Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

ag-Certified Cloud Security Professional (CCSP) > Chapter 7 Practice Exam 1 (Ben Malisow) > Flashcards

Chapter 7 Practice Exam 1 (Ben Malisow) Flashcards

(125 cards)

Start Studying
1
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all 
the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. What is the term for this kind of arrangement?

A. Public-key infrastructure (PKI)
B. Portability
C. Federation
D. Repudiation

A

C. Federation

Explanation:
This is the definition of federation.
PKI is used to establish trust between parties across an untrusted medium, portability is the characteristic describing the likelihood if being able to move data away from one cloud provider to another and repudiation is when a party to a transaction can deny having taken part in that transaction

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all 
the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. You want to connect your organization to 13 other organizations. You consider using the cross-certification model but then decide against it. What is the most likely reason for declining that option?

A. It is impossible to trust more than two organizations.
B. If you work for the government, the maximum parties allowed to share data is five.
C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.
D. Data shared among that many entities loses its inherent value.

A

C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.

Explanation:
In the cross-certification model, every participating organization has to review and approve every other organization; this does not scale well, and once the number of organizations gets fairly substantial, it becomes unwieldy

Option A is incorrect because it is possible to trust more than two organizations

Option B is not true.
There is no law/rule that limits the government to sharing data to five or less parties

Option D is incorrect.
Sharing data does not automatically affect the value of the data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all 
the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. In order to pass the user IDs and authenticating credentials of each user among the organizations, what protocol, language, or technique will you most likely utilize?

A. Representational State Transfer (REST)
B. Security Assertion Markup Language (SAML)
C. Simple Object Access Protocol (SOAP)
D. Hypertext Markup Language (HTML)

A

B. Security Assertion Markup Language (SAML)

Explanation:
SAML 2.0 is currently the standard used to pass security assertions across the Internet.
REST and SOAP are ways of presenting data and executing operations on the Internet, and HTML is a way of displaying web pages

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all 
the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you don’t use cross-certification, what other model can you implement for this purpose?

A. Third-party identity broker
B. Cloud reseller
C. Intractable nuanced variance
D. Mandatory access control (MAC)

A

A. Third-party identity broker

Explanation:
A third party identity broker can serve the purpose of checking and approving all participants to the federation so that the participants dont have to perform that task.
A cloud reseller is an entity that sells cloud services without maintaining its own data center.
Option C is gibberish
MAC is used to define access relations betweens subjects and objects

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all 
the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you are in the United States, one of the standards you should adhere to is _______________.

A. National Institute of Standards and Technology (NIST) 800-53
B. Payment Card Industry (PCI)
C. ISO 27014
D. European Union Agency for Network and Information Security (ENISA)

A

A. National Institute of Standards and Technology (NIST) 800-53

Explanation:
NIST Special Publication 800-53 pertains to US federal information systems, guiding the selection of controls according to the Risk Management Framework
PCI is a contractual standard for commercial entities that take credit card payments, not applicable to the government.
ENISA publishes a European standard, which is also not applicable to the United States
ISO is not required for government systems in the US

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all 
the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you are in Canada, one of the standards you will have to adhere to is _______________.

A. FIPS 140-2
B. PIPEDA
C. HIPAA
D. EFTA

A

B. PIPEDA

Explanation:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing protection of personal information.
The Federal Information Processing Standard (FIPS) 140-2 standard certifies cryptologic components for use by American federal government entities
The Health Information Portability and Accountability Act (HIPAA) is an American law regulating patient information for medical providers.
The European Free Trade Association (EFTA) is not a standard; it is a group of European countries.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which of the following benefits will the CSA CCM offer your organization?

A. Simplifying regulatory compliance
B. Collecting multiple data streams from your log files
C. Ensuring that the baseline configuration is applied to all systems
D. Enforcing contract terms between your organization and the cloud provider

A

A. Simplifying regulatory compliance

Explanation:
The CSA CCM will aid you in selecting and implementing appropriate controls for various regulatory frameworks.
The CCM does not aid in collecting log files; that is the function of a security information and event management (SIEM), search engine marketing (SEM), or security information management (SIM) tool.
The CCM will not help ensure that the baseline is applied to systems; automated configuration tools are available for that purpose (Although this might be interpreted as desirable; the CCM will help you select appropriate controls for your baseline, but it wont check to see if those are applied)
Contract terms are not enforced by the CCM; the service-level agreement (SLA) should be the mechanism for that task.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.
Which of the following regulatory frameworks is not covered by the CCM?

A. ISACA’s Control Objectives for Information and Related Technologies (COBIT)
B. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) privacy law
C. The ALL-TRUST framework from the environmental industry
D. The U.S. Federal Risk and Authorization Management Program (FedRAMP)

A

C. The ALL-TRUST framework from the environmental industry

Explanation:
Option C is a nonsense term made up as a distractor.
All the other frameworks are addressed in the CCM.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which tool, also available from the CSA, can be used in conjunction with the CCM to aid you in selecting and applying the proper controls to meet your organization’s regulatory needs?

A. The Consensus Assessments Initiative Questionnaire (CAIQ)
B. The Open Web Application Security Project (OWASP) Top Ten
C. The Critical Security Controls (CSC) list
D., National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2

A

A. The Consensus Assessments Initiative Questionnaire (CAIQ)

Explanation:
The CAIQ is a self-administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls.
The OWASP Top Ten is used to indicate trends in poor design of web applications.
The CSC may be a useful tool for choosing and implementing appropriate controls, but it comes from the Center for Internet Security (CIS), not the CSA.
The FIPS 140-2 lists only approved cryptographic tools and is published by NIST.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. What is probably the best benefit offered by the CCM?

A. The low cost of the tool
B. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort
C. Simplicity of control selection from the list of approved choices
D. Ease of implementation by choosing controls from the list of qualified vendors

A

B. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort

Explanation:
The CCM allows you to note where specific controls (some of which you might already have in place) will address requirements listed in multiple regulatory and contractual standards, laws and guides.
Option A is a misnomer because the CCM is free of charge.
Options C and D are incorrect because the CCM does not list either specific controls or vendors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective is set up in such a way that the members own various pieces of the network themselves, pool resources and data, and communicate and share files via the Internet. This is an example of what cloud model?

A. Hydrogenous
B. Private
C. Public
D. Community

A

D. Community

Explanation:
This is a community cloud, because various parties own different elements of it for a common purpose.
A private cloud would typically be owned by a single entity, hosted at a cloud provider data center.
A public cloud would be open to anyone and everyone
Hydrogenous is a word that does not have relevant meaning in this context.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective wants to create a single sign-on experience for all members of the collective, where assurance and trust in the various members are created by having each member review all the others’ policies, governance, procedures, and controls before allowing them to participate. This is an example of what kind of arrangement?

A. Security Assertion Markup Language (SAML)
B. Cross-certification federation
C. Third-party certification federation
D. JavaScript Object Notation (JSON)

A

B. Cross-certification federation

Explanation:
The cross-certification model of federated identity requires all participants to review and confirm all the others.
SAML is the format most used for identity assertions in a federated environment.
JSON is a communications format for exchanging objects online

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective exchanges music files in two forms: images of written sheet music and electronic copies of recordings. Both of these are protected by what intellectual property legal construct?

A. Trademark
B. Copyright
C. Patent
D. Trade Secret

A

B. Copyright

Explanation:
A copyright protects expressions of ideas, usually creative expression
Music, whether written or recorded, falls into this category.
Trademarks are for data that is associated with a bran of a company.
Patents are usually for processes or inventions.
Trade secrets are business elements kept from public disclosure - music would not usually fit into this category as its value is derived from its distribution in the marketplace

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the participants in the collective using a third-party certification model, who would be the federated service provider(s) in that structure?

A. The third party
B. A cloud access security broker (CASB)
C. The various members of the collective
D. The cloud provider

A

C. The various members of the collective

Explanation:
In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers.
In a third-party certification model, the third party is the identity provider; this is often a CASB.
The cloud provider is neither a federated identity provider nor a federated service provider, unless the cloud provider is specifically chosen as the third party providing this function; in this question, option C is more general and requires no assumptions, so it is the correct choice

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. You are fairly certain the complaint is not applicable and that the material in question does not belong to anyone else. What should you do in order to comply with the law?

A. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded.
B. Leave the material up, do an investigation, and post the results of the investigation alongside the material itself once the investigation is complete.
C. Ignore the complaint.
D. Leave the material up until such time as the complainant delivers an enforceable governmental request, such as a warrant or subpoena.

A

A. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded.

Explanation:
This is the correct process, according to the law.
The rest are not proper procedures for complying with the law and are therefore incorrect and inadvisable

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. Upon investigation, you determine that the material in question is the sheet music for a concerto written in 1872. What should you do in order to comply with the law?

A. Contact the current owners of the copyright in order to get proper permissions to host and exchange the data.
B. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit.
C. Apply for a new copyright based on the new usage of the material.
D. Offer to pay the complainant for the usage of the material.

A

B. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit.

Explanation:
Copyrights expire after a certain duration and then fall into the public domain, where they can be used by anyone for any purpose.
This material certainly exceeds the time of any copyright protection.
All other options are invalid.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Bob is designing a data center to support his organization, a financial services firm. What Uptime Institute tier rating should Bob try to attain in order to meet his company’s needs without adding extraneous costs?

A. 1
B.2
C. 3
D. 4

A

C. 3

Explanation:
Tier 3 should probably suffice for Bobs purposes, providing sufficient redundancy and resiliency.
Tier 4 probably offers more than what Bob needs; it will cost considerably more than a Tier 3 implementation and is most likely only necessary for organizations providing health and human services (hospitals and trauma centers, for instance)
Tiers 1 and Tiers 2 are probably not sufficient and might only be considered for non-constant situations, such as archiving and backup

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Bob is designing a data center to support his organization, a financial services firm. Bob’s data center will have to be approved by regulators using a framework under which law?

A. Health Industry Portability and Accountability Act (HIPPA)
B. Payment Card Industry (PCI)
C. Gramm–Leach–Bliley Act (GLBA)
D. Sarbanes–Oxley Act (SOX)

A

C. Gramm–Leach–Bliley Act (GLBA)

Explanation:
GLBA mandates requirements for securing personal account information in the financial and insurance industries; Bobs company provides financial services, so he will definitely need to comply with GLBA.
If Bobs company is publicly traded, he may have to comply with SOX, but we do not know enough about Bobs company from the question to choose that answer.
HIPAA is a requirement for only medical providers and their business associates.
PCI is not law.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Bob is designing a data center to support his organization, a financial services firm. Which of the following actions would best enhance Bob’s efforts to create redundancy and resiliency in the data center?

A. Ensure that all entrances are secured with biometric-based locks.
B. Purchase uninterruptible power supplies (UPSs) from different vendors.
C. Include financial background checks in all personnel reviews for administrators.
d. Make sure all raised floors have at least 24 inches of clearance.

A

B. Purchase uninterruptible power supplies (UPSs) from different vendors.

Explanation:
Using different vendors for multiple systems of the same type adds not only redundancy but also resiliency; if one product has an inherent manufacturing flaw, the other should not, if it comes from a different producer.
The other suggestions are all suitable but do not offer redundancy or resiliency.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Bob is designing a data center to support his organization, a financial services firm. How long should the uninterruptible power supply (UPS) provide power to the systems in the data center?

A. 12 hours
B. An hour
C. 10 minutes
D. Long enough to perform graceful shutdown of the data center systems

A

D. Long enough to perform graceful shutdown of the data center systems

Explanation:
Traditionally, it would be optimum if the UPS lasted as long as necessary until the generator is able to resume providing electrical load that was previously handled by utility power.
However, the absolutely baseline for battery power is just long enough for all systems to complete their transactions without losing data

The other options are incorrect, because they use finite, specific durations; there is no single value that is optimum for all organizations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a _______________.

A. Functional requirement
B. Nonfunctional requirement
C. Regulatory issue
D. Third-party function

A

B. Nonfunctional requirement

Explanation:
It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering; you are delivering entertainment, which is the primary goal; security is therefore a nonfunctional requirement

If you were creating security products, security would be a functional requirement; games are not security products.
A game with security flaws is still a game and fulfills the purpose.
Option A is therefore incorrect (although hotly debated among IT security personnel - remember, the game can exist without a security department, but the security department couldn’t exist without games.
Thus far, regulations have not imposed particular security conditions on delivered products by statute
This does not obviate all liability from shipping defective products, of course; the need for due care and due diligence remains.
However, this is a much lower threshold than direct statutory guidance, which exists in fields other than software development (to date)
Option C is incorrect

Outsourcing may or may not be used when performing software security reviews; there is not enough information in the question to determine which method your company uses, so option D is too specific for the vague data provided.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of _______________.

A. Static testing
B. Dynamic testing
C. Code review
D. Open source review

A

B. Dynamic testing

Explanation:
Testing the product in a runtime context is dynamic testing
Because this is being done in runtime, it is neither code review nor static testing; options A and C are incorrect

Using a small pool of specified individuals is not truly open source, which would involve releasing the game to the public.

Option D is incorrect.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. To optimize this situation, the test will need to involve _______________.

A. Management oversight
B. A database administrator
C. A trained moderator
D. Members of the security team

A

C. A trained moderator

Explanation:
The moderator will serve to guide the experience in an objective, dispassionate manner, without influencing the test, as well as help document the outcomes

Having managers in attendance would present a form of unnecessary micromanagement; option A is wrong

There is no need for a database administrator (DBA) to be involved in the test; option B is wrong

The security team should use the data gathered from the test, but they do not need to be present for the testing; option D is incorrect

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Of the parties listed, who should most be excluded from the test?

A. Management
B. Security personnel
C. Billing department representatives
D. The game developers

A

D. The game developers

Explanation:
It is absolutely essential that the developers are not present during the actual testing as they are likely to influence the test unduly, purposefully or otherwise

The other parties do not need to participate in the testing process but are not as undesirable as the developers; all the other options are incorrect

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. It is absolutely crucial to include _______________ as part of this process. A. Managerial oversight B. Signed nondisclosure agreements C. Health benefits D. The programming team
B. Signed nondisclosure agreements Explanation: Having the test participants provide signed nondisclosure agreements is an absolutely essential part of this process; they will be exposed to proprietary material and need to be held accountable for any disclosures they might mike. Managerial oversight is not at all necessary at this level of development and would actually be a form of micromanagement; option A is incorrect Health benefits are in no way appropriate for temporary, unpaid testers; option C is only a distractor Programmers should be prevented from participating in testing as they have inherent bias and may unfuly influence the results
26
You are the IT security manager for a video game software development company. Which of the following is most likely to be your primary concern on a daily basis? A. Health and human safety B. Security flaws in your products C. Security flaws in your organization d. Regulatory compliance
C. Security flaws in your organization Explanation: The most grave concern to your company is the loss of proprietary information 0 that is, your games, which are your property and means of profit Security flaws in your organization could lead to a total loss of your property, which could end your business This is one of the very few questions where health and human safety is not the correct answer to a security issue; there just isnt much danger involved in either producing or consuming video games (aside from dated, anecdotal reports of seizures resulting from flashing images, which lacked scientific substantiation) Though this will be something you must consider (such as workplace violence issues), it will not be a daily activity Security flaws in your products will most likely not be critical or of grave impact; people who hack your game after shipping may be able to include additional functionality or violate some elements of copy protection, but this is not as threatening as pre-release exposure of the material Current laws do not dictate much in the way of either content or functionality for software (other than very specific industries, such as health care or financial services
27
You are the IT security manager for a video game software development company. Which type of intellectual property protection will your company likely rely upon for legally enforcing your rights? A. Trademark B. Patent C. Copyright D. Trade secret
C. Copyright Explanation: Software is protected by copyright All the other options are forms of intellectual property protections but not applicable to software for the most part (trademarked names and characters may be important, but not as important as the copyright)
28
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Results gathered from this activity are _______________. A. Useless B. Harmful C. Desirable D. Illegal
C. Desirable Explanation: This is a very pragmatic and helpful means of gathering inputs that are unpredictable and difficult to simulate and that mimic conditions under which the software will operate All the other options are incorrect
29
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Trying to replicate this phenomenon in a testbed environment with internal testing mechanisms is called _______________. A. Source code review B. Deep testing C. Fuzz testing D. White-box testing
C. Fuzz testing Explanation: Fuzz testing is the term used to describe the use of known bad or randomized inputs to determine what unintended results may occur Source code review, just like it sounds, is a review of the actual program code; option A is incorrect Deep testing is a made-up term; option B is incorrect White box testing is a term used to describe a form of code review; option D is incorrect
30
You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following methods could be used to determine if your ownership rights were violated? A. Physical surveillance of their property and personnel B. Communications tapping of their offices C. Code signing D. Subverting insiders
C. Code signing Explanation: Digitally signing software code is an excellent method for determining original ownership and has proven effective in major intellectual property rights disputes All the other options represent solutions that not only lack efficacy but are also often illegal
31
You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following legal methods are you likely able to exercise to defend your rights? A. Criminal prosecution B. Public hearings C. Civil court D. Arrest and detention
C. Civil court Explanation: Enforcement of copyright is usually a tortious civil action, as a conflict between private parties Only crimes involve arrest, detention and prosecution; most copyright cases such as this would not be tried as a crime, and the government would not be involved (other than in the form of the judge/court) Options A and D are incorrect Public hearings are not used t gain restitution for harmful acts; option B is incorrect
32
You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You suggest that a(n) _______________ service model will best meet this requirement. A. IaaS B. PaaS C. SaaS D. TaaS
B. PaaS Explanation: A platform as a service (PaaS) environment will likely provide the best option for testing the game; the provider will offer various OS platforms for the game to run on, giving your company the opportunity to reach as many customers (using various platforms) as possible, raising your potential for market penetration Although infrastructure as a service (IaaS) is not a terrible option and would give your team additional control of the entire test, it would also require the team to duplicate many platforms and OSs, requiring a much greater level of effort and additional expertise at what would likely be a much greater cost Option B is preferable to option A A software as a service (SaaS) model will not allow your team to install and run the game; option C is incorrect
33
You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You remind them that it is absolutely crucial that they perform _______________ before including any sample player or billing data. A. Vulnerability scans B. Intrusion detection C. Masking D. Malware scans
C. Masking Explanation: To attenuate the risks of inadvertent disclosure inherent in untested software, it is essential to obfuscate any raw production data (such as potential personally identifiable information (PII) before including it in any test environment The other options represent activity that is obviously beneficial but secondary to the importance of masking production data. Think of it this way: even if there is a vulnerability, breach, or malware in the test environment, if raw data is included something of value is lost; if dummy or masked data is the only content included, nothing of value is lost.
34
Which of the following is not an essential element defining cloud computing? A. Broad network access B. Metered service C. Off-site storage D. On-demand self-service
C. Off-site storage Explanation: Off-site storage is not intrinsic to the definition of cloud computing; all the other options are.
35
Which of the following is not an essential element defining cloud computing? A. Rapid elasticity B. Pooled resources C. On-demand self-service D. Immediate customer support
D. Immediate customer support Explanation: Immediate customer support may be an option offered by some cloud providers, but it is not a defining characteristic of the industry. All the other options are.
36
In what cloud computing service model is the customer responsible for installing and maintaining the operating system? A. IaaS B. PaaS C. SaaS D. QaaS
A. IaaS Explanation: In the infrastructure as a service (IaaS) model, the customer is responsible for everything up from the hardware layer In platform as a service (PaaS) and software as a service (SaaS), this will be performed by the provider; options B and C are incorrect QaaS is an invented term and not meaningful; option D is wrong
37
Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contract) for ending the contract at any point prior to the scheduled date. This is best described as an example of _______________. A. Favorable contract terms B. Strong negotiation C. Infrastructure as a service (IaaS) D. Vendor lock-in
D. Vendor lock-in Explanation: Vendor lock-in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer. These contract terms can be described as favorable only from the providers perspective; option D is preferable to option A for describing this situation There was no description of negotiation included in the question; option B is incorrect IaaS is a service model and doesnt really apply to anything in this context; option C is incorrect
38
There are two general types of smoke detectors. Which type uses a small portion of radioactive material? A. Photoelectric B. Ionization C. Electron pulse D. Integral field
B. Ionization Explanation: Ionization detectors usually use a small amount of americium in the detection chamber Photoelectric detectors use a light source instead. Option A is incorrect Options C and D are incorrect because they are meaningless in this context
39
You are the privacy data officer for a large hospital and trauma center. You are called on to give your opinion of the hospital’s plans to migrate all IT functions to a cloud service. Which of the following Uptime Institute tier-level ratings would you insist be included for any data center offered by potential providers? A. 1 B. 2 C. 3 D. 4
D. 4 Explanation: Because the nature of a life-support effort requires absolute availability, nothing less than a Tier 4 data center will serve your purposes. All the other options are incorrect
40
What is the most important factor when considering the lowest temperature setting within a data center? A. System performance B. Health and human safety C. Risk of fire D. Regulatory issues
B. Health and human safety Explanation: Bare skin sticks to cold metal Most modern systems dont suffer performance degradation at the lower ends of the temperature spectrum; its the higher temperatures that are of concern for that aspect of the data center. Option B is preferable to Option A Similarly, high temperature invokes a greater risk of fire, not low temperature, and this environment aspect is perhaps the factor least impacting risk of fire anyway. Option C is incorrect Any regulatory issues stemming from a workplace that is too cold correlates directly with risks to health and human safety, so option B is still preferable to Option D.
41
Storage controllers will typically be involved with each of the following storage protocols except _______________. A. Internet Small Computer Systems Interface (iSCSI) B. RAID C. Fibre Channel D. Fibre Channel over Ethernet
B. RAID Explanation: This question might be susceptible to overthinking because it is simplistically straightforward: RAID is not a protocol - its a configuration mechanism All the other options are storage protocols that will involve storage controllers
42
When you’re using a storage protocol that involves a storage controller, it is very important that the controller be configured in accordance with _______________. A. Internal guidance B. Industry standards C. Vendor guidance D. Regulatory dictates
C. Vendor guidance Explanation: While it is important to follow internal policy, industry standards and regulations when they are applicable, vendor guidance will most often offer the most detailed, specific settings for the particular product in question; the other forms of guidance do not usually specify individual products/versions. This does not mean using the default configuration; the vendor will continue to publish suggestions and recommendations for optimizing performance and security of the product after it goes into distribution in order to meet evolving needs and threats
43
What is the importance of adhering to vendor guidance in configuration settings? A. Conforming with federal law B. Demonstrating due diligence C. Staying one step ahead of aggressors D. Maintaining customer satisfactionj
C. Staying one step ahead of aggressors Explanation: Applying vendor configurations is an excellent method for demonstrating due diligence in IT security efforts. Always remember that proper documentation of the action is also necessary Federal law rarely dictates application of vendor guidance, or any other specific security method for individual platforms; option A is incorrect Aggressors will almost always be on the offensive and adapt attack methodology faster than our industry creates defenses; even vendor guidance is usually repetitive. Option C is incorrect. Customers rarely have any idea of (or reason to know) configuration settings; option D is incorrect
44
Which of the following is a true statement about the virtualization management toolset? A. It can be regarded as something public facing. B. It must be on a distinct, isolated management network (virtual local area network [VLAN]). C. It connects physically to the specific storage area allocated to a given customer. D. The responsibility for securely installing and updating it falls on the customer.
B. It must be on a distinct, isolated management network (virtual local area network [VLAN]). Explanation: All management functions should take place on a highly secure, isolated network. The toolset may be available via remote access but is not in any way to be considered public facing; option A is incorrect. Resource pooling contradicts direct connections to any particular storage mechanism; option C is incorrect. Usually virtualization management will be a responsibility of the provider because it is a crucial element for all customers; option D is incorrect
45
In order to ensure proper _______________ in a secure cloud network environment, consider the use of Domain Name System Security Extensions (DNSSEC), Internet Protocol Security (IPSec), and Transport Layer Security (TLS). A. Isolation B. Motif C. Multitenancy D. Signal modulation
A. Isolation Explanation: Isolation in the cloud is imperative, largely because of multitenancy (not to support it, as option C implies) In order to do this, the use of technologies like those listed in the question is warranted Options B and D have no meaning in this context and are therefore incorrect.
46
Domain Name System Security Extensions (DNSSEC) provides all of the following except _______________. A. Payload encryption B. Origin authority C. Data integrity D. Authenticated denial of existence
A. Payload encryption Explanation: DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer (the other options) This does not include payload encryption - confidentiality is not an aspect of DNSSEC
47
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________. A. Updating the OS baseline image according to a scheduled interval to include any necessary security patches and configuration modifications B. Starting with a clean installation (hardware or virtual) of the desired OS C. Including only the default account credentials and nothing customized D. Halting or removing all unnecessary services
C. Including only the default account credentials and nothing customized Explanation: Default credentials are the bane of security, everywhere. This is definitely the correct answer because it should not be part of the baseline build. All the other options are actual baselining functions.
48
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________. A. Removing all nonessential programs from the baseline image B. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems C. Including the baseline image in the asset inventory and configuration management database D. Configuring the host OS according to the baseline requirements
B. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems Explanation: Baseline systems need current partches/configuration updates in order to be used to replicate production systems All the other options are actual baselining functions
49
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline, except _______________. A. Auditing the baseline to ensure that all configuration items have been included and applied correctly B. Imposing the baseline throughout the environment C. Capturing an image of the baseline system for future reference, versioning, and rollback purposes D. Documenting all baseline configuration elements and versioning data
B. Imposing the baseline throughout the environment Explanation: Beforer applying the baseline to the environment, it is important to determine if there are any offices/systems that will require exceptions; not all baselines meet all business needs. All the other options are actual baselining functions
50
You are the IT director for a small contracting firm. Your company is considering migrating to a cloud production environment. Which service model would best fit your needs if you wanted an option that reduced the chance of vendor lock-in but also did not require the highest degree of administration by your own personnel? A. IaaS B. PaaS C. SaaS D. TanstaafL
B. PaaS Explanation: With a platform as a service (PaaS), the cloud provider will administer both the hardware and the OS, but you will be in charge of managing t he applications and data. There is less likelihood of vendor lock-in with PaaS than software as a service (SaaS), because your data will not be put into any proprietary format (option B is preferable to option C) With infrastructure as a service (IaaS), your company will still retain a great deal of the administrative responsibility, so PaaS is a better option; option B is preferable to A Option D has no applicability in this context and is incorrect.
51
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration and will return to operating fully on-premises after the period of increased activity. This is an example of _______________. A. Cloud framing B. Cloud enhancement C. Cloud fragility D. Cloud bursting
D. Cloud bursting Explanation: Cloud bursting is the industry term usually associated with this type of practice All the other options are not terms with any particular meaning in this context
52
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which facet of cloud computing is most important for making this possible? A. Broad network access B. Rapid elasticity C. Metered service D. Resource pooling
B. Rapid elasticity Explanation: While all aspects of cloud computing are necessary to provide a true cloud service, this type of business flexibility is possible because of rapid (close to instant) elasticity, the means to scale your usage up and down as needed All the other options are facets of cloud computing but are not as pertinent to the question
53
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which deployment model best describes this type of arrangement? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
D. Hybrid cloud Explanation: This is an excellent description of the hybrid model, where the customer owns elements of the infrastructure (the on-premises traditional environment) and the cloud provider owns other elements (the cloud environment used for the temporary additional demand) All the other options are cloud deployment models but do not suit this particular case
54
You are the security manager for a research and development firm. Your company does contract work for a number of highly sensitive industries, including aerospace and pharmaceuticals. Your company’s senior management is considering cloud migration and wants an option that is highly secure but still offers some of the flexibility and reduced overhead of the cloud. Which of the following deployment models do you recommend? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
A. Private cloud Explanation: A private cloud is the best option for work in highly regulated industries or industries that involve sensitive assets The other options simple are not preferable as option A for this question
55
You are the IT director for a small engineering services company. During the last year, one of your managing partners left the firm, and you lost several large customers, creating a cash flow problem. The remaining partners are looking to use a cloud environment as a means of drastically and quickly cutting costs, migrating away from the expense of operating an internal network. Which cloud deployment model would you suggest to best meet their needs? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
C. Public cloud Explanation: A public cloud will be the easiest, least expensive option and probably offer the simplest transition The other options are not as preferable as C for this question
56
You run an online club for antique piano enthusiasts. In order to better share photo files and other data online, you want to establish a cloud-based environment where all your members can connect their own devices and files to each other, at their discretion. You do not want to centralize payment for such services as Internet service provider (ISP) connectivity, and you want to leave that up to the members. Which cloud deployment model would best suit your needs? A. Private cloud B. Community cloud C. Public cloud D. Hybrid Cloud
B. Community cloud Explanation: This is an optimum situation for the use of a community cloud model The other options are not as preferable as B for this question
57
Full isolation of user activity, processes, and virtual network segments in a cloud environment is incredibly important because of risks due to _______________. A. Distributed denial of service (DDoS) B. Unencrypted packets C. Multitenancy D. Insider threat
C. Multitenancy Explanation: The fact that many various customers (including some that may be competitive with, or even hostile to, each other) will be utilizing the cloud environment concurrently means that isolating each is of the utmost importance in the cloud environment DDoS is an availability threat, not something to do with confidentiality, so isolation does not serve much purpose in reducing it. Option A is incorrect
58
You are the security manager for a small European appliance rental company. The senior management of your company is considering cloud migration for the production environment, which handles marketing, billing, and logistics. Which cloud deployment model should you be most likely to recommend? A. Private cloud B. Community cloud C. Public Cloud D. Hybrid Cloud
A. Private cloud Explanation: Because of European personal data privacy laws, it is extremely important for your company to be sure that the data does not leave the borders of a country approved to handle such data. A private cloud model is the best means for your company to be sure that the data is processed in a data center residing in a particular geophysical location The other options simply are not as preferable as A for this question
59
You are the security manager for a data analysis company. Your senior management is considering a cloud migration in order to use the greater capabilities of a cloud provider to perform calculations and computations. Your company wants to ensure that neither the contractual nor the technical setup of the cloud service will affect your data sets in any way so that you are not locked in to a single provider. Which of the following criteria will probably be most crucial for your choice of cloud providers? A. Portability B. Interoperability C. Resiliency D. Governance
A. Portability Explanation: Portability is the term used to describe the ease with which a customer can move from one cloud provider to another; the higher the portability, the less chance for vendor lock-in Interoperability describes how systems work together (or dont); because the question did not mention the use of your own companys system, interoperability does not seem to be a major concern in this case
60
Migrating to a cloud environment will reduce an organization’s dependence on _______________. A. Capital expenditures for B. IT Operational expenditures for C. IT Data-driven workflows D. Customer satisfaction
A. Capital expenditures for Explanation: As a cloud customer, the organization is not responsible for making up-front infrastructure purchases, which are capital expenditures Cloud customers do, however, make continual operational expenditures for IT resources, in modern business is driven by data as much as any other input, regardless of sector or industry; this does not change whether the organization operates in the cloud or in the traditional IT environment The cloud does not obviate the need to satisfy customers.
61
Firewalls, DLP (data loss prevention or data leak protection) and digital rights management (DRM) solutions, and security information and event management (SIEM) products are all examples of _______________ controls. A. Technical B. Administrative C. Physical D. Competing
A. Technical Explanation: These technical controls, automated system that perform security functions. An argument could be made that there is an administrative component to these controls as well: the firewall rules, the DLP data discovery strategy etc - these are expressed in the form of a list or set of criteria, which might be viewed as an administrative control. However, the system itself (which is what the question asked is still a technical control
62
Fiber-optic lines are considered part of Layer _______________ of the Open Systems Interconnection (OSI) model. A. 1 B. 3 C. 5 D. 7
A. 1 Explanation: The lines themselves are physical, which puts them at Layer 1 All the other options are simply incorrect
63
It is probably fair to assume that software as a service (SaaS) functions take place at Layer _______________ of the OSI model. A. 1 B. 3 C. 5 D. 7
D. 7 Explanation: Layer 7 is the applications entry point to networking All the other options are simply incorrect
64
Because of the nature of the cloud, all access is remote access. One of the preferred technologies employed for secure remote access is _______________. A. VPN B. HTML C. DEED D. DNS
A. VPN Explanation: A virtual private network (VPN) creates a trusted path across an untrusted (often public) network (such as the Internet It is highly recommended for cloud operations.
65
You are the security manager for a small retailer engaged in e-commerce. A large part of your sales is transacted through the use of credit and debit cards. You have determined that the costs of maintaining an encrypted storage capability in order to meet compliance requirements are prohibitive. What other technology can you use instead to meet those regulatory needs? A. Obfuscation B. Masking C. Tokenization D. Hashing
C. Tokenization Explanation: Tokenization is an approved alternative to encryption for complying with Payment Card Industry (PCI) requirements Obfuscation and making dont really serve the purpose because they obscure data, making it unreadable; storing payment information that is unreadable does not aid in the efficiency of future transactions. Moreover, neither technique meets PCI requirements. Hashing does not serve the purpose because it is a one-way conversion of data; there is no way to retrieve payment information for future transactions once it has been hashed.
66
Which of the following mechanisms cannot be used by a data loss prevention or data leak protection (DLP) solution to sort data? A. Labels B. Metadata C. Content strings D. Inverse signifiers
D. Inverse signifiers Explanation: This term has no meanining in this context and is only a distractor All the other mechanisms can be (and are) used by DLP solutions to sort data
67
You are the security manager for an online marketing company. Your company has recently migrated to a cloud production environment and has deployed a number of new cloud-based protection mechanisms offered by both third parties and the cloud provider, including data loss prevention or data leak protection (DLP) and security information and event management (SIEM) solutions. After one week of operation, your security team reports an inordinate amount of time responding to potential incidents that have turned out to only be false-positive reports. Management is concerned that the cloud migration was a bad idea and that it is too costly in terms of misspent security efforts. What do you recommend? A. Change the control set so that you use only security products not offered by the cloud provider. B. Change the control set so that you use only security products offered by the cloud provider. C. Wait three weeks before making a final decision. D. Move back to an on-premises environment as soon as possible to avoid additional wasted funds and effort.
C. Wait three weeks before making a final decision. Explanation: Many security solutions, particularly DLP and similar tools, require a learning curve as they become acustomed to a new sets/configurations in order to discriminate between false positives and actual data loss. One week is not enough time to get an accurate determination of the efficacy of these products, and waiting to gather more data over time is a good idea.
68
In a cloud context, who determines the risk appetite of your organization? A. The cloud provider B. Your Internet service provider (ISP) C. Federal regulators D. Senior management
D. Senior management Explanation: Senior management is always responsible for determining the risk appetite of any organization, regardless of where and how it operates Neither the cloud provider, nor the ISP, nor federal regulators determine the risk appetite of your organization
69
You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes. Which of the following traits of cloud functionality is probably the most crucial in terms of deciding which cloud provider you will choose? A. Portability B. Interoperability C. Resiliency D. Governance
B. Interoperability Explanation: Because you will be creating proprietary software, you will probably be most concerned with how it will function across many platforms, in a virtualized environment, and in an environment that you do not own or operate. Interoperability describes how well a system related to other systems
70
You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes. Which cloud service model is most likely to suit your needs? A. IaaS B. PaaS C. SaaS D. LaaS
B. PaaS Explanation: Platform as a service (PaaS) allows a software development team to test their product across multiple OSs and hosting platforms, without the need for the customer to manage each one. Although infrastructure as a service (IaaS) could offer similar cross-platform benefits, it would require additional effort and expertise on the part of the customer, which would not be nearly as appealing and efficient.
71
ISO 31000 is most similar to which of the following regulations, standards, guidelines, and frameworks? A. NIST 800-37 B. COBIT C. ITIL D. GDPR
A. NIST 800-37 Explanation: Both ISO 31000 and National Institute of Standards and Technology (NIST) 800-37 are risk management frameworks. Control Objectives for Information and Related Technology (COBIT) is ISACA's framework for managing IT and IT controls, largely from a process and governance perspective. Though it includes elements of risk management, NIST 800-37 is still closer in nature to ISO 31000, so option A is preferable to B ITIL (Information Technology Infrastructure Library) is a framework mostly focused on service delivery as opposed to risk management; option C is incorrect. The General Data Protection Regulation (GDPR) is a European Union Law regarding privacy information, not risk management
72
Which of the following entities publishes a cloud-centric set of risk-benefit recommendations that includes a “Top 8” list of security risks an organization might face during a cloud migration, based on likelihood and impact? A. National Institute of Standards and Technology (NIST) B. International Organization for Standardization (ISO) C. European Union Agency for Network and Information Security (ENISA) D. Payment Card Industry (PCI)
C. European Union Agency for Network and Information Security (ENISA) Explanation: The ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security is the publication All the other options are standards bodies but do not have a publication that matches the description in the question as well.
73
Which standards body depends heavily on contributions and input from its open membership base? A. National Institute of Standards and Technology (NIST) B. International Organization for Standardization (ISO) C. Internet Corporation for Assigned Names and Numbers (ICANN) D. Cloud Security Alliance (CSA)
D. Cloud Security Alliance (CSA) Explanation: The Cloud Security Alliance is a volunteer organization that includes members from various industries and sectors and is focused on cloud computing. It relies largely on member participation for developing standards. All the other options are standard bodies that involve a specific board or other centralized authority for publishing requirements
74
In regard to most privacy guidance, the data subject is _______________. A. The individual described by the privacy data B. The entity that collects or creates the privacy data C. The entity that uses privacy data on behalf of the controller D. The entity that regulates privacy data
A. The individual described by the privacy data Explanation: Option A is the definition of the data subject. All the other options define other privacy-related roles
75
In regard to most privacy guidance, the data controller is _______________. A. The individual described by the privacy data B. The entity that collects or creates the privacy data C. The entity that uses privacy data on behalf of the controller D. The entity that regulates privacy data
B. The entity that collects or creates the privacy data Explanation: Option B is the definition of the data controller. All the other options define other privacy related roles.
76
In regard to most privacy guidance, the data processor is _______________. A. The individual described by the privacy data B. The entity that collects or creates the privacy data C. The entity that uses privacy data on behalf of the controller D. The entity that regulates privacy data
C. The entity that uses privacy data on behalf of the controller Explanation: Option C is the definition of the data processor All the other options define other privacy-related roles
77
In most privacy-regulation situations, which entity is most responsible for deciding how a particular privacy-related data set will be used or processed? A. The data subject B. The data controller C. The data steward D. The data custodian
B. The data controller Explanation: The data controller makes the determination of purpose and scope of privacy related data sets. The other options are the names of other privacy-related roles
78
In most privacy-regulation situations, which entity is most responsible for the day-to-day maintenance and security of a privacy-related data set? A. The data subject B. The data controller C. The data steward D. The data custodian
D. The data custodian Explanation: The data custodian is usually tasked with securing and maintaining the privacy data on a regular basis, on behalf and under the guidance of the controller and steward The other options are the names of other privacy-related roles
79
You are the compliance officer for a medical device manufacturing firm. Your company maintains a cloud-based list of patients currently fitted with your devices for long-term care and quality assurance purposes. The list is maintained in a database that cross-references details about the hardware and some billing data. In this situation, who is likely to be considered the data custodian, under many privacy regulations and laws? A. You (the compliance officer) B. The cloud provider’s network security team C. Your company D. The database administrator
D. The database administrator Explanation: The custodian is usually that specific entity in charge of maintaining and securing the privacy-related data on a daily basis, as an element of the datas use. The compliance office might be considered a representative of the data controller (your company), or perhaps the data steward, depending on how much actual responsibility and interaction with the data you have on a regular basis. The cloud provider (and anyone working for the provider) would be considered the data processor under most privacy regulations Your company is the data controller, the legal entity ultimately responsible for the data
80
Which of the following is probably least suited for inclusion in the service-level agreement (SLA) between a cloud customer and cloud provider? A. Bandwidth B. Jurisdiction C. Storage space D. Availability
B. Jurisdiction Explanation: The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, numeric metrics Jurisdiction is usually dictated by location instead, which should be included in the contract but is probably not useful to include the SLA All the other options are excellent examples of items that can and should be included in the SLA.
81
Which of the following items, included in the contract between a cloud customer and cloud provider, can best aid in reducing vendor lock-in? A. Data format type and structure B. Availability C. Storage space D. List of available OSs
A. Data format type and structure Explanation: When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform-agnostic data set is more portable and less subject to vendor lock-in Availability may be an aspect of portability; the ease and speed at which the customer can access their own data can influence how readily the data might be moved to another provider. However, this is less influential than the format and structure of the data; option A is preferable to option B Storage space little to do with vendor lock-in A list of OSs the provider offers might be influential for the customers decision of which provider to select, but it is not typically a constraining factor that would restrict portability.
82
Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the service-level agreement (SLA)? A. Regulatory oversight B. Financial penalties C. Performance details D. Desire to maintain customer satisfaction
B. Financial penalties Explanation: The contract usually stipulates what kind of financial penalties are imposed when the provider fails to meet the SLAs This is a huge motivating element for the provider Regulatory oversight usually affecrs the customer, not the provider The performance details are often included in the SLA but arent the motivating factor In a perfect world, option D would be the correct answer; B is a better answer though
83
Which of the following contract terms most incentivizes the cloud customer to meet the requirements listed in the contract? A. Financial penalties B. Regulatory oversight C. Suspension of service D. Media attention
C. Suspension of service Explanation: The cloud provider is usually allowed to suspend service to the customer if the customer fails to meet the contract requirements (specifically, not paying for the service in accordance with the contract terms) This can be fatal to a customers operations and is a great motivation to make timely payments
84
Which of the following is not a reason for conducting audits? A. Regulatory compliance B. Enhanced user experience C. Determination of service quality D. Security assurance
B. Enhanced user experience Explanation: Audits dont really provide any perceptible effect on user experience All the other options are good reasons for performing audits
85
Which of the following is a tool that can be used to perform security control audits? A. Federal Information Processing Standard (FIPS) 140-2 B. General Data Protection Regulation (GDPR) C. ISO 27001 D. Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
D. Cloud Security Alliance Cloud Controls Matrix (CSA CCM) Explanation: The Cloud Controls Matrix is an excellent tool for determining completeness and possible replication of security controls FIPS 140-2 is a list of cryptographic system products approved for use by the US federal customers
86
Which of the following dictates the requirements for U.S. federal agencies operating in a cloud environment? A. ISO 27002 B. NIST SP 800-37 C. ENISA D. FedRAMP
D. FedRAMP Explanation: Federal Risk and Authorization Management program (FedRAMP) is the US program for federal entities operating in the cloud.
87
Which of the following common aspects of cloud computing can aid in audit efforts? A. Scalability B. Virtualization C. Multitenancy D. Metered Self-Service
B. Virtualization Explanation: A ubiquitous baseline configuration used in a virtualized environment can serve as an artifact for auditors and enhance the audit process. The other options are common facets of cloud computing but do not typically serve the purpose of auditing
88
Which of the following does not typically represent a means for enhanced authentication? A. Challenge questions B. Variable keystrokes C. Out-of-band identity confirmation D. Dynamic end-user knowledge
B. Variable keystrokes Explanation: Variable, in general, arent useful for authentication; authentication requires a match against a template or a known quantity.
89
Which of the following is not a common identity federation standard? A. WS-Federation B. OpenID C. OISame D. Security Assertion Markup Language (SAML)
C. OISame Explanation: This is a nonsense term, with no meaning in this context. All the other options are actual common identity federation standards
90
Multifactor authentication typically includes two or more of all the following elements except _______________. A. What you know B. Who you know C. What you are D. What you have
B. Who you know Explanation: Multifactor authentication doesnt typically utilize associative identification
91
Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts? A. Multitenancy B. Pooled resources C. Virtualization D. Remote access
D. Remote access Explanation: Because the cloud environment can be accessed for any location (assuming good connectivity), the cloud customer is not required to maintain an expensive operational facility, either for primary or backup purposes. All the other options are common aspects of cloud computing, but dont particularly serve BC/DR purposes.
92
Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts? A. Rapid elasticity B. Online collaboration C. Support of common regulatory frameworks D. Attention to customer service
A. Rapid elasticity Explanation: Rapid elasticity allows the cloud customer to scale cloud operations as necessary, including during contingency operations; this is extremely useful for BC/DR activities All the other options are common aspects of cloud computing but dont particularly serve BC/DR purposes
93
Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts? A. On-demand self-service B. Pooled resources C. Virtualization D. The control plane
A. On-demand self-service | Explanation: On-demand self-service allows the cloud customer to provision those production rersources during contingency without any delay in ordering or allocating those resources All the other options are common aspects of cloud computing but dont particularly serve BC/DR purposes
94
What functional process can aid business continuity and disaster recovery (BC/DR) efforts? A. The software development lifecycle (SDLC) B. Data classification C. Honeypots D. Identity management
B. Data classification Explanation: The data classification process is the organizations formal means of determining value of its assets; this is extremely important to BC/DR efforts in that it can be useful in determining the critical path to be maintain during contingency events The SDLC is a system development/acquisition tool; it doesnt particularly assist in BC/DR efforts. Honeypots are a threat intelligence tool; they dont serve any useful BC/DR purpose identity management is a part of the entitlement process but does not add any value to BC/DR efforts
95
Which common security tool can aid in the overall business continuity and disaster recovery (BC/DR) process? A. Honeypots B. Data loss prevention or data leak protection (DLP) C. Security information and event management (SIEM) D. Firewalls
B. Data loss prevention or data leak protection (DLP) Explanation: DLP solutions typically have the capability to aid in asset valuation and location, both important facets of the BC/DR process. All the other options are common security tools but dont really serve to enhance BC/DR Effortss
96
Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts? A. Geographical separation of data centers B. Hypervisor security C. Pooled resources D. Multitenancy
A. Geographical separation of data centers Explanation: Because cloud data is typically spread across more than one data center and these data centers can be geographically separated, a single natural disaster event may be less likely to reduce access to the data All the other options are common aspects of cloud computing but dont particularly serve BC/DR purposes
97
Which of the following is not typically used as an information source for business continuity and disaster recovery (BC/DR) event anticipation? A. Open source news B. Business threat intelligence C. Egress monitoring solutions D. Weather monitoring agencies
C. Egress monitoring solutions Explanation: Egress-monitoring solutions do not typically predict contingency-level events and are not useful for the purpose
98
Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization? A. Premature return to normal operations B. Event anticipation information C. Assigning roles for BC/DR activities D. Preparing the continuity-of-operations plan
A. Premature return to normal operations Explanation: A hasty return to normal operations can put operations and personnel at risk if whatever caused the contingency situation has not yet been fully resolved
99
Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization? A. Threat intelligence gathering B. Preplacement of response assets C. Budgeting for disaster D. Full testing of the plan
D. Full testing of the plan Explanation: A full test of the BC/DR plan can result in an actual disaster because it may involve interruption of service; the simulation can become the reality
100
In container virtualization, unlike standard virtualization, what is not included? A. Hardware emulation B. OS replication C. A single kernel D. The possibility for multiple containers
A. Hardware emulation Explanation: In containerization, the underlying hardware is not emulated; the containers run on the same underlying kernel, sharing the majority of the base OS.
101
Which of the following is not typically a phase in the software development lifecycle (SDLC)? A. Define B. Test C. Develop D. Sanitization
D. Sanitization Explanation: Secure sanititization is not included in all (or even many) SDLC models The other options are typically SDLC steps
102
An application programming interface (API) gateway can typically offer all of the following capabilities except _______________. A. Rate limiting B. Access control C. Hardware confirmation D. Logging
C. Hardware confirmation Explanation: Hardware confirmation is a meaningless term in this respect. All the other options represent common capabilities of API gateways
103
Cloud customers in a public cloud managed services environment can install all the following types of firewalls except _______________. A. Provider operated B. Host-based C. Third party D. Hardware
D. Hardware Explanation: Cloud customers, with rare exceptions, will not be allowed to add hardware to the cloud data center. All the other options are various types of firewalls that a customer could implement in a cloud managed services environment;
104
The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, who initiates the protocol? A. The server B. The client C. The certifying authority D. The Internet service provider (ISP)
B. The client Explanation: In a typical TLS handshake, the client sends the message (called ClientHello) that initiates the negotiation of the session
105
The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what is the usual means for establishing trust between the parties? A. Out-of-band authentication B. Multifactor authentication C. Public-key infrastructure (PKI) certificates D. Preexisting knowledge of each other
C. Public-key infrastructure (PKI) certificates Explanation: TLS usually relies on PKI certificates authenticated and issues by a third party
106
The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what form of cryptography is used for the session key? A. Symmetric key B. Asymmetric key pairs C. Hashing D. One asymmetric key pair
A. Symmetric key Explanation: In TLS, the parties will establish a shared secret, or symmetric key, for the duration of the session. All the other options are incorrect because they are not the form of cryptography used for the session keys in a TLS session
107
DevOps is a form of software development that typically joins the software development team with _______________. A. The production team B. The marketing team C. The security office D. Management
A. The production team Explanation: In DevOps, the programmers continually work in close conjunction with the production team to ensure that the project will meet their needs.
108
The Agile Manifesto for software development focuses largely on _______________. A. Secure build B. Thorough documentation C. Working prototypes D. Proper planning
C. Working prototypes Explanation: The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs. The Manifesto refutes all other elements of programming that slow down this effort, including documentation, planning, process and specific tools
109
When a program’s source code is open to review by the public, what is that software called? A. Freeware B. Malware C. Open source D. Shareware
C. Open source Explanation: Open source software includes programs where customers (or even the public) can view the softwares source code. Freeware and shareware are licensing arrangements and ways of distributing intellectual property. Malware is harmful software designed for attack purposes.
110
Why is Simple Object Access Protocol (SOAP) used for accessing web services instead of the Distributed Component Object Model (DCOM) and the Common Object Request Broker Architecture (CORBA)? A. SOAP provides a much more lightweight solution. B. SOAP replaces binary messaging with XML. C. SOAP is much more secure. D.SOAP is newer.
B. SOAP replaces binary messaging with XML. Explanation: XML works better over the Internet than the binary messaging of the older technologies. SOAP is not particularly lightweight; in fact, it is kind of cumbersome. SOAP is not especially more secure than DCOM or COBRA SOAP is newer than the other technologies; however, that is not the reason it is preferable in a web context.
111
How does representational state transfer (REST) make web service requests? A. XML B. SAML C. URIs D. TLS
C. URIs Explanation: REST calls web resources by using uniform resource identifiers (URIs)
112
Representational state transfer (REST) outputs often take the form of _______________. A. JavaScript Object Notation (JSON) B. Certificates C. Database entries D. WS-Policy
A. JavaScript Object Notation (JSON) Explanation: JSON outputs are common for REST applications. All the other options are incorrect because they are not the form of output one would expect from REST.
113
“Sensitive data exposure” is often included on the list of the Open Web Application Security Project (OWASP) Top Ten web application vulnerabilities. In addition to programming discipline and technological controls, what other approach is important for reducing this risk? A. Physical access control to the facility B. User training C. Crafting sophisticated policies D. Redundant backup power
B. User training Explanation: Sensitive data is often exposed inadventently because of user error of lack of knowledge about the material. User training can offset a significant portion of this risk by informing users about the value of data assets and the proper use of controls and behaviors. Physical access control is important, but less for controlling exposure and more for preventing theft. Option B is preferable to A in this context. Policies are crucial but dont actually offset the risk; they are the underlying structure for creating programs and methods for dealing with the risk.
114
During maintenance mode for a given node in a virtualized environment, which of the following conditions is not accurate? A. Generation of new instances is prevented. B. Admin access is prevented. C. Alerting mechanisms are suspended. D. Events are logged.
B. Admin access is prevented. Explanation: Administrators will access devices during maintenance mode; blocking admin access would be contrary to the entire point of the activity. All the other options are conditions that are true during maintenance mode.
115
How are virtual machines (VMs) moved from active hosts when the host is being put into maintenance mode? A. As a snapshotted image file B. In encrypted form C. As a live instance D. Via portable media
C. As a live instance Explanation: Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another and how VMs are moved prior to maintenance on a physical device. VMs are moved as image snapshots when they are transitioned from production to storage; option A is incorrect. During live migration, the VM moves in unencrypted form.
116
Which of the following is not a typical mechanism used by intrusion detection system (IDS) and intrusion prevention system (IPS) solutions to detect threats? A. Signature-based detection B. User input C. Statistical-based detection D. Heuristic detection
B. User input Explanation: IDS/IPS solutions do not elicit user input All the other options are mechanisms used by IDS/IPS solutions to detect threats
117
When you’re deploying a honeypot/honeynet, it is best to fill it with _______________ data. A.Masked B. Raw C. Encrypted D. Useless
D. Useless Explanation: Because the honeypot/honeynet is meant to be observed, production data in any form should not be included All the other options are insufficient for the question
118
The cloud provider should be required to make proof of vulnerability scans available to all of the following except _______________. A.Regulators B. The public C. Auditors D. The cloud customer
B. The public Explanation: The public does not have a need to know regarding proof of vulnerability scans. All the other options are legitimate recipients of proof of vulnerability scans.
119
You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This intellectual property is likely protected as a _______________. A. Copyright B. Trademark C. Patent D. Trade secret
B. Trademark Explanation: Logos and other identifying material are subject to trademark protections. The other options are also ways to protect intellectual properly, but they are not usually associated with logos.
120
You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This conflict will most likely have to be resolved with what legal method? A. Breach of contract lawsuit B. Criminal prosecution C. Civil suit D. Military tribunal
C. Civil suit Explanation: Intellectual property disputes are usually settled in civil court, as a conflict among private parties Because there was no agreement between your company and the competitor in question, there is no contract, so no breach of contract dispute is pertinent. Although statutes concerning intellectual property protections exist, they are usually in the form of torts (that is, laws that define how civil ac4tions can pursue restitution for private harm) This is not the government prosecuting someone in order to protect the public; criminal proceedings are rare when it comes to enforcing intellectual property rights. The military does not often get involved in intellectual property disputes and most often uses the civil courts when it does.
121
You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. What will most likely affect the determination of who has ownership of the logo? A. Whoever first used the logo B. The jurisdiction where both businesses are using the logo simultaneously C. Whoever first applied for legal protection of the logo D. Whichever entity has the most customers who recognize the logo
C. Whoever first applied for legal protection of the logo Explanation: Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body. In the case of conflicting usage (or infringement), courts will take many criteria into account, including which party has first claim on the trademark (that is, who used it the longest), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth. But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question. All the other options may be factors the court takes into account when making its decision, but option C is the best answer.
122
Which Statement on Standards for Attestation Engagements (SSAE) 18 audit report is simply an attestation of audit results? A. Service Organization Control (SOC) 1 B. SOC 2, Type 1 C. SOC 2, Type 2 D. SOC 3
D. SOC 3 Explanation: This is the definition of a SOC 3 All the other options are SSAE 18 reports but not the correct answer.
123
Which Statement on Standards for Attestation Engagements (SSAE) 18 report is purposefully designed for public release (for instance, to be posted on a company’s website)? A. Service Organization Control (SOC) 1 B. SOC 2, Type 1 C. SOC 2, Type 2 D. SOC 3
D. SOC 3 Explanation: This is the purpose of the SOC 3 report. All the other options are SSAE 18 reports but not the correct answer
124
Which of the following countries has a national privacy law that conforms to European Union (EU) legislation? A. The United States B. Australia C. Jamaica D. Honduras
B. Australia Explanation: Both Australia and New Zealand have privacy laws that conform to EU privacy legislation All the other options are examples of countries that do not.
125
Which of the following countries has a national privacy law that conforms to European Union (EU) legislation? A. Japan B. Alaska C. Belize D. Madagascar
A. Japan Explanation: Japans privacy law is sufficient to meet EU legislative requirements Alaska is not a country - it is a state.

ag-Certified Cloud Security Professional (CCSP) (26 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions