Flash Cards

Question 1

Who determines under what circumstances a private cloud meets the policies and needs of an organization’s strategic goals and contractual requirements (from a technical perspective)?

Answer 1

Cloud architect

Question 2

This open source IaaS platform was developed to assist IaaS cloud providers in creating, deploying, and managing services through a single “stack” of features for the cloud environment.

Answer 2

Apache CloudStack

Question 3

This term refers to the increasing diversity of cloud services available today as opposed to those same services being provided locally or on premise.

Answer 3

Anything-as-a-Service

Question 4

This form of cloud storage involves the enterprise and storage service being separate, with data stored outside the confines of the enterprise environment.

Answer 4

Public cloud storage

Question 5

This term refers to the idea of leveraging cloud computing as a way of creating offsite storage with little or no hardware requirements for the enterprise.

Answer 5

Online backup

Question 6

The purpose of this document is to ensure appropriate security requirements and controls are applied to all U.S. federal government information and information management systems.

Answer 6

NIST 800-53

Question 7

This form of cloud storage applies to storing mobile device data in the cloud while providing access to the stored data from anywhere.

Answer 7

Mobile cloud storage

Question 8

This type of cloud storage involves using both public cloud and enterprise private cloud storage.

Answer 8

Hybrid cloud storage

Question 9

This term describes software applications that help the business in solving enterprise problems.

Answer 9

Enterprise application

Question 10

This term refers to an open source platform for cloud computing and IaaS in a private cloud environment.

Answer 10

Eucalyptus

Question 11

This term refers to the accreditation used to distinguish between secure and well-established crypto modules produced in the private sector. It stands as a certification for those producers who need them to be used in regulated industries that typically collect, store, transfer, and share data that is deemed to be sensitive in nature but not classified.

Answer 11

FIPS 140-2

Question 12

What is the term used when a virtual desktop infrastructure is outsourced to a third party?

Answer 12

Desktop as a Service

Question 13

This term refers to the ability of individuals to store their data over the Internet using a storage service provider as opposed to the data being stored locally on a disk or tape backup.

Answer 13

Cloud backup solutions

Question 14

This term describes a kind of computing model that relies on sharing compute resources in a remote location as opposed to the use of local servers or personal devices to handle computing processes.

Answer 14

Cloud computing

Question 15

What is an organization that buys hosting services with the intent of reselling them to its own customers?

Answer 15

Cloud computing reseller

Question 16

The testing of load and performance capabilities on the services and applications provided by cloud computing providers is designed to ensure optimal performance and scalability under varying conditions. What is it called?

Answer 16

Cloud testing

Question 17

One type of hosting occurs when hosting services are made available on demand. As opposed to a single physical or virtual server, cloud services are set up to utilize multiple connected servers that are part of the cloud infrastructure.

Answer 17

Cloud server hosting

Question 18

This type of database is accessible from the cloud provider on demand over the Internet to the user/customer.

Answer 18

Cloud database

Question 19

This specification is engineered to ease the management of multiple applications, which include packaging and delivery across public and private cloud platforms.

Answer 19

Cloud Application Management for Platforms (CAMP)

Question 20

This term refers to the processes involved with making available cloud providers, clients, and applications, resulting in the creation of a public cloud computing environment.

Answer 20

Cloud enablement

Question 21

The term, often used in place of Platform as a Service (PaaS), describes an association with cloud computing.

Answer 21

Cloud OS

Question 22

What is the processes involved in the transitioning of a part or all of a company’s data, applications, and services from a traditional on-premises enterprise environment to one in the cloud where information can be accessed from anywhere, anytime?

Answer 22

Cloud migration

Question 23

The service provider that offers storage, computing, and/or software applications that are available across the Internet from anywhere, anytime.

Answer 23

Cloud provider

Question 24

The ability for a consumer or user to be able to move their associated applications and/or data between competing cloud providers or between public and private clouds.

Answer 24

Cloud portability

Question 25

Selecting which applications and services that will reside in the public cloud, and which will not, is the first stage in the process resulting in the deployment of a company’s cloud strategy. What is it known as?

Answer 25

Cloud provisioning

Question 26

The person who adapts, ports, and deploys applications to a target environment.

Answer 26

Cloud application architect

Question 27

The process of utilizing cloud management tools to ensure that cloud computing services are working properly through the use of software and technologies designed for operation and monitoring of cloud applications, data, and services.

Answer 27

Cloud management

Question 28

A shortened phrase used to describe applications accessed via the cloud. These applications are never installed locally and are always accessed over the Internet.

Answer 28

Cloud apps

Question 29

A type of storage whereby an organization’s data is stored in and accessible from any location of distributed and connected components of cloud computing.

Answer 29

Cloud storage

Question 30

This person is responsible for all for the implementation, monitoring, and maintenance of the cloud environment either within the organization or on behalf of an organization as a vendor.

Answer 30

Cloud administrator

Question 31

These individuals are tasked with development for the cloud infrastructure. Their development efforts may include client tools, solutions engagements, and system components.

Answer 31

Cloud developer

Question 32

A third party who manages and distributes remote, cloud-based data backup services, and solutions from a central datacenter location.

Answer 32

Cloud backup service provider

Question 33

Software that is hosted in the cloud on remote servers and performs accounting functions.

Answer 33

Cloud computing accounting software

Question 34

One type of cloud storage wherein cloud and enterprise storage both reside inside the enterprise behind the firewall.

Answer 34

Private cloud storage

Question 35

This enables the IT infrastructure to become more adaptive to changing business needs and requirements.

Answer 35

Cloud data architecture

Question 36

This service offers customers the ability to rent hardware, OS, storage, and network capacity over the Internet from a cloud service provider.

Answer 36

Infrastructure as a Service

Question 37

This form of cloud storage involves storing an individual’s data in the cloud, allowing that person access from anywhere, anytime

Answer 37

Personal cloud storage

Question 38

A collection of distributed and connected resources used for storing and managing data online in the cloud.

Answer 38

Storage cloud

Question 39

This model hosts software by a cloud vendor or service provider and is available to customers over network resources.

Answer 39

Software as a Service

Question 40

These technologies describe what enables cloud computing to be a real and highly scalable service offering due to decreased costs and resource sharing across multiple tenants and environments.

Answer 40

Virtualization technologies

Question 41

These cloud computing and services are designed for a particular vertical industry such as banking, healthcare, or some other specific-use application.

Answer 41

Vertical cloud computing

Question 42

This term describes what happens when a customer is unable to leave, migrate, or transfer to an alternate cloud provider due to technical or nontechnical constraints.

Answer 42

Vendor lock-in

Question 43

A model for examining the nature and severity of threats whose name is derived from and based on the following six categories: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

Answer 43

STRIDE threat model

Question 44

This term refers to a type of testing environment where untested code changes and experimentation from the production can occur safely in isolation. It is usually used in the context of software development, including web development and revision control.

Answer 44

Sandbox

Question 45

When testing an application or software product in an operating state, we use this.

Answer 45

Dynamic application security testing (DAST)

Question 46

This method of computer access control uses authentication factors from at least two of three categories of knowledge factors; what the user knows, what the user has, and/or what the user is.

Answer 46

Multifactor authentication

Question 47

This term is used in describing capabilities of a network to differentiate and provide differing qualities of service to various types of network traffic over different communication technologies such as ATM, Ethernet, and IP routed networks.

Answer 47

Quality of service (QoS)

Question 48

The encapsulation of application software from the underlying operating system on which it is executed

Answer 48

Virtualization encapsulation

Question 49

This security discipline is about enabling the right individual’s access to the right resources at the right time for the right reasons.

Answer 49

Identity access management (IAM)

Question 50

This standard is designed for the exchange of authentication and authorization data between security domains.

Answer 50

Security Assertion Markup Language (SAML)

Question 51

Routines, standards, protocols, and tools for connecting software applications to web-based services, applications, or tools.

Answer 51

Application programming interface (API)

Question 52

This term identifies an arrangement among multiple enterprises that allows subscribers or users to use the same identification data or credentials, and to obtain access to the networks and all associated resources of the enterprises participating in the arrangement.

Answer 52

Federated identity management

Question 53

This type of filter, appliance, or server plug-in is used to apply a set of rules to HTTP conversations in real time as a way of protecting from common attacks such as cross-site scripting or SQL injection.

Answer 53

A web application firewall (WAF)

Question 54

This standard, which introduces definitions, concepts, principles, and processes involved in application security, provides an overview of application security.

Answer 54

ISO/IEC 27034-1

Question 55

This involves making a structurally similar yet inauthentic copy of an organization’s data that is then used strictly for purposes of software testing and user training

Answer 55

Data masking

Question 56

This subset of an ONF contains only information necessary for reaching a targeted level of trust for a specific business application.

Answer 56

Application Normative Framework (ANF)

Question 57

This is a set of technologies aimed at analyzing source code, byte code, and binaries for coding and design conditions that show indications of security vulnerabilities.

Answer 57

Static application security testing (SAST)

Question 58

A security technology used for the monitoring and analysis of database activity. It operates independently of the database management system (DBMS) and is independent of any native DBMS-resident auditing or native logs such as trace or transaction logs.

Answer 58

Database activity monitoring (DAM)

Question 59

When the number of users connected to a system or systems exceeds the number that can be fully supported simultaneously.

Answer 59

Oversubscription

Question 60

Using two or more storage servers in tandem in order to increase performance, capacity, and/or reliability. This technique also distributes the workloads and ensures access to all files from all servers at all times regardless of physical location of data.

Answer 60

Storage clusters

Question 61

The framework of items that contains all of the components of application security best practices that are catalogued and leveraged by the enterprise.

Answer 61

Organizational Normative Framework (ONF)

Question 62

This type of cloud offering is provisioned for open use by the public. It can be owned, managed, or operated by any combination such as a business, academic institution, or government organization and exists on the premises of the cloud provider.

Answer 62

Public cloud

Question 63

One phase of the SDLC where all functional features of the system used in development are described independently of any computer platform.

Answer 63

Logical design

Question 64

This international standard was developed to develop and maintain an information systems management system (ISMS), which is composed of interrelated elements that organizations use to manage information security risks and to support the CIA triad.

Answer 64

ISO/IEC 27001:2013

Question 65

These are often used as decoys and consist of a computer, data, or a network site that appear to be part of a legitimate network but are in fact bogus. They are isolated and monitored for activity in the hopes of discovering information about possible malicious attacks or attackers.

Answer 65

Honeypots

Question 66

The use of many smaller disks, as opposed to a single large one, that when configured allows the drives to be placed in a group, thereby increasing performance and redundancy and reducing the chances of data loss.

Answer 66

Redundant array of inexpensive disks (RAID)

Question 67

These devices are used to securely store and manage encryption keys. The keys can be used for such purposes as securing data transmissions and protecting log files.

Answer 67

Hardware Security Module (HSM)

Question 68

This configuration is used to isolate network components, such as web servers, that are accessible by untrusted networks and therefore external attacks.

Answer 68

Demilitarized zone (DMZ)

Question 69

A set of processes and structures used to effectively manage all risks to an enterprise.

Answer 69

Enterprise risk management

Question 70

This type of storage is broken down into objects, which include additional metadata (content type, redundancy required, creation dates, etc.) They are accessed through APIs and often a web interface.

Answer 70

Object storage

Question 71

This term describes the relationship between shareholders and stakeholders versus senior management of the corporation.

Answer 71

Corporate governance

Question 72

This controls the entire infrastructure. As such, part of it will be exposed to customers independent of their location, thus making it a highly valued asset to be protected.

Answer 72

Management plane

Question 73

This term describes the granting the right of access to a program, process, or user.

Answer 73

Authorization

Question 74

This term describes the process or act of verification of eligibility of a station, originator, or individual to access specific categories of information. It is also designed to protect against fraudulent transmissions by establishing validity of the transmission or its originator.

Answer 74

Authentication

Question 75

Still a developing concept, this partly addresses the management of network components, the objective of which is to provide a control plane that can manage network traffic via an abstraction layer as opposed to direct device management.

Answer 75

Software defined networking (SDN)

Question 76

This service replicates data across the global Internet.

Answer 76

Content delivery network (CDN)

Question 77

This framework is designed to enable cooperation between cloud consumers and provider in demonstrating appropriate risk management.

Answer 77

Security Alliance’s Cloud Control Matrix (CCM)

Question 78

A managed database service, usually stored and operated in the cloud.

Answer 78

Database as a Service

Question 79

This methodology and toolset allow security professionals to leverage a common set of solutions to fulfill common needs in assessing the status of both their internal IT and cloud provider’s security capabilities and to create a roadmap to meet those needs.

Answer 79

TCI Reference Architecture

Question 80

This type of risk assessment uses a set of methods, principles, and rules based on the use of numbers. It also supports cost–benefit analyses of alternative risk responses.

Answer 80

Quantitative risk assessment

Question 81

This monitors inbound and outbound data packets from the device on which it is installed and alerts users or admins only if suspicious activity is detected.

Answer 81

Host intrusion-detection systems (HIDS)

Question 82

This particular cloud infrastructure is composed of two or more distinct and different cloud infrastructures (private, community, or public) and still remains a unique entity while bound together by standardized or proprietary technologies that enables data and application portability (e.g., cloud bursting, for load balancing between clouds).

Answer 82

Hybrid cloud

Question 83

The database used for mapping DNS domain names to various types of data such as IP addresses. This hierarchical database permits us to use human-readable or “friendly” names, such as www.isc2.org, to locate computers and resources associated with that name without having to know the IP address associated with the object.

Answer 83

Domain Name System (DNS)

Question 84

A newer, more secure form of the original, that involves a suite of extensions to add security to the DNS protocol that enables DNS responses to be validated. Specifically, it provides for origin authority, data integrity in responses, and authenticated denial of existence.

Answer 84

Domain Name System Security Extensions (DNSSEC)

Question 85

This type of cloud infrastructure is provisioned for use by a single entity (organization, corporation, etc.) consisting of many consumers. It can be owned, operated, and/or managed by the organization itself, a third party, or some combination of the two and may exist either on or off premises.

Answer 85

Private cloud

Question 86

This type of cloud infrastructure is designed for use by a specific community of organizations with shared concerns (e.g., mission, security requirements, policy, and/or compliance considerations).

Answer 86

Community cloud

Question 87

This type of networking model for cloud deployments is designed with standard perimeter protection mechanisms, with the underlying storage and IP networks converged to maximize benefits for the cloud workload.

Answer 87

Converged networking model

Question 88

This term is often referred to as a device but is actually a method of analyzing risk in software systems. It involves a centralized collection and monitoring of security- and event-related logs from in-scope systems. It then provides for the correlation of different events and early detection of attacks.

Answer 88

Security information and event management (SIEM)

Question 89

This type of assessment typically employs methods, principles, or rules for assessing risk based on non-numerical values such as high, medium, and low.

Answer 89

Qualitative assessment

Question 90

This protocol allows separate channels to carry presentation data, serial device communication, licensing, and highly encrypted data (keyboard and mouse activity).

Answer 90

Remote Desktop Protocol (RDP)

Question 91

This networking model uses a layered approach with physical switches at the top layer and logical separation occurring at the hypervisor level.

Answer 91

Traditional networking model

Question 92

This term describes datacenter networks, logically divided into smaller, isolated networks that share the physical networking gear but operate separately without visibility into other logical networks.

Answer 92

Multitenancy

Question 93

This determines in which legal jurisdiction a dispute will be heard when a conflict of law occurs.

Answer 93

Doctrine of the Proper Law

Question 94

This particular SOC report on controls at service organizations is relevant to the user entities’ internal controls over financial reporting.

Answer 94

Service Organizations Controls 1 (SOC 1)

Question 95

This law was passed as a means to protect shareholders as well as the general public from accounting errors and fraudulent practices.

Answer 95

Sarbanes-Oxley Act (SOX)

Question 96

The process of identifying, collecting, documenting, structuring, and communicating information from various sources in order to enable educated and swift decision making to occur.

Answer 96

Information gathering

Question 97

This banking law was enacted as a way of controlling the ways that financial institutions safeguard the private information of individuals with whom they conduct business.

Answer 97

Gramm-Leach-Bliley Act (GLBA)

Question 98

The rules, statues, and body of law that define conduct that is prohibited by the government and are designed to protect the safety and well-being of the public.

Answer 98

Criminal law

Question 99

This term refers to processes involved where electronic data is sought, located, secured, and searched for with the intent of using it as evidence in criminal or civil proceedings.

Answer 99

eDiscovery

Question 100

This international law introduces significant changes for data processor and controllers, including the concept of consent, transfers abroad, the right to be forgotten, establishment of the role of “data protection officer” access requests, home state regulation, and increased sanctions.

Answer 100

EU General Data Protection (EGDP) Regulation 2012

Question 101

This law from 1986 was created as part of the Electronic Communications Privacy Act and provides for privacy protection of certain types of electronic communication and computing services from unauthorized access or interception.

Answer 101

Stored Communication Act

Question 102

This body of rights, obligations, and remedies describes the remedies and reliefs for anyone suffering harm as a result of the wrongful act or acts of another.

Answer 102

Tort law

Question 103

This report on Controls at a Service Organization are focused on the security, availability, processing integrity, confidentiality, and privacy of the organization and its controls.

Answer 103

Service Organization Controls 2 (SOC 2)

Question 104

This 1988 act relates to the regulation with respect to the handling of personal information about individuals, including the collection, use, storage, and disclosure of personal information, and access to and the ability to correct misinformation.

Answer 104

Australian Privacy Act 1988

Question 105

In 1996 this healthcare law was passed that provided national standards for electronic healthcare transactions, and national identifiers for providers, health plans, and employers

Answer 105

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Question 106

This process is a way of deliberately destroying the encryption keys used to originally encrypt data.

Answer 106

Crypto-shredding

Question 107

This technique involves the splitting up and storing of encrypted information across different cloud storage services. It is virtually impossible to reconstruct without the proper keys.

Answer 107

Bit splitting

Question 108

This important activity determines the impact of losing support of any particular resource to an organization, helps establish the escalation of that loss over time, identifies the minimum resources needed to recover the support or asset, and prioritizes the recovery processes and supporting systems.

Answer 108

Business impact analysis (BIA)

Question 109

This term refers to the security and encryption designed to prevent unauthorized copying and limitation of distribution to those who have purchased the rights.

Answer 109

Digital Rights Management (DRM)

Question 110

This activity is designed to prevent unauthorized data exfiltration.

Answer 110

Data loss prevention

Question 111

These mechanisms act to restrict a list of possible actions down to allowed or permitted actions.

Answer 111

Control

Question 112

This special mathematical code allows encryption hardware and/or software to encrypt and decipher encrypted messages.

Answer 112

Encryption key

Question 113

The overt or secret writing technique using a bidirectional mathematical algorithm that transforms plain text into unintelligible cipher text.

Answer 113

Encryption

Question 114

This method of erasure uses strong magnets for scrambling data on magnetic media such as hard drives and tape so that data is not recoverable.

Answer 114

Degaussing

Question 115

This special type of encryption or encryption technique allows encrypted data to be processed without first decrypting. It is extremely slow due to the intense mathematical calculations and as a result is not practical at this time.

Answer 115

Homomorphic encryption

Question 116

This cloud model provides a complete infrastructure and allows companies to install software on provisioned servers and control the configuration of all devices.

Answer 116

Infrastructure as a Service (IaaS)

Question 117

This activity revolves around the generation, storage, distribution, deletion, archiving, and application of keys in accordance with security policies.

Answer 117

Key management