LearnZapp Practice 1 Flashcards

Question 1

Q

Which of the following is a feature of SAST?

A. Testing applications while running in RAM
B. Pentesting
C. Team building efforts
D. Source code review

Answer

A

D. Source code review

Explanation:
Static Application security testing examines source code while the application is not running

Question 2

Q

Which of the following takes advantage of the information developed in the business impact analysis?

A. Calculating ROI
B. Risk analysis
C. Calculating TCO
D. Securing asset acquisition

Answer

A

B. Risk analysis

Explanation:
Among other things, the BIA gathers asset valuation information that is crucial to risk management analysis and further selection of security controls

Question 3

Q

Which term best describes when a cloud provider goes out of business and leaves the customer unable to retrieve data?

A. Vendor lock in
B. Vendor lock out
C. Bankruptcy
D. Vendor closure

Answer

A

B. Vendor lockout

Explanation:
This is the definition of vendor lockout; when the cloud provider goes out of business and you can no longer access your data. This must be considered when you are determining whether to cloud migration

Question 4

Q

When monitoring for performance reasons, which of the following should not be included?

A. Free disk space
B. Disk IO
C. CPU Usage
D. Printer queue information

Answer

A

D. Printer queue information

Explanation:
Print spooling is not an accepted performance measure. All the others are critical to keeping the environment running at peak efficiency

Question 5

Q

Which of the following cloud service models requires the least amount of maintenance, administration and support by the cloud customer?

A. SaaS
B. PaaS
C. IaaS
D. DaaS

Answer

A

A. SaaS

Explanation:
The SaaS model requires the least intervention because the provider is responsible for maintaining the operating system, hardware and software

Question 6

Q

Of the following SOC reports, which is the most commonly advertised?

A. SOC 1
B. SOC 2 Type 2
C. SOC 2 Type 1
D. SOC 3

Answer

A

D. SOC 3

Explanation:
The SOC 3 report is merely an attestation by an auditor. It does not contain any confidential information and is therefore readily available upon request and often even advertised on websites

Question 7

Q

After a cloud migration, risks must be reviewed. However, a complete analysis is not necessary because much of the material has already been compiled in which of the following?

A. The cost benefit analysis completed prior to migration
B. The recent BIA
C. The last risk assessment
D. NIST 800-54r4

Answer

A

A. The cost benefit analysis completed prior to migration

Explanation:
Most of the risks associated with the cloud migration are examined in the cost benefit phase of evaluation and therefore do not need to be revisited

Question 8

Q

Compliance with ASHRAE data center standards for humidity can help reduce the risk of which of the following?

A. Static discharge
B. Malicious users
C. Increased power usage
D. Increased heating cooling expenses

Answer

A

A. Static discharge

Explanation:
The ASHRAE standards provide for humidity standards that reduce the chances of static discharge, which could be catastrophic in a data center environment

Question 9

Q

Egress monitoring solutions can aid in reducing the potential for loss due to

A. Data seizure
B. Crypto shredding
C. Malicous disclosure
D. Encryption

Answer

A

C. Malicious disclosure

Explanation:
Egress monitoring tools identify outbound traffic that violates an organizations policies, such as when a malicious user attempts data exfiltration

Question 10

Q

Of the following data center redundancy characteristics, which will be in place regardless of tier?

A. All hardware
B. Power
C. Emergency Egress
D. Cooling

Answer

A

C. Emergency Egress

Explanation:
Human life is always the first priority so all data centers must have an emergency egress. The other characteristics will only be in place and associated with specific tiers

Question 11

Q

Gathering business requirements aid in determining information about organizational assets. WHich of the following is not determined by this process?

A. Criticality
B. Robustness
C. Value
D. ROI

Answer

A

C. Robustness

Explanation:Robustness is not a trait measured by the process of reviewing business requirements

Question 12

Q

Of the following, which is a valid readon for a baseline to change?

A. New hardware
B. Numerous change requests
C. New hypervisor
D. New database

Answer

A

B. Numerous change requests

Explanation:
The best reason for changing a baseline is numerous change requests. If too many changes are being requested, it is a sign that the baseline needs to be reviewed and changed in order to meet these new demands

Question 13

Q

In which of the following does the customer have the most control of their data and systems while the cloud provider will have the least amount of responsibility?

A. PaaS
B. SaaS
C. IaaS
D. DaaS

Answer

A

B. IaaS

Explanation:
In the infrastructure as a service model, the provider offers and manages the physical plant and connectivity to underlying hardware. All systems and data are the responsibility of the customer

Question 14

Q

What term best describes a set of technologies that analyze application source code, byte code and binaries for coding and design problems that would indicate a security problem or vulnerability?

A. DAST
B. SAST
C. MFA
D. STRIDE

Answer

A

B. SAST

Explanation:
DAST stands for dynamic application security testing and cannot analyze source code as it analyzes code while it is running. MFA stands for multifactor authentication and STRIDE is a threat model concept

Question 15

Q

How long should an uninterruptable power supply be able to run during a sustained power outage?

A. Long enough for administrative intervention
B. Long enough to complete a graceful system shutdown
C. Until the power resumes
D. 4 hours

Answer

A

B. Long enough to complete a graceful system shutdown

Explanation:
A UPS is configured to safely shut down systems in order to save data in the event of a power failure

Question 16

Q

Poorly negotiated contacts can cause many problems. Of the following, which is not an example of what can happen when contracts are not properly negotiated?

A. Unfavorable terms
B. Malware
C.Vendor lock in
D. Paying for services not used

Answer

A

B. Malware

Explanation:
MAlware is not the result of a poorly negotiated cloud contract.

Question 17

Q

Which of the following is the most important mechanism to ensure trust in the cloud providers performance and duties?

A. The contract
B. Statutory Law
C. CSA Security Alliance Cloud Controls Matrix
D. SLA provisions

Answer

A

A. The contract

Explanation:
The contract between the provider and the customer provides trust between the two parties by holding the provider legally responsible for its contractual obligations

Question 18

Q

Of the following, whose advice should be given the most weight on the decision to patch a live production system?

A. Customer
B. Vendor
C. Internal Compliance
D. Supervisor

Answer

A

B. Vendor

Explanation:
The vendor should be the one advising when and how to patch a system as they will have the most up to date information and it will be their patches you are applying

Question 19

Q

What is the term used to describe the ease and efficiency of moving data from one provider to another?

A. Portability
B. Mobility
C. Forklifting
D. Vendor Lock Out

Answer

A

A. Portability

Explanation:
This is the term used to describe the ease and efficiency of moving data from one cloud provider to another

Question 20

Q

WHich of the following is not a countermeasure designed to protect against internal threats?

A. Separation of duties
B. Data masking
C. DLP Solutions
D. Scalability

Answer

A

D. Scalability

Explanation:
All except option D are designed to protect against unreliable personnel actions, including by cloud admins

Question 21

Q

Which of the following does not represnt an attack on a network?

A. Syn flood
B. Denial of Service
C. Nmap Scan
D. Brute force

Answer

A

C. Nmap scan

Explanation:
All of the rest of these options represent specific network attacks. Nmap is a relatively harmless scanning utility designed for network mapping. Although it can be used for info gathering

Question 22

Q

WHich of the following is not an acceptable practice for user access control administration?

A. Customer directly administers access
B. Provider provides administration on behalf of the customer
C. Customer provides access administration on behalf of provider
D. Third party provides administration on behalf of the customer

Answer

A

C. Customer provides access administration on behalf of the provider

Question 23

Q

How quickly should data center transfer switches bring backup power online in the event of a main failure?

A. 3 seconds
B. 1 minute
C. 5 minutes
D. Before the battery backup fails

Answer

A

D. Before the battery backup fails

Question 24

Q

Of the following, which would be used to protect a companys sales lead information?

A. Trademark
B. Copyright
C. Patent
D. Trade secret

Answer

A

D. Trade secret

Explanation:
Information specific to a company and that is unique to them would be covered under the term trade secret

Question 25

Q

What is the lowest tier of data center redundancy according to the Uptime Institute?

A. 1
B. 3
C. 5
D. 7

Answer

A

A. 1

Explanation:
There are four tiers of data center redundancy, with 1 being the lowest and 4 being the highest

Question 26

Q

Of the following, which would be most useful in a disaster that is primarily local, such as an interruption of communications service?

A. Joint operating agreements
B. Diesel Generators
C. Assistance from regulatory agencies
D. Assistance from local law enforcement

Answer

A

A. Joint operating agreements

Explanation:
Having a joint operating agreement with a sister facility can assist greatly when dealing with a local disaster that does not affect a large area

Question 27

Q

Which of the following is a technology solution for securing databases?

A. NIST
B. SAST
C. SAML
D. DAM

Answer

A

D. DAM

Explanation:
Database activity monitoring is a security technology used for monitoring and analyzing database activity that operates independently of the database management system. NIST is the National Institute of Technology, SAST is a type of application testing, and SAML is a technology used with identity access management

Question 28

Q

Of the following, which would be used to protect the intellectual property of a logo for a business?

A. Trademark
B. Copyright
C. Trade Secret
D. Patent

Answer

A

A. Trademark

Explanation:
Trademarks are designed to protect symbols such as company logo or trade name

Question 29

Q

Who is ultimately legally responsible for data loss or disclosure in the cloud?

A. Cloud service provider
B. Cloud broker
C. Cloud customer
D. Cloud admin

Answer

A

C. Cloud customer

Explanation:
The cloud customer, also the data owner, is always ultimately legally responsible for unauthorized disclosures

Question 30

Q

Regardless of cloud deployment or service model, the customer will always be allowed to access to which of the following?

A. Access controls
B. User permissions
C. Data
D. Hypervisor

Answer

A

C. Data

Explanation:
Regardless of model, the customer owns the data and will therefore always be allowed to access it

Question 31

Q

WHich of the following is the best example of a technical control?

A. Access control lists
B. Door locks
C. Overriding security policy
D. Configuration guidelines

Answer

A

A. Access control lists

Explanation:
Only access control lists are a technical control. All others are physical and administrative

Question 32

Q

In order for tokenization to properly work, which of the following must be in place?

A. MFA
B. Two databases
C. Asymmetric encryption keys
D. MFA Key Fobs

Answer

A

B. Two databases

Explanation:
Tokenization requires two databases one containing the raw, original data and a second that contains the tokens that map to the original data

Question 33

Q

Inability to remotely access a cloud provider impacts which of the three elements of the VIA triad?

A. Integrity
B. Availability
C. Confidentiality
D. Access Controls

Answer

A

B. Availability

Explanation:
The element of availability is impacted if a remote user cannot access the cloud provider

Question 34

Q

Which of the following is the best example of a SIEM function?

A. Performance enhancements
B. REST
C. SOAP
D. Centralization of log streams

Answer

A

D. Centralization of log streams

Explanation:
In addition to centralization of log streams, SIEMs provide the ability to do trend analysis and view dashboards of activity

Question 35

Q

Which of the following is not an example of encryption used in cloud computing?

A. Storage encryption
B. Session encryption
C. Data masking
D. TLS remote access

Answer

A

C. Data masking

Explanation:
Data masking is a technique whereby similar text strings are used in place of real data.

Question 36

Q

How long should the fuel that is stored for data center generators be able to keep the data center up?

A. 12 hours
B. 24 hours
C. 8 hours
D. 48 hours

Answer

A

A. 12 hours

Explanation:
Based on Uptime Institute guidelines, enough fuel should be on hand to keep the generator running for at least 12 hours regardless of the data center tier

Question 37

Q

When migrating to the cloud, which of the following dependencies are not important as part of the BIA review process?

A. Cloud providers suppliers
B. Cloud providers vendors
C. Cloud providers utilities
D. Cloud providers resellers and brokers

Answer

A

D. Cloud providers resellers and brokers

Explanation:
All options except D are important dependencies when reviewing the BIA

Question 38

Q

Of which of the following is not a feature of DAST?

A. Runtime testing
B. Executable testing by teams
C. Black box testing
D. Code review

Answer

A

D. Code review

Explanation:
All of the other items listed are features of dynamic application security testing

Question 39

Q

Which of the following is the term used for the intellectual property protection for the tangible expression of creative ideas?

A. Trademark
B. Registration
C. Copyright
D. Trade secret

Answer

A

C. Copyright

Explanation:
Copyrights are designed to protect the tangible expressions of creative works, like books, articles, music and so on

Question 40

Q

Of the following which is an example of a technical control?

A. Fire suppression equipment
B. Audit trails
C. Security policies
D. Configuration procedures

Answer

A

B.Audit trails

Explanation:
Audit trails are an example of a technical control. Fire suppression equipment, security policies and configuration procedures are all examples of administrative controls

Question 41

Q

In order to provide a secure environment for application testing, which service model would be the best fit?

A. PaaS
B. IaaS
C. SaaS
D. DaaS

Answer

A

A. PaaS

Explanation:
PaaS allows the customer to install and run any applications they want on any OS environment they may need

Question 42

Q

Which of the following is a technique used in hardening a device?

A. Use of SSL for communications
B. Patching and updating
C. PKI
D. OS Encryption

Answer

A

B. Patching and updating

Explanation:
Updating and keeping systems patched is one of he most effective ways to keep them secure. If you were to encrypt the OS, you would not be able to use the system, and SSL and PKI refer to ways of protecting communications

Question 43

Q

What is a good way to secure devices in a BYOD environments?

A. Encrypt device drives
B. Remove Java from all platforms
C. WAFs
D. Discontinue the use of Flash

Answer

A

A. Encrypt device drives

Question 44

Q

Which of the following is a term used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes?

A. Data discovery
B. Hashing
C. Masking
D. Public key infrastructure

Answer

A

C. Masking

Explanation:
Masking is a form of confidentiality assurance that often replaces the original information with asterisks or Xs

Question 45

Q

Of the following bodies, which does not have a comprehensive federal privacy law that protects its citizens personal data?

A. United States
B. Europe
C. Singapore
D, Argentina

Answer

A

A. United States

Explanation:
The US is the only entity in this list that does not have a comprehensive policy directed at protecting its citizens privacy

Question 46

Q

Which of the following is a service that provides a replication of data across various locations?

A. Software defined networking (SDN)
B. Virtual network
C. Content delivery network (CDN)
D. Local Area Network

Answer

A

C. Content delivery network

Question 47

Q

Which of the following is something you cannot do when dealing with risk?

A. Mitigation
B. Transfer
C. Reverse
D. Accept

Answer

A

C. Reverse

Explanation:
Risk cannot be reversed. It can only be mitigated, transferred or accepted

Question 48

Q

Which of the following is a characteristic of liquid propane gas that makes it attractive as a fuel for backup generators?

A. Does not spoil
B. Burn rate
C. Price
D. Ubiquitous

Answer

A

A. Does not spoil

Explanation:
One primary advantage of LP gas is that it does not spoil the way gasoline and diesel fuel can

Question 49

Q

Of the following, which tpe of SSAE audit report is the cloud provider most likely to be willing to share without any additional participation from the cloud customer?

A. SOC 1 Type 1
B. SOC 3
C. SOC 2 Type 1
D. SOC 3 Type 2

Answer

A

B. SOC 3

Explanation:
SOC 3 is the least detailed report, designed for public dissemination. There is no SOC 3 Type 2 report

Question 50

Q

Of the following, which is not a consideration when planning for physical security concerns?

A. Local language variations
B. CCTV coverage
C. Traffic patterns
D. Chance of natural disasters

Answer

A

A. Local language variations

Explanation:
Local languages having nothing to do with physical security. All the others are valid concerns

Question 51

Q

Which of the following would be used to learn the critical paths, processes and assets of an organization?

A. Business impact analysis
B. Business requirements
C. Risk assessment
D. Pentest

Answer

A

A. Business impact requirements

Explanation: BIA is designed to identify and ascertain the value of assets in addition to the critical paths and processes

Question 52

Q

Of the following, which does not rpepresent a level of the CSA STAR ceritfication program?

A. Self assessment
B. SOC 2 Type 3
C. Third party assessment based certs
D. Continuous monitoring based cert

Answer

A

B. SOC 2 Type 3

Explanation:
SOC 2 Type 3 is not an actual report format. All of the other options are part of the levels of the CSA STAR cert program

Question 53

Q

Which of the following is a characteristic of modern data center design?

A. Weak physical security
B. Located in metro areas
C. Located in desert climates
D. Power redundancy

Answer

A

D. Power redundancy

Explanation:
One of the foundational design characteristics in modern data center design involves ensuring redundant power systems. Data centers can be located anywhere, and typically have strong physical security

Question 54

Q

When you are designing redundancy and contingency planning in a data center, which of the following is the most important consideration?

A. Power availability
B. Health and human safety
C. HVAC Capabilities
D. Redundant telco providers

Answer

A

B. Health and human safety

Explanation:
While the other options are important, they are all subordinate to human health and safety, which is the first priority of any security programs

Question 55

Q

Which of the following best represent the three distinct levels of the CSA STAR program?

A. Third party assessment, attestation and ongoing monitoring
B. Self assessment, SOC 2, and ongoing monitoring
C. Self assessment, attestation and ongoing monitoring cert
D. Self assessment, attestation and cert

Answer

A

C. Self assessment, attestation and ongoing monitoring cert

Explanation:
Self assessment, attestation and ongoing monitoring cert are the three levels of STAR cert

Question 56

Q

Which of the following has increased the viability of cloud services?

A. Smart bus hubs
B. Virtualization
C. Agile development
D. High speed switching

Answer

A

B; Virtualization

Explanation:
Virtualization allows scalable resource allocation, which has in turn dramatically increased the viability of cloud services

Question 57

Q

With regard to PII stored in the cloud, who is ultimately responsible for the security of that PII?

A. Cloud provider
B. Cloud broker
C. Cloud customer
D. System admin

Answer

A

C. Cloud customer

Explanation:
The cloud customer is always the data owner and therefore ultimately responsible for the security of PII

Question 58

Q

Of the following, which cloud data storage process uses encrypted chunks of data?

A. Data dispersion
B. RAID 5
C. RAID 0
D. RAID 3

Answer

A

A. Data dispersion

Explanation:
Data dispersion uses chunks of data, erasure coding and encryption

Question 59

Q

IN which cloud service model is the customer required to maintain and update only the applications?

A. SaaS
B. IaaS
C. PaaS
D. DaaS

Answer

A

C. PaaS

Explanation:
In PaaS, the customer is paying for access to a virtual machine with an OS on which to install applications. Since the customer owns the applications, it is their responsibility to keep the applications up to date

Question 60

Q

What is a technology that may lead to the ability to process encrypted data without having to decrypt it first?

A. AES encryption
B. MD5 hashing
C. Message authentication
D. Homomorphic encryption

Answer

A

D. Homomorphic encryption

Explanation:
Homomorphic encryption is an experimental technology that would allow ciphertext to be manipulated in processes and still produce the same results as when the unencrypted plaintext of the same data is processed.

Question 61

Q

How should cryptographic keys be protected?

A. AES 256
B. To a level at least high as the data they are protecting
C. SHA 2
D. As high as is possible

Answer

A

B. To a level at least as high as the data they are protecting

Explanation:
Cryptographic keys should always be protected with safeguards at least as stringent, if not more, than the level of the data they are protecting

Question 62

Q

Which of the following is most important in a BC DR incident?

A. Checklists
B. Redundant power
C. Backups
D. Spare hardware

Answer

A

A. Checklists

Explanation:
A BCDR event is no time to be scrambling around trying to figure out what to do. Having a plan in place and executing it is dependent on everyone understanding the plan and checklists are the way we work through steps of the plan in order

Question 63

Q

Of the following elements, which is the primary driver of security decisions?

A. Location
B. Access
C. Resiliency
D. Business requirements

Answer

A

D. Business requirements

Explanation:
BUsiness requirements will and should always be what drives security decisions

Question 64

Q

Which of the following is the best example of a countermeasure used to protect cloud operations against external attackers?

A. Continual monitoring for anomalous activity
B. Detailed and extensive background checks
C. Use of generic hardware in the building infrastructure components
D. Cameras inside the data center

Answer

A

A. Continual monitoring for anomalous activity

Explanation:
Continual monitoring for anomalous activity is a great way to detect potential external attacks. The other answers having nothing to do with protecting cloud operations from external threats

Answer 65

A

B. Changes in regulations

Explanation:
A change in regulations has never resulted in a data center outage, but each of the other options has caused many outages

Answer 66

A

A. IaaS

Explanation:
Object and volume storage are both related to infrastructurew

Answer 67

A

A. Statutory Compliance

Explanation:
Statutory compliance refers to state and federal laws. They cannot force a customer to stay with a cloud provider. HOwever, all the rest are problems that can lead to vendor lock in

Answer 68

A

B. Data Discovery

Explanation:
Egress monitoring has nothing to do with elasticity, metered service or satellite links. However, egress monitoring tools often feature data discovery functions

Answer 69

A

C. Patent

Explanation:
Patent are designed to protect the intellectual property of processes

Answer 70

A

B. Business requirements

Explanation:
Security controls should always be based on the needs of the business. Regulations, state laws, and best practices may all shape the business requirements but are not direct drivers themselves

Answer 71

A

A. Tests performed on application or software product while it being executed in memory

Explanation:
Dynamic application security testing is testing conducted while the application is resident in memory and being executed

Answer 72

A

C. Redundant ISPs

Explanation:
Having redundant ISPs or carriers provides the data center with protection against such external threats as DDoS international fiber cuts, and similar effects

Answer 73

A

A. Over-subscription

Explanation:
The question is the definition of over subscription. This can happen in a multi tenant environment like cloud computing if not properly managed

Answer 74

A

C. Dual power supplies

Explanation:
While having secondary redundant power supplies helps with device redundancy, it has nothing to do with device hardening. Each of the other options helps in the hardening process.

Answer 75

A

A. 4

Explanation:
The Uptime Institute has four tiers of data center redundancy rating, with the highest being 4 and the lowest being 1

Answer 76

A

A. SOC 1

Explanation:
The SOC 1 report is primarily for reporting on financial controls

Answer 77

A

A. Trade secret

Explanation:
A recipe that is not secret could be protected by a patent

Answer 78

A

A. Media present checks

Explanation:
Media present checks look to see if protected media is present before allowing content to be played or distributed

Answer 79

A

A. Data classification

Explanation:
Data classification is vital in egress monitoring solutions. This typically occurs at the same time of data creation

Answer 80

A

A. eDiscovery

Answer 81

A

B. Senior management

Explanation:
Senior management determines the risk appetite of an organization

Answer 82

A

B. A TPM Chip

Explanation:
A TPM is a security device found on an individual machine and is designed to store encryption keys securely. Options A, C and D are all features of secure KVMs

Answer 83

A

A. Line conditioning

Explanation:
Battery backups also provide a critical function in that they condition the line. What this means is that they add and suppress power curves that are a part of normal minute by minute fluctuations in volytage and amperage delivered. THis smoothing out, or conditioning, helps equipment to last much longer since it is no longer subjected to varying voltages or amps

Answer 84

A

A. Storing them separately from data

Explanation:
You never want to store encryption keys with the data they are protecting, They should always be stored on a seprate system3

Answer 85

A

B. Programming as a Service

Explanation:
Programming as a Service is not a common offering; the others are ubiquitous throughout the industry

Answer 86

A

C. FedRAMP

Explanation:
FedRAMP is a US federal program that mandates a standardized approach to security assessments, authorization and continuous monitoring of cloud products and services

Answer 87

A

C. Independent (private) Labs

Explanation:
Vendors seeking HSM certs under FIPS 140-2 send their products to independent labs that have been validated as Cryptographic Module Testing Labs under the National Voluntary Lab Accreditation Program

Answer 88

A

C. Strict access control mechanisms

Explanation:
While physical controls that inhibit movement affect personnel, they are not regarded as personnel controls. All the other options are examples of personnel controls

Answer 89

A

B. The vendor/manufacturer

Explanation:
The vendor/manufacturer of a given product will pay to have it certified, with the premise that cert costs are offset by premium prices

Answer 90

A

A. Be less expensive to operate securely in the production environment

Explanation:
When security is created as an aspect of the software itself, there is less need to acquire and apply additional security controls to mitigate the risks after deployment

Answer 91

A

C. OLSame

Explanation:
This is a nonsense term with no meaning

Answer 92

A

A. The basis for deciding which laws are most appropriate in a situation where conflicting laws exist

Explanation:
The Restatement (Second) Conflict of Law is the basis used for determining which laws are most appropriate in a situation where conflicting laws exists

Answer 93

A

B. Type I

Explanation:
A SOC Type 1 report is designed around a specific point in time as opposed to a report of effectiveness over a period of time

Answer 94

A

A. The amount of expected loss due to any specific single incident

Explanation:
The single loss expectancy is the amount of expected damage or loss from any single specific security incident

Answer 95

A

A. Create

Explanation:
Data should be labeled and classified as soon as it is created/collected. All the other options are incorrect

Answer 96

A

A. Never

Explanation:
PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multitenant environment

Answer 97

A

D. PaaS

Explanation:
PaaS is what cloud customer use when they need to rent hardware, OS, storage and network capacity over the Internet

Answer 98

A

D. 12 hours

Explanation:
The Uptime Institute dictates 12 hours of generator fuel for all cloud datacenter tiers

Answer 99

A

A. Payload encryption

Explanation:
DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer. This does not include payload encryption - confidentiality is not an aspect of DNSSEC

Answer 100

A

D. Internet Engineering Task Force

Explanation:
The IETF is an international organization of network designers and architects who work together in establishing standards and protocols for the internet

Answer 101

A

B. Hardware security module (HSM)

Explanation:

Answer 102

A

A. Continuous audit trail

Explanation:
Capturing all relevant system events is the definition of a continuous audit trail, one of the required traits for a DRM solution of any quality.

Answer 103

A

C. IDS/IPS

Explanation:
IDSs/IPSs do not secure data, they detect attack activity

Answer 104

A

C. It connects physically to the specific storage area allocated to a given customer

Explanation:
All management functions should take palce on a highly secure, isoalted network

Answer 105

A

A. Automatic registration with the configuration management system

Explanation:
Version control can be difficult in a virtual environment because saved VMs dont receive updates. Ensuring that each VM is the correct version is a function of configuration management, and CM controls can be built into the baseline

Answer 106

A

D. Access to an IT environment usually via the Internet

Explanation:
Cloud providers offer customers access to an IT environment, usually via the Internet

Answer 107

A

C. Personal cloud storage

Explanation:
Personal cloud storage is the storage of a single users data in the cloud, allowing them access from anywhere on the Internet

Answer 108

A

C. Suspension of service

Explanation:
The cloud provider is usually allowed to suspend service to the customer if the customer fails to meet the contract requirements. This can be fatal to a customers operations and is a great motivation to make timely payments

Answer 109

A

B. Use Digital rights management and data loss prevention solutions widely throughout the cloud operation

Explanation:
DRM and DLP are used for increased authentication/access control and egress monitoring, respectively and would actually decrease portability instead of enhancing it

Answer 110

A

D. FEDRAMP

Explanation:
Federal Risk and Authorization Management Program is the US program for federal entities operating in the cloud

Answer 111

A

B. Encryption protocols

Explanation:
DHCP servers do not normally orchestrate encryption
All the other options are common functions of DHCP servers

Answer 112

A

B. GRE

Explanation:
Generic route encapsulation is a tunneling mechanism, specifically designed for the purpose of tunneling

Answer 113

A

C. Every organization

Explanation:
Every organization is responsible for performing its own risk assessment for its own particular business needs. Cloud providers will not perform risk assessments on behalf of their customers

Answer 114

A

B. The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers

Explanation:
A cloud carrier is the intermediary who provides connectivity and transport of cloud services between cloud providers and cloud customers

Answer 115

A

D. Authentication of privileged users

Explanation:
Data masking does not support authentication in any way. All the others are excellent use cases for data masking

Answer 116

A

C. Periodic and effective use of cryptographic sanitization tools

Explanation:
Cryptographic sanitization is a means of reducing the risks from data remnance, not a way to minimize escalation of privilege

Answer 117

A

A. The cloud provider also managing the organizations keys

Explanation:
Cryptoshredding relies on the eventual destruction of the final keys; if keys are not under the management of the customer, they may be replicated or difficult to dispose of.

Answer 118

A

C. Persistence

Explanation:
Access rights following the object in whatever form or location it might be or move to is the definition of persistence, one of the required traits for a DRM solution of any quality

Answer 119

A

B. The ability of internal personnel to trigger business continuity/ disaster recovery activities

Explanation:
The STRIDE threat model does not deal with business continuity and disaster recovery actions. All the other options are elements of STRIDE and therefore not correct

Answer 120

A

D. Voice Over Internet Protocol (VoIP) conversations

Explanation:
Commercial DLP products that monitor speech in real time and censor conversations are not yet widely available.

Answer 121

A

D. Elevation of dropped ceilings

Explanation:
The height of dropped ceilings is not a security concern, except in action moves. The rest of the answers are all aspects of physical security that should be taken into account when planning and designing a data center

Answer 122

A

A. They want to enhance security by keeping information about physical layout and controls confidential

Explanation:
‘

Answer 123

A

D. Function

Explanation:
Function is usually the functional requirement, describing what action the tool/process satisfies. All the others are nonfunctional requirements typically.

Answer 124

A

D. MFA

Explanation:
MFA offers additional protections for assets that are critical to the organization. All logins should utilize strong passwords, whether or not they are ciritcal.

Answer 125

A

B. International Organization Standardization (ISO) 28000:2007

Explanation:
ISO 28000-2007 applies to security controls in supply chains. The others are cloud computing standards but have little to do with supply chanin management

Answer 126

A

D. Payment Card Industry Data Security Standard (PCI DSS)

Explanation:
The PCI DSS is a voluntary standard, having only contractual obligation. All the other options are statues, created by law making bodies.

Answer 127

A

B. Real time analytics

Explanation:
Real time analytics allow for reactive and pmredictive operations (such as recommending other, related products_) based on customers current and past shopping behaviors

Answer 128

A

A. Number of transactions per year

Explanation:
The four merchant levels in PCI are distinguished by the number of transactions that merchant conduct in a year.

Answer 129

A

A. Integrity

Explanation:
Integrity ensures that data has not been altered by unauthorized activity. That includes being complete and accurate

Answer 130

A

C. Background checks for provider personnel

Explanation:
The SLA wont typically include direct mention of the sorts of personnel security measures undertaken by the cloud provider.

Answer 131

A

D. Encryption

Explanation:
Encrypted data may be impossible for egress monitoring solution to read, thereby making the tool useless

Answer 132

A

B. Secure Sockets Layer

Explanation:
SSL Is encryption used in a communication session, not a storage volume. All the other options are examples of database encryption options

Answer 133

A

D. Your organization

Explanation:
The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider might be liable for financial costs related to these responsibilities, but those damages can only be recovered long after the notifications have been made by the cloud customer

Answer 134

A

A. Anonymization

Explanation:
Anonymization is the act of permanently and completely removing personal identifiers from data

Answer 135

A

A. Prohibitions on port scanning and pentesting

Explanation:
Many cloud providers prohibit activities that are common for admin and security purposes but can also be construed/used for hacking; this includes port scanning and pentesting lllllll

Answer 136

A

A. 1

Explanation:
Option B describes another type of hypervisor; the other options are incorrect because there is no such thing as a 3 or 4 hypervisor

Answer 137

A

C. Deletion

Explanation:
While deletion is a very good way to avoid possibility of inadvertently disclosing production data in a test environment, it also eliminates the usefulness of the data set as a plausible

Answer 138

A

B. A tightly coupled cloud storage cluster

Explanation:
By definition, the tightly coupled cluster has a maximum capacity, whereas the loosely coupled cluster does not, The other options do not have a set maximum capacity and are therefore incorrect

Answer 139

A

B. Review all updates/lists/notifications for components your organization uses

Explanation:
Staying current with published vulnerability for your component is crucial. This might not be simple as there are many versions of design components and nomenclature is not always uniform

Answer 140

A

B. OWASP

Explanation:
The OWASP is a volunteer organization that devises standards and solutions for web application development. All the other options are common federation technologies

Answer 141

A

B. XML and open standards based

Explanation:
SAML is an XML based, open standard data format designed for the exchange of authentication and authorization data between parties

Answer 142

A

B. Criminal

Explanation:
Criminal law is set out in rules and statutes created by a government, prohibiting certain activities as a means of protecting the safety and well being of its citizens. Violations generally consists of both monetary and/or loss of liberty punishments

Answer 143

A

A. Remote kill switch

Explanation:
Dual control is not useful for remote access devices, because we would have to assign two people for every device, which would decrease efficiency and productivity.

Answer 144

A

C. Line conditioning

Explanation:
A UPS can provide line conditioning, adjusting power so that it is optimized for the device it serves and smoothing any power fluctuations; it does not offer any of the other listed functions

Answer 145

A

A. Data format type and structure

Explanation:
When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform agnostic data set is more portable and less subject to vendor lock in

Answer 146

A

A. Private

Explanation:

Answer 147

A

B. Less believable, if the changes are not documented

Explanation:
All forensic processes and activity should be documented with extreme scutinity. It is very important for your actions to be documented and repeatable in order for them to remain credible.

Answer 148

A

A. Egress monitoring solutions

Explanation:
Egress monitoring tools are specifically designed to seek out and identify data sets based on content; this is part of how they operate. They can be used for or in conjunction with content base data discovery efforts.
DRM is an additional access control solution for objects, so option B is incorrect

Answer 149

A

B. Object Storage

Explanation:
Object storage is a means of storing objects in a hierarchy such as a file tree. All the other options are terms used to describe cloud storage areas without file structures

Answer 150

A

D. Practice a restore from backup

Explanation:
There is no way to know if the backup actually serves the purpose until the organization tests a restoration. The other options are all backup options but do not actually demonstrate whether the backup is suitable for the business continuity and disaster recovery requirements

Answer 151

A

D. Data recovery procedures

Explanation:
All of the elements listed are important aspects of the data retention policy. However, using proper data retrieval procedures is the one without which all the others may become superfluous.

Answer 152

A

C. Human Resource

Explaniation:
Identification of personnel is usually verified during the hiring process, when HR checks identification documents such as passports or birth certs to confirm the applicants identity, often as part of a tax registration

Answer 153

A

C. Service model, deployment model

Explanation:
in order for developers to properly create and secure applications, they will need to understand the extent of resource sharing and level of control

Answer 154

A

A. Data format and type

Explanation:
In order to use the archive for recovery, the data needs to be of a format and type that can be utilized by the organizations system and environment. Saving data in the wrong format can be equivalent to losing the data

Answer 155

A

A. Each organization

Explanation:
In a web of trust federation model, all of the participating organizations are identity providers; each group will assign identity credentials to its own authorized users, and all the other organizations in the federation will accept those credentials

Answer 156

A

A. The production team

Explanation:
In DevOps, the programmers continually work in close conjunction with the production team to ensure that the project will meet their needs

Answer 157

A

D. Tight gaskets

Explanation:
When cables come up through a raised floor used as a cold air feed, we do not want cold air bleeding around the cables in an unplanned manner; this can cause inefficiencies in airflow control.

Answer 158

A

B. Sharing account credentials between users and services

Explanation:
Users sharing account credentials is fairly common practice and one that can lead to significant misuse of the organizations resources and greatly increase risk to the organization.

Answer 159

A

C. Some risk to availability, depending on the implementation

Explanation:
Ironically, data dispersion can lead to some additional risk of loss of availabilty, depending on the method/breadth of the dispersion. If the data is spread across multiple cloud providers, there is a possibility that an outage at one provider will make the data set unavailable to users, regardless of location

Answer 160

A

D. Inaccurate or incomplete

Explanation:
A data discovery effort can only be as effective as the veracity and quality of the data it addresses. Bad data will result in ineffective data discovery. All the other answers do not impact data discovery efforts and are only distractors.

Answer 161

A

D. System and Organization Controls (SOC) reports

Explanation:
SOC reports are the audit reporting mechanisms dictated by SSAE 18. SOX is a federal law targeting publicly traded corporations in the US.

Answer 162

A

D. Secure Destruction

Answer 163

A

D. Community

Explanation

Answer 164

A

A. AWS

Explanation:

Answer 165

A

C. Sandboxing

Explanation:
Sandboxing allows software to be run in an isolated environment, which can aid in error detection

Answer 166

A

A. Define

Explanation:
The earlier security inputs are included in the project, the more efficient and less costly security controls are overall. The Define phase is the earliest part of the SDLC.

Answer 167

A

A. Store

Explanation:
The Cloud Secure Data Life cycle phases are in order Create, Store, Use, Share, Archive, Destroy

Answer 168

A

D. Source Code

Explanation:
In SAST, testers review the source code of an application in order to determine security flaws and operational errors

Answer 169

A

A. Vulnerability assessments and pentesting

Explanation:
Once the system is deployed operationally, continuous security monitoring including periodic vulnerability assessments and pentesting, is recommended. All the other options are security functions that should take place in phases prior to the systems deployment

Answer 170

A

A> Most of the cloud customers interaction with resources will be performed through APIs

Explanation:
Because a significant percentage of cloud customer interactions with the cloud environment will utilize APIs, the threat of insecure APIs is of great concern in cloud computing.

Answer 171

A

A. Business, security

Explanation:
Tracking and monitoring personnel training is absolutely vital in order to demonstrate regulatory requirements

Answer 172

A

C. SOC 1

Explanation:
The SOC 1 audit report is not for security controls; it is for financial reporting controls.

Answer 173

A

D. Chile

Explanation:
Chile does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do

Answer 174

A

D. Signing a personal check

Explanation:
The check involves

Answer 175

A

D. Randomization

Explanation:
Firewalls do use rules, behavior and/or content filtering in order to determine which traffic is allowable.

Answer 176

A

C. VMs located physically in one location but operating in different time zones

Explanation:
If patches are rolled out across an environment where users are operating virtual machine at different times, there is a possibility that VMs will not be patched in uniform, which could lead to data disruption

Answer 177

A

D. The grating of right of access to a user, program or process

Explanation:
Authorization is the granting of right of access to a user, program or process. All the other options are related to authentication

Answer 178

A

C. The concept of keeping information secret from anyone other than someone with authorized access

Explanation:
Confidentiality refers to the concept of keeping info secret from anyone other than someone with authorized access

Answer 179

A

D. Exhaust fans on racks facing exhaust fans on other racks

Explanation:
The preferred methid is cold aisle containment (hot aisle containment, where the inlets on racks face each other is all right too.

Answer 180

A

C. Does not spoil

Explanation:
Liquid propane does not spoil, which obviates necessity for continually refreshing and restocking it and might make it more cost effective

Answer 181

A

C. SSO allows a user to access multiple applications with a single set of creds for authentication and authorization

Explanation:
SSO allows a user to access multiple applications with a single set of credentials for authentication and authorization

Answer 182

A

D. The cloud customer

Explanation:
While the determination of what sorts of data need to be protected may come from external sources, the classification of data for each data owner/cloud customer will be specific to that entity

Answer 183

A

B. The brand or vendor of the cloud providers audit or logging tool

Explanation:
All the answers are processes or elements that should be included in the security operations procedures except for option B; the cloud customer will not get to select, or probably even know, what tools and devices the cloud provider has put into place, so this will not be included in the customers procedures

Answer 184

A

D. To determine whether the user is still performing well

Explanation:
Job performance is not a germance aspect of account review and maintenance; that is a management concern, not an access control issue.

Answer 185

A

C. Trademark

Explanation:
Logos and symbols and phrases and color schemes that describe brands are trademarks

Answer 186

A

C. Cold

Explanation:
Cold air is usually put through raised flooring because warm air naturally raises and using the riases flooring to conduct warm air would require an unnecessary and inefficient expenditure of energy

Answer 187

A

B. Vulnerability Signatures

Explanation:
Vulnerability scans use signatures of known vulnerabilities to detect and report those vulnerabilities. Scans do not typically require admin access to function; option A is incorrect

Answer 188

A

A. Allows a single user to authenticate using a process that then allows access across multiple IT systems or even orgs

Explanation:
Federated SSO allows users to authenticate once but then be granted access to resources of other federated organizations within the federation

Answer 189

A

C. The average time it takes to repair a device that has failed or is in need of repair

Explanation:
Mean time to repair (MTTR) is the time required to repair a device that has failed or is in need of repair. The term mean indicates the average time as opposed to the actual or past exerpiences

Answer 190

A

D. Value of data

Explanation:
The value of data itself has nothing to do with it being considered part of contractual Personally Identifiable Information (PII) even though it may have value associated with it

Answer 191

A

C. Hard drives

Explanation:
While hard drives may be useful in the kit, they are not necesarrily required. All the other items should be included.

Answer 192

A

D. US Federal Agencies

Explanation
US federal entities are prohibited from using cryptosystems that are not compliant with FIPS 140-2

Answer 193

A

D. SSDs

Explanation:
SSDs are currently the most efficient and durable storage technology, so cloud providers will favor them.

Answer 194

A

C. Authorization

Explanation:

Answer 195

A

D. Availability

Explantion:
The ENISA Top 8 Security Risks of Cloud Computing does not include availability, even though it is certainly a risk that could be realized

Answer 196

A

C. Used to describe a profitability ratio

Explanation:
Return on investment is a term used to describe a profitiability ratio. It is generally calculated by dividing net profit by net assets

Answer 197

A

C. Cash

Explanation:
Although cash is important for a business to function in general, it is not one of the critical BCDR assets, which include personnel, systems and data

Answer 198

A

A. Extensible Markup Language (XML)

Explanation:
Security Assertion Markup Language is based on XML. HTTP us used for port 80 web traffic; HTML is used to present web pages. ASCII is the universal alphanumeric characterc set

Answer 199

A

A. Loss of governance, snapshot and image security and sprawl

Explanation:
The primary risks associated with virtualization are loss of governance, snapshot and image security and sprawl. Options B and C are incorrect. Public awareness and increased costs are not risks associated with virtualization.

Answer 200

A

B. Homomorphic encryption

Explanation:

Answer 201

A

B. SOC 2, Type 1

Explanation:
This is what a SOC 2, Type 1 report is for.
The SOC 1 is for financial reporting; the SOC 2, Type 2 is to review the implementation (not design) of controls; and the SOC 3 is just an attestation that an audit was performed. All these options are incorrect

Answer 202

A

A. Metered service

Explanation:
Metered service allows cloud customers to minimize expenses and only pay for what they need and use this has nothing to do with BCDR

Answer 203

A

B. Automatic or manual

Explanation:
An organization could implement an automated tool that assigns labels based on certain criteria (location of the source of the data, time, creator, content etc) much like metadata, or the organization could require that data creators/collectors assign labels when the data is first created/collected, according to a policy that includes discrete, objective classification guidance

Answer 204

A

A. Do not use customer authentication schemes

Explanation:
Authentication schema should be transparent to users, who will have little or no control over that element of communication.

Answer 205

A

D. Combination of open source and proprietary

Explanation:
Using multiple forms of code review will produce more secure results than any one form of review

Answer 206

A

D. More often than regular user account reviews

Explanation:
There is no specific rule for the timeliness of privileged user account reviews. However, as a matter of course, privileged user accounts should be reviewed more often than the accounts of regular users because privileged users can cause more damage and therefore entail more risk

Answer 207

A

B. Static discharge

Explanation:
A datacenter with less than optimum humidity can have a higher static electricity discharge rate. Humidity has no bearing on breaches or theft and inversion is a nonsense term used as a distraction

Answer 208

A

B> Firewall

Explanation:
A firewall is a type of network device that allows only authorized traffic to flow across its interfaces

Answer 209

A

D. Print spooling

Explanation:
Print spooling is not a metric for system performance; all the rest area

Answer 210

A

B. BCP/DR/COOP

Explanation:
CABs dont usually offer BCP/DR/COOP services; thats something typically offered by cloud providers

Answer 211

A

B. Backdoors

Explanation:
Backdoors are a particularly prevalent risk in software development because programmers legitimately use backdoors for ease of use and speed of delivery but may mistakenly or even purposefully leave the backdoors in

Answer 212

A

B. A testbed/sandbox

Explanation:
Cloud customers can test different hardware/software implementations in the cloud without affecting production environment and use this information to make decisions before investing in particular solutions

Answer 213

A

D. Auditability

Explanation:

Answer 214

A

C. Vendor guidance

Explanation:
While it is important to follow internal policy, industry standards and regulations when they are applicable, vendor guidance will most often offer the most detailed, specific settings for the particular

Answer 215

A

A. Use limitation principle

Explanation:
The use limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict the use of that PII to that which was permitted by the data subject and the reason given when it was collected

Answer 216

A

D. Less detailed audit trail

Explanation:
If anything, the audit trail for privileged users should be more detailed than that for regular users. All the other options are recommended techniques for privileged user management

Answer 217

A

D. Access

Explanation:
Federation allows users from multiple member organizations to access resources owned by various members. All the other answers are simply not correct

Answer 218

A

B. Inadvertent disclosure

Explanation:
DLP Solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure

Answer 219

A

D. Common Criteria

Explanation:
This is a framework for reviewing product security functions, as stated by the vendor

Answer 220

A

C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption

Explanation:
Technically, BC efforts are meant to ensure that critical business functions can continue during a disruptive event and DR efforts are supported to support the return to normal operations. However, in practice, efforts often coincide, use the same plans/personnel and have many of the same procedures

Answer 221

A

D. Long enough to perform a graceful shutdown of the data center systems

Explanation:
Traditionally, it would be optimum if the UPS latest as long as necessary until the generator is able to resume providing the electrical load that was previously handled by utility power.

Answer 222

A

A. Have another full backup of the production environment stored prior to the test

Explanation:
A full test will involve both the production environment and the backup data it is possible to create an actual disaster during a full test by ruining the availability of both. Therefore, it is crucial to have a full backup, distinct from the BCDR backup, in order to roll back from the test in case something goes horribly wrong

Answer 223

A

B. For high risk operations and data that is particularly sensitive

Explanation:
MFA should be considered for operations that have a significant risk or that deal with highly sensitive data

Answer 224

A

D. Magnetic swipe cards

Explanation;
The data on magnetic swipe cards isnt usually encrypted

Answer 225

A

B. Customer provides administration on behalf of the provider

Explanation:
The customer does not administer on behalf of the provider

Answer 226

A

A. SLA

Explanation:
The SLA is a formal agreement between two or more organizations that may or may not contain incentives or penalties. The primary use of the SLA is to determine if the provider is in fact providing services being purchased

Answer 227

A

B. Isolation failure

Explanation:
In the traditional environment, when all resources are owned, controlled and used by the organizations personnel, loss of isolation will only expose data to other members of the organization; isolation failure in the cloud enivronment may expose data to people outside the organization; a more significant impact

Answer 228

A

C. Availability issues prevent productivity in the cloud

Explanation:
If users cant access the cloud provider, then the operational environment is, for all intents and purposes, useless. DoS attacks that affect avaialbility of cloud services are therefore a great concern

Answer 229

A

B. Demonstrating due dilligence

Explanation:
Applying vendor configurations is an excellent method for demonstrating due dilligence in IT security efforts. Always remember that proper documentation of the action is also necessary.Cry

Answer 230

A

B. Two

Explanation:
The proper procedure for cryptoshredding requires two cryptosystems; one to encrypt the target data; the other to encrypt result data encryption keys

Answer 231

A

C. Civil suit

Explanation:
Intellectual property disputes are usually settled in civil court, as a conflict among private parties. Because there was no agreement between your company and the competitor in question, there is no contract, so no breach of contract dispute is perinent.

Answer 232

A

D. AES

Explanation:
AES is currently used to encrypt and protect US government sensitive and secret data.

Answer 233

A

C. Segmenting networks

Explanation:
Network segmentation allows providers to create zones of trust within the cloud environment, tailoring the available services to meet the needs of a variety of clients and markets

Answer 234

A

B. VM Sprawl

Explanation:
Because the cost of creating new instances in the cloud environment is transparent to many users/offices, there is a significant likelihood that users/officers will create many new virtual machine instances without the knowledge/oversight of management

Answer 235

A

A. Accurate data categorization

Explanation:
DLP tools need to be aware of which information to monitor and which requires categorization
DLPs can be implemented with or without physical access or presence.

Answer 236

A

B. 2

Explanation:
Level 2 of the CSA STAR program requires third party assessments of the provider

Answer 237

A

A. The customer absorsbs the cost

Explanation:
The customer will have to pay for the costs of modification requested by the customer, regardless of the purpose. The provider does not absorb the cost whgen the customers requests a modification of the SLA.

Answer 238

A

C. The individual must be able to request a purge of their data

Explanation:
This is an aspect of the EU legislation, known colloquially as the right to be forgottenn

Answer 239

A

A. In the application accessing the database

Explanation:
The application contains the encryption engine used in application level encryption. The OS is responsible for providing the resources an application needs and for running the applications

Answer 240

A

B. A PLA would force the provider to accept more liability

Explanation:
Under current laws and regulations, ultimate liability for the security of privacy data rests on the data controller, aka the cloud customer

Answer 241

A

D. Conflation

Explanation

Answer 242

A

C. Select an appropriate recovery time objective

Explanation:
The RTO must always be less than the MAD

Answer 243

A

D. Lower costs for the environment

Explanation:
Stand alone hosting will cost more than pooled resources and multitenancy

Answer 244

A

B. ONF

Explanation:
An Organization Normative Framework (ONF) is a framework of so called containers of application security best practices catalogued and leveraged by the organization and contains at least one or more subcomponents known as application normative frameworks

Answer 245

A

C. Privileged Users

Explanation:
The only the most trusted administrators and managers will have access to the cloud data centers management plane. These will usually be cloud provider employees, but some cloud customer personnel may be granted limited access to arrange their organizations cloud resources

Answer 246

A

C. Use another cloud provider for the BCDR backup

Explanation:
It is best to have your backup at another cloud provider in case whatever causes an interruption in service occurs throughout your primary providers environment; this will be more complicated and expensive, but it provides the best redundancy and resiliency

Answer 247

A

D. 4

Explanation:
Because the nature of a life support effort requires absolute availability, nothing less than a Tier 4 data center will serve your purposes. All the other options are incorrect

Answer 248

A

C. It may deplete the earths ozone layer

Explanation:
FM 200 is used as a replaement for older Halon systems specifically because it does not deplete the ozone layer

Answer 249

A

C. Organizational policies

Explanation:
Organizational policies dictates rules for access entitlement.

Answer 250

A

B. The administration/support staff building

Explanation:
Administrative and suport staff are usually not part of the critical path of a data center; they are nonfunctional requirement elements, not functional requirements

Answer 251

A

D. Location of many datacenters

Explanation:
The location of many datacenters - rurally situated, distant from metro areas - may create challenges for finding multiple power utility providers and ISPs

Answer 252

A

B. Signed nondisclosure agreements

Explanation:
Having the test participants provide signed NDAs is an absolutely essential part of this process

Answer 253

A

D. Resource exhaustion

Explanation:
It is possible that a cloud provider will be unable to handle an increased load during contingency situations where all its customers are demanding additional resources far beyond their usual contracted rate

Answer 254

A

D. Mantrap structures

Explanation:
Usually, mantrap areas control access to sensitive locations within a facility, not an entrace to the facility.

Answer 255

A

D. RAID

Explanation:
Redundant array of indepedent disks is a way of using a group of smaller and usually less expensive disks as opposed to a single large disk.

Answer 256

A

B. The cloud customer

Explanation:
In IaaS model, the provider is only responsible for provisioning the devices and computing/storage capacity; the customer is responsible for everything else, including the security of the applications

Answer 257

A

D. Copyright

Explanation:
DRM is often deployed to ensure that copyrighted material is only delivered to and used by licensed recipients

Answer 258

A

C. BUsiness requirements

Explanation:
Seciroty is usually not a profit center; and is therefore beholden to business drivers; the purpose of security is to support the business

Answer 259

A

B. Not stored with the cloud provider

Explanation:
Cryptographic keys should not be stored along with the data they secure, regardless of the length.

Answer 260

A

D. AICPA

Explanation:
The American Institute of Certified Public Accountants publishes the SSAE 18 standard. NIST is a US government entity that publishes many standards for federal agencies

Answer 261

A

D. Threat modeling

Explanation:
Threat modeling is used specifically to identify points of vulnerability in order to implement countermeasures as part of the overall system protection activity

Answer 262

A

D. ALE

Explanation:
The term that best describes the amount an organization should expect to lose on an annual basis due to one type of incident is ALE and is calculated by multiplying the ARO by SLE

Answer 263

A

C. Checklist

Explanation:
Checklists serve as a reliable guide for BC/DR activity and should be straightforward enough to use that someone not already an expert or trained in BC/DR response could ostensibly accomplish the necessary tasks.

Answer 264

A

B. Luring attackers

Explanation:
It is important to distinguish the purpose of the honeypot. It is not for luring in attackers; a lure is an invitation, and inviting an attack decreases the organizations ability to have the attacker prosecured or conduct successful litigation against the attacker

Answer 265

A

A. Simplifying regulatory compliance

Explanation:
The CSA CCM will aid you in selecting and implementing appropriate controls for various regulatory frameworks. The CCM does not aid in collecting log files; that is the function of a SIEM

Answer 266

A

C. 3

Explanation:
Tier 3 should probably suffice for Bobs purposes; providing sufficient redundancy and resiliency

Answer 267

A

B. The dollar value of the asset

Explanation:
The monetary value of the asset is the most objective, discrete metric possible and the most accurate for the purposes of SLE determination

Brainscape's Knowledge GenomeTM

LearnZapp Practice 1 Flashcards

Brainscape's Knowledge Genome^TM