Question #001-100

Question 1

Which of the following is not a component of contractual PII?
A. Scope of processing
B. Value of data
C. Location of data
D. Use of subcontractors

Answer 1

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The value of data itself has nothing to do with it being considered a part of contractua

Question 2

Which of the following concepts refers to a cloud customer paying only for the resources and offerings they use within a cloud environment, and only for the duration that they are consuming them?
A. Consumable service
B. Measured service
C. Billable service
D. Metered service

Answer 2

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Measured service is where cloud services are delivered and billed in a metered way, where the cloud customer only pays for those that they actually use, and for the duration of time that they use them.

Question 3

QUESTION 3
Which of the following roles involves testing, monitoring, and securing cloud services for an organization?
A. Cloud service integrator
B. Cloud service business manager
C. Cloud service user
D. Cloud service administrator

Answer 3

Correct Answer: D Section: (none) Explanation
Explanation/Reference:
Explanation:
The cloud service administrator is responsible for testing cloud services, monitoring services, administering security for services, providing usage reports on cloud services, and addressing problem reports

Question 4

Which data formats are most commonly used with the REST API?
A. JSON and SAML
B. XML and SAML
C. XML and JSON
D. SAML and HTML

Answer 4

Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer (REST) API, and are typically implemented with caching for increased scalability and performance.

Question 5

Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks?
A. Injection
B. Missing function-level access control
C. Cross-site request forgery
D. Cross-site scripting

Answer 5

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
It is imperative that an application perform checks when each function or portion of the application is accessed, to ensure that the user is properly authorized to access it. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted.

Question 6

Which of the following roles involves overseeing billing, purchasing, and requesting audit reports for an organization within a cloud environment?
A. Cloud service user
B. Cloud service business manager
C. Cloud service administrator
D. Cloud service integrator

Answer 6

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The cloud service business manager is responsible for overseeing business and billing administration, purchasing cloud services, and requesting audit reports when necessary

Question 7

Which of the following cloud aspects complicates eDiscovery?
A. Resource pooling
B. On-demand self-service
C. Multitenancy
D. Measured service

Answer 7

Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
With multitenancy, eDiscovery becomes more complicated because the data collection involves extra steps to ensure that only those customers or systems that are within scope are turned over to the requesting authority.

Question 8

What does the management plane typically utilize to perform administrative functions on the hypervisors that it has access to?
A. Scripts
B. RDP
C. APIs
D. XML

Answer 8

Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The functions of the management plane are typically exposed as a series of remote calls and function executions and as a set of APIs. These APIs are typically leveraged through either a client or a web portal, with the latter being the most common.

Question 9

What is a serious complication an organization faces from the perspective of compliance with international operations?
A. Different certifications
B. Multiple jurisdictions
C. Different capabilities
D. Different operational procedures

Answer 9

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
When operating within a global framework, a security professional runs into a multitude of jurisdictions and requirements, and many times they might be in contention with one other or not clearly applicable. These requirements can include the location of the users and the type of data they enter into systems, the laws governing the organization that owns the application and any regulatory requirements they may have, as well as the appropriate laws and regulations for the jurisdiction housing the IT resources and where the data is actually stored, which might be multiple jurisdictions as well.

Question 10

Which of the following standards primarily pertains to cabling designs and setups in a data center?
A. IDCA
B. BICSI
C. NFPA
D. Uptime Institute

Answer 10

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The standards put out by Building Industry Consulting Service International (BICSI) primarily cover complex cabling designs and setups for data centers, but also include specifications on power, energy efficiency, and hot/cold aisle setups.

Question 11

Which of the following is NOT a criterion for data within the scope of eDiscovery?
A. Possession
B. Custody
C. Control
D. Archive

Answer 11

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: eDiscovery pertains to information and data that is in the possession, control, and custody of an organization.

Question 12

Which United States law is focused on accounting and financial practices of organizations?
A. Safe Harbor
B. GLBA
C. SOX
D. HIPAA

Answer 12

Correct Answer: C
Section: (none) Explanation
Explanation/Reference: Explanation:
The Sarbanes-Oxley (SOX) Act is not an act that pertains to privacy or IT security directly, but rather regulates accounting and financial practices used by organizations. It was passed to protect stakeholders and shareholders from improper practices and errors, and it sets forth rules for compliance, regulated and enforced by the Securities and Exchange Commission (SEC). The main influence on IT systems and operations is the requirements it sets for data retention, specifically in regard to what types of records must be preserved and for how long.

Question 13

Which of the following storage types is most closely associated with a database-type storage implementation?
A. Object
B. Unstructured
C. Volume
D. Structured

Answer 13

Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Structured storage involves organized and categorized data, which most closely resembles and operates like a database system would.

Question 14

Which of the following roles is responsible for overseeing customer relationships and the processing of financial transactions?
A. Cloud service manager
B. Cloud service deployment
C. Cloud service business manager
D. Cloud service operations manager

Answer 14

Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The cloud service business manager is responsible for overseeing business plans and customer relationships as well as processing financial transactions.

Question 15

What is the biggest benefit to leasing space in a data center versus building or maintain your own?
A. Certification
B. Costs
C. Regulation
D. Control

Answer 15

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
When leasing space in a data center, an organization can avoid the enormous startup and building costs associated with a data center, and can instead leverage economies of scale by grouping with other organizations and sharing costs.

Question 16

Which aspect of cloud computing will be most negatively impacted by vendor lock-in?
A. Elasticity
B. Reversibility
C. Interoperability
D. Portability

Answer 16

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A cloud customer utilizing proprietary APIs or services from one cloud provider that are unlikely to be available from another cloud provider will most negatively impact portability.

Question 17

Which of the following APIs are most commonly used within a cloud environment?
A. REST and SAML
B. SOAP and REST
C. REST and XML
D. XML and SAML

Answer 17

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) are the most commonly used APIs within a cloud environment. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data.

Question 18

Which of the following roles is responsible for obtaining new customers and securing contracts and agreements?
A. Inter-cloud provider
B. Cloud service broker
C. Cloud auditor
D. Cloud service developer

Answer 18

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The cloud service broker is responsible for obtaining new customers, analyzing the marketplace, and securing contracts and agreements.

Question 19

Which term relates to the application of scientific methods and practices to evidence?
A. Forensics
B. Methodical
C. Theoretical
D. Measured

Answer 19

Correct Answer: A
Section: (none) Explanation
Explanation/Reference: Explanation:
Forensics is the application of scientific and methodical processes to identify, collect, preserve, analyze, and summarize/report digital information and evidence.

Question 20

What is the primary reason that makes resolving jurisdictional conflicts complicated?
A. Different technology standards
B. Costs
C. Language barriers
D. Lack of international authority

Answer 20

Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
With international operations, systems ultimately cross many jurisdictional boundaries, and many times, they conflict with each other. The major hurdle to overcome for an organization is the lack of an ultimate international authority to mediate such conflicts, with a likely result of legal efforts in each jurisdiction.

Question 21

GAAPs are created and maintained by which organization?
A. ISO/IEC
B. AICPA
C. PCI Council
D. ISO

Answer 21

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The AICPA is the organization responsible for generating and maintaining what are the Generally Accepted Accounting Practices in the United States.

Question 22

Which of the following roles is responsible for preparing systems for the cloud, administering and monitoring services, and managing inventory and assets?
A. Cloud service business manager
B. Cloud service deployment manager
C. Cloud service operations manager
D. Cloud service manager

Answer 22

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The cloud service operations manager is responsible for preparing systems for the cloud, administering and monitoring services, providing audit data as requested or required, and managing inventory and assets.

Question 23

Which protocol allows a system to use block-level storage as if it was a SAN, but over TCP network traffic instead?
A. SATA
B. iSCSI
C. TLS
D. SCSI

Answer 23

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
iSCSI is a protocol that allows for the transmission and use of SCSI commands and features over a TCP-based network. iSCSI allows systems to use block-level storage that looks and behaves as a SAN would with physical servers, but to leverage the TCP network within a virtualized environment and cloud.

Question 24

Which of the cloud deployment models is used by popular services such as iCloud, Dropbox, and OneDrive?
A. Hybrid
B. Public
C. Private
D. Community

Answer 24

Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
Popular services such as iCloud, Dropbox, and OneDrive are all publicly available and are open to any user for free, with possible add-on services offered for a cost.

Question 25

Which is the appropriate phase of the cloud data lifecycle for determining the data's classification? A. Create B. Use C. Share D. Store

Answer 25

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Any time data is created, modified, or imported, the classification needs to be evaluated and set from the earliest phase to ensure security is always properly maintained for the duration of its lifecycle.

Question 26

Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority? A. European Union B. Germany C. Russia D. United States

Answer 26

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: The United States lacks a single comprehensive law at the federal level addressing data security and privacy, but there are multiple federal laws that deal with different industries.

Question 27

Which of the following threat types can occur when encryption is not properly applied or insecure transport mechanisms are used? A. Security misconfiguration B. Insecure direct object references C. Sensitive data exposure D. Unvalidated redirects and forwards

Answer 27

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Sensitive data exposure occurs when information is not properly secured through encryption and secure transport mechanisms; it can quickly become an easy and broad method for attackers to compromise information. Web applications must enforce strong encryption and security controls on the application side, but secure methods of communications with browsers or other clients used to access the information are also required. Security misconfiguration occurs when applications and systems are not properly configured for security, often a result of misapplied or inadequate baselines. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, thus allowing spoofing for malware or phishing attacks.

Question 28

Which type of cloud model typically presents the most challenges to a cloud customer during the "destroy" phase of the cloud data lifecycle? A. IaaS B. DaaS C. SaaS D. PaaS

Answer 28

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: With many SaaS implementations, data is not isolated to a particular customer but rather is part of the overall application. When it comes to data destruction, a particular challenge is ensuring that all of a customer's data is completely destroyed while not impacting the data of other customers.

Question 29

hich of the following may unilaterally deem a cloud hosting model inappropriate for a system or application? A. Multitenancy B. Certification C. Regulation D. Virtualization

Answer 29

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Some regulations may require specific security controls or certifications be used for hosting certain types of data or functions, and in some circumstances they may be requirements that are unable to be met by any cloud provider.

Question 30

Which of the following is considered an internal redundancy for a data center? A. Power distribution units B. Network circuits C. Power substations D. Generators

Answer 30

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Power distribution units are internal to a data center and supply power to internal components such as racks, appliances, and cooling systems. As such, they are considered an internal redundancy.

Question 31

Which of the following represents a control on the maximum amount of resources that a single customer, virtual machine, or application can consume within a cloud environment? A. Share B. Reservation C. Provision D. Limit

Answer 31

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Limits are put in place to enforce a maximum on the amount of memory or processing a cloud customer can use. This can be done either on a virtual machine or as a comprehensive whole for a customer, and is meant to ensure that enormous cloud resources cannot be allocated or consumed by a single host or customer to the detriment of other hosts and customers.

Question 32

Which of the following roles is responsible for peering with other cloud services and providers? A. Cloud auditor B. Inter-cloud provider C. Cloud service broker D. Cloud service developer

Answer 32

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: The inter-cloud provider is responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services.

Question 33

Which of the following does NOT relate to the hiding of sensitive data from data sets? A. Obfuscation B. Federation C. Masking D. Anonymization

Answer 33

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Federation pertains to authenticating systems between different organizations.

Question 34

Which of the following are the storage types associated with IaaS? A. Volume and object B. Volume and label C. Volume and container D. Object and target

Answer 34

Correct Answer: A Section: (none) Explanation Explanation/Reference:

Question 35

Which of the following represents a prioritization of applications or cloud customers for the allocation of additional requested resources when there is a limitation on available resources? A. Provision B. Limit C. Reservation D. Share

Answer 35

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: The concept of shares within a cloud environment is used to mitigate and control the request for resource allocations from customers that the environment may not have the current capability to allow. Shares work by prioritizing hosts within a cloud environment through a weighting system that is defined by the cloud provider. When periods of high utilization and allocation are reached, the system automatically uses scoring of each host based on its share value to determine which hosts get access to the limited resources still available. The higher the value a particular host has, the more resources it will be allowed to utilize.

Question 36

Which of the following statements accurately describes VLANs? A. They are not restricted to the same data center or the same racks. B. They are not restricted to the name rack but restricted to the same data center. C. They are restricted to the same racks and data centers. D. They are not restricted to the same rack but restricted to same switches.

Answer 36

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: A virtual area network (VLAN) can span any networks within a data center, or it can span across different physical locations and data centers.

Question 37

What must be secured on physical hardware to prevent unauthorized access to systems? A. BIOS B. SSH C. RDP D. ALOM

Answer 37

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: BIOS is the firmware that governs the physical initiation and boot up of a piece of hardware. If it is compromised, an attacker could have access to hosted systems and make configurations changes to expose or disable some security elements on the system.

Question 38

What type of PII is regulated based on the type of application or per the conditions of the specific hosting agreement? A. Specific B. Contractual C. regulated D. Jurisdictional

Answer 38

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Contractual PII has specific requirements for the handling of sensitive and personal information, as defined at a contractual level. These specific requirements will typically document the required handling procedures and policies to deal with PII. They may be in specific security controls and configurations, required policies or procedures, or limitations on who may gain authorized access to data and systems.

Question 39

Which concept BEST describes the capability for a cloud environment to automatically scale a system or application, based on its current resource demands? A. On-demand self-service B. Resource pooling C. Measured service D. Rapid elasticity

Answer 39

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Rapid elasticity allows a cloud environment to automatically add or remove resources to or from a system or application based on its current demands. Whereas a traditional data center model would require standby hardware and substantial effort to add resources in response to load increases, a cloud environment can easily and rapidly expand to meet resources demands, so long as the application is properly implemented for it.

Question 40

If you're using iSCSI in a cloud environment, what must come from an external protocol or application? A. Kerberos support B. CHAP support C. Authentication D. Encryption

Answer 40

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: iSCSI does not natively support encryption, so another technology such as IPsec must be used to encrypt communications.

Question 41

Which of the following pertains to a macro level approach to data center design rather than the traditional tiered approach to data centers? A. IDCA B. NFPA C. BICSI D. Uptime Institute

Answer 41

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: The standards put out by the International Data Center Authority (IDCA) have established the Infinity Paradigm, which is intended to be a comprehensive data center design and operations framework. The Infinity Paradigm shifts away from many models that rely on tiered architecture for data centers, where each successive tier increases redundancy. Instead, it emphasizes data centers being approached at a macro level, without a specific and isolated focus on certain aspects to achieve tier status.

Question 42

Why does a Type 1 hypervisor typically offer tighter security controls than a Type 2 hypervisor? A. A Type 1 hypervisor also controls patching of its hosted virtual machines ensure they are always secure. B. A Type 1 hypervisor is tied directly to the bare metal and only runs with code necessary to perform its specific mission. C. A Type 1 hypervisor performs hardware-level encryption for tighter security and efficiency. D. A Type 1 hypervisor only hosts virtual machines with the same operating systems as the hypervisor.

Answer 42

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Type 1 hypervisors run directly on top of the bare metal and only contain the code and functions required to perform their purpose. They do not rely on any other systems or contain extra features to secure.

Question 43

What is the data encapsulation used with the SOAP protocol referred to? A. Packet B. Envelope C. Payload D. Object

Answer 43

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope and then leverages common communications protocols for transmission.

Question 44

What is the biggest negative to leasing space in a data center versus building or maintain your own? A. Costs B. Control C. Certification D. Regulation

Answer 44

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: When leasing space in a data center, an organization will give up a large degree of control as to how it is built and maintained, and instead must conform to the policies and procedures of the owners and operators of the data center.

Question 45

Which aspect of archiving must be tested regularly for the duration of retention requirements? A. Availability B. Recoverability C. Auditability D. Portability

Answer 45

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: In order for any archiving system to be deemed useful and compliant, regular tests must be performed to ensure the data can still be recovered and accessible, should it ever be needed, for the duration of the retention requirements.

Question 46

Which of the following represents a minimum guaranteed resource within a cloud environment for the cloud customer? A. Reservation B. Share C. Limit D. Provision

Answer 46

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: A reservation is a minimum resource that is guaranteed to a customer within a cloud environment. Within a cloud, a reservation can pertain to the two main aspects of computing: memory and processor. With a reservation in place, the cloud provider guarantees that a cloud customer will always have at minimum the necessary resources available to power on and operate any of their services.

Question 47

Which of the following is the biggest concern or challenge with using encryption? A. Dependence on keys B. Cipher strength C. Efficiency D. Protocol standards

Answer 47

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: No matter what kind of application, system, or hosting model used, encryption is 100 percent dependent on encryption keys. Properly securing the keys and the exchange of them is the biggest and most important challenge of encryption systems.

Question 48

Which technology is NOT commonly used for security with data in transit? A. DNSSEC B. IPsec C. VPN D. HTTPS

Answer 48

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: DNSSEC relates to the integrity of DNS resolutions and the prevention of spoofing or redirection, and does not pertain to the actual security of transmissions or the protection of data.

Question 49

Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes? A. Cloud service business manager B. Cloud service operations manager C. Cloud service manager D. Cloud service deployment manager

Answer 49

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: The cloud service deployment manager is responsible for gathering metrics on cloud services, managing cloud deployments and the deployment process, and defining the environments and processes.

Question 50

What is the first stage of the cloud data lifecycle where security controls can be implemented? A. Use B. Store C. Share D. Create

Answer 50

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: The "store" phase of the cloud data lifecycle, which typically occurs simultaneously with the "create" phase, or immediately thereafter, is the first phase where security controls can be implemented. In most case, the manner in which the data is stored will be based on its classification.

Question 51

QUESTION 51 What controls the formatting and security settings of a volume storage system within a cloud environment? A. Management plane B. SAN host controller C. Hypervisor D. Operating system of the host

Answer 51

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Once a storage LUN is allocated to a virtual machine, the operating system of that virtual machine will format, manage, and control the file system and security of the data on that LUN.

Question 52

QUESTION 52 From a legal perspective, what is the most important first step after an eDiscovery order has been received by the cloud provider? A. Notification B. Key identification C. Data collection D. Virtual image snapshots

Answer 52

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: The contract should include requirements for notification by the cloud provider to the cloud customer upon the receipt of such an order. This serves a few important purposes. First, it keeps communication and trust open between the cloud provider and cloud customers. Second, and more importantly, it allows the cloud customer to potentially challenge the order if they feel they have the grounds or desire to do so.

Question 53

QUESTION 53 Which of the following would make it more likely that a cloud provider would be unwilling to satisfy specific certification requirements? A. Resource pooling B. Virtualization C. Multitenancy D. Regulation

Answer 53

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: With cloud providers hosting a number of different customers, it would be impractical for them to pursue additional certifications based on the needs of a specific customer. Cloud environments are built to a common denominator to serve the greatest number of customers, and especially within a public cloud model, it is not possible or practical for a cloud provider to alter their services for specific customer demands.

Question 54

QUESTION 54 Which of the following pertains to fire safety standards within a data center, specifically with their enormous electrical consumption? A. NFPA B. BICSI C. IDCA D. Uptime Institute

Answer 54

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: The standards put out by the National Fire Protection Association (NFPA) cover general fire protection best practices for any type of facility, but also specific publications pertaining to IT equipment and data centers.

Question 55

QUESTION 55 Which technique involves replacing values within a specific data field to protect sensitive data? A. Anonymization B. Masking C. Tokenization D. Obfuscation

Answer 55

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Masking involves replacing specific data within a data set with new values. For example, with credit card fields, as most who have ever purchased anything online can attest, nearly the entire credit card number is masked with a character such as an asterisk, with the last four digits left visible for identification and confirmation.

Question 56

QUESTION 56 What expectation of data custodians is made much more challenging by a cloud implementation, especially with PaaS or SaaS? A. Data classification B. Knowledge of systems C. Access to data D. Encryption requirements

Answer 56

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Under the Federal Rules of Civil Procedure, data custodians are assumed and expected to have full and comprehensive knowledge of the internal design and architecture of their systems. In a cloud environment, especially with PaaS and SaaS, it is impossible for the data custodian to have this knowledge because those systems are controlled by the cloud provider and protected as proprietary knowledge.

Question 57

QUESTION 57 What type of PII is controlled based on laws and carries legal penalties for noncompliance with requirements? A. Contractual B. Regulated C. Specific D. Jurisdictional

Answer 57

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Regulated PII involves those requirements put forth by specific laws or regulations, and unlike contractual PII, where a violation can lead to contractual penalties, a violation of regulated PII can lead to fines or even criminal charges in some jurisdictions. PII regulations can depend on either the jurisdiction that applies to the hosting location or application or specific legislation based on the industry or type of data used.

Question 58

QUESTION 58 Which if the following is NOT one of the three components of a federated identity system transaction? A. Relying party B. Identity provider C. User D. Proxy relay

Answer 58

Correct Answer: D

Question 59

Which value refers to the amount of time it takes to recover operations in a BCDR situation to meet management's objectives? A. RSL B. RPO C. SRE D. RTO

Answer 59

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: The recovery time objective (RTO) is a measure of the amount of time it would take to recover operations in the event of a disaster to the point where management's objectives are met for BCDR.

Question 60

QUESTION 60 Which of the cloud deployment models requires the cloud customer to be part of a specific group or organization in order to host cloud services within it? A. Community B. Hybrid C. Private D. Public

Answer 60

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: A community cloud model is where customers that share a certain common bond or group membership come together to offer cloud services to their members, focused on common goals and interests.

Question 61

QUESTION 61 What provides the information to an application to make decisions about the authorization level appropriate when granting access? A. User B. Relying party C. Federation D. Identity Provider

Answer 61

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Upon successful user authentication, the identity provider gives information about the user to the relying party that it needs to make authorization decisions for granting access as well as the level of access needed.

Question 62

QUESTION 62 What is a standard configuration and policy set that is applied to systems and virtual machines called? A. Standardization B. Baseline C. Hardening D. Redline

Answer 62

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: The most common and efficient manner of securing operating systems is through the use of baselines. A baseline is a standardized and understood set of base configurations and settings. When a new system is built or a new virtual machine is established, baselines will be applied to a new image to ensure the base configuration meets organizational policy and regulatory requirements.

Question 63

QUESTION 63 Which entity requires all collection and storing of data on their citizens to be done on hardware that resides within their borders? A. Russia B. France C. Germany D. United States

Answer 63

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Signed into law and effective starting on September 1, 2015, Russian Law 526-FZ establishes that any collecting, storing, or processing of personal information or data on Russian citizens must be done from systems and databases that are physically located with the Russian Federation.

Question 64

QUESTION 64 Which of the cloud cross-cutting aspects relates to the ability to easily move services and applications between different cloud providers? A. Reversibility B. Availability C. Portability D. Interoperability

Answer 64

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Portability is the ease with which a service or application can be moved between different cloud providers. Maintaining portability gives an organization great flexibility between cloud providers and the ability to shop for better deals or offerings.

Question 65

QUESTION 65 Which type of audit report is considered a "restricted use" report for its intended audience? A. SAS-70 B. SSAE-16 C. SOC Type 1 D. SOC Type 2

Answer 65

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: SOC Type 1 reports are considered "restricted use" reports. They are intended for management and stakeholders of an organization, clients of the service organization, and auditors of the organization. They are not intended for release beyond those audiences.

Question 66

QUESTION 66 Which of the following is the MOST important requirement and guidance for testing during an audit? A. Stakeholders B. Shareholders C. Management D. Regulations

Answer 66

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: During any audit, regulations are the most important factor and guidelines for what must be tested. Although the requirements from management, stakeholders, and shareholders are also important, regulations are not negotiable and pose the biggest risk to any organization for compliance failure.

Question 67

QUESTION 67 Which value refers to the amount of data an organization would need to recover in the event of a BCDR situation in order to reach an acceptable level of operations? A. SRE B. RTO C. RPO D. RSL

Answer 67

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: The recovery point objective (RPO) is defined as the amount of data a company would need to maintain and recover in order to function at a level acceptable to management. This may or may not be a restoration to full operating capacity, depending on what management deems as crucial and essential.

Question 68

QUESTION 68 What must SOAP rely on for security? A. Encryption B. Tokenization C. TLS D. SSL

Answer 68

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Simple Object Access Protocol (SOAP) uses Extensible Markup Language (XML) for passing data, and it must rely on the encryption of those data packages for security.

Question 69

QUESTION 69 What type of data does data rights management (DRM) protect? A. Consumer B. PII C. Financial D. Healthcare

Answer 69

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: DRM applies to the protection of consumer media, such as music, publications, video, movies, and soon.

Question 70

QUESTION 70 Which type of testing uses the same strategies and toolsets that hackers would use? A. Penetration B. Dynamic C. Static D. Malicious

Answer 70

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discovery potential vulnerabilities.

Question 71

QUESTION 71 Which of the following is NOT a focus or consideration of an internal audit? A. Certification B. Design C. Costs D. Operational efficiency

Answer 71

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: In order to obtain and comply with certifications, independent external audits must be performed and satisfied. Although some testing of certification controls can be part of an internal audit, they will not satisfy requirements.

Question 72

QUESTION 72 What process is used within a clustered system to provide high availability and load balancing? A. Dynamic balancing B. Dynamic clustering C. Dynamic optimization D. Dynamic resource scheduling

Answer 72

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Dynamic resource scheduling (DRS) is used within all clustering systems as the method for clusters to provide high availability, scaling, management, and workload distribution and balancing of jobs and processes. From a physical infrastructure perspective, DRS is used to balance compute loads between physical hosts in a cloud to maintain the desired thresholds and limits on the physical hosts.

Question 73

QUESTION 73 What changes are necessary to application code in order to implement DNSSEC? A. Adding encryption modules B. Implementing certificate validations C. Additional DNS lookups D. No changes are needed.

Answer 73

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: To implement DNSSEC, no additional changes are needed to applications or their code because the integrity checks are all performed at the system level

Question 74

QUESTION 74 Which type of controls are the SOC Type 1 reports specifically focused on? A. Integrity B. PII C. Financial D. Privacy

Answer 74

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: SOC Type 1 reports are focused specifically on internal controls as they relate to financial reporting.

Question 75

QUESTION 75 Which of the following is NOT a domain of the Cloud Controls Matrix (CCM)? A. Data center security B. Human resources C. Mobile security D. Budgetary and cost controls

Answer 75

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Budgetary and cost controls is not one of the domains outlined in the CCM.

Question 76

QUESTION 76 Which security concept, if implemented correctly, will protect the data on a system, even if a malicious actor gains access to the actual system? A. Sandboxing B. Encryption C. Firewalls D. Access control

Answer 76

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: In any environment, data encryption is incredibly important to prevent unauthorized exposure of data either internally or externally. If a system is compromised by an attack, having the data encrypted on the system will prevent its unauthorized exposure or export, even with the system itself being exposed.

Question 77

QUESTION 77 Which of the following is NOT a factor that is part of a firewall configuration? A. Encryption B. Port C. Protocol D. Source IP

Answer 77

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Firewalls take into account source IP, destination IP, the port the traffic is using, as well as the network protocol (UDP/TCP). Whether or not the traffic is encrypted is not something a firewall is concerned with.

Question 78

QUESTION 78 Which of the cloud deployment models involves spanning multiple cloud environments or a mix of cloud hosting models? A. Community B. Public C. Hybrid D. Private

Answer 78

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: A hybrid cloud model involves the use of more than one type of cloud hosting models, typically the mix of private and public cloud hosting models.

Question 79

QUESTION 79 Which of the following is NOT one of five principles of SOC Type 2 audits? A. Privacy B. Processing integrity C. Financial D. Security

Answer 79

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: The SOC Type 2 audits include five principles: security, privacy, processing integrity, availability, and confidentiality.

Question 80

QUESTION 80 Which aspect of cloud computing makes data classification even more vital than in a traditional data center? A. Interoperability B. Virtualization C. Multitenancy D. Portability

Answer 80

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: With multiple tenants within the same hosting environment, any failure to properly classify data may lead to potential exposure to other customers and applications within the same environment.

Question 81

QUESTION 81 What concept does the "T" represent in the STRIDE threat model? A. TLS B. Testing C. Tampering with data D. Transport

Answer 81

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation Any application that sends data to the user will face the potential that the user could manipulate or alter the data, whether it resides in cookies, GET or POST commands, or headers, or manipulates client-side validations. If the user receives data from the application, it is crucial that the application validate and verify any data that is received back from the user.

Question 82

QUESTION 82 Which of the following would be a reason to undertake a BCDR test? A. Functional change of the application B. Change in staff C. User interface overhaul of the application D. Change in regulations

Answer 82

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Any time a major functional change of an application occurs, a new BCDR test should be done to ensure the overall strategy and process are still applicable and appropriate.

Question 83

QUESTION 83 Which crucial aspect of cloud computing can be most threatened by insecure APIs? A. Automation B. Redundancy C. Resource pooling D. Elasticity

Answer 83

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment.

Question 84

QUESTION 84 Which of the following should NOT be part of the requirement analysis phase of the software development lifecycle? A. Functionality B. Programming languages C. Software platform D. Security requirements

Answer 84

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Security requirements should be incorporated into the software development lifecycle (SDLC) from the earliest requirement gathering stage and should be incorporated prior to the requirement analysis phase.

Question 85

QUESTION 85 Which of the cloud cross-cutting aspects relates to the assigning of jobs, tasks, and roles, as well as to ensuring they are successful and properly performed? A. Service-level agreements B. Governance C. Regulatory requirements D. Auditability

Answer 85

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Governance at its core is the idea of assigning jobs, takes, roles, and responsibilities and ensuring they are satisfactory performed.

Question 86

QUESTION 86 Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance? A. Virtualization B. Multitenancy C. Resource pooling D. Dynamic optimization

Answer 86

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Cloud environments will regularly change virtual machines as patching and versions are changed. Unlike a physical environment, there is little continuity from one period of time to another. It is very unlikely that the same virtual machines would be in use during a repeat audit.

Question 87

QUESTION 87 Which security concept would business continuity and disaster recovery fall under? A. Confidentiality B. Availability C. Fault tolerance D. Integrity

Answer 87

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Disaster recovery and business continuity are vital concerns with availability. If data is destroyed or compromised, having regular backup systems in place as well as being able to perform disaster recovery in the event of a major or widespread problem allows operations to continue with an acceptable loss of time and data to management. This also ensures that sensitive data is protected and persisted in the event of the loss or corruption of data systems or physical storage systems.

Question 88

QUESTION 88 Which of the following is NOT a function performed by the record protocol of TLS? A. Encryption B. Acceleration C. Authentication D. Compression

Answer 88

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: The record protocol of TLS performs the authentication and encryption of data packets, and in some cases compression as well. It does not perform any acceleration functions.

Question 89

QUESTION 89 What concept does the "R" represent with the DREAD model? A. Reproducibility B. Repudiation C. Risk D. Residual

Answer 89

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Reproducibility is the measure of how easy it is to reproduce and successful use an exploit. Scoring within the DREAD model ranges from 0, signifying a nearly impossibly exploit, up to 10, which signifies something that anyone from a simple function call could exploit, such as a URL.

Question 90

QUESTION 90 The SOC Type 2 reports are divided into five principles. Which of the five principles must also be included when auditing any of the other four principles? A. Confidentiality B. Privacy C. Security D. Availability

Answer 90

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Under the SOC guidelines, when any of the four principles other than security are being audited, which includes availability, confidentiality, processing integrity, and privacy, the security principle must also be included with the audit.

Question 91

QUESTION 91 How many additional DNS queries are needed when DNSSEC integrity checks are added? A. Three B. Zero C. One D. Two

Answer 91

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: DNSSEC does not require any additional DNS queries to be performed. The DNSSEC integrity checks and validations are all performed as part of the single DNS lookup resolution.

Question 92

QUESTION 92 Which of the following is a restriction that can be enforced by information rights management (IRM) that is not possible for traditional file system controls? A. Delete B. Modify C. Read D. Print

Answer 92

Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: IRM allows an organization to control who can print a set of information. This is not be possible under traditional file system controls, where if a user can read a file, they are able to print it as well.

Question 93

QUESTION 93 What type of security threat is DNSSEC designed to prevent? A. Account hijacking B. Snooping C. Spoofing D. Injection

Answer 93

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: DNSSEC is designed to prevent the spoofing and redirection of DNS resolutions to rogue sites.

Question 94

QUESTION 94 Which European Union directive pertains to personal data privacy and an individual's control over their personal data? A. 99 /9/EC B. 95 /46/EC C. 2000/1 /EC D. 2013/27001 /EC

Answer 94

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Directive 95/46/EC is titled "On the protection of individuals with regard to the processing of personal data and on the free movement of such data."

Question 95

QUESTION 95 Which data point that auditors always desire is very difficult to provide within a cloud environment? A. Access policy B. Systems architecture C. Baselines D. Privacy statement

Answer 95

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Cloud environments are constantly changing and often span multiple physical locations. A cloud customer is also very unlikely to have knowledge and insight into the underlying systems architecture in a cloud environment. Both of these realities make it very difficult, if not impossible, for an organization to provide a comprehensive systems design document.

Question 96

QUESTION 96 What type of host is exposed to the public Internet for a specific reason and hardened to perform only that function for authorized users? A. Proxy B. Bastion C. Honeypot D. WAF

Answer 96

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: A bastion host is a server that is fully exposed to the public Internet, but is extremely hardened to prevent attacks and is usually dedicated for a specific application or usage; it is not something that will serve multiple purposes. This singular focus allows for much more stringent security hardening and monitoring.

Question 97

QUESTION 97 Which of the cloud cross-cutting aspects relates to the requirements placed on the cloud provider by the cloud customer for minimum performance standards and requirements that must be met? A. Regulatory requirements B. SLAs C. Auditability D. Governance

Answer 97

Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Whereas a contract spells out general terms and costs for services, the SLA is where the real meat of the business relationship and concrete requirements come into play. The SLA spells out in clear terms the minimum requirements for uptime, availability, processes, customer service and support, security controls and requirements, auditing and reporting, and potentially many other areas that define the business relationship and the success of it.

Question 98

QUESTION 98 Which of the following service capabilities gives the cloud customer the most control over resources and configurations? A. Desktop B. Platform C. Infrastructure D. Software

Answer 98

Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: The infrastructure service capability gives the cloud customer substantial control in provisioning and configuring resources, including processing, storage, and network resources.

Question 99

QUESTION 99 At which stage of the BCDR plan creation phase should security be included in discussions? A. Define scope B. Analyze C. Assess risk D. Gather requirements

Answer 99

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Security should be included in discussions from the very first phase when defining the scope. Adding security later is likely to incur additional costs in time and money, or will result in an incomplete or inadequate plan.

Question 100

QUESTION 100 Which approach is typically the most efficient method to use for data discovery? A. Metadata B. Content analysis C. Labels D. ACLs

Answer 100

Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Metadata is data about data. It contains information about the type of data, how it is stored and organized, or information about its creation and use.