Domain 5 Cloud Security Operations Wiley

Question 1

What term is used to describe agreements between IT service providers and customers that describe service level targets and responsibilities of the customer and provider?

A. OLA
B. SAC
C. SLA
D. SLR

Answer 1

C. SLA

Explanation:
Service level agreement defines service level targets and the responsibilities of the IT service provider and customer.
An OLA (operational level agreement) is an internal agreement between the IT service provider and another part of the same organization and supports the service providers delivery of the service.
Service Acceptance Criteria (SAC) are the criteria used to determine whether a service meets its quality and functionality goals.
Finally, a service level requirement (SLR) defines the requirements of a service from the customers perspective

Question 2

Sally is building her organizations communication plans and knows that customers are an important group to include in the plan. What key function does proactive customer communication help with?

A. Notification of breaches
B. Regulatory compliance
C. Managing expectations
D. Problem management

Answer 2

C. Managing expectations

Explanation:
Proactive customer communications is key to managing expectations. Reactive communications are often used for data breach notification, regulatory compliance and problem management

Question 3

Juanita has discovered unexpected programs running on her freshly installed Linux system that was built using her cloud providers custom Linux distribution but that did not allow connections from the internet yet. What is the most likely reason for this?

A. Juanita inadvertently installed additional tools during the installation process
B. The version of Linux automatically downloads helper agents when installed.
C. Cloud vendors often install helper utilities in their own distributions
D. Attackers have installed applications

Answer 3

C. Cloud vendors often install helper utilities in their own distributions

Explanation:
Juanita knows that the major cloud vendors provide their own customized versions of Linux that often include additional agents and tools to help them work better with the providers infrastructure. She should verify that this is the case, but it is the most likely scenario for a freshly built system as described

Question 4

Ben wants to manage OS and application patches for thousands of machines hosted in an IaaS vendors cloud. What should he do?

A. Use the cloud vendors native patch management tools
B. Use the OS vendors patch management tools
C. Use manual update processes
D. Write custom scripts to manage updates

Answer 4

A. Use the cloud vendors native patch management tools

Explanation:
When managing systems at scale in the cloud, Ben knows that the best option is to use the cloud IaaS vendors tools, particularly because they are typically designed to handle both OS that may have special features to work in the vendors environment and applications

Question 5

Jasons organization is required to provide information about its cloud operating environment, including yearly audit information to regulators in his industry. What is he most likely to be able to provide to the regulators when they ask for a security audit of his hosted environment?

A. A recent audit conducted by staff from Jason’s organization
B. A recent audit conducted by a third party auditor hired by Jasons organization
C. Direct audit permissions for the regulators to audit the cloud provider
D. A copy of the cloud providers third party audit results

Answer 5

D. A copy of the cloud providers third party audit results

Explanation:
Jason knows that cloud service providers typically do not allow direct or third party audits of their systems and services but they do provide audit results to customers

Question 6

Tracy has set up a cloud hardware security module service for her organization in her cloud hosted environment. What activity is she preparing for?

A. Securely storing and managing secrets
B. Ensuring end to end encryption between cloud and on site systems
C. Managing the security of the underlying hardware in the environment
D. Detecting attacks against hosted systems

Answer 6

A. Securely storing and managing secrets

Explanation:
A cloud hardware security module (HSM) is used to create, store and manage secrets

Question 7

Charles wants to be able to create new servers as needed for his environment using variables and configuration files to configure the systems to meet changing needs. What type of solution should he implement to help with this type of orchestration?

A. A CI/CD pipeline
B. Infrastructure as code
C. A check in/check out design
D. An application interface

Answer 7

B. Infrastructure as code

Explanation:
Charles knows that his situation calls for an infrastructure as code design, which uses code and configuration files or variables to allow rapid deployment using scripts and automated tools. A CI/CD pipeline will often leverage infrastructure as code and automation tools, but it doesnt directly meet this need. APIs (application programming interfaces) are used to access data from services and check in/checkout design was made up for this question

Question 8

James wants to establish key performance indicators for his service continuity management practice based on ITIL. Which of the following is a useful KPI for service continuity management?

A. The number of business processes with continuity agreements
B. The number of vulnerabilities found in installed software per period of time
C. The number of patches installed per period of time
D. The number of natural disasters in the local area in a year

Answer 8

A. The number of business processes with continuity agreements

Explanation:
From a service continuity management perspective, the number of business processes with continuity agreements is the only relevant answer from this list. Understanding the number of business practices that have continuity planning in place and assessing which gaps in coverage are critical is a common practice to improve service continuity

Question 9

Zoe wants to speed up her traditional release management process. What modern approach is best suited to an ITIL v4 based rapid release oriented organization?

A. Waterfall
B. Agile/DevOps
C. Spiral
D. RAID

Answer 9

B. Agile/DevOps

Explanation:
Agile and DevOps are well suited to rapid release cycles, with continuous integration and continuous delivery processes. Waterfall and spiral both tend to take longer periods of time for each release, and RAD is not as widely adopted and not as release focused.

Question 10

ITIL v4 includes a seven step continual improvement model. What item occurs at the end of the process before it starts again?

A. Determining the vision
B. Assessing results
C. Taking action
D. Determining the goal

Answer 10

B. Assessing results

Explanation:
Assessing results occurs at the end of the seven step process, helping provide feedback into the next cycles vision determination phase

Question 11

Tim puts a server in his virtualization environment into maintenance mode. Which of the following events will occur?

A. Migrates the running virtual machines to other hardware
B. Pauses all running VMs immediate
C. Sends a notification to users, then pauses running VMs
D. Mark the machine as unavailable for new VMs

Answer 11

A. Migrates the running virtual machines to other hardware

Explanation:
Maintenance mode migrates virtual machines to other hosts or waits until they are powered down to allow for hardware or other maintenance. Tim knows that he will need to ensure all VMs are migrated or shut down and that he can then perform maintenance

Question 12

Kathleens wants to centralize her log capture and analysis capabilities and use automated tools to help her identify likely security issues. What type of tool should she look for?

A. SIEM
B. IPS
C. CASB
D. MITRE

Answer 12

A. SIEM

Explanation:
Kathleen should look for a security information and event management (SIEM) tool. They are used to centralized log collection, analysis, and detection capabilities and often have automated methods of ding issues and alerting on them. An IPS is used to detect and stop attacks, a CASB is used to control and manage access to cloud services and MITRE is a US government funded research organization with a heavy focus on security work

Question 13

Elaine wants to ensure that traffic is encrypted in transit. What technology is commonly used to secure data in transit?

A. VLANs
B. TLS
C. DNSSEC
D. DHCP

Answer 13

B. TLS

Explanation:
TLS is an encryption protocol used to secure data in transit. VLANs are used to logically separate network segments, DNSSEC is intended to provide security to domain name system requests, and DHCP provides IP addresses and other network configuration information to systems automatically

Question 14

Ujama wants to protect systems in his environment from being accessed via SSH. What should he do if he needs to leave the service available for local connections?

A. Block inbound connections to TCP port 3389 on his firewall
B. Block outbound connections to TCP port 3389 on his firewall
C. Block inbound connections to TCP port 22 on his firewall
D. Block outbound connections to TCP port 22 on his firewall

Answer 14

C. Block inbound connections to TCP port 22 on his firewall

Explanation:
Blocking inbound connections to port 22, the default SSH port will stop attackers and third parties from outside of the network from accessing SSH as long as it hasnt been changed to another port. TCP 3389 is associated with RDP

Question 15

Ron wants to use a central system to store information about system and software configurations and their relationships. What tool is often used for this support standards based configuration management practices like those found in ITIL v4?

A. CRM
B. CMDB
C. Configuration item
D. Change catalog

Answer 15

B. CMDB

Explanation:
A configuration management database (CMDB) is frequently used in mature standards based configuration management environments where it stores both configuration management and information about relationships between configuration items (CIs). CRMs are customer relationship management tools and arent part of the CCSP exam. A change catalog was made up for this question

Question 16

Maria’s manager is concerned about patching for the underlying cloud environment that her PaaS vendor provides. What should Maria tell her manager?

A. Maria’s organization is responsible for patching and needs to set up a regular patch cycle
B. The vendor is responsible for patching and there is no patching that needs to be done by customers in a PaaS environment
C. Negotiations need to be done with the vendor to determine which organization is responsible for patch management
D. The contract will determine which organization is responsible for patch management

Answer 16

B. The vendor is responsible for patching and there is no patching that needs to be done by customers in a PaaS environment

Explanation:
Maria knows that PaaS environments are patched by the vendor and that she does not need to perform patching of the software or cloud service. She may, however, have to decide when to adopt patches or versions - although she wont be able to delay adopting new versions forever

Question 17

ITIL v4 describes three sub-processes related to availability management. What are these three sub-processes?

A. Designing services for availability, disaster recovery testing, determining availability targets
B. Availability management, availability metrics, and availability improvement
C. Designing services for availability, availability testing, and availability monitoring and reporting
D. Availability planning, availability improvement, availability validation

Answer 17

C. Designing services for availability, availability testing, and availability monitoring and reporting

Explanation:
The ITIL sub-processes for availability management are designing services for availability, availability testing and availability monitoring and reporting. Even if you’re not familiar with ITIL, thinking about a standards based approach to availability might help you - design, testing and monitoring are all logical steps in a process like this

Question 18

Naomis organization has recently experienced a data breach. Which of the following parties is least likely to require notification based on existing contracts or regulations?

A. Customers
B. Vendors
C. Regulators
D. Partners

Answer 18

B. Vendors

Explanation:
Vendors are the least likely to have contractual or regulatory requirements that mean they must be notified. Vendors often have to tell their customers about breaches, but customers typically do not need to tell their vendors

Question 19

Megan is starting her organization’s change management practices. She has conduced an asset inventory. What step is typically next in a change management process?

A. Create a baseline
B. Deploy new assets
C. Establishing a CMB
D> Documenting deviations from the baseline

Answer 19

A. Create a baseline

Explanation:
Megan’s next step once she has an inventory is to create a baseline. With that in hand she can establish a CMB, deploy new assets configured to meet the baseline and document deviations that the CMB approves if needed

Question 20

Dan wants to use clipboard based drag and drop between his virtualized desktops in a Type 2 hypervisor environment. Which of the following steps is most likely to allow him to access additional features that require virtualization environment integration to work?

A. Building the virtual machines as containers
B. Installing guest operating system virtualization tools
C. Installing virtualization environment orchestration tools
D. Building the containers as virtual machines

Answer 20

B. Installing guest operating system virtualization tools

Explanation:
Guest operating system virtualization tools add additional functionality like use of GPUs, shared clipboards, and drag and drop between guest OS, shared folders and similar features that require additional integration between the guest OS and the underlying hypervisor and hardware

Question 21

Geoff knows that ITIL v4 focuses on four information security management policies. Which of these processes could involve an SOC 2 Type 2 audit?

A. Design of security controls
B. Security testing
C. Management of security incidents
D. Security Review

Answer 21

D. Security Review

Explanation:
The security review objective focuses on whether security practices and procedures align to risk tolerance for the organization and includes verification and testing like an SOC 2 Type 2 audit does. Design, testing and management of incidents involve the topics they describe

Question 22

Theresa is building an automated CI/CD pipeline. She wants to ensure that code that passes through the pipeline is secure before it moves from staging to production. What is her best option if she wants to test the running application?

A. Manual static code review
B. Automated code review
C. Using a web application firewall
D. Using an IPS

Answer 22

B. Automated code review

Explanation:
Ensuring that the code itself is secure in an automated process requires a tool that can be run as part of the process. That means that the only option from the list that is viable is an automated review of code. Manual static code review isnt a good fit for a CI/CD pipeline in most cases due to speed requirements. WAFs and IPS scan help protection the application but again they do not test the code or make the application itself more secure

Question 23

The Cloud Security Alliance’s Cloud Incident Response (CIR) framework documents typical breakdowns for customers versus cloud provider responsibilities in incident response, including point to cloud provider as being responsible for almost all risks in an SaaS environment, who is responsible for network risks?

A. The customer
B. Both the customer and the service provider
C. The service provider
D. Third party incident responders

Answer 23

B. Both the customer and the service provider

Explanation:
Since IaaS provides the customer with access to and control over some of the network, they must take responsibility for network based risks. The IaaS provider provides services and infrastructure, and thus must take responsibility for some of the network based risks as well. Third party incident responders do not play a role in risk responsibility in this model

Question 24

Eleanor wants to build her organizations change management processes. What is the typical first step for change management efforts?

A. Policy creation
B. Baselining
C. Documentation creation
D. Vulnerability scanning

Answer 24

B. Baselining

Explanation:
Configuration management typically starts with baselining. While policies and documentation are important, creating a baseline allows organizations to understand what they have and what state it is in, a critical part of the change management practice

Question 25

Juanita is responsible for a web application that is split between an on site application environment and a cloud hosted database. Juanita knows the application performs thousands of small database queries for some transactions. What performance monitoring option is most important to her applications performance?

A. The network routes between datacenters
B. Network throughput between the two datacenters
C. The bandwdith between the two datacenters
D. Network response time (latency) between the datacenters

Answer 25

D. Network response time (latency) between the datacenters

Explanation:
Network latency is the critical factor when transaction volume is key. Bandwidth is less critical for small transactions, even when there are thousands of them. Routes may influence all of these options but arent as critical as the impact they have on the traffic.

Question 26

Kolin needs to collect forensic data from an Azure hosted VM. What should he do to validate his forensic data after capturing disk snapshots for the VMs OS and data disks?

A. Compare hashes of the VMs OS and data disks and the snapshots of each
B. Make two copies of the snapshots and compare hashes between the snapshot hashes
C. Export the VM as a hash, then validate the hash
D. Export the VM as a disk image and compare the disk image’s digital signature to the original

Answer 26

A. Compare hashes of the VMs OS and data disks and the snapshots of each

Explanation:
Azure’s best practices suggest creating disk snapshots for both the VMs OS and data disks, safely storing the snapshots, then comparing hashes between the images and the originals. Comparing the hashes of a snapshot to a copy wont validate it against the original, VMs cant be exported as hashes, and disk images arent signed in a way that makes sense for this type of forensic use.

Question 27

Ilya wants to use an ITIL v4-based practice for capacity and performance management. Which of the following is not a typical subprocess for capacity and performance management under ITIL?

A. Customer KPI oversight
B. Service capacity management
C. Component capacity management
D. Capacity management reporting

Answer 27

A. Customer KPI oversight

Explanation:
Businesses typically dont manage customer capacity. Instead, they would assess their own capacity, know as business capacity management

Question 28

Nick’s organization has experienced a data breach of their cloud hosted environment. Which of the following is most likely to need to be communicated with based on regulations?

A. Vendors
B. Customers
C. Partners
D. Law enforcement

Answer 28

B. Customers

Explanation:
Data breach regulations typically focus on customer notification. Nick should work with legal counsel to ensure that his organization is compliant with any notification requirements for his industry and location

Question 29

Valerie has created disk images of virtual machines running in her cloud environment. What key digital forensic requirement should she ensure is handled properly if she believes that the information be used for a legal case in the future?

A. Legal hold
B. Chain of custody
C. Seizure requirements
D. Disposal requirements

Answer 29

B. Chain of custody

Explanation:
Valerie should carefully document the chain of custody for the disk images so that they can be considered valid for potential legal action. Legal hold is the process for preserving data for legal action, not for documenting actions taken with disk images and other forensic artifacts. Seizure is a type of acquisition but isnt mentioned here, and disposal would occur after the potential legal case

Question 30

Asha wants to take advantage of her cloud providers ability to schedule instances to match her business practices. What practice will help her handle a large number of instances with different scheduling requirements?

A. Using a third party scheduler
B. Enabling auto scheduling
C. Tagging
D. Disabling unused instances

Answer 30

C. Tagging

Explanation:
Tagging is a critical part of instance scheduling, but even more so for large numbers of instances. It allows schedules to be easily applied to all instances with the proper tags. Since Asha wants to use her cloud providers scheduling, a third party does not meet her requirements. Autoscheduling was made up for this question, and disabling unused instances help with spend but doesnt help more than tagging would for scheduling

Question 31

Which of the following is not an aspect of host hardening?

A. Removing all unnecessary software and services
B. Patching and updating as needed
C. Adding a new hardware to provide increased performance
D. Installing a host based firewall and an intrusion detection system

Answer 31

C. Adding a new hardware to provide increased performance

Explanation:
Adding new hardware to increase performance is not an element of hardening. Hardening is the process of provisioning a specific element (in this case, a host) against attack. Audits don’t protect against attacks; they only detect and direct responses to attacks

Question 32

Isabell has been asked to review her organizations patch management scheme. The current process focuses on manual patch installation on a weekly window. Isabella is interested in moving to an automated patch deployment process on a more frequent basis. What risk is commonly associated with automated patching systems?

A. The potential to disrupt systems due a t patching issue or bad patch
B. The inability to report on patches that fail installation
C. The inability to report on patches that are not installed
D. The potential to increase patching speed and accuracy

Answer 32

A. The potential to disrupt systems due a t patching issue or bad patch

Explanation:
Automated patching systems can cause disruptions if a bad patch is released or if there is an installation problem that is not detected. That means that a human is often in the loop for patching, or that patches are installed in nonproduction environments first where they can be validated prior to further installation and on systems that do not have patches in place, and it is a desirable feature to speed patching and patch accuracy via automation

Question 33

In order to enhance virtual environment isolation and security, a best practice is to:

A. Ensure that all virtual switches are not connected to the physical network
B. Ensure that management systems are connected to a different physical network than the production systems
C. Never connect a virtual switch to a physical host
D. Connect physical devices only with virtual switches

Answer 33

B. Ensure that management systems are connected to a different physical network than the production systems

Explanation:
The management systems control the entirety of the virtual environment and are therefore extremely valuable and need to be protected accordingly. When possible, isolating those management systems, both physically and virtually, is optimum

Question 34

Deployment management is a component of which service management practice in ITIL v4?

A. Problem management
B. Release management
C. Change Management
D. IT Asset Management

Answer 34

B. Release management

Explanation:
ITIL v4 categorizes deployment management as part of release management

Question 35

Carlos wants to monitor CPU load, temperature and voltages for his virtual machine. What should Carlos do to achieve this?

A. Carlos cannot track temperature and voltages for his virtual system, but he can track load using the underlying hardware
B. Carlos cannot track load, but he can track temperature and voltages for his virtual system and should use the underlying hardware for the VM
C. Carlos cannot track temperature and voltages for a virtual CPU, but he can track load via the OS
D. Carlos cannot track load and voltages, but he can install a thermal sensor to track his virtual machine’s temperature

Answer 35

C. Carlos cannot track temperature and voltages for a virtual CPU, but he can track load via the OS

Explanation:
Carlos knows the virtual machines use virtualized processors and that temperature and voltages cant be tracked for virtual CPUs. He can track load and most operating systems have a built in method for doing so. If voltages and temperature are an ongoing concern, he will need to monitor them at the underlying operating system, hardware or hypervisor level

Question 36

Megan is responsible for ensuring that her organizations continual service improvement efforts are meeting their goals. What formal role does Megan hold under ITIL?

A. CSI Manager
B. Process architect
C. Process owner
D. Customer

Answer 36

C. Process owner

Explanation:
Megan is a process owner and is responsible for the fit to purpose for the continual service improvement effort. Continual service improvement managers (CSI Managers) improve ITSM processes and services. Process architects ensure that processes work together and support each other effectively, and customers consume or purchase services

Question 37

Felicia wants to apply rules to her Amazon AWS VPC to limit the IPs that can contact her servers. What feature should she use to do this?

A. Honeypots
B. IDS
C. IPS
D. Network Security Groups

Answer 37

D. Network Security Groups

Explanation:
Felicia wants to perform firewall like rules based filtering, which is a function of network security groups

Question 38

Designing system redundancy into a cloud data center allows all the following capabilities except:

A. Incorporating additional hardware into the production environment to support increased redundancy
B. Preventing any chance of service interruption
C. Load sharing/balancing
D. Planned, controlled failover during contingency operations

Answer 38

B. Preventing any chance of service interruption

Explanation:
Risk cant be entirely prevented, but it can be drastically reduced. Hardware redundancy, local sharing and balancing and failure mode design are all common practices when designing redundancy into cloud datacenters

Question 39

Raj is required to provide proof of PCI compliance to his acquiring bank. What should he ask for from his cloud service provider?

A. An attestation of compliance
B. An SOC 1 Type 1 Audit
C. An SOC 2 Type 2 Audit
D. To allow him to conduct a PCI audit of the vendor

Answer 39

A. An attestation of compliance

Explanation:
Cloud providers who are PCI-compliant will typically provide an attestation of compliance upon request. This type of documentation is important for regulators as part of compliance validation. SOC audits dont specifically test PCI compliance, and most vendors will not allow customers to conduct PCI assessments of their underlying infrastructure

Question 40

Naomi wants to conduct a vulnerability scan of her cloud environment. What requirement is she likely to need to meet with her cloud service vendor for an IaaS environment?

A. She can only scan her own internal systems
B. She will have to use the service provider’s scanning tools
C. She can only scan her own external systems
D. She will need to schedule a time and date for the scans

Answer 40

A. She can only scan her own internal systems

Explanation:
IaaS vendors typically allow customers to scan their own internal systems but may recommend that certain types of instances with lower resources are not scanned to avoid disruption. While vendors may provide scanning tools, they typically dont require customers to use them in an IaaS environment. Since external scans can inadvertently impact other customers, external scanning is typically prohibited or limited, and scheduling a time and date may be required for more advanced or specialized testing

Question 41

Naomi has completed her vulnerability scan and wants to remediate the systems she has discovered vulnerabilities on. What is a typical patching process for IaaS hosted systems when concerns exist about the potential impact of patching?

A. Use a script to patch each system
B. Stand up new, patched instances, then replace the unpatched systems using load balancers
C. Create new instances with the patches installed, shut down the existing instances, and assign new IP addresses for new systems.
D. Manually patch each system

Answer 41

B. Stand up new, patched instances, then replace the unpatched systems using load balancers

Explanation:
Using load balancing to drain load from existing systems and then replacing them with new, patched instances is a common best practice for cloud hosted service environment patching. Manual and scripted patching can cause outages, as could reIPing as systems are swapped over

Question 42

When putting a system into maintenance mode, its important to do all of the following except:

A. Transfer any live virtual guests off the host
B. Turn off logging
C. Lock out the system from accepting any new connections
D. Notify customers if there are any interruptions

Answer 42

B. Turn off logging

Explanation:
Disabling logging would prevent admins from diagnosing problems. Transferring users, preventing new connections and notifying customers are all common practices when entering maintenance mode

Question 43

The operating system that Jack wants to install in his cloud environment requires a cryptographic store as part of the boot process to ensure that the hardware has been validated. Which of the following tools will allow him to meet this requirement?

A. Hardware HSM
B. Cloud TPM
C. Virtual TPM
D. Cloud HSM

Answer 43

C. Virtual TPM

Explanation:
A virtual trusted platform module (vTPM) is the only solution that will meet Jacks needs. HSMs are used to create, store and manage secrets, including cryptographic keys and certs, but arent used for boot security. Cloud TPM was made up for this question

Question 44

Yarif runs an OS and then uses a hypervisor running on the OS to run virtual machines. What type of hypervisor is he running?

A. A classic hypervisor
B. Type 1
C. An advanced hypervisor
D. Type 2

Answer 44

D. Type 2

Explanation:
Yarif is running a Type 2 hypervisor, which is defined as a hypervisor that runs on top of an OS rather than on bare metal like a Type 1 Hypervisor.

Question 45

What key function is describes by ITIL’s incident management practice?

A. Engaging third party responders based on best practices
B. Managing problem escalations
C. Restoring a service as soon as possible after an incident
D. Identifying incidents to allow response

Answer 45

C. Restoring a service as soon as possible after an incident

Explanation:
While ITIL focuses on identification, containment, resolution, and maintenance, the overall goal is restore service as soon as possible after an incident. It does not focus on third party responders. Problem escalations to incidents are part of identification but arent the main goal, nor is identifying incidents to allow response

Question 46

Lucca has experienced an event that interrupts normal service in his organization. How would ITIL classify this?

A. As an incident
B. As an SLA violation
C. As a problem
D. As an MSA violation

Answer 46

A. As an incident

Explanation:
Incidents are defined in ITIL as interruptions of normal service, including reductions in the quality of services that may violate an SLA. Problem management resolve the cause of problems while incident response restores services to normal levels

Question 47

What description best explains the relationship between problems and incidents?

A. Every problem is the result of an incident, but not all incidents are problems
B. Problems and incidents are distinct and unrelated
C. Problems are handled by support desks, and incidents are handled by security professionals
D. Every incident is the result of a problem, but not all problems are incidents

Answer 47

D. Every incident is the result of a problem, but not all problems are incidents

Explanation:
All problems are potential causes of incidents, but not all problems result in incidents

Question 48

Olivia wants to establish key performance indicators compatible with ITIl for her availability management practice. Which of the following is not a useful availability KPI?

A. Availability of the service relative to SLAs for the service
B. The number of service interruptions
C. The duration of the service interruptions
D. The number of individuals impacted by service interruptions

Answer 48

D. The number of individuals impacted by service interruptions

Explanation:
The number of individuals impacted is of interest to customers and management but is not a useful KPI for availability

Question 49

What underlies the information security management according to ITIL v4?

A. Event filtering and correlation rules
B. Security advisories
C. Information security policies
D. Security alerts

Answer 49

C. Information security policies

Explanation:
Information security policies - particularly what ITIL calls underpinning information security policies - are the basis of security management in ITIL

Question 50

Emily is in charge of her organizations deployment management as part of a CI/CD pipeline. What process typically needs to occur for a deployment to occur?

A. A change request must be approved
B. The change advisory board must review the change
C. Automated testing and validation must complete successfully
D. The next version must enter the pipeline

Answer 50

C. Automated testing and validation must complete successfully

Explanation:
In a continuous integration/continuous delivery pipeline, automated testing is conducted and the code must pass testing before code is released. Human intervention or approval is not typically required for CI/CD pipelines

Question 51

Chris wants tp capture forensic data in his cloud environment. What type of capture methodlogy is most likely to be used for virtual machines in a cloud infrastructure as a service environment?

A. Forensic image acquisition using a tool like DD
B. Use of the providers snapshot tool
C. Forensic image acquisition using a tool like DBAN
D. Use of the providers file copy utilities

Answer 51

B. Use of the providers snapshot tool

Explanation:
Snapshots are the most common means of capturing disk images from virtual machines in an IaaS environments. Using forensic image acquisition tools can be challenging in cloud environments due to a lack of access to the underlying hardware. DBAN is a wiping tool, and file copy utilities often don’t provide a complete forensically sound copy, although they may be the only option in some cases

Question 52

Tools like Terraform, CloudFormation, Ansible, Chef, and Puppet are often associated with what type of strategy?

A. Incident Response
B. Agile SDLC
C. Infrastructure as Code
D. Legal Hold

Answer 52

C. Infrastructure as Code

Explanation:
These are examples of infrastructure as code tools. While Agile pipelines may use Terraform they would do so as part of an infrastructure as code strategy. They arent specifically used for incident response or legal hold strategies but could be leveraged for both, once again as part of an infrastructure as code solution

Question 53

Aliana wants to align her organizations service level management to an ISO standard. Which ISO standard describes service management?

A. ISO 20000-1
B. ISO 27001
C. ITIL v4
D. COBIT

Answer 53

A. ISO 20000-1

Explanation:
ISO 20000-1 describes service management. ISO 27001 describes an information security management system. ITIL is not an ISO standard, nor is COBIT - in fact they are their own standards

Question 54

Rene is a SOC manager and wants to centralize incident and log information. What type of tool should she acquire and implement?

A. NOC
B. SIEM
C. IPS
D. DLP

Answer 54

B. SIEM

Explanation:
A SIEM is the ideal tool for this purpose. A NOC and IPS wont centralize logs and incident information and DLP is intended to stop data from leaving an organization

Question 55

What risk does an IPS pose that an IDS does not?

A. AN IPS cannot use signature based detection
B. An IPS can block legit traffic
C. An IPS cannot use behavior based detection
D. An IPS can fail open, while an IDS cannot

Answer 55

B. An IPS can block legit traffic

Explanation:
Unlike an IDS, an IPS needs to be placed in line with traffic. THis means that an IPS can block legit traffic if it is improperly identified or if the IPS fails in a closed state. An IDS cannot fail open or closed, as it is not in lin.e Both IDSs and OPSs can use signature and behavior based detections

Question 56

Amanda wants to use logging from her IaaS cloud environment to determine if an external user is accessing one of her servers. What type of logging should she enable in her cloud providers environment to do so?

A. System Logging
B. Performance Logging
C. Flow Logging
D. Storage Bucket Logging

Answer 56

C. Flow Logging

Explanation:
Turning on flow logging can provide the visibility Amanda wants. Flows show which IP address contacted another IP address, the source and destination ports, and the volume of data. None of the other types of logging listed will be as useful for this tasks

Question 57

Amanda wants to user her SIEM to detect attacks based on network traffic and behavior baselines that adapt to changes over time using learning techniques. What feature is she most likely to use for this purpose?

A. AI
B. Log Correlation
C. Threat Intelligence
D. Reporting

Answer 57

A. AI

Explanation:
AI features in SIEM devices are often used to analyze and learn network traffic patterns, then use log correlation and threat intelligence features to identify unexpected and potentially malicious behavior while leveraging learning capabilities. Log correlation and threat intelligence alone will not do this, and reporting is needed afterward

Question 58

Kathleen knows that her cloud provider makes a DHCP service available to systems in their IaaS environment. What does she know that her systems will receive from the DHCP server?

A. Default gateway, subnet mask, DNS server and IP address
B. A default route, a subnet mask, an IP address, and a MAC address
C. An IP address and a MAC address
D. An IP address, a subnet mask, a DNS server and firewall rule definitions for the local network

Answer 58

A. Default gateway, subnet mask, DNS server and IP address

Explanation:
A typical DHCP response will provide a default gateway, a subnet mask, DNS server information and an IP address for the host to use. It does not assign MAC addresses to systems - thats a hardware level setting and it doesnt define a default route, just a default gateway, nor does it provide firewall rule definitions

Question 59

Ben wants to secure his virtualization environment. WHich of the following is not a common security practice used to help protect virtualization infrastructure and system?

A. Enable secure boot
B. Disable cut and pase between the VM and console
C. Remove unnecessary hardware
D. Use the virtual machine console whenever possible

Answer 59

D. Use the virtual machine console whenever possible

Explanation:
Using secure boot, disabling cut and paste between VMs and the console and removing unnecessary hardware are all common security practices. SInce the virtual machine console is equivalent to direct access to the system, use of the console should be limited to only critical actions and the virtualization management platform should be used for the majority of actions

Question 60

Chelsea wants to prevent network based attacks against her cloud hosted system. Which of the following is not an appropriate solution to stop attacks?

A. Honeypots
B. Firewalls
C. Security Groups
D. IDS

Answer 60

A. Honeypots

Explanation:
Honeypots are used to capture attack traffic for study but arent used to stop attacks.. Firewalls, security groups and IPSs are all used to stop attacks by preventing malicious traffic from entering a network

Question 61

Methods for achieving high availability cloud environments include all of the following except:

A. Using instances running on alternate CPU architecture
B. Multiple system vendors for the same services
C. Explicitly documented business continuity and disaster recovery functions iun the SLA or contract
D .Failover capability back to the customers on premises environment

Answer 61

A. Using instances running on alternate CPU architecture

Explanation:
Using alternate CPU architectures isnt a common high availability technique. Using multiple vendors, having SLAs in place and using self hosted failover capabilities are all methods that can achieve this goal

Question 62

Susan’s website is unable to be loaded by her customers due to a system outage. What ITIL practice should Susan invest in to ensure that this does not happen again?

A. Availability management
B. Deployment management
C. Change management
D. Capacity management

Answer 62

A. Availability management

Explanation:
Susan’s outage points to a need for availability management. Susan may invest in redundant systems, additional monitoring, or other practices and design elements that can ensure her organizations website will be more resilient and thus more available

Question 63

Li’s organization uses a software as a service tool for their productivity work. After a recent compromise of user credentials, Li wants to perform digital forensics. What types of information can Li obtain for forensic analysis in an SaaS environment?

A. Logs
B. Disk Images
C. VM Snapshots
D. Network packet capture data

Answer 63

A. Logs

Explanation:
The only data that Li is likely to be able to obtain for forensic investigation is log files. Disk images, VM snapshots and network packet capture data require lower level access to systems and the network that an SaaS provider will normally make available

Question 64

What ISO/IEC 20000-1 capacity management subprocess is most closely aligned with SLAs with customers?

A. Business capacity management
B. Service capacity management
C. Contract capacity management
D. Component Capacity management

Answer 64

B. Service capacity management

Explanation:
Service capacity management measures performance and checks it against requirements set in SLAs and service level requirements. Business capacity management involves interpreting business needs into requirements for services and architecture. Component capacity management focuses on the actual components of an infrastructure. Finally, contract capacity management is not an ISO/IEC 20000-1 configuration management subprocess

Question 65

Derek wants to set up a 24/7 team to monitor for and respond to security incidents. What should he implement?

A. SIEM
B. NAS
C. SCCM
D. SOC

Answer 65

D. SOC

Explanation:
A SOC can be physical or virtual and typically consists of a team that monitors for security events on an ongoing basis

Question 66

Hui’s organization uses a tool to automate the configuration, deployment and coordination of hundreds of small IaaS instances that make up her organizations application stack. What term best describes this type of tool?

A. Scheduling
B. Maintenance Mode
C. Orchestration
D. Abstraction

Answer 66

C. Orchestration

Explanation:
They are using orchestration technology to automate tasks in their cloud environment.

Question 67

Megans organization uses a tool that captures a system and network behavioral baseline, then monitors for changes from that baseline that may indicate compromises. The tool uses the data it captures to update its model and to become more accurate in its detection. What type of tool is Megan using?

A. IPS
B. AI
C. Log analysis
D. Forensic data capture

Answer 67

B. AI

Explanation:
Megan is using AI based tool that learns from the data it is exposed to and improves its capabilities

Question 68

Jim has deployed a system that appears to be vulnerable host on a network. The system is instrumented to capture attacker commands and tools. What type of network security control has Jim deployed?

A. A honeypot
B. A darknet
C. A honeynet
D. A bastion host

Answer 68

A. A honeypot

Explanation:
Jim has deployed a honeypot, a system designed to capture attacker tools and techniques to allow for analysis. Honeynets are networks set up in a similar manner to detect networks set up in a similar manner to detect network attacks and attack techniques.

Question 69

Olivia has identified data that she wants to capture as part of a digital forensics effort. What step typically comes after forensic artifacts are identified?

A. Analysis
B. Documentation
C. Presentation
D. Preservation

Answer 69

D. Preservation

Explanation:
Olivia knows that once the data or artifacts have been identified, preservation is the next step.

Question 70

Mikes organization is considering adopting an infrastructure as code (IaC) strategy. What should Mike identify as potential risk in an IaC environment?

A. IaC decreases consistency
B. IaC is not easily updated
C. IaC decreases speed
D. IaC can cause errors to spread quickly

Answer 70

D. IaC can cause errors to spread quickly

Explanation:
IaC can cause errors to spread quickly.

Question 71

Keith is preparing to implement a storage cluster for his organization. Which of the following is not a benefit that he can expect to come from using storage clusters?

A. Lower costs
B. Higher performance
C. Greater availability
D. Increased capacity

Answer 71

A. Lower costs

Explanation:
The benefits of any clustered environment come at the cost of higher prices. Keith should expect to spend more money, but gain performance, availability and reliability and capacity depending on his configuration and design choices

Question 72

Lisa wants to maintain a configuration model for her organization that contains all of the information that the organization needs about their CIs (configuration items). What ITIL process should she follow?

A. Configuration Control
B. Configuration identification
C. Configuration verification
D. Configuration audit

Answer 72

A. Configuration Control

Explanation:
ITILs configuration identification sub-process includes identifying and specifying the attributes for each configuration item type and sub-component and the relationships between each CI or sub-component and others in the organization

Question 73

Dan is considering what key data he should gather about systems in his IaaS environment. He is moving from a traditional on site data center and has the following list of monitoring items he currently tracks. Which of the following will he still be able to track in an IaaS platform?

A. CPU utilization
B. Fan speed
C. System temperature
D. CPU Voltage

Answer 73

A. CPU utilization

Explanation:
The only metric among those listed that is typically available to customers in an IaaS environment is CPU utilization to help track usage

Question 74

What term is used to describe a component or service that needs to be managed as part of configuration management efforts in an organization?

A. Configuration Model
B. Configuration Record
C .Configuration item
D. Service asset

Answer 74

C .Configuration item

Explanation:
CIs (configuration items) are the components or services that are managed as part of a configuration management effort.
Configuration models are used to evaluate changes and causes of incidents. Configuration records are the records that describe configuration item relationships and settings. Service assets include a range of things that allow organizations to deliver services including third party vendor services

Question 75

Henry knows that his IaaS provider bills are based on usage for his instances. Which of the following is not usually a billable item for IaaS providers for their typical instances?

A. Compute usage
B. Network bandwidth usage
C. Storage usage
D. Latency

Answer 75

D. Latency

Explanation:
While bandwidth, compute and storage are all typically measured and billed, latency is usually not directly charged for. Instead, providers are likely to provide a distinct low latency service if they charge for latency related items

Question 76

Charles want to obtain forensic artifacts for his IaaS cloud hosted systems. Which of the following is not an artifact typically captured for IaaS cloud hosted systems?

A. The hypervisors memory state
B. Disk volumes
C. The instances memory state
D. Logs from cloud environment

Answer 76

A. The hypervisors memory state

Explanation:
Customers are typically unable to obtain forensic data from the underlying IaaS as a service environment. Memory for the instance, disk volumes and logs are all common cloud forensic artifacts

Question 77

Selah wants to conduct a vulnerability scan of her SaaS providers service as part of her ongoing security operations responsibility. What should he do?

A. Contact the provider and ask about appropriate scan windows
B. Request vulnerability scan data from the vendor
C. Scan the provider on a regular basis whenever she wants to
D. Consider asking the SaaS provider about their own patching and scanning practices

Answer 77

D. Consider asking the SaaS provider about their own patching and scanning practices

Explanation:
SaaS providers are unlikely to allow third parties to scan their production services. While Selah could just scan her provider anyway, this is often prohibited in contracts that customers sign with their provider. Instead, Selah should ask the vendor about their patching and scanning practices to determine if they are appropriate to her organizations risk tolerance and to see if documentation or attestation of practices like an SOC audit is available

Question 78

Which of the following has the highest impact in determining whether the business BC/DR effort has a chance of being successful?

A. Perform an integrity check on archived data to ensure that the backup process is not corrupting the data
B. Encrypt all archived data to ensure that it cant be exposed while at rest in the long term
C. Periodically restore from backups
D. Train all personnel on BC/DR actions they should take preserve health and human safety

Answer 78

C. Periodically restore from backups

Explanation:
If backups arent working properly, or cannot be restored, checking all of the other actions described wont be of use

Question 79

Chris wants to use an ISO standard for collecting, preserving and identifying electronic evidence. What ISO standard should he select?

A. ISO/IEC 27001:2012
B. ISO/IEC 27037:2012
C. ISO/IEC 9000:2016
D. ISO/IEC 27002:2022

Answer 79

B. ISO/IEC 27037:2012

Explanation:
A number of ISO standard related to forensic exist, including 27037, 27041, 27043, and 27050-1. ISO 27001 covers the best practice standards for information security management, and 27002 describes security controls. The ISO 9000 series covers quality management

Question 80

Melissa is responsible for establishing an SOC in her organization. Which of the following services is not typical SOC offering?

A. Vulnerability management
B. Threat management
C. Incident response
D. eDiscovery

Answer 80

D. eDiscovery

Explanation:
SOCs typically do not provide eDiscovery services

Question 81

Ryan wants to perform a backup of his GitHub hosted code repo. What option should he choose to ensure that he has a backup he controls?

A. Use GitHubs built in backup capability
B. Use the API to clone the repo
C. Use GitHUbs snapshot tool to clone the repo to another repo
D. Use a third party GitHUb repo copy

Answer 81

B. Use the API to clone the repo

Explanation:
Ryans best option is to use GitHub APIs to download the rpeo and then to store it in a secure location. Relying on Githubs own backup practices leave GitHub in control of the code and Ryan vulnerable to outages and reliance on third party sites doesnt give Ryan control of the backups either

Question 82

ISO/IEC 20000-1 includes three sub-processes for capacity management. Which of the following lists matches those three sub-processes?

A. Business capacity management, service capacity management, component capacity management
B. Staffing capacity management, service capacity management, component capacity management
C. Business capacity management, service capacity management, organizational capacity management
D. Staffing capacity management, business capacity management and component capacity management

Answer 82

B. Staffing capacity management, service capacity management, component capacity management

Explanation:
ISO/IEC 20000-1 focuses on business capacity management, service capacity management and component capacity management

Question 83

Maria is planning her organizations ISO/IEC 20000-1 based relase management plan. Which of the following elements is not typically part of an RDM plan?

A. Risk assessment
B. Build planning
C. Testing
D. Decommissioning

Answer 83

D. Decommissioning

Explanation:
Release and deployment plans focus on creating and deploying releases. Lifecycle management is handled under other sections of the ISO standard and not within RDM plans

Question 84

Hannah wants to align her ifnormation security management program to ISO/IEC 20000-1. According to the standard, what must be done with an information security policy?

A. Establish, approve and communicate and information security policy
B. Create and regularly update an information security policy
C. Adopt an ISO/IEC standard template based information security policy
D. Undergo a third party review of the organizations security policy

Answer 84

A. Establish, approve and communicate and information security policy

Explanation:
ISO/IEC 20000-1 requires that organizations establish, approve and communicate their information security policy. If youre not familiar with ISO/IEC 20000-1 or similar standards, review the list of answers for unlikely answers - like requirements for third party review. Using a standardized template can help to narrow down answers for questions like these

Question 85

Mikes VMware cluser moves virtual machines from heavily loaded hosts to hosts with lower loads. What technology is Mike using?

A. Automatic instance management
B. Distributed resource scheduling
C. Round robin load balancing
D. Instance segregation

Answer 85

B. Distributed resource scheduling

Explanation:
Distributed resource scheduling in VMware moves virtual machines from heavily loaded hosts to those with more resources available to help balance the load across the cluster.

Question 86

Which of the following is not commonly measured as part of a disks hardware monitoring?

A. Powered on time
B. Drive temperature
C. Drive health
D. Used capacity

Answer 86

D. Used capacity

Explanation:
The amount of data stored on a drive isnt considered a hardware monitoring item. Powered on time, temperature and drive health are all elements of hardware monitoring

Question 87

ITIL v4 defines four subprocesses for service level management. Which of the following is not one of the four subprocesses?

A. Maintenance of service level management framework
B. Identification of service requirements
C. Pricing structures and penalties
D. Service level monitoring and reporting

Answer 87

C. Pricing structures and penalties

Explanation:
The missing fourth item should be agreement sign off and service activation, including SLA and service acceptance criteria. Pricing is not part of ITIL v4 service management processes

Question 88

Michelle wants to run an application from low trust devices. What type of cloud based solution could help her run the application in a secure way?

A. Use a local virtual machine
B. Use a bastion host
C. Use a jumpbox
D. Use a virtual client

Answer 88

D. Use a virtual client

Explanation:
Michelle should select a virtual client that allows her to run her application in a cloud hosted environment. This will allow the application to run in a secure location while still allowing her to access it from lower trust devices

Question 89

Because most cloud environments rely heavily on virtualization, it is important to lock down or harden the virtualization software, or any software involved in virtualization. Which of the following is not an element of hardening software?

A. Removing unused services and libraries
B. Maintaining a strict licensing catalog
C. Patching and updating as necessary
D. Removing default accounts

Answer 89

B. Maintaining a strict licensing catalog

Explanation:
While maintaining a library of software licenses is important, it is not part of hardening practices

Question 90

What key document in business continuity management practices ensures that organizations can return to a known consistent state as well as to a working state?

A. The business continuity strategy
B. The recovery plan
C. The IT service continuity report
D. The disaster recovery invocation guideline

Answer 90

B. The recovery plan

Explanation
In ITIL the recovery plan includes detailed plans for returning any systems and services to a working state and can also include recovering data to a known consistent state. The business continuity strategy sets the strategy for business functions. IT service continuity during specified disasters for services and systems

Question 91

Jasons company operates their small business in a cloud hosted environment. After a recent breach, Jason wants to conduct forensics. What should Jason do to ensure his organization conducts proper forensic capture in a cloud environment if he is not a forensic practitioner?

A. Follow ISO standards to identify and preserve the data
B. Engage third party forensic professionals
C. Follow his cloud providers best practices to identify and preserve the data
D. Request that his cloud provider perform the forensic efforts

Answer 91

B. Engage third party forensic professionals

Explanation:
For many organizations the best option to select when facing cloud forensic investigations is to engage a third party. In this case, without an internal expert and as a small company, Jasons best bet is third party experts

Question 92

Which of the following factors would probably most affect the design of a cloud datacenter?

A. Geographic location
B. Proximity to population centers
C. Cost
D. Security Requirements

Answer 92

A. Geographic location

Explanation:
A facilitys geographic location influences both the requirements for things like HVAC as well as environmental threats like extreme weather. Proximity to population centers may have secondary influences on utilities or staffing, and both cost and security requirements may influence the design, but the larger impact is from its geographic location

Question 93

Rick is creating a policy defining his organizations change management process. Which of the following is not a common change management policy element?

A. Defining the composition of the change management board
B. The change management process itself
C. A requirement to prevent deviation from the baselines established in the policy
D. Enforcement measures

Answer 93

C. A requirement to prevent deviation from the baselines established in the policy

Explanation:
Change management practices and baselines need to include methods for handling deviations in reasonable ways. That means Rick should ensure that the policy includes an assignment of tasks, including deviation notification and documentation

Question 94

Which of the following cloud datacenter functions do not have to be performed on isolated networks?

A. Customer access provision
B. Management system control interface
C. Storage controller access
D. Customer production activities

Answer 94

D. Customer production activities

Explanation:
The production activities will make full use of pooled resources, so they will not be isolated unless the customer is paying for that specific characteristic of service. Provisioning, management and access to storage should all be isolated to ensure security of those functions

Question 95

When cloud computing professionals use the phrase, ping, power, pipe, which of the following characteristics is not being described?

A. Logical connectivity
B. Human interaction
C. Electricity
D. Facility space

Answer 95

B. Human interaction

Explanation:
User interaction with the cloud is not described in this phrase. Ping, power, and pipe refers to connectivity, power and facility space with services like HVAC

Question 96

You are the security manager for a small retail business involved mainly in direct e commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own datacenter located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which tier of the Uptime Institute rating system should you be looking for, if minimizing cost is your ultimate goal?

A. 1
B. 3
C. 4
D. 8

Answer 96

A. 1

Explanation:
For the purposes described in the question, a Tier 1 datacenter should suffice; it is the cheapest and you need it only for occasional backup purposes (as opposed to constant access). The details of location and market are irrelevant

Question 97

Isaac is the IT manager for a small surgical center. His organization is reviewing upgrade options for its current, on premises datacenter. The organization wants to increase its disaster recovery and business continuity capabilities without making significant investments in staffing or technology. Which of the following options should Isaac recommend?

A. Building a completely new datacenter
B. Adding additional DR/BC capabilities to the existing datacenter
C. Moving to a cloud hosted datacenter
D. Staying with the current datacenter

Answer 97

C. Moving to a cloud hosted datacenter

Explanation:
The most effective way for Isaac to acquire meaningful BC/DR capabilities is to move to a cloud hosted datacenter. This means that his organization doesnt have to make major investments in their datacenter to add capabilities. Of course, staying with the current datacenter doesnt meet his needs already

Question 98

What does chain of custody documentation and tracking help with?

A. Nonrepudiation
B. Plausible deniability
C. Data tampering by investigators
D. Engaging with law enforcement

Answer 98

A. Nonrepudiation

Explanation:
Creating and maintaining proper chain of custody documentation provides non repudiation for the process, ensuring that the handling will survive scrutiny at a later date

Question 99

Ben wants to provide logical separation between two network segments. What technology is often used to define networks for this purpose?

A. DHCP
B. VLANs
C. VPNs
D. STP

Answer 99

B. VLANs

Explanation:
VLANs are logical overlays used to segregate network devices

Question 100

When designing a cloud datacenter, which of the following aspects is not necessary to ensure continuity of operations during contingency operations?

A. Access to clear water
B. Broadband data connection
C. Extended battery backup
D. Physical access to the datacenter

Answer 100

C. Extended battery backup

Explantion:
Backup power does not have to delivered to batteries; it can be fed to the datacenter through redundant utility lines or from a generator