Domain 5: Cloud Security Operations Flashcards

1
Q

What term is used to describe agreements between IT service providers and customers that describe service-level targets and responsibilities of the customer and provider?

A. OLA
B. SAC
C. SLA
D. SLR

A

Answer: C. SLA

A service-level agreement (SLA) defines service-level targets and the responsibilities of the IT service provider and customer. An OLA (operational level agreement) is an internal agreement between the IT service provider and another part of the same organization and supports the service provider’s delivery of the service. Service acceptance criteria (SAC) are the criteria used to determine whether a service meets its quality and functionality goals.

Finally, a service-level requirement (SLR) defines the requirements of a service from the customer’s perspective.

2
Q

Sally is building her organization’s communication plans and knows that customers are an important group to include in the plan. What key function does proactive customer communication help with?

A. Notification of breaches
B. Regulatory compliance
C. Managing expectations
D. Problem management

A

Answer: C. Managing expectations

Proactive customer communications are key to managing expectations. Reactive communications are often used for data breach notification, regulatory compliance, and problem management.

3
Q

Juanita has discovered unexpected programs running on her freshly installed Linux system that was built using her cloud provider’s custom Linux distribution, but that did not allow connections from the internet yet. What is the most likely reason for this?

A. Juanita inadvertently installed additional tools during the installation process.
B. The version of Linux automatically downloads helper agents when installed.
C. Cloud vendors often install helper utilities in their own distributions.
D. Attackers have installed applications.

A

Answer: C. Cloud vendors often install helper utilities in their own distributions.

Juanita knows that the major cloud vendors provide their own customized versions of Linux that often include additional agents and tools to help them work better with the provider’s infrastructure. She should verify that this is the case, but it is the most likely scenario for a freshly built system as described.

4
Q

Ben wants to manage operating system and application patches for thousands of machines hosted in an infrastructure as a service vendor’s cloud. What should he do?

A. Use the cloud vendor’s native patch management tools.
B. Use the operating system vendor’s patch management tools.
C. Use manual update processes.
D. Write custom scripts to manage updates.

A

Answer: A. Use the cloud vendor’s native patch management tools.

When managing systems at scale in the cloud, Ben knows that the best option is often to use the cloud IaaS vendor’s tools, particularly because they are typically designed to handle both the operating systems (which may have special features for working in the vendor’s environment) and the applications running on them.

5
Q

Jason’s organization is required to provide information about its cloud operating environment, including yearly audit information, to regulators in his industry. What is he most likely to be able to provide to the regulators when they ask for a security audit of his hosted environment?

A. A recent audit conducted by staff from Jason’s organization
B. A recent audit conducted by a third-party auditor hired by Jason’s organization
C. Direct audit permissions for the regulators to audit the cloud provider
D. A copy of the cloud provider’s third-party audit results

A

Answer: D. A copy of the cloud provider’s third-party audit results

Jason knows that cloud service providers typically do not allow direct or third-party audits of their systems and services, but that they do provide audit results to customers.

6
Q

Tracy has set up a cloud hardware security module (HSM) service for her organization in her cloud-hosted environment. What activity is she preparing for?

A. Securely storing and managing secrets
B. Ensuring end-to-end encryption between cloud and on-site systems
C. Managing the security of the underlying hardware in the environment
D. Detecting attacks against hosted systems

A

Answer: A. Securely storing and managing secrets

A cloud hardware security module (HSM) is used to create, store, and manage secrets.

7
Q

Charles wants to be able to create new servers as needed for his environment, using variables and configuration files to configure the systems to meet changing needs. What type of solution should he implement to help with this type of orchestration?

A. A CI/CD pipeline
B. Infrastructure as code
C. A check-in/checkout design
D. An application interface

A

Answer: B. Infrastructure as code

Charles knows that his situation calls for an infrastructure as code (IaC) design, which uses code and configuration files or variables to allow rapid deployment using scripts and automated tools. A CI/CD pipeline will often leverage infrastructure as code and automation tools, but it doesn’t directly meet this need. APIs (application programming interfaces) are used to access data from services, and check-in/checkout design was made up for this question.

8
Q

James wants to establish key performance indicators for his service continuity management practice based on ITIL. Which of the following is a useful KPI for service continuity management?

A. The number of business processes with continuity agreements
B. The number of vulnerabilities found in installed software per period of time
C. The number of patches installed per period of time
D. The number of natural disasters in the local area in a year

A

Answer: A. The number of business processes with continuity agreements

From a service continuity management perspective, the number of business processes with continuity agreements is the only relevant answer from this list. Understanding the number of business practices that have continuity planning in place and assessing which gaps in coverage are critical is a common practice to improve service continuity.

9
Q

Zoe wants to speed up her traditional release management process. What modern approach is best suited to an ITIL v4–based rapid-release-oriented organization?

A. Waterfall
B. Agile/DevOps
C. Spiral
D. RAD

A

Answer: B. Agile/DevOps

Agile and DevOps are well-suited to rapid release cycles, with continuous integration and continuous delivery processes. Waterfall and spiral both tend to take longer periods of time for each release, and RAD is not as widely adopted and not as release focused.

10
Q

ITIL v4 includes a seven-step continual improvement model. What item occurs at the end of the process before it starts again?

A. Determining the vision
B. Assessing results
C. Taking action
D. Determining the goal

A

Answer: B. Assessing results

Assessing results occurs at the end of the seven-step process, helping provide feedback into the next cycle’s vision determination phase.

11
Q

Tim puts a server in his virtualization environment into maintenance mode. Which of the following events will occur?

A. Migrates the running virtual machines to other hardware
B. Pauses all running VMs immediately
C. Sends a notification to users, then pauses running VMs
D. Marks the machine as unavailable for new VMs

A

Answer: A. Migrates the running virtual machines to other hardware

Maintenance mode migrates virtual machines to other hosts or waits until they are powered down to allow for hardware or other maintenance. Tim knows that he’ll need to ensure all VMs are migrated or shut down, and that he can then perform maintenance.

12
Q

Kathleen wants to centralize her log capture and analysis capabilities and use automated tools to help her identify likely security issues. What type of tool should she look for?

A. SIEM
B. IPS
C. CASB
D. MITRE

A

Answer: A. SIEM

Kathleen should look for a security information and event management (SIEM) tool. SIEMs are used for centralized log collection, analysis, and detection and often have automated methods of finding issues and alerting on them. An IPS (intrusion prevention system) is used to detect and stop attacks, a CASB (cloud access security broker) is used to control and manage access to cloud services, and MITRE is a U.S. government–funded research organization with a heavy focus on security work.

13
Q

Elaine wants to ensure that traffic is encrypted in transit. What technology is commonly used to secure data in transit?

A. VLANs
B. TLS
C. DNSSEC
D. DHCP

A

Answer: B. TLS

TLS (Transport Layer Security) is an encryption protocol used to secure data in transit. VLANs are used to logically separate network segments, DNSSEC is intended to provide security to domain name system requests, and DHCP provides IP addresses and other network configuration information to systems automatically.

14
Q

Ujama wants to protect systems in his environment from being accessed via SSH. What should he do if he needs to leave the service available for local connections?

A. Block inbound connections to TCP port 3389 on his firewall.
B. Block outbound connections to TCP port 3389 on his firewall.
C. Block inbound connections to TCP port 22 on his firewall.
D. Block outbound connections to TCP port 22 on his firewall.

A

Answer: C. Block inbound connections to TCP port 22 on his firewall.

Blocking inbound connections to port 22, the default SSH port, will stop attackers and third parties from outside of the network from accessing SSH, as long as the service hasn’t been moved to another port. TCP 3389 is associated with RDP.

15
Q

Ron wants to use a central system to store information about system and software configurations and their relationships. What tool is often used for this to support standards-based configuration management practices like those found in ITIL v4?

A. CRM
B. CMDB
C. Configuration item
D. Change catalog

A

Answer: B. CMDB

A configuration management database (CMDB) is frequently used in mature standards-based configuration management environments, where it stores both configuration information and information about the relationships between configuration items (CIs). CRMs are customer relationship management tools and aren’t part of the CCSP exam. A change catalog was made up for this question.

16
Q

Maria’s manager is concerned about patching for the underlying cloud environment that her platform as a service (PaaS) vendor provides. What should Maria tell her manager?

A. Maria’s organization is responsible for patching and needs to set up a regular patch cycle.
B. The vendor is responsible for patching, and there is no patching that needs to be done by customers in a PaaS environment.
C. Negotiations need to be done with the vendor to determine which organization is responsible for patch management.
D. The contract will determine which organization is responsible for patch management.

A

Answer: B. The vendor is responsible for patching, and there is no patching that needs to be done by customers in a PaaS environment.

Maria knows that PaaS environments are patched by the vendor and that she does not need to perform patching of the software or cloud service. She may, however, have to decide when to adopt patches or versions, although she won’t be able to delay adopting new versions forever!

17
Q

ITIL v4 describes three subprocesses related to availability management. What are these three subprocesses?

A. Designing services for availability, disaster recovery testing, and determining availability targets
B. Availability management, availability metrics, and availability improvement
C. Designing services for availability, availability testing, and availability monitoring and reporting
D. Availability planning, availability improvement, availability validation

A

Answer: C. Designing services for availability, availability testing, and availability monitoring and reporting.

The ITIL subprocesses for availability management are designing services for availability, availability testing, and availability monitoring and reporting. Even if you’re not familiar with ITIL, thinking about a standards-based approach to availability might help you: design, testing, and monitoring are all logical steps in a process like this.

18
Q

Naomi’s organization has recently experienced a data breach. Which of the following parties is least likely to require notification based on existing contracts or regulations?

A. Customers
B. Vendors
C. Regulators
D. Partners

A

Answer: B. Vendors

Vendors are the least likely to have contractual or regulatory requirements that mean that they must be notified. Vendors often have to tell their customers about breaches, but customers typically do not need to tell their vendors!

19
Q

Megan is starting her organization’s change management practices. She has conducted an asset inventory. What step is typically next in a change management process?

A. Creating a baseline
B. Deploying new assets
C. Establishing a CMB
D. Documenting deviations from the baseline

A

Answer: A. Creating a baseline

Megan’s next step once she has an inventory is to create a baseline. With that in hand she can establish a CMB, deploy new assets configured to meet the baseline, and document deviations that the CMB approves if needed.

20
Q

Dan wants to use clipboard-based drag and drop between his virtualized desktops in a Type 2 hypervisor environment. Which of the following steps is most likely to allow him to access additional features that require virtualization environment integration to work?

A. Building the virtual machines as containers
B. Installing guest operating system virtualization tools
C. Installing virtualization environment orchestration tools
D. Building the containers as virtual machines

A

Answer: B. Installing guest operating system virtualization tools

Guest operating system virtualization tools add additional functionality like use of GPUs, shared clipboards, drag and drop between guest operating systems, shared folders, and similar features that require additional integration between the guest OS and the underlying hypervisor and hardware.

21
Q

Geoff knows that ITIL v4 focuses on four information security management practices. Which of these processes could involve an SOC 2 Type 2 audit?

A. Design of security controls
B. Security testing
C. Management of security incidents
D. Security review

A

Answer: D. Security review

The security review objective focuses on whether security practices and procedures align with the organization’s risk tolerance and includes verification and testing, much as an SOC 2 Type 2 audit does. Design, testing, and management of incidents involve the topics they describe.

22
Q

Eleanor wants to build her organization’s change management processes. What is the typical first step for change management efforts?

A. Policy creation
B. Baselining
C. Documentation creation
D. Vulnerability scanning

A

Answer: B. Baselining

Configuration management typically starts with baselining. While policies and documentation are important, creating a baseline allows organizations to understand what they have and what state it is in, a critical part of the change management practice.

23
Q

Theresa is building an automated CI/CD pipeline. She wants to ensure that code that passes through the pipeline is secure before it moves from staging to production. What is her best option if she wants to test the running application?

A. Manual static code review
B. Automated code review
C. Using a web application firewall
D. Using an IPS

A

Answer: B. Automated code review

Ensuring that the code itself is secure in an automated process requires a tool that can be run as part of the process. That means that the only option from the list that is viable is an automated review of code. Manual static code review isn’t a good fit for a CI/CD pipeline in most cases due to speed requirements. WAFs and IPSs can help protect the application, but again, they don’t test the code or make the application itself more secure.

24
Q

The Cloud Security Alliance’s Cloud Incident Response (CIR) framework documents typical breakdowns for customer versus cloud provider responsibilities in incident response, including pointing to cloud providers as being responsible for almost all risks in an SaaS environment. In an IaaS environment, who is responsible for network risks?

A. The customer
B. Both the customer and the service provider
C. The service provider
D. Third-party incident responders

A

Answer: B. Both the customer and the service provider

Since IaaS provides the customer with access to and control over some of the network, they must take responsibility for network-based risks. The IaaS provider provides services and infrastructure, and thus must take responsibility for some of the network-based risks as well. Third-party incident responders do not play a role in risk responsibility in this model.

25
Q

Juanita is responsible for a web application that is split between an on-site application environment and a cloud-hosted database. Juanita knows the application performs thousands of small database queries for some transactions. What performance monitoring option is most important to her application’s performance?

A. The network routes between the datacenters
B. Network throughput between the two datacenters
C. The bandwidth between the two datacenters
D. Network response time (latency) between the datacenters

A

Answer: D. Network response time (latency) between the datacenters

Network latency is the critical factor when transaction volume is key. Bandwidth is less critical for small transactions, even when there are thousands of them. Routes may influence all of these options, but aren’t as critical as the impact they have on the traffic.
26
Q

Kolin needs to collect forensic data from an Azure-hosted VM. What should he do to validate his forensic data after capturing disk snapshots for the VM’s OS and data disks?

A. Compare the hashes of the VM’s OS and data disks and the snapshots of each.
B. Make two copies of the snapshots and compare hashes between the snapshot hashes.
C. Export the VM as a hash, then validate the hash.
D. Export the VM as a disk image and compare the disk image’s digital signature to the original.

A

Answer: A. Compare the hashes of the VM’s OS and data disks and the snapshots of each.

Azure’s best practices suggest creating disk snapshots for both the VM’s operating system (OS) and data disks, safely storing the snapshots, then comparing hashes between the images and the originals. Comparing the hashes of a snapshot to a copy won’t validate it against the original, VMs can’t be exported as hashes, and disk images aren’t signed in a way that makes sense for this type of forensic use. If you’d like to read the full practice document for more detail, you can find it at https://docs.microsoft.com/en-us/azure/architecture/example-scenario/forensics.
27
Q

Ilya wants to use an ITIL v4–based practice for capacity and performance management. Which of the following is not a typical subprocess for capacity and performance management under ITIL?

A. Customer KPI oversight
B. Service capacity management
C. Component capacity management
D. Capacity management reporting

A

Answer: A. Customer KPI oversight

Businesses typically don’t manage customer capacity. Instead, they would assess their own capacity, known as business capacity management.
28
Q

Nick’s organization has experienced a data breach of their cloud-hosted environment. Which of the following is most likely to need to be communicated with based on regulations?

A. Vendors
B. Customers
C. Partners
D. Law enforcement

A

Answer: B. Customers

Data breach regulations typically focus on customer notification. Nick should work with legal counsel to ensure that his organization is compliant with any notification requirements for his industry and location.
29
Q

Valerie has created disk images of virtual machines running in her cloud environment. What key digital forensic requirement should she ensure is handled properly if she believes that the information will be used for a legal case in the future?

A. Legal hold
B. Chain of custody
C. Seizure requirements
D. Disposal requirements

A

Answer: B. Chain of custody

Valerie should carefully document the chain of custody for the disk images so that they can be considered valid for potential legal action. Legal hold is the process for preserving data for legal action, not for documenting actions taken with disk images and other forensic artifacts. Seizure is a type of acquisition but isn’t mentioned here, and disposal would occur after the potential legal case.
30
Q

Asha wants to take advantage of her cloud provider’s ability to schedule instances to match her business practices. What practice will help her handle a large number of instances with different scheduling requirements?

A. Using a third-party scheduler
B. Enabling auto-scheduling
C. Tagging
D. Disabling unused instances

A

Answer: C. Tagging

Tagging is a critical part of instance scheduling, but even more so for large numbers of instances. It allows schedules to be easily applied to all instances with the proper tags. Since Asha wants to use her cloud provider’s scheduling, a third party does not meet her requirements. Auto-scheduling was made up for this question, and disabling unused instances helps with spend, but doesn’t help more than tagging would for scheduling.
31
Q

Which of the following is not an aspect of host hardening?

A. Removing all unnecessary software and services
B. Patching and updating as needed
C. Adding new hardware to provide increased performance
D. Installing a host-based firewall and an intrusion detection system (IDS)

A

Answer: C. Adding new hardware to provide increased performance

Adding new hardware to increase performance is not an element of hardening. Hardening is the process of provisioning a specific element (in this case, a host) against attack. Audits don’t protect against attacks; they only detect and direct responses to attacks.
32
Q

Isabella has been asked to review her organization’s patch management scheme. The current process focuses on manual patch installation on a weekly window. Isabella is interested in moving to an automated patch deployment process on a more frequent basis. What risk is most commonly associated with automated patching systems?

A. The potential to disrupt systems due to a patching issue or bad patch.
B. The inability to report on patches that fail installation.
C. The inability to report on patches that are not installed.
D. The potential to increase patching speed and accuracy.

A

Answer: A. The potential to disrupt systems due to a patching issue or bad patch.

Automated patching systems can cause disruptions if a bad patch is released or if there is an installation problem that is not detected. That means that a human is often in the loop for patching, or that patches are installed in nonproduction environments first where they can be validated prior to further installations. Automated systems typically can report on patches that fail installation and on systems that do not have patches in place, and it is a desirable feature to speed patching and patch accuracy via automation.
33
Q

To enhance virtual environment isolation and security, a best practice is to ___________________.

A. Ensure that all virtual switches are not connected to the physical network
B. Ensure that management systems are connected to a different physical network than the production systems
C. Never connect a virtual switch to a physical host
D. Connect physical devices only with virtual switches

A

Answer: B. Ensure that management systems are connected to a different physical network than the production systems

The management systems control the entirety of the virtual environment, and are therefore extremely valuable and need to be protected accordingly. When possible, isolating those management systems, both physically and virtually, is optimal.
34
Q

Deployment management is a component of which service management practice in ITIL v4?

A. Problem management
B. Release management
C. Change management
D. IT asset management

A

Answer: B. Release management

ITIL v4 categorizes deployment management as part of release management.
35
Q

Carlos wants to monitor CPU load, temperature, and voltages for his virtual machine. What should Carlos do to achieve this?

A. Carlos cannot track temperature and voltages for his virtual system, but he can track load using the underlying hardware.
B. Carlos cannot track load, but he can track temperature and voltages for his virtual system and should use the underlying hardware for the VM.
C. Carlos cannot track temperature and voltages for a virtual CPU, but he can track load via the operating system.
D. Carlos cannot track load and voltages, but he can install a thermal sensor to track his virtual machine’s temperature.

A

Answer: C. Carlos cannot track temperature and voltages for a virtual CPU, but he can track load via the operating system.

Carlos knows that virtual machines use virtualized processors and that temperature and voltages can’t be tracked for virtual CPUs. He can track load, and most operating systems have a built-in method for doing so. If voltages and temperature are an ongoing concern, he will need to monitor them at the underlying operating system, hardware, or hypervisor level.
36
Q

Megan is responsible for ensuring that her organization’s continual service improvement efforts are meeting their goals. What formal role does Megan hold under ITIL?

A. CSI manager
B. Process architect
C. Process owner
D. Customer

A

Answer: D. Customer

Megan is a process owner and is responsible for the fit-to-purpose for the continual service improvement effort. Continual service improvement managers (CSI managers) improve ITSM processes and services. Process architects ensure that processes work together and support each other effectively, and customers consume or purchase services.
37
Q

Felicia wants to apply rules to her Amazon AWS VPC to limit the IPs that can contact her servers. What feature should she use to do this?

A. Honeypots
B. IDS
C. IPS
D. Network security groups

A

Answer: D. Network security groups

Felicia wants to perform firewall-like rules-based filtering, which is a function of network security groups. Honeypots are used to capture and observe attacker behaviors, and IDSs and IPSs are used to detect and, in the case of IPSs, potentially prevent attacks based on behaviors and signatures.
38
Q

Designing system redundancy into a cloud datacenter allows all the following capabilities except ___________________.

A. Incorporating additional hardware into the production environment to support increased redundancy
B. Preventing any chance of service interruption
C. Load-sharing/balancing
D. Planned, controlled failover during contingency operations

A

Answer: B. Preventing any chance of service interruption

Risk can’t be entirely prevented, but it can be drastically reduced. Hardware redundancy, load sharing and balancing, and failure mode design are all common practices when designing redundancy into cloud datacenters.
39
Q

Raj is required to provide proof of PCI compliance to his acquiring bank. What should he ask for from his cloud service provider?

A. An attestation of compliance
B. An SOC 1 Type 1 audit
C. An SOC 2 Type 2 audit
D. To allow him to conduct a PCI audit of the vendor

A

Answer: A. An attestation of compliance

Cloud providers who are PCI-compliant will typically provide an attestation of compliance upon request. This type of documentation is important for regulators as part of compliance validation. SOC audits don’t specifically test PCI compliance, and most vendors will not allow customers to conduct PCI assessments of their underlying infrastructure.
40
Q

Naomi wants to conduct a vulnerability scan of her cloud environment. What requirement is she likely to need to meet with her cloud service vendor for an IaaS environment?

A. She can only scan her own internal systems.
B. She will have to use the service provider’s scanning tools.
C. She can only scan her own external systems.
D. She will need to schedule a time and date for the scans.

A

Answer: A. She can only scan her own internal systems.

IaaS vendors typically allow customers to scan their own internal systems, but may recommend that certain types of instances with lower resources are not scanned to avoid disruption. While vendors may provide scanning tools, they typically don’t require customers to use them in an IaaS environment. Since external scans can inadvertently impact other customers, external scanning is typically prohibited or limited, and scheduling a time and date may be required for more advanced or specialized testing.
41
Q

Naomi has completed her vulnerability scan and wants to remediate the systems she has discovered vulnerabilities on. What is a typical patching process for IaaS-hosted systems when concerns exist about the potential impact of patching?

A. Use a script to patch each system.
B. Stand up new, patched instances, then replace the unpatched systems using load balancers.
C. Create new instances with the patches installed, shut down the existing instances, and assign new IP addresses for the new systems.
D. Manually patch each system.

A

Answer: B. Stand up new, patched instances, then replace the unpatched systems using load balancers.

Using load balancing to drain load from existing systems and then replacing them with new, patched instances is a common best practice for cloud-hosted service environment patching. Manual and scripted patching can cause outages, as could re-IPing as systems are swapped over.
42
Q

When putting a system into maintenance mode, it’s important to do all of the following except ___________________.

A. Transfer any live virtual guests off the host
B. Turn off logging
C. Lock out the system from accepting any new connections
D. Notify customers if there are any interruptions

A

Answer: B. Turn off logging

Disabling logging would prevent administrators from diagnosing problems. Transferring users, preventing new connections, and notifying customers are all common practices when entering maintenance mode.
43
The operating system that Jack wants to install in his cloud environment requires a cryptographic store as part of the boot process to ensure that the hardware has been validated. Which of the following tools will allow him to meet this requirement? A. Hardware HSM B. Cloud TPM C. Virtual TPM D. Cloud HSM
**Answer: C. Virtual TPM** A virtual trusted platform module (vTPM) exposes to the guest the same measured-boot and attestation functions a physical TPM provides, which is what the operating system’s boot process requires. HSMs (hardware security modules) are used to create, store, and manage secrets, including cryptographic keys and certificates, but aren’t used for boot security. Cloud TPM was made up for this question, although hardware and cloud HSMs do exist.
44
Yarif runs an operating system and then uses a hypervisor running on that operating system to run virtual machines. What type of hypervisor is he running? A. A classic hypervisor B. Type 1 C. An advanced hypervisor D. Type 2
**Answer: D. Type 2** Yarif is running a Type 2 hypervisor, which is defined as a hypervisor that runs on top of an operating system rather than on bare metal like a Type 1 hypervisor. Classic and advanced hypervisors are not commonly used terms.
45
What key function is described by ITIL’s incident management practice? A. Engaging third-party responders based on best practices. B. Managing problem escalations. C. Restoring a service as soon as possible after an incident. D. Identifying incidents to allow response.
**Answer: C. Restoring a service as soon as possible after an incident.** While ITIL focuses on identification, containment, resolution, and maintenance, the overall goal is to restore service as soon as possible after an incident. It does not focus on third-party responders. Problem escalations to incidents are part of identification, but aren’t the main goal, nor is identifying incidents to allow response.
46
Lucca has experienced an event that interrupts normal service in his organization. How would ITIL classify this? A. As an incident B. As an SLA violation C. As a problem D. As an MSA violation
**Answer: A. As an incident** Incidents are defined in ITIL as interruptions of normal service, including reductions in the quality of services that may violate an SLA. Problem management resolves the cause of problems, while incident response restores services to normal levels.
47
What description best explains the relationship between problems and incidents? A. Every problem is the result of an incident, but not all incidents are problems. B. Problems and incidents are distinct and unrelated. C. Problems are handled by support desks, and incidents are handled by security professionals. D. Every incident is the result of a problem, but not all problems are incidents.
**Answer: D. Every incident is the result of a problem, but not all problems are incidents.** All problems are potential causes of incidents, but not all problems result in incidents.
48
Olivia wants to establish key performance indicators compatible with ITIL for her availability management practice. Which of the following is not a useful availability KPI? A. Availability of the service relative to SLAs for the service B. The number of service interruptions C. The duration of the service interruptions D. The number of individuals impacted by service interruptions
**Answer: D. The number of individuals impacted by service interruptions** The number of individuals impacted is of interest to customers and management, but is not a useful KPI for availability.
49
What underlies the information security management according to ITIL v4? A. Event filtering and correlation rules B. Security advisories C. Information security policies D. Security alerts
**Answer: C. Information security policies** Information security policies, particularly what ITIL calls “underpinning information security policies,” are the basis of security management in ITIL.
50
Emily is in charge of her organization’s deployment management as part of a CI/CD pipeline. What process typically needs to occur for a deployment to occur? A. A change request must be approved. B. The change advisory board must review the change. C. Automated testing and validation must be completed successfully. D. The next version must enter the pipeline.
**Answer: C. Automated testing and validation must be completed successfully.** In a continuous integration/continuous delivery pipeline, automated testing is conducted, and the code must pass before it is released. A manual approval gate is not typically part of an automated pipeline; change requests and change advisory board review belong to traditional change management.
51
Chris wants to capture forensic data in his cloud environment. What type of capture methodology will most likely be used for virtual machines in a cloud infrastructure as a service environment? A. Forensic image acquisition using a tool like DD B. Use of the provider’s snapshot tool C. Forensic image acquisition using a tool like DBAN D. Use of the provider’s file copy utilities
**Answer: B. Use of the provider’s snapshot tool** Snapshots are the most common means of capturing disk images from virtual machines in IaaS environments. Using forensic image acquisition tools can be challenging in cloud environments due to a lack of access to the underlying hardware. DBAN is a wiping tool, and file copy utilities often don’t provide a complete forensically sound copy, although they may be the only option in some cases.
52
Tools like Terraform, CloudFormation, Ansible, Chef, and Puppet are often associated with what type of strategy? A. Incident response B. Agile SDLC C. Infrastructure as code D. Legal hold
**Answer: C. Infrastructure as code** These are examples of infrastructure-as-code (IaC) tools. While Agile pipelines may use Terraform, they would do so as part of an infrastructure as code strategy. They aren’t specifically used for incident response or legal hold strategies, but could be leveraged for both, once again as part of an infrastructure as code solution.
53
Alaina wants to align her organization’s service-level management to an ISO standard. Which ISO standard describes service management? A. ISO 20000- 1 B. ISO 27001 C. ITIL v4 D. COBIT
**Answer: A. ISO 20000-1** ISO 20000-1 describes service management. ISO 27001 describes an information security management system. ITIL is not an ISO standard, nor is COBIT; each is its own framework.
54
Rene is an SOC manager and wants to centralize incident and log information. What type of tool should she acquire and implement? A. NOC B. SIEM C. IPS D. DLP
**Answer: B. SIEM** A security information and event management (SIEM) system is the ideal tool for this purpose. A network operations center (NOC) is a team rather than a tool, an IPS (intrusion prevention system) won’t centralize logs and incident information, and DLP (data loss prevention) is intended to stop data from leaving an organization.
55
Amanda wants to use logging from her IaaS cloud environment to determine if an external user is accessing one of her servers. What type of logging should she enable in her cloud provider’s environment to do so? A. System logging B. Performance logging C. Flow logging D. Storage bucket logging
**Answer: C. Flow logging** Turning on flow logging can provide the visibility Amanda wants. Flows show which IP address contacted another IP address, the source and destination ports, and the volume of data. None of the other types of logging listed will be as useful for this task.
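How flow records answer Amanda’s question, as an added example that is not part of the flashcard set: the parser assumes the default 14-field AWS VPC flow log format (version 2), and the log lines, account ID, interface ID and addresses are all constructed for the example.

```python
"""Find external sources that reached a server, from VPC flow log records.

Added example, not from the flashcard set. Assumes the default 14-field
AWS VPC flow log format (version 2); the sample lines are constructed.
"""
import ipaddress
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample: one internal client, one external host that got in on
# 22 and 443, the server's reply flow, one rejected RDP probe, one NODATA line.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.1.10 52311 443 6 12 3402 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.42 10.0.1.10 41022 22 6 8 1120 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.42 10.0.1.10 41023 443 6 30 9800 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.10 203.0.113.42 443 41023 6 28 15000 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 55555 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Explicit list rather than ip.is_private: Python also treats the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private,
# which would hide the constructed "external" hosts above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def parse_flow_log(text):
    """One dict per usable record; NODATA/SKIPDATA and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(rec)
    return records


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def external_sources(records, server_ip, action="ACCEPT"):
    """Aggregate flows *to* server_ip from non-internal sources.

    action="ACCEPT" answers "who actually got in"; action="REJECT" shows what
    the security group or NACL turned away (scans and probes).
    """
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "dst_ports": set()})
    for r in records:
        if r["dstaddr"] != server_ip or r["action"] != action:
            continue
        if not is_external(r["srcaddr"]):
            continue
        h = hits[r["srcaddr"]]
        h["flows"] += 1
        h["bytes"] += int(r["bytes"])
        h["dst_ports"].add(int(r["dstport"]))
    return dict(hits)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for src, h in external_sources(recs, "10.0.1.10").items():
        print(src, h)
```

Flow logs carry no payload, so this tells Amanda who connected, on which ports and how much data moved, not what was said; the rejected flows are worth looking at separately, since a burst of REJECTs against many ports from one source is a scan even though nothing got through.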
56
What risk does an IPS pose that an IDS does not? A. An IPS cannot use signature-based detection. B. An IPS can block legitimate traffic. C. An IPS cannot use behavior-based detection. D. An IPS can fail open, while an IDS cannot.
**Answer: B. An IPS can block legitimate traffic.** Unlike an IDS, an IPS needs to be placed in-line with traffic. This means that an IPS can block legitimate traffic if it is improperly identified or if the IPS fails in a closed state. An IDS cannot fail open or closed, as it is not in-line. Both IDSs and IPSs can use signature and behavior-based detection.
57
Amanda wants to use her SIEM to detect attacks based on network traffic and behavior baselines that adapt to changes over time using learning techniques. What feature is she most likely to use for this purpose? A. AI B. Log correlation C. Threat intelligence D. Reporting
**Answer: A. AI** AI features in SIEM devices are often used to analyze and learn network traffic patterns, then use log correlation and threat intelligence features to identify unexpected and potentially malicious behavior while leveraging learning capabilities. Log correlation and threat intelligence alone will not do this; reporting is needed afterward.
58
Kathleen knows that her cloud provider makes a DHCP service available to systems in their IaaS environment. What does she know that her systems will receive from the DHCP server? A. A default gateway, subnet mask, DNS server, and IP address B. A default route, a subnet mask, an IP address, and a MAC address C. An IP address and a MAC address D. An IP address, a subnet mask, a DNS server, and firewall rule definitions for the local network
**Answer: A. A default gateway, subnet mask, DNS server, and IP address** A typical DHCP response will provide a default gateway, a subnet mask, DNS server information, and an IP address for the host to use. It does not assign MAC addresses to systems, since that’s a hardware-level setting; it doesn’t define a default route, just a default gateway; and it does not provide firewall rule definitions.
59
Ben wants to secure his virtualization environment. Which of the following is not a common security practice used to help protect virtualization infrastructure and systems? A. Enable secure boot. B. Disable cut and paste between the VM and console. C. Remove unnecessary hardware. D. Use the virtual machine console whenever possible.
**Answer: D. Use the virtual machine console whenever possible.** Using secure boot, disabling cut and paste between VMs and the console, and removing unnecessary hardware are all common security practices. Since the virtual machine console is equivalent to direct access to the system, use of the console should be limited to only critical actions, and the virtualization management platform should be used for the majority of actions.
60
Chelsea wants to prevent network-based attacks against her cloud-hosted system. Which of the following is not an appropriate solution to stop attacks? A. Honeypots B. Firewalls C. Security groups D. Intrusion prevention systems
**Answer: A. Honeypots** Honeypots are used to capture attack traffic for study, but aren’t used to stop attacks. Firewalls, security groups, and IPSs are all used to stop attacks by preventing malicious traffic from entering a network.
61
Methods for achieving high-availability cloud environments include all of the following except A. Using instances running on alternate CPU architectures B. Multiple system vendors for the same services C. Explicitly documented business continuity and disaster recovery (BC/DR) functions in the service-level agreement (SLA) or contract D. Failover capability back to the customer’s on-premises environment
**Answer: A. Using instances running on alternate CPU architectures** Using alternate CPU architectures isn’t a common high availability technique. Using multiple vendors, having SLAs in place, and using self-hosted failover capabilities are all methods that can achieve this goal.
62
Susan’s website is unable to be loaded by her customers due to a system outage. What ITIL practice should Susan invest in to ensure that this does not happen again? A. Availability management B. Deployment management C. Change management D. Capacity management
**Answer: A. Availability management** Susan’s outage points to a need for availability management. Susan may invest in redundant systems, additional monitoring, or other practices and design elements that can ensure her organization’s website will be more resilient and thus more available.
63
Li’s organization uses a software as a service(SaaS) tool for their productivity work. After a recent compromise of user credentials, Li wants to perform digital forensics. What types of information can Li obtain for forensic analysis in an SaaS environment? A. Logs B. Disk images C. VM snapshots D. Network packet capture data
**Answer: A. Logs** The only data that Li is likely to be able to obtain for forensic investigation is log files. Disk images, VM snapshots, and network packet capture data require lower-level access to systems and the network than a SaaS provider will normally make available.
64
What ISO/IEC 20000-1 capacity management subprocess is most closely aligned with SLAs with customers? A. Business capacity management B. Service capacity management C. Contract capacity management D. Component capacity management
**Answer: B. Service capacity management** Service capacity management measures performance and checks it against requirements set in SLAs and service-level requirements. Business capacity management involves interpreting business needs into requirements for services and architecture. Component capacity management focuses on the actual components of an infrastructure. Finally, contract capacity management is not an ISO/IEC 20000-1 capacity management subprocess.
65
Derek wants to set up a 24×7 team to monitor for and respond to security incidents. What should he implement? A. SIEM B. NAS C. SCCM D. SOC
**Answer: D. SOC** A SOC, or security operations center, can be physical or virtual, and typically consists of a team that monitors for security events on an ongoing basis. A SOC team is likely to use a SIEM (security information and event management) tool. NAS is network-attached storage, and SCCM is Microsoft’s System Center Configuration Manager, now branded as Endpoint Configuration Manager.
66
Hui’s organization uses a tool to automate the configuration, deployment, and coordination of hundreds of small IaaS instances that make up her organization’s application stack. What term best describes this type of tool? A. Scheduling B. Maintenance mode C. Orchestration D. Abstraction
**Answer: C. Orchestration** Hui’s organization is using a cloud orchestration technology to automate tasks in their cloud environment. That may include scheduling, but it covers a much broader set of tasks than just scheduling. Maintenance mode is used to remove running systems from a VM cluster to allow for hardware or software upgrades. Abstraction is a term that describes a means of hiding the details of a system, often as a way of making management or other tasks simpler.
67
Megan’s organization uses a tool that captures a system and network behavioral baseline, then monitors for changes from that baseline that may indicate compromises. The tool uses the data it captures to update its model and to become more accurate in its detections. What type of tool is Megan using? A. IPS B. Artificial intelligence C. Log analysis D. Forensic data capture
**Answer: B. Artificial intelligence** Megan is using an artificial intelligence (AI)-based tool that learns from the data it is exposed to and improves its capabilities. An IPS looks for malicious or unwanted network traffic and can block it. Log analysis may be involved in Megan’s tasks, but the problem describes far more than log analysis, and forensic data capture is done as part of investigations.
68
Jim has deployed a system that appears to be a vulnerable host on a network. The system is instrumented to capture attacker commands and tools. What type of network security control has Jim deployed? A. A honeypot B. A darknet C. A honeynet D. A bastion host
**Answer: A. A honeypot** Jim has deployed a honeypot, a system designed to capture attacker tools and techniques to allow for analysis. Honeynets are networks set up in a similar manner to detect network attacks and attack techniques. Darknets are unused IP ranges that are instrumented to look for unexpected traffic indicating probes by potential attackers. Bastion hosts are used to provide secure access from a lower security zone to a higher security zone.
69
Olivia has identified data that she wants to capture as part of a digital forensics effort. What step typically comes after forensic artifacts are identified? A. Analysis B. Documentation C. Presentation D. Preservation
**Answer: D. Preservation** Olivia knows that once the data or artifacts have been identified, preservation is the next step. Even if you’re not familiar with digital forensics techniques, you can consider the flow for a likely forensic capture process. Analysis, documentation, and presentation can’t be done until data is captured!
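What the preservation step looks like in practice, as an added example that is not part of the flashcard set: write the identified artifact once, make it read-only, hash it, and keep a custody record so later analysis can prove nothing changed. The artifact bytes, snapshot identifier and custody record layout are constructed for this example.

```python
"""Preserve an identified forensic artifact: write once, hash, record custody.

Added example, not from the flashcard set. The artifact bytes, source
identifier and custody record layout are constructed for illustration.
"""
import hashlib
import json
import os
import stat
import tempfile
import time


def sha256_file(path):
    """Stream the file so large disk images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_artifact(data, name, source, dest_dir, collector):
    """Write the artifact read-only and return the custody record, which is
    also written beside the artifact as <name>.custody.json."""
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, stat.S_IRUSR)  # owner read-only: no accidental writes
    record = {
        "artifact": path,
        "source": source,           # e.g. the snapshot or instance ID captured
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    # The hash of what landed on disk must match the hash of what was captured.
    if sha256_file(path) != record["sha256"]:
        raise IOError(f"write verification failed for {path}")
    with open(path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_artifact(record):
    """True if the preserved file still matches its recorded size and hash."""
    return (os.path.getsize(record["artifact"]) == record["size"]
            and sha256_file(record["artifact"]) == record["sha256"])


def demo(tamper=False):
    """Preserve a constructed volume image in a temp dir; optionally tamper with it."""
    dest = tempfile.mkdtemp(prefix="evidence-")
    sample = b"\x7fELF constructed sample volume bytes\n" * 100   # constructed
    rec = preserve_artifact(sample, "vol-0abc.img", "snap-0abc1234 (constructed)",
                            dest, "analyst")
    if tamper:
        os.chmod(rec["artifact"], stat.S_IRUSR | stat.S_IWUSR)
        with open(rec["artifact"], "r+b") as f:
            f.seek(0)
            f.write(b"X")      # same size, different content
    return verify_artifact(rec)


if __name__ == "__main__":
    print("intact:", demo(), "tampered:", demo(tamper=True))
```

The size check alone would pass the tampered copy; only the hash catches a same-length modification, which is why the custody record carries the digest and not just the byte count.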
70
Mike’s organization is considering adopting an infrastructure as code (IaC) strategy. What should Mike identify as a potential risk in an IaC environment? A. IaC decreases consistency. B. IaC is not easily updated. C. IaC decreases speed. D. IaC can cause errors to spread quickly.
**Answer: D. IaC can cause errors to spread quickly.** IaC can cause errors to spread quickly. It actually helps increase consistency by removing opportunities for human error, it is easily updated, and it increases speed in most cases.
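Because an IaC error is applied everywhere at once, the usual control is a check that runs on the plan before anything is applied. The guardrail below is an added example that is not part of the flashcard set and also illustrates the Terraform tooling mentioned in question 52; it assumes the JSON layout produced by `terraform show -json`, with the `aws_security_group` ingress attribute names (`from_port`, `to_port`, `protocol`, `cidr_blocks`, `ipv6_cidr_blocks`), and the plan itself is constructed.

```python
"""Pre-apply IaC guardrail: flag world-reachable ingress in a Terraform plan.

Added example, not from the flashcard set. Assumes the `terraform show -json`
plan layout and aws_security_group ingress attribute names; SAMPLE_PLAN is
constructed for this example.
"""
import ipaddress
import json

SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "change": {"actions": ["create"], "after": {"ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp",
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}]}}},
  {"address": "aws_security_group.admin", "type": "aws_security_group",
   "change": {"actions": ["update"], "after": {"ingress": [
     {"from_port": 22, "to_port": 22, "protocol": "tcp",
      "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
     {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
      "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}},
  {"address": "aws_security_group.old", "type": "aws_security_group",
   "change": {"actions": ["delete"], "after": null}}
]}
""")


def _is_anywhere(cidr):
    # 0.0.0.0/0 and ::/0 are the only networks with a zero-length prefix.
    return ipaddress.ip_network(cidr).prefixlen == 0


def world_reachable_ingress(plan, allowed_public_ports=frozenset({80, 443})):
    """Findings for ingress rules open to any address on a port outside
    allowed_public_ports, or on all ports (protocol "-1")."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_security_group":
            continue
        after = rc.get("change", {}).get("after")
        if not after:                 # deletion, or value unknown until apply
            continue
        for rule in after.get("ingress") or []:
            cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
            open_cidrs = [c for c in cidrs if _is_anywhere(c)]
            if not open_cidrs:
                continue
            all_ports = rule.get("protocol") == "-1"
            ports = set() if all_ports else set(
                range(int(rule["from_port"]), int(rule["to_port"]) + 1))
            if all_ports or not ports <= allowed_public_ports:
                findings.append({"address": rc["address"],
                                 "ports": "all" if all_ports else sorted(ports),
                                 "cidrs": open_cidrs})
    return findings


def gate(plan):
    """CI gate: True when the plan may be applied, False to stop the pipeline."""
    return not world_reachable_ingress(plan)


if __name__ == "__main__":
    for f in world_reachable_ingress(SAMPLE_PLAN):
        print("BLOCK", f)
    print("apply allowed:", gate(SAMPLE_PLAN))
```

Run against the plan artifact in the pipeline step between `terraform plan` and `terraform apply`; a non-empty finding list fails the job, so the mistake is caught once, in review, instead of being rolled out to every environment the module is used in.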
71
Keith is preparing to implement a storage cluster for his organization. Which of the following is not a benefit that he can expect to come from using storage clusters? A. Lower cost B. Higher performance C. Greater availability D. Increased capacity
**Answer: A. Lower cost** The benefits of any clustered environment come at the cost of higher prices. Keith should expect to spend more money, but gain performance, availability and reliability, and capacity depending on his configuration and design choices.
72
Lisa wants to maintain a configuration model for her organization that contains all of the information that the organization needs about their CIs(configuration items). What ITIL process should she follow? A. Configuration Control B. Configuration identification C. Configuration verification D. Configuration audit
**Answer: B. Configuration identification** ITIL’s configuration identification subprocess defines and maintains the configuration model: it identifies and specifies the attributes for each configuration item type and subcomponent and the relationships between each CI or subcomponent and others in the organization. Configuration control focuses on managing changes in the configuration management system. Configuration verification and audit is a single subprocess, and validates that configurations match what is expected.
73
Dan is considering what key data he should gather about systems in his IaaS environment. He is moving from a traditional on-site datacenter and has the following list of monitoring items he currently tracks. Which of the following will he still be able to track in an IaaS platform? A. CPU utilization B. Fan speed C. System temperature D. CPU voltage
**Answer: A. CPU utilization** The only metric among those listed that is typically available to customers in an infrastructure as a service environment is CPU utilization to help track usage.
74
What term is used to describe a component or service that needs to be managed as part of configuration management efforts in an organization? A. Configuration model B. Configuration record C. Configuration item D. Service asset
**Answer: C. Configuration item** CIs (configuration items) are the components or services that are managed as part of a configuration management effort. Configuration models are used to evaluate changes and causes of incidents. Configuration records are the records that describe configuration item relationships and settings. Service assets include a range of things that allow organizations to deliver services, including third-party vendor services.
75
Henry knows that his IaaS provider bills are based on usage for his instances. Which of the following is not usually a billable item for IaaS providers for their typical instances? A. Compute usage B. Network bandwidth usage C. Storage usage D. Latency
**Answer: D. Latency** While bandwidth, compute, and storage usage are all typically measured and billed, latency is usually not directly charged for. Instead, providers are likely to provide a distinct low-latency service if they charge for latency-related items.
76
Charles wants to obtain forensic artifacts for his IaaS cloud-hosted systems. Which of the following is not an artifact typically captured for IaaS cloud-hosted systems? A. The hypervisor’s memory state B. Disk volumes C. The instance’s memory state D. Logs from the cloud environment
**Answer: A. The hypervisor’s memory state** Customers are typically unable to obtain forensic data from the underlying infrastructure in an infrastructure as a service environment. Instance memory, disk volumes, and logs from the cloud environment are all common cloud forensic artifacts.
77
Selah wants to conduct a vulnerability scan of her SaaS provider’s service as part of her ongoing security operations responsibility. What should she do? A. Contact the provider and ask about appropriate scan windows. B. Request vulnerability scan data from the vendor. C. Scan the provider on a regular basis whenever she wants to. D. Consider asking the SaaS provider about their own patching and scanning practices.
**Answer: D. Consider asking the SaaS provider about their own patching and scanning practices.** SaaS providers are unlikely to allow third parties to scan their production services. While Selah could just scan her provider anyway, this is often prohibited in contracts that customers sign with their provider. Instead, Selah should ask the vendor about their patching and scanning practices to determine if they are appropriate to her organization’s risk tolerance and to see if documentation or attestation of practices, such as a SOC 2 report, is available.
78
Which of the following has the highest impact in determining whether the business continuity and disaster recovery (BC/DR) effort has a chance of being successful? A. Perform an integrity check on archived data to ensure that the backup process is not corrupting the data. B. Encrypt all archived data to ensure that it can’t be exposed while at rest in the long term. C. Periodically restore from backups. D. Train all personnel on BC/DR actions they should take to preserve health and human safety.
**Answer: C. Periodically restore from backups.** If backups aren’t working properly, or cannot be restored, checking all of the other actions described won’t be of use.
79
Chris wants to use an ISO standard for collecting, preserving, and identifying electronic evidence. What ISO standard should he select? A. ISO/IEC 27001:2012 B. ISO/IEC 27037:2012 C. ISO/IEC 9000:2016 D. ISO/IEC 27002:2022
**Answer: B. ISO/IEC 27037:2012** A number of ISO standards related to forensics exist, including 27037, 27041, 27043, and 27050-1. ISO 27001 covers the best practice standards for information security management, and 27002 describes security controls. The ISO 9000 series covers quality management.
80
Melissa is responsible for establishing an SOC in her organization. Which of the following services is not a typical SOC offering? A. Vulnerability management B. Threat management C. Incident response D. eDiscovery
**Answer: D. eDiscovery** **Security operations centers typically do not provide eDiscovery services.** They take on threat and intelligence monitoring, incident response and recovery, threat and vulnerability management, and data protection tasks, among many others.
81
Ryan wants to perform a backup of his GitHub-hosted code repository. What option should he choose to ensure that he has a backup he controls? A. Use GitHub’s built-in backup capability. B. Use the API to clone the repository. C. Use GitHub’s snapshot tool to clone the repository to another repo. D. Use a third-party GitHub repository copy.
**Answer: B. Use the API to clone the repository.** Ryan’s best option is to use GitHub’s APIs to download the repository and then to store it in a secure location. Relying on GitHub’s own backup practices leaves GitHub in control of the code and Ryan vulnerable to outages, and reliance on third-party sites doesn’t give Ryan control of the backups either.
82
ISO/IEC 20000-1 includes three subprocesses for capacity management. Which of the following lists matches those three subprocesses? A. Business capacity management, service capacity management, component capacity management B. Staffing capacity management, service capacity management, component capacity management C. Business capacity management, service capacity management, organizational capacity management D. Staffing capacity management, business capacity management, and component capacity management
**Answer: A. Business capacity management, service capacity management, component capacity management** ISO/IEC 20000-1 focuses on business capacity management, service capacity management, and component capacity management.
83
Maria is planning her organization’s ISO/IEC 20000-1–based release management plan. Which of the following elements is not typically part of an RDM plan? A. Risk assessment B. Build planning C. Testing D. Decommissioning
**Answer: D. Decommissioning** Release and deployment plans focus on creating and deploying releases. Lifecycle management is handled under other sections of the ISO standard and not within RDM plans.
84
Hannah wants to align her information security management program to ISO/IEC 20000-1. According to the standard, what must be done with an information security policy? A. Establish, approve, and communicate an information security policy. B. Create and regularly update an information security policy. C. Adopt an ISO/IEC standard template-based information security policy. D. Undergo a third-party review of the organization’s security policy.
**Answer: A. Establish, approve, and communicate an information security policy.** ISO/IEC 20000-1 requires that organizations establish, approve, and communicate their information security policy. If you’re not familiar with ISO/IEC 20000-1 or similar standards, review the list of answers for unlikely answers, like requirements for third-party review. Using a standardized template can help to narrow down answers for questions like these.
85
Mike’s VMware cluster moves virtual machines from heavily loaded hosts to hosts with lower loads. What technology is Mike using? A. Automatic instance management B. Distributed resource scheduling C. Round-robin load balancing D. Instance segregation
**Answer: B. Distributed resource scheduling** Distributed resource scheduling in VMware moves virtual machines from heavily loaded hosts to those with more resources available to help balance the load across the cluster. Automatic instance management and instance segregation were made up for this question, and round-robin load balancing is a form of load balancing where requests are distributed to each server in a cluster as they come in based on a list.
86
Which of the following is not commonly measured as part of a disk’s hardware monitoring? A. Powered-on time B. Drive temperature C. Drive health D. Used capacity
**Answer: D. Used capacity** The amount of data stored on a drive isn’t considered a hardware monitoring item. Powered-on time, temperature, and drive health are all elements of hardware monitoring.
87
ITIL v4 defines four subprocesses for service-level management. Which of the following is not one of the four subprocesses? A. Maintenance of the service-level management framework B. Identification of service requirements C. Pricing structures and penalties D. Service-level monitoring and reporting
**Answer: C. Pricing structures and penalties** The missing fourth item should be agreement sign-off and service activation, including service-level agreements and the service acceptance criteria. Pricing is not part of ITIL v4 service management processes.
88
Michelle wants to run an application from low-trust devices. What type of cloud-based solution could help her run the application in a secure way? A. Use a local virtual machine. B. Use a bastion host. C. Use a jumpbox. D. Use a virtual client.
**Answer: D. Use a virtual client.** Michelle should select a virtual client that allows her to run her application in a cloud-hosted environment. This will allow the application to run in a secure location while still allowing her to access it from lower-trust devices.
89
Because most cloud environments rely heavily on virtualization, it is important to lock down or harden the virtualization software or any software involved in virtualization. Which of the following is not an element of hardening software? A. Removing unused services and libraries B. Maintaining a strict license catalog C. Patching and updating as necessary D. Removing default accounts
**Answer: B. Maintaining a strict license catalog** While maintaining a library of software licenses is important, it is not part of hardening practices.
90
What key document in business continuity management practices ensures that organizations can return to a known, consistent state as well as to a working state? A. The business continuity strategy B. The recovery plan C. The IT service continuity report D. The disaster recovery invocation guideline
**Answer: B. The recovery plan** In ITIL the recovery plan includes detailed plans for returning systems and services to a working state and can also include recovering data to a known consistent state. The business continuity strategy sets the strategy for business functions. IT service continuity plans focus on how to ensure continuity during specified disasters for services and systems. Disaster Recovery invocation guidelines explain how and when to invoke the DR procedures.
91
Jason’s company operates their small business in a cloud-hosted environment. After a recent breach, Jason wants to conduct forensics. What should Jason do to ensure his organization conducts proper forensic capture in a cloud environment if he is not a forensic practitioner? A. Follow ISO standards to identify and preserve the data. B. Engage third-party forensic professionals. C. Follow his cloud provider’s best practices to identify and preserve the data. D. Request that his cloud provider perform the forensic efforts.
**Answer: B. Engage third-party forensic professionals.** For many organizations, the best option to select when facing cloud forensic investigations is to engage a third party. In this case, without an internal expert and as a small company, Jason’s best bet is third-party experts.
92
Which of the following factors would probably most affect the design of a cloud datacenter? A. Geographic location B. Proximity to population centers C. Cost D. Security requirements
**Answer: A. Geographic location** A facility’s geographic location influences both the requirements for things like HVAC as well as environmental threats like extreme weather. Proximity to population centers may have a secondary influence on utilities or staffing, and both cost and security requirements may influence the design, but the larger impact is from its geographic location.
93
Rick is creating a policy defining his organization’s change management process. Which of the following is not a common change management policy element? A. Defining the composition of the change management board B. The change management process itself C. A requirement to prevent deviation from the baselines established in the policy D. Enforcement measures
**Answer: C. A requirement to prevent deviation from the baselines established in the policy** Change management practices and baselines need to include methods for handling deviations in reasonable ways. That means Rick should ensure that the policy includes an assignment of tasks, including deviation notification and documentation.
94
Which of the following cloud datacenter functions do not have to be performed on isolated networks? A. Customer access provision B. Management system control interface C. Storage controller access D. Customer production activities
**Answer: D. Customer production activities** The production activities will make full use of pooled resources, so they will not be isolated unless the customer is paying for that specific characteristic of service. Provisioning, management, and access to storage should all be isolated to ensure the security of those functions.
95
Q

When cloud computing professionals use the phrase ping, power, pipe, which of the following characteristics is not being described?

A. Logical connectivity
B. Human interaction
C. Electricity
D. Facility space

A

**Answer: B. Human interaction**

User interaction with the cloud is not described in this phrase. Ping, power, and pipe refer to connectivity, power, and facility space with services like HVAC.
96
Q

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own datacenter located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which tier of the Uptime Institute rating system should you be looking for, if minimizing cost is your ultimate goal?

A. 1
B. 3
C. 4
D. 8

A

**Answer: A. 1**

For the purposes described in the question, a Tier 1 datacenter should suffice; it is the cheapest, and you need it only for occasional backup purposes (as opposed to constant access). The details of location and market are irrelevant and just distractors.
97
Q

Isaac is the IT manager for a small surgical center. His organization is reviewing upgrade options for its current, on-premises datacenter. The organization wants to increase its disaster recovery and business continuity capabilities without making significant investments in staffing or technology. Which of the following options should Isaac recommend?

A. Building a completely new datacenter
B. Adding additional DR/BC capabilities to the existing datacenter
C. Moving to a cloud-hosted datacenter
D. Staying with the current datacenter

A

**Answer: C. Moving to a cloud-hosted datacenter**

The most effective way for Isaac to acquire meaningful BC/DR capabilities is to move to a cloud-hosted datacenter. This means that his organization doesn’t have to make major investments in its datacenter to add capabilities. Of course, staying with the current datacenter already fails to meet his needs.
98
Q

What does chain-of-custody documentation and tracking help with?

A. Nonrepudiation
B. Plausible deniability
C. Data tampering by investigators
D. Engaging with law enforcement

A

**Answer: A. Nonrepudiation**

Creating and maintaining proper chain-of-custody documentation provides nonrepudiation for the process, ensuring that the handling will survive scrutiny at a later date. Data tampering by investigators could still occur, but would be identified in a properly documented chain. Chain of custody might be required by law enforcement, but it won’t help the company engage with them, and plausible deniability is not a forensic concept.
99
Q

Ben wants to provide logical separation between two network segments. What technology is often used to define networks for this purpose?

A. DHCP
B. VLANs
C. VPNs
D. STP

A

**Answer: B. VLANs**

VLANs (virtual local area networks) are logical overlays used to segregate network devices. DHCP (Dynamic Host Configuration Protocol) provides a means of giving systems IP addresses and other important network information automatically when requested. VPNs (virtual private networks) are used to create secure channels between networks, typically over untrusted networks, and STP (Spanning Tree Protocol) is used to prevent loops in networks.
100
Q

When designing a cloud datacenter, which of the following aspects is not necessary to ensure continuity of operations during contingency operations?

A. Access to clean water
B. Broadband data connection
C. Extended battery backup
D. Physical access to the datacenter

A

**Answer: C. Extended battery backup**

Backup power does not have to be delivered by batteries; it can be fed to the datacenter through redundant utility lines or from a generator.