Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CCSP-GratisEaxm > Question #201-300 > Flashcards

Question #201-300 Flashcards

(100 cards)

Start Studying
1
Q

QUESTION 201
What’s a potential problem when object storage versus volume storage is used within IaaS for application use and dependency?
A. Object storage is only optimized for small files.
B. Object storage is its own system, and data consistency depends on replication.
C. Object storage may have availability issues.
D. Object storage is dependent on access control from the host server.

A

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Object storage runs on its own independent systems, which have their own redundancy and distribution. To ensure data consistency, sufficient time is needed for objects to fully replicate to all potential locations before being accessed. Object storage is optimized for high availability and will not be any less reliable than any other virtual machine within a cloud environment. It is hosted on a separate system that does not have dependencies in local host servers for access control, and it is optimized for files of all different sizes and uses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

QUESTION 202
Many aspects of cloud computing bring enormous benefits over a traditional data center, but also introduce new challenges unique to cloud computing.
Which of the following aspects of cloud computing makes appropriate data classification of high importance?
A. Multitenancy
B. Interoperability
C. Portability
D. Reversibility

A

Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
With multitenancy, where different cloud customers all share the same physical systems and networks, data classification becomes even more important to ensure that the appropriate security controls are applied immediately to prevent any potential leakage or exposure to other customers. Portability refers to the ability to move easily from one cloud provider to another. Interoperability refers to the ability to reuse components and services for different uses. Reversibility refers to the ability of the cloud customer to quickly and completely remove all data and services from a cloud provider and to verify the removal.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

QUESTION 203
Without the extensive funds of a large corporation, a small-sized company could gain considerable and cost-effective services for which of the following concepts by moving to a cloud environment?
A. Regulatory

B. Security
C. Testing
D. Development

A

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Cloud environments, regardless of the specific deployment model used, have extensive and robust security controls in place, especially in regard to physical and infrastructure security. A small company can leverage the extensive security controls and monitoring provided by a cloud provider, which they would unlikely ever be able to afford on their own. Moving to a cloud would not result in any gains for development and testing because these areas require the same rigor regardless of where deployment and hosting occur. Regulatory compliance in a cloud would not be a gain for an organization because it would likely result in additional oversight and auditing as well as require the organization to adapt to a new environment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

QUESTION 204
BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the amount of data and services needed to reach the predetermined level of operations?
A. SRE
B. RPO
C. RSL
D. RTO

A

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. SRE is provided as an erroneous response.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

QUESTION 205
Which of the following is NOT a commonly used communications method within cloud environments to secure data in transit?
A. IPSec
B. HTTPS
C. VPN
D. DNSSEC

A

Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
DNSSEC is used as a security extension to DNS lookup queries in order to ensure the authenticity and authoritativeness of hostname resolutions, in order to prevent spoofing and redirection of traffic. Although it is a very important concept to be employed for security practices, it is not used to secure or encrypt data transmissions. HTTPS is the most commonly used security mechanism for data communications between clients and websites and web services. IPSec is less commonly used, but is also intended to secure communications between servers. VPN is commonly used to secure traffic into a network area or subnet for developers and administrative users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

QUESTION 206
Which crucial aspect of cloud computing can be most threatened by insecure APIs?
A. Automation
B. Resource pooling
C. Elasticity
D. Redundancy

A

Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment. Resource pooling and elasticity could both be impacted by insecure APIs, as both require automation and orchestration to operate properly, but automation is the better answer here. Redundancy would not be directly impacted by insecure APIs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

QUESTION 207
The WS-Security standards are built around all of the following standards except which one?
A. SAML
B. WDSL
C. XML
D. SOAP

A

Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The WS-Security specifications, as well as the WS-Federation system, are built upon XML, WDSL, and SOAP. SAML is a very similar protocol that is used as an alternative to WS.XML, WDSL, and SOAP are all integral to the WS-Security specifications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

QUESTION 208
Which protocol, as a part of TLS, handles negotiating and establishing a connection between two parties?
A. Record
B. Binding
C. Negotiation
D. Handshake

A

Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables a secure communications channel to then handle data transmissions. The TLS record protocol is the actual secure communications method for transmitting data; it’s responsible for the encryption and authentication of packets throughout their transmission between the parties, and in some cases it also performs compression. Negotiation and binding are not protocols under TLS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

QUESTION 209
BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the required amount of time to restore services to the predetermined level?
A. RPO
B. RSL
C. RTO
D. SRE

A

Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. SRE is provided as an erroneous response.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

QUESTION 210
Which data protection strategy would be useful for a situation where the ability to remove sensitive data from a set is needed, but a requirement to retain the ability to map back to the original values is also present?
A. Masking
B. Tokenization
C. Encryption
D. Anonymization

A

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Tokenization involves the replacement of sensitive data fields with key or token values, which can ultimately be mapped back to the original, sensitive data values. Masking refers to the overall approach to covering sensitive data, and anonymization is a type of masking, where indirect identifiers are removed from a data set to prevent the mapping back of data to an individual. Encryption refers to the overall process of protecting data via key pairs and protecting confidentiality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

QUESTION 211
Which of the following is NOT one of the components of multifactor authentication?
A. Something the user knows
B. Something the user has
C. Something the user sends
D. Something the user is

A

Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Multifactor authentication systems are composed of something the user knows, has, and/or is, not something the user sends. Multifactor authentication commonly uses something that a user knows, has, and/or is (such as biometrics or features).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

QUESTION 212
Above and beyond general regulations for data privacy and protection, certain types of data are subjected to more rigorous regulations and oversight.
Which of the following is not a regulatory framework for more sensitive or specialized data?
A. FIPS 140-2
B. FedRAMP
C. PCI DSS
D. HIPAA

A

Correct Answer: A Section: (none) Explanation
Explanation/Reference:
Explanation:
The FIPS 140-2 standard pertains to the certification of cryptographic modules and is not a regulatory framework. The Payment Card Industry Data Security Standard (PCI DSS), the Federal Risk and Authorization Management Program (FedRAMP), and the Health Insurance Portability and Accountability Act (HIPAA) are all regulatory frameworks for sensitive or specialized data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

QUESTION 213
Which of the following could be used as a second component of multifactor authentication if a user has an RSA token?
A. Access card
B. USB thumb drive
C. Retina scan
D. RFID

A

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A retina scan could be used in conjunction with an RSA token because it is a biometric factor, and thus a different type of factor. An access card, RFID, and USB thumb drive are all items in possession of a user, the same as an RSA token, and as such would not be appropriate.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

QUESTION 214
Having a reservation in a cloud environment can ensure operations continue in the event of high utilization across the cloud.
Which of the following would NOT be a capability covered by reservations?
A. Performing business operations
B. Starting virtual machines
C. Running applications
D. Auto-scaling

A

Correct Answer: D
Section: (none) Explanation
Explanation/Reference: Explanation:
A reservation will not guarantee auto-scaling is available because it involves the allocation of additional resources beyond what a cloud customer already has provisioned. Reservations will guarantee minimal resources are available to start virtual machines, run applications, and perform normal business operations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

QUESTION 215
Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner?
A. KVM
B. HTTPS
C. VPN
D. TLS

A

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A keyboard-video-mouse (KVM) system is commonly used for directly accessing server terminals in a data center. It is not a method that would be possible within a cloud environment, primarily due to the use virtualized systems, but also because only the cloud provider’s staff would be allowed the physical access to hardware systems that’s provided by a KVM. Hypertext Transfer Protocol Secure (HTTPS), virtual private network ( VPN), and Transport Layer Security (TLS) are all technologies and protocols that are widely used with cloud implementations for secure access to systems and services.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

QUESTION 216
Which protocol, as a part of TLS, handles the actual secure communications and transmission of data?
A. Negotiation
B. Handshake
C. Transfer
D. Record

A

Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
The TLS record protocol is the actual secure communications method for transmitting data; it’s responsible for encrypting and authenticating packets throughout their transmission between the parties, and in some cases it also performs compression. The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables the secure communications channel to then handle data transmissions. Negotiation and transfer are not protocols under TLS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

QUESTION 217
Which of the following terms is NOT a commonly used category of risk acceptance?
A. Moderate
B. Critical
C. Minimal
D. Accepted

A

Correct Answer: D
Section: (none) Explanation
Explanation/Reference: Explanation
Accepted is not a risk acceptance category. The risk acceptance categories are minimal, low, moderate, high, and critical.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

QUESTION 218
Many activities within a cloud environment are performed via programmatic means, where complex and distributed operations are handled without the need to perform each step individually.
Which of the following concepts does this describe?
A. Orchestration
B. Provisioning
C. Automation
D. Allocation

A

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Orchestration is the programmatic means of managing and coordinating activities within a cloud environment and allowing for a commensurate level of automation and self-service. Provisioning, allocation, and automation are all components of orchestration, but none refers to the overall concept.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

QUESTION 219
Which of the following provides assurance, to a predetermined acceptable level of certainty, that an entity is indeed who they claim to be?
A. Authentication
B. Identification
C. Proofing
D. Authorization

A

Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
Authentication goes a step further than identification by providing a means for proving an entity’s identification. Authentication is most commonly done through mechanisms such as passwords. Identification involves ascertaining who the entity is, but without a means of proving it, such as a name or user ID. Authorization occurs after authentication and sets access permissions and other privileges within a system or application for the user. Proofing is not a term that is relevant to the question.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

QUESTION 220
When an organization is considering the use of cloud services for BCDR planning and solutions, which of the following cloud concepts would be the most important?

A. Reversibility
B. Elasticity
C. Interoperability
D. Portability

A

Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Portability is the ability for a service or system to easily move among different cloud providers. This is essential for using a cloud solution for BCDR because vendor lock-in would inhibit easily moving and setting up services in the event of a disaster, or it would necessitate a large number of configuration or component changes to implement. Interoperability, or the ability to reuse components for other services or systems, would not be an important factor for BCDR. Reversibility, or the ability to remove all data quickly and completely from a cloud environment, would be important at the end of a disaster, but would not be important during setup and deployment. Elasticity, or the ability to resize resources to meet current demand, would be very beneficial to a BCDR situation, but not as vital as portability.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

QUESTION 221
What masking strategy involves the replacing of sensitive data at the time it is accessed and used as it flows between the data and application layers of a service?
A. Active
B. Static
C. Dynamic
D. Transactional

A

Correct Answer: C
Section: (none) Explanation
Explanation/Reference:
Explanation:
Dynamic masking involves the live replacing of sensitive data fields during transactional use between the data and application layers of a service. Static masking involves creating a full data set with the sensitive data fields masked, but is not done during live transactions like dynamic masking. Active and transactional are offered as similar types of answers but are not types of masking.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

QUESTION 222
Which of the following would be considered an example of insufficient due diligence leading to security or operational problems when moving to a cloud?
A. Monitoring
B. Use of a remote key management system
C. Programming languages used
D. Reliance on physical network controls

A

Correct Answer: D
Section: (none) Explanation
Explanation/Reference:
Explanation:
Many organizations in a traditional data center make heavy use of physical network controls for security. Although this is a perfectly acceptable best practice in a traditional data center, this reliance is not something that will port to a cloud environment. The failure of an organization to properly understand and adapt to the difference in network controls when moving to a cloud will likely leave an application with security holes and vulnerabilities. The use of a remote key management system, monitoring, or certain programming languages would not constitute insufficient due diligence by itself.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

QUESTION 223
Upon completing a risk analysis, a company has four different approaches to addressing risk. Which approach it takes will be based on costs, available options, and adherence to any regulatory requirements from independent audits.
Which of the following groupings correctly represents the four possible approaches?
A. Accept, avoid, transfer, mitigate
B. Accept, deny, transfer, mitigate
C. Accept, deny, mitigate, revise
D. Accept, dismiss, transfer, mitigate

A

Correct Answer: A
Section: (none) Explanation
Explanation/Reference:
Explanation:
The four possible approaches to risk are as follows: accept (do not patch and continue with the risk), avoid (implement solutions to prevent the risk from occurring), transfer (take out insurance), and mitigate (change configurations or patch to resolve the risk). Each of these answers contains at least one incorrect approach name.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

QUESTION 224
Which of the following is NOT a component of access control?
A. Accounting
B. Federation
C. Authorization
D. Authentication

A

Correct Answer: B
Section: (none) Explanation
Explanation/Reference:
Explanation:
Federation is not a component of access control. Instead, it is used to allow users possessing credentials from other authorities and systems to access services outside of their domain. This allows for access and trust without the need to create additional, local credentials. Access control encompasses not only the key concepts of authorization and authentication, but also accounting. Accounting consists of collecting and maintaining logs for both authentication and authorization for operational and regulatory requirements.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
QUESTION 225 With an application hosted in a cloud environment, who could be the recipient of an eDiscovery order? A. Users B. Both the cloud provider and cloud customer C. The cloud customer D. The cloud provider
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Either the cloud customer or the cloud provider could receive an eDiscovery order, and in almost all circumstances they would need to work together to ensure compliance.
26
QUESTION 226 Which ITIL component focuses on ensuring that system resources, processes, and personnel are properly allocated to meet SLA requirements? A. Continuity management B. Availability management C. Configuration management D. Problem management
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Configuration management tracks and maintains detailed information about all IT components within an organization. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.
27
QUESTION 227 Which ITIL component is an ongoing, iterative process of tracking all deployed and configured resources that an organization uses and depends on, whether they are hosted in a traditional data center or a cloud? A. Problem management B. Continuity management C. Availability management D. Configuration management
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Configuration management tracks and maintains detailed information about all IT components within an organization. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.
28
QUESTION 228 When beginning an audit, both the system owner and the auditors must agree on various aspects of the final audit report. Which of the following would NOT be something that is predefined as part of the audit agreement? A. Size B. Format C. Structure D. Audience
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation The ultimate size of the audit report is not something that would ever be included in the audit scope or definition. Decisions about the content of the report should be the only factor that drives the ultimate size of the report. The structure, audience, and format of the audit report are all crucial elements that must be defined and agreed upon as part of the audit scope.
29
QUESTION 229 What concept does the D represent within the STRIDE threat model? A. Denial of service B. Distributed C. Data breach D. Data loss
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Any application can be a possible target of denial of service (DoS) attacks. From the application side, the developers should minimize how many operations are performed for unauthenticated users. This will keep the application running as quickly as possible and using the least amount of system resources to help minimize the impact of any such attacks. None of the other options provided is the correct term.
30
QUESTION 230 Which of the following is the concept of segregating information or processes, within the same system or application, for security reasons? A. Cell blocking B. Sandboxing C. Pooling D. Fencing
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Sandboxing involves the segregation and isolation of information or processes from other information or processes within the same system or application, typically for security concerns. Sandboxing is generally used for data isolation (for example, keeping different communities and populations of users isolated from others with similar data). In IT terminology, pooling typically means bringing together and consolidating resources or services, not segregating or separating them. Cell blocking and fencing are both erroneous terms.
31
QUESTION 231 Which cloud service category most commonly uses client-side key management systems? A. Software as a Service B. Infrastructure as a Service C. Platform as a Service D. Desktop as a Service
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: SaaS most commonly uses client-side key management. With this type of implementation, the software for doing key management is supplied by the cloud provider, but is hosted and run by the cloud customer. This allows for full integration with the SaaS implementation, but also provides full control to the cloud customer. Although the cloud provider may offer software for performing key management to the cloud customers, with the Infrastructure, Platform, and Desktop as a Service categories, the customers would largely be responsible for their own options and implementations and would not be bound by the offerings from the cloud provider.
32
QUESTION 232 Which of the following types of data would fall under data rights management (DRM) rather than information rights management (IRM)? A. Personnel data B. Security profiles C. Publications D. Financial records
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Whereas IRM is used to protect a broad range of data, DRM is focused specifically on the protection of consumer media, such as publications, music, movies, and so on. IRM is used to protect general institution data, so financial records, personnel data, and security profiles would all fall under the auspices of IRM.
33
QUESTION 233 Different security testing methodologies offer different strategies and approaches to testing systems, requiring security personnel to determine the best type to use for their specific circumstances. What does dynamic application security testing (DAST) NOT entail that SAST does? A. Discovery B. Knowledge of the system C. Scanning D. Probing
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Dynamic application security testing (DAST) is considered "black-box" testing and begins with no inside knowledge of the application or its configurations. Everything about it must be discovered during its testing. As with most types of testing, dynamic application security testing (DAST) involves probing, scanning, and a discovery process for system information.
34
QUESTION 234 You need to gain approval to begin moving your company's data and systems into a cloud environment. However, your CEO has mandated the ability to easily remove your IT assets from the cloud provider as a precondition. Which of the following cloud concepts would this pertain to? A. Removability B. Extraction C. Portability D. Reversibility
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Reversibility is the cloud concept involving the ability for a cloud customer to remove all of its data and IT assets from a cloud provider. Also, processes and agreements would be in place with the cloud provider that ensure all removals have been completed fully within the agreed upon timeframe. Portability refers to the ability to easily move between different cloud providers and not be locked into a specific one. Removability and extraction are both provided as terms similar to reversibility, but neither is the official term or concept.
35
QUESTION 235 What does static application security testing (SAST) offer as a tool to the testers that makes it unique compared to other common security testing methodologies? A. Live testing B. Source code access C. Production system scanning D. Injection attempts
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Static application security testing (SAST) is conducted against offline systems with previous knowledge of them, including their source code. Live testing is not part of static testing but rather is associated with dynamic testing. Production system scanning is not appropriate because static testing is done against offline systems. Injection attempts are done with many different types of testing and are not unique to one particular type. It is therefore not the best answer to the question.
36
QUESTION 236 Which of the following areas of responsibility always falls completely under the purview of the cloud provider, regardless of which cloud service category is used? A. Infrastructure B. Data C. Physical D. Governance
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. In many instances, the cloud provider will supply audit reports or some general information about their physical security practices, especially to those customers or potential customers that may have regulatory requirements, but otherwise the cloud customer will have very little insight into the physical environment. With IaaS, the infrastructure is a shared responsibility between
37
QUESTION 237 What type of masking would you employ to produce a separate data set for testing purposes based on production data without any sensitive information? A. Dynamic B. Tokenized C. Replicated D. Static
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Static masking involves taking a data set and replacing sensitive fields and values with non-sensitive or garbage data. This is done to enable testing of an application against data that resembles production data, both in size and format, but without containing anything sensitive. Dynamic masking involves the live and transactional masking of data while an application is using it. Tokenized would refer to tokenization, which is the replacing of sensitive data with a key value that can later be matched back to the original value, and although it could be used as part of the production of test data, it does not refer to the overall process. Replicated is provided as an erroneous answer, as replicated data would be identical in value and would not accomplish the production of a test set.
38
QUESTION 238 When an organization is considering a cloud environment for hosting BCDR solutions, which of the following would be the greatest concern? A. Self-service B. Resource pooling C. Availability D. Location
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: If an organization wants to use a cloud service for BCDR, the location of the cloud hosting becomes a very important security consideration due to regulations and jurisdiction, which could be dramatically different from the organization's normal hosting locations. Availability is a hallmark of any cloud service provider, and likely will not be a prime consideration when an organization is considering using a cloud for BCDR; the same goes for self-service options. Resource
39
among all cloud systems and would not be a concern when an organization is dealing with the provisioning of resources during a disaster. QUESTION 239 What type of solution is at the core of virtually all directory services? A. WS B. LDAP C. ADFS D. PKI
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: The Lightweight Directory Access Protocol (LDAP) forms the basis of virtually all directory services, regardless of the specific vendor or software package.WS is a protocol for information exchange between two systems and does not actually store the data. ADFS is a Windows component for enabling single sign-on for the operating system and applications, but it relies on data from an LDAP server. PKI is used for managing and issuing security certificates.
40
QUESTION 240 The different cloud service models have varying levels of responsibilities for functions and operations depending with the model's level of service. In which of the following models would the responsibility for patching lie predominantly with the cloud customer? A. DaaS B. SaaS C. PaaS D. IaaS
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: With Infrastructure as a Service (IaaS), the cloud customer is responsible for deploying and maintaining its own systems and virtual machines. Therefore, the customer is solely responsible for patching and any other security updates it finds necessary. With Software as a Service (SaaS), Platform as a Service (PaaS), and Desktop as a Service (DaaS), the cloud provider maintains the infrastructure components and is responsible for maintaining and patching them.
41
QUESTION 241 Which component of ITIL involves the creation of an RFC ticket and obtaining official approvals for it? A. Problem management B. Release management C. Deployment management D. Change management
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: The change management process involves the creation of the official Request for Change (RFC) ticket, which is used to document the change, obtain the required approvals from management and stakeholders, and track the change to completion. Release management is a subcomponent of change management, where the actual code or configuration change is put into place. Deployment management is similar to release management, but it's where changes are actually implemented on systems. Problem management is focused on the identification and mitigation of known problems and deficiencies before they are able to occur.
42
QUESTION 242 Which of the following are attributes of cloud computing? A. Minimal management effort and shared resources B. High cost and unique resources C. Rapid provisioning and slow release of resources D. Limited access and service provider interaction
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
43
QUESTION 243 In a cloud environment, encryption should be used for all the following, except: A. Secure sessions/VPN B. Long-term storage of data C. Near-term storage of virtualized images D. Profile formatting
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: All of these activities should incorporate encryption, except for profile formatting, which is a made-up term.
44
QUESTION 244 When using an IaaS solution, what is the capability provided to the customer? A. To provision processing, storage, networks, and other fundamental computing resources when the consumer is able to deploy and run arbitrary software, which can include OSs and applications. B. To provision processing, storage, networks, and other fundamental computing resources when the auditor is able to deploy and run arbitrary software, which can include OSs and applications. C. To provision processing, storage, networks, and other fundamental computing resources when the provider is able to deploy and run arbitrary software, which can include OSs and applications. D. To provision processing, storage, networks, and other fundamental computing resources when the consumer is not able to deploy and run arbitrary software, which can include OSs and applications.
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: According to “The NIST Definition of Cloud Computing,” in IaaS, “the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
45
QUESTION 245 Which of the following is considered an administrative control? A. Keystroke logging B. Access control process C. Door locks D. Biometric authentication
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: A process is an administrative control; sometimes, the process includes elements of other types of controls (in this case, the access control mechanism might be a technical control, or it might be a physical control), but the process itself is administrative. Keystroke logging is a technical control (or an attack, if done for malicious purposes, and not for auditing); door locks are a physical control; and biometric authentication is a technological control.
46
QUESTION 246 In which cloud service model is the customer required to maintain the OS? A. Iaas B. CaaS C. PaaS D. SaaS
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: In IaaS, the service is bare metal, and the customer has to install the OS and the software; the customer then is responsible for maintaining that OS. In the other models, the provider installs and maintains the OS.
47
QUESTION 247 When using a PaaS solution, what is the capability provided to the customer? A. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The provider does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. B. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. C. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the consumer supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. D. To deploy onto the cloud infrastructure provider-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: According to “The NIST Definition of Cloud Computing,” in PaaS, “the capability provided to the consumer is to deploy onto the cloud infrastructure consumercreated or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
48
QUESTION 248 What are SOC 1/SOC 2/SOC 3? A. Audit reports B. Risk management frameworks C. Access controls D. Software developments
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: An SOC 1 is a report on controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. An SOC 2 report is based on the existing SysTrust and WebTrust principles. The purpose of an SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, or privacy. An SOC 3 report is also based on the existing SysTrust and WebTrust principles, like a SOC 2 report. The difference is that the SOC 3 report does not detail the testing performed.
49
QUESTION 249 Gathering business requirements can aid the organization in determining all of this information about organizational assets, except: A. Full inventory B. Criticality C. Value D. Usefulness
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: When we gather information about business requirements, we need to do a complete inventory, receive accurate valuation of assets (usually from the owners of those assets), and assess criticality; this collection of information does not tell us, objectively, how useful an asset is, however.
50
UESTION 250 Which of the following are cloud computing roles? A. Cloud service broker and user B. Cloud customer and financial auditor C. CSP and backup service provider D. Cloud service auditor and object
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: The following groups form the key roles and functions associated with cloud computing. They do not constitute an exhaustive list but highlight the main roles and functions within cloud computing: - Cloud customer: An individual or entity that utilizes or subscribes to cloud based services or resources. - CSP: A company that provides cloud-based platform, infrastructure, application, or storage services to other organizations or individuals, usually for a fee; otherwise known to clients “as a service. - Cloud backup service provider: A third-party entity that manages and holds operational responsibilities for cloud-based data backup services and solutions to customers from a central data center. - CSB: Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple CSPs. It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services. The CSB can be utilized as a “middleman” to broker the best deal and customize services to the customer’s requirements. May also resell cloud services. - Cloud service auditor: Third-party organization that verifies attainment of SLAs.
51
QUESTION 251 Which of the following are considered to be the building blocks of cloud computing? A. CPU, RAM, storage, and networking B. Data, CPU, RAM, and access control C. Data, access control, virtualization, and services D. Storage, networking, printing, and virtualization
Correct Answer: A Section: (none) Explanation Explanation/Reference:
52
QUESTION 252 Which of the following is considered a physical control? A. Fences B. Ceilings C. Carpets D. Doors
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control: the lock on the door would be a physical security control. Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.
53
QUESTION 253 What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first? A. Quantum-state B. Polyinstantiation C. Homomorphic D. Gastronomic
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Homomorphic encryption hopes to achieve that goal; the other options are terms that have almost nothing to do with encryption.
54
QUESTION 254 To protect data on user devices in a BYOD environment, the organization should consider requiring all the following, except: A. Multifactor authentication B. DLP agents C. Two-person integrity D. Local encryption
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Although all the other options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic, and, if implemented, would require everyone in your organization to walk around in pairs while using their mobile devices.
55
QUESTION 255 DLP can be combined with what other security technology to enhance data controls? A. DRM B. Hypervisor C. SIEM D. Kerberos
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.
56
QUESTION 256 What is the intellectual property protection for a confidential recipe for muffins? A. Patent B. Trademark C. Trade secret D. Copyright
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Confidential recipes unique to the organization are trade secrets. The other answers listed are answers to other questions.
57
QUESTION 257 Every security program and process should have which of the following? A. Severe penalties B. Multifactor authentication C. Foundational policy D. Homomorphic encryption
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Policy drives all programs and functions in the organization; the organization should not conduct any operations that don’t have a policy governing them. Penalties may or may not be an element of policy, and severity depends on the topic. Multifactor authentication and homomorphic encryption are red herrings here.
58
QUESTION 258 All policies within the organization should include a section that includes all of the following, except: A. Policy adjudication B. Policy maintenance C. Policy review D. Policy enforcement
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: All the elements except adjudication need to be addressed in each policy. Adjudication is not an element of policy.
59
QUESTION 259 What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? A. AES B. Link encryption C. One-time pads D. Homomorphic encryption
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.
60
QUESTION 260 Data labels could include all the following, except: A. Multifactor authentication B. Access restrictions C. Confidentiality level D. Distribution limitations
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.
61
QUESTION 261 The goals of DLP solution implementation include all of the following, except: A. Elasticity B. Policy enforcement C. Data discovery D. Loss of mitigation
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: DLP does not have anything to do with elasticity, which is the capability of the environment to scale up or down according to demand. All the rest are goals of DLP implementations.
62
QUESTION 262 What is the intellectual property protection for the tangible expression of a creative idea? A. Trade secret B. Copyright C. Trademark D. Patent
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Copyrights are protected tangible expressions of creative works. The other answers listed are answers to subsequent questions.
63
QUESTION 263 The goals of SIEM solution implementation include all of the following, except: A. Dashboarding B. Performance enhancement C. Trend analysis D. Centralization of log streams
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: SIEM does not intend to provide any enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead. All the rest are goals of SIEM implementations.
64
QUESTION 264 All of the following are terms used to described the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except: A. Tokenization B. Masking C. Data discovery D. Obfuscation
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Data discovery is a term used to describe the process of identifying information according to specific traits or categories. The rest are all methods for obscuring data.
65
QUESTION 265 All the following are data analytics modes, except: A. Datamining B. Agile business intelligence C. Refractory iterations D. Real-time analytics
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: All the others are data analytics methods, but “refractory iterations” is a nonsense term thrown in as a red herring.
66
QUESTION 266 What are the U.S. State Department controls on technology exports known as? A. DRM B. ITAR C. EAR D. EAL
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: ITAR is a Department of State program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.
67
QUESTION 267 DLP can be combined with what other security technology to enhance data controls? A. SIEM B. Hypervisors C. DRM D. Kerberos
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.
68
QUESTION 268 Data masking can be used to provide all of the following functionality, except: A. Test data in sandboxed environments B. Authentication of privileged users C. Enforcing least privilege D. Secure remote access
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Data masking does not support authentication in any way. All the others are excellent use cases for data masking.
69
QUESTION 269 Tokenization requires two distinct _________________ . A. Personnel B. Authentication factors C. Encryption keys D. Databases
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.
70
QUESTION 270 Best practices for key management include all of the following, except: A. Ensure multifactor authentication B. Pass keys out of band C. Have key recovery processes D. Maintain key security
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: We should do all of these except for requiring multifactor authentication, which is pointless in key management.
71
QUESTION 271 What is the correct order of the phases of the data life cycle? A. Create, Use, Store, Share, Archive, Destroy B. Create, Archive, Store, Share, Use, Destroy C. Create, Store, Use, Archive, Share, Destroy D. Create, Store, Use, Share, Archive, Destroy
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: The other options are the names of the phases, but out of proper order.
72
QUESTION 272 What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? A. One-time pads B. Link encryption C. Homomorphic encryption D. AES
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.
73
QUESTION 273 What are third-party providers of IAM functions for the cloud environment? A. AESs B. SIEMs C. DLPs D. CASBs
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Data loss, leak prevention, and protection is a family of tools used to reduce the possibility of unauthorized disclosure of sensitive information. SIEMs are tools used to collate and manage log data. AES is an encryption standard.
74
QUESTION 274 Data labels could include all the following, except: A. Data value B. Data of scheduled destruction C. Date data was created D. Data owner
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: All the others might be included in data labels, but we don’t usually include data value, since it is prone to change frequently, and because it might not be information we want to disclose to anyone who does not have need to know.
75
QUESTION 275 All of these are methods of data discovery, except: A. Label-based B. User-based C. Content-based D. Metadata-based
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: All the others are valid methods of data discovery; user-based is a red herring with no meaning.
76
QUESTION 276 The various models generally available for cloud BC/DR activities include all of the following except: A. Private architecture, cloud backup B. Cloud provider, backup from another cloud provider C. Cloud provider, backup from same provider D. Cloud provider, backup from private provider
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: This is not a normal configuration and would not likely provide genuine benefit.
77
QUESTION 277 When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is: A. Many states have data breach notification laws. B. Breaches can cause the loss of proprietary data. C. Breaches can cause the loss of intellectual property. D. Legal liability can’t be transferred to the cloud provider.
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: State notification laws and the loss of proprietary data/intellectual property pre-existed the cloud; only the lack of ability to transfer liability is new.
78
QUESTION 278 The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement? A. IaaS B. SaaS C. Community cloud D. PaaS
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: IaaS entails the cloud customer installing and maintaining the OS, programs, and data; PaaS has the customer installing programs and data; in SaaS, the customer only uploads data. In a community cloud, data and device owners are distributed.
79
QUESTION 279 Countermeasures for protecting cloud operations against external attackers include all of the following except: A. Continual monitoring for anomalous activity. B. Detailed and extensive background checks. C. Regular and detailed configuration/change management activities D. Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines.
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Background checks are controls for attenuating potential threats from internal actors; external threats aren’t likely to submit to background checks.
80
QUESTION 280 User access to the cloud environment can be administered in all of the following ways except: A. Provider provides administration on behalf the customer B. Customer directly administers access C. Third party provides administration on behalf of the customer D. Customer provides administration on behalf of the provider
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: The customer does not administer on behalf of the provider. All the rest are possible options.
81
QUESTION 281 Countermeasures for protecting cloud operations against internal threats include all of the following except: A. Extensive and comprehensive training programs, including initial, recurring, and refresher sessions B. Skills and knowledge testing C. Hardened perimeter devices D. Aggressive background checks
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Hardened perimeter devices are more useful at attenuating the risk of external attack.
82
QUESTION 282 Because of multitenancy, specific risks in the public cloud that don’t exist in the other cloud service models include all the following except: A. DoS/DDoS B. Information bleed C. Risk of loss/disclosure due to legal seizures D. Escalation of privilege
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: DoS/DDoS threats and risks are not unique to the public cloud model.
83
QUESTION 283 What is the cloud service model in which the customer is responsible for administration of the OS? A. QaaS B. SaaS C. PaaS D. IaaS
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: In IaaS, the cloud provider only owns the hardware and supplies the utilities. The customer is responsible for the OS, programs, and data. In PaaS and SaaS, the provider also owns the OS. There is no QaaS. That is a red herring.
84
QUESTION 284 All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except: A. Ensure there are no physical limitations to moving B. Use DRM and DLP solutions widely throughout the cloud operation C. Ensure favorable contract terms to support portability D. Avoid proprietary data formats
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: DRM and DLP are used for increased authentication/access control and egress monitoring, respectively, and would actually decrease portability instead of enhancing it.
85
enhancing it. QUESTION 285 Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider? A. SOC 1 Type 1 B. SOC 2 Type 2 C. SOC 3 D. SOC 1 Type 2
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting, and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.
86
QUESTION 286 As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphi, Congress passed legislation known as: A. SOX B. HIPAA C. FERPA D. GLBA
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: Sarbanes-Oxley was a direct response to corporate scandals. FERPA is related to education. GLBA is about the financial industry. HIPAA is about health care.
87
QUESTION 287 The application normative framework is best described as which of the following? A. A superset of the ONF B. A stand-alone framework for storing security practices for the ONF C. The complete ONF D. A subnet of the ONF
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization). Therefore, the ANF is a subset of the ONF.
88
QUESTION 288 Which of the following best describes the Organizational Normative Framework (ONF)? A. A set of application security, and best practices, catalogued and leveraged by the organization B. A container for components of an application’s security, best practices catalogued and leveraged by the organization C. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization D. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization.
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Option B is incorrect, because it refers to a specific applications security elements, meaning it is about an ANF, not the ONF. C is true, but not as complete as D, making D the better choice. C suggests that the framework contains only “some” of the components, which is why B (which describes “all” components) is better
89
QUESTION 289 Which of the following best describes the purpose and scope of ISO/IEC 27034-1? A. Describes international privacy standards for cloud computing B. Serves as a newer replacement for NIST 800-52 r4 C. Provides on overview of network and infrastructure security designed to secure cloud applications. D. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security.
Correct Answer: D Section: (none) Explanation Explanation/Reference:
90
QUESTION 290 APIs are defined as which of the following? A. A set of protocols, and tools for building software applications to access a web-based software application or tool B. A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool C. A set of standards for building software applications to access a web-based software application or tool D. A set of routines and tools for building software applications to access web-based software applications
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: All the answers are true, but B is the most complete.
91
QUESTION 291 Which of the following best describes data masking? A. A method for creating similar but inauthentic datasets used for software testing and user training. B. A method used to protect prying eyes from data such as social security numbers and credit card data. C. A method where the last few numbers in a dataset are not obscured. These are often used for authentication. D. Data masking involves stripping out all digits in a string of numbers so as to obscure the original number.
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: All of these answers are actually correct, but A is the best answer, because it is the most general, includes the others, and is therefore the optimum choice. This is a good example of the type of question that can appear on the actual exam.
92
QUESTION 292 A localized incident or disaster can be addressed in a cost-effective manner by using which of the following? A. UPS B. Generators C. Joint operating agreements D. Strict adherence to applicable regulations
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: Joint operating agreements can provide nearby relocation sites so that a disruption limited to the organization’s own facility and campus can be addressed at a different facility and campus. UPS and generators are not limited to serving needs for localized causes. Regulations do not promote cost savings and are not often the immediate concern during BC/DR activities.
93
QUESTION 293 In addition to battery backup, a UPS can offer which capability? A. Breach alert B. Confidentiality C. Communication redundancy D. Line conditioning
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: A UPS can provide line conditioning, adjusting power so that it is optimized for the devices it serves and smoothing any power fluctuations; it does not offer any of the other listed functions.
94
QUESTION 294 For performance purposes, OS monitoring should include all of the following except: A. Disk space B. Disk I/O usage C. CPU usage D. Print spooling
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: Print spooling is not a metric for system performance; all the rest are.
95
QUESTION 295 Identity and access management (IAM) is a security discipline that ensures which of the following? A. That all users are properly authorized B. That the right individual gets access to the right resources at the right time for the right reasons. C. That all users are properly authenticated D. That unauthorized users will get access to the right resources at the right time for the right reasons
Correct Answer: B Section: (none) Explanation Explanation/Reference: Explanation: Options A and C are also correct, but included in B, making B the best choice. D is incorrect, because we don’t want unauthorized users gaining access.
96
QUESTION 296 Maintenance mode requires all of these actions except: A. Remove all active production instances B. Ensure logging continues C. Initiate enhanced security controls D. Prevent new logins
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: While the other answers are all steps in moving from normal operations to maintenance mode, we do not necessarily initiate any enhanced security controls.
97
QUESTION 297 What is one of the reasons a baseline might be changed? A. Numerous change requests B. To reduce redundancy C. Natural disaster D. Power fluctuation
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: If the CMB is receiving numerous change requests to the point where the amount of requests would drop by modifying the baseline, then that is a good reason to change the baseline. None of the other reasons should involve the baseline at all.
98
QUESTION 298 In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party? A. The users of the various organizations within the federations within the federation/a CASB B. Each member organization/a trusted third party C. Each member organization/each member organization D. A contracted third party/the various member organizations of the federation
Correct Answer: D Section: (none) Explanation Explanation/Reference: Explanation: In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust. This makes the third party the identifier (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are the relying parties (the resource providers that share resources based on approval from the third party).
99
QUESTION 299 Database activity monitoring (DAM) can be: A. Host-based or network-based B. Server-based or client-based C. Used in the place of encryption D. Used in place of data masking
Correct Answer: A Section: (none) Explanation Explanation/Reference: Explanation: We don’t use DAM in place of encryption or masking; DAM augments these options without replacing them. We don’t usually think of the database interaction as client-server, so A is the best answer.
100
QUESTION 300 The BC/DR kit should include all of the following except: A. Annotated asset inventory B. Flashlight C. Hard drives D. Documentation equipment
Correct Answer: C Section: (none) Explanation Explanation/Reference: Explanation: While hard drives may be useful in the kit (for instance, if they store BC/DR data such as inventory lists, baselines, and patches), they are not necessarily required. All the other items should be included.

CCSP-GratisEaxm (4 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions