Question #101-200 Flashcards
(100 cards)
1
Q
QUESTION 101
Which of the following features is a main benefit of PaaS over IaaS?
A. Location independence
B. High-availability
C. Physical security requirements
D. Auto-scaling
A
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
With PaaS providing a fully configured and managed framework, auto-scaling can be implemented to programmatically adjust resources based on the current demands of the environment.
2
Q
QUESTION 102
Which of the following service capabilities gives the cloud customer the least amount of control over configurations and deployments?
A. Platform
B. Infrastructure
C. Software
D. Desktop
A
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The software service capability gives the cloud customer a fully established application, where only minimal user configuration options are allowed.
3
Q
QUESTION 103
What does the “SOC” acronym refer to with audit reports?
A. Service Origin Confidentiality
B. System Organization Confidentiality
C. Service Organizational Control
D. System Organization Control
A
Correct Answer: C
4
Q
QUESTION 104
What does the REST API use to protect data transmissions?
A. NetBIOS
B. VPN
C. Encapsulation
D. TLS
A
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Representational State Transfer (REST) uses TLS for communication over secured channels. Although REST also supports SSL, at this point SSL has been phased out due to vulnerabilities and has been replaced by TLS.
5
Q
QUESTION 105
With software-defined networking, what aspect of networking is abstracted from the forwarding of traffic?
A. Routing
B. Session
C. Filtering
D. Firewalling
A
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
With software-defined networking (SDN), the filtering of network traffic is separated from the forwarding of network traffic so that it can be independently administered.
6
Q
QUESTION 106
Which of the following does NOT fall under the “IT” aspect of quality of service (QoS)?
A. Applications
B. Key performance indicators (KPIs)
C. Services
D. Security
A
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
KPIs fall under the “business” aspect of QoS, along with monitoring and measuring of events and business processes. Services, security, and applications are all core components and concepts of the “IT” aspect of QoS.
7
Q
QUESTION 107
What does dynamic application security testing (DAST) NOT entail?
A. Scanning
B. Probing
C. Discovery
D. Knowledge of the system
A
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Dynamic application security testing (DAST) is considered “black box” testing and begins with no inside knowledge of the application or its configurations. Everything about the application must be discovered during the testing.
8
Q
QUESTION 108
What type of masking strategy involves replacing data on a system while it passes between the data and application layers?
A. Dynamic
B. Static
C. Replication
D. Duplication
A
Correct Answer: A
Section: (none) Explanation
Explanation/Reference: Explanation:
With dynamic masking, production environments are protected with the masking process being implemented between the application and data layers of the application. This allows for a masking translation to take place live in the system and during normal application processing of data.
9
Q
QUESTION 109
Which aspect of security is DNSSEC designed to ensure?
A. Integrity
B. Authentication
C. Availability
D. Confidentiality
A
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
DNSSEC is a security extension to the regular DNS protocol and services that allows for the validation of the integrity of DNS lookups. It does not address confidentiality or availability at all. It allows for a DNS client to perform DNS lookups and validate both their origin and authority via the cryptographic signature that accompanies the DNS response.
10
Q
QUESTION 110
Other than cost savings realized due to measured service, what is another facet of cloud computing that will typically save substantial costs in time and money for an organization in the event of a disaster?
A. Broad network access
B. Interoperability
C. Resource pooling
D. Portability
A
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
With a typical BCDR solution, an organization would need some number of staff to quickly travel to the location of the BCDR site to configure systems and applications for recovery. With a cloud environment, everything is done over broad network access, with no need (or even possibility) to travel to a remote site at any time.
11
Q
QUESTION 111
Which of the following is NOT part of a retention policy?
A. Format
B. Costs
C. Accessibility
D. Duration
A
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The data retention policy covers the duration, format, technologies, protection, and accessibility of archives, but does not address the specific costs of its implementation and maintenance.
12
Q
QUESTION 112
Which of the cloud deployment models offers the easiest initial setup and access for the cloud customer?
A. Hybrid
B. Community
C. Private
D. Public
A
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Because the public cloud model is available to everyone, in most instances all a customer will need to do to gain access is set up an account and provide a credit card number through the service’s web portal. No additional contract negotiations, agreements, or specific group memberships are typically needed to get started.
13
Q
QUESTION 113
Which of the following is NOT something that an HIDS will monitor?
A. Configurations
B. User logins
C. Critical system files
D. Network traffic
A
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
A host intrusion detection system (HIDS) monitors network traffic as well as critical system files and configurations.
14
Q
QUESTION 114
What concept does the “A” represent in the DREAD model?
A. Affected users
B. Authentication
C. Affinity
D. Authorization
A
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Affected users refers to the percentage of users who would be impacted by a successful exploit. Scoring ranges from 0, which means no users are impacted, to 10, which means all users are impacted.
15
Q
QUESTION 115
What does static application security testing (SAST) offer as a tool to the testers?
A. Production system scanning
B. Injection attempts
C. Source code access
D. Live testing
A
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Static application security testing (SAST) is conducted with knowledge of the system, including source code, and is done against offline systems.
16
Q
QUESTION 116
What process is used within a cloud environment to maintain resource balancing and ensure that resources are available where and when needed?
A. Dynamic clustering
B. Dynamic balancing
C. Dynamic resource scheduling
D. Dynamic optimization
A
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Dynamic optimization is the process through which the cloud environment is constantly maintained to ensure resources are available when and where needed, and that physical nodes do not become overloaded or near capacity, while others are underutilized.
17
Q
QUESTION 117
Which value refers to the percentage of production level restoration needed to meet BCDR objectives?
A. RPO
B. RTO
C. RSL
D. SRE
A
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The recovery service level (RSL) is a percentage measure of the total typical production service level that needs to be restored to meet BCDR objectives in the case of a failure.
18
Q
QUESTION 118
Over time, what is a primary concern for data archiving?
A. Size of archives
B. Format of archives
C. Recoverability
D. Regulatory changes
A
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Over time, maintaining the ability to restore and read archives is a primary concern for data archiving. As technologies change and new systems are brought in, it is imperative for an organization to ensure they are still able to restore and access archives for the duration of the required retention period.
19
Q
QUESTION 119
What is an often overlooked concept that is essential to protecting the confidentiality of data?
A. Strong password
B. Training
C. Security controls
D. Policies
A
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
While the main focus of confidentiality revolves around technological requirements or particular security methods, an important and often overlooked aspect of safeguarding data confidentiality is appropriate and comprehensive training for those with access to it. Training should be focused on the safe handling of sensitive information overall, including best practices for network activities as well as physical security of the devices or workstations used to access the application.
20
Q
QUESTION 120
Which of the cloud deployment models offers the most control and input to the cloud customer as to how the overall cloud environment is implemented and configured?
A. Public
B. Community
C. Hybrid
D. Private
A
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
A private cloud model, and the specific contractual relationships involved, will give a cloud customer the most level of input and control over how the overall cloud environment is designed and implemented. This would be even more so in cases where the private cloud is owned and operated by the same organization that is hosting services within it.
21
Q
QUESTION 121
Your boss has tasked your team with getting your legacy systems and applications connected with new cloud-based services that management has decided are crucial to customer service and offerings.
Which role would you be assuming under this directive?
A. Cloud service administrator
B. Cloud service user
C. Cloud service integrator
D. Cloud service business manager
A
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The cloud service integrator role is responsible for connecting and integrating existing services and applications with cloud-based services.A cloud service administrator is responsible for testing, monitoring, and securing cloud services, as well as providing usage reporting and dealing with service problems. The cloud service user is someone who consumes cloud services. The cloud service business manager is responsible for overseeing the billing, auditing, and purchasing of cloud services.
22
Q
QUESTION 122
One of the main components of system audits is the ability to track changes over time and to match these changes with continued compliance and internal processes.
Which aspect of cloud computing makes this particular component more challenging than in a traditional data center?
A. Portability
B. Virtualization
C. Elasticity
D. Resource pooling
A
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Cloud services make exclusive use of virtualization, and systems change over time, including the addition, subtraction, and reimaging of virtual machines. It is extremely unlikely that the exact same virtual machines and images used in a previous audit would still be in use or even available for a later audit, making the tracking of changes over time extremely difficult, or even impossible. Elasticity refers to the ability to add and remove resources from a system or service to meet current demand, and although it plays a factor in making the tracking of virtual machines very difficult over time, it is not the best answer in this case. Resource pooling pertains to a cloud environment sharing a large amount of resources between different customers and services. Portability refers to the ability to move systems or services easily between different cloud providers.
23
Q
QUESTION 123
In the wake of many scandals with major corporations involving fraud and the deception of investors and regulators, which of the following laws was passed to govern accounting and financial records and disclosures?
A. GLBA
B. Safe Harbor
C. HIPAA
D. SOX
A
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The Sarbanes-Oxley Act (SOX) regulates the financial and accounting practices used by organizations in order to protect shareholders from improper practices and accounting errors.The Health Insurance Portability and Accountability Act (HIPAA) pertains to the protection of patient medical records and privacy. The GrammLeach-Bliley Act (GLBA) focuses on the use of PII within financial institutions. The Safe Harbor program was designed by the US government as a way for American companies to comply with European Union privacy laws.
24
Q
QUESTION 124
Which one of the following threat types to applications and services involves the sending of requests that are invalid and manipulated through a user’s client to execute commands on the application under the user’s own credentials?
A. Injection
B. Missing function-level access control
C. Cross-site scripting
D. Cross-site request forgery
A
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
A cross-site request forgery (CSRF) attack forces a client that a user has used to authenticate to an application to send forged requests under the user’s own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although this type of attack cannot be used to steal data directly because the attacker has no way of seeing the results of the commands, it does open other ways to compromise an application. Missing functionlevel access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site scripting occurs when an attacker is able to send untrusted data to a user’s browser without going through validation processes. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.
25
QUESTION 125
Which cloud service category would be most ideal for a cloud customer that is developing software to test its applications among multiple hosting providers to determine the best option for its needs?
A. DaaS
B. PaaS
C. IaaS
D. SaaS
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Platform as a Service would allow software developers to quickly and easily deploy their applications among different hosting providers for testing and validation in order to determine the best option. Although IaaS would also be appropriate for hosting applications, it would require too much configuration of application servers and libraries in order to test code. Conversely, PaaS would provide a ready-to-use environment from the onset. DaaS would not be appropriate in any way for software developers to use to deploy applications. IaaS would not be appropriate in this scenario because it would require the developers to also deploy and maintain the operating system images or to contract with another firm to do so. SaaS, being a fully functional software platform, would not be appropriate for deploying applications into.
26
QUESTION 126
Where is a DLP solution generally installed when utilized for monitoring data at rest?
A. Network firewall
B. Host system
C. Application server
D. Database server
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
To monitor data at rest appropriately, the DLP solution would be installed on the host system where the data resides. A database server, in some situations, may be an appropriate answer, but the host system is the best answer because a database server is only one example of where data could reside. An application server processes data and typically sits between the data and presentation zones, and as such, does not store data at rest. A network firewall would be more appropriate for data in transit because it is not a place where data would reside.
27
QUESTION 127
Which of the following aspects of security is solely the responsibility of the cloud provider?
A. Regulatory compliance
B. Physical security
C. Operating system auditing
D. Personal security of developers
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Regardless of the particular cloud service used, physical security of hardware and facilities is always the sole responsibility of the cloud provider. The cloud provider may release information about their physical security policies and procedures to ensure any particular requirements of potential customers will meet their regulatory obligations. Personal security of developers and regulatory compliance are always the responsibility of the cloud customer. Responsibility for operating systems, and the auditing of them, will differ based on the cloud service category used.
28
QUESTION 128
Humidity levels for a data center are a prime concern for maintaining electrical and computing resources properly as well as ensuring that conditions are optimal for top performance.
Which of the following is the optimal humidity level, as established by ASHRAE?
A. 20 to 40 percent relative humidity
B. 50 to 75 percent relative humidity
C. 40 to 60 percent relative humidity
D. 30 to 50 percent relative humidity
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends 40 to 60 percent relatively humidity for data centers. None of these options is the recommendation from ASHRAE.
29
QUESTION 129
Within a SaaS environment, what is the responsibility on the part of the cloud customer in regard to procuring the software used?
A. Maintenance
B. Licensing
C. Development
D. Purchasing
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Within a SaaS implementation, the cloud customer licenses the use of the software from the cloud provider because SaaS delivers a fully functional application to the customer. With SaaS, the cloud provider is responsible for the entire software application and any necessary infrastructure to develop, run, and maintain it. The purchasing, development, and maintenance are fully the responsibility of the cloud provider.
30
QUESTION 130
Implementing baselines on systems would take an enormous amount of time and resources if the staff had to apply them to each server, and over time, it would be almost impossible to keep all the systems in sync on an ongoing basis.
Which of the following is NOT a package that can be used for implementing and maintaining baselines across an enterprise?
A. Puppet
B. SCCM
C. Chef
D. GitHub
Correct Answer: D
Section: (none) Explanation
Explanation/Reference: Explanation:
GitHub is a software development platform that serves as a code repository and versioning system. It is solely used for software development and would not be appropriate for applying baselines to systems. Puppet is an open-source configuration management tool that runs on many platforms and can be used to apply and maintain baselines. The Software Center Configuration Manager (SCCM) was developed by Microsoft for managing systems across large groups of servers. Chef is also a system for maintaining large groups of systems throughout an enterprise.
31
QUESTION 131
From the perspective of compliance, what is the most important consideration when it comes to data center location?
A. Natural disasters
B. Utility access
C. Jurisdiction
D. Personnel access
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Jurisdiction will dictate much of the compliance and audit requirements for a data center. Although all the aspects listed are very important to security, from a strict compliance perspective, jurisdiction is the most important. Personnel access, natural disasters, and utility access are all important operational considerations for selecting a data center location, but they are not related to compliance issues like jurisdiction is.
32
QUESTION 132
The European Union is often considered the world leader in regard to the privacy of personal data and has declared privacy to be a "human right." In what year did the EU first assert this principle?
A. 1995
B. 2000
C. 2010
D. 1999
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The EU passed Directive 95/46 EC in 1995, which established data privacy as a human right. The other years listed are incorrect.
33
QUESTION 133
What type of storage structure does object storage employ to maintain files?
A. Directory
B. Hierarchical
C. tree
D. Flat
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Object storage uses a flat file system to hold storage objects; it assigns files a key value that is then used to access them, rather than relying on directories or descriptive filenames. Typical storage layouts such as tree, directory, and hierarchical structures are used within volume storage, whereas object storage maintains a flat structure with key values.
34
QUESTION 134
Which cloud storage type requires special consideration on the part of the cloud customer to ensure they do not program themselves into a vendor lock-in situation?
A. Unstructured
B. Object
C. Volume
D. Structured
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Structured storage is designed, maintained, and implemented by a cloud service provider as part of a PaaS offering. It is specific to that cloud provider and the way they have opted to implement systems, so special care is required to ensure that applications are not designed in a way that will lock the cloud customer into a specific cloud provider with that dependency. Unstructured storage for auxiliary files would not lock a customer into a specific provider. With volume and object storage, because the cloud customer maintains their own systems with IaaS, moving and replicating to a different cloud provider would be very easy.
35
QUESTION 135
Which cloud deployment model would be ideal for a group of universities looking to work together, where each university can gain benefits according to its specific needs?
A. Private
B. Public
C. Hybrid
D. Community
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
A community cloud is owned and maintained by similar organizations working toward a common goal. In this case, the universities would all have very similar needs and calendar requirements, and they would not be financial competitors of each other. Therefore, this would be an ideal group for working together within a community cloud. A public cloud model would not work in this scenario because it is designed to serve the largest number of customers, would not likely be targeted toward specific requirements for individual customers, and would not be willing to make changes for them. A private cloud could accommodate such needs, but would not meet the criteria for a group working together, and a hybrid cloud spanning multiple cloud providers would not fit the specifics of the question.
36
QUESTION 136
Which of the following threat types involves an application that does not validate authorization for portions of itself beyond when the user first enters it?
A. Cross-site request forgery
B. Missing function-level access control
C. Injection
D. Cross-site scripting
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
It is imperative that applications do checks when each function or portion of the application is accessed to ensure that the user is properly authorized. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials.
37
QUESTION 137
Clustered systems can be used to ensure high availability and load balancing across individual systems through a variety of methodologies.
What process is used within a clustered system to ensure proper load balancing and to maintain the health of the overall system to provide high availability?
A. Distributed clustering
B. Distributed balancing
C. Distributed optimization
D. Distributed resource scheduling
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Distributed resource scheduling (DRS) is used within all clustered systems as the method for providing high availability, scaling, management, workload distribution, and the balancing of jobs and processes. None of the other choices is the correct term in this case.
38
QUESTION 138
Although the REST API supports a wide variety of data formats for communications and exchange, which data formats are the most commonly used?
A. SAML and HTML
B. XML and SAML
C. XML and JSON
D. JSON and SAML
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer
(REST) API and are typically implemented with caching for increased scalability and performance. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. HTML is used for authoring web pages for consumption by web browsers
39
QUESTION 139
The share phase of the cloud data lifecycle involves allowing data to leave the application, to be shared with external systems, services, or even other vendors/ contractors.
What technology would be useful for protecting data at this point?
A. IDS
B. DLP
C. IPS
D. WAF
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Data loss prevention (DLP) solutions allow for control of data outside of the application or original system. They can enforce granular control such as printing, copying, and being read by others, as well as forcing expiration of access. Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions are used for detecting and blocking suspicious and malicious traffic, respectively, whereas a web application firewall (WAF) is used for enforcing security or other controls on web-based applications.
40
QUESTION 140
Jurisdictions have a broad range of privacy requirements pertaining to the handling of personal data and information.
Which jurisdiction requires all storage and processing of data that pertains to its citizens to be done on hardware that is physically located within its borders?
A. Japan
B. United States
C. European Union
D. Russia
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The Russian government requires all data and processing of information about its citizens to be done solely on systems and applications that reside within the physical borders of the country. The United States, European Union, and Japan focus their data privacy laws on requirements and methods for the protection of data, rather than where the data physically resides.
41
QUESTION 141
Although the United States does not have a single, comprehensive privacy and regulatory framework, a number of specific regulations pertain to types of data or populations.
Which of the following is NOT a regulatory system from the United States federal government?
A. HIPAA
B. SOX
C. FISMA
D. PCI DSS
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry-regulatory standard, not a governmental one. The Sarbanes-Oxley Act (SOX) was passed in 2002 and pertains to financial records and reporting, as well as transparency requirements for shareholders and other stakeholders. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and pertains to data privacy and security for medical records. FISMA refers to the Federal Information Security Management Act of 2002 and pertains to the protection of all US federal government IT systems, with the exception of national security systems.
42
QUESTION 142
If you are running an application that has strict legal requirements that the data cannot reside on systems that contain other applications or systems, which aspect of cloud computing would be prohibitive in this case?
A. Multitenancy
B. Broad network access
C. Portability
D. Elasticity
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Multitenancy is the aspect of cloud computing that involves having multiple customers and applications running within the same system and sharing the same resources. Although considerable mechanisms are in place to ensure isolation and separation, the data and applications are ultimately using shared resources. Broad network access refers to the ability to access cloud services from any location or client. Portability refers to the ability to easily move cloud services between different cloud providers, whereas elasticity refers to the capabilities of a cloud environment to add or remove services, as needed, to meet current demand.
43
QUESTION 143
The REST API is a widely used standard for communications of web-based services between clients and the servers hosting them.
Which protocol does the REST API depend on?
A. HTTP
B. SSH
C. SAML
D. XML
Correct Answer: A
Section: (none) Explanation
Explanation/Reference: Explanation:
Representational State Transfer (REST) is a software architectural scheme that applies the components, connectors, and data conduits for many web applications used on the Internet. It uses and relies on the HTTP protocol and supports a variety of data formats. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. Secure Shell client (SSH) is a secure method for allowing remote login to systems over a network.
44
QUESTION 144
Most APIs will support a variety of different data formats or structures.
However, the SOAP API will only support which one of the following data formats?
A. XML
B. XSLT
C. JSON
D. SAML
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The Simple Object Access Protocol (SOAP) protocol only supports the Extensible Markup Language (XML) data format. Although the other options are all data formats or data structures, they are not supported by SOAP.
45
QUESTION 145
Although much of the attention given to data security is focused on keeping data private and only accessible by authorized individuals, of equal importance is the trustworthiness of the data.
Which concept encapsulates this?
A. Validity
B. Integrity
C. Accessibility
D. Confidentiality
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Integrity refers to the trustworthiness of data and whether its format and values are true and have not been corrupted or otherwise altered through unauthorized means. Confidentiality refers to keeping data from being access or viewed by unauthorized parties. Accessibility means that data is available and ready when needed by a user or service. Validity can mean a variety of things that are somewhat similar to integrity, but it's not the most appropriate answer in this case.
46
QUESTION 146
Which of the following roles would be responsible for managing memberships in federations and the use and integration of federated services?
A. Inter-cloud provider
B. Cloud service business manager
C. Cloud service administrator
D. Cloud service integrator
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The inter-cloud provider is responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services. A cloud service administrator is responsible for testing, monitoring, and securing cloud services, as well as providing usage reporting and dealing with service problems. The cloud service integrator is responsible for connecting existing systems and services with a cloud. The cloud service business manager is responsible for overseeing the billing, auditing, and purchasing of cloud services.
47
QUESTION 147
If a cloud computing customer wishes to guarantee that a minimum level of resources will always be available, which of the following set of services would compromise the reservation?
A. Memory and networking
B. CPU and software
C. CPU and storage
D. CPU and memory
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
A reservation guarantees to a cloud customer that they will have access to a minimal level of resources to run their systems, which will help mitigate against DoS attacks or systems that consume high levels of resources. A reservation pertains to memory and CPU resources. Under the concept of a reservation, memory and CPU are the guaranteed resources, but storage and networking are not included even though they are core components of cloud computing. Software would be out of scope for a guarantee and doesn't really pertain to the concept.
48
QUESTION 148
With finite resources available within a cloud, even the largest cloud providers will at times need to determine which customers will receive additional resources first.
What is the term associated with this determination?
A. Weighting
B. Prioritization
C. Shares
D. Scoring
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Shares are used within a cloud environment to prioritize resource allocation when customer requests exceed the available resources. Cloud providers utilize shares by assigning a priority score to each customer and allocating resources to those with the highest scores first. Scoring is a component of shares that determines the actual order in which to allocate resources. Neither weighting nor prioritization is the correct term in this case.
49
QUESTION 149
Which phase of the cloud data lifecycle would be the MOST appropriate for the use of DLP technologies to protect the data?
A. Use
B. Store
C. Share
D. Create
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
During the share phase, data is allowed to leave the application for consumption by other vendors, systems, or services. At this point, as the data is leaving the security controls of the application, the use of DLP technologies is appropriate to control how the data is used or to force expiration. During the use, create, and store phases, traditional security controls are available and are more appropriate because the data is still internal to the application.
50
QUESTION 150
If a key feature of cloud computing that your organization desires is the ability to scale and expand without limit or concern about available resources, which cloud deployment model would you MOST likely be considering?
A. Public
B. Hybrid
C. Private
D. Community
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Public clouds, such as AWS and Azure, are massive systems run by major corporations, and they account for a significant share of Internet traffic and services. They are always expanding, offer enormous resources to customers, and are the least likely to run into resource constraints compared to the other deployment models. Private clouds would likely have the resources available for specific uses and could not be assumed to have a large pool of resources available for expansion. A community cloud would have the same issues as a private cloud, being targeted to similar organizations. A hybrid cloud, because it spans multiple clouds, would not fit the bill either, without the use of individual cloud models.
51
QUESTION 151
If a company needed to guarantee through contract and SLAs that a cloud provider would always have available sufficient resources to start their services and provide a certain level of provisioning, what would the contract need to refer to?
A. Limit
B. Reservation
C. Assurance
D. Guarantee
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
A reservation guarantees to a cloud customer that they will have access to a minimal level of resources to run their systems, which will help mitigate against DoS attacks or systems that consume high levels of resources. A limit refers to the enforcement of a maximum level of resources that can be consumed by or allocated to a cloud customer, service, or system. Both guarantee and assurance are terms that sound similar to reservation, but they are not correct choices.
52
QUESTION 152
Many aspects and features of cloud computing can make eDiscovery compliance more difficult or costly.
Which aspect of cloud computing would be the MOST complicating factor?
A. Measured service
B. Broad network access
C. Multitenancy
D. Portability
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
With multitenancy, multiple customers share the same physical hardware and systems. With the nature of a cloud environment and how it writes data across diverse systems that are shared by others, the process of eDiscovery becomes much more complicated. Administrators cannot pull physical drives or easily isolate which data to capture. They not only have to focus on which data they need to collect, while ensuring they find all of it, but they also have to make sure that other data is not accidently collected and exposed along with it. Measured service is the aspect of a cloud where customers only pay for the services they are actually using, and for the duration of their use. Portability refers to the ease with which an application or service can be moved among different cloud providers. Broad network access refers to the nature of cloud services being accessed via the public Internet, either with or without secure tunneling technologies. None of these concepts would pertain to eDiscovery.
53
QUESTION 153
A crucial decision any company must make is in regard to where it hosts the data systems it depends on. A debate exists as to whether it's best to lease space in a data center or build your own data center--and now with cloud computing, whether to purchase resources within a cloud.
What is the biggest advantage to leasing space in a data center versus procuring cloud services?
A. Regulations
B. Control
C. Security
D. Costs
Correct Answer: B Section: (none) Explanation
Explanation/Reference:
Explanation:
When leasing space in a data center versus utilizing cloud services, a customer has a much greater control over its systems and services, from both the hardware/ software perspective and the operational management perspective. Costs, regulations, and security are all prime considerations regardless of the hosting type selected. Although regulations will be the same in either hosting solution, in most instances, costs and security will be greater factors with leased space.
54
Which of the following systems is used to employ a variety of different techniques to discover and alert on threats and potential threats to systems and networks?
A. IDS
B. IPS
C. Firewall
D. WAF
Correct Answer: A
Section: (none) Explanation
Explanation/Reference: Explanation:
An intrusion detection system (IDS) is implemented to watch network traffic and operations, using predefined criteria or signatures, and alert administrators if anything suspect is found. An intrusion prevention system (IPS) is similar to an IDS but actually takes action against suspect traffic, whereas an IDS just alerts when it finds anything suspect. A firewall works at the network level and only takes into account IP addresses, ports, and protocols; it does not inspect the traffic for patterns or content. A web application firewall (WAF) works at the application layer and provides additional security via proxying, filtering service requests, or blocking based on additional factors such as the client and requests.
55
QUESTION 155
Which of the following is not a risk management framework?
A. COBIT
B. Hex GBL
C. ISO 31000:2009 D. NIST SP 800-37
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Hex GBL is a reference to a computer part in Terry Pratchett’s fictional Discworld universe. The rest are not.
56
QUESTION 156
In order to ensure ongoing compliance with regulatory requirements, which phase of the cloud data lifecycle must be tested regularly?
A. Archive
B. Share
C. Store
D. Destroy
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
In order to ensure compliance with regulations, it is important for an organization to regularly test the restorability of archived data. As technologies change and older systems are deprecated, the risk rises for an organization to lose the ability to restore data from the format in which it is stored. With the destroy, store, and share phases, the currently used technologies will be sufficient for an organization's needs in an ongoing basis, so the risk that is elevated with archived data is not present.
57
QUESTION 157
Which of the following threat types involves leveraging a user's browser to send untrusted data to be executed with legitimate access via the user’s valid credentials?
A. Injection
B. Missing function-level access control
C. Cross-site scripting
D. Cross-site request forgery
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation
Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without going through any validation or sanitization processes, or perhaps the code is not properly escaped from processing by the browser. The code is then executed on the user's browser with their own access and permissions, allowing the attacker to redirect the user's web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials.
58
QUESTION 158
Digital investigations have adopted many of the same methodologies and protocols as other types of criminal or scientific inquiries.
What term pertains to the application of scientific norms and protocols to digital investigations?
A. Scientific
B. Investigative
C. Methodological
D. Forensics
Correct Answer: D
Section: (none) Explanation
Explanation/Reference: Explanation:
Forensics refers to the application of scientific methods and protocols to the investigation of crimes. Although forensics has traditionally been applied to well-known criminal proceedings and investigations, the term equally applies to digital investigations and methods. Although the other answers provide similar-sounding terms and ideas, none is the appropriate answer in this case.
59
QUESTION 159
Within a federated identity system, which entity accepts tokens from the identity provider?
A. Assertion manager
B. Servicing party
C. Proxy party
D. Relying party
Correct Answer: D
Section: (none) Explanation
Explanation/Reference: Explanation:
The relying party is attached to the application or service that a user is trying to access, and it accepts authentication tokens from the user's own identity provider in order to facilitate authentication and access. The other terms provided are all associated with federated systems, but none is the correct choice in this case.
60
QUESTION 160
Different types of audits are intended for different audiences, such as internal, external, regulatory, and so on.
Which of the following audits are considered "restricted use" versus being for a more broad audience?
A. SOC Type 2
B. SOC Type 1
C. SOC Type 3
D. SAS-70
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
SOC Type 1 reports are intended for restricted use, only to be seen by the actual service organization, its current clients, or its auditors. These reports are not intended for wider or public distribution.SAS-70 audit reports have been deprecated and are no longer in use, and both the SOC Type 2 and 3 reports are designed to expand upon the SOC Type 1 reports and are for broader audiences.
61
QUESTION 161
Although host-based and network-based IDSs perform similar functions and have similar capabilities, which of the following is an advantage of a network-based IDS over a host-based IDS, assuming all capabilities are equal?
A. Segregated from host systems
B. Network access
C. Scalability
D. External to system patching
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
A network-based IDS has the advantage of being segregated from host systems, and as such, it would not be open to compromise in the same manner a hostbased system would be. Although a network-based IDS would be external to system patching, this is not the best answer here because it is a minor concern compared to segregation due to possible host compromise. Scalability is also not the best answer because, although a network-based IDS does remove processing from the host system, it is not a primary security concern. Network access is not a consideration because both a host-based IDS and a network-based IDS would have access to network resources.
62
QUESTION 162
DNSSEC was designed to add a layer of security to the DNS protocol.
Which type of attack was the DNSSEC extension designed to mitigate?
A. Account hijacking
B. Snooping
C. Spoofing
D. Data exposure
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
DNSSEC is an extension to the regular DNS protocol that utilizes digital signing of DNS query results, which can be verified to come from an authoritative source. This verification mitigates the ability for a rogue DNS server to be used to spoof query results and to direct users to malicious sites. DNSSEC provides for the verification of the integrity of DNS queries. It does not provide any protection from snooping or data exposure. Although it may help lessen account hijacking by preventing users from being directed to rogue sites, it cannot by itself eliminate the possibility.
63
QUESTION 163
Which aspect of cloud computing pertains to cloud customers only paying for the resources and services they actually use?
A. Metered service
B. Measured billing
C. Metered billing
D. Measured service
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Measured service is the aspect of cloud computing that pertains to cloud services and resources being billed in a metered way, based only on the level of consumption and duration of the cloud customer. Although they sound similar to the correct answer, none of the other choices is the actual cloud terminology.
64
QUESTION 164
Many of the traditional concepts of systems and services for a traditional data center also apply to the cloud. Both are built around key computing concepts.
Which of the following compromise the two facets of computing?
A. CPU and software
B. CPU and storage
C. CPU and memory
D. Memory and networking
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The CPU and memory resources of an environment together comprise its "computing" resources. Cloud environments, especially public clouds, are enormous pools of resources for computing and are typically divided among a large number of customers with constantly changing needs and demands. Although storage and networking are core components of a cloud environment, they do not comprise its computing core. Software, much like within a traditional data center, is highly subjective based on the application, system, service, or cloud computing model used; however, it is not one of the core cloud components.
65
QUESTION 165
Within an IaaS implementation, which of the following would NOT be a metric used to quantify service charges for the cloud customer?
A. Memory
B. Number of users
C. Storage
D. CPU
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Within IaaS, where the cloud customer is responsible for everything beyond the physical network, the number of users on a system would not be a factor in billing or service charges. The core cloud services for IaaS are based on the memory, storage, and CPU requirements of the cloud customer. Because the cloud customer with IaaS is responsible for its own images and deployments, these components comprise the basis of its cloud provisioning and measured services billing.
66
QUESTION 166
Many different common threats exist against web-exposed services and applications. One attack involves attempting to leverage input fields to execute queries in a nested fashion that is unintended by the developers.
What type of attack is this?
A. Injection
B. Missing function-level access control
C. Cross-site scripting
D. Cross-site request forgery
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it can potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.
67
QUESTION 167
For service provisioning and support, what is the ideal amount of interaction between a cloud customer and cloud provider?
A. Half
B. Full
C. Minimal
D. Depends on the contract
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The goal with any cloud-hosting setup is for the cloud customer to be able to perform most or all its functions for service provisioning and configuration without any need for support from or interaction with the cloud provider beyond the automated tools provided. To fulfill the tenants of on-demand self-service, required interaction with the cloud provider--either half time, full time, or a commensurate amount of time based on the contract--would be in opposition to a cloud's intended use. As such, these answers are incorrect.
68
QUESTION 168
What does a cloud customer purchase or obtain from a cloud provider?
A. Services
B. Hosting
C. Servers
D. Customers
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
No matter what form they come in, "services" are obtained or purchased by a cloud customer from a cloud service provider. Services can come in many forms-virtual machines, network configurations, hosting setups, and software access, just to name a few. Hosting and servers--or, with a cloud, more appropriately virtual machines--are just two examples of "services" that a customer would purchase from a cloud provider. "Customers" would never be a service that's purchased.
69
QUESTION 169
You were recently hired as a project manager at a major university to implement cloud services for the academic and administrative systems. Because the load and demand for services at a university are very cyclical in nature, commensurate with the academic calendar, which of the following aspects of cloud computing would NOT be a primary benefit to you?
A. Measured service
B. Broad network access
C. Resource pooling
D. On-demand self-service
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Broad network access to cloud services, although it is an integral aspect of cloud computing, would not being a specific benefit to an organization with cyclical business needs. The other options would allow for lower costs during periods of low usage as well as provide the ability to expand services quickly and easily when needed for peak periods. Measured service allows a cloud customer to only use the resources it needs at the time, and resource pooling allows a cloud customer to access resources as needed. On-demand self-service enables the cloud customer to change its provisioned resources on its own, without the need to interact with the staff from the cloud provider.
70
QUESTION 170
Which cloud deployment model is MOST likely to offer free or very cheap services to users?
A. Hybrid
B. Community
C. Public
D. Private
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Public clouds offer services to anyone, regardless of affiliation, and are the most likely to offer free services to users. Examples of public clouds with free services include iCloud, Dropbox, and OneDrive. Private cloud models are designed for specific customers and for their needs, and would not offer services to the public at large, for free or otherwise. A community cloud is specific
71
cloud model would not fit the specifics of the question.
QUESTION 171
With IaaS, what is responsible for handling the security and control over the volume storage space?
A. Management plane
B. Operating system
C. Application
D. Hypervisor
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Volume storage is allocated via a LUN to a system and then treated the same as any traditional storage. The operating system is responsible for formatting and securing volume storage as well as controlling all access to it. Applications, although they may use volume storage and have permissions to write to it, are not responsible for its formatting and security. Both a hypervisor and the management plane are outside of an individual system and are not responsible for managing the files and storage within that system.
72
QUESTION 172
Which of the following tasks within a SaaS environment would NOT be something the cloud customer would be responsible for?
A. Authentication mechanism
B. Branding
C. Training
D. User access
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The authentication mechanisms and implementations are the responsibility of the cloud provider because they are core components of the application platform and service. Within a SaaS implementation, the cloud customer will provision user access, deploy branding to the application interface (typically), and provide or procure training for its users.
73
QUESTION 173
Within a federated identity system, which of the following would you be MOST likely to use for sending information for consumption by a relying party?
A. XML
B. HTML
C. WS-Federation
D. SAML
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The Security Assertion Markup Language (SAML) is the most widely used method for encoding and sending attributes and other information from an identity provider to a relying party.WS-Federation, which is used by Active Directory Federation Services (ADFS), is the second most used method for sending information to a relying party, but it is not a better choice than SAML. XML is similar to SAML in the way it encodes and labels data, but it does not have all of the required extensions that SAML does. HTML is not used within federated systems at all.
74
QUESTION 174
Which data state would be most likely to use digital signatures as a security protection mechanism?
A. Data in use
B. Data in transit
C. Archived
D. Data at rest
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
During the data-in-use state, the information has already been accessed from storage and transmitted to the service, so reliance on a technology such as digital signatures is imperative to ensure security and complement the security methods used during previous states. Data in transit relies on technologies such as TLS to encrypt network transmission of packets for security. Data at rest primarily uses encryption for stored file objects. Archived data would be the same as data at rest.
75
QUESTION 175
Audits are either done based on the status of a system or application at a specific time or done as a study over a period of time that takes into account changes and processes.
Which of the following pairs matches an audit type that is done over time, along with the minimum span of time necessary for it?
A. SOC Type 2, one year
B. SOC Type 1, one year
C. SOC Type 2, one month
D. SOC Type 2, six months
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
SOC Type 2 audits are done over a period of time, with six months being the minimum duration. SOC Type 1 audits are designed with a scope that's a static point in time, and the other times provided for SOC Type 2 are incorrect.
76
QUESTION 176
With software-defined networking (SDN), which two types of network operations are segregated to allow for granularity and delegation of administrative access and functions?
A. Filtering and forwarding
B. Filtering and firewalling
C. Firewalling and forwarding
D. Forwarding and protocol
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
With SDN, the filtering and forwarding capabilities and administration are separated. This allows the cloud provider to build interfaces and management tools for administrative delegation of filtering configuration, without having to allow direct access to underlying network equipment. Firewalling and protocols are both terms related to networks, but they are not components SDN is concerned with.
77
QUESTION 177
Which aspect of SaaS will alleviate much of the time and energy organizations spend on compliance (specifically baselines)?
A. Maintenance
B. Licensing
C. Standardization
D. Development
Correct Answer: C
Section: (none) Explanation Explanation/Reference:
Explanation:
With the entire software platform being controlled by the cloud provider, the standardization of configurations and versioning is done automatically for the cloud customer. This alleviates the customer's need to track upgrades and releases for its own systems and development; instead, the onus is on the cloud provider. Although licensing is the responsibility of the cloud customer within SaaS, it does not have an impact on compliance requirements. Within SaaS, development and maintenance of the system are solely the responsibility of the cloud provider.
78
QUESTION 178
Where is an XML firewall most commonly and effectively deployed in the environment?
A. Between the application and data layers
B. Between the presentation and application layers
C. Between the IPS and firewall
D. Between the firewall and application server
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
An XML firewall is most commonly deployed in line between the firewall and application server to validate XML code before it reaches the application. An XML firewall is intended to validate XML before it reaches the application. Placing the XML firewall between the presentation and application layers, between the firewall and IPS, or between the application and data layers would not serve the intended purpose.
79
QUESTION 179
Modern web service systems are designed for high availability and resiliency. Which concept pertains to the ability to detect problems within a system, environment, or application and programmatically invoke redundant systems or processes for mitigation?
A. Elasticity
B. Redundancy
C. Fault tolerance
D. Automation
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Fault tolerance allows a system to continue functioning, even with degraded performance, if portions of it fail or degrade, without the entire system or service being taken down. It can detect problems within a service and invoke compensating systems or functions to keep functionality going. Although redundancy is similar to fault tolerance, it is more focused on having additional copies of systems available, either active or passive, that can take up services if one system goes down. Elasticity pertains to the ability of a system to resize to meet demands, but it is not focused on system failures. Automation, and its role in maintaining large systems with minimal intervention, is not directly related to fault tolerance.
80
QUESTION 180
On large distributed systems with pooled resources, cloud computing relies on extensive orchestration to maintain the environment and the constant provisioning of resources.
Which of the following is crucial to the orchestration and automation of networking resources within a cloud?
A. DNSSEC
B. DNS
C. DCOM
D. DHCP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Dynamic Host Configuration Protocol (DHCP) automatically configures network settings for a host so that these settings do not need to be configured on the host statically. Given the rapid and programmatic provisioning of resources within a cloud environment, this capability is crucial to cloud operations. Both DNS and its security-integrity extension DNSSEC provide name resolution to IP addresses, but neither is used for the configuration of network settings on a host. DCOM refers to the Distributed Compone
81
QUESTION 181
BCDR strategies do not typically involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the amount of services that need to be recovered to meet BCDR objectives?
A. RSL
B. RTO
C. RPO
D. SRE
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the determined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. SRE is provided as an erroneous response.
82
QUESTION 182
During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis.
A. Contractual requirements
B. Regulations
C. Vendor recommendations
D. Corporate policy
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Vendor recommendations would not be pertinent to the gap analysis after an audit. Although vendor recommendations will typically play a role in the development of corporate policies or contractual requirements, they are not required. Regulations, corporate policy, and contractual requirements all determine the expected or mandated controls in place on a system.
83
QUESTION 183
The GAPP framework was developed through a joint effort between the major Canadian and American professional accounting associations in order to assist their members with managing and preventing risks to the privacy of their data and customers.
Which of the following is the meaning of GAPP?
A. General accounting personal privacy
B. Generally accepted privacy practices
C. Generally accepted privacy principles
D. General accounting privacy policies
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
84
QUESTION 184
Which protocol operates at the network layer and provides for full point-to-point encryption of all communications and transmissions?
A. IPSec
B. VPN
C. SSL
D. TLS
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
IPSec is a protocol for encrypting and authenticating packets during transmission between two parties and can involve any type of device, application, or service. The protocol performs both the authentication and negotiation of security policies between the two parties at the start of the connection and then maintains these policies throughout the lifetime of the connection. TLS operates at the application layer, not the network layer, and is widely used to secure communications between two parties. SSL is similar to TLS but has been deprecated. Although a VPN allows a secure channel for communications into a private network from an outside location, it's not a protocol.
85
QUESTION 185
When data discovery is undertaken, three main approaches or strategies are commonly used to determine what the type of data, its format, and composition are for the purposes of classification.
Which of the following is NOT one of the three main approaches to data discovery?
A. Content analysis
B. Hashing
C. Labels
D. Metadata
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Hashing involves taking a block of data and, through the use of a one-way operation, producing a fixed-size value that can be used for comparison with other data. It is used primarily for protecting data and allowing for rapid comparison when matching data values such as passwords. Labels involve looking for header information or other categorizations of data to determine its type and possible classifications. Metadata involves looking at information attributes of the data, such as creator, application, type, and so on, in determining classification. Content analysis involves examining the actual data itself for its composition and classification level.
86
QUESTION 186
There are many situations when testing a BCDR plan is appropriate or mandated.
Which of the following would not be a necessary time to test a BCDR plan?
A. After software updates
B. After regulatory changes
C. After major configuration changes
D. Annually
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Regulatory changes by themselves would not trigger a need for new testing of a BCDR plan. Any changes necessary for regulatory compliance would be accomplished through configuration changes or software updates, which in turn would then trigger the necessary new testing. Annual testing is crucial to any BCDR plan. Also, any time major configuration changes or software updates are done, the plan should be evaluated and tested to ensure it is still valid and complete.
87
QUESTION 187
Key maintenance and security are paramount within a cloud environment due to the widespread use of encryption for both data and transmissions.
Which of the following key-management systems would provide the most robust control over and ownership of the key-management processes for the cloud customer?
A. Remote key management service
B. Local key management service
C. Client key management service
D. Internal key management service
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
A remote key management system resides away from the cloud environment and is owned and controlled by the cloud customer. With the use of a remote service, the cloud customer can avoid being locked into a proprietary system from the cloud provider, but also must ensure that service is compatible with the services offered by the cloud provider. A local key management system resides on the actual servers using the keys, which does not provide optimal security or control over them. Both the terms internal key management service and client key management service are provided as distractors.
88
QUESTION 188
Security is a critical yet often overlooked consideration for BCDR planning.
At which stage of the planning process should security be involved?
A. Scope definition
B. Requirements gathering
C. Analysis
D. Risk assessment
Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Defining the scope of the plan is the very first step in the overall process. Security should be included from the very earliest stages and throughout the entire process. Bringing in security at a later stage can lead to additional costs and time delays to compensate for gaps in planning. Risk assessment, requirements gathering, and analysis are all later steps in the process, and adding in security at any of those points can potentially cause increased costs and time delays.
89
QUESTION 189
Which type of testing uses the same strategies and toolsets that hackers would use?
A. Static
B. Malicious
C. Penetration
D. Dynamic
C
Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discovery potential vulnerabilities. Although the term malicious captures much of the intent of penetration testing from the perspective of an attacker, it is not the best answer. Static and dynamic are two types of system testing--where static is done offline and with knowledge of the system, and dynamic is done on a live system without any previous knowledge is associated-but neither describes the type of testing being asked for in the question.
90
QUESTION 190
Which ITIL component is focused on anticipating predictable problems and ensuring that configurations and operations are in place to prevent these problems from ever occurring?
A. Availability management
B. Continuity management
C. Configuration management
D. Problem management
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Problem management is focused on identifying and mitigating known problems and deficiencies before they are able to occur, as well as on minimizing the impact of incidents that cannot be prevented. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Configuration management tracks and maintains detailed information about all IT components within an organization.
91
QUESTION 191
When a system needs to be exposed to the public Internet, what type of secure system would be used to perform only the desired operations?
A. Firewall
B. Proxy
C. Honeypot
D. Bastion
D
A bastion is a system that is exposed to the public Internet to perform a specific function, but it is highly restricted and secured to just that function. Any nonessential services and access are removed from the bastion so that security countermeasures and monitoring can be focused just on the bastion's specific duties. A honeypot is a system designed to look like a production system to entice attackers, but it does not contain any real data. It is used for learning about types of attacks and enabling countermeasures for them. A firewall is used within a network to limit access between IP addresses and ports. A proxy server provides additional security to and rulesets for network traffic that is allowed to pass through it to a service destination.
92
QUESTION 191
When a system needs to be exposed to the public Internet, what type of secure system would be used to perform only the desired operations?
A. Firewall
B. Proxy
C. Honeypot
D. Bastion
D
A bastion is a system that is exposed to the public Internet to perform a specific function, but it is highly restricted and secured to just that function. Any nonessential services and access are removed from the bastion so that security countermeasures and monitoring can be focused just on the bastion's specific duties. A honeypot is a system designed to look like a production system to entice attackers, but it does not contain any real data. It is used for learning about types of attacks and enabling countermeasures for them. A firewall is used within a network to limit access between IP addresses and ports. A proxy server provides additional security to and rulesets for network traffic that is allowed to pass through it to a service destination.
93
QUESTION 192
With the rapid emergence of cloud computing, very few regulations were in place that pertained to it specifically, and organizations often had to resort to using a collection of regulations that were not specific to cloud in order to drive audits and policies.
Which standard from the ISO/IEC was designed specifically for cloud computing?
A. ISO/IEC 27001
B. ISO/IEC 19889
C. ISO/IEC 27001:2015
D. ISO/IEC 27018
Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
ISO/IEC 27018 was implemented to address the protection of personal and sensitive information within a cloud environment. ISO/IEC 27001 and its later 27001:2015 revision are both general-purpose data security standards. ISO/IEC 19889 is an erroneous answer.
94
QUESTION 193
Which component of ITIL pertains to planning, coordinating, executing, and validating changes and rollouts to production environments?
A. Release management
B. Availability management
C. Problem management
D. Change management
A
Release management involves planning, coordinating, executing, and validating changes and rollouts to the production environment. Change management is a higher-level component than release management and also involves stakeholder and management approval, rather than specifically focusing the actual release itself. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.
95
QUESTION 194
What process entails taking sensitive data and removing the indirect identifiers from each data object so that the identification of a single entity would not be possible?
A. Tokenization
B. Encryption
C. Anonymization
D. Masking
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Anonymization is a type of masking, where indirect identifiers are removed from a data set to prevent the mapping back of data to an individual. Although masking refers to the overall approach of covering sensitive data, anonymization is the best answer here because it is more specific to exactly what is being asked.
Tokenization involves the replacement of sensitive data with a key value that can be matched back to the real value. However, it is not focused on indirect identifiers or preventing the matching to an individual. Encryption refers to the overall process of protecting data via key pairs and protecting confidentiality.
96
QUESTION 195
Because cloud providers will not give detailed information out about their infrastructures and practices to the general public, they will often use established auditing reports to ensure public trust, where the reputation of the auditors serves for assurance.
Which type of audit reports can be used for general public trust assurances?
A. SOC 2
B. SAS-70
C. SOC 3
D. SOC 1
Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
SOC Type 3 audit reports are very similar to SOC Type 2, with the exception that they are intended for general release and public audiences.SAS-70 audits have been deprecated. SOC Type 1 audit reports have a narrow scope and are intended for very limited release, whereas SOC Type 2 audit reports are intended for wider audiences but not general release.
97
QUESTION 196
Which of the following concepts is NOT one of the core components to an encryption system architecture?
A. Software
B. Network
C. Keys
D. Data
Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The network utilized is not one of the key components of an encryption system architecture. In fact, a network is not even required for encryption systems or the processing and protection of data. The data, software used for the encryption engine itself, and the keys used to implement the encryption are all core components of an encryption system architecture.
98
QUESTION 197
Which of the following is NOT a major regulatory framework?
A. PCI DSS
B. HIPAA
C. SOX
D. FIPS 140-2
Correct Answer: D
Section: (none) Explanation Explanation/Reference:
Explanation:
FIPS 140-2 is a United States certification standard for cryptographic modules, and it provides guidance and requirements for their use based on the requirements of the data classification. However, these are not actual regulatory requirements. The Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS) are all major regulatory frameworks either by law or specific to an industry.
99
QUESTION 198
An audit scope statement defines the limits and outcomes from an audit.
Which of the following would NOT be included as part of an audit scope statement?
A. Reports
B. Certification
C. Billing
D. Exclusions
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Billing for an audit, or other cost-related items, would not be part of an audit scope statement and would instead be handled prior to the actual audit as part of the contract between the organization and auditors. Reports, exclusions to the scope of the audit, and required certifications on behalf of the systems or auditors are all crucial elements of an audit scope statement.
100
QUESTION 200
Cloud systems are increasingly used for BCDR solutions for organizations.
What aspect of cloud computing makes their use for BCDR the most attractive?
A. On-demand self-service
B. Measured service
C. Portability
D. Broad network access
Correct Answer: B
Section: (none) Explanation
Explanation/Reference: Explanation:
Business continuity and disaster recovery (BCDR) solutions largely sit idle until they are actually needed. This traditionally has led to increased costs for an organization because physical hardware must be purchased and operational but is not used. By using a cloud system, an organization will only pay for systems when they are being used and only for the duration of use, thus eliminating the need for extra hardware and costs. Portability is the ability to easily move services among different cloud providers. Broad network access allows access to users and staff from anywhere and from different clients, and although this would be important for a BCDR situation, it is not the best answer in this case. On-demand self-service allows users to provision services automatically and when needed, and although this too would be important for BCDR situations, it is not the best answer because it does not address costs or the biggest benefits to an organization.
