Cloud Service Provider (CSP)

Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers (CSPs). It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services.

Cloud Services Brokerage (CSB)

The storage of data online in the cloud, wherein a company’s data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

Cloud Storage

Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.

Cloud Testing

Helps to review and analyze change and exception requests.

CMB meeting

In a community cloud configuration, resources are shared and dispersed among an affinity group.

Community cloud

The compute parameters of a cloud server are the number of central processing units (CPUs) and the amount of random access memory (RAM).

Compute

A service where data is replicated across the global Internet.

A form of data caching, usually near geophysical locations of high use demand, for copies of data commonly requested by users.

Content Delivery Network (CDN)

Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.

Control

The legal protection for expressions of ideas is known as “copyright” and it doesn’t include ideas, specific words, slogans, recipes, or formulae.

Copyright

The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.

Corporate Governance

Involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes.

Criminal law

The process of deliberately destroying the encryption keys that were used to encrypt the data originally.

Involves encrypting the data with a strong encryption engine, and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys.

Crypto-Shredding

A powerful tool to regularly review, inventory, and inspect usage and condition of the information that an organization owns.

Data audit

Refers to a responsibility of the data owner that takes place in the Create phase and is assigned according to an overall organizational motif based on a specific characteristic of the given dataset.

Data classification

Auditing and preventing unauthorized data exfiltration.

Data Loss Prevention (DLP)

A method of creating a structurally similar but inauthentic version of an organization’s data that can be used for purposes such as software testing and user training.

Data Masking

Describes the ease of moving information from one cloud provider to another or away from the cloud provider and back to a legacy enterprise environment.

Data portability

A legal activity that might result in a host machine being confiscated or inspected by law enforcement or plaintiffs’ attorneys.

Data seizure

Provides some sort of structure for stored data; it is backend storage in the datacenter, accessed by users utilizing online apps.

Database

A database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs.

Database Activity Monitoring (DAM)

In essence, a managed database service.

Database as a Service (DBaaS)

Refers to a kind of data analysis which is an outgrowth of the possibilities offered by the regular use of the cloud, also known as “big data.”

Datamining

Entails multiple differing security controls protecting the same assets with a variety of technological levels.

Defense in depth

Using strong magnets to scramble data on magnetic media such as hard drives and tapes.

Involves applying strong magnetic fields to the hardware and media where the data resides, effectively making them blank.

Degaussing

Isolates network elements such as email servers that, because they can be accessed from untrusted networks, are exposed to external attacks.

Demilitarized Zone (DMZ)

Refers to any type of attack that could cause the application to be unavailable.

Denial of service

Removes or reduces the authority and execution of security controls in the environment.

Deployment model

A form of virtual desktop infrastructure (VDI) that a third party outsources and handles.

Desktop as a Service (DaaS)

Focuses on security and encryption to prevent unauthorized copying, thus limiting distribution to only those who pay.

Digital Rights Management (DRM)

Reflects all the modifications to the environment in the asset inventory.

Documentation

Describes the organization’s responses during the test and performs some minimal actions.

Dry run

The process of testing an application or software product in an operating state.

Dynamic Application Security Testing (DAST)

e-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence.

Refers to the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes.

e-Discovery

An overt secret writing technique that uses a bidirectional algorithm in which humanly readable information (referred to as plaintext) is converted into humanly unintelligible information (referred to as ciphertext).

Offers a degree of assurance that nobody without authorization will be able to access your data in a meaningful way.

Encryption

A special mathematical code that allows encryption hardware and software to encode and then decipher an encrypted message.

Encryption Key

Software that a business uses to assist in solving problems.

Enterprise Application

The set of processes and structures to systematically manage all risks to the enterprise.

Enterprise Risk Management

Refers to the ability of any user to gain permissions above their authorized level.

Escalation of privilege

An open source cloud computing and infrastructure as a service (IaaS) platform for enabling AWS-compatible private and hybrid clouds.

Eucalyptus

A standard and model developed in Europe, which is responsible for producing cloud computing benefits, risks, and recommendations for information security.

European Union Agency for Network and Information Security (ENISA)

A type of risk that includes malware, hacking, DoS/DDoS, man-in-the-middle attacks, and so on.

External threat

A National Institute of Standards and Technology (NIST) publication written to accredit and distinguish secure and well-architected cryptographic modules produced by private-sector vendors who seek to or are in the process of having their solutions and services certified for use in U.S. government departments and regulated industries that collect, store, transfer, or share data that is deemed to be sensitive but not classified as top secret.

Federal Information Processing Standard (FIPS) 140-2

Governs the country against crimes such as kidnapping or bank robbery; the criminal is subject to prosecution or punishment.

Federal law

An arrangement that can be made among multiple enterprises allowing subscribers to use the same identification data to obtain access to the networks of all enterprises in the group.

Federated Identity Management (FIM)

A system that allows a single user authentication process across multiple information technology (IT) systems or even organizations. SSO is a subset of federated identity management (FIM), as it relates only to authentication and technical interoperability.

Federated Single Sign-On (SSO)

An association of organizations that facilitate the exchange of information and access to resources.

Federation

A tool which can be either hardware or software, or a combination of both, used to limit communications based on some criteria.

Firewall

An improperly designed or poorly configured hypervisor might allow a user to leave the confines of their own virtualized instance.

Guest escape

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protection of log files, and more.

Hardware Security Module (HSM)

Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider (CSP) for processing without the requirement to decipher the data first.

Homomorphic Encryption

A developing technology that is intended to allow for processing of encrypted material without decrypting it first.

Homomorphic encryption

A tool used to detect, identify, isolate, and analyze attacks by attracting attackers.

Honeypot

A combination of public cloud storage and private cloud storage in which some critical data resides in the enterprise’s private cloud whereas other data is stored and accessible from a public cloud storage provider.

Hybrid Cloud Storage

The cloud provider creates and administers the hardware assets on which the customer’s programs and data will ride.

IaaS boundaries

The security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

Identity and Access Management (IAM)

Responsible for (a) providing identifiers for users looking to interact with a system, (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider. This can be achieved via an authentication module that verifies a security token that can be accepted as an alternative to repeatedly and explicitly authenticating a user within a security realm.

Identity Provider

The directory services for the administration of user accounts and their associated attributes.

Identity repositories

The possibility that processing performed on one virtualized instance may be detected by other instances on the same host.

Information bleed

A model that provides a complete infrastructure (servers and internetworking devices) and allows companies to install software on provisioned servers and control the configurations of all devices.

Allows the customer to install all software, including operating systems (OSs) on hardware housed and connected by the cloud vendor.

Infrastructure as a Service (IaaS)

Allows an individual to correct any of their own information if it is inaccurate.

Integrity

An issue in which the customer’s software may not function properly with each new adjustment in the environment if the OS is updated by the provider.

Interoperability issue

Takes defensive action when suspicious activity is recognized (such as closing ports and services), in addition to sending alerts.

Intrusion Prevention System (IPS)

Represents an overview of application security. It introduces definitions, concepts, principles, and processes involved in application security.

ISO/IEC 27034-1

The geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled.

Jurisdiction

The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.

Key Management

Entails a procedure that involves multiple people, each with access to only a portion of the key.

Key recovery

Describes those items that will be the first things that let you know something is inappropriate.

Key risk indicator

The practice of having multiple overlapping means of securing the environment with a variety of methods.

Layered defenses

Causes a wide variety of problems, including data loss, loss of control of devices, interruption of operations, and so forth.

Malware

The plane that controls the entire infrastructure. Because parts of it are exposed to customers independent of the network location, it is a prime resource to protect.

Management Plane

A weak form of confidentiality assurance that replaces the original information with asterisks or Xs.

A technique that hides the data with useless characters, e.g., showing only the last four digits of a social security number.

Masking

The measure of the average time between failures of a specific component or part of a system.

Mean time between failure (MTBF)

The measure of the average time it should take to repair a failed component or part of a system.

Mean time to repair (MTTR)

A process of taking steps to decrease the likelihood or the impact of the risk; this can take the form of controls/countermeasures and is usually where security practitioners are involved.

Mitigation

A form of cloud storage that applies to storing an individual’s mobile device data in the cloud and providing the individual with access to the data from anywhere.

Mobile Cloud Storage

A method of computer access control that a user can pass by successfully presenting authentication factors from two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).

Multifactor Authentication

The concept of sharing resources with other cloud customers simultaneously.

Multitenancy

Multiple customers using the same public cloud.

Multitenant

A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.

National Institute of Standards and Technology (NIST) SP 800-53

Helps to check not only the hardware and the software but the distribution facets such as SDN control planes.

Network monitoring

A guide for implementing the risk management framework, which is a methodology for handling all organizational risks in a comprehensive manner.

NIST SP 800-37

The assurance that a specific author actually did create and send a specific item to a specific recipient and that it was successfully received. With assurance of nonrepudiation, the sender of the message cannot later credibly deny having sent the message, nor can the recipient credibly claim not to have received it.

Nonrepudiation

Informs an individual that personal information about them is being gathered or created.

Notice

The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable.

Obfuscation

Additional metadata, such as content type, redundancy required, and creation date, that is stored for a file. These objects are accessible through application programming interfaces (APIs) and potentially through a web user interface (UI).

Stores all data in a filesystem and also gives customers access to the parts of the hierarchy to which they are assigned.

Object Storage

Allows a significant level of description, including the marking, labels, classification and categorization; it also enhances the opportunity for indexing capabilities.

Object-based storage

Leverages the Internet and cloud computing to create an attractive offsite storage solution with few hardware requirements for a business of any size.

Online Backup

A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization.

Organizational Normative Framework (ONF)

Used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters.

OS logging

The cloud provider is responsible for installing, maintaining, and administering the OS(s).

PaaS boundaries

What is the intellectual property protection for a useful manufacturing innovation?

A Trademark
B Trade secret
C Copyright
D Patent

D

A form of cloud storage that applies to storing an individual’s data in the cloud and providing the individual with access to the data from anywhere.

Personal Cloud Storage

Any information relating to an identified or identifiable data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.

Personal Data

Information that can be traced back to an individual user, such as name, postal address, or email address. Personal user preferences tracked by a website via a cookie are also considered personally identifiable when linked to other PII you provide online.

Personally Identifiable Information (PII)

Provides an increased level of robustness among the personnel resources who administer and support the IT components.

Personnel redundancy

A malicious or negligent insider who can cause significant negative impact, as they have physical access to the resources.

Personnel threat

____________________ abstracts and provides development or application platforms, such as databases, application platforms (e.g. a place to run Python, PHP, or other code), file storage and collaboration, or even proprietary application processing (such as machine learning, big data processing, or direct API access to features of a full SaaS application). The key differentiator is that, with PaaS, you don’t manage the underlying servers, networks, or other infrastructure.

It contains everything included in IaaS, with the addition of OSs. This model is especially useful for software development operations (DevOps).

Platform as a Service (PaaS)

Provide a voice and expression to the strategic goals and objectives of management.

Policies

Serves as the enforcement arm of authentication and authorization and is established based on business needs and senior management decisions.

Policy management

It behooves the cloud provider to ensure that all communication lines are replicated on opposite sides of each building.

Power line redundancy

A private cloud configuration is a legacy configuration of a datacenter, often with distributed computing and BYOD capabilities.

Private cloud

Used by organizations to enable their information technology (IT) infrastructures to become more capable of quickly adapting to continually evolving business needs and requirements.

Private Cloud Project

A form of cloud storage in which the enterprise data and cloud storage resources reside within the enterprise’s data center and behind the firewall.

Private Cloud Storage

A form of cloud storage in which the enterprise and storage service provider are separate and the data is stored outside the enterprise’s data center.

Public Cloud Storage

Includes whether the information will be shared with any other entity.

Purpose

The capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, synchronous optical networking (SONET), and Internet protocol (IP)-routed networks that may use any or all of these underlying technologies.

Quality of Service (QoS)

A technique which allows the replacement of the data with random characters, leaving the other traits intact such as length of the string and character set.

Randomization

A data structure or collection of information that must be retained by an organization for legal, regulatory, or business reasons.

Record

An approach to using many low-cost drives as a group to improve performance. Also provides a degree of redundancy that makes the chance of data loss remote.

Redundant Array of Independent Disks (RAID)

A solicitation, often made through a bidding process by a company, looking to secure goods or services from an external vendor.

Request for Proposal

Programs and instances run by the customer that will operate on the same devices used by other customers, sometimes simultaneously.

Resource sharing

A policy that contains a description of how the data is actually archived, that is, what type of media it is stored on.

Retention format

Defines how long the data should be kept by an organization and is often expressed in a number of years.

Retention period

Refers to the level, amount, or type of risk that the organization finds acceptable.

Risk appetite

Defined as a response to the cost-benefit analysis when posed with a specific risk.

Risk avoidance

Individuals in an organization who together determine the organization’s overall risk profile.

Risk owner and player

Includes a survey of the various operations in which an organization is engaged and of the public perception of the organization.

Risk profile

_________________ is the amount of risk that the leadership and stakeholders of an organization are willing to accept.

It varies based on asset value and the requirements of a particular asset.

Risk tolerance

A way to handle risk associated with an activity without accepting all the risks.

Risk transference

A testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development, including web development and revision control.

Sandbox

Refers to including only departments or business units impacted by any cloud engagement.

Scoping

Reduces the likelihood of data leaking between computers that are connected through the KVM.

Secure data port

A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

An XML-based open standard for exchanging authentication and authorization data between security domains, typically between an identity provider and a service provider.

Security Assertion Markup Language (SAML)

A system that collects, normalizes, correlates, and analyzes log and event data from across an environment to support real-time monitoring, alerting, and incident investigation.

Security Information and Event Management (SIEM)

A formal agreement between two or more organizations: one that provides a service and the other that is the recipient of the service. It may be a legal contract with incentives and penalties.

Service-Level Agreement (SLA)

Helps the customer seek financial restitution for damages caused to them that occurred because of negligence or malfeasance on the part of the provider.

Shared policy

A technique which uses different entries from within the same data set to represent the data.

Shuffling
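As an added illustration of the two obfuscation techniques defined above (randomization and shuffling), and not part of the course material: a small Python routine that randomizes one column (keeping length, case pattern and separators) and shuffles another (keeping the real values but detaching them from their rows). The records are constructed sample data; the function names are my own. The OS CSPRNG is used unless a seed is supplied for a reproducible run.

```python
import random
import string

# Constructed sample records for the demo (not real customer data).
SAMPLE_RECORDS = [
    {"name": "Alice Smith", "account": "AB-12345", "city": "Dublin"},
    {"name": "Bob Jones", "account": "CD-67890", "city": "Austin"},
    {"name": "Carol White", "account": "EF-24680", "city": "Lyon"},
]


def randomize(value, rng=None):
    """Randomization: replace every letter/digit with a random character of the
    same class, keeping length, case pattern and separators such as '-' intact.
    The result is not reversible. Uses the OS CSPRNG unless a seeded rng is
    supplied for a reproducible demo."""
    rng = rng or random.SystemRandom()
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)  # keep separators so the format survives
    return "".join(out)


def shuffle_column(records, column, rng=None):
    """Shuffling: keep the real values of one column but permute them across
    rows, so each value still comes from the same data set but is no longer
    attached to its true record. Other columns are untouched."""
    rng = rng or random.SystemRandom()
    values = [r[column] for r in records]
    rng.shuffle(values)
    return [{**r, column: v} for r, v in zip(records, values)]


def obfuscate(records, randomize_cols=(), shuffle_cols=(), seed=None):
    """Apply randomization to some columns and shuffling to others, returning
    new records and leaving the input untouched. `seed` is only for
    reproducible tests; production code should leave it None."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    out = [dict(r) for r in records]
    for col in randomize_cols:
        for r in out:
            r[col] = randomize(r[col], rng)
    for col in shuffle_cols:
        out = shuffle_column(out, col, rng)
    return out


if __name__ == "__main__":
    for row in obfuscate(SAMPLE_RECORDS, randomize_cols=["account"], shuffle_cols=["city"]):
        print(row)
```

Note the difference from tokenization: neither technique keeps a mapping back to the original value, so an obfuscated copy handed to a test or analytics environment cannot be reversed by anyone who obtains it.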

Audits the financial reporting controls of a corporation and consists of two subclasses (Type 1 and Type 2).

SOC 1

A type of report intended to report audits of controls on an organization's security, availability, processing integrity, confidentiality, and privacy.

SOC 2

Contains no actual data about the security controls of the audit target and is also known as the “seal of approval”.

SOC 3

___________________ is a full application and distributed model that’s managed and hosted by the provider. Consumers access it with a web browser, mobile app, or a lightweight client app.

Includes everything listed in the previous Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) models, with the addition of software programs.

Software as a Service (SaaS)

A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.

Software-Defined Networking (SDN)

Includes day-to-day laws such as speed limits, state tax laws, the criminal code, and so on, which are enacted by a state legislature as opposed to those enacted at the national or federal level.

State law

SAST is useful in finding such security problems as cross-site scripting (XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions, and backdoors. Because it analyzes the source code itself, it usually delivers more results and more accuracy than its counterpart, dynamic application security testing (DAST).

Static Application Security Testing (SAST)

The collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.

Storage Cloud

Derived from an acronym for the following six threat categories: spoofing identity, tampering with data, repudiation, information disclosure, denial of service (DoS), and elevation of privilege.

STRIDE Threat Model

Reduces the likelihood of unauthorized users gaining access and restricts authorized users to permitted activities.

Strong authentication

Describes how the participants would perform their tasks in a given BC/DR scenario.

Tabletop testing

A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to use a common set of solutions to assess where their internal IT and their cloud providers stand in terms of security capabilities, and to plan a roadmap to meet the security needs of their business.

TCI Reference Architecture

A cloud provider who manages the administration of a user’s system and who is not under the user’s control.

Third-party admin

The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.

Tokenization

Refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed by others.

Tort law

Protects the esteem and goodwill that an organization has built among the marketplace, especially in public perception.

Trademark

A risk management strategy that involves the contractual shifting of a risk from one organization to another.

Transference

Ensures the privacy (confidentiality) and integrity of communication between applications over a network, and lets the client authenticate the server via its certificate.

Transport Layer Security (TLS)

Occurs where a customer is unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints.

Vendor Lock-In

The optimization of cloud computing and cloud services for a particular vertical (such as a specific industry) or specific-use application.

Vertical Cloud Computing

A VMI helps to mitigate risk and ensure that a virtual machine’s (VM’s) security baseline is not modified over time. It provides an agentless method to examine all aspects of a VM from its physical location and its network settings to the installed operating systems (OSs), patches, applications, and services being used.

Virtual Machine Introspection (VMI)

Creates a secure tunnel across untrusted networks that helps mitigate man-in-the-middle attacks such as eavesdropping.

Virtual private network

A process of creating a virtual version of something, including virtual computer hardware platforms, operating systems, storage devices, and computer network resources.

Virtualization

Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocation of resources across multiple tenants and environments.

Virtualization Technologies

Encrypts a single volume (a partition or logical drive) rather than the entire disk.

Volume encryption

Allocates a storage space within the cloud and this storage space is represented as an attached drive to the user’s virtual machine.

Volume storage

An appliance, server plug-in, or filter that applies a set of rules to a hypertext transfer protocol (HTTP) conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injections.

Web Application Firewall (WAF)

Which of the following standards sets out terms and definitions, principles, a framework, and a process for managing risk?

A ISO 31000:2009
B ISO 28000:2007
C ISO 27001:2013
D ISO/IEC 27037:2012

A

Which of the following are virtualization risks?

Each correct answer represents a complete solution. Choose three.

1) Guest breakout
2) Resource exhaustion
3) Sprawl
4) Isolation control failure
5) Snapshot and image security

A 2,4,5
B 1,3,5

B

Which category does Rapid Provisioning and Scalability fall into?

A PaaS
B IaaS
C SaaS
D XaaS

A

Kim works as a project manager in ABC Inc. His organization requires an application to launch its products. For this, Kim performs the following activities:

-Discusses business requirements in terms of confidentiality, integrity, and availability
-Determines, creates, and identifies information to transmit or store
-Determines privacy requirements

Which of the following phases of SDLC includes the activities performed by Kim?

A Developing
B Testing
C Defining
D Designing
E Planning and requirements analysis

E

Which testing methodology is run against systems that can tune their focus of security?

A DAST
B REST
C RASP
D SAST

C

SOAP and REST are APIs that must run over SSL or TLS for security purposes.

A True
B False

A

Which is not a part of the Management Plane?

A Storage
B Software
C Hypervisor Type 1
D Hypervisor Type 2

B

The cloud model eliminates the need for a failover site.

A True
B False

B

What functions does the CCSP perform to obtain assurance and conduct auditing on the VMs and hypervisor?

Each correct answer represents a complete solution. Choose all that apply.

1) Verify configuration of hypervisor according to the organizational policy.

2) Verify systems are up to date and hardened according to best-practice standards.

3) Understand the virtualization management architecture.

4) Focus only on VMs and their associated hypervisors.

A 1,2,3
B 2,3,4

A

What are SOC 1/SOC 2/SOC 3?

A Audit reports
B Software development phases
C Risk management frameworks
D Access controls

A

You are a service provider who provides cloud services and resources to a person who uses and subscribes to them. There is an official commitment (i.e., a service-level agreement) between the service provider and the user. Who verifies this official commitment?

A Cloud computing reseller
B Cloud backup service provider
C Cloud customer
D Cloud service auditor

D

Which of the following guidelines covers eDiscovery?

A ISO/IEC 27001
B ISO/IEC 27010
C ISO/IEC 27001 2013
D ISO/IEC 27050

D

As a cloud customer you have access to all logs regardless of the cloud model.

A True
B False

B

An attacker establishes themselves on a system in such a way to enable the stealing of data over time. What kind of attack is this?

A Data Breach
B Malicious Insider
C Advanced Persistent Threats
D Account Hijacking

C

Which of the following is a drawback of cloud computing in which a customer depends on a dealer for products and services due to technical or nontechnical constraints?

A Cryptographic erasure
B Vendor lock-in
C Resiliency
D Data overwriting

B

Which is not a principle of GAAP?

A Principle of Compensation
B Principle of Sincerity
C Principle of Regularity
D Principle of Consistency

A

HIPAA, SOX, and PCI DSS are examples of:

A Regulatory compliance
B Cloud security tools
C Governance
D SLAs

A

What is the biggest concern for migration of services during BCDR?

A Security
B Resources
C Location
D Vendor Lockin

C

IRM allows for the following except:

A Encryption
B Protection
C Auditing
D Policy Control

A

The following are Data States as referred to by DLP except:

A Data in Transit
B Data in use
C Data at rest
D Data in transmission

D

Which of the following will help achieve redundancy in virtual switches?

Each correct answer represents a complete solution. Choose all that apply.

1) Kerberos
2) CHAP
3) Port channeling
4) Physical NICs

A 3,4
B 1,2

A

Which is the correct order of the Cloud Secure Data Lifecycle?

A Create, Use, Store, Share, Archive, Destroy
B Create, Store, Share, Use, Archive, Destroy
C Create, Share, Store, Use, Archive, Destroy
D Create, Store, Use, Share, Archive, Destroy

D

Where would the monitoring engine be deployed when using a network-based DLP system?

A On a VLAN
B Near the organizational gateway
C In the storage system
D On a user’s workstation

B

Which body establishes optimal temperature and humidity levels?

A ASHAE
B ASHRAE
C ASHAPE
D ASHARE

B

What defines what is to be covered in the audit?

A Requirements for the Audit
B Audit Statement
C Audit report
D Scope of audit

D

Which of the following are the data classification categories?

Each correct answer represents a complete solution. Choose three.

1) Obligation for retention and preservation
2) Ownership
3) Data type
4) Parameter type

A 2,3,4
B 1,2,3

B

Which of the following are the key regulations applicable to the CSP facility?

Each correct answer represents a complete solution. Choose two.

1) COBRA
2) HITRUST CSF
3) PCI DSS
4) HIPAA

A 3,4
B 1,2

A

This device is used to offload processing of XML from the application:

A XML Processor
B XML Accelerator
C XML Broker
D XML Firewall

B

This is the amount of services that is required to be restored to meet the requirements of a BCDR plan:

A RTO
B RTL
C RPO
D RSL

D – Recovery Service Level

Assessing Risk
Monitoring Risk
Responding to Risk
Framing Risk

Components of the risk-management process

In which of the following components of the data retention policy do data-retention considerations depend heavily on the required compliance administration associated with the data type?

A Legislation, regulation, and standards requirements
B Data mapping
C Data classification
D Monitoring and maintenance

A

In which cloud service model are all infrastructure-level logs visible to the CCSP as detailed application logs?

A NaaS
B SaaS
C IaaS
D PaaS

C

Which of the following are required for improving the level of assurance in cloud computing?

Each correct answer represents a complete solution. Choose two.

1) Customer service
2) Service automation
3) Self-service

A 1,2
B 2,3

B

All of the following should be included in the audit scope definition except:

A Audit Duplication
B Audit Steps
C Change Controls
D Communications

A

A system capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network is known as:

A HIDS
B SIDS
C IPSec
D NIDS

A

Multitenancy
Virtualization technology
Cloud management plane

Characteristics of cloud computing that can affect the logical design of a data center

This system is provided by the CSP, but controlled and even hosted by the customer:

A Customer-Side KMS
B Client-Side KMS
C Remote KMS
D Internal KMS

B

Which of the following allows logical isolation of hosts on a network?

A DNS
B TLS
C VLAN
D IPSec

C

All versions of SSL and TLS are acceptable to secure Data in Transit.

A True
B False

B
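As an added example of why the answer is False (this is my illustration, not course material): a client-side TLS configuration in Python that only negotiates TLS 1.2 and 1.3 and verifies the server's certificate chain and hostname, plus a helper that reports which protocol versions the context would accept. Only the standard-library `ssl` module is used; the `hardened_client_context`, `negotiable` and `report` names are my own.

```python
import ssl


def hardened_client_context():
    """Client context for data in transit: verifies the server's certificate
    chain and hostname and refuses SSLv2/SSLv3 and TLS 1.0/1.1, which have
    known weaknesses and are deprecated."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # floor: TLS 1.2
    ctx.check_hostname = True                      # hostname must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverified peers are rejected
    return ctx


def negotiable(ctx, version):
    """True if the context's [minimum_version, maximum_version] window allows
    `version`. MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning
    'whatever the OpenSSL build supports', so they are treated as open ends."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
        return False
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
        return False
    return True


def report(ctx):
    """Map each protocol name to whether the context would negotiate it."""
    candidates = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                  ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2,
                  ssl.TLSVersion.TLSv1_3)
    return {v.name: negotiable(ctx, v) for v in candidates}


if __name__ == "__main__":
    for name, allowed in report(hardened_client_context()).items():
        print(f"{name:8s} {'allowed' if allowed else 'refused'}")
```

To use the context, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)`; passing `server_hostname` is what makes the hostname check meaningful. The same floor should be enforced on the server side, since a server that still offers TLS 1.0 can be downgraded by a client that does not set one.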

Baseline compliance scanning should alert on any deviation from the baseline.

A True
B False

B

Applications with known vulnerabilities cannot be mitigated and should never be used.

A True
B False

B

Which component is among the highest risk component with respect to software vulnerabilities?

A Control plane
B Management plane
C User plane
D Data plane

B

Engaging with the users and IT personnel who will be impacted.
Extending risk management and enterprise risk management.
Objectively selecting the appropriate service and provider.

Stakeholder identification challenges

IaaS
PaaS

Cloud Models that use the Structured vs Unstructured storage types

Which of the following is a specification constructed for making the management of applications easy in terms of a PaaS (Platform as a Service) system?

A Vertical cloud computing
B CAMP
C Cloud provisioning
D Cloud server hosting

B – Cloud application management for platforms

Which Threat Model provides a standardized way of describing threats by their attributes?

STRIDE

A WAF typically parses which type of traffic?

A XML
B HTTP
C REST
D SOAP

B

All of the following are components of DLP except:

A Labeling
B Monitoring
C Enforcement
D Discovery and Classification

A

Where do the bare metal hypervisors run?

A On software
B On hardware
C On a host OS
D On a client OS

B

Which is not necessarily directly related to privacy?

A Safe Harbor
B HIPAA
C GLBA
D SOX

D

In PaaS the customer has control over:

A Software
B OS
C Physical
D Platform

A

What is vulnerability testing in which you have knowledge of the systems involved called?

A Hybrid
B DAST
C SAST
D Pen

C

When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed?

A The directive applies to data processed by a natural person in the course of purely personal activities.

B The directive applies to data processed by automated means and data contained in paper files.

C The directive applies to data processed by automated means in the course of purely personal activities.

D The directive applies to data processed in the course of an activity that falls outside the scope of community law, such as public safety.

B

An organization wants to preserve control of its IT environments and take advantage of flexibility, scalability, and cost savings. Which cloud deployment model helps the organization do this?

A Private
B Hybrid
C Community
D Public

B

Which model allows the customer to choose and manage their software and operating systems?

A PaaS
B IaaS
C DBaaS
D SaaS

B

When using an IaaS solution, what is a key benefit provided to the customer?

A Transferred cost of ownership
B Metered and priced usage on the basis of units consumed
C The ability to scale up infrastructure services based on projected usage
D Increased energy and cooling system efficiencies

B

Which of the following is not an access control?

A Developer access
B Building access
C Random access
D Customer access

C

Which of the following cloud threats is described in the statement below?

“If a multitenant cloud service database is not properly designed, a flaw in one client’s application can allow an attacker access not only to that client’s data but to every other client’s data as well.”

A Insecure APIs
B Abuse of cloud services
C Data breach
D Insufficient due diligence

C

Which model requires the customer to perform their own patching of systems?

A SaaS
B PaaS
C IaaS
D DBaaS

C

This is the method of analyzing data for certain attributes to determine the appropriate controls to apply:

A Classification
B Data Discovery
C eDiscovery
D Categorization

A

Which determines the effectiveness of controls in an Audit?

A Lessons Learned
B Reporting
C A final Audit report
D Gap Analysis

C

Which of the following guidelines includes the given concepts?

-National privacy strategies
-Privacy management programs
-Data security breach notification

A OAuth
B ANF
C OECD
D ONF

C

Which of the following is a technology that provides a shared resource pool, managed to maximize the number of guest operating systems?

A Scalability
B Rapid elasticity
C Virtualization
D Hypervisor

C

Items of evidence must be labeled with signatures and descriptions.

Records the signatures of people performing the transportation of items.

Records actions, process, test, and handling of an item with date and time.

Statements that are true of the chain of evidence (chain of custody)

Biometric data
Telephone or Internet data
Sensitive data

Categories of the personal data that can be processed

A standard base of technologies and policies across different organizations is called:

A Regulations
B Standards
C Forests
D Federation

D

Proper identification and documentation of key stakeholders is vital to any IT system.

A True
B False

A

What are the six stages of the cloud secure data lifecycle?

A Create, archive, use, share, store, and destroy
B Create, use, store, share, archive, and destroy
C Create, store, use, share, archive, and destroy
D Create, share, store, archive, use, and destroy

C

Which process analyzes data for certain attributes and uses that to determine the appropriate controls and policies to apply to it?

A Classification
B Monitoring
C Discovery
D eDiscovery

A

What should configuration management always be tied to?

A Change management
B Financial management
C Business relationship management
D IT service management

A

Which of the following encryption dependencies secures data while it traverses the CSP network or the Internet?

A Encryption of data at rest
B Encryption of data in transit
C Data obfuscation

B

Which is not associated with Federated ID Systems?

A SAML
B SAME
C OpenID
D OAuth

B

Which party dictates both the technology and the operational procedures being made available to the cloud consumer?

A Cloud computing reseller
B Cloud service provider
C Cloud services brokerage
D Managed service provider

B

Which is the internationally accepted standard for eDiscovery?

A ISO/IEC 27055A
B ISO/IEC 20750A
C ISO/IEC 27050
D ISO/IEC 27055

C

All formatting, security, and usage of LUNs is handled by the storage device.

A True
B False

B

Which of the following components is not associated with encryption deployments?

A Encryption engine
B The data
C Encryption keys
D Encryption algorithm

D

What is lock-in in reference to cloud services?

A Access tools.
B Proprietary roadblocks to changing CSPs.
C Ability to change CSP with minimal changes to the environment.
D SLA Commitment.

B

Key management in a cloud environment is not very important.

A True
B False

B

Who publishes the optimal temperature and humidity levels for data centers?

A ASHR
B ASHRAE
C BICSI
D NFPA

B

To ensure that the service quality and availability are maintained.
To minimize the adverse impact on business operations.
To restore normal service operation as quickly as possible.

Three purposes of incident management

An organization will conduct a risk assessment to evaluate which of the following?

A Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the total risk

B Threats to its assets, vulnerabilities not present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk

C Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on another organization, and the residual risk

D Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk when appropriate controls are properly applied to lessen the vulnerability

D

Which of the following concerns does the “existing on-premise solution” BCDR scenario represent?

A Evaluating a cloud service provider’s BCDR
B Using cloud as BCDR
C Evaluating alternative CSP as BCDR

B

DAST is usually run against live systems and those running the test do not know anything about the system.

A True
B False

A

Broad network access.
On-demand self-service.

Essential characteristics of cloud computing

Which standard outlines the steps to create an ISMS?

A ISO/IEC 27018:2005
B ISO/IEC 27001:2005
C ISO/IEC 27001:2011
D ISO/IEC 27001:2013

D

Which of the following is the gathering of data as evidence?

A eDiscovery
B Data Collection
C Discovery
D eCollection

A

What are the four cloud deployment models?

A External, private, hybrid, and community
B Public, internal, hybrid, and community
C Public, private, hybrid, and community
D Public, private, joint, and community

C

This regulation allows American and EU PII exchange without requiring American Entities to follow EU PII Laws.

A EU
B HIPAA
C SOX
D Safe Harbor

D

Object Storage is usually accessed through:

A LUNs
B APIs
C Drives
D Management Plane

B

Volume Storage is split into pieces called:

A LUNs
B VLANs
C Units
D Drives

A

An insecure API could potentially put entire data sets at risk for loss or exposure.

A True
B False

A

The following are possible authentication factors except:

A Username/Password
B Token
C Biometric
D SSO

D

KPIs
Business Processes
Events

What business QoS focuses on measuring

Which helps to establish the identity of an entity with adequate assurance?

A Authentication
B Identity and access management
C Identification
D Authorization

A

How is data in the cloud typically sanitized?

A Destruction
B Shredding
C Overwriting
D Degaussing

C

Which of the following is used to distribute loads across physical devices?

A Clustering
B DRS
C DNS
D DO

B

Certain data sanitization methods may be required for different types of data.

A True
B False

A

McDonald's has been using the slogan "I'm lovin' it" for decades, and a strong right or law is attached to it. What is that right or law?

A Tort law
B The doctrine of the proper law
C Intellectual property right
D Restatement conflict of law

C

When using maintenance mode, which two items are disabled and which item remains enabled?

A Customer access and alerts are disabled while the ability to power on VMs remains enabled.

B Customer access and alerts are disabled while logging remains enabled.

C Customer access and logging are disabled while alerts remain enabled.

D Logging and alerts are disabled while the ability to deploy new VMs remains enabled.

B

The entitlement process begins with business and security requirements and translates these into a set of rules. What would be the next step of the process?

A Rules are then translated into component authorization decisions
B Rules are then applied to vendors and consumers
C Business and security requirements are updated
D Rules are then translated into component authentication decisions

A

Which method is more commonly used in federated identity environments?

A SAML
B WS
C OpenID
D OAuth

A

Which ISAE report is run over a pre-defined period of time, usually six months?

A Aged Reports
B Type 3 Reports
C Type 2 Reports
D Type 1 Reports

C

Which is a software or hardware-based network security system that controls the incoming and outgoing network traffic based on an applied rule set?

A IPS
B Firewall
C IDS
D Honeypot

B

What is an association of organizations that come together to exchange appropriate information about their users and resources to enable collaborations and transactions called?

A Identity repository
B Federation
C DAST
D ONF

B

Which is not a Critical Success Factor?

A CSP responsibilities
B Order of restoration
C Identification of need to remove backups
D Customer responsibilities

C

Compensates victims for injuries suffered by the culpable action or inaction of others.

It justifies legal rights and interests that have been compromised, diminished, or emasculated.

Discourages injurious, careless, and risky behavior in the future.

Tort Law

What is the first international set of privacy controls in the cloud?

A ISO/IEC 27032
B ISO/IEC 27005
C ISO/IEC 27002
D ISO/IEC 27018

D

Cloud Portability Means:

A Ability to change providers
B Ability to use anywhere
C Ability to use with mobile devices
D Ability to use on multiple device types

A

Which of the following is the science of hiding information to protect sensitive information and communications from unauthorized access?

A Cryptography
B Social Engineering
C DDoS
D Phishing

A

In the tokenization architecture, which step should be performed after the tokenization server generates the token and stores it in the token database?

A An application collects or generates a piece of sensitive data.
B The tokenization server returns the token to the application.
C The application stores the token rather than the original data.
D Data is sent to the tokenization server; it is not stored locally.

B
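The glossary entry for tokenization and the five steps in this question describe a vault architecture. As an added example (mine, not the course's), here it is in Python: a tokenization server that generates a random, length-preserving token, stores the mapping, and hands back only the token, and an application that persists the token instead of the sensitive value. Assumptions: the vault is a separate security domain (an in-memory dict stands in for the token database), the same value always maps to the same token, and the test PAN is a constructed value. All class and method names are my own.

```python
import secrets
import string
import threading


class TokenizationServer:
    """Token vault. The in-memory dicts stand in for the token database, which
    in practice lives in a separately secured, access-controlled store. Tokens
    are random and carry no information about the value they replace."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}   # same value -> same token (allows joins, but also correlation)
        self._lock = threading.Lock()

    @staticmethod
    def _random_token(value):
        # Length-preserving: all-digit values get an all-digit token so an
        # existing numeric column can hold it; anything else gets URL-safe text.
        if value.isdigit():
            return "".join(secrets.choice(string.digits) for _ in value)
        return secrets.token_urlsafe(len(value))[:len(value)]

    def tokenize(self, value):
        """Step 3: generate the token, store the mapping, return only the token."""
        with self._lock:
            if value in self._value_to_token:
                return self._value_to_token[value]
            while True:
                token = self._random_token(value)
                # Reject the (astronomically unlikely) token that equals the
                # plaintext or collides with a token already issued.
                if token != value and token not in self._token_to_value:
                    break
            self._token_to_value[token] = value
            self._value_to_token[value] = token
            return token

    def detokenize(self, token, caller_authorized):
        """Only an authorized caller may map a token back to the value; the
        access check on this path is what makes tokens safe to store widely."""
        if not caller_authorized:
            raise PermissionError("caller is not authorized to detokenize")
        return self._token_to_value[token]


class Application:
    """Steps 1, 2, 4 and 5: collect the sensitive value, send it to the vault,
    receive the token, and persist only the token."""

    def __init__(self, server):
        self._server = server
        self.records = []    # what the application's own database would hold

    def store_card(self, customer, pan):
        token = self._server.tokenize(pan)   # PAN leaves the app and is never stored here
        self.records.append({"customer": customer, "pan_token": token})
        return token


if __name__ == "__main__":
    vault = TokenizationServer()
    app = Application(vault)
    t = app.store_card("alice", "4111111111111111")   # constructed test PAN
    print(app.records)                                 # only the token is persisted
    print(vault.detokenize(t, caller_authorized=True))
```

Because the token is random rather than derived from the value, a breach of the application's database yields nothing without the vault, which is why the vault must be isolated and its detokenize path tightly authorized and audited.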

In a federated environment, who is the relying party, and what does it do?

A The relying party is the service provider; it consumes the tokens that the customer generates.

B The relying party is the service provider; it consumes the tokens that the identity provider generates.

C The relying party is the customer; he consumes the tokens that the identity provider generates.

D The relying party is the identity provider; it consumes the tokens that the service provider generates.

B

In SOC 2 Auditing, how many categories make up the security principle?

A 1
B 3
C 5
D 7

D

Which kind of Data Obfuscation method replaces Data with random values that can be mapped to actual data?

A Transparency
B Tokenization
C Masking
D Encryption

B

Who is responsible for delivering, managing, and provisioning cloud services?

A Cloud service manager
B Cloud service business manager
C Network provider
D Inter-cloud provider

A

This concept affords the right to look at things anonymously and to be “forgotten” by a system when you leave.

A Integrity
B Access
C Privacy
D Confidentiality

C

This type of hypervisor is tied directly to the hardware or “Bare Metal”:

A Type 1
B Type 2
C Type 3
D Type 4

A

What is the key issue associated with the object storage type that the CCSP has to be aware of?

A Access control
B Data consistency, which is achieved only after change propagation to all replica instances has taken place
C Continuous monitoring
D Data consistency, which is achieved only after change propagation to a specified percentage of replica instances has taken place

B

Which is not a step in the BCDR continual process?

A Define Scope
B Auditing
C Analyze
D Assess Risk

B

Which is not part of the risk management process?

A Discovery
B Responding
C Framing
D Monitoring

A

As part of ITIL, what kind of ticket is created to make a change?

A RFCM
B CM
C RCM
D RFC

D

Which is a PII law specifically for financial institutions?

A GBLA
B PCI DSS
C GLBA
D GLIBA

C

No wasted resources
Easy and inexpensive setup
Scalability to meet customer needs

Benefits of the public cloud deployment model

Which of the following evaluates the risks and merits of various types of test scenarios?

A Test scenario
B Test plan
C Comprehensive test scenario
D Management

D

Which is a management control that is usually tied to hardware?

A Hypervisor Type 1
B Hypervisor Type 2
C Hypervisor Type 3
D Hypervisor Type 4

A

Data classification determines what controls should protect data.

A True
B False

A

A data center should always be geographically located in the same place as its headquarters for quick and easy access.

A True
B False

B

Who bears the ultimate responsibility for creating and controlling data?

A The Data Custodian
B System Administrator
C CSP
D The Data Owner

D

Which is NOT a benefit of PaaS?

A Cost Effectiveness
B Flexibility
C Choice of Environments
D High Cost

D

In which of the following policy and organization risks is the consumer not able to implement all required controls?

A Compliance risk
B Loss of governance
C Provider exit
D Provider lock-in

B

A user decides they need extra time to work on a project. They install a modem in their system to dial in and work from home. This is an example of what kind of threat?

A Account hijacker
B Insider
C Modem
D Advanced Persistent Threats

B

When does an XSS flaw occur?

A Whenever an application takes trusted data and sends it to a web browser without proper validation or escaping

B Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping

C Whenever an application takes trusted data and sends it to a web browser with proper validation or escaping

D Whenever an application takes untrusted data and sends it to a web browser with proper validation or escaping

B
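As an added example of the answer above (my illustration, not course material): the vulnerable pattern, untrusted input interpolated into HTML, beside the corrected pattern that escapes it, and the attribute case, where escaping alone is not enough for a URL. The payloads are constructed attacker inputs; the function names are my own. Only the standard-library `html.escape` is used.

```python
from html import escape

# Constructed attacker inputs for the demo.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def greeting_vulnerable(name):
    """Untrusted data interpolated straight into HTML: the browser parses the
    payload as markup and runs the script (reflected or stored XSS, depending
    on where `name` came from)."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name):
    """Same output with contextual escaping: <, >, &, " and ' become entities,
    so the browser renders the payload as literal text."""
    return f"<p>Hello, {escape(name, quote=True)}!</p>"


def link_safe(label, href):
    """Attribute context needs escaping too (quote=True covers " and '), and a
    URL attribute additionally needs a scheme allowlist, because escaping does
    nothing against a javascript: URL that is syntactically harmless."""
    if not href.lower().startswith(("http://", "https://")):
        href = "#"
    return f'<a href="{escape(href, quote=True)}">{escape(label, quote=True)}</a>'


if __name__ == "__main__":
    print(greeting_vulnerable(SCRIPT_PAYLOAD))   # script tag reaches the browser intact
    print(greeting_safe(SCRIPT_PAYLOAD))         # rendered as &lt;script&gt;...
    print(link_safe(ATTR_PAYLOAD, "javascript:alert(1)"))
```

The general rule the question is testing: validation decides whether input is acceptable, escaping makes it safe for the specific output context (HTML body, attribute, URL, JavaScript), and both are needed because neither covers the other's job.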

Which of the following cloud services provides a key benefit for the developers that the services required by them can be obtained from diverse sources nationally or internationally?

A PaaS
B NaaS
C SaaS
D IaaS

A

Which of the following is strongly encouraged for managing access of the directory administrators?

A PIM
B Active Directory
C LDAP
D IAM

A – PIM (Privileged Identity Management)

Security
Services
Health

3 things IT QoS focuses on measuring

Complexity of fixes
Project delays

Reasons Security Scanning should be performed throughout the development process

The scope of an audit will change based on the cloud model used.

A True
B False

A

The Sarbanes-Oxley Act is enforced by:

A SPA
B FED
C SOX
D SEC

D

What are the four elements that a data retention policy should define?

A Retention periods, data formats, data security, and data destruction procedures

B Retention periods, data formats, data security, and data communication procedures

C Retention periods, data formats, data security, and data retrieval procedures

D Retention periods, data access methods, data security, and data retrieval procedures

C

Data in the destroy phase can be considered destroyed if it is made permanently inaccessible.

A True
B False

A

What defines what the audit will produce?

A Audit criteria for assessment
B Deliverables
C Scope of Audit
D Audit Scope

B

Cooling
Power Distribution
Outside Power Supply
Inside Power Supply

Items that should be redundant in a data center

This concept is the unauthorized exposure of data:

A Account Hijacking
B Data Breach
C Data Loss
D Data Access

B

Which of the following is an ongoing process, implemented throughout the system life cycle, that keeps track of identified risks?

A Risk assessment
B Framing risk
C Risk control
D Risk monitoring

D

ENISA (European Network and Information Security Agency)
NIST (National Institute of Standards and Technology)
ISO 31000:2009

Frameworks that are associated with risk

This includes policies focused on reducing threats and risks to IT and Data resources.

A ITIL
B ISMS
C ITSM
D MSIS

B

Sets up a baseline for the default Information Protection Policy.
Adds an extra layer of access controls on top of the data object.
Protects sensitive organization content.

Features of IRM

There may be extra costs associated with eDiscovery in a cloud environment.

A True
B False

A

What is a security-related concern for a PaaS solution?

A Data access and policies
B System and resource isolation
C Virtual machine attacks
D Web application security

B

Encryption
Overwriting

Methods for the safe disposal of electronic records in Cloud Environments

This type of attack attempts to identify known holes in the security systems.

A Pen Testing
B SAST
C DAST
D Vulnerability Scanning

D

Third-party e-discovery
Hosted e-discovery
SaaS-based e-discovery

Ways to conduct e-discovery investigations in cloud environments

Which standard outlines domains which establish frameworks for risk assessment?

A ISO/IEC 27018:2005
B ISO/IEC 27001:2005
C ISO/IEC 27001:2011
D ISO/IEC 27001:2013

D

Which of the following is not a cloud deployment model?

A Private
B Public
C Open
D Hybrid

C

Which data-at-rest encryption method encrypts all the data stored on the volume and all snapshots created from the volume?

A Whole instance encryption
B Volume encryption
C Directory encryption

A – Whole-instance encryption: Encrypts all of the system’s data at rest in one instance

Which of the following provides privacy protections for certain electronic communication and computing services from unauthorized access or interception?

A HIPAA
B SOX
C SCA
D GLBA

C – SCA (Stored Communications Act)

What are the phases of a software development lifecycle process model?

A Planning and requirements analysis, designing, defining, developing, testing, and maintenance

B Planning and requirements analysis, defining, designing, developing, testing, and maintenance

C Defining, planning and requirements analysis, designing, developing, testing, and maintenance

D Planning and requirements analysis, defining, designing, testing, developing, and maintenance

B

Which of the following are storage types used with an IaaS solution?

A Volume and block
B Volume and object
C Unstructured and ephemeral
D Structured and object

B

Which of the following cloud characteristics explains that a cloud provides services to serve multiple clients according to their priority?

A Measured service
B Resource pooling
C Rapid elasticity
D Broad network access

B

What are the five Trust Services principles?

A Security, Availability, Processing Integrity, Confidentiality, and Privacy

B Security, Availability, Processing Integrity, Confidentiality, and Nonrepudiation

C Security, Availability, Customer Integrity, Confidentiality, and Privacy

D Security, Auditability, Processing Integrity, Confidentiality, and Privacy

A

All of the following are part of a Federated Identity System except:

A Relaying Party
B User
C Identity Provider
D Relying Party

A

Single Sign On works by issuing:

A Passwords
B IDs
C Tickets
D Tokens

D

RFCs are approved by?

A Managers
B Committee
C CAB
D Supervisors

C – CAB (Change Advisory Board)

When using transparent encryption of a database, where does the encryption engine reside?

A Within the database
B At the application using the database
C On the instances attached to the volume
D In a key management system

A

Application and software licensing
Overall reduction of costs
Reduced support costs

Benefits provided by SaaS for the applications accessible by clients anywhere

This plugin parses HTTP traffic and applies a set of rules before sending it to the application server.

A WPA
B WAP
C WAS
D WAF

D – WAF (Web Application Firewall)

Ensure knowledge transfer.
Manage stakeholders.
Ensure the integrity of release packages.

Objectives of release and deployment management

Data in the Archive and Destroy phases may need to be handled according to regulations, standards, or policies.

A True
B False

A

Which is not a part of the BCDR Continual Process?

A Report
B Analyze
C Gather Resources
D Revise

C

Open Source Software is less secure than proprietary software and should not be used in a cloud environment.

A True
B False

B

The following are common vulnerabilities in a cloud environment except:

A DBSS
B XSS
C Injection
D Unvalidated Redirects

A

Which of the following allows consumers to obtain, remove, manage, and report on resources, without the need to engage or speak with resources internally or with the provider?

A Self-service and on-demand capacity
B Scale
C High reliability and resilience
D Converged network and IT capacity pool

A

Which step of the BCDR Continual Process uses the RPO and RTO to determine what is needed in BCDR planning?

A Assess Risk
B Gather Requirements
C Analyze
D Define Scope

B

Which SOC 2 report would be run to determine if security controls are suitable based on design and intent?

A Type 2 Reports
B Type 3 Reports
C Aged Reports
D Type 1 Reports

D

Which of the following are distinguishing characteristics of a managed service provider?

A Have some form of a help desk but no NOC.

B Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management.

C Have some form of a NOC but no help desk.

D Be able to remotely monitor and manage objects for the customer and reactively maintain these objects under management.

B

Automations can be used to monitor the baselines and remediation of servers.

A True
B False

A

Consider the following example:

“An artist gives an art gallery permission to represent the art of some other artist but he is not allowed to reproduce his work.”

Which law is applied in the given example that restricts the artist?

A Tort law
B The doctrine of the proper law
C Criminal law
D Copyright and piracy law

D

Which of the following Acts consists of the given sections?

-The financial privacy
-The safeguards rule
-The pretexting provisions

A SCA
B SOX
C HIPAA
D GLBA

D

Which of the following is considered a “white box” test?

A DAST
B SAST
C Port Scanning
D Pen Testing

B

In cloud development, which of the following is essential to success?

A Programming Languages
B Experience/knowledge of newer languages/methodologies
C Project Management
D Development Methodologies

B

RPO and RSL are used to establish when services and data are completely restored.

A True
B False

B

Who among the following adds and extends value to the cloud-based services for customers?

A Cloud services brokerage
B Cloud service auditor
C Cloud backup service provider
D Cloud service provider

A

Which is a management control that is usually tied to the host OS?

A Hypervisor Type 2
B Hypervisor Type 3
C Hypervisor Type 4
D Hypervisor Type 1

A

Host hardening
Host patching
Secure build
Secure initial configuration

Best practice recommendations to secure host servers within a cloud environment

Knowing that the cloud provider does vulnerability assessment is good enough.

A True
B False

B

Which STRIDE component involves disputes?

A Denial of Service
B Spoofing Identity
C Tampering with Data
D Repudiation

D

Confidentiality and Integrity are essentially the same thing.

A True
B False

B

STRIDE
DREAD

Examples of threat modeling

When using a PaaS solution, what is the capability provided to the customer?

To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Data storage types that PaaS utilizes

Structured and Unstructured

Deployed on the local system

HIDS and HIPS

Which of the following is considered white-box testing and analyzes application source code, byte code, and binaries for coding and design conditions that reveal security vulnerabilities?

A Penetration testing
B RASP
C DAST
D SAST

D – SAST (static application security testing)

What input entities does the secondary set include for data classification with regard to P&DP?

Data breach constraints
Data retention constraints
Data location allowed

Which components must the CCSP review to ensure that the distributed IT model does not leave a negative impact on organizations?

Clear communications
Coordination and management of activities
Governance of processes and activities
Security reporting

Which of the following is a third-party entity that selects the best provider for each customer and monitors the services?

A Cloud service developer
B Cloud service business manager
C Cloud service provider
D Cloud service broker

D

Which of the following should be carried out first when seeking to perform a gap analysis?

A Conduct information gathering.
B Define scope and objectives.
C Identify potential risks.
D Obtain management support.

D

This type of storage is a virtual hard drive attached to a virtual host:

A Content and File Storage
B Information Storage and Management
C Structured
D Volume

D

What are the two biggest challenges associated with the use of IPSec in cloud computing environments?

A Auditability and governance
B Configuration management and performance
C Training customers on how to use IPSec and documentation
D Access control and patch management

B

In SOC 2 auditing, along with the security principle, how many of the other 4 principles must be included to complete a report?

A 1
B 7
C 5
D 3

A

PII is only protected in the United States.

A True
B False

B

This is the process which ensures resources are not overutilized or underutilized.

A Dynamic Optimization
B Auto-scaling
C Elasticity
D Dynamic Operations

A

Which of the following cloud deployment models may exist on or off premises?

Community
Private
Hybrid

Which is a cloud service model category?

A DBaaS
B XaaS
C BaaS
D PaaS

D

Which standard applies to Credit Card Processing?

A SOX
B PCI DSS
C PIC DSS
D HIPPA

B

Which of the following technologies does cloud computing use through a management interface?

Virtualization
Automation
Federated identity management

Which of the following software configuration management tools integrates during building, deploying, and managing infrastructure?

A Puppet
B SVN
C Chef
D CVS

C

Which of the following publishes the most commonly used standards for data center tiers and topologies?

A IDCA
B BICSI
C NFPA
D Uptime Institute

D

The “Data Center Site Infrastructure Tier Standard: Topology” document describes a four-tiered architecture for enterprises to rate their data center designs. What are the names of the four tiers?

Fault-Tolerant Site Infrastructure
Redundant Site Infrastructure Capacity Components
Basic Data Center Site Infrastructure
Concurrently Maintainable Site Infrastructure

The following are issues of Key Management except:

A ACL
B Trust
C Availability
D Integrity

A

What is a key characteristic of a honeypot?

A Composed of physical infrastructure
B Composed of virtualized infrastructure
C Isolated, monitored environment
D Isolated, nonmonitored environment

C

The key areas of performance metrics are:

A Storage and Processing
B CPU, Memory, Capacity, and Bandwidth
C CPU, Memory, Disk, and Networking
D Storage, Processing, Networking

C

While working with integrations in a cloud environment, which of the following can be an issue?

A Access to Logs
B Authorization
C Applications
D Repudiation

A

DLP to protect Data at Rest is installed:

A Near the Network Perimeter
B On the users’ device
C In the Application
D On the system holding the data

D

Which is not a security concept of customers of cloud computing?

A Physical Security
B Network Security
C Access Control
D Cryptography

A

These systems are controlled and maintained at the customer’s site

Remote KMS
Client-Side KMS

Which contractual components include a clear understanding of the permissible forms of data processing, transmission, and storage, along with any limitations or nonpermitted uses?

Scope of processing
Use of subcontractors

The following are toolsets and technology commonly used to secure data except:

A Anonymization
B Marking
C Masking
D Encryption

B

From whose perspective does auditability provide processes to review, assess, and report user and system activities?

Management
Stakeholder

Which two are threat models?

STRIDE
DREAD

Which of the following are attributes of cloud computing?

A Minimal management effort and shared resources
B High cost and unique resources
C Rapid provisioning and slow release of resources
D Limited access and service provider interaction

A

Auditing is only used to discover security holes.

A True
B False

B

In which of the following cloud deployment models does platform security come under enterprise responsibility?

A PaaS
B SaaS
C NaaS
D IaaS

D

Which of the following allows for agentless retrieval of the guest OS state, and is used for malware analysis, memory forensics, and process monitoring?

A Firewall
B VMI
C SIEM
D Honeypot

B – VMI (Virtual Machine Introspection)

If a patch is unavailable for a vulnerability, it may be advisable to turn off affected services or restrict access by other means.

A True
B False

A

Which term is defined as a percentage measurement of how much computing power is necessary on the basis of the required percentage of the production system during a disaster?

A RSL
B MTD
C RTO
D RPO

A

Data Classification is a core concept of PCI DSS.

A True
B False

A

Which Cloud Model uses mainly databases to store data?

A SaaS
B DBaaS
C PaaS
D IaaS

A

In which of the following scenarios is a CSP considered as the provider of alternative facilities?

A Cloud service consumer, primary provider BCDR
B On-premises, cloud as BCDR
C Cloud service consumer, alternative provider BCDR

B

What are the virtualization components governed by the management plane?

Storage
Network
Compute

All of the following should be included in the Audit Scope Statement except:

A Deliverables
B Cost
C Classification
D Reason

B

In SaaS the customer has control over:

A Data
B Software
C OS
D Platform

A

Which of the following are considered to be the building blocks of cloud computing?

A CPU, RAM, storage, and networking
B Data, CPU, RAM, and access control
C Data, access control, virtualization, and services
D Storage, networking, printing, and virtualization

A

Encryption ensures integrity of Data.

A True
B False

B

What is the difference between BC and BCM?

BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. BCM provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

What is the process of gathering evidence in a cloud environment?

A eDiscovery
B Discovery
C ISO/IEC 27050
D Forensics

A

Which of the following statements are true of software-defined networking?

Enables a user to execute the control plane software on general-purpose hardware

Allows for network control to become directly programmable and distinct from forwarding

Provides a clearly defined and separate network control plane to manage network traffic

This is a method of categorizing data by finding patterns and it relies on users to refine it:

A eDiscovery
B Data Discovery
C Categorization
D Databasing

B

A Type 1 Hypervisor resides on the Host Device i.e. VM Workstation.

A True
B False

B – False. A Type 1 Hypervisor typically resides on the Server side, i.e. ESX.

How many layers of encryption are typically available to a Database?

A 2
B 3
C 4
D 1

A

Which is an act enforced by the Securities Exchange Commission (SEC)?

A Safe Harbor
B SCA
C SOX
D SEC

C

What is Portability?

A Ability to use cloud services on Mobile Devices.
B Ability to change CSPs.
C Measurement of Size.
D Use of Cloud Services across multiple platforms.

B

Which model provides the least amount of configuration options?

A IaaS
B PaaS
C SaaS
D DBaaS

C

Which of the following are contractual components that the CCSP should review and understand fully when contracting with a CSP?

Scope of processing
Use of subcontractors

Which of the following is a plan to fix or mitigate all findings from an audit?

A Fixpack
B Mitigation
C Remediation
D Patching

C

This type of storage typically uses APIs or network requests:

A Structured
B Volume
C Object
D Unstructured

C

Multifactor authentication requires two of the following except:

A Something you know
B Something you are
C Something you have
D Something you do

D

This is the amount of data required to be maintained or restored in order to restore acceptable functionality:

A RPO
B RSL
C RTO
D RTL

A

Which of the following is application generated or imported through the application?

A Content and File Storage
B Information Storage and Management
C Structured
D Volume

B

What is the difference between contractual and regulated PII?

Contractual PII Exposure can lead to specified penalties or breach of contract.

Regulated PII Exposure can lead to fines and criminal charges.

In a federated system, which two components serve as its core?

The IdP (Identifying Party) and
The Relying Party

Which of the following are the challenges associated with key management?

Key storage
Access to the keys
Backup and replication

Refers to the organization purchasing, leasing, or renting cloud services

Cloud customer

Owns the datacenter, manages the resources, monitors services, and provides administrative assistance

Cloud Service Provider (CSP)

Offers independent identity and access management (IAM) services to CSPs and cloud customers

Cloud Access Security Broker (CASB)

Ensures organizations are in compliance with the framework for which they’re responsible

Regulator

This is the flexibility of allocating resources as needed for immediate usage, instead of purchasing resources according to other variables.

Elasticity

Usage and administration of cloud services ought to be transparent to cloud customers and users; from their perspective, a digital data service is paid for and can be used, with very little additional input other than what is necessary to perform their duties.

Simplicity

The organization’s computing needs won’t remain static: there will be new (and hopefully more) users, customers, and data as the organization continually matures.

Scalability

-Allows the customer to install all software, including operating systems (OSs) on hardware housed and connected by the cloud vendor.

IaaS

-Contains everything included in IaaS, with the addition of OSs.

-The vendor is responsible for patching, administering, and updating the OS as necessary, and the customer can install any software they deem useful.

-This model is especially useful for software development operations (DevOps)

-Some examples include systems already loaded with a hardened operating system such as Windows Server or Linux.

PaaS

-Includes everything listed in the previous two models, with the addition of software programs.

-The cloud vendor is responsible for administering, patching, and updating this software as well

-Some examples include: Google Docs, Microsoft’s Office 365, QuickBooks Online, and Customer Relationship Manager (CRM) software

SaaS

Owned by a single organization and is implemented on a cloud-based secure environment protected by a firewall

Private Cloud

Integrated arrangement of two or more cloud servers

Hybrid Cloud

Multi-tenant setup shared between organizations that belong to a specific group

Community Cloud

Delivers cloud services over a network that is open for free usage

Public Cloud

We determine a value for every asset (usually in terms of dollars), what it would cost the organization if we lost that asset (either temporarily or permanently), what it would cost to replace or repair that asset, and any alternate methods for dealing with that loss.

Business Impact Analysis (BIA)

Denotes those aspects of the organization without which the organization could not operate or exist. These could include tangible assets, intangible assets, specific business processes, data pathways, or even key personnel.

Criticality

The opposite of avoidance; the risk falls within the organization’s risk appetite, so the organization continues operations without any additional efforts regarding the risk.

Acceptance

The organization pays someone else to accept the risk, at a lower cost than the potential impact that would result from the risk being realized; this is usually in the form of INSURANCE.

Transference

The provider is responsible for connectivity and power, and the customer is in charge of installing software.

IaaS

The provider is responsible for updates and administration of the OS and the customer monitors and reviews software events.

PaaS

The provider is responsible for system maintenance and the customer supplies and processes data to and in the system.

SaaS

-All guest accounts are removed
-No default passwords remain
-Systems are patched, maintained, and updated according to vendor guidance
-All unused ports are closed
-Physical access is severely limited and controlled

Ways for securing devices in the datacenter

The ______________ is any organization or person who manipulates, stores, or moves the data on behalf of the data owner.

data custodian

Collects or creates the data, and possesses the rights and the responsibilities of the data.

Data Owner

Manipulates, stores, or moves the data, and serves as a cloud provider.

Data Custodian

Used when the discovery effort is considered in response to a mandate with a specific purpose

Label-based Discovery

Used to collect all matching data elements for a certain purpose.

Metadata-based Discovery

Used to locate and identify specific kinds of data by delving into the datasets.

Content-based Discovery

Creates new data feeds from sets of data already existing within the environment.

Data analytics Discovery

Acts as a form of data caching, usually near geophysical locations of high use demand, improves bandwidth and provides quality

Content Delivery Network (CDN)

____________ are applied to existing systems and components, whereas upgrades are the replacement of older elements for new ones.

Updates

_____________ usually deals with modifications to the network, such as the acquisition and deployment of new systems and components and the disposal of those taken out of service.

Change management

__________ usually concerns modifications to a known set of parameters regarding each element of the network, including what settings each has, how the controls are implemented, and so forth.

Configuration management

The ____________ is a general-purpose map of the network and systems, based on the required functionality as well as security

baseline

______________ efforts are concerned with maintaining critical operations during any interruption in service, whereas disaster recovery efforts are focused on the resumption of operations after an interruption due to disaster.

Business continuity

BC/DR Concept:
How long it would take for an interruption in service to kill an organization, measured in time. For instance, if a company would fail because it had to halt operations for a week, its MAD is one week.

MAD (Maximum Allowable Downtime)

BC/DR Concept:
The goal for recovery of operational capability after an interruption in service, measured in time.

RTO (Recovery Time Objective)

BC/DR Concept:
The goal of limiting the loss of data from an unplanned event. Confusingly, this is often measured in time. For instance, if an organization is doing full backups every day and is affected by some sort of disaster, that organization’s BC/DR plan might include a goal of resuming critical operations at an alternate operating site with the last full backup, and the time needed would be 24 hours.

RPO (Recovery Point Objective)

______________ is an advisory organization for matters related to IT service.

Uptime Institute

Entails multiple differing security controls protecting the same assets with a variety of technological levels

Security redundancy

Provides increased level of robustness among personnel resources who administer and support the IT components

Personnel redundancy

Behooves the cloud provider to ensure that all communication lines are replicated on opposite sides of each building

Power line redundancy

The Brewer-Nash model, also known as the _____________________, seeks to mask the nature and details of a customer’s business from the administrators. This 1989 document distinguishes access and permissions of administrators based on policy.

Chinese Wall model

Clustered storage architectures can take one of two types: tightly coupled or loosely coupled.

A True
B False

A

A _________ is a network file server with a drive or group of drives, portions of which are assigned to users on that network. The user will see a NAS as a file server and can share files to it. NAS commonly uses TCP/IP.

NAS

A __________ is a group of devices connected to the network that provide storage space to users. Typically, the storage apportioned to the user is mounted to that user’s machine, like an empty drive. They mostly use iSCSI or Fibre Channel protocols.

SAN

Stores all the data on a file system and also gives customers access to the parts of the hierarchy to which they are assigned

Object storage

Allows greater flexibility and each node of the cluster is independent of others

Loosely coupled cluster

Allows data to be recovered in a more efficient manner because if one of the drives fails, the missing data can be filled in by the other drives

Resiliency

___________________ is the practice of viewing the application from the perspective of a potential attacker. Realistically, it involves more than just causing a breach or gaining access (the “penetration”)

Threat modeling

S (Spoofing): Any impersonation such as IP or user spoofing
T (Tampering): Attacks that make unauthorized modifications to actual data, affecting the integrity of information or communications.
R (Repudiation): When nonrepudiation (the inability to deny one’s actions) has been compromised
I (Information Disclosure): Data leakage or an outright breach
D (Denial of Service): Any attack that results in loss of availability to authorized entities.
E (Escalation of Privilege): The ability to elevate a user account privilege above the authorized level

STRIDE acronym

____________________ testing is useful in finding such security problems as cross-site scripting (XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions, and backdoors. This type of test usually delivers more results and more accuracy than its counterpart dynamic application security testing (DAST).

Static application security testing (SAST)

___________________ is considered a black-box test since the code is not revealed and the test must look for problems and vulnerabilities while the application is running. It is most effective when used against standard HTTP and other HTML web application interfaces.

Dynamic application security testing (DAST)

While STRIDE is widely used in the software development community, other models exist as well. ______________ (and its associated tool) is an open source alternative offered by Octotrike and cited by OWASP

The Trike model

_________________ refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed by others and seeks to provide for the compensation of victims that suffered at the hand of others by shifting their costs to the person who caused them.

Tort law

The ________________ is a term used to describe the processes associated with determining what legal jurisdiction will hear a dispute when one occurs. An example would be when multiple jurisdictions are involved and courts must decide where a case must be heard and decided.

Doctrine of the Proper Law

Involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes

Criminal law

Governs offenses such as kidnapping or bank robbery, for which the criminal would be subject to prosecution or punishment

Federal law

Deals with personal and community-based law such as marriage and divorce as opposed to a military law

Civil law

Includes speed limits laws, tax laws, and the criminal code laws

State law

This act often referred to as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.”

The Electronic Communication Privacy Act (ECPA) of 1986 backed by US Congress

Title II of the Electronic Communications Privacy Act of 1986, this act restricts the government from forcing ISPs to disclose customer data the ISP might possess.

The Stored Communications Act (SCA) of 1986 backed by US Congress

This act allows banks to merge with and own insurance companies and keeps customer account information private and secure. Customers are also allowed to opt out of any information-sharing arrangements the bank or insurer might engage in.

Gramm-Leach-Bliley Act (GLBA) of 1999 backed by FDIC

This act increases transparency into publicly traded corporations’ financial activities and includes provisions for securing data.

Sarbanes-Oxley Act (SOX) of 2002 backed by SEC

This act protects patient records and data, known as electronically protected health information (ePHI).

Health Insurance Portability and Accountability Act (HIPAA) of 1996 backed by DHHS

This act prevents academic institutions from sharing student data with anyone other than parents of students.

Family Educational Rights and Privacy Act (FERPA) of 1974 backed by Department of Education

This act extends copyright protection to owned data in an Internet-enabled world and lets copyright holders demand, via a takedown notice, that any site on the Internet remove content the holder claims belongs to them.

The Digital Millennium Copyright Act (DMCA) of 1998, signed into law by President Clinton

Canada's ______________________ was drafted to conform to the EU Data Protection Directive. It provides guidelines describing how businesses should manage personal data in the course of commercial activity.

Personal Information Protection and Electronic Documents Act (PIPEDA)

____________ refers to the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes. Determining which data in a set is pertinent can be difficult, regardless of whether the data is in databases, records, email, or just simple files.

Electronic discovery (eDiscovery)

Guide for collecting, identifying, and preserving electronic evidence

ISO/IEC 27037:2012

Guide for incident investigations

ISO/IEC 27041:2015

Guide for digital evidence analysis

ISO/IEC 27042:2015

Incident investigation principles and processes

ISO/IEC 27043:2015

Overview and principles for eDiscovery

ISO/IEC 27050-1:2016

______________ describes personally identifiable information (PII) as data such as a name, date of birth, and Social Security number. HIPAA calls the health-care equivalent "electronic protected health information" (ePHI), which also includes any patient information such as medical records and facial photos. GLBA covers customer account information such as account numbers and balances.

NIST Special Publication (SP) 800-122

To create an accurate frame of reference, a ____________ is conducted: a lightweight audit that will generally turn up weaknesses or vulnerabilities, but whose purpose is to identify them so they can be remediated before any further actual audit work.

gap analysis

An audit engagement consisting of an examination of organizational financial reporting controls. For a cloud customer trying to determine the suitability of a cloud provider, it is useless, because it doesn’t tell us anything about data protection, configuration resiliency, or any other element the customer needs to know.

SOC 1

________ reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy. This is the report of most use to cloud customers (to determine the suitability of cloud providers) and IT security practitioners.

SOC 2

The ________ report, on the other hand, is purely for public consumption and serves only as a seal of approval of sorts for public display without sharing any specific information regarding audit activity, control effectiveness, findings, and so on.

SOC 3

____________ specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

ISO/IEC 27001

Chooses to take the risk after determining that the risk is minimal and the reward is substantial

Risk Acceptance

Declines to engage in the activity at all, as a response to a cost-benefit analysis showing that the specific risk outweighs the benefit

Risk avoidance

Shifts some of the risk associated with an activity to another party (for example through insurance or contract terms) rather than accepting all of it

Risk transference

Reduces risk to an acceptable level through the use of controls and countermeasures

Risk mitigation

An international standard that focuses on designing, implementing, and reviewing risk management processes and practices

ISO 31000:2009

A guide for implementing the risk management framework, which is a methodology for handling all organizational risk in a comprehensive manner

NIST SP 800-37

The European Union agency that produces publications on cloud computing benefits, risks, and recommendations for information security

ENISA (European Union Agency for Network and Information Security)

The ___________ describes in detail exactly what both parties’ responsibilities are, what services are being contracted, and what provisions are in place for the safety, security, integrity, and availability of those same services.

contract

The _______ is the list of defined, specific, numerical metrics that will be used to determine whether the provider is sufficiently meeting the contract terms during each period of performance.

SLA

__________ refers to including only the departments or business units impacted by a cloud engagement.

Scoping

The Cloud Security Alliance ______________ program is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative. It provides an independent level of program assurance for cloud consumers and offers a central repository where providers can publicly release these documents.

Security, Trust, and Assurance Registry (STAR)

Level One: Self-Assessment: Requires the release and publication of due diligence assessments against the CSA's Consensus Assessments Initiative Questionnaire (CAIQ) and/or Cloud Controls Matrix (CCM)

Level Two: CSA STAR Attestation: Requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM and ISO 27001:2013 or an AICPA SOC 2

Level Three: CSA STAR Continuous Monitoring: Requires the release and publication of results related to the security properties of monitoring based on the CloudTrust Protocol

The 3 Levels of CSA Security, Trust, and Assurance Registry (STAR)

The customer is concerned with data, whereas the provider is concerned with security and operation.

A True
B False

A

The customer’s ultimate legal liability for data it owns remains true even if the provider’s failure was the result of negligence.

A True
B False

A

To avoid lock-in, the organization has to think in terms of _____________ when considering migration. We use the term to describe the level of ease or difficulty when transferring data out of a provider’s datacenter.

portability

_________________ can be caused when the cloud provider goes out of business, is acquired by another interest, or ceases operation for any reason. In these circumstances, the concern is whether the customer can still readily access and recover their data.

Vendor lock-out

Hypervisor _________ also called bare-metal or hardware hypervisor, resides directly on the host machine, often as bootable software.

Type 1

Hypervisor _________ is a software hypervisor, and it runs on top of the OS that runs on a host device.

Type 2

Attackers prefer Type 2 hypervisors because of the larger surface area.

A True
B False

A

Occurs on the hypervisor itself, the underlying OS, and the machine directly

Attacks on the hypervisor

An internal network with remote access capabilities

Threats:
Malware, man-in-the-middle attacks, and social engineering

Private cloud

Provides a cloud computing solution to a limited group of organizations or individuals with a shared concern

Threats:
Loss of policy control and physical control and lack of audit access

Community cloud

A company relies on a third-party provider for services that are shared with other tenants

Threats:
Rogue administrator, escalation of privilege, and contractual failure

Public cloud

External attacker: Countered with hardened devices, hypervisors, and virtual machines, backed by thorough configuration and change management protocols

Social engineering: Countered with training, plus incentive programs that reward personnel who resist the attempts and report them to the security office

Regulatory violation: Countered by implementing DRM solutions, hiring knowledgeable, trained personnel with the right skillsets, and using encryption, obfuscation, and masking

Natural disaster: Countered by ensuring multiple redundancies for all systems and services in the datacenter

Contractual failure: Countered by keeping full offsite backups, secured and held by the customer, to protect against vendor lock-in/lock-out

Countermeasure methods that can be adopted to address each of the threats for each of the cloud models

Cloud computing magnifies the likelihood and impact of two existing risks: __________ and ____________.

internal personnel; remote access

BC/DR backup plan in which the customer decides when normal operations will cease and the backup will be utilized as the operational network.

Private architecture, cloud service as backup

BC/DR backup plan in which the provider is responsible for determining the location and configuration of the backup and for assessing and declaring disaster events.

Cloud operations, cloud provider as backup

BC/DR backup plan in which the cloud provider hosts regular operations and the customer opts for contingency operations to distribute risks.

Cloud operations, third-party cloud backup provider

-Security governance, risk, and compliance (GRC) and data security are enterprise responsibilities.

-Physical security and infrastructure security are cloud provider responsibilities.

Enterprise Responsibility Vs Cloud Provider Responsibility

The cloud provider secures the facility, hardware, virtualization layer, and the platform itself (OS and runtime); the cloud customer is responsible for the applications it deploys on the platform, its data, and access to them.

PaaS

The cloud provider secures the infrastructure, including physical security, and everything up to and including the application; the cloud customer is responsible for access management (accounts, permissions) and administration of its own data.

SaaS

The cloud provider is responsible for physical security of the facility and of the underlying systems (hardware, network, hypervisor); the cloud customer is responsible for the operating systems, applications, and data it runs on top.

IaaS

Removing unnecessary services and libraries
Closing unused ports
Installing antimalware agents
Limiting administrator access
Ensuring event logging is enabled

Ways to harden Operating Systems

-Poor documentation: documenting the deployment is a slow, methodical process that adds nothing visible to functionality or performance, so it is often neglected.

-Multitenancy: other tenants might gain access to the organization's data through inadvertent data bleed.

-Not all apps are cloud-ready: even though many apps will eventually run successfully in the cloud, they may require configuration changes in order to work effectively.

Cloud application deployment pitfall issues

In the _______________of the Cloud SDLC, we are focused on identifying the business needs of the application, such as accounting, database, or customer relationship management.

definition phase

In the ____________ of the Cloud SDLC, we begin to develop user stories (what the user will want to accomplish and how to go about it), what the interface will look like, and whether it will require the use or development of any APIs.

design phase

The _______________ of the Cloud SDLC is where the code is written. The code takes into account the previously established definition and design parameters.

development phase

Business Context
Regulatory Context
Technical Context
Specifications
Roles, Responsibilities, and Qualifications
Processes
Application Security Control (ASC) Library

ISO/IEC 27034-1 standard categories

Often used in authorization with mobile apps, the _________ framework provides third-party applications limited access to HTTP services.

OAuth

This uses the term realms in explaining its capabilities to allow organizations to trust each other’s identity information across organizations.

WS-Federation

This is an interoperable authentication protocol based on the OAuth 2 specification. It allows developers to authenticate their users across websites and applications without having to manage usernames and passwords.

OpenID Connect

_______________ is a protocol specification providing for the exchange of structured information or data in web services. It works over multiple transport protocols, including HTTP, SMTP, and FTP.
Standards-based
Reliant on XML
Highly intolerant of errors
Slower
Built-in error handling

Simple Object Access Protocol (SOAP)

Encrypts all of the system’s data at rest in one instance

Whole-instance encryption

Encrypts data in transit between clients and servers (or between servers)

Secure Sockets Layer (SSL; superseded by TLS)

What is the intellectual property protection for a very valuable set of sales leads?

A Trademark
B Trade secret
C Copyright
D Patent

B

What is the federal agency that accepts applications for new patents?

A SEC
B OSHA
C USPTO
D USDA

C – The U.S. Patent and Trademark Office

In the cloud motif, the data owner is usually:

A The cloud provider
B The cloud customer
C In another jurisdiction
D The cloud access security broker

B

All the following are data analytics modes, except:

A Refractory iterations
B Real-time analytics
C Datamining
D Agile business intelligence

A

DRM solutions should generally include all the following functions, except:

A Automatic self-destruct
B Automatic expiration
C Dynamic policy control
D Persistency

A

In the cloud motif, the data processor is usually:

A The cloud access security broker
B The cloud provider
C The cloud customer
D The party that assigns access rights

B

All of these are methods of data discovery, except:

A Content-based
B User-based
C Label-based
D Metadata-based

B

What is the intellectual property protection for the logo of a new video game?

A Copyright
B Trade secret
C Trademark
D Patent

C

All of the following regions have at least one country with an overarching, federal privacy law protecting personal data of its citizens, except:

A South America
B Europe
C Asia
D The United States

D

DRM tools use a variety of methods for enforcement of intellectual property rights. These include all the following, except:

A Media-present checks
B Support-based licensing
C Local agent enforcement
D Dip switch validity

D

Every security program and process should have which of the following?

A Homomorphic encryption
B Foundational policy
C Severe penalties
D Multifactor authentication

B

Data labels could include all the following, except:

A Handling restrictions
B Delivery vendor
C Source
D Jurisdiction

B

Data labels could include all the following, except:

A Distribution limitations
B Access restrictions
C Multifactor authentication
D Confidentiality level

C

Data labels could include all the following, except:

A Date data was created
B Data owner
C Data value
D Date of scheduled destruction

C

What is the intellectual property protection for a confidential recipe for muffins?

A Trademark
B Patent
C Copyright
D Trade secret

D

What is the aspect of the DMCA that has often been abused and places the burden of proof on the accused?

A Takedown notice
B Puppet plasticity
C Online service provider exemption
D Decryption program prohibition

A

All policies within the organization should include a section that includes all of the following, except:

A Policy review
B Policy enforcement
C Policy adjudication
D Policy maintenance

C

What is the intellectual property protection for the tangible expression of a creative idea?

A Copyright
B Trade secret
C Trademark
D Patent

A

The goals of SIEM solution implementation include all of the following, except:

A Performance enhancement
B Dashboarding
C Trend analysis
D Centralization of log streams

A

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?

A AES
B Link encryption
C Homomorphic encryption
D One-time pads

C

What is a cloud storage architecture that manages the data in a hierarchy of files?

A File-based storage
B Object-based storage
C CDN
D Database

A

Tokenization requires two distinct ______________.

A Personnel
B Encryption keys
C Databases
D Authentication factors

C
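The answer above is "two databases": the application's own store, which holds only tokens, and the token vault, which maps tokens back to the real values. The block below is an added example, not code from the original study guide, using two in-memory SQLite databases to stand in for two separately hosted and separately secured stores. The table layout, the card number, and the function names (`tokenize`, `detokenize`, `place_order`, `card_values_in_app_db`) are constructed for the demo.

```python
import secrets
import sqlite3
from typing import List, Optional

# Added example (not from the original study guide): tokenization with a
# separate token vault. Two in-memory SQLite databases stand in for two
# physically separate stores: the application database and the vault.
app_db = sqlite3.connect(":memory:")
vault_db = sqlite3.connect(":memory:")
app_db.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer TEXT, card_token TEXT)")
vault_db.execute("CREATE TABLE vault (token TEXT PRIMARY KEY, pan TEXT NOT NULL UNIQUE)")


def tokenize(pan: str) -> str:
    """Return a format-preserving token for a card number (PAN).

    The token keeps the last four digits (the part a receipt may show) and
    replaces the rest with random digits, so legacy code that expects a card
    number keeps working while the token carries no information about the PAN.
    """
    row = vault_db.execute("SELECT token FROM vault WHERE pan = ?", (pan,)).fetchone()
    if row:
        return row[0]  # same PAN -> same token, so the application can still join on it
    while True:
        token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
        # A token must not collide with an existing token or equal any real PAN.
        taken = vault_db.execute(
            "SELECT 1 FROM vault WHERE token = ? OR pan = ?", (token, token)
        ).fetchone()
        if token != pan and not taken:
            break
    vault_db.execute("INSERT INTO vault (token, pan) VALUES (?, ?)", (token, pan))
    return token


def detokenize(token: str) -> Optional[str]:
    """Look the PAN up in the vault; only the component with vault access can do this."""
    row = vault_db.execute("SELECT pan FROM vault WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None


def place_order(order_id: int, customer: str, pan: str) -> str:
    """The application stores only the token; the PAN never enters app_db."""
    token = tokenize(pan)
    app_db.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_id, customer, token))
    return token


def card_values_in_app_db() -> List[str]:
    """What an attacker who dumps the application database would see."""
    return [r[0] for r in app_db.execute("SELECT card_token FROM orders")]
```

Unlike encryption, there is no key to recover: the only way from token to PAN is a lookup in the vault, which is why the vault must sit in a separate, more tightly controlled segment than the application database.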

Data masking can be used to provide all of the following functionality, except:

A Enforcing least privilege
B Test data in sandboxed environments
C Authentication of privileged users
D Secure remote access

C

DLP can be combined with what other security technology to enhance data controls?

A DRM
B Hypervisors
C Kerberos
D SIEM

A

What is a cloud storage architecture that manages the data in caches of copied content close to locations of high demand?

A Object-based storage
B CDN
C Database
D File-based storage

B – Content Delivery Network

Cryptographic keys should be secured ______________.

A In vaults
B By armed guards
C With two-person integrity
D To a level at least as high as the data they can decrypt

D

Proper implementation of DLP solutions for successful function requires which of the following?

A Accurate data categorization
B Physical access limitations
C USB connectivity
D Physical presence

A

Best practices for key management include all of the following, except:

A Maintain key security
B Pass keys out of band
C Ensure multifactor authentication
D Have key recovery processes

C

The goals of DLP solution implementation include all of the following, except:

A Data discovery
B Data Loss Mitigation
C Policy enforcement
D Elasticity

D

What are the U.S. State Department controls on technology exports known as?

A EAR
B EAL
C DRM
D ITAR

D – International Traffic in Arms Regulations

Cryptographic keys for encrypted data stored in the cloud should be ______________.

A Not stored with the cloud provider
B At least 128 bits long
C Generated with redundancy
D Split into groups

A

DLP solutions can aid in deterring loss due to which of the following?

A Natural disaster
B Inadvertent disclosure
C Randomization
D Device failure

B

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except:

A Obfuscation
B Masking
C Anonymization
D Data discovery

D

What are the U.S. Commerce Department controls on technology exports known as?

A EAL
B DRM
C ITAR
D EAR

D – Export Administration Regulations

When crafting plans and policies for data archiving, we should consider all of the following, except:

A The format of the data
B Immediacy of the technology
C Archive location
D The backup process

B

DLP solutions can aid in deterring loss due to which of the following?

A Power failure
B Malicious disclosure
C Performance issues
D Bad policy

B

What are third-party providers of IAM functions for the cloud environment?

A SIEMs
B AESs
C DLPs
D CASBs

D

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Mandatory vacation
B Separation of duties
C Least privilege
D Conflict of interest

D

A poorly negotiated cloud service contract could result in all the following detrimental effects except:

A Unfavorable terms
B Lack of necessary services
C Vendor lock-in
D Malware

D

Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except:

A The cloud provider’s resellers
B The cloud provider’s utilities
C The cloud provider’s vendors
D The cloud provider’s suppliers

A

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Broad contractual protections to ensure the provider is ensuring an extreme level of trust in its own personnel

B Scalability

C DLP solutions

D Financial penalties for the cloud provider in the event of negligence or malice on the part of its own personnel

B

Benefits for addressing BC/DR offered by cloud operations include all of the following except:

A Distributed, remote processing, and storage of data
B Fast replication
C Regular backups offered by cloud providers
D Metered service

D

Because of multitenancy, specific risks in the public cloud that don’t exist in the other cloud service models include all the following except:

A DoS/DDoS
B Escalation of privilege
C Risk of loss/disclosure due to legal seizures
D Information bleed

A

All of the following methods can be used to attenuate the harm caused by escalation of privilege except:

A Extensive access control and authentication tools and techniques

B The use of automated analysis tools such as SIM, SIEM, and SEM solutions

C Periodic and effective use of cryptographic sanitization tools

D Analysis and review of all log data by trained, skilled personnel on a frequent basis

C

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Masking and obfuscation of data for all personnel without need to know for raw data

B Redundant ISPs

C Active electronic surveillance and monitoring

D Active physical surveillance and monitoring

B

All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except:

A Use DRM and DLP solutions widely throughout the cloud operation

B Avoid proprietary data formats

C Ensure favorable contract terms to support portability

D Ensure there are no physical limitations to moving

A

Which of the following is a technique used to attenuate risks to the cloud environment, resulting in loss or theft of a device used for remote access?

A Dual control
B Muddling
C Safe harbor
D Remote kill switch

D

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Extensive and comprehensive training programs, including initial, recurring, and refresher sessions

B Aggressive background checks

C Hardened perimeter devices

D Skills and knowledge testing

C

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is:

A Many states have data breach notification laws.
B Breaches can cause the loss of proprietary data.
C Breaches can cause the loss of intellectual property.
D Legal liability can’t be transferred to the cloud provider.

D

The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement?

A Community cloud
B SaaS
C PaaS
D IaaS

D

Which hypervisor malicious attackers would prefer to attack?

A Type 1
B Type 4
C Type 3
D Type 2

D

After a cloud migration, the BIA should be updated to include a review of the new risks and impacts associated with cloud operations; this review should include an analysis of the possibility of vendor lock-in/lock-out. Analysis of this risk may not have to be performed as a new effort, because a lot of the material that would be included is already available from which of the following?

A Open source providers
B The cost-benefit analysis the organization conducted when deciding on cloud migration
C The cloud provider
D NIST

B

Countermeasures for protecting cloud operations against external attackers include all of the following except:

A Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines

B Detailed and extensive background checks

C Continual monitoring for anomalous activity

D Regular and detailed configuration/change management activities

B

Because PaaS implementations are so often used for software development, what is one of the vulnerabilities that should always be kept in mind?

A DoS/DDoS
B Malware
C Loss/theft of portable devices
D Backdoors

D

The various models generally available for cloud BC/DR activities include all of the following except:

A Cloud provider, backup from another cloud provider
B Cloud provider, backup from private provider
C Private architecture, cloud backup
D Cloud provider, backup from same provider

B

The cloud customer’s trust in the cloud provider can be enhanced by all of the following except:

A Audits
B SLAs
C Real-time video surveillance
D Shared administration

C

A honeypot should contain _________ data.

A Sensitive
B Useless
C Production
D Raw

B

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?

A Security control matrix
B HIPAA
C Statutes
D The contract

D

User access to the cloud environment can be administered in all of the following ways except:

A Customer directly administers access
B Third party provides administration on behalf of the customer
C Provider provides administration on behalf of the customer
D Customer provides administration on behalf of the provider

D

Hardening the operating system refers to all of the following except:

A Closing unused ports
B Removing antimalware agents
C Limiting administrator access
D Removing unnecessary services and libraries

B

Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer’s trust in the provider?

A Site visit access
B Backend administrative access
C Audit and performance log data
D SOC 2 Type 2

C

In all cloud models, security controls are driven by which of the following?

A Business requirements
B Virtualization engine
C Hypervisor
D SLAs

A

What is the cloud service model in which the customer is responsible for administration of the OS?

A IaaS
B QaaS
C SaaS
D PaaS

A

Which kind of SSAE report comes with a seal of approval from a certified auditor?

A SOC 2
B SOC 3
C SOC 4
D SOC 1

B

As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphia, Congress passed legislation known as:

A GLBA
B SOX
C HIPAA
D FERPA

B

In all cloud models, the customer will be given access and ability to modify which of the following?

A Security controls
B User permissions
C OS
D Data

D

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?

A SOC 2 Type 2
B SOC 1 Type 1
C SOC 3
D SOC 1 Type 2

C

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except:

A DLP solution results
B Security control administration
C Access to audit logs and performance data
D SIM, SIEM, and SEM logs

B

A firewall can use all of the following techniques for controlling traffic except:

A Behavior analysis
B Rule sets
C Randomization
D Content filtering

C

Which kind of SSAE audit reviews controls dealing with the organization’s controls for assuring the confidentiality, integrity, and availability of data?

A SOC 3
B SOC 4
C SOC 1
D SOC 2

D

Why will cloud providers be unlikely to allow physical access to their datacenters?

A They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access.

B They want to enhance security by keeping information about physical layout and controls confidential.

C Most datacenters are inhospitable to human life, so minimizing physical access also minimizes safety concerns.

D They want to minimize traffic in those areas, to maximize efficiency of operational personnel.

B

Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?

A Database management software
B Open source software
C Secure software
D Proprietary software

B

In all cloud models, the _________ will retain ultimate liability and responsibility for any data loss or disclosure.

A State
B Customer
C Vendor
D Administrator

B

Which kind of SSAE audit report is most beneficial for a cloud customer, even though it’s unlikely the cloud provider will share it?

A SOC 1 Type 1
B SOC 3
C SOC 1 Type 2
D SOC 2 Type 2

D

Vulnerability assessments cannot detect which of the following?

A Zero-day exploits
B Defined vulnerabilities
C Malware
D Programming flaws

A

Which of the following is not a component of the of the STRIDE model?

A Repudiation
B Spoofing
C External pen testing
D Information disclosure

C

Which of the following best describes data masking?

A A method where the last few numbers in a dataset are not obscured. These are often used for authentication.

B A method for creating similar but inauthentic datasets used for software testing and user training.

C A method used to protect prying eyes from data such as social security numbers and credit card data.

D Data masking involves stripping out all similar digits in a string of numbers so as to obscure the original number.

B
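The answer above defines data masking as producing a similar but inauthentic dataset for testing and training. The block below is an added example, not code from the original study guide, that masks a constructed customer table so the result keeps the shape validators expect (SSN pattern, e-mail domains) and keeps duplicates consistent, while being irreversible without the masking key. The records, the key and the function names (`mask_rows`, `mask_ssn`, `mask_email`, `mask_name`) are assumptions for the demo; unlike the tokenization example earlier, nothing here is meant to be mapped back.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Added example (not from the original study guide): deterministic masking that
# produces a similar but inauthentic dataset for test and training systems.
# The records below are constructed, not real people.
PRODUCTION_ROWS: List[Dict[str, str]] = [
    {"id": "1", "name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789"},
    {"id": "2", "name": "Bob Sample", "email": "bob@example.org", "ssn": "987-65-4321"},
    {"id": "3", "name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789"},
]

# Hypothetical key: it stays with the masking job and is never shipped to the
# test environment, so masked values cannot be mapped back to real ones there.
MASKING_KEY = b"masking-job-secret-key"

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _digits(value: str, count: int) -> str:
    """HMAC the real value and turn the tag into digits. The same input always
    gives the same output, so duplicates and joins survive masking, but the
    output cannot be reversed without the key."""
    tag = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in tag[:count])


def mask_ssn(ssn: str) -> str:
    """Keep the NNN-NN-NNNN shape so format validators still pass; replace every digit."""
    d = _digits(ssn, 9)
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def mask_email(email: str) -> str:
    """Replace the local part; keep the domain so routing and allow-list code behaves."""
    local, domain = email.split("@", 1)
    return f"user{_digits(local, 6)}@{domain}"


def mask_name(name: str) -> str:
    first, _, last = name.partition(" ")
    return f"Test{_digits(first, 4)} Person{_digits(last, 4)}"


def mask_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mask every sensitive column; the id column is left as the join key."""
    return [
        {
            "id": r["id"],
            "name": mask_name(r["name"]),
            "email": mask_email(r["email"]),
            "ssn": mask_ssn(r["ssn"]),
        }
        for r in rows
    ]
```

Because the masking is keyed and deterministic, a test database built from several production tables still joins correctly, and a second run produces the same masked values, which is what makes the dataset usable for regression testing.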

Database activity monitoring (DAM) can be:

A Used in the place of encryption
B Used in place of data masking
C Host-based or network-based
D Server-based or client-based

C

SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP?

A Works over numerous protocols
B Standards-based
C Reliant on XML
D Extremely fast

D

Dynamic application security testing (DAST) is best described as which of the following?

A Masking

B Test performed on an application or software product while being consumed by cloud customers

C Test performed on an application or software product while it is being executed in memory in an operating system

D Test performed on an application or software product while it is using real data in production

C

Which of the following best describes SAML?

A A standard for exchanging usernames and passwords across devices

B A standard for exchanging authentication and authorization data between security domains

C A standard for developing secure application management logistics

D A standard used for directory synchronization

B

Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like:

A Syn floods
B Password cracking
C XSS and SQL injection
D Ransomware

C
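The answer above names SQL injection as one of the attacks a WAF is meant to catch. The block below is an added example, not code from the original study guide: the vulnerable login query beside the parameterized fix, plus a signature check of the kind a WAF applies, to make the point that the WAF is a compensating control and the parameterized query is the actual fix. The table, the accounts, the payload and the function names (`login_vulnerable`, `login_safe`, `waf_flags`) are constructed for the demo.

```python
import re
import sqlite3

# Added example (not from the original study guide): the injection a WAF tries
# to catch, next to the fix the application itself must make. Constructed sample
# table; passwords are stored in clear only to keep the demo short (never do
# this in production: hash them).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT);
INSERT INTO users VALUES ('alice', 's3cret', 'user');
INSERT INTO users VALUES ('admin', 'correct horse battery', 'admin');
""")


def login_vulnerable(username: str, password: str):
    """Builds SQL by string concatenation: user input becomes part of the query."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With username "admin' --" the rest of the WHERE clause is commented out.
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(username: str, password: str):
    """Parameterized query: input is bound as data and can never alter the SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# A WAF-style signature: a tripwire for obvious SQL metacharacters and keywords.
# It is a compensating control in front of the app, not a replacement for
# login_safe(); attackers routinely find encodings a signature misses.
SQLI_SIGNATURE = re.compile(
    r"(--|;|/\*|\bor\b\s+\S+\s*=\s*\S+|\bunion\b)", re.IGNORECASE
)


def waf_flags(value: str) -> bool:
    """True when the request value matches the injection signature."""
    return SQLI_SIGNATURE.search(value) is not None
```

Run with the payload `admin' --` and an arbitrary password: the concatenated query returns the admin role without the password, the parameterized query returns nothing, and the signature flags the request. The WAF buys time for the code fix; it does not make the first function safe.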

The application normative framework is best described as which of the following?

A A superset of the ONF
B The complete ONF
C A stand-alone framework for storing security practices for the ONF
D A subset of the ONF

D

In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?

A A contracted third party/the various member organizations of the federation

B Each member organization/each member organization

C Each member organization/a trusted third party

D The users of the various organizations within the federation/a CASB

A

Which of the following best describes the purpose and scope of ISO/IEC 27034-1?

A Provides an overview of network and infrastructure security designed to secure cloud applications

B Serves as a newer replacement for NIST 800-53 r4

C Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security

D Describes international privacy standards for cloud computing

C

Which of the following best describes the Organizational Normative Framework (ONF)?

A A set of application security, and best practices, catalogued and leveraged by the organization

B A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization

C A container for components of an application’s security, best practices, catalogued and leveraged by the organization

D A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization

B

Which of the following best describes SAST?

A A set of technologies that analyze application bit code, and binaries for coding and design problems that would indicate a security problem or vulnerability

B A set of technologies that analyze application source code, and bit code for coding and design problems that would indicate a security problem or vulnerability

C A set of technologies that analyze application source code for coding and design problems that would indicate a security problem or vulnerability

D A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability

D

Which of the following is not one of the SDLC phases?

A Design
B Test
C Define
D Reject

D

Sandboxing provides which of the following?

A A testing environment that prevents isolated code from running in a nonproduction environment.

B A test environment that isolates untrusted code changes for testing in a production environment.

C A test environment that isolates untrusted code changes for testing in a nonproduction environment.

D A testing environment where new and experimental code can be tested in a nonproduction environment.

C

Which of the following best describes a sandbox?

A An isolated space where untested code and experimentation can safely occur separate from the production environment

B An isolated space where transactions are protected from malicious software

C A space where you can safely execute malicious code to see what it does

D An isolated space where untested code and experimentation can safely occur within the production environment

A

Which of the following best represents the definition of REST?

A Built on protocol standards
B Lightweight and scalable
C Relies heavily on XML
D Only supports XML output

B

Which of the following best describes data masking?

A Data masking is used in place of production data.
B Data masking is used in place of encryption for better performance.
C Data masking is used to hide PII.
D Data masking is used to create a similar, inauthentic dataset used for training and software testing.

D

APIs are defined as which of the following?

A A set of routines and tools for building software applications to access web-based software applications

B A set of protocols and tools for building software applications to access a web-based software application or tool

C A set of standards for building software applications to access a web-based software application or tool

D A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool

D

Identity and access management (IAM) is a security discipline that ensures which of the following?

A That the right individual gets access to the right resources at the right time for the right reasons

B That all users are properly authorized

C That unauthorized users will get access to the right resources at the right time for the right reasons

D That all users are properly authenticated

A

Which of the following techniques for ensuring cloud datacenter storage resiliency uses encrypted chunks of data?

A RAID
B Data dispersion
C SAN
D Cloud-bursting

B

The Brewer-Nash security model is also known as which of the following?

A The Chinese Wall model
B MAC
C RBAC
D Preventive measures

A

Security training should not be:

A Documented
B Boring
C A means to foster a non-adversarial relationship between the security office and operations personnel
D Internal

B

Which of the following aids in the ability to demonstrate due diligence efforts?

A Bollards
B Security training documentation
C HVAC placement
D Redundant power lines

B

What should be the primary focus of datacenter redundancy and contingency planning?

A Power and HVAC
B Critical path/operations
C Health and human safety
D Infrastructure supporting the production environment

C

Which of the following is not an aspect of physical security that ought to be considered in the planning and design of a cloud datacenter facility?

A Vehicular approach/traffic
B Perimeter
C Elevation of dropped ceilings
D Fire suppression

C

Which of the following is not part of the STRIDE model?

A Spoofing
B Tampering
C Resiliency
D Information disclosure

C

Which of the following is not one of the three types of training?

A Initial
B Recurring
C Refresher
D Integral

D

Which of the following has not been attributed as the cause of lost capabilities due to DoS?

A Changing regulatory motif
B Squirrels
C Hackers
D Construction equipment

A

What is the lowest tier of datacenter redundancy, according to the Uptime Institute?

A V
B 1
C 4
D C

B

Which of the following techniques for ensuring cloud datacenter storage resiliency uses parity bits and disk striping?

A Cloud-bursting
B RAID
C Data dispersion
D SAN

B

What is the amount of fuel that should be on hand to power generators for backup datacenter power, in all tiers, according to the Uptime Institute?

A As much as needed to ensure all systems may be gracefully shut down and data securely stored
B 1
C 1,000 gallons
D 12 hours

D

Which of the following is part of the STRIDE model?

A Redundancy
B Resiliency
C Rijndael
D Repudiation

D

What type of redundancy can we expect to find in a datacenter of any tier?

A Full power capabilities
B All operational components
C All infrastructure
D Emergency egress

D

Which of the following is not a feature of SAST?

A Highly skilled, often expensive outside consultants
B “White-box” testing
C Team-building efforts
D Source code review

C

What is often a major challenge to getting both redundant power and communications utility connections?

A Expense
B Location of many datacenters
C Personnel deployment
D Carrying medium

B

Which kind of hypervisor would malicious actors prefer to attack, ostensibly because it offers a greater attack surface?

A Cat IV
B Converged
C Bare metal
D Type II

D

Which of the following is not a feature of a secure KVM component?

A Keystroke logging
B Sealed exterior case
C Welded chipsets
D Push-button selectors

A

Which of the following is not a feature of DAST?

A Testing in runtime
B User teams performing executable testing
C “Black-box” testing
D Binary inspection

D

Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations?

A Metered usage
B Cross-training
C Raised floors
D Proper placement of HVAC temperature measurements tools

B

The baseline should cover which of the following?

A All regulatory compliance requirements
B A process for version control
C Data breach alerting and reporting
D As many systems throughout the organization as possible

D

Which tool can reduce confusion and misunderstanding during a BC/DR response?

A Checklist
B Call tree
C Flashlight
D Controls matrix

A

In addition to battery backup, a UPS can offer which capability?

A Confidentiality
B Communication redundancy
C Line conditioning
D Breach alert

C

Which characteristic of liquid propane increases its desirability as a fuel for backup generators?

A Does not spoil
B Flavor
C Burn rate
D Price

A

Which form of BC/DR testing has the most impact on operations?

A Full test
B Dry run
C Tabletop
D Structured test

A

Which characteristic of automated patching makes it attractive?

A Cost
B Capability to recognize problems quickly
C Noise reduction
D Speed

D

How often should the CMB meet?

A Every week
B Often enough to address organizational needs and attenuate frustration with delay
C Whenever regulations dictate
D Annually

B

The CMB should include representations from all of the following offices except:

A Regulators
B Management
C Security office
D IT department

A

Deviations from the baseline should be investigated and ________.

A Revealed
B Encouraged
C Documented
D Enforced

C

Maintenance mode requires all of these actions except:

A Remove all active production instances
B Initiate enhanced security controls
C Prevent new logins
D Ensure logging continues

B

For performance purposes, OS monitoring should include all of the following except:

A Print spooling
B Disk space
C Disk I/O usage
D CPU usage

A

Which form of BC/DR testing has the least impact on operations?

A Full test
B Dry run
C Tabletop
D Structured test

C

Adhering to ASHRAE standards for humidity can reduce the possibility of ________.

A Static discharge
B Breach
C Inversion
D Theft

A

What is one of the reasons a baseline might be changed?

A Natural disaster
B Numerous change requests
C Power fluctuation
D To reduce redundancy

B

The BC/DR kit should include all of the following except:

A Hard drives
B Documentation equipment
C Flashlight
D Annotated asset inventory

A

A generator transfer switch should bring backup power online within what time frame?

A 10 seconds
B Before the recovery point objective is reached
C Before the UPS duration is exceeded
D Three days

C

When deciding whether to apply specific updates, it is best to follow ________, in order to demonstrate due care.

A Internal policy
B Competitors’ actions
C Regulations
D Vendor guidance

D

Generator fuel storage for a cloud datacenter should last for how long, at a minimum?

A 12 hours
B Indefinitely
C Three days
D 10 minutes

A

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following?

A Strict adherence to applicable regulations
B Joint operating agreements
C Generators
D UPS

B

A UPS should have enough power to last how long?

A One day
B Long enough for graceful shutdown
C 12 hours
D 10 minutes

B

Which of the following laws resulted from a lack of independence in audit practices?

A SOX
B ISO 27064
C HIPAA
D GLBA

A

What is a key component of GLBA?

A The information security program
B The right to audit
C The right to be forgotten
D EU Data Directives

A

GAAPs are created and maintained by which organization?

A PCI Council
B AICPA
C ISO
D ISO/IEC

B

The right to be forgotten refers to which of the following?

A The right to have all of a data owner’s data erased
B Erasing criminal history
C The right to no longer pay taxes
D Masking

A

Which statute addresses security and privacy matters in the financial industry?

A GLBA
B FERPA
C SOX
D HIPAA

A

Which of the following reports is most aligned with financial control audits?

A SOC 1
B SOC 2
C SOC 3
D SSAE 16

A

Gap analysis is performed for what reason?

A To assure proper accounting practices are being used
B To provide assurances to cloud customers
C To begin the benchmarking process
D To ensure all controls are in place and working properly

C

Which of the following is the primary purpose of an SOC 3 report?

A Seal of approval
B Absolute assurances
C Compliance with PCI/DSS
D HIPAA compliance

A

Which of the following SOC report subtypes spans a period of time?

A SOC 3
B SOC 1
C Type II
D SOC 2

C

Which of the following is the best advantage of external audits?

A Independence
B Oversight
C Cheaper
D Better results

A

Which of the following is not associated with HIPAA controls?

A Financial controls
B Physical controls
C Technical controls
D Administrative controls

A

Which of the following applies to the Stored Communications Act (SCA)?

A It’s in bad need of updating.
B It’s old.
C All of these
D It’s unclear with regard to current technologies.

C

The right to audit should be a part of what documents?

A PLA
B SLA
C Masking
D All cloud providers

B

Legal controls refer to which of the following?

A ISO 27001
B NIST 800-53r4
C Controls designed to comply with laws and regulations related to the cloud environment
D PCI DSS

C

SOX was enacted because of which of the following?

A All of these
B Poor financial controls
C Lack of independent audits
D Poor BOD oversight

A

Which of the following is the best example of a key component of regulated PII?

A Items that should be implemented
B PCI DSS
C Audit rights of subcontractors
D Mandatory breach reporting

D

Which of the following SOC report subtypes represents a point in time?

A Type I
B Type II
C SOC 3
D SOC 2

A

Which of the following is not a component of contractual PII?

A Scope of processing
B Value of data
C Location of data
D Use of subcontractors

B

Which of the following terms is not associated with cloud forensics?

A Analysis
B Plausibility
C Chain of custody
D eDiscovery

B

Which of the following reports is no longer used?

A SOC 3
B SOC 1
C SSAE 16
D SAS 70

D

Which of the following is the least challenging with regard to eDiscovery in the cloud?

A Complexities of international law
B Decentralization of data storage
C Forensic analysis
D Identifying roles such as data owner, controller, and processor

C

Which of the following is not associated with security?

A Integrity
B Availability
C Confidentiality
D Quality

D

What does the doctrine of the proper law refer to?

A The proper handling of eDiscovery materials
B The determination of what law will apply to a case
C The law that is applied after the first law is applied
D How jurisdictional disputes are settled

D

Which of the following is not an example of a highly regulated environment?

A Financial services
B Healthcare
C Public companies
D Wholesale or distribution

D

The Restatement (Second) Conflict of Law refers to which of the following?

A When judges restate the law in an opinion
B The basis for deciding which laws are most appropriate in a situation where conflicting laws exist
C Whether local or federal laws apply in a situation
D How jurisdictional disputes are settled

B

Which of the following components is part of what a CCSP should review when looking at contracting with a cloud service provider?

A Redundant uplink grafts
B The physical layout of the datacenter
C Background checks for the provider’s personnel
D Use of subcontractors

D

Which of the following is a valid risk management metric?

A SLA
B KRI
C KPI
D SOC

B

Which of the following is not an example of an essential internal stakeholder?

A IT director
B CFO
C HR director
D IT analyst

D

Which of the following is not a way to manage risk?

A Mitigating
B Enveloping
C Transferring
D Accepting

B

Which of the following is not a risk management framework?

A Key risk indicators (KRI)
B European Union Agency for Network and Information Security (ENISA)
C NIST SP 800-37
D ISO 31000:2009

A

Which is the lowest level of the CSA STAR program?

A Self-assessment
B Continuous monitoring
C Attestation
D Hybridization

A

Which of the following best defines risk?

A Threat coupled with a vulnerability
B Threat coupled with a breach
C Vulnerability coupled with an attack
D Threat coupled with a threat actor

A

Which of the following is not appropriate to include in an SLA?

A Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status

B The number of user accounts allowed during a specified period

C The time allowed to migrate from normal operations to contingency operations

D The amount of data allowed to be transmitted and received between the cloud provider and customer

A

What is the Cloud Security Alliance Cloud Controls Matrix (CCM)?

A An inventory of cloud service security controls that are arranged into separate security domains

B A set of software development life cycle requirements for cloud service providers

C A set of regulatory requirements for cloud service providers

D An inventory of cloud services security controls that are arranged into a hierarchy of security domains

A

Which of the following is not one of the types of controls?

A Transitional
B Physical
C Technical
D Administrative

A

The CSA STAR program consists of three levels. Which of the following is not one of those levels?

A SOC 2 audit certification
B Continuous monitoring based certification
C Self-assessment
D Third-party assessment-based certification

A

Which of the following is not a part of the ENISA Top 8 Security Risks of cloud computing?

A Availability
B Vendor lock-in
C Isolation failure
D Insecure or incomplete data deletion

A

Which ISO standard refers to addressing security risks in a supply chain?

A ISO 31000:2009
B ISO 27001
C ISO/IEC 28000:2007
D ISO 18799

C

Which of the following is a risk management option that halts a business function?

A Acceptance
B Transference
C Avoidance
D Mitigation

C

Which of the following frameworks focuses specifically on design implementation and management?

A NIST 800-92
B ISO 31000:2009
C HIPAA
D ISO 27017

B

Which of the following frameworks identifies the top 8 security risks based on likelihood and impact?

A NIST 800-53
B COBIT
C ENISA
D ISO 27000

C

Which of the following is not a risk management framework?

A ISO 31000:2009
B Hex GBL
C COBIT
D NIST SP 800-37

B

A data custodian is responsible for which of the following?

A Data context
B Data content
C Logging access and alerts
D The safe custody, transport, storage of the data, and implementation of business rules

D

Which of the following best describes a cloud carrier?

A The person or entity responsible for transporting data across the Internet

B A person or entity responsible for making a cloud service available to consumers

C The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers

D The person or entity responsible for keeping cloud services running for customers

C

Which of the following methods of addressing risk is most associated with insurance?

A Transference
B Avoidance
C Acceptance
D Mitigation

A

For which of the following cloud environments is the client-side key management approach used?

A XaaS
B DaaS
C PaaS
D SaaS

D

Who among the following acts as a middleman between CSPs and their customers, helping customers find the best provider?

A Cloud service auditor
B Cloud computing reseller
C Cloud services brokerage
D Cloud backup service provider

C

Which of the following protocols provides cryptographic encryption for data in transit?

A SSL (Secure Socket Layer)
B DNS (Domain Name System)
C HTTP (HyperText Transfer Protocol)
D MIME (Multipurpose Internet Mail Extension)

A

In a cloud environment, who ensures that various storage types and mechanisms meet and conform to the relevant SLAs?

A Cloud data architect
B Cloud administrator
C Cloud storage administrator
D Cloud operator

A

Which of the following cloud storage types allows users to share and sync data stored on a mobile device?

A Public
B Private
C Personal
D Mobile

C

What is the goal of business continuity management?

A To recover elements of the business following a disaster

B To assure the business operation continuity in the event of a disruption

C To ensure that the business recovers essential operations in the event of a disaster

D To quickly establish affected areas of the business after a disaster

B

What is the process of allocating the cloud provider’s services and applications to customers for their use?

A Cloud migration
B Cloud enablement
C Cloud provisioning
D Cloud portability

C

Which section of the CSA (Cloud Security Alliance) provides the ability to quantifiably measure return on investment (ROI) for the efficient use of resources?

A TOGAF (The Open Group Architecture Framework)
B ITIL (Information Technology Infrastructure Library)
C Jericho
D SABSA (Sherwood Applied Business Security Architecture)

A

Which cloud deployment model enables cloud bursting, which allows its users to utilize public cloud resources when the workload of the private cloud reaches maximum capacity?

A Public
B Private
C Community
D Hybrid

D

Which expenditure has minimized an organization’s requirement to purchase systems and resources?

A Revenue
B Deferred revenue
C Operational
D Capital

C

Who among the following is responsible for organizing the design and deployment of an application in the cloud environment?

A Cloud service manager
B Cloud developer
C Cloud operator
D Cloud architect

D

Which of the following quality assurance tests signifies the highest level of evaluation?

A Formally verified design and tested
B Methodically tested and checked
C Functionally tested
D Methodically designed, tested, and reviewed

A

Which of the following is a part of the building blocks of a cloud computing system?

A CPU
B OS
C Applications
D ROM

A

Which cloud service allows its customers to deploy applications created using the tools supported by the provider onto the cloud infrastructure?

A SaaS
B XaaS
C IaaS
D PaaS

D

Which of the following security standards focuses on the protection of information assets and addresses the relevant risks by looking to the ISMS (Information Security Management System)?

A SOC 1/SOC 2/SOC 3
B ISO/IEC 27001:2013
C ISO/IEC 27002:2013
D ISO/IEC 27017:2015

B

Which of the following open web application security threats occurs when suspicious data in an application is sent to the web browser without proper validation?

A Security Misconfiguration
B Cross-Site Request Forgery
C Injection
D Cross-Site Scripting

D

Which of the following is a Type 1 hypervisor?

A Virtual Box
B Citrix XenServer
C VMware Workstation
D VMware Fusion

B

Which phase forms the security foundation for IAM (Identity and Access Management) within the cloud environment?

A Privileged user management
B Authentication and access management
C Provisioning and deprovisioning
D Centralized directory services

B

Which of the following threats occurs due to the loss of relevant encryption keys?

A Insider
B Service traffic hijacking
C Data loss
D Data breach

C

How many phases are there in the data lifecycle?

A 7
B 4
C 5
D 6

D

To which of the following phases of the data lifecycle is the process function mapped?

A Archive
B Create
C Destroy
D Store

B

Which of the following methods is used for implementing volume storage encryption in an IaaS environment?

A Application-level encryption
B Proxy-based encryption
C File-level encryption
D Transparent encryption

B

Which technology allows a user to operate on encrypted data without the need to decrypt it?

A Data Anonymization
B Bit Splitting
C Secret Sharing Made Short
D Homomorphic Encryption

D

What responsibility does a customer hold in the SaaS cloud service?

A Determining data for processing
B Determining instruments of processing
C Controlling functions of tools
D Controlling operations of management

A

Which data protection technique involves scrambling the information in such a way that it remains unintelligible, even if the source code is obtained?

A Tokenization
B Obfuscation
C Anonymization
D Encryption

B

In which phase of the data lifecycle does data leave the active-use phase and enter long-term storage?

A Share
B Archive
C Destroy
D Store

B

Where should the DLP (Data Leakage Prevention) engine be installed in a DIU (Data in use) topology of the data lifecycle?

A On the file server
B On the gateway
C On a user’s workstation and endpoint devices
D On the application server

C

In which of the following encryption techniques does the encryption engine run on a secure machine that handles all the cryptographic actions?

A Instance-based
B Proxy-based
C File-level
D Application-level

B

Which of the following capabilities of an IRM (Information Rights Management) solution confirms content delivery and offers proof of compliance with an organization’s information security policy?

A Automatic expiration
B Dynamic policy control
C Persistent protection
D Continuous audit trail

D

Portable storage is vulnerable to which threat?

A Accidental loss
B Cross-site scripting
C Distributed denial-of-service
D Denial-of-service

A

Which of the following logs is used for event investigation and documentation in a SaaS environment?

A DNS server
B Virtual machine manager
C API access
D Webserver

D

Which process is conducted to ensure that policies are understood in the context of the risks introduced into an organization?

A Risk retention
B Risk avoidance
C Risk mitigation
D Risk analysis

D

Which technique helps to analyze the data itself in the content analysis method?

A Using data masking
B Using tokenization technique
C Using hashing technique
D Using indexed sequential access method

C

Which of the following types of storage do cloud infrastructure services use?

A Structured
B Unstructured
C Content and file
D Volume

D

What is the function of a controller?

A To perform operations upon personal data
B To perform data protection
C To determine the ways of processing personal data
D To replace sensitive data with unique symbols

C

Which data-protection policy moves data that is no longer used to a separate storage device for long-term maintenance?

A Data-retention
B Data classification
C Data-archiving
D Data-deletion

C

What is the process of intentional, permanent destruction of the data keys called?

A Sanitization
B Encryption
C Crypto-shredding
D Degaussing

C

Which of the following statements is true of key management?

A Uses key management interoperability protocol to generate keys
B Includes generation of random number of keys
C Manages keys within an encryption engine
D Used in file-level encryption

B

What type of storage is used for swapping storage files?

A Raw
B Ephemeral
C Long-term
D Object

B

Which of the following input entities of data classification is required to follow a specific incident management process, activating measures to limit the damage to the data concerned?

A Data retention constraints
B Scope and purpose of the processing
C Data breach constraints
D Categories of users allowed

C

What is used to separate the physical architecture of an organization when the security controls applied by the virtualization components seem to be weak?

A Honeypot
B Demilitarized zone
C Intrusion detection system
D Intrusion prevention system

B

Which virtualization risk occurs when an OS on a VM breaks out to access the hypervisor?

A Provider lock-in
B Provider exit
C Sprawl
D Guest breakout

D

Who among the following has the privilege to access the management plane to remotely manage the hosts in a cloud environment?

A Server operator
B Power user
C Administrator
D Local user

C

Which of the following is a compute parameter of a cloud server?

A Number of hypervisors
B Amount of ROM
C Number of hosts
D Number of CPU

D

Which network functionality controls the amount of traffic sent or received as well as the number of API requests within a specified period?

A Bandwidth allocation
B Rate limiting
C Access control
D Filtering

B

What type of BCDR (Business Continuity and Disaster Recovery) strategy involves the selection of an additional deployment zone and recreation of the processing capacity in a different location?

A Data Replication
B Functionality Replication
C File Replication
D Database Replication

B

Who among the following provides cloud service connectivity and transport between the CSPs and the cloud service consumers?

A CSB
B Cloud carrier
C Cloud developer
D Cloud operator

B

Which of the following represents the amount of information that can be recovered and restored in the event of a disaster?

A RTA (Recovery Time Actual)
B RCO (Recovery Consistency Objective)
C RTO (Recovery Time Objective)
D RPO (Recovery Point Objective)

D

Which of the following security responsibilities is shared between an organization and its CSP in an IaaS cloud environment?

A Infrastructure Security
B Data Security
C Application Security
D Platform Security

A

In which cloud environment scenario does the business continuity strategy restore service by failing over to another part of the same CSP infrastructure?

A Cloud service consumer, alternative provider BCDR
B Cloud service consumer, primary provider BCDR
C On-premises, cloud as BCDR
D Cloud user, alternative BCDR cloud provider

B

Which technology makes the network control programmable and dynamically adjusts the flow of traffic when the pattern of network consumption changes?

A Application-defined networking
B Network function virtualization
C Hardware-defined networking
D Software-defined networking

D

What is the purpose of using the Cloud Security Alliance cloud controls matrix?

A To assure that adequate risk controls exist
B To allow cooperation between CSPs and their customers
C To perform capacity planning activities
D To carry out session statistics usage information

B

In which of the following tests of the recovery plan are workers mobilized to an alternate site to perform the actual recovery process?

A Functional drill/parallel test
B Full-interruption/full-scale test
C Tabletop exercise/structured walk-through test
D Walk-through drill/simulation test

A

Which of the following is the software that manages the requests of multiple guest machines to access the resources of the host machine?

A Hypervisor
B VMware
C Hyper-V
D XenServer

A

In which type of cloud-specific risk can a malicious user affect the entire cloud infrastructure?

A Guest breakout
B Law enforcement
C Loss of governance
D Management plane breach

D

For what purpose is a compensating control used in a cloud environment?

A Providing extensive background checks and screening of initial controls
B Allowing update of initial components without failure
C Making initial controls resistant against any type of failure
D Creating an additional layer of monitoring the initial control

D

Which standard protocol is used in the public cloud environment for managing identification of various agents and devices?

A OAuth
B Kerberos
C RADIUS
D LDAP

A

What is the function of the BIA (Business Impact Analysis)?

A To identify procedures to minimize the RTO
B To measure the amount of computing power needed to recover the system
C To determine the business recovery strategy by calculating the RTO and RPO
D To evaluate the effects of business failover

C

Which of the following technologies is used to ensure secure API (Application Programming Interface) access?

A Virtual private network
B Message-level crypto-access
C Data loss prevention
D ID.AM (Identity—Asset Management)

B

Which of the following is a type of multifactor authentication (MFA)?

A One-time password
B Fingerprint
C ID card
D Password

A

In which of the following threats does an illicit denial of an event occur?

A Denial of service
B Insiders
C Repudiation
D Insufficient due diligence

C

Which of the following activities takes place in the secure operations phase of the software development lifecycle?

A Static analysis
B Dynamic analysis
C Code review
D Acceptance testing

B

Which of the following encryption options establishes an encrypted link between a web server and a browser and ensures privacy and integrity of data on that link?

A Secure socket shell
B Secure socket layer
C Virtual private network
D IPsec gateway

B

What kind of relationship exists between the organizational and application normative frameworks?

A Many-to-many
B One-to-one
C One-to-many
D Many-to-one

C

What is the main objective of applying cryptography to the data in a cloud?

A To ensure confidentiality
B To ensure secure authentication
C To manage authorization
D To maintain integrity

A

Which of the following processes involves migration of an application with minimal code changes?

A Sandboxing
B Data Masking
C Forklifting
D Tokenization

C

Which of the following processes seeks to exploit the vulnerabilities of a system by collecting the information related to system exposures?

A Dynamic application security testing
B Penetration testing
C Vulnerability scanning
D Vulnerability assessment

B

Which of the following testing methods is referred to as white-box testing and is used to find coding errors?

A DAST (Dynamic application security testing)
B RASP (Runtime application self-protection)
C Penetration testing
D SAST (Static application security testing)

D

Which of the following vulnerabilities exploits a user’s browser to generate unauthorized commands?

A Cross-site request forgery
B Cross-site scripting
C Sensitive data exposure
D Unvalidated redirects and forwards

A

Which of the following is an example of application virtualization?

A Oracle VirtualBox
B Parallels Workstation
C VMware Workstation
D Microsoft App-V

D

Which of the following supplemental security devices implements the DLP (data loss prevention) security control?

A XML gateways
B API gateway
C Web application firewall
D Database activity monitoring

A

Which process verifies untested and untrusted code in a controlled cloud environment?

A Application virtualization
B Sandboxing
C Data masking
D Supply chain management

B

Which of the following cloud-specific risks occurs when various applications are pushed to a cloud environment without a complete understanding of the CSP environment?

A Insufficient due diligence
B Insecure APIs
C Shared technology issues
D Abuse of cloud services

A

Who holds the identity of all the users and generates tokens for known users?

A Identity repository
B Federated identity provider
C Federated SSO (Single Sign-On)
D Identity management

B

Which of the following data formats does SOAP (Simple object access protocol) support?

A JSON (JavaScript Object Notation)
B YAML (Yet Another Multicolumn Layout)
C HTML (Hypertext Markup Language)
D XML (eXtensible Markup Language)

D

Which of the following federation standards is an XML-based framework that allows the authentication, entitlement, and attribute information of users to be communicated in a cloud?

A OpenID Connect
B SAML (Security Assertion Markup Language)
C OAuth
D WS-Federation

B

Which phase does an application enter after it has been implemented, according to the principles of the software development life cycle?

A Testing
B Secure operations
C Disposal
D Defining

B

What is the purpose of using the Puppet configuration management system?

A To address the security of data while the data crosses the network

B To poll for latest state and policy of the network

C To plan the quality-assurance requirements and identify the risks related to the system

D To define the state of the IT infrastructure and then automatically enforce the correct state

D

What is the process of adding validation support to a zone, without changing the basic mechanism of a DNS query, using DNSSEC?

A Zone signing
B DNS management
C Patch management
D Zone refining

A

Which of the following is tier IV for data center design according to “Data Center Site Infrastructure Tier Standard: Topology”?

A Concurrently maintainable site infrastructure
B Redundant site infrastructure capacity components
C Basic data center site infrastructure
D Fault-tolerant site infrastructure

D

In which phase of the digital forensics process is the collected data forensically processed using a combination of manual and automated methods?

A Acquisition
B Examination
C Analysis
D Reporting

B

Which of the following practices for secure server configuration uses RBAC (Role-Based Access Control) to limit user access to a host?

A Host lockdown
B Host patching
C Host hardening
D Host mapping

A

Which agreement is negotiated between internal business units within an organization?

A Service-level
B Operational-level
C Underpinning contract
D Business-level

B

Which of the following services is accessible within the SaaS cloud service model?

A Virtualization
B Networking
C Middleware
D Access control

D

In which of the following is customer access blocked and alerting disabled?

A Hosted VM
B Maintenance mode
C Public cloud
D Hybrid cloud

B

What is the function of a secure kernel-based virtual machine?

A Monitors transmission between the server and computer
B Prevents data loss between the server and computer
C Provides complete data center protection
D Provides support to the virtual networking layer

B

Which of the following protocols uses X.509 certificates to authenticate a connection and exchange symmetric keys over a network?

A DNS
B Kerberos
C TLS
D TCP

C

What is used to dynamically allocate the cloud resources to maximize their use?

A Cloud OS
B Cloud controller
C Virtual host
D Hypervisor

B

Which of the following management processes identifies, analyzes, and corrects hazards to prevent their future occurrence?

A Problem Management
B Incident Management
C Continuity Management
D Change Management

B

How is the redundancy in virtual switches achieved in a VLAN network?

A Using port forwarding
B Using port channeling
C Using kernel-based virtual machine
D Increasing network traffic

B

Which assessment is carried out when an organization lacks sufficient data to support the risk assessment, so that estimates are used to express risk?

A Security assessment
B Vulnerability assessment
C Quantitative risk assessments
D Qualitative risk assessments

D

What should private and public CSPs do to get isolated from other tenants?

A Configure server and all the network devices.
B Enable all application environments, customer data, and communication.
C Enable virtual switches and storage controllers.
D Configure kernel-based virtual machine.

B

Which technique safeguards the system against newly discovered vulnerabilities and can also add functionality?

A Risk management
B Configuration management
C Patch management
D Change management

C

Which of the following protocols provides authentication for client/server applications using secret-key cryptography?

A Challenge handshake authentication protocol
B Internet key exchange
C Secure remote password
D Kerberos

D

Which of the following does a virtualization vendor use to allow host clusters to scale and manage computing resources without service disruption?

A Resource scheduling
B Resource optimization
C Resource sharing
D Distributed resource scheduling

D

Which of the following operations management processes protects the integrity of the live environment and ensures the correct components are released to customers?

A Information security management
B Problem management
C Availability management
D Release and deployment management

D

Which of the following threats is a form of cache poisoning in which forged data is placed in the cache of the name server?

A Data modification
B Footprinting
C Redirection
D Spoofing

D

Which of the following actions is required to establish and maintain log management in an organization?

A Define log requirements and goals of an organization
B Define volume of log data to be processed
C Define security requirements for log management
D Monitor the operations in standard log management process

A

What type of security control alerts the administrator about the suspicious activities by monitoring the inbound and outbound packets from devices?

A Host-based software firewall
B Host intrusion detection system
C Intrusion prevention system
D Network intrusion detection system

B

When a partnership is terminated, which policy should be clearly documented and communicated so that the partner's access to cloud-based resources can be ended effectively and efficiently?

A On-boarding
B Checkout
C Termination
D Off-boarding

D

Which intelligence agency’s website was attacked by LulzSec on June 15, 2011?

A FBI
B CIA
C NSA
D CBI

B

Who among the following is responsible for supervision, secure data storage, transport, and implementation of business rules?

A Data stewards
B Data controller
C Data processor
D Data custodians

D

Which act protects the general public and the shareholders from accounting errors and illegal practices in the enterprise?

A SOX
B HIPAA
C GLBA
D SCA

A

What are the five key principles of ISO/IEC 27018?

A Independent and yearly audit, collection, control, transparency, and quality

B Consent, control, transparency, communication, and independent and yearly audit

C Quality, collection, transparency, communication, and disclosure to third parties

D Management, quality, communication, choice and consent, and access

B

Which level of CSA STAR requires the release of results of security-properties monitoring, based on the CTP (Cloud Trust Protocol)?

A Level 3
B Level 4
C Level 1
D Level 2

A

Which process aims to identify the relevant risks that may affect the AIC (availability, integrity, and confidentiality) of key information assets?

A Gap analysis
B Patch management
C Risk analysis
D Change management

A

Which of the following metrics gives the time required to finish an initiated or requested task?

A Mean-time to switchover
B Completion time
C Response time
D Instance startup time

B

Which phase of audit planning ensures that internal operational and business changes have been captured as part of the audit plan?

A Defining audit objective
B Refining the audit process
C Conducting audit
D Defining audit scope

D

Which of the following areas of law provides relief to a victim of another party's wrongful act and seeks to restore compromised or diminished legal rights?

A State
B Privacy
C Criminal
D Tort

D

Which framework provides guidance for cloud vendors and assists the cloud customers to assess the overall security risk of a CSP?

A CSA STAR
B CSA CCM
C ISO 28000:2007
D Common Criteria

B

Which program addresses the finding that the U.S. does not have a regulatory framework in place that provides sufficient protection for personal data transferred from the EEA (European Economic Area)?

A HIPAA
B GLBA
C Directive 95/46 EC
D Safe Harbor

D

Which approach deals with reducing the probability of a risk occurring?

A Risk Mitigation
B Risk management probability
C Risk Avoidance
D Risk analysis

A

Which of the following determines which law applies in the event of conflicting laws in different states?

A Restatement (second) conflict of law
B International law
C Criminal law
D The doctrine of the proper law

A

What is defined as information used to distinguish or trace the identity of an individual?

A e-Discovery
B IAM (identity and access management)
C IRM (information rights management)
D PII (personally identifiable information)

D

What should a CCSP do to ensure proper auditing of VMs and hypervisors?

A Understand configuration management architecture
B Verify system updates according to organizational policy
C Verify hypervisor configuration according to remote access policy
D Verify hypervisor configuration according to organizational policy

D

Which organization focuses on the need to protect privacy in the use of personal data, using a practical, risk-management-based approach?

A General Data Protection Regulation
B Asia-Pacific Economic Cooperation
C Organization for Economic Cooperation and Development
D EU data protection directive

C

Which type of audit report requires details of the tests performed by the service auditor and is conducted according to SSAE 16 (Statement on Standards for Attestation Engagements)?

SOC 1 & SOC 2

Who among the following is responsible for validating that all relevant laws and statutes pertaining to an investigation are documented before the investigation starts?

A CSP
B CSB
C Cloud consumer
D CCSP

D

______________________ meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it. This is where the term utility computing comes from, since computing resources can now be consumed like water and electricity, with the client only paying for what they use.

Measured service

The key difference between cloud and traditional computing is the_________________, which includes the management plane components, which are network-enabled and remotely accessible. Another key difference is you tend to double up on each layer.

metastructure

In some cases, it may be necessary to obtain prior permission of the local Data Protection Commissioner before transferring data in or out of the country.

A True
B False

A

According to the GDPR, breaches must be reported within 72 hours of the company becoming aware of the incident.

A True
B False

A

___________ are the logs, documentation, and other materials needed for audits and compliance; they are the evidence to support compliance activities.

Artifacts

Ensuring the use of data and information complies with organizational policies, standards, and strategy — including regulatory, contractual, and business objectives.

information/data governance

___________ abstracts the running of code (including operating systems) from the underlying hardware and most commonly refers to virtual machines.

Compute virtualization
