Sample Exam Questions Flashcards

Question 1

Q

The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on __________.

A. Number of transactions per year
B. Dollar value of transactions per year
C. Geographic location
D. Jurisdiction

Answer

A

A: Number of transactions per year

The four merchant levels in PCI are distinguished by the number of transactions that merchant conducts in a year.

Question 2

Q

For business continuity and disaster recovery (BCDR) purposes, the contract between cloud provider and customer should include all of the following EXCEPT __________.

A. Which party will be responsible for initiating a BCDR response activity
B. How a BCDR response will be initiated
C. How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service
D. How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event

Answer

A

D: How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event.

The contract between cloud customer and current cloud provider has no bearing on what the customer will have to pay a new provider.

Question 3

Q

Which of the following is NOT a factor an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment?

A. Pooled resources in the cloud
B. Shifting from CapEx to OpEx to support IT expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected

Answer

A

D: Branding associated with which cloud provider might be selected

Brand value is not part of standard cost-benefit analysis.

Question 4

Q

Which of the following is an aspect of IT costs that should be reduced by moving to the cloud?

A. Personnel training
B. Personnel turnover
C. Loss due to depreciation of IT assets
D. Loss due to an internal data breach

Answer

A

C: Loss due to depreciation of IT assets

Constant reinvestment in IT assets (which are almost always obsolete by the time they’re marketed, much less by the time they’re deployed in operational environments) is plagued with losses due to depreciation the systems never retain the value of their initial price. Moving to cloud reduces this cost considerably.

Question 5

Q

Why might an organization choose to comply with NIST SP 800-series standards?

A. Price
B. Ease of implementation
C. International acceptance
D. Speed

Answer

A

A: Price

The NIST standards are not particularly easy or fast to implement (in fact, they require continual improvement), and they are not recognized or mandated outside of the US government federal sector.

Question 6

Q

Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?

A. ISO 27002
B. Payment Card Industry Data Security Standard (PCI DSS)
C. NIST SP 800-37
D. Health Insurance Portability and Accountability Act (HIPAA)

Answer

A

A: ISO 27002

ISO 27002 is used for choosing security controls in order to comply with the ISMS, which is contained in ISO 27001.

Question 7

Q

The Statement on Auditing Standards (SAS) 70, published by the American Institute of Certified Public Accountants (AICPA), was, for a long time, the definitive audit standard for data center customers. It was replaced in 2011 by the __________.

A. SABSA
B. SSAE 16
C. Biba
D. NIST SP 800-53

Answer

A

B: SSAE 16

SSAE 16 replaced SAS 70 as the preferred audit standard for data center customers in 2011; it is scheduled to be replaced by the end of 2018, by SSAE 18.

Question 8

Q

Which US federal law instigated the change from SAS 70 audit standard to SSAE 16?

A. NIST 800-53
B. HIPAA
C. Sarbanes-Oxley Act (SOX)
D. Gramm-Leach-Bliley Act (GLBA)

Answer

A

C: Sarbanes-Oxley Act (SOX)

This question is a bit more oblique than some of the others and requires the candidate to have some depth of understanding of laws, regulations, and standards. SOX was the congressional response to several high-profile scandals involving publicly traded corporations involved in nefarious activities, in collusion with or not truly addressed by the auditors who should have reported this behavior. As a result of SOX, the American Institute of Certified Public Accountants changed from SAS 70 standard to SSAE 16.

Question 9

Q

The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you MOST like to see?

A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

Answer

A

C: SOC 2, Type 2

The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.

Question 10

Q

The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). You are an IT security professional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 16 audits and some haven’t, which SOC report might be the best to use for your initial review of several different cloud providers, in order to narrow down the field of potential services in a fast, easy way?

A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

Answer

A

D: SOC 3

The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.

Question 11

Q

The Payment Card Industry Data Security Standard (PCI DSS) merchant levels are based on __________.

A. Dollar value of transactions over the course of a year
B. Number of transactions over the course of a year
C. Location of the merchant or processor
D. Dollar value and number of transactions over the course of a year

Answer

A

B: Number of transactions over the course of a year

Question 12

Q

Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party?

A. 1
B. 3
C. 5
D. 7

Question 13

Q

What distinguishes the FIPS 140-2 security levels for cryptographic modules?

A. The level of sensitivity of data they can be used to protect
B. The amount of physical protection provided by the product, in terms of tamper resistance
C. The size of the IT environment the product can be used to protect
D. The geographic locations in which the product is permitted to be used

Answer

A

B: The amount of physical protection provided by the product, in terms of tamper resistance

The security levels acknowledge different levels of physical protection offered by a crypto module, with 1 offering crypto functionality and no real physical protection and 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts.

Question 14

Q

For the US government agencies, what level of data sensitivity / classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria?

A. Controlled Unclassified Information (CUI)
B. Secret
C. Top Secret
D. Sensitive Compartmentalized Information (SCI)

Answer

A

A: Controlled Unclassified Information (CUI)

FIPS 140-2 is only for sensitive but unclassified (SBU) data such as CUI.

Question 15

Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “insecure direct object references.” Which of these is a method to counter the risks of insecure direct object references?

A. Performing user security training
B. Check access each time a direct object reference is called by an untrusted source.
C. Install high-luminosity interior lighting throughout the facility.
D. Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity.

Answer

A

B: Check access each time a direct object reference is called by an untrusted source.

Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object.

Question 16

Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “missing function level access control.” Which of these is a technique to reduce the potential for a missing function level access control?

A. Run a process as both user and privileged user, and determine similarity.
B. Run automated monitoring and audit scripts.
C. Include browser buttons / navigation elements to secure functions.
D. Enhance user training to include personnel.

Answer

A

A: Run a process as both user and privileged user, and determine similarity.

The above method will help you to determine if there are any functions that regular users should not have access to and thereby demonstrate that you are missing necessary controls.

Question 17

Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?

A. HTML escape all HTML attributes.
B. Train users to recognize unvalidated links.
C. Block all inbound resource requests.
D. Implement audit logging.

Answer

A

B: Train users to recognize unvalidated links.

Oddly enough, this may be a good topic to explain during user training; when an attacker is trying to conduct an attack by exploiting unvalidated redirects and forwards, it is often in conjunction with a social engineering / phishing attack.

Question 18

Q

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?

A. Don’t use redirects / forwards in your applications.
B. Refrain from storing credentials long term.
C. Implement security incident / event monitoring (security information and event management (SIEM) / security information management (SIM) / security event management (SEM) solutions.
D. Implement digital rights management (DRM) solutions.

Answer

A

A: Don’t use redirects / forwards in your applications.

Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid this problem altogether, and, redirects / forwards are not necessary for efficient use.

Question 19

Q

You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether your current applications in the on-premises environment will function properly with the providers’s hosted systems and tools. This is a(n) __________ issue.

A. Interoperability
B. Portability
C. Availability
D. Security

Answer

A

A: Interoperability

This is the definition of cloud migration interoperability challenges.

Question 20

Q

You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether the provider will have undue control over your data once it is within the provider’s data center; will the provider be able to hold your organization hostage because they have your data? This is a(n) __________ issue.

A. Interoperability
B. Portability
C. Availability
D. Security

Answer

A

B: Portability

This is the definition of cloud migration portability: the measure of how difficult is might be to move the organization’s systems / data from a given cloud host to another cloud host.

Question 21

Q

Privileged user account access should be _________.

A. Temporary
B. Pervasive
C. Thorough
D. Granular

Answer

A

A: Temporary

Privileged users should only have privileged access to specific systems / data for the duration necessary to perform their administrative function; any longer incurs more risk than value.

Question 22

Q

The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all of the following data breach notification requirements EXCEPT __________.

A. Multiple state laws
B. Contractual notification requirements
C. All standards-based notification schemes
D. Any applicable federal regulations

Answer

A

C: All standards-based notification schemes

Question 23

Q

The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is NOT an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider?

A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment

B. Reviewing all contractual elements to appropriately define each party’s roles, responsibilities, and requirements

C. Assessing the provider’s financial standing and soundness

D. Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as legacy environment

Answer

A

D: Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as legacy environment

The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control.

Question 24

Q

The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they’ve selected goes out of business. What do we call this problem?

A. Vendor lock-in
B. Vendor lock-out
C. Vendor incapacity
D. Unscaled

Answer

A

B: Vendor lock-out

This is the definition of vendor lock-out.

Vendor lock-in is when data portability is limited, either through unfavorable contact language or technical limitations.

Vendor incapacity and unscaled are not meaningful terms and are used as distractors.

Question 25

Q

When should cloud providers allow PaaS customers shell access to the servers running their instances?

A. Never
B. Weekly
C. Only when the contract stipulates that requirement
D. Always

Answer

A

A: Never

According to (ISC)2 CCSP Training Guide (page 60), PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multi-tenant environment.

Question 26

Q

In PaaS environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on __________.

A. International standards
B. Federal regulations
C. Organizational policies
D. Federation directives

Answer

A

C: Organizational policies

Organizational policies dictate rules for access entitlement.

Question 27

Q

The cloud computing characteristic of elasticity promotes which aspect of the CIA triad?

A. Confidentiality
B. Integrity
C. Availability
D. None

Answer

A

D: None

Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit.

Question 28

Q

Your organization has migrated into a PaaS configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notification in accordance with all applicable laws?

A. The network admin responsible
B. The cloud provider
C. The regulators overseeing your deployment
D. Your organization

Answer

A

D: Your organization

The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider may be liable for financial costs… but those damages can only be recovered long after the notifications have been made by the cloud customer.

Question 29

Q

In performing vendor management and selection, one of the questions you, as the potential cloud customer, might ask is, “Does it seem as if this vendor is subject to any pending acquisitions or mergers?” In gather data to answer this question, what are you trying to avoid?

A. Vendor lockout
B. Due care
C. Third-party dependencies
D. Regulatory oversight

Answer

A

A: Vendor lockout

Vendor lockout can occur when your provider no longer offers the service for which you contracted; it is possible that a merger or acquisition of your provider might lead to that circumstance.

Question 30

Q

The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements.

The different merchant tier requirements will dictate __________.

A. Different types of audits each must conduct
B. Different amount of audits each must conduct
C. Different control sets based on tier level
D. Different cost of controls based on tier level

Answer

A

B: Different amount of audits each must conduct

Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.

Question 31

Q

The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements.

Approximately how many controls are listed in the PCI DSS?

A. Around a dozen
B. About 20
C. About 100
D. Over 200

Answer

A

D: Over 200

Question 32

Q

Which US federal government entity was the regulator for the American Safe Harbor program and is now in charge of administering the Privacy Shield program?

A. State Department
B. Privacy Protection Office
C. Federal Trade Commission
D. Department of Health and Human Services

Answer

A

C: Federal Trade Commission

Question 33

Q

Using cloud storage is considered __________ under most privacy frameworks and laws.

A. Illegal
B. Data collection
C. Opt-in
D. Processing

Answer

A

D: Processing

Processing includes any manipulation, use, movement, or alteration of data – i.e. pretty much anything that can be done with or to data is “processing” (including making and manipulating hard-copy versions of data).

Question 34

Q

The Safe Harbor program, while no longer used, allowed US companies to collect and process privacy information about EU citizens. The program was included in which law?

A. FISMA
B. The EU Data Directive
C. HIPAA
D. Sarbanes-Oxley Act

Answer

A

B: The EU Data Directive

Question 35

Q

Which of the following should NOT be true about any tests performed during forensic analysis?

A. tests should be repeatable by opposing attorneys
B. tests should be standard to the forensics industry
C. tests should be performed by trained, certified professionals
D. tests should be tailored and customized for specific purposes

Answer

A

D: tests should be tailored and customized for specific purposes

Question 36

Q

The Reporting phase of forensic investigation usually involves presenting findings to __________.

A. Senior management
B. Regulators
C. The court
D. Stakeholders

Answer

A

C: The court

Question 37

Q

You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrong-doing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection / analysis.

What should probably be your response?

A. Yes. You want it because it gives you the most granular and comprehensive view of the pertinent data.

B. Yes. You want to be able to inspect it before law enforcement has the opportunity to review it.

C. No. You don’t want the liability of possibly disclosing someone else’s privacy data

D. No. You don’t want the liability of possibly damaging someone else’s property

Answer

A

C: No. You don’t want the liability of possibly disclosing someone else’s privacy data.

In a mult-tenant environment, it is quite likely that any particular piece of hardware will contain data from many customers. In this case, your company may become liable for violating privacy laws for accessing privacy data belonging to another cloud customer, which would increase your company’s exposure (something that could be disastrous because the company is already under investigation).

Question 38

Q

__________ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control.

A. Due care
B. Due diligence
C. Liability
D. Reciprocity

Answer

A

B: Due diligence

Due care is about understanding and implementing common best practices (e.g. policies and standards); due diligence is the work of ensuring that these best practices are working as designed and are suited to your business. By looking to ensure that “protection is applied” – i.e. that best practices are working as designed – this is an example of due diligence.

Liability is the measure of responsibility an entity has for providing due care; option C is incorrect.

Answer D has no meaning in this context and is a distractor.

Question 39

Q

You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purpose, this make the data __________.

A. Inadmissible
B. Less believable, if the changes aren’t documented
C. Harder to control
D. Easily refutable

Answer

A

B: Less believable, if the changes aren’t documented

All forensics processes and activity should be documented with extreme scrutiny. It is very important for your actions to be documented and repeatable in order for them to remain credible.

Evidence is only inadmissible if it has no probative value; that is, if it has no bearing on the case. Modified data is still admissible, as long as the modification process was documented and presented along with the evidence.

Question 40

Q

In some jurisdictions, it is mandatory that personnel conducting forensic analysis collection or analysis have a proper __________.

A. Training credential
B. License
C. Background check
D. Approved toolset

Answer

A

B: License

There are certain jurisdictions where forensic data / IT analysis requires licensure (the stats of Texas and Michigan, for example); it is important for you to determine whether this is the case in your jurisdiction before proceeding with any forensic efforts.

Question 41

Q

When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize ___________.

A. Electronic data
B. Hardware
C. Electronic data and the hardware on which it resides
D. Only data extracted from hardware

Answer

A

C: Electronic data and the hardware on which it resides

Courts can issue seizure orders for anything and everything – i.e. favor the answer with the most expansive authority.

A and B are too limited; D is absurd.

Question 42

Q

Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case.

Which security control mechanism may also be useful in the e-discovery effort?

A. Trained and aware personnel
B. An egress monitoring solution (DLP)
C. A digital rights management (DRM) solution
D. A multifactor authentication implementation

Answer

A

B: An egress monitoring solution (DLP)

Typically, a discovery tool is a primary component of a DLP solution. All other options describe important facets of an overall organizational security program but are not especially helpful in e-discovery efforts.

Question 43

Q

You are the security manager for a software company that uses PaaS in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company.

If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with __________ as well as the lawsuit.

A. Spoliation
B. Fraud
C. Jurisdiction
D. Recompositing

Answer

A

A: Spoliation

“Spoliation” is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the ground for another lawsuit.

Question 44

Q

You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month.

Which law is applicable in this instance?

A. Belgian law
B. The General Data Protection Act
C. NIST SP 800-53
D. The Federal Information Systems Management Act

Answer

A

B: The General Data Protection Act

Question 45

Q

You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft.

The prosecutor can use the material you delivered because of __________.

A. The doctrine of plain view
B. The silver platter doctrine
C. The General Data Protection Act
D. The Federal Information System Management Act

Answer

A

B: The silver platter doctrine

The “silver platter doctrine” allows law enforcement to act on probable cause when evidence of a crime is within their presence; option A is incorrect.

Question 46

Q

You are the security manager for a retail sales company that uses a SaaS public cloud service. One of your employees uploads sensitive information they were NOT authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefitting the administrator and causing harm to your organization.

After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$ 125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation.

If the jury determines that 25 percent of the evidence shows that the situation was your organization’s fault and 75 percent of the evidence shows that the situation was the cloud provider’s fault, what is the likely outcome?

A. Your organization owes the cloud provider $31,250
B. The cloud provider owes your organization $93,750
C. Neither side owes the other party anything
D. The cloud provider owes your organization $125,000

Answer

A

D: The cloud provider owes your organization $125,000

Except in jurisdictions where contributory negligence is a factor in the proceedings, civil courts use a standard of “preponderance of evidence,” so the entity that has a simple majority of fault (51 percent or more) is responsible for the full weight of the breach.

Question 47

Q

What was the first international privacy standard specifically for cloud providers?

A. NIST SP 800-37
B. PIPEDA
C. PCI
D. ISO 27018

Answer

A

D: ISO 27018

ISO 27018 breaks down privacy requirements for cloud providers, including an annual audit mandate.

Question 48

Q

Who should perform the gap analysis following an audit?

A. The security office
B. The auditor
C. A department other than the audit target
D. An external audit body, other than the original auditor

Answer

A

C: A department other than the audit target

Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, where the personnel in the target department may be constrained by habit and tradition.

Question 49

Q

You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the CSA STAR program, the Uptime Institute’s Tier certification motif, and __________.

A. NIST Risk Management Framework (SP 800-37)
B. FedRAMP
C. ISO 27034
D. EuroCloud Star Audit program

Answer

A

D: EuroCloud Star Audit program

The ECSA is designed as a cloud service certification motif for organizations located in Europe.

NIST (which also administers FedRAMP) is designed specifically for federal agencies in the United States and is not applicable to European providers.

ISO 27034 deals with an organization’s use of security controls for software; while this may be pertinent to your organization, it is not a comprehensive view of cloud services and is not as beneficial or equivalent to the CSA STAR or Uptime Institute certification.

Question 50

Q

An audit against the __________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements.

A. SAS 70 standard
B. SSAE 16 standard
C. ISO 27002 certification criteria
D. NIST SP 800-53

Answer

A

C: ISO 27002 certification criteria

The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001.

The SAS 70 and SSAE 16 are audit standards for service providers and include review of some security controls but does not constitute a cohesive program review – and, the SAS 70 is outdated.

NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37.

Question 51

Q

You’re a sophomore at a small, private, medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?

A. Sarbanes-Oxley Act (SOX)
B. Health Information Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Educational Rights and Privacy Act (FERPA)

Answer

A

A: Sarbanes-Oxley Act (SOX)

Question 52

Q

In the United States, who manages the Safe Harbor / Privacy Shield program for voluntary compliance with EU data privacy laws?

A. Department of State
B. Department of Interior
C. Department of Trade
D. Department of Commerce

Answer

A

D: Department of Commerce

Question 53

Q

Which of the following countries does NOT have a federal privacy law that complies with the EU Data Directive/Privacy Regulations?

A. Argentina
B. Israel
C. Australia
D. Brazil

Answer

A

D: Brazil

Question 54

Q

Which of the following is NOT a way in which an entity located outside the EU can be allowed to gather / process privacy data belonging to EU citizens?

A. Be located in a country with a nationwide law that complies with the EU laws

B. Appeal to the EU High Court for permission

C. Create binding contractual language that complies with the EU laws

D. Join the Safe Harbor / Privacy Shield program in its own country

Answer

A

B: Appeal to the EU High Court for permission

The EU Data Directive and General Privacy Regulation prohibit entities within a country that has no nationwide privacy law from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met:

Their own country has nationwide laws that comply with the EU laws.

The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data.

The entity voluntarily subscribes to its own nation’s Safe Harbor / Privacy Shield program.

There is no process for the entity to appeal to the EU for permission to do so, however.

Question 55

Q

The Organization for Economic Cooperation and Development (OECD) is a multinational entity that creates non-binding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the __________.

A. Transient data principle
B. Security safeguards principle
C. Longtrack resiliency principle
D. Arbitrary insulation principle

Answer

A

B: Security safeguards principle

The principles are:

Collection limitation principle
Data quality principle
Use limitation principle
Security safeguards principle
Openness principle
Individual participation principle
Accountability principle

Question 56

Q

Which one of the following technologies allows you to utilize your existing TCP / IP network to manage data storage elements using IP traffic?

A. Internet Small Computer System Interface (iSCSI)
B. Fibre Channel
C. Fibre Channel over Ethernet (FCoE)
D. Storage area networks (SAN)

Answer

A

A: Internet Small Computer System Interface (iSCSI)

Question 57

Q

The current American Institute of Certified Public Accountants (APICA) standard was created in reaction to what US federal law?

A. Gramm-Leach-Bliley Act (GLBA)
B. Sarbanes-Oxley Act (SOX)
C. Family Education Rights and Privacy Act (FERPA)
D. Payment Card Industry Data Security Standards (PCI DSS)

Answer

A

B: Sarbanes-Oxley Act (SOX)

SSAE 16 was created by the APICA in direct response to new guidance in SOX.

Question 58

Q

What is the PRIMARY incident response goal?

A. Remediating the incident
B. Reverting to the last known good state
C. Determining the scope of the possible loss
D. Outcomes dictated by business requirements

Answer

A

D: Outcomes dictated by business requirements

Not an easy question: Different industries and different organizations will have different goals. Each organization will determine for itself what the primary goal of incident response will be, and this might differ from incident to incident, depending on the nature of the incident itself.

Question 59

Q

You are in charge of building a cloud data center. Which raised floor level is sufficient to meet standard requirements?

A. 10 inches
B. 8 inches
C. 18 inches
D. 2 feet

Answer

A

D: 2 feet

Question 60

Q

An event is something that can be measured within the environment. An incident is a(n) __________ event.

A. Deleterious
B. Negative
C. Unscheduled
D. Major

Answer

A

C: Unscheduled

All activity in the environment can be considered events. Any event that was not planned or known is an incident.

Question 61

Q

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes.

Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which of the following functionalities will you consider absolutely essential?

A. DDoS protections
B. Constant data mirroring
C. Encryption
D. Hashing

Answer

A

C: Encryption

If your company is involved in e-commerce, it is almost impossible that you are not using credit cards for online transactions; ergo, PCI DSS applies and encryption or tokenization will be required.

Question 62

Q

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes.

Your company has decided to expand its business to include selling and monitoring life-support equipment for medical providers. What characteristic do you need to ensure is offered by your cloud provider?

A. Full automation of security controls within the cloud data center
B. Tier 4 of the Uptime Institute certifications
C. Global remote access
D. Prevention of ransomware infections

Answer

A

B: Tier 4 of the Uptime Institute certifications

The changing nature of your business will require a much more stringent set of operating standards, to include an increase in Uptime Institute Tier levels; because you’re no longer just using the cloud for backup and long-term storage and are now using it in direct support of health and human safety, Tier 4 is required.

Question 63

Q

When designing a cloud data center, which of the following aspects is NOT necessary to ensure continuity of operations?

A. Access to clean water
B. Broadband data connection
C. Extended battery backup
D. Physical access to the data center

Answer

A

C: Extended battery backup

Backup powers does not have to be delivered by batteries; it can be fed to the data center through redundant utility lines or from a generator.

Question 64

Q

You are the security manager for a small surgical center. Your organization is reviewing upgrade options for its current, on-premises data center. In order to best meet your needs, which one of the following options would you recommend to senior management?

A. Building a completely new data center
B. Leasing a data center that is currently owned by another firm
C. Renting private cloud space in a Tier 2 data center
D. Staying with the current data center

Answer

A

A: Building a completely new data center

This answer is arrived at through a process of elimination:

B is not optimal because of potential for vendor lock-in, restrictions on buildout, and privacy concerns.

C is not optimal because Tier 2 is not sufficient for medical use.

D is not optimal because there must be a reason to consider a new option.

Answer 64

A

D: Municipal codes

In any large metropolitan area, government restrictions on development and construction can severely limit how you use your property; this can be a significant limiting factor in building a data center.

Answer 65

A

D: Tight gaskets

When cables come up through a raised floor that is being used as a cold air feed, we don’t want cold air bleeding around the cables in an unplanned manner; this can cause inefficiencies in air flow control. Gaskets are required at all points where cable comes through the floor, to restrict air flow and reduce the possibility of cold air escaping.

Answer 66

A

C: Either hot aisle or cold aisle

Answer 67

A

A: Redundancy

Virtual switches are widely used in virtualized networks. Unlike physical switches, which only lose one connection if a connecting cable is lost, virtual switches can be connected to multiple VMs via a single cable; if a cable is lost in a virtualized network, that can affect tens or dozens of devices.

Answer 68

A

A: Using distinct ports and port groups for various VLANs on a virtual switch rather than running them through the same port

It’s possible to route multiple VLANs through a switch port (physical or virtual) with proper frame tagging. However, to optimize isolation of subnets and processes in a virtual network environment, it is better to use different ports instead.

Answer 69

A

D: Loss of data to law enforcement seizure of neighboring assets

Answer 70

A

A: The risk of transferring data from one customer to another is significant

Secure KVMs support drastically isolated operations; they cut down on the possibility of data being inadvertently shared from one customer to another.

Answer 71

A

A: Terminate a connection before creating a new connection

Referred to as “break before make,” these devices often take the form of manual push-button controls; as the button is pushed, the current connection is forced to physically separate, and when the button is fully engaged, the new connection is made.

Answer 72

A

D: Customer production activities

The production activities will make full use of pooled resources, so they will not be isolated (unless the customer is paying for that specific characteristic of service).

Answer 73

A

B: X.509 certificates

TLS uses X.509 certificates to establish a connection and create a symmetric key that lasts for only one session.

Answer 74

A

B: It can harm the environment

Halon does pose a threat to health and human safety; but, it was outlawed because, as a CFC (chlorofluorocarbon), it depletes ozone – i.e. harms the environment.

Answer 75

A

C: Electricity

Answer 76

A

C: Sufficient redundancy

Because updating the virtualization toolset may require server downtime, it is essential to have a sufficient amount of redundant machines to roll out the update over the environment without significant disruption of operations.

Answer 77

A

C: Vendor guidance

Toolset vendors will specify secure configurations of their products; these must be followed in order to fulfill due care requirements.

Answer 78

A

A: Capturing and storing an image of the baseline

An image of the baseline should be stored securely, preferably in more than one location. It is essential to have a copy on hand for reconstructing the environment during contingency operations, and it is also useful for audit / review purposes.

Answer 79

A

D: The performance and capacity in each node

In a loosely coupled storage cluster, each node acts as an independent data store that can be added or removed from the cluster without affecting other nodes. This, however, means that the overall cluster’s performance / capacity depends on each node’s own maximum performance / capacity.

Answer 80

A

B: Luring attackers

It is very important to distinguish the purpose of the honeypot: It is NOT for luring in attackers; a lure is an invitation and inviting an attack decreases the organizations ability to have the attacker prosecuted or conduct successful litigation against the attacker.

Answer 81

A

D: Detection systems

The honeypot is used to gather information about the attacker, the attacker’s tools, and the attacker’s techniques.

Answer 82

A

B: Put the patch through the formal change management process

In many cases, patches are released to deal with an imminent vulnerability / risk. Some organizations will give blanket pre-approval for applying these patches and having the formal change management process approve the patch after the fact.

Answer 83

A

C: VMs located physically in one location but operating in a different time zone

If patches are rolled out across an environment where users are operating VMs at different times, there is a possibility that VMs will not be patched uniformly, which could lead to data disruption.

Answer 84

A

C: It is more comprehensive

Synthetic agents can simulate user activity in a much faster, much broader, manner than real users; and, the agents perform these actions 24/7 without rest.

Synthetic or directed monitoring is a method to monitor your applications by simulating users – directing the path taken through the application.

Answer 85

A

B: Sufficient logging to reconstruct a narrative of events at some later date

Logging should suffice for the purpose of reconstructing the pertinent information (who, what, where, when, etc.) necessary to form a narrative of what transpired.

Answer 86

A

C: Clock

The clock needs to be synched throughout the environment so that all activity can be contextualize and mapped and the true narrative of events can be reconstructed later.

Answer 87

A

B: Qualitative

Qualitative risk assessments are preferable in situations where the organization has personnel who understand the IT environment but might not have a lot of experience with risk functions and where the organization does not have a great deal of time or money to spend on the project.

Answer 88

A

B: Historical data

While previous activity is not a great predictor of future outcomes (especially in the field of IT security), it is the best that we have.

Answer 89

A

D: The amount of product the plant creates

Answer 90

A

D: Certification

Certification and accreditation is a two-step process for security management / risk management of systems:

Step 1, Certification is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system; this process ensures that security threats are identified and plans for mitigation are in place.

Step 2, Accreditation is the process of accepting the residual risks associated with the continued operation of a system (net mitigation actions taken) and granting approval to operate the system for a specified period of time.

Answer 91

A

D: A shared secret

In symmetric encryption, a single key is used to both encrypt and decrypt a message – this is often referred to as a shared secret.

Answer 92

A

D: Forklifting

Answer 93

A

D: Security

Performance and security both need to be reviewed for adequacy.

Answer 94

A

D: Disposal

Answer 95

A

C: Encryption for data at rest and in motion

Legacy apps won’t usually require encryption in all phases of the data life cycle because data is protected in several stages in the legacy environment without the need for additional controls.

Answer 96

A

D: Combination of open source and proprietary

Obviously, using multiple forms of code review will produce more secure results than any one form of review, in the same way that having multiple forms of security controls will provide better security than just one type.

Answer 97

A

C: Data owners

The data owner is responsible for the disposition of the data under their control; this includes access decisions.

Answer 98

A

C: 7

A WAF is a layer 7 tool.

Answer 99

A

C: 7

A DAM is a layer 7 tool.

Answer 100

A

C: XML gateway

The XML gateway can provide this functionality; it acts as a reverse proxy and can perform content inspection on many traffic protocols.

Answer 101

A

C: Privacy, integrity

TLS provides authentication, encryption, and integrity:

Authentication allows each party to verify that the other party is who they claim to be.

Data is encrypted while being transmitted between the user agent and the server, in order to prevent it from being read and interpreted by unauthorized parties.

TLS ensures that between encrypting, transmitting, and decrypting the data, no information is lost, damaged, tampered with, or falsified.

Answer 102

A

B: A runtime state

DAST is preformed as the application is running – i.e. “a runtime state.”

Answer 103

A

A: Session initiation testing

While session management testing is included in the OWASP guide to active software security testing, session initiation is not.

Answer 104

A

B: The prevalent use of encryption in all data life cycle phases

Because cloud operations are so dependent on encryption protections in all data life cycle phases, developers will have to accommodate the additional overhead and interoperability encryption requires.

Answer 105

A

B: Masking

Masking allows customer service representatives to review clients’ sales and account information without revealing the entirety of those records.

Answer 106

A

A: Vulnerability assessments and penetration testing

Once a system is deployed operationally, continuous security monitoring, including periodic vulnerability assessments and penetration testing, is recommended.

Answer 107

A

D: Is an unnecessary expense

From a simple financial perspective, money spent on excessive anything is money wasted.

Answer 108

A

A: Gather more data about how users are utilizing the APIs and for what purposes.

Before taking any action that might impact operations, it would probably be best to figure out the actual user needs being met by the unapproved APIs and the severity of impact if they were removed from service.

Answer 109

A

B: Use additional antimalware detection capabilities on both user devices and the environment to which they connect

Because untrusted APIs may not be secured sufficiently, increased vigilance for the possibility of introducing malware into the production environment is essential.

Answer 110

A

A: Regular and widespread integrity checks on sampled data throughout the managed environment

In order to detect possible erroneous or malicious modification of the organization’s data by unauthorized or security-deficient APIs, it’s important to take representative samples of the production data on a continual basis and perform integrity checks.

Answer 111

A

C: Employ additional user training

Additional user training would be helpful in this situation particularly any information that helps users understand the reason APIs from unknown sources might be less secure and the potential impacts from using them.

Answer 112

A

A: Regulation

Answer 113

A

C: HTTP

WAFs apply rulesets to web traffic, which uses HTTP.

Answer 114

A

C: TtLp

This answer requires some thought about how the original data is displayed and its properties.

A, masks only one letter in a four-letter string.

B, like A, is too easy to break; it only reverses the content of the string

D, mixes numeric characters into what was originally only an alphabetic string

C, completely obscures the original content but retains the qualities of the original (all alpha). It may affect the use of the string by mixing uppercase and lowercase, but this is still the best choice of the four possible answers.

Answer 115

A

D: Malware analysis

Installing malware on systems owned by someone else may be illegal in many jurisdictions.

Answer 116

A

C: Application-level encryption

In application-level encryption, the application will encrypt data before it is placed in the database.

Answer 117

A

C: Save backup of second resulting keys

In crypto-shedding, the purpose is to make the data unrecoverable; saving a backup of the keys would attenuate that outcome because the keys would still exist for the purpose of recovering data.

Answer 118

A

A: With the cloud provider

Option A creates a conflict of interest and does not enforce separation of duties.

Answer 119

A

C: Erasure coding

Erasure coding is the practice of having sufficient data to replace a lost chunk in data dispersion, protecting against the possibility of a device failing while it holds a given chuck; parity bits serve the same purpose in the legacy RAID configuration.

Answer 120

A

D: Protecting against loss due to user error

Data dispersion can’t really aid in inadvertent loss caused by an errant user; if the user accidentally deletes / corrupts a file, that file will be deleted / corrupted across all the storage spaces where it is dispersed.

Answer 121

A

A: Automatic expiration

Automatic expiration is the trait that allows DRM tools to prevent access to objects when a license expires or to remove protections when intellectual property moves into the public domain.

Answer 122

A

D: It’s not actually a cycle

This is not truly a cycle because data does not continue after the Destroy phase – i.e. the same data or process does not go back to Create after Destroy.

Answer 123

A

D: Object storage

Object storage stores data as objects – often arranged in an hierarchical structure.

Answer 124

A

A: Volume storage

In volume storage, the user is assigned a logical drive space into which anything (such as raw data, objects, or applications) may be saved or installed, similar to a mounted drive on a legacy network.

Answer 125

A

C: Parity bits

Similar to parity bits in RAID, erasure coding is used in cloud data dispersion implementations to create a situation where data can still be recovered even if a segment or portion of the dispersed data is lost.

Answer 126

A

A: Getting signed user agreements from all users

This is a tricky question. In the cloud environment, we know that all users will be entering the environment through remote access; in may cases, this will include the user of their personal devices. In order for DLP solutions to function properly, all devices accessing the production environment must have local DLP agents installed, and, that requires signed user agreements.

Answer 127

A

D: Data of relief

Answer 128

A

B: Disgruntled users

An authorized user will still be able to access and decrypt the data for which they’ve been granted permissions, so encryption will not offer any protections for that threat.

Answer 129

A

D: Transport Layer Security (TLS)

TLS is encryption used in a communication session, not a storage volume.

Answer 130

A

B: Secure Sockets Layer (SSL)

SSL is encryption used in a communication session, not a storage volume.

Answer 131

A

D: Anywhere but with the cloud provider

Best practice is to not keep the encryption keys alongside the data they’ve been used to encrypt.

Answer 132

A

A: Detecting ambient heating / ventilation / air conditioning (HVAC) problems

Event monitoring tools can detect repeated performance issues, which can be indicative of improper temperature settings in the data center; also, some system monitoring metrics, such as CPU temperature, can directly indicate inadequate HVAC performance.

Answer 133

A

C: Deletion

While deletion is a very good way to avoid the possibility of inadvertently disclosing production data in a test environment, it also eliminates the usefulness of the data set as a plausible approximation of the production environment, greatly reducing the quality of the testing.

Answer 134

A

B: Real-time analytics

Real-time analytics allows for reactive and predictive operations (such as recommending other, related, products) based on a customer’s current and past shopping behavior.

Answer 135

A

D: Agile analytics / business intelligence

The Agile approach to data analysis offers greater insight and capabilities than previous generations of analytical technologies.

Answer 136

A

B: Flawed management decisions based on massaged displays

Because dashboards are often used for management purposes, management pressures often result in skewed data dash-boarding (‘no red!’), which can lead to the “data” being used for fallacious decisions.

Answer 137

A

D: Whatever the data owner decides

This is a difficult, and somewhat tricky, question. Each organization has to decide for itself how to classify / categorize its own data. With that said, there will be many factors that bear on this determination: external regulations and drivers, the type of industry in which the organization operates, and so forth. But the kinds of data that the organization uses and how that data is sorted will differ for every organization, and each must make its own determination with regards to how to best sort that data.

Answer 138

A

B: Labeling

This is another difficult question. Classification / categorization of data is an element of labeling, in so far as labeling is the grouping of data into discrete categories and types.

Answer 139

A

B: Virtualization

Data transforming from raw objects to virtualized instances to snapshotted images back into virtualized instances and then back out to users in the form of raw data may affect organization’s current classification methodology; classification techniques and tools that were suitable for the legacy environment might not withstand the standard cloud environment.

Answer 140

A

B: The United States

The EU regulations associated with PII belonging to EU citizens prohibit utilization of that data in any way in any country that does not have a national privacy law commensurate with the EU regulations. Of this list, only the United States has no such law.

Answer 141

A

D: Digital Millennium Copyright Act (DMCA)

The DMCA deals with intellectual property and not specifically with personal privacy.

Answer 142

A

A: A trusted device

DRM solutions are mainly designed to protect intellectual property assets (and mainly those covered by copyright, hence the name), but they can also be used to provide enhanced protection to other electronic information.

Answer 143

A

D: Business drivers

The CSA CCM does not deal with whether security controls are feasible or correct from a business decision, only whether they are applicable to an organization under certain regulations.

Answer 144

A

B: An access policy

For DRM to work properly, each resource needs to be outfitted with an access policy so only authorized entities may make use of that resource.

Answer 145

A

C: Automatic expiration

The question describes automatic expiration, one of the required traits for a DRM solution of any quality.

All the other answers are traits that should be included in DRM solutions but do not match the definition in the questions, so they are incorrect.

Answer 146

A

A: The data on which the policy will expire

Not all policies are temporary or have expected durations; usually, policy is an enduring piece of governance that will continue until such time as it is revoked.

Answer 147

A

D: The cloud is often a multitenant environment

Secure sanitization would affect storage resources where more than one customer stores their data; truly secure destructive measures would likely result in destroying data belonging to someone else.

Answer 148

A

D: Depends on the contract

Many cloud providers will offer archiving services as a features of the basic cloud service; realistically, most providers are already performing this function to avoid inadvertent loss of customer data, so marketing it is a logical step.

Answer 149

A

B: Good cryptographic key management

This is a difficult question that requires a great deal of thought. Option B is correct because appropriate cloud data security practices will required encrypting a great deal of the data, and having the keys will be necessary during contingency operations in order to access the backup; without the keys, you won’t be able to access your data.

Answer 150

A

B: SDN controllers; SDN applications

The northbound interface (NBI) usually handles traffic between the SDN controllers and SDN applications.

Answer 151

A

B: Object storage

Object storage is, literally, a means of storing objects in a hierarchy such as a file tree.

Answer 152

A

D: Use favorable contract language

The contract is probably the cloud customer’s best tool for avoiding vendor lock-in; contract terms will establish how easy it is to migrate your organization’s data to another provider in a timely , cost-effective manner.

Answer 153

A

A: The cloud provider

Because the cloud provider owns and operates the cloud data center, the provider will craft and promulgate the governance that determines the control selection and usage.

Answer 154

A

B: Guest escape

The questions describes guest escape.

Answer 155

A

A: Host escape

The question describes host escape.

Answer 156

A

D: Ease of use

Because most cloud users don’t see direct costs in creating new VM instances (the bills usually go to a single point of contact in the organization, not the user or the user’s office), they may tend to create additional VMs at a significant rate, without realizing the attendant cost.

Answer 157

A

A: Cross-certification

The cross-certification federation model is also known as a ‘web of trust.’

Answer 158

A

B: Proxy

In the proxy federation model, the third party acts on behalf of the member organizations, reviewing each to ensure that they are all acceptable to the others.

Answer 159

A

A: Each organization

In a web of trust federation model, all of the participating organizations are identity providers; each organization will assign identity credentials to its own authorized users, and all the other organizations in the federation will accept those credentials.

Answer 160

A

C: Log file generation

Event logging is essential for incident management and resolutions; this can be set as an automated function of the CM tools.

Answer 161

A

C: Returning to normal operations too soon

A premature return to normal operations can jeopardize not only production, but personnel; if the contingency that caused the BCDR action is not fully complete / addressed, there may still be danger remaining.

Answer 162

A

C: Reduce the risk of regulatory noncompliance

ENISA’s approach to cloud risk assessments does not specifically address the type of assurance, probably because of the wide variety of possible regulators and the difficulty in crafting a risk assessment that would address them all.

Answer 163

A

D: Sending the data outside the legacy environment for collaborative purposes

The cloud greatly enhances opportunities for collaboration between organizations, mostly by giving external parties some limited access to the owner’s data in the cloud. While there is a risk in this situation, the truly comparable risk in the legacy environment would result from sending data outside the organization to external collaborators.

Answer 164

A

C: Strong contractual clauses

This is not an easy question; the simple answer seems to be option A, which is true for data stored / saved / migrated to the cloud (and property that already has been created in the cloud, but for new intellectual property created in the cloud, strong contract language in favor of the customer’s rights is very necessary.

Answer 165

A

B: Inference attacks

While it is possible that one guest VM seeing the resource calls of another VM could possibly allow one guest to see the other’s data, it’s much more likely that a users seeing another user’s use of resources, rather than raw data, would allow the viewer to infer something about the victim’s behavior / usage / assets.

Answer 166

A

B: The administration / support staff building

Administrative and support staff are usually not part of the critical path of a data center; they are nonfunctional-requirement elements, not functional requirements.

Answer 167

A

C: The risk of negative impact to both production and backup is too high

A recovery from backup into the production environment carries the risk of failure of both data sets – the production set and the backup set.

Answer 168

A

A: Create their own identity and access management (IAM) solutions

According to ENISA, custom IAM builds can become weak if not properly implemented.

Answer 169

A

D: SLA satisfaction survey from other (current and past) cloud customers

Of the listed options, knowing how other customers feel about a provider may be the most valuable data point; it is the most realistic depiction of whether an organization realized projected / anticipated benefits after a migration.

Answer 170

A

D: Social engineering

Performing live deception and trickery against employees of the cloud provider (or its suppliers / vendors) could be construed as unethical and possibly illegal, especially without their knowledge and / or consent.

Answer 171

A

B: The ease of transporting stolen virtual machine images

Because virtual machine images are stored as imaged files, an attacker able to access the stored files would have a much easier time transporting those files than transporting actual drives / machines.

Answer 172

A

C: Object

In object storage, data objects / files are saved in the storage space along with relevant metadata such as content type and creation date.

Answer 173

A

B: Not vulnerable to degaussing

Because SSDs do not use magnetic properties to store data, degaussing is not a suitable means of sanitizing SSDs.

Answer 174

A

C: Data dispersion / Encryption

Theoretically, all combinations of security controls are preferable to any one security control used by itself – this is the principle of layered defense. All of the potential responses are therefor true; however, of this list, the pairing that makes the most sense is option C.

Answer 175

A

C: In every building on the campus

Health and human safety is a paramount goal of security; all facilities must have multiple emergency egress points.

Answer 176

A

D: Mantrap structures

Usually, mantrap areas control access to sensitive locations within a facility, not an entrance to the facility.

Answer 177

A

B: Degrade performance

Security and productivity / operations are always trade-offs.

Answer 178

A

D: BCDR

When performing BCDR tests, it is useful to create scenarios that are unpredictable and vary from previous tests so as to better approximate conditions of an actual disaster.

Answer 179

A

C: Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.

Answer 180

A

C: The various members of the collective

This is the correct process, according to the law.

Answer 181

A

C: 3

Tier 3 should probably suffice for Bob’s purposes, providing sufficient redundancy and resiliency. Tier 4 probably offers more than what Bob needs; it will cost considerably more than a Tier 3 implementation and is most likely only necessary for an organization providing health and human safety services.

^ This is ‘from the book.’ IMHO this question is problematic in that Tier 4 is required / essential for critical functions within critical infrastructure sectors – e.g. money movement in the financial services sector.

The key phrase in this question is ‘…without adding extraneous cost,’ which is intended to be interpreted as ‘what is the lowest level Bob could justify.’

Answer 182

A

C: Gramm-Leach-Bliley

GLBA states requirements for securing personal account information in the financial and insurance industries; Bob’s company provides financial services, so he will definitely have to comply with GLBA.

Answer 183

A

B: Purchase UPSs from different vendors

Using different vendors for multiple systems of the same type adds not only redundancy but also resiliency; if one product has an inherent manufacturing flaw, the other should not, if it comes from a different producer. The other suggestions are all apt but do not offer redundancy or resiliency

Answer 184

A

D: Long enough to preform graceful shutdown of the data center systems

Traditionally, it would be optimum if the UPS lasted as long as necessary until the generator is able to resume providing the electrical load that was previously handled by utility power. However, the absolute baseline for battery power is just long enough for all systems to complete their transactions without losing data.

Answer 185

A

B: Dynamic testing

Testing the product in a runtime context is dynamic testing.

Answer 186

A

C: A trained moderator

The moderator will serve to guide the experience in an objective, dispassionate manner, without influencing the test, and will also help document the outcomes of testing.

Answer 187

A

D: The game developers

It is absolutely essential that the developers are not present during the actual testing as they are likely to influence the test purposefully or otherwise.

The other parties don’t need to participate in the testing process but are not as undesirable as the developers.

Answer 188

A

B: Health and human safety

Bare skin sticks to cold metal.

Most modern systems don’t suffer performance degradation at the lower ends of the temperature spectrum; it’s the higher temperatures that are of concern for that aspect of the data center. Option B is preferable to option A.

Answer 189

A

B: It must be on a distinct, isolated management network (VLAN)

All management functions should take place on a highly secure, isolated network.

Answer 190

A

A: Isolation

Isolation in the cloud is imperative, largely because of multitenancy (not to support it, as option C implies). In order to do this, the use of technologies like those listed in the question is warranted.

Answer 191

A

A: Payload encryption

A DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer (the other options). This does not include payload encryption – confidentiality is not an aspect of DNSSEC.

Answer 192

A

B: Community cloud

This is an optimum situation for the use of a community cloud model.

Answer 193

A

A: Private cloud

Because of European personal data privacy laws, it is extremely important for your company to be sure that the data does not leave the borders of a country approved to handle such data. A private cloud model is the best means for your company to be sure that the data is processed in a data center residing in a particular geophysical location.

Answer 194

A

A: NIST 800-37

Both ISO 31000 and NIST 800-37 are risk management frameworks.

Answer 195

A

C: ENISA

The ENISA Cloud Computing: Benefits, Risks, and Recommendation for Information Security is the publication.

Answer 196

A

B: Jurisdiction

The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, numeric metrics. Jurisdiction is usually dictated by location instead, which should be included in the contact but is probably not useful to include in the SLA.

Answer 197

A

B: Virtualization

A ubiquitous baseline configuration used in a virtualized environment can serve as an artifact for auditors and enhance the audit process.

Answer 198

A

B: Variable keystrokes

Variables, in general, aren’t useful for authentication; authentication requires a match against a template or a known quantity.

Answer 199

A

B: DLP

DLP solutions typically have the capability to aid in asset valuation and locations, both important facets of the BCDR process.

Answer 200

A

C: Working prototypes

The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs. The Manifesto refutes all other elements of programming that slow down this effort, including documentation, planning, processes, and specific tools.

Answer 201

A

C: URIs

REST calls web resources by using Uniform Resource Identifiers (URIs).

Answer 202

A

C: As a live instance

Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another and how VMs are moved prior to maintenance on a physical device.

Answer 203

A

B: Content-based detection

IDS / IPS solutions do not often check the content of traffic.

Answer 204

A

C: Whoever first applied for legal protection of the logo

Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body.

In the case of conflicting usage (or infringement), courts will take may criteria into account, including which party has first claim on the trademark (that is, who used it the longest), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth.

But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question.

Answer 205

A

C: Cloud Reseller

A cloud reseller is a firm that contracts with both cloud providers and customer in order to arrange custom services.

Answer 206

A

B: The company operates proprietary software

A customer using proprietary software in a PaaS environment faces the risk that updates to the underlying OS(s) and / or hardware infrastructure will not be compatible with the customer’s software and will affect productivity.

Answer 207

A

C: Reduces cash flow risk

Spreading costs over time, a business can reduce the risk that there will be a lack of money at any given time, impacting operations.

Answer 208

A

A: 2

The virtualized NIC is part of the data-link layer.

Answer 209

A

B: GRE

Generic routing encapsulation (GRE) is a tunneling mechanism, specifically designed for the purpose.

Answer 210

A

B: Asymmetric, symmetric

TLS uses asymmetric encryption to create a symmetric session key.

Answer 211

A

D: Provides economical services to all customers, regardless of point of origin.

The TCI does not, specifically, require cost-effectiveness of cloud services.

Answer 212

A

A: Data format and type

In order to use the archive for recovery (either on a large scale for contingency operations or for granular recovery as a means of data discovery), the data needs to be of a format and type that can be utilized by the organization’s systems and environment. Saving data in the wrong format can be equivalent to losing the data.

Answer 213

A

C: The cloud providers’s policy

The cloud provider cannot typically require the destruction of the customer’s data simply because of its own (provider’s) policy. If this is an aspect of the contract between the provider and customer, that is another issue (and listed as another option in this question).

Answer 214

A

A: Content delivery network (CDN)

CDNs are often used in conjunction with SaaS services to deliver high-quality data of large sizes (often, multimedia).

Answer 215

A

B: Backdoors

Backdoors are a particularly prevalent risk in software development because programmers legitimately use backdoors for ease of use and speed of delivery but may mistakenly (or even purposefully) leave the backdoors in the software after development, creating a hidden and significant vulnerability.

Answer 216

A

B: VM sprawl

Because the cost of creating new instances in the cloud environment is transparent to many users / offices, there is a significant likelihood that users / offices will create many new virtual machine (VM) instances without the knowledge / oversight of management. this can result in a very expensive surprise at the end of the payment period, when the organization receives the bill from the cloud provider.

Answer 217

A

B: Secret sharing made short (SSMS)

Answer 218

A

C: Tabletop

Answer 219

A

B: Network-attached storage (NAS)

This is a description of a NAS device.

A SAN typically presents storage devices to users as attached / mounted drives.

An HSM is designed for encryption generation and management.

A CDN typically replicates multimedia content at multiple, geographically diverse locations to ensure hight quality for recipients.

Answer 220

A

C: Data disclosure through insufficiently isolated resources

Because of the multitenant nature of public cloud services, processes are resources that are not properly isolated may create a situation where data could be disclosed to other cloud customers (neighboring tenants).

Answer 221

A

A: Hot aisle containment

This is a description of hot aisle containment. Cold aisle containment is the opposite configuration (fronts of devices facing each other), and the other two options are distractors.

Answer 222

A

A: Reduces unproductive HVAC activity

Unused or poorly managed cabling can impede efficient air flow, increasing HVAC and energy costs and increasing the difficulty of optimizing temperature.

Answer 223

A

B: Pressure

Pressure detection is not a common detection technology.

Answer 224

A

B: Require re-verification of all user accounts

This action is pointless and excessive; all other options are actions the cloud provider should undertake when conducting scheduled maintenance.

Answer 225

A

C: Sandboxing

Sandboxing allows software to be run in an isolated environment, which can aid in error detection.

Answer 226

A

B: Open source review

Open source review can detect flaws that a structure testing method might not.

Answer 227

A

C: Members of the user group

Agile requires interaction between developers and those who will use the software.

Answer 228

A

A: SOAP

SOAP is a web service programming format that requires the use of XML.

REST relies more often on uniform resource identifiers (URIs) than XML; option B is incorrect.

SAML is a protocol for passing identity assertions over the Internet; option C is incorrect.

DLP is a data egress monitoring tool; option D is incorrect.

Answer 229

A

D: Quality of service

Every additional security measure might reduce a potential threat but will definitely reduce productivity and quality of service. There is always an overhead cost of security.

Answer 230

A

C: Korea

Korea does not currently have a federal privacy law that conforms to EU legislation.

Answer 231

A

C: The individual must be able to request a purge of their data

This is an aspect of the current EU legislation, known colloquially as “the right to be forgotten” – it is not an aspect of the OECD principles.

Answer 232

A

B: CSA Cloud Controls Matrix

The CCM is a tool for determining control coverage for compliance with a variety of standards and regulations.

Answer 233

A

D: The specific amount of data that can be uploaded to the cloud environment in any given month

SLA elements should be objective measures (i.e. ‘specific amount’) that can be confirmed or denied at regular intervals (e.g. end of each month) to determine whether or not the SLA is being met.

B and C are useful elements to be included in the contract, but not specifically the SLA. And, A, is too ambiguous – ‘excellent’ is not a discrete value.

Answer 234

A

D: Senior management

Because of the costs, hazards, and risks involved with returning to normal operations, only senior management may decide to perform that function.

Answer 235

A

B: Corrective

Corrective controls involve physical, administrative, and technical measures designed to react to the detection of an incident in order to reduce or eliminate the opportunity for the unwanted event to occur.

Answer 236

A

A: Customers have explicit control of how their information is used

As per the shared responsibility model, the customer has explicit control of how their information is used.

Answer 237

A

C: Functions, actors, locations

After mapping the various data phases, along with data locations and device access, it is necessary to identify what can be done with the data (i.e., data functions) and who can access the data (i.e., the actors).

Answer 238

A

B: Management, control, and data plane

At the management plane all the business applications that manage the underlying control plane are exposed with northbound interfaces. Control of network functionality and programmability is directly made to devices at the control plane. OpenFlow was the original framework/protocol specified to interface with devices through southbound interfaces. The network switches and routers located at the data plane are associated with the infrastructure. The process of forwarding data is accomplished at this plane, so it can also be referred to as a forwarding plane.

Answer 239

A

B: Representational State Transfer (REST)

REST is broadly used as an alternative to SOAP because a URL can be used for making requests. Some specific scenarios may require additional information, but the majority of services found on the web today exclusively use REST and exchange all required information using a URL and four primary hypertext protocol calls: GET, POST, PUT, and DELETE.

Answer 240

A

A: Key exchange, server parameters, authentication

In the key exchange phase, the client sends the ClientHello message, which contains: a random nonce (ClientHello.random), its offered protocol versions, a list of symmetric cipher/HKDF hash pairs, either a set of Diffie–Hellman key shares, a set of pre-shared key labels, or both, and potentially additional extensions.

The server processes the ClientHello and determines the appropriate cryptographic parameters for the connection.

The server then responds with its own ServerHello, which indicates the negotiated connection parameters. The combination of the ClientHello and the ServerHello determines the shared keys.

Brainscape's Knowledge GenomeTM

Sample Exam Questions Flashcards

Test your knowledge and get to learn the style of the test makers.

Brainscape's Knowledge Genome^TM