WGU C838 MANAGING CLOUD SECURITY FINAL EXAM OA 100 QUESTIONS AND ANSWERS LATEST 2023-2024 |AGRADE

Which phase of the cloud data life cycle allows both read and process functions to be performed?

A Create
B Archive
C Store
D Share
A

Which phase of the cloud data security life cycle typically occurs simultaneously with creation?

A Share
B Store
C Use
D Destroy
B

Which phase of the cloud data life cycle uses content delivery networks?

A Destroy
B Archive
C Share
D Create
C

Which phase of the cloud data life cycle is associated with crypto-shredding?

A Share
B Use
C Destroy
D Store
C

Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security?

A Randomization
B Obfuscation
C Anonymization
D Tokenization
D

Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model?

A Sandbox encryption
B Polymorphic encryption
C Client-side encryption
D Whole-instance encryption
D

There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms.

Which platform as a service (PaaS) data type should be used?

A Short-term storage
B Structured
C Unstructured
D Long-term storage
B

Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files?

A Relational database
B Block
C Distributed
D Object
D

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?

A Dynamic masking
B Format-preserving encryption
C Proxy-based encryption
D Tokenization
B

Which encryption technique connects the instance to the encryption instance that handles all crypto operations?

A Database
B Proxy
C Externally managed
D Server-side
B

Which type of control should be used to implement custom controls that safeguard data?

A Public and internal sharing
B Options for access
C Management plane
D Application level
D

Which element is protected by an encryption system?

A Ciphertext
B Management engine
C Data
D Public key
C

A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data.

Which step should occur immediately before this action is taken?

A The tokenization server returns the token to the application.
B The tokenization server generates the token.
C The application collects a token.
D The application stores the token.
D

A company has recently defined classification levels for its data.

During which phase of the cloud data life cycle should this definition occur?

A Use
B Create
C Share
D Archive
B

Which jurisdictional data protection includes dealing with the international transfer of data?

A Financial modernization
B Secure choice authorization (SCA)
C Sarbanes-Oxley act (SOX)
D Privacy regulation
D

Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals?

A Stored communications act (SCA)
B Health insurance portability and accountability act (HIPAA)
C Gramm-Leach-Bliley act (GLBA)
D Sarbanes-Oxley act (SOX)
C

Which jurisdictional data protection safeguards protected health information (PHI)?

A Directive 95/46/EC
B Safe harbor regime
C Personal Data Protection Act of 2000
D Health Insurance Portability and Accountability Act (HIPAA)
D

How is the compliance of the cloud service provider’s legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud?

A Contractual agreements
B Third-party audits and attestations
C e-Discovery process
D Researching data retention laws
B

Which security strategy is associated with data rights management solutions?

A Unrestricted replication
B Limited documents type support
C Static policy control
D Continuous auditing
D

Who retains final ownership for granting data access and permissions in a shared responsibility model?

A Customer
B Developer
C Manager
D Analyst
A

Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data?

A Backup
B Caching
C Archiving
D Saving
C

Which data retention method is stored with a minimal amount of metadata storage with the content?

A File system
B Redundant array
C Object-based
D Block-based
D

What is a key capability of security information and event management?

A Intrusion prevention capabilities
B Automatic remediation of issues
C Centralized collection of log data
D Secure remote access
C

Which data source provides auditability and traceability for event investigation as well as documentation?

A Storage files
B Packet capture
C Network interference
D Database tables
B

Which data source provides auditability and traceability for event investigation as well as documentation?

A Network segmentation
B Ephemeral storage
C Database schema
D Virtualization platform logs
D

Which technology is used to manage identity access management by building trust relationships between organizations?

A Single sign-on
B Multifactor authentication
C Federation
D Biometric authentication
C

Which term describes the action of confirming identity access to an information system?

A Coordination
B Concept
C Access
D Authentication
D

Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring?

A Data loss prevention (DLP)
B Content delivery network (CDN)
C Cloud access security broker (CASB)
D Web application firewall (WAF)
C

Which cloud computing technology unlocks business value through digital and physical access to maps?

A Multitenancy
B Cloud application
C Application programming interface
D On-demand self-service
C

Which cloud computing tool may help detect data migrations to cloud services?

A Uniform resource locator (URL) filtering
B Cloud security gateways
C Cloud data transfer
D Data loss prevention
D

What is a key component of the infrastructure as a service (IaaS) cloud service model?

A Allows choice and reduces lock-in
B Supports multiple languages and frameworks
C Ease of use and limited administration
D High reliability and resilience
D

What is a key capability of infrastructure as a service (IaaS)?

A Hosted application management
B Converged network and IT capacity pool
C Leased application and software licensing
D Multiple hosting environments
B

Which option should an organization choose if there is a need to avoid software ownership?

A Software as a service (SaaS)
B Platform as a service (PaaS)
C Containers as a service (CaaS)
D Infrastructure as a service (IaaS)
A

Which cloud model offers access to a pool of fundamental IT resources such as computing, networking, or storage?

A Infrastructure
B Platform
C Application
D Data
A

In which situation could cloud clients find it impossible to recover or access their own data if their cloud provider goes bankrupt?

A Vendor lock-in
B Multitenant
C Multicloud
D Vendor lock-out
D

Which cloud deployment model is operated for a single organization?

A Consortium
B Hybrid
C Public
D Private
D

Which cloud model provides data location assurance?

A Hybrid
B Private
C Community
D Public
B

Which cloud model allows the consumer to have sole responsibility for management and governance?

A Hybrid
B Community
C Private
D Public
C

Which technology allows an organization to control access to sensitive documents stored in the cloud?

A Digital rights management (DRM)
B Database activity monitoring (DAM)
C Identity and access management (IAM)
D Distributed resource scheduling (DRS)
A

Which security technology can provide secure network communications from on-site enterprise systems to a cloud platform?

A Domain name system security extensions (DNSSEC)
B Internet protocol security (IPSec) virtual private network (VPN)
C Web application firewall (WAF)
D Data loss prevention (DLP)
B

How do immutable workloads affect security overhead?

A They reduce the management of the hosts.
B They automatically perform vulnerability scanning as they launch.
C They restrict the amount of instances in a cluster.
D They create patches for a running workload.
A

Which document addresses CSP issues such as guaranteed uptime, liability, penalties, and dispute mediation process?

A General data protection regulation (GDPR)
B Service organization control 3 (SOC 3)
C Service level agreement (SLA)
D Common criteria assurance framework (CC)
C

Which design principle of secure cloud computing ensures that the business can resume essential operations in the event of an availability-affecting incident?

A Disaster recovery
B Resource pooling
C Access control
D Session management
A

Which design principle of secure cloud computing ensures that users can utilize data and applications from around the globe?

A Portability
B Scalability
C On-demand self-service
D Broad network access
D

Which design principle of secure cloud computing involves deploying cloud service provider resources to maximize availability in the event of a failure?

A Elasticity
B Resiliency
C Scalability
D Clustering
B

Which item should be part of the legal framework analysis if a company wishes to store prescription drug records in a SaaS solution?

A Sarbanes-Oxley Act
B Health Insurance Portability and Accountability Act
C Federal Information Security Modernization Act
D U.S. Patriot Act
B

Which standard addresses practices related to acquisition of forensic artifacts and can be directly applied to a cloud environment?

A NIST SP 500-291
B ISO/IEC 27001
C NIST SP 800-145
D ISO/IEC 27050-1
D

Which regulation in the United States defines the requirements for a CSP to implement and report on internal accounting controls?

A HIPAA
B SOX
C FERPA
D GDPR
B

Which legislation must a trusted cloud service adhere to when utilizing the data of EU citizens?

A GDPR
B EMTALA
C APPI
D SOX
A

Which logical design decision can be attributed to required regulation?

A Database writes/second
B Retention periods
C Retention formats
D Database reads/second
B

Which service model influences the logical design by using additional measures in the application to enhance security?

A Hybrid cloud
B Public cloud
C Software as a service (SaaS)
D Platform as a service (PaaS)
C

Which environmental consideration should be addressed when planning the design of a data center?

A Heating and ventilation
B Utility power availability
C Expansion possibilities and growth
D Telecommunications connections
A

Which result is achieved by removing all nonessential services and software of devices for secure configuration of hardware?

A Hardening
B Maintenance
C Patching
D Lockdown
A

What is a component of device hardening?

A Patching
B Unit testing
C Versioning
D Configuring VPN access
A

Which technology typically provides security isolation in infrastructure as a service (IaaS) cloud computing?

A Application instance
B System image repository
C Virtual machines
D Operating systems
C

Which technology allows an administrator to remotely manage a fleet of servers?

A KVM switch
B VPN concentrator
C Bastion host
D Management plane
D

What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks?

A Management orchestration software
B Management plane
C Identity access management
D Database management
B

Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems?

A Applying the steps of a cloud software development life cycle
B Providing developer access to supporting components and services
C Outsourcing the infrastructure and integration platform management
D Verifying the application has an appropriate level of confidentiality and integrity
A

Which type of agreement aims to negotiate policies with various parties in accordance with the agreed-upon targets?

A Privacy-level (PLA)
B Service-level (SLA)
C User license (ULA)
D Operation-level (OLA)
B

Which regulation requires a CSP to comply with copyright law for hosted content?

A SCA
B DMCA
C SOX
D GLBA
B

Which element is a cloud virtualization risk?

A Guest isolation
B Electronic discovery
C Licensing
D Jurisdiction
A

Which risk is related to interception of data in transit?

A Virtualization
B Man-in-the-middle
C Software vulnerabilities
D Traffic blocking
B

Which method is being used when a company evaluates the acceptable loss exposure associated with a cloud solution for a given set of objectives and resources?

A Business impact analysis
B Business continuity planning
C Risk appetite
D Risk management
C

The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization.

Which standard should be applied?

A International organization for standardization (ISO) 27050-1
B Sarbanes-Oxley Act (SOX)
C Cloud controls matrix (CCM)
D International electrotechnical commission (IEC) 27037
A

Which detection and analysis technique is performed to capture a point-in-time picture of the entire stack at the time of an incident?

A Collect metadata during alert
B Examine configuration data
C Create a snapshot using API calls
D Review data access logs
C

A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm.

Who is the CSP legally required to notify?

A Information commissioner
B Australian privacy foundation
C Asian-Pacific privacy control board
D Cloud Security Alliance
A

A CSP provides services in European Union (EU) countries that are subject to the network information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided.

Who is the CSP required to notify under the NIS directive?

A Data protection regulator
B Competent authorities
C Personal Information Protection Commission
D Provider’s services suppliers
B

A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident.

Which action facilitates this type of communication?

A Incorporating checks on API calls
B Using existing open standards
C Identifying key risk indicators (KRIs)
D Performing a vulnerability assessment
B

Which security control does the software as a service (SaaS) model require as a shared responsibility of all parties involved?

A Platform
B Infrastructure
C Data
D Application
D

Which description characterizes the application programming interface (API) format known as representational state transfer (REST)?

A Supports only extensible markup language (XML)
B Provides a framework for developing scalable web applications
C Delivers a slower performance with complex scalability
D Tolerates errors at a high level

Which issue occurs when a web browser is sent data without proper validation?

A Insecure direct object access (IDOA)
B Cross-site request forgery (CSRF)
C Cross-site scripting (XSS)
D Lightweight directory access protocol (LDAP) injection
C

Which security testing approach is used to review source code and binaries without executing the application?

A Regression testing
B Dynamic application security testing
C Static application security testing
D Fuzz testing
C

Which issue can be detected with static application security testing (SAST)?

A Authentication
B Performance
C Threading
D Malware
C

Which approach is considered a black-box security testing method?

A Static application security testing
B Binary code inspection
C Dynamic application security testing
D Source code review
C

Which primary security control should be used by all cloud accounts, including individual users, in order to defend against the widest range of attacks?

A Multi-factor authentication
B Logging and monitoring
C Perimeter security
D Redundant infrastructure
A

Which cloud infrastructure is shared by several organizations and supports a specific population that has shared concerns (e.g., mission, security requirements, policy, compliance considerations)?

A Public
B Community
C Hybrid
D Private
B

Which problem is known as a common supply chain risk?

A Domain spoofing
B Runtime application self-protection
C Data breaches
D Source code design
C

Which phase of the software development life cycle includes determining the business and security requirements for the application to occur?

A Designing
B Developing
C Defining
D Testing
C

Which phase of the software development life cycle includes writing application code?

A Defining
B Designing
C Implementing
D Developing
D

Which method should the cloud consumer use to secure the management plane of the cloud service provider?

A Network access control list
B Disablement of management plane
C Agent-based security tooling
D Credential management
D

Which security threat occurs when a developer leaves an unauthorized access interface within an application after release?

A Deprecated API
B Easter egg
C Persistent backdoor
D Development operations
C

Which process prevents the environment from being over-controlled by security measures to the point where application performance is impacted?

A Trusted cloud initiative (TCI)
B Community cloud
C Quality of service (QoS)
D Private cloud
C

Which of the open web application security project (OWASP) Top 9 Coding Flaws leads to security issues?

A Direct object reference
B Cross-site scripting
C Denial-of-service
D Client-side injection
A

Which identity management process targets access to enterprise resources by ensuring that the identity of an entity is verified?

A Provisioning
B Federation
C Authentication
D Policy management
C

Which technology improves the ability of the transport layer security (TLS) to ensure privacy when communicating between applications?

A Whole-disk encryption
B Advanced application-specific integrated circuits (ASICs)
C Virtual private networks (VPNs)
D Volume encryption
B

Which multi-factor authentication (MFA) option uses a physical universal serial bus (USB) device to generate one-time passwords?

A Transaction authentication numbers
B Biometrics
C Hard tokens
D Out-of-band passwords
C

Which cloud infrastructure is shared by several organizations with common concerns, such as mission, policy, or compliance considerations?

A Private cloud
B Community cloud
C Public cloud
D Hybrid cloud
B

Which type of cloud deployment model is considered equivalent to a traditional IT architecture?

A Public
B Private
C Hybrid
D Community
B

Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy?

A Technological controls
B Contractual enforcement of policies
C Training programs
D Strong access controls
A

Which attack vector is associated with cloud infrastructure?

A Seizure and examination of a physical disk
B Licensing fees tied to the deployment of software based on a per-CPU licensing model
C Data storage locations in multiple jurisdictions
D Compromised API credentials
D

Which risk is associated with malicious and accidental dangers to a cloud infrastructure?

A Regulatory noncompliance
B Natural disasters
C Personnel threats
D External attacks
C

Which cloud-specific risk must be considered when moving infrastructure operations to the cloud?

A Natural disasters
B Lack of physical access
C Denial of service
D Regulatory violations
B

Which risk is controlled by implementing a private cloud?

A Eavesdropping
B Unauthorized access
C Denial-of-service (DoS)
D Physical security
D

Which countermeasure enhances redundancy for physical facilities hosting cloud equipment during the threat of a power outage?

A Tier 2 network access providers
B Radio frequency interference (RFI) blocking devices
C Multiple and independent power circuits to all racks
D Automated license plate readers (ALPR) at entry points
C

Which countermeasure helps mitigate the risk of stolen credentials for cloud-based platforms?

A Key management
B Multifactor authentication
C Data sanitization
D Host lockdown
B

Which control helps mitigate the risk of sensitive information leaving the cloud environment?

A Web application firewall (WAF)
B Disaster recovery plan (DRP)
C Identity and access management (IAM)
D Data loss prevention (DLP)
D

Which countermeasure mitigates the risk of a rogue cloud administrator?

A Multifactor authentication
B Data encryption
C Platform orchestration
D Logging and monitoring
D

Which consideration should be taken into account when reviewing a cloud service provider’s risk of potential outage time?

A The type of database
B The amount of cloud service offerings
C The unique history of the provider
D The provider’s support services
C

Which cloud security control eliminates the risk of a virtualization guest escape from another tenant?

A Dedicated hosting
B Hardware hypervisor
C File integrity monitor
D Immutable virtual machines
A

Which cloud security control is a countermeasure for man-in-the-middle attacks?

A Backing up data offsite
B Reviewing log data
C Using block data storage
D Encrypting data in transit
D

Which data retention policy controls how long health insurance portability and accountability act (HIPAA) data can be archived?

A Applicable regulation
B Data classification
C Enforcement
D Maintenance
A

Which disaster recovery (DR) site results in the quickest recovery in the event of a disaster?

A Hot
B Cold
C Reserve
D Passive
A

Where should the final data backup repository be located in the event that the disaster recovery plan is enacted for a CSP providing disaster recovery (DR) service?

A Local storage
B Cloud platform
C Company headquarters
D Tape drive
B

Which technology should be included in the disaster recovery plan to prevent data loss?

A Offsite backups
B Locked racks
C Video surveillance
D System patches
A

Which disaster recovery plan metric indicates how long critical functions can be unavailable before the organization is irretrievably affected?

A Maximum allowable downtime (MAD)
B Recovery point objective (RPO)
C Mean time to switchover (MTS)
D Recovery time objective (RTO)
A

Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan?

A Continuity planning
B Costs will remain the same
C Level of resiliency
D Provider’s history
C

An architect needs to constrain problems to a level that can be controlled when the problem exceeds the capabilities of disaster recovery (DR) controls.

Which aspect of the plan will provide this guarantee?

A Ensuring data backups
B Evaluating portability alternatives
C Managing plane controls
D Handling provider outages
D

Which aspect of business continuity planning considers the alternatives to be used when there is a complete loss of the provider?

A Managing plane controls
B Ensuring resiliency
C Managing cloud provider outages
D Considering portability options
D

What is a key method associated with a risk-based approach to business continuity planning?

A Applying internal authentication and credential passing
B Leveraging software-defined networking
C Using existing network technology
D Considering the degree of continuity required for assets
D

Which testing method must be performed to demonstrate the effectiveness of a business continuity plan and procedures?

A Failover
B Penetration
C DAST
D SAST
A

Which process involves the use of electronic data as evidence in a civil or criminal legal case?

A eDiscovery investigations
B Due diligence
C Cloud governance
D Auditing in the cloud
A

Which standard addresses the privacy aspects of cloud computing for consumers?

A ISO 27018:2014
B ISO 27017:2015
C ISO 27001:2013
D ISO 19011:2011
A

Which international standard guide provides procedures for incident investigation principles and processes?

A ISO/IEC 27034-1:2011
B ISO/IEC 27037:2012
C ISO/IEC 27001:2013
D ISO/IEC 27043:2015
D

Which group is legally bound by the general data protection regulation (GDPR)?

A Only corporations located in countries that have adopted the GDPR standard
B Only corporations headquartered in the EU
C Only corporations that have operations in more than one EU nation
D Only corporations that process the data of EU citizens
D

Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?

A Reporting to the supervisory authority
B Informing consumer credit reporting services
C Notifying the affected persons
D Suspending the processing operations
A

Which penalty is imposed for privacy violations under the general data protection regulation (GDPR)?

A Penalty up to 2% of gross income
B Penalty up to 10 million Euros
C Penalty up to 5% of gross income
D Penalty up to 20 million Euros
D

Why is eDiscovery difficult in the cloud?

A The process is time consuming.
B The client may lack the credentials to access the required data.
C The customer is responsible for their data on a multitenant system.
D The cloud service provider may lack sufficient resources.
B

Which artifact may be required as a data source for a compliance audit in a cloud environment?

A Customer SLAs
B Quarterly revenue projections
C Change management details
D Annual actual-to-budgeted expense reports
C

Which artifact may be required as a data source for a regulatory compliance audit (i.e., HIPAA, PCI-DSS) in a cloud environment?

A System performance benchmarks
B Annual actual-to-budgeted expenses
C System configuration details
D Quarterly revenue projections
C

Which item would be a risk for an enterprise considering contracting with a cloud service provider?

A Suspension of service if payment is delinquent
B No SLA exclusion penalties
C 99.99% up time guarantees
D Very expensive SLA provider penalties
A

Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties?

A Authentication
B Discovery by design
C Native production
D Direct access
C

Which type of control is important in order to achieve compliance for risk management?

A Technical
B Validation
C Security
D Privacy
C

Which requirement is included when exceptions, restrictions, and potential risks are highlighted in a cloud services contract?

A Virtual machine and operating system
B Regulatory and compliance
C Load balancer algorithm
D Stockholder expectations
B

Which item is required in a cloud contract?

A Specifications for unit testing
B Penalties for failure to meet SLA
C Strategy for the SDLC
D Diagrams for data flow structures
B

Which factor exemplifies adequate cloud contract governance?

A The frequency with which contracts are renewed
B The emphasis of privacy controls in the contract
C The flexibility of data types in accordance with a contract
D The bandwidth that is contractually provided
A

All of the following can result in vendor lock-in except:

A Proprietary data formats
B Statutory compliance
C Unfavorable contract
D Insufficient bandwidth
B

When a cloud customer uploads PII to a cloud provider, who becomes ultimately responsible for the security of that PII?

A Cloud customer
B The individuals who are the subjects of the PII
C Cloud provider
D Regulators
A

The generally accepted definition of cloud computing includes all of the following characteristics except:

A On-demand services
B Measured or metered service
C Resource pooling
D Negating the need for backups
D

All of these are reasons an organization may want to consider cloud migration, except:

A Reduced operational expenses
B Elimination of risks
C Reduced personnel costs
D Increased efficiency
B

The cloud deployment model that features organizational ownership of the hardware and infrastructure, and usage only by members of that organization, is known as:

A Public
B Hybrid
C Motive
D Private
D

All of these are features of cloud computing except:

A Rapid scaling
B On-demand self-service
C Broad network access
D Reversed charging configuration
D

Cloud Access Security Brokers (CASBs) might offer all the following services except:

A IAM
B BC/DR/COOP
C Single sign-on
D Key escrow
B

The cloud deployment model that features joint ownership of assets among an affinity group is known as:

A Community
B Hybrid
C Public
D Private
A

If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best?

A PaaS
B IaaS
C Hybrid
D SaaS
A

If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad?

A Availability
B Integrity
C Authentication
D Confidentiality
A

Which of the following is not a common cloud service model?

A Programming as a Service
B Software as a Service
C Platform as a Service
D Infrastructure as a Service
A

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as:

A Private
B Public
C Hybrid
D Latent
B

Cloud vendors are held to contractual obligations with specified metrics by:

A Discipline
B SLAs
C Regulations
D Law
B

We use which of the following to determine the critical paths, processes, and assets of an organization?

A Business requirements
B BIA
C RMF
D CIA triad
B

If a cloud customer wants a bare-bones environment in which to replicate their own enterprise for BC/DR purposes, which cloud service model would probably be best?

A Hybrid
B IaaS
C PaaS
D SaaS
B

The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as:

A Vendor closure
B Vendor lock-out
C Vendor lock-in
D Vending route
B

If a cloud customer wants a fully-operational environment with very little maintenance or administration necessary, which cloud service model would probably be best?

A Hybrid
B SaaS
C PaaS
D IaaS
B

All of these technologies have made cloud service viable except:

A Cryptographic connectivity
B Smart hubs
C Virtualization
D Widely available broadband
B

If a service or solution does not meet all of the specified key characteristics listed below, it is said not to be true cloud computing. Select the valid cloud computing characteristics from the terms identified below.

Each correct answer represents a complete solution. Choose all that apply.

1) Measured system
2) Broad network access
3) Resource pooling
4) Measured service
5) On-demand self-service
6) Selected self-service
7) Rapid expansion

A All but 1 & 6
B All but 2 & 5
A

_ drive security decisions.

A Public opinion
B Business requirements
C Surveys
D Customer service responses
B

The process of hardening a device should include which of the following?

A Encrypting the OS
B Performing thorough personnel background checks
C Using video cameras
D Updating and patching the system
D

Which of the following is considered a physical control?

A Doors
B Ceilings
C Carpets
D Fences
D

The process of hardening a device should include all of the following, except:

A Improve default accounts
B Close unused ports
C Delete unnecessary services
D Strictly control administrator access
A

Which of the following is considered an administrative control?

A Keystroke logging
B Access control process
C Biometric authentication
D Door locks
B

All the following are ways of addressing risk, except:

A Mitigation
B Reversal
C Acceptance
D Transfer
B

In which cloud service model is the customer only responsible for the data?

A SaaS
B PaaS
C IaaS
D CaaS
A

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?

A All of these
B Administrative
C Physical
D Technological
A

To protect data on user devices in a BYOD environment, the organization should consider requiring all of the following, except:

A DLP agents
B Local encryption
C Multifactor authentication
D Two-person integrity
D

Devices in the cloud datacenter should be secure against attack. All the following are means of hardening devices, except:

A Using a strong password policy
B Removing default passwords
C Strictly limiting physical access
D Removing all admin accounts
D

The BIA can be used to provide information about all of the following, except:

A BC/DR planning
B Secure acquisition
C Risk analysis
D Selection of security controls
B

The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified?

A Contract
B RMF
C BIA
D MOU
A

Which of the following is considered a technological control?

A Firing personnel
B Firewall software
C Fireproof safe
D Fire extinguisher
B

In which cloud service model is the customer required to maintain and update only the applications?

A SaaS
B CaaS
C IaaS
D PaaS
D

In a cloud environment, encryption should be used for all the following, except:

A Long-term storage of data
B Near-term storage of virtualized images
C Secure sessions/VPN
D Profile formatting
D

Gathering business requirements can aid the organization in determining all of this information about organizational assets, except:

A Criticality
B Value
C Usefulness
D Full inventory
C

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?

A Polyinstantiation
B Quantum-state
C Gastronomic
D Homomorphic
D

In which cloud service model is the customer required to maintain the OS?

A SaaS
B PaaS
C IaaS
D CaaS
C

Risk appetite for an organization is determined by which of the following?

A Contractual agreement
B Legislative mandates
C Senior management
D Appetite evaluation
C

Which of the following best describes risk?

A Everlasting
B The likelihood that a threat will exploit a vulnerability
C Transient
D Preventable
B

What is the risk left over after controls and countermeasures are put in place?

A High
B Null
C Pertinent
D Residual
D

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.
Anonymization

XaaS refers to the growing diversity of services available over the Internet via cloud computing as opposed to being provided locally, or on-premises.
Anything as a Service (XaaS)

An open source cloud computing and infrastructure as a service (IaaS) platform developed to make creating, deploying, and managing IaaS cloud services easier by providing a complete stack of features and components for cloud environments.
Apache CloudStack

A subset of the organizational normative framework (ONF) that contains only the information required for a specific business application to reach the targeted level of trust.
Application Normative Framework (ANF)

A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.
Application Programming Interfaces (APIs)

Software technology that encapsulates application software from the underlying operating system (OS) on which it is executed.
Application Virtualization

The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station, or originator.
Authentication

Establishes identity by asking who you are and determining whether you are a legitimate user.
Authentication

The granting of right of access to a user, program, or process.
Authorization

Eliminating the risk that is simply too high and cannot be compensated for with adequate control mechanism–a risk that exceeds the organization’s appetite.
Avoidance

Usually involves splitting up and storing encrypted information across different cloud storage services.
Bit Splitting

A blank volume that the customer or user can put anything into; it may allow more flexibility and higher performance.
Block storage

An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.
Business Impact Analysis (BIA)

1 The identity of persons who handle evidence between the time of commission of the alleged offense and the ultimate disposition of the case. It is the responsibility of each transferee to ensure that the items are accounted for during the time they are in his possession, that they are properly protected, and that there is a record of the names of the persons from whom he received the items and to whom he delivered those items, together with the time and date of such receipt and delivery.

2 The control over evidence. Lack of control over evidence can lead to its being discredited completely. Chain of custody depends on being able to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence so that it cannot in any way be changed and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.
Chain of Custody

Refers to documentation that records all evidence that needs to be tracked and monitored from the time it is recognized as evidence and acquired for that purpose.
Chain of custody

A third-party entity offering independent identity and access management (IAM) services to CSPs and cloud customers, often as an intermediary.
Cloud Access Security Broker (CASB)

This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).
Cloud Administrator

Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet.
Cloud App (Cloud Application)

Typically responsible for adapting, porting, or deploying an application to a target cloud environment.
Cloud Application Architect

A specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.
Cloud Application Management for Platforms (CAMP)

Someone who determines when and how a private cloud meets the policies and needs of an organization’s strategic goals and contractual requirements from a technical perspective.

Also responsible for designing the private cloud, being involved in hybrid cloud deployments and instances, and having a key role in understanding and evaluating the technologies, vendors, services, and other skillsets needed to deploy the private cloud or to establish and operate the hybrid cloud components.
Cloud Architect

A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.
Cloud Backup Service Provider

Enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.
Cloud Backup Solutions

A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications.
Cloud Computing

Accounting software that is hosted on remote servers.
Cloud Computing Accounting Software

Describes the main characteristics relevant to cloud computing and its customers.
Cloud computing certification

A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.
Cloud Computing Reseller

Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant service-level agreements (SLAs) and that the storage components are functioning according to their specified requirements.
Cloud Data Architect

A database accessible to clients from the cloud and delivered to users on demand via the Internet.
Cloud Database

Focuses on development for the cloud infrastructure. This role can vary from client tools or solutions engagements through systems components. Although developers can operate independently or as part of a team, regular interactions with cloud administrators and security practitioners are required for debugging, code reviews, and relevant security assessment remediation requirements.
Cloud Developer

The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: cloud provider, client, and application.
Cloud Enablement

Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help to ensure a company’s cloud computing-based resources are working optimally and properly interacting with users and other services.
Cloud Management

The process of transitioning all or part of a company’s data, applications, and services from onsite premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.
Cloud Migration

A phrase frequently used in place of platform as a service (PaaS) to denote an association to cloud computing.
Cloud Operating System (OS)

The ability to move applications and their associated data between one cloud provider and another or between public and private cloud environments.

The ability to move applications and associated data between one cloud provider and another, or between legacy and cloud environments.
Cloud Portability

A service provider who offers customers storage or software solutions available via a public network, usually the Internet.
Cloud provider

The deployment of a company’s cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite behind the firewall or in the private cloud.
Cloud Provisioning

A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.
Cloud Server Hosting

Provides administrative assistance for the customer and the customer’s data and processing needs. Examples include Amazon Web Services, Rackspace, and Microsoft’s Azure.
Cloud Service Provider (CSP)

Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers (CSPs). It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services.
Cloud Services Brokerage (CSB)

The storage of data online in the cloud, wherein a company’s data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.
Cloud Storage

Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.
Cloud Testing

Helps to review and analyze change and exception requests.
CMB meeting

In a community cloud configuration, resources are shared and dispersed among an affinity group.
Community cloud

The compute parameters of a cloud server are the number of central processing units (CPUs) and the amount of random access memory (RAM).
Compute

A service where data is replicated across the global Internet.

A form of data caching, usually near geophysical locations of high use demand, for copies of data commonly requested by users.
Content Delivery Network (CDN)

Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.
Control

The legal protection for expressions of ideas is known as “copyright” and it doesn’t include ideas, specific words, slogans, recipes, or formulae.
Copyright

The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.
Corporate Governance

Involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes.
Criminal law

The process of deliberately destroying the encryption keys that were used to encrypt the data originally.

Involves encrypting the data with a strong encryption engine, and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys.
Crypto-Shredding

A powerful tool to regularly review, inventory, and inspect usage and condition of the information that an organization owns.
Data audit

Refers to a responsibility of the data owner that takes place in the Create phase and is assigned according to an overall organizational motif based on a specific characteristic of the given dataset.
Data classification

Auditing and preventing unauthorized data exfiltration.
Data Loss Prevention (DLP)

A method of creating a structurally similar but inauthentic version of an organization’s data that can be used for purposes such as software testing and user training.
Data Masking

Describes the ease of moving information from one cloud provider to another or away from the cloud provider and back to a legacy enterprise environment.
Data portability

A legal activity that might result in a host machine being confiscated or inspected by law enforcement or plaintiffs’ attorneys.
Data seizure

Provides some sort of structure for stored data; it is backend storage in the datacenter, accessed by users utilizing online apps.
Database

A database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs.
Database Activity Monitoring (DAM)

In essence, a managed database service.
Database as a Service (DBaaS)

Refers to a kind of data analysis which is an outgrowth of the possibilities offered by the regular use of the cloud, also known as “big data.”
Datamining

Entails multiple differing security controls protecting the same assets with a variety of technological levels.
Defense in depth

Using strong magnets to scramble data on magnetic media such as hard drives and tapes.

Involves applying strong magnetic fields to the hardware and media where the data resides, effectively making them blank.
Degaussing

Isolates network elements such as email servers that, because they can be accessed from trustless networks, are exposed to external attacks.
Demilitarized Zone (DMZ)

Refers to any type of attack that could cause the application to be unavailable.
Denial of service

Removes or reduces the authority and execution of security controls in the environment.
Deployment model

A form of virtual desktop infrastructure (VDI) that a third party outsources and handles.
Desktop as a Service (DaaS)

Focuses on security and encryption to prevent unauthorized copying, thus limiting distribution to only those who pay.
Digital Rights Management (DRM)

Reflects all the modifications to the environment in the asset inventory.
Documentation

Describes the organization’s responses during the test and performs some minimal actions.
Dry run

The process of testing an application or software product in an operating state.
Dynamic Application Security Testing (DAST)

e-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence.

Refers to the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes.
e-Discovery

An overt secret writing technique that uses a bidirectional algorithm in which humanly readable information (referred to as plaintext) is converted into humanly unintelligible information (referred to as ciphertext).

Offers a degree of assurance that nobody without authorization will be able to access your data in a meaningful way.
Encryption

A special mathematical code that allows encryption hardware and software to encode and then decipher an encrypted message.
Encryption Key

Software that a business uses to assist in solving problems.
Enterprise Application

The set of processes and structures to systematically manage all risks to the enterprise.
Enterprise Risk Management

Refers to the ability of any user to gain permissions above their authorized level.
Escalation of privilege

An open source cloud computing and infrastructure as a service (IaaS) platform for enabling AWS-compatible private and hybrid clouds.
Eucalyptus

A standard and model developed in Europe, which is responsible for producing cloud computing benefits, risks, and recommendations for information security.
European Union Agency for Network and Information Security (ENISA)

A type of risk that includes malware, hacking, DoS/DDoS, man-in-the-middle attacks, and so on.
External threat

A National Institute of Standards and Technology (NIST) publication written to accredit and distinguish secure and well-architected cryptographic modules produced by private-sector vendors who seek to or are in the process of having their solutions and services certified for use in U.S. government departments and regulated industries that collect, store, transfer, or share data that is deemed to be sensitive but not classified as top secret.
Federal Information Processing Standard (FIPS) 140-2

Governs the country against crimes such as kidnapping or bank robbery; the criminal is subject to prosecution or punishment.
Federal law

An arrangement that can be made among multiple enterprises allowing subscribers to use the same identification data to obtain access to the networks of all enterprises in the group.
Federated Identity Management (FIM)

A system that allows a single user authentication process across multiple information technology (IT) systems or even organizations. SSO is a subset of federated identity management (FIM), as it relates only to authentication and technical interoperability.
Federated Single Sign-On (SSO)

An association of organizations that facilitate the exchange of information and access to resources.
Federation

A tool which can be either hardware or software, or a combination of both, used to limit communications based on some criteria.
Firewall

An improperly designed or poorly configured hypervisor might allow for a user to leave the confines of their own virtualized instance.
Guest escape

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protection of log files, and more.
Hardware Security Module (HSM)

Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider (CSP) for processing without the requirement to decipher the data first.
Homomorphic Encryption

A developing technology that is intended to allow for processing of encrypted material without decrypting it first.
Homomorphic encryption

A tool used to detect, identify, isolate, and analyze attacks by attracting attackers.
Honeypot

A combination of public cloud storage and private cloud storage in which some critical data resides in the enterprise’s private cloud whereas other data is stored and accessible from a public cloud storage provider.
Hybrid Cloud Storage

The cloud provider creates and administers the hardware assets on which the customer’s programs and data will ride.
IaaS boundaries

The security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
Identity and Access Management (IAM)

Responsible for (a) providing identifiers for users looking to interact with a system, (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider. This can be achieved via an authentication module that verifies a security token that can be accepted as an alternative to repeatedly and explicitly authenticating a user within a security realm.
Identity Provider

The directory services for the administration of user accounts and their associated attributes.
Identity repositories

The possibility that processing performed on one virtualized instance may be detected by other instances on the same host.
Information bleed

A model that provides a complete infrastructure (servers and internetworking devices) and allows companies to install software on provisioned servers and control the configurations of all devices.

Allows the customer to install all software, including operating systems (OSs) on hardware housed and connected by the cloud vendor.
Infrastructure as a Service (IaaS)

Allows an individual to correct any of their own information if it is inaccurate.
Integrity

An issue in which the customer’s software may not function properly with each new adjustment in the environment if the OS is updated by the provider.
Interoperability issue

Takes defensive action when suspicious activity is recognized (such as closing ports and services), in addition to sending alerts.
Intrusion Prevention System (IPS)

Represents an overview of application security. It introduces definitions, concepts, principles, and processes involved in application security.
ISO/IEC 27034-1

The geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled.
Jurisdiction

The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.
Key Management

Entails a procedure that involves multiple people, each with access to only a portion of the key.
Key recovery

Describes the items that are the first to let you know something is inappropriate.
Key risk indicator

The practice of having multiple overlapping means of securing the environment with a variety of methods.
Layered defenses

Causes a wide variety of problems, including data loss, loss of control of devices, interruption of operations, and so forth.
Malware

The plane that controls the entire infrastructure. Because parts of it are exposed to customers independent of the network location, it is a prime resource to protect.
Management Plane

A weak form of confidentiality assurance that replaces the original information with asterisks or Xs.

A technique that hides the data with useless characters, e.g., showing only the last four digits of a social security number.
Masking

The measure of the average time between failures of a specific component or part of a system.
Mean time between failure (MTBF)

The measure of the average time it should take to repair a failed component or part of a system.
Mean time to repair (MTTR)

A process of taking steps to decrease the likelihood or the impact of the risk–this can take the form of controls/countermeasures and is usually where security practitioners are involved.
Mitigation

A form of cloud storage that applies to storing an individual’s mobile device data in the cloud and providing the individual with access to the data from anywhere.
Mobile Cloud Storage

A method of computer access control that a user can pass by successfully presenting authentication factors from two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).
Multifactor Authentication

The concept of sharing resources with other cloud customers simultaneously.
Multitenancy

Multiple customers using the same public cloud.
Multitenant

A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
National Institute of Standards and Technology (NIST) SP 800-53

Helps to check not only the hardware and the software but the distribution facets such as SDN control planes.
Network monitoring

A guide for implementing the risk management framework, which is a methodology for handling all organizational risks in a comprehensive manner.
NIST SP 800-37

The assurance that a specific author actually did create and send a specific item to a specific recipient and that it was successfully received. With assurance of nonrepudiation, the sender of the message cannot later credibly deny having sent the message, nor can the recipient credibly claim not to have received it.
Nonrepudiation

Informs an individual that personal information about them is being gathered or created.
Notice

The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable.
Obfuscation

Additional metadata, such as content type, redundancy required, and creation date, that is stored for a file. These objects are accessible through application programming interfaces (APIs) and potentially through a web user interface (UI).

Stores all data in a filesystem and also gives access to the customers to the parts of the hierarchy to which they are assigned.
Object Storage

Allows a significant level of description, including marking, labels, classification, and categorization; it also enhances the opportunity for indexing capabilities.
Object-based storage

Leverages the Internet and cloud computing to create an attractive offsite storage solution with little hardware requirements for any business of any size.
Online Backup

A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization.
Organizational Normative Framework (ONF)

Used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters.
OS logging

The cloud provider is responsible for installing, maintaining, and administering the OS(s).
PaaS boundaries

What is the intellectual property protection for a useful manufacturing innovation?

A Trademark
B Trade secret
C Copyright
D Patent
D

A form of cloud storage that applies to storing an individual’s data in the cloud and providing the individual with access to the data from anywhere.
Personal Cloud Storage

Any information relating to an identified or identifiable data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.
Personal Data

Information that can be traced back to an individual user, such as name, postal address, or email address. Personal user preferences tracked by a website via a cookie are also considered personally identifiable when linked to other PII you provide online.
Personally Identifiable Information (PII)

Provides an increased level of robustness among the personnel resources who administer and support the IT components.
Personnel redundancy

A malicious or negligent insider who can cause significant negative impact, as they have physical access to the resources.
Personnel threat

________ abstracts and provides development or application platforms, such as databases, application platforms (e.g. a place to run Python, PHP, or other code), file storage and collaboration, or even proprietary application processing (such as machine learning, big data processing, or direct API access to features of a full SaaS application). The key differentiator is that, with PaaS, you don’t manage the underlying servers, networks, or other infrastructure.

It contains everything included in IaaS, with the addition of OSs. This model is especially useful for software development operations (DevOps).
Platform as a Service (PaaS)

Provide a voice and expression to the strategic goals and objectives of management.
Policies

Serves as the enforcement arm of authentication and authorization and is established based on business needs and senior management decisions.
Policy management

Behooves the cloud provider to ensure that all communication lines are replicated on opposite sides of each building.
Power line redundancy

A private cloud configuration is a legacy configuration of a datacenter, often with distributed computing and BYOD capabilities.
Private cloud

Used by organizations to enable their information technology (IT) infrastructures to become more capable of quickly adapting to continually evolving business needs and requirements.
Private Cloud Project

A form of cloud storage in which the enterprise data and cloud storage resources reside within the enterprise’s data center and behind the firewall.
Private Cloud Storage

A form of cloud storage in which the enterprise and storage service provider are separate and the data is stored outside the enterprise’s data center.
Public Cloud Storage

Includes whether the information will be shared with any other entity.
Purpose

The capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, synchronous optical networking (SONET), and Internet protocol (IP)-routed networks that may use any or all of these underlying technologies.
Quality of Service (QoS)

A technique which allows the replacement of the data with random characters, leaving the other traits intact such as length of the string and character set.
Randomization

A data structure or collection of information that must be retained by an organization for legal, regulatory, or business reasons.
Record

An approach to using many low-cost drives as a group to improve performance. Also provides a degree of redundancy that makes the chance of data loss remote.
Redundant Array of Independent Disks (RAID)

A solicitation, often made through a bidding process by a company, looking to secure goods or services from an external vendor.
Request for Proposal

Programs and instances run by the customer that will operate on the same devices used by other customers, sometimes simultaneously.
Resource sharing

A policy that contains a description of how the data is actually archived, that is, what type of media it is stored on.
Retention format

Defines how long the data should be kept by an organization and is often expressed in a number of years.
Retention period

Refers to the level, amount, or type of risk that the organization finds acceptable.
Risk appetite

Defined as a response to the cost-benefit analysis when posed with a specific risk.
Risk avoidance

Individuals in an organization who together determine the organization’s overall risk profile.
Risk owner and player

Includes a survey of the various operations in which an organization is engaged and the public perception of the organization.
Risk profile

_____ is the amount of risk that the leadership and stakeholders of an organization are willing to accept.

It varies based on asset value and the requirements of a particular asset.
Risk tolerance

A way to handle risk associated with an activity without accepting all the risks.
Risk transference

A testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development, including web development and revision control.

Refers to including only departments or business units impacted by any cloud engagement.
Scoping

Reduces the likelihood of data leaking between computers that are connected through the KVM.
Secure data port

A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.
Security Alliance’s Cloud Controls Matrix

A version of the SAML standard for exchanging authentication and authorization data between security domains.
Security Assertion Markup Language (SAML)

A method for analyzing risk in software systems.
Security Information and Event Management (SIEM)

A formal agreement between two or more organizations: one that provides a service and the other that is the recipient of the service. It may be a legal contract with incentives and penalties.
Service-Level Agreement (SLA)

Helps the customer to seek financial restitution for damages caused to them, that occurred because of negligence or malfeasance on the part of the provider.
Shared policy

A technique which uses different entries from within the same data set to represent the data.
Shuffling

Audits the financial reporting instruments of a corporation and consists of two subclasses.
SOC 1

A type of report which is intended to report audits of controls on an organization’s security, availability, processing integrity, and privacy.
SOC 2

Contains no actual data about the security controls of the audit target and is also known as the “seal of approval”.
SOC 3

_______ is a full application and distributed model that’s managed and hosted by the provider. Consumers access it with a web browser, mobile app, or a lightweight client app.

Includes everything listed in the previous Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) models, with the addition of software programs.
Software as a Service (SaaS)

A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.
Software-Defined Networking (SDN)

Includes day-to-day laws such as speed limits, state tax laws, the criminal code, and so on, which are enacted by a state legislature as opposed to those enacted at the national or federal level.
State law

SAST testing is useful in finding such security problems as cross-site scripting (XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions, and backdoors. This type of test usually delivers more results and more accuracy than its counterpart dynamic application security testing (DAST).
Static Application Security Testing (SAST)

The collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.
Storage Cloud

Derived from an acronym for the following six threat categories: spoofing identity, tampering with data, repudiation, information disclosure, denial of service (DoS), and elevation of privilege.
STRIDE Threat Model

Reduces the likelihood of unauthorized users gaining access and restricts authorized users to permitted activities.
Strong authentication

Describes how the participants would perform their tasks in a given BC/DR scenario.
Tabletop testing

A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities. Allows them to plan a roadmap to meet the security needs of their business.
TCI Reference Architecture

A cloud provider who manages the administration of a user’s system and who is not under the user’s control.
Third-party admin

The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Tokenization

Refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed by others.
Tort law

Protects the esteem and goodwill that an organization has built among the marketplace, especially in public perception.
Trademark

A risk management strategy that involves the contractual shifting of a risk from one organization to another.
Transference

Ensures the privacy of communication between applications.
Transport Layer Security (TLS)

Highlights where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints.

Occurs in a situation where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints.
Vendor Lock-In

The optimization of cloud computing and cloud services for a particular vertical (such as a specific industry) or specific-use application.
Vertical Cloud Computing

A VMI helps to mitigate risk and ensure that a virtual machine’s (VM’s) security baseline is not modified over time. It provides an agentless method to examine all aspects of a VM from its physical location and its network settings to the installed operating systems (OSs), patches, applications, and services being used.
Virtual Machine Introspection (VMI)

Creates a secure tunnel across untrusted networks that can aid in obviating man-in-the-middle attacks such as eavesdropping.
Virtual private network

A process of creating a virtual version of something, including virtual computer hardware platforms, operating systems, storage devices, and computer network resources.
Virtualization

Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocation of resources across multiple tenants and environments.
Virtualization Technologies

Encrypts only a part of a hard drive instead of the entire disk.
Volume encryption

Allocates a storage space within the cloud and this storage space is represented as an attached drive to the user’s virtual machine.
Volume storage

An appliance, server plug-in, or filter that applies a set of rules to a hypertext transfer protocol (HTTP) conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injections.
Web Application Firewall (WAF)

Which of the following standards sets out terms and definitions, principles, a framework, and a process for managing risk?

A ISO 31000:2009
B ISO 28000:2007
C ISO 27001:2013
D ISO/IEC 27037:2012
A

Which of the following are the virtualization risks?

Each correct answer represents a complete solution. Choose three.

1) Guest breakout
2) Resource exhaustion
3) Sprawl
4) Isolation control failure
5) Snapshot and image security

A 2,4,5
B 1,3,5
B

Which category does Rapid Provisioning and Scalability fall into?

A PaaS
B IaaS
C SaaS
D XaaS
A

Kim works as a project manager at ABC Inc. His organization requires an application to launch its products. For this, Kim performs the following activities:

-Discusses business requirements in terms of confidentiality, integrity, and availability
-Determines, creates, and identifies information to transmit or store
-Determines privacy requirements

Which of the following phases of SDLC includes the activities performed by Kim?

A Developing
B Testing
C Defining
D Designing
E Planning and requirements analysis
E

Which testing methodology is run against systems that can tune their focus of security?

A DAST
B REST
C RASP
D SAST
C

SOAP and REST are APIs that must run over SSL or TLS for security purposes.

A True
B False
A

Which is not a part of the Management Plane?

A Storage
B Software
C Hypervisor Type 1
D Hypervisor Type 2
B

The cloud model eliminates the need for a failover site.

A True
B False
B

What functions does the CCSP perform to obtain assurance and conduct auditing on the VMs and hypervisor?

Each correct answer represents a complete solution. Choose all that apply.

1) Verify configuration of hypervisor according to the organizational policy.

2) Verify systems are up to date and hardened according to best-practice standards.

3) Understand the virtualization management architecture.

4) Focus only on VMs and its associated hypervisors.

A 1,2,3
B 2,3,4
A

What are SOC 1/SOC 2/SOC 3?

A Audit reports
B Software development phases
C Risk management frameworks
D Access controls
A

You are a service provider who provides cloud services and resources to a person using and subscribing to them. There is an official commitment (i.e., a service-level agreement) between the service provider and the user. Who verifies this official commitment?

A Cloud computing reseller
B Cloud backup service provider
C Cloud customer
D Cloud service auditor
D

Which of the following guidelines covers eDiscovery?

A ISO/IEC 27001
B ISO/IEC 27010
C ISO/IEC 27001 2013
D ISO/IEC 27050
D

As a cloud customer you have access to all logs regardless of the cloud model.

A True
B False
B

An attacker establishes themselves on a system in such a way to enable the stealing of data over time. What kind of attack is this?

A Data Breach
B Malicious Insider
C Advanced Persistent Threats
D Account Hijacking
C

Which of the following is a drawback of cloud computing in which a customer depends on a dealer for products and services due to technical or nontechnical constraints?

A Cryptographic erasure
B Vendor lock-in
C Resiliency
D Data overwriting
B

Which is not a principle of GAAP?

A Principle of Compensation
B Principle of Sincerity
C Principle of Regularity
D Principle of Consistency
A

HIPAA, SOX, and PCI DSS are examples of:

A Regulatory compliance
B Cloud security tools
C Governance
D SLAs
A

What is the biggest concern for migration of services during BCDR?

A Security
B Resources
C Location
D Vendor Lock-in
C

IRM allows for the following except:

A Encryption
B Protection
C Auditing
D Policy Control
A

The following are Data States as referred to by DLP except:

A Data in Transit
B Data in use
C Data at rest
D Data in transmission
D

Which of the following will help achieve redundancy in virtual switches?

Each correct answer represents a complete solution. Choose all that apply.

1) Kerberos
2) CHAP
3) Port channeling
4) Physical NICs

A 3,4
B 1,2
A

Which is the correct order of the Cloud Secure Data Lifecycle?

A Create, Use, Store, Share, Archive, Destroy
B Create, Store, Share, Use, Archive, Destroy
C Create, Share, Store, Use, Archive, Destroy
D Create, Store, Use, Share, Archive, Destroy
D

Where would the monitoring engine be deployed when using a network-based DLP system?

A On a VLAN
B Near the organizational gateway
C In the storage system
D On a user’s workstation
B

Which body establishes optimal temperature and humidity levels?

A ASHAE
B ASHRAE
C ASHAPE
D ASHARE
B

What defines what is to be covered in the audit?

A Requirements for the Audit
B Audit Statement
C Audit report
D Scope of audit
D

Which of the following are the data classification categories?

Each correct answer represents a complete solution. Choose three.

1) Obligation for retention and preservation
2) Ownership
3) Data type
4) Parameter type

A 2,3,4
B 1,2,3
B

Which of the following are the key regulations applicable to the CSP facility?

Each correct answer represents a complete solution. Choose two.

1) COBRA
2) HITRUST CSF
3) PCI DSS
4) HIPAA

A 3,4
B 1,2
A

This device is used to offload processing of XML from the application:

A XML Processor
B XML Accelerator
C XML Broker
D XML Firewall
B

This is the amount of services that is required to be restored to meet the requirements of a BCDR plan:

A RTO
B RTL
C RPO
D RSL
D – Recovery Service Level

Assessing Risk
Monitoring Risk
Responding to Risk
Framing Risk
Components of the risk-management process

In which of the following components of the data retention policy do data-retention considerations depend heavily on the required compliance administration associated with the data type?

A Legislation, regulation, and standards requirements
B Data mapping
C Data classification
D Monitoring and maintenance
A

In which cloud deployment model are all infrastructure-level logs visible to the CCSP as detailed application logs?

A NaaS
B SaaS
C IaaS
D PaaS
C

Which of the following are required for improving the level of assurance in cloud computing?

Each correct answer represents a complete solution. Choose two.

1) Customer service
2) Service automation
3) Self-service

A 1,2
B 2,3
B

All of the following should be included in the audit scope definition except:

A Audit Duplication
B Audit Steps
C Change Controls
D Communications
A

A system capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network is known as:

A HIDS
B SIDS
C IPSec
D NIDS
A

Multitenancy
Virtualization technology
Cloud management plane
Characteristics of cloud computing that can affect the logical design of a data center

This system is provided by the CSP, but controlled and even hosted by the customer:

A Customer-Side KMS
B Client-Side KMS
C Remote KMS
D Internal KMS
B

Which of the following allows logical isolation of hosts on a network?

A DNS
B TLS
C VLAN
D IPSec
C

All versions of SSL and TLS are acceptable to secure Data in Transit.

A True
B False
B

Baseline compliance scanning should alert on any deviation from the baseline.

A True
B False
B

Applications with known vulnerabilities cannot be mitigated and should never be used.

A True
B False
B

Which component is among the highest-risk components with respect to software vulnerabilities?

A Control plane
B Management plane
C User plane
D Data plane
B

Engaging with the users and IT personnel who will be impacted.
Extending risk management and enterprise risk management.
Objectively selecting the appropriate service and provider.
Stakeholder identification challenges

IaaS
PaaS
Cloud Models that use the Structured vs Unstructured storage types

Which of the following is a specification constructed for making the management of applications easy in terms of a PaaS (Platform as a Service) system?

A Vertical cloud computing
B CAMP
C Cloud provisioning
D Cloud server hosting
B – Cloud application management for platforms

Which Threat Model provides a standardized way of describing threats by their attributes?
STRIDE

A WAF typically parses which type of traffic?

A XML
B HTTP
C REST
D SOAP
B

All of the following are components of DLP except:

A Labeling
B Monitoring
C Enforcement
D Discovery and Classification
A

Where do the bare metal hypervisors run?

A On software
B On hardware
C On a host OS
D On a client OS
B

Which is not necessarily related directly to privacy?

A Safe Harbor
B HIPAA
C GLBA
D SOX
D

In PaaS the customer has control over:

A Software
B OS
C Physical
D Platform
A

Vulnerability testing where you have knowledge of the systems involved is called?

A Hybrid
B DAST
C SAST
D Pen
C

When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed?

A The directive applies to data processed by a natural person in the course of purely personal activities.

B The directive applies to data processed by automated means and data contained in paper files.

C The directive applies to data processed by automated means in the course of purely personal activities.

D The directive applies to data processed in the course of an activity that falls outside the scope of community law, such as public safety.
B

An organization wants to preserve control of its IT environments and take advantage of flexibility, scalability, and cost savings. Which cloud deployment model helps the organization do this?

A Private
B Hybrid
C Community
D Public
B

Which model allows the customer to choose/manage their software and operating systems?

A PaaS
B IaaS
C DBaaS
D SaaS
B

When using an IaaS solution, what is a key benefit provided to the customer?

A Transferred cost of ownership
B Metered and priced usage on the basis of units consumed
C The ability to scale up infrastructure services based on projected usage
D Increased energy and cooling system efficiencies
B

Which of the following is not an access control?

A Developer access
B Building access
C Random access
D Customer access
C

Which of the following cloud threats is described in the statement below?

“If a multitenant cloud service database is not properly designed, a flaw in one client’s application can allow an attacker access not only to that client’s data but to every other client’s data as well.”

A Insecure APIs
B Abuse of cloud services
C Data breach
D Insufficient due diligence
C

Which model requires the customer to perform their own patching of systems?

A SaaS
B PaaS
C IaaS
D DBaaS
C

This is the method of analyzing data for certain attributes to determine the appropriate controls to apply:

A Classification
B Data Discovery
C eDiscovery
D Categorization
A

Which determines the effectiveness of controls in an Audit?

A Lessons Learned
B Reporting
C A final Audit report
D Gap Analysis
C

Which of the following guidelines includes the given concepts?

-National privacy strategies
-Privacy management programs
-Data security breach notification

A OAuth
B ANF
C OECD
D ONF
C

Which of the following is a technology that provides a shared resource pool, managed to maximize the number of guest operating systems?

A Scalability
B Rapid elasticity
C Virtualization
D Hypervisor
C

Items of evidence must be labeled with signatures and descriptions.

Records the signatures of people performing the transportation of items.

Records actions, processes, tests, and handling of an item with date and time.
Statements are true of chain of evidence

Biometric data
Telephone or Internet data
Sensitive data
Categories of the personal data that can be processed

A standard base of technologies and policies across different organizations is called:

A Regulations
B Standards
C Forests
D Federation
D

Proper identification and documentation of key stakeholders is vital to any IT system.

A True
B False
A

What are the six stages of the cloud secure data lifecycle?

A Create, archive, use, share, store, and destroy
B Create, use, store, share, archive, and destroy
C Create, store, use, share, archive, and destroy
D Create, share, store, archive, use, and destroy
C

Which process analyzes data for certain attributes and uses that to determine the appropriate controls and policies to apply to it?

A Classification
B Monitoring
C Discovery
D eDiscovery
A

What should configuration management always be tied to?

A Change management
B Financial management
C Business relationship management
D IT service management
A

Which of the following modes of encryption dependencies secures data while it navigates the CSP network or the Internet?

A Encryption of data at rest
B Encryption of data in transit
C Data obfuscation
B

Which is not associated with Federated ID Systems?

A SAML
B SAME
C OpenID
D OAuth
B

With whom does a service provider dictate both the technology and the operational procedures being made available to the cloud consumer?

A Cloud computing reseller
B Cloud service provider
C Cloud services brokerage
D Managed service provider
B

Which is the internationally accepted standard for eDiscovery?

A ISO/IEC 27055A
B ISO/IEC 20750A
C ISO/IEC 27050
D ISO/IEC 27055
C

All formatting, security, and usage of LUNs is handled by the storage device.

A True
B False
B

Which of the following components is not associated with encryption deployments?

A Encryption engine
B The data
C Encryption keys
D Encryption algorithm
D

What is lock-in in reference to cloud services?

A Access tools.
B Proprietary roadblocks to changing CSPs.
C Ability to change CSP with minimal changes to the environment.
D SLA Commitment.
B

Key management in a cloud environment is not very important.

A True
B False
B

Who publishes the optimal temperature and humidity levels for data centers?

A ASHR
B ASHRAE
C BICSI
D NFPA
B

To ensure that the service quality and availability are maintained.
To minimize the adverse impact on business operations.
To restore normal service operation as quickly as possible.
Three purposes of incident management

An organization will conduct a risk assessment to evaluate which of the following?

A Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the total risk

B Threats to its assets, vulnerabilities not present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk

C Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on another organization, and the residual risk

D Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk when appropriate controls are properly applied to lessen the vulnerability
D

Which of the following concerns does the “existing on-premise solution” BCDR scenario represent?

A Evaluating a cloud service provider’s BCDR
B Using cloud as BCDR
C Evaluating alternative CSP as BCDR
B

DAST is usually run against live systems and those running the test do not know anything about the system.

A True
B False
A

Broad network access.
On-demand self-service.
Essential characteristics of cloud computing

Which standard outlines the steps to create an ISMS?

A ISO/IEC 27018:2005
B ISO/IEC 27001:2005
C ISO/IEC 27001:2011
D ISO/IEC 27001:2013
D

Which of the following is the gathering of data as evidence?

A eDiscovery
B Data Collection
C Discovery
D eCollection
A

What are the four cloud deployment models?

A External, private, hybrid, and community
B Public, internal, hybrid, and community
C Public, private, hybrid, and community
D Public, private, joint, and community
C

This regulation allows American and EU PII exchange without requiring American entities to follow EU PII laws.

A EU
B HIPAA
C SOX
D Safe Harbor
D

Object Storage is usually accessed through:

A LUNs
B APIs
C Drives
D Management Plane
B

Volume Storage is split into pieces called:

A LUNs
B VLANs
C Units
D Drives
A

An insecure API could potentially put entire data sets at risk for loss or exposure.

A True
B False
A

The following are possible authentication factors except:

A Username/Password
B Token
C Biometric
D SSO
D

KPIs
Business Processes
Events
What business QoS focuses on measuring

Which helps to establish the identity of an entity with adequate assurance?

A Authentication
B Identity and access management
C Identification
D Authorization
A

How is data in the cloud typically sanitized?

A Destruction
B Shredding
C Overwriting
D Degaussing
C

Which of the following is used to distribute loads across physical devices?

A Clustering
B DRS
C DNS
D DO
B

Certain data sanitation methods may be required for different types of data.

A True
B False
A

McDonald’s has been using the slogan “I’m lovin’ it” over the last five decades, which has a strong right or law attached to it. What is that right or law?

A Tort law
B The doctrine of the proper law
C Intellectual property right
D Restatement conflict of law
C

When using maintenance mode, which two items are disabled and which item remains enabled?

A Customer access and alerts are disabled while the ability to power on VMs remains enabled.

B Customer access and alerts are disabled while logging remains enabled.

C Customer access and logging are disabled while alerts remain enabled.

D Logging and alerts are disabled while the ability to deploy new VMs remains enabled.
B

The entitlement process begins with business and security requirements and translates these into a set of rules. What would be the next step of the process?

A Rules are then translated into component authorization decisions
B Rules are then applied to vendors and consumers
C Business and security requirements are updated
D Rules are then translated into component authentication decisions
A

Which method is more commonly used in federated identity environments?

A SAML
B WS
C OpenID
D OAuth
A

Which ISAE report is run over a pre-defined period of time, usually six months?

A Aged Reports
B Type 3 Reports
C Type 2 Reports
D Type 1 Reports
C

Which is a software or hardware-based network security system that controls the incoming and outgoing network traffic based on an applied rule set?

A IPS
B Firewall
C IDS
D Honeypot
B

What is an association of organizations that come together to exchange appropriate information about their users and resources to enable collaborations and transactions called?

A Identity repository
B Federation
C DAST
D ONF
B

Which is not a Critical Success Factor?

A CSP responsibilities
B Order of restoration
C Identification of need to remove backups
D Customer responsibilities
C

Compensates victims for injuries suffered by the culpable action or inaction of others.

It justifies legal rights and interests that have been compromised, diminished, or emasculated.

Discourages injurious, careless, and risky behavior in the future.
Tort Law

What is the first international set of privacy controls in the cloud?

A ISO/IEC 27032
B ISO/IEC 27005
C ISO/IEC 27002
D ISO/IEC 27018
D

Cloud Portability Means:

A Ability to change providers
B Ability to use anywhere
C Ability to use with mobile devices
D Ability to use on multiple device types
A

Which of the following is the science of hiding information to protect sensitive information and communications from unauthorized access?

A Cryptography
B Social Engineering
C DDoS
D Phishing
A

In the tokenization architecture, which step should be performed after the tokenization server generates the token and stores it in the token database?

A An application collects or generates a piece of sensitive data.
B The tokenization server returns the token to the application.
C The application stores the token rather than the original data.
D Data is sent to the tokenization server; it is not stored locally.
B

In a federated environment, who is the relying party, and what does it do?

A The relying party is the service provider; it consumes the tokens that the customer generates.

B The relying party is the service provider; it consumes the tokens that the identity provider generates.

C The relying party is the customer; he consumes the tokens that the identity provider generates.

D The relying party is the identity provider; it consumes the tokens that the service provider generates.
B

In SOC 2 Auditing, how many categories make up the security principle?

A 1
B 3
C 5
D 7
D

Which kind of Data Obfuscation method replaces Data with random values that can be mapped to actual data?

A Transparency
B Tokenization
C Masking
D Encryption
B

Who is responsible for delivering, managing, and provisioning cloud services?

A Cloud service manager
B Cloud service business manager
C Network provider
D Inter-cloud provider
A

This concept affords the right to look at things anonymously and to be “forgotten” by a system when you leave.

A Integrity
B Access
C Privacy
D Confidentiality
C

This type of hypervisor is tied directly to the hardware or “Bare Metal”:

A Type 1
B Type 2
C Type 3
D Type 4
A

What is the key issue associated with the object storage type that the CCSP has to be aware of?

A Access control
B Data consistency, which is achieved only after change propagation to all replica instances has taken place
C Continuous monitoring
D Data consistency, which is achieved only after change propagation to a specified percentage of replica instances has taken place
B

Which is not a step in the BCDR continual process?

A Define Scope
B Auditing
C Analyze
D Assess Risk
B

Which is not part of the risk management process?

A Discovery
B Responding
C Framing
D Monitoring
A

As part of ITIL, what kind of ticket is created to make a change?

A RFCM
B CM
C RCM
D RFC
D

Which is a PII law specifically for financial institutions?

A GBLA
B PCI DSS
C GLBA
D GLIBA
C

No wasted resources
Easy and inexpensive setup
Scalability to meet customer needs
Benefits of the public cloud deployment model

Which of the following evaluates the risks and merits of various types of test scenarios?

A Test scenario
B Test plan
C Comprehensive test scenario
D Management
D

Which is a management control that is usually tied to hardware?

A Hypervisor Type 1
B Hypervisor Type 2
C Hypervisor Type 3
D Hypervisor Type 4
A

Data classification determines what controls should protect data.

A True
B False
A

A data center should always be geographically located in the same place as its headquarters for quick and easy access.

A True
B False
B

Who bears the ultimate responsibility for creating and controlling data?

A The Data Custodian
B System Administrator
C CSP
D The Data Owner
D

Which is NOT a benefit of PaaS?

A Cost Effectiveness
B Flexibility
C Choice of Environments
D High Cost
D

In which of the following policy and organization risks is the consumer not able to implement all required controls?

A Compliance risk
B Loss of governance
C Provider exit
D Provider lock-in
B

A user decides they need extra time to work on a project. They install a modem in their system to dial in and work from home. This is an example of what kind of threat?

A Account hijacker
B Insider
C Modem
D Advanced Persistent Threats
B

When does an XSS flaw occur?

A Whenever an application takes trusted data and sends it to a web browser without proper validation or escaping

B Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping

C Whenever an application takes trusted data and sends it to a web browser with proper validation or escaping

D Whenever an application takes untrusted data and sends it to a web browser with proper validation or escaping
B

Which of the following cloud services provides a key benefit for developers in that the services they require can be obtained from diverse sources nationally or internationally?

A PaaS
B NaaS
C SaaS
D IaaS
A

Which of the following is strongly encouraged for managing access of the directory administrators?

A PIM
B Active Directory
C LDAP
D IAM
A – PIM (Privileged Identity Management)

Security
Services
Health
3 things IT QoS focuses on measuring

Complexity of fixes
Project delays
Reasons Security Scanning should be performed throughout the development process

The scope of an audit will change based on the cloud model used.

A True
B False
A

The Sarbanes-Oxley Act is enforced by:

A SPA
B FED
C SOX
D SEC
D

What are the four elements that a data retention policy should define?

A Retention periods, data formats, data security, and data destruction procedures

B Retention periods, data formats, data security, and data communication procedures

C Retention periods, data formats, data security, and data retrieval procedures

D Retention periods, data access methods, data security, and data retrieval procedures
C

Data in the destroy phase can be considered destroyed if it is made permanently inaccessible.

A True
B False
A

What defines what the audit will produce?

A Audit criteria for assessment
B Deliverables
C Scope of Audit
D Audit Scope
B

Cooling
Power Distribution
Outside Power Supply
Inside Power Supply
Items that should be redundant in a data center

This concept is the unauthorized exposure of data:

A Account Hijacking
B Data Breach
C Data Loss
D Data Access
B

Which of the following is an ongoing process and implemented throughout the system life cycle to keep track of identified risks?

A Risk assessment
B Framing risk
C Risk control
D Risk monitoring
D

ENISA (European Network and Information Security Agency)
NIST (National Institute of Standards and Technology)
ISO 31000:2009
Frameworks that are associated with risk

This includes policies focused on reducing threats and risks to IT and Data resources.

A ITIL
B ISMS
C ITSM
D MSIS
B

Sets up a baseline for the default Information Protection Policy.
Adds an extra layer of access controls on top of the data object.
Protects sensitive organization content.
Features of IRM

There may be extra costs associated with eDiscovery in a cloud environment.

A True
B False
A

What is a security-related concern for a PaaS solution?

A Data access and policies
B System and resource isolation
C Virtual machine attacks
D Web application security
B

Encryption
Overwriting
Methods for the safe disposal of electronic records in Cloud Environments

This type of attack attempts to identify known holes in the security systems.

A Pen Testing
B SAST
C DAST
D Vulnerability Scanning
D

Third-party e-discovery
Hosted e-discovery
SaaS-based e-discovery
Ways to conduct e-discovery investigations in cloud environments

Which standard outlines domains which establish frameworks for risk assessment?

A ISO/IEC 27018:2005
B ISO/IEC 27001:2005
C ISO/IEC 27001:2011
D ISO/IEC 27001:2013
D

Which of the following is not a cloud deployment model?

A Private
B Public
C Open
D Hybrid
C

Which data-at-rest encryption method encrypts all the data stored on the volume and all snapshots created from the volume?

A Whole instance encryption
B Volume encryption
C Directory encryption
A – Whole-instance encryption: Encrypts all of the system’s data at rest in one instance

Which of the following provides privacy protections for certain electronic communication and computing services from unauthorized access or interception?

A HIPAA
B SOX
C SCA
D GLBA
C – SCA (Stored Communications Act)

What are the phases of a software development lifecycle process model?

A Planning and requirements analysis, designing, defining, developing, testing, and maintenance

B Planning and requirements analysis, defining, designing, developing, testing, and maintenance

C Defining, planning and requirements analysis, designing, developing, testing, and maintenance

D Planning and requirements analysis, defining, designing, testing, developing, and maintenance
B

Which of the following are storage types used with an IaaS solution?

A Volume and block
B Volume and object
C Unstructured and ephemeral
D Structured and object
B

Which of the following cloud characteristics explains that a cloud provides services to serve multiple clients according to their priority?

A Measured service
B Resource pooling
C Rapid elasticity
D Broad network access
B

What are the five Trust Services principles?

A Security, Availability, Processing Integrity, Confidentiality, and Privacy

B Security, Availability, Processing Integrity, Confidentiality, and Nonrepudiation

C Security, Availability, Customer Integrity, Confidentiality, and Privacy

D Security, Auditability, Processing Integrity, Confidentiality, and Privacy
A

All of the following are part of a Federated Identity System except:

A Relaying Party
B User
C Identity Provider
D Relying Party
A

Single Sign On works by issuing:

A Passwords
B IDs
C Tickets
D Tokens
D

RFCs are approved by?

A Managers
B Committee
C CAB
D Supervisors
C – CAB (Change Advisory Board)

When using transparent encryption of a database, where does the encryption engine reside?

A Within the database
B At the application using the database
C On the instances attached to the volume
D In a key management system
A

Application and software licensing
Overall reduction of costs
Reduced support costs
Benefits provided by SaaS for the applications accessible by clients anywhere

This plugin parses HTTP traffic and applies a set of rules before sending it to the application server.

A WPA
B WAP
C WAS
D WAF
D – WAF (Web Application Firewall)

Ensure knowledge transfer.
Manage stakeholders.
Ensure the integrity of release packages.
Objectives of release and deployment management

Data in the Archive and Destroy phases may need to be handled according to regulations, standards, or policies.

A True
B False
A

Which is not a part of the BCDR Continual Process?

A Report
B Analyze
C Gather Resources
D Revise
C

Open Source Software is less secure than proprietary software and should not be used in a cloud environment.

A True
B False
B

The following are common vulnerabilities in a cloud environment except:

A DBSS
B XSS
C Injection
D Unvalidated Redirects
A

Which of the following allows consumers to obtain, remove, manage, and report on resources, without the need to engage or speak with resources internally or with the provider?

A Self-service and on-demand capacity
B Scale
C High reliability and resilience
D Converged network and IT capacity pool
A

Which step of the BCDR Continual Process uses the RPO and RTO to determine what is needed in BCDR planning?

A Assess Risk
B Gather Requirements
C Analyze
D Define Scope
B

Which SOC 2 report would be run to determine if security controls are suitable based on design and intent?

A Type 2 Reports
B Type 3 Reports
C Aged Reports
D Type 1 Reports
D

Which of the following are distinguishing characteristics of a managed service provider?

A Have some form of a help desk but no NOC.

B Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management.

C Have some form of a NOC but no help desk.

D Be able to remotely monitor and manage objects for the customer and reactively maintain these objects under management.
B

Automations can be used to monitor the baselines and remediation of servers.

A True
B False
A

Consider the following example:

“An artist gives an art gallery permission to represent the art of some other artist but he is not allowed to reproduce his work.”

Which law is applied in the given example that restricts the artist?

A Tort law
B The doctrine of the proper law
C Criminal law
D Copyright and piracy law
D

Which of the following Acts consists of the given sections?

-The financial privacy
-The safeguards rule
-The pretexting provisions

A SCA
B SOX
C HIPAA
D GLBA
D

Which of the following is considered a “white box” test?

A DAST
B SAST
C Port Scanning
D Pen Testing
B

In cloud development, which of the following is essential to success?

A Programming Languages
B Experience/knowledge of newer languages/methodologies
C Project Management
D Development Methodologies
B

RPO and RSL are used to establish when services and data are completely restored.

A True
B False
B

Who among the following adds and extends value to the cloud-based services for customers?

A Cloud services brokerage
B Cloud service auditor
C Cloud backup service provider
D Cloud service provider
A

Which is a management control that is usually tied to the host OS?

A Hypervisor Type 2
B Hypervisor Type 3
C Hypervisor Type 4
D Hypervisor Type 1
A

Host hardening
Host patching
Secure build
Secure initial configuration
Best practice recommendations to secure host servers within a cloud environment

Knowing that the cloud provider does vulnerability assessment is good enough.

A True
B False
B

Which STRIDE component involves disputes?

A Denial of Service
B Spoofing Identity
C Tampering with Data
D Repudiation
D

Confidentiality and Integrity are essentially the same thing.

A True
B False
B

STRIDE
DREAD
Examples of threat modeling

When using a PaaS solution, what is the capability provided to the customer?
To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Data storage types that PaaS utilizes
Structured and Unstructured

Deployed on the local system
HIDS and HIPS

Which of the following is considered white-box testing and analyzes application source code, byte code, and binaries for coding and design conditions that reveal security vulnerabilities?

A Penetration testing
B RASP
C DAST
D SAST
D – SAST (static application security testing)

What input entities does the secondary set include for data classification with regard to P&DP?
Data breach constraints
Data retention constraints
Data location allowed

Which components must the CCSP review to ensure that the distributed IT model does not leave a negative impact on organizations?
Clear communications
Coordination and management of activities
Governance of processes and activities
Security reporting

Which of the following is a third-party entity that selects the best provider for each customer and monitors the services?

A Cloud service developer
B Cloud service business manager
C Cloud service provider
D Cloud service broker
D

Which of the following should be carried out first when seeking to perform a gap analysis?

A Conduct information gathering.
B Define scope and objectives.
C Identify potential risks.
D Obtain management support.
D

This type of storage is a virtual hard drive attached to a virtual host:

A Content and File Storage
B Information Storage and Management
C Structured
D Volume
D

What are the two biggest challenges associated with the use of IPSec in cloud computing environments?

A Auditability and governance
B Configuration management and performance
C Training customers on how to use IPSec and documentation
D Access control and patch management
B

In SOC 2 auditing, along with the security principle, how many of the other 4 principles must be included to complete a report?

A 1
B 7
C 5
D 3
A

PII is only protected in the United States.

A True
B False
B

This is the process that ensures resources are neither overutilized nor underutilized.

A Dynamic Optimization
B Auto-scaling
C Elasticity
D Dynamic Operations
A

Which of the following cloud deployment models may exist on or off premises?
Community
Private
Hybrid

Which is a cloud service model category?

A DBaaS
B XaaS
C BaaS
D PaaS
D

Which standard applies to Credit Card Processing?

A SOX
B PCI DSS
C PIC DSS
D HIPPA
B

Which of the following technologies does cloud computing use through a management interface?
Virtualization
Automation
Federated identity management

Which of the following software configuration management tools integrates during building, deploying, and managing infrastructure?

A Puppet
B SVN
C Chef
D CVS
C

Which of the following publishes the most commonly used standards for data center tiers and topologies?

A IDCA
B BICSI
C NFPA
D Uptime Institute
D

The “Data Center Site Infrastructure Tier Standard: Topology” document describes a four-tiered architecture for enterprises to rate their data center designs. What are the names of the four tiers?
Fault-Tolerant Site Infrastructure
Redundant Site Infrastructure Capacity Components
Basic Data Center Site Infrastructure
Concurrently Maintainable Site Infrastructure

The following are issues of Key Management except:

A ACL
B Trust
C Availability
D Integrity
A

What is a key characteristic of a honeypot?

A Composed of physical infrastructure
B Composed of virtualized infrastructure
C Isolated, monitored environment
D Isolated, nonmonitored environment
C

The key areas of performance metrics are:

A Storage and Processing
B CPU, Memory, Capacity, and Bandwidth
C CPU, Memory, Disk, and Networking
D Storage, Processing, Networking
C

While working with integrations in a cloud environment, which of the following can be an issue?

A Access to Logs
B Authorization
C Applications
D Repudiation
A

DLP to protect Data at Rest is installed:

A Near the Network Perimeter
B On the users’ device
C In the Application
D On the system holding the data
D

Which is not a security concept of customers of cloud computing?

A Physical Security
B Network Security
C Access Control
D Cryptography
A

These systems are controlled and maintained at the customer’s site
Remote KMS
Client-Side KMS

Which contractual components include a clear understanding of the permissible forms of data processing, transmission, and storage, along with any limitations or nonpermitted uses?
Scope of processing
Use of subcontractors

The following are toolsets and technology commonly used to secure data except:

A Anonymization
B Marking
C Masking
D Encryption
B

From whose perspective does auditability provide processes to review, assess, and report on user and system activities?
Management
Stakeholder

Which two are threat models?
STRIDE
DREAD

Which of the following are attributes of cloud computing?

A Minimal management effort and shared resources
B High cost and unique resources
C Rapid provisioning and slow release of resources
D Limited access and service provider interaction
A

Auditing is only used to discover security holes.

A True
B False
B

In which of the following cloud deployment models does platform security come under enterprise responsibility?

A PaaS
B SaaS
C NaaS
D IaaS
D

Which of the following allows for agentless retrieval of the guest OS state, and is used for malware analysis, memory forensics, and process monitoring?

A Firewall
B VMI
C SIEM
D Honeypot
B – VMI (Virtual Machine Introspection)

If a patch is unavailable for a vulnerability, it may be advisable to turn off affected services or restrict access by other means.

A True
B False
A

Which term is defined as a percentage measurement of how much computing power is necessary on the basis of the required percentage of the production system during a disaster?

A RSL
B MTD
C RTO
D RPO
A

Data Classification is a core concept of PCI DSS.

A True
B False
A

Which Cloud Model uses mainly databases to store data?

A SaaS
B DBaaS
C PaaS
D IaaS
A

In which of the following scenarios is a CSP considered as the provider of alternative facilities?

A Cloud service consumer, primary provider BCDR
B On-premises, cloud as BCDR
C Cloud service consumer, alternative provider BCDR
B

What are the virtualization components governed by the management plane?
Storage
Network
Compute

All of the following should be included in the Audit Scope Statement except:

A Deliverables
B Cost
C Classification
D Reason
B

In SaaS the customer has control over:

A Data
B Software
C OS
D Platform
A

Which of the following are considered to be the building blocks of cloud computing?

A CPU, RAM, storage, and networking
B Data, CPU, RAM, and access control
C Data, access control, virtualization, and services
D Storage, networking, printing, and virtualization
A

Encryption ensures integrity of Data.

A True
B False
B

What is the difference between BC and BCM?
BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. BCM provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

What is the process of gathering evidence in a cloud environment?

A eDiscovery
B Discovery
C ISO/IEC 27050
D Forensics
A

Which of the following statements are true of software-defined networking?
Enables a user to execute the control plane software on general-purpose hardware

Allows for network control to become directly programmable and distinct from forwarding

Provides a clearly defined and separate network control plane to manage network traffic

This is a method of categorizing data by finding patterns and it relies on users to refine it:

A eDiscovery
B Data Discovery
C Categorization
D Databasing
B

A Type 1 Hypervisor resides on the Host Device i.e. VM Workstation.

A True
B False
B – False. A Type 1 Hypervisor typically resides on the Server side, i.e. ESX.

How many layers of encryption are typically available to a Database?

A 2
B 3
C 4
D 1
A

Which is an act enforced by the Securities Exchange Commission (SEC)?

A Safe Harbor
B SCA
C SOX
D SEC
C

What is Portability?

A Ability to use cloud services on Mobile Devices.
B Ability to change CSPs.
C Measurement of Size.
D Use of Cloud Services across multiple platforms.
B

Which model provides the fewest configuration options?

A IaaS
B PaaS
C SaaS
D DBaaS
C

Which of the following are contractual components that the CCSP should review and understand fully when contracting with a CSP?
Scope of processing
Use of subcontractors

Which of the following is a plan to fix or mitigate all findings from an audit?

A Fixpack
B Mitigation
C Remediation
D Patching
C

This type of storage typically uses APIs or network requests:

A Structured
B Volume
C Object
D Unstructured
C

Multifactor authentication requires two of the following except:

A Something you know
B Something you are
C Something you have
D Something you do
D

This is the amount of data required to be maintained or restored in order to restore acceptable functionality:

A RPO
B RSL
C RTO
D RTL
A

Which of the following is application generated or imported through the application?

A Content and File Storage
B Information Storage and Management
C Structured
D Volume
B

What is the difference between contractual and regulated PII?
Contractual PII Exposure can lead to specified penalties or breach of contract.

Regulated PII Exposure can lead to fines and criminal charges.

In a federated system, which two components serve as its core?
The IdP (Identifying Party) and
The Relying Party

Which of the following are the challenges associated with key management?
Key storage
Access to the keys
Backup and replication

Refers to the organization purchasing, leasing, or renting cloud services
Cloud customer

Owns the datacenter, manages the resources, monitors services, and provides administrative assistance
Cloud Service Provider (CSP)

Offers independent identity and access management (IAM) services to CSPs and cloud customers
Cloud Access Security Broker (CASB)

Ensures organizations are in compliance with the framework for which they’re responsible
Regulator

This is the flexibility of allocating resources as needed for immediate usage, instead of purchasing resources according to other variables.
Elasticity

Usage and administration of cloud services ought to be transparent to cloud customers and users; from their perspective, a digital data service is paid for and can be used, with very little additional input other than what is necessary to perform their duties.
Simplicity

The organization’s computing needs won’t remain static: there will be new (and hopefully more) users, customers, and data as the organization continually matures.
Scalability

-Allows the customer to install all software, including operating systems (OSs) on hardware housed and connected by the cloud vendor.
IaaS

-Contains everything included in IaaS, with the addition of OSs.

-The vendor is responsible for patching, administering, and updating the OS as necessary, and the customer can install any software they deem useful.

-This model is especially useful for software development operations (DevOps)

-Some examples include systems already loaded with a hardened operating system such as Windows Server or Linux.
PaaS

-Includes everything listed in the previous two models, with the addition of software programs.

-The cloud vendor is responsible for administering, patching, and updating this software as well

-Some examples include: Google Docs, Microsoft’s Office 365, QuickBooks Online, and Customer Relationship Manager (CRM) software
SaaS

Owned by a single organization and is implemented on a cloud-based secure environment protected by a firewall
Private Cloud

Integrated arrangement of two or more cloud servers
Hybrid Cloud

Multi-tenant setup shared between organizations that belong to a specific group
Community Cloud

Delivers cloud services over a network that is open for free usage
Public Cloud

We determine a value for every asset (usually in terms of dollars), what it would cost the organization if we lost that asset (either temporarily or permanently), what it would cost to replace or repair that asset, and any alternate methods for dealing with that loss.
Business Impact Analysis (BIA)

Denotes those aspects of the organization without which the organization could not operate or exist. These could include tangible assets, intangible assets, specific business processes, data pathways, or even key personnel.
Criticality

The opposite of avoidance; the risk falls within the organization’s risk appetite, so the organization continues operations without any additional efforts regarding the risk.
Acceptance

The organization pays someone else to accept the risk, at a lower cost than the potential impact that would result from the risk being realized; this is usually in the form of INSURANCE.
Transference

The provider is responsible for connectivity and power, and the customer is in charge of installing software.
IaaS

The provider is responsible for updates and administration of the OS and the customer monitors and reviews software events.
PaaS

The provider is responsible for system maintenance and the customer supplies and processes data to and in the system.
SaaS

-All guest accounts are removed
-No default passwords remain
-Systems are patched, maintained, and updated according to vendor guidance
-All unused ports are closed
-Physical access is severely limited and controlled
Ways for securing devices in the datacenter

The __ is any organization or person who manipulates, stores, or moves the data on behalf of the data owner.
data custodian

Collects or creates the data, and possesses the rights and the responsibilities of the data.
Data Owner

Manipulates, stores, or moves the data, and serves as a cloud provider.
Data Custodian

Used when the discovery effort is considered in response to a mandate with a specific purpose
Label-based Discovery

Used to collect all matching data elements for a certain purpose.
Metadata-based Discovery

Used to locate and identify specific kinds of data by delving into the datasets.
Content-based Discovery

Creates new data feeds from sets of data already existing within the environment.
Data analytics Discovery

Acts as a form of data caching, usually near geophysical locations of high use demand, improves bandwidth and provides quality
Content Delivery Network (CDN)

__ are applied to existing systems and components, whereas upgrades are the replacement of older elements for new ones.
Updates

_ usually deals with modifications to the network, such as the acquisition and deployment of new systems and components and the disposal of those taken out of service.
Change management

__ usually concerns modifications to a known set of parameters regarding each element of the network, including what settings each has, how the controls are implemented, and so forth.
Configuration management

The____________ is a general-purpose map of the network and systems, based on the required functionality as well as security
baseline

__ efforts are concerned with maintaining critical operations during any interruption in service, whereas disaster recovery efforts are focused on the resumption of operations after an interruption due to disaster.
Business continuity

BC/DR Concept:
How long it would take for an interruption in service to kill an organization, measured in time. For instance, if a company would fail because it had to halt operations for a week.
MAD (Maximum Allowable Downtime)

BC/DR Concept:
The goal for recovery of operational capability after an interruption in service, measured in time.
RTO (Recovery Time Objective)

BC/DR Concept:
The goal of limiting the loss of data from an unplanned event. Confusingly, this is often measured in time. For instance, if an organization is doing full backups every day and is affected by some sort of disaster, that organization’s BC/DR plan might include a goal of resuming critical operations at an alternate operating site with the last full backup, and the time needed would be 24 hours.
RPO (Recovery Point Objective)

__ is an advisory organization for matters related to IT service.
Uptime Institute

Entails multiple differing security controls protecting the same assets with a variety of technological levels
Security redundancy

Provides increased level of robustness among personnel resources who administer and support the IT components
Personnel redundancy

Behooves the cloud provider to ensure that all communication lines are replicated on opposite sides of each building
Power line redundancy

The Brewer-Nash model, also known as the _________, seeks to mask the nature and details of a customer’s business from the administrators. This 1989 document distinguishes access and permissions of administrators based on policy.
Chinese Wall model

Clustered storage architectures can take one of two types: tightly coupled or loosely coupled.

A True
B False
A

A _ is a network file server with a drive or group of drives, portions of which are assigned to users on that network. The user will see a NAS as a file server and can share files to it. NAS commonly uses TCP/IP.
NAS

A __ is a group of devices connected to the network that provide storage space to users. Typically, the storage apportioned to the user is mounted to that user’s machine, like an empty drive. They mostly use iSCSI or Fibre Channel protocols.
SAN

Stores all the data on a file system and gives customers access to the parts of the hierarchy to which they are assigned
Object storage

Allows greater flexibility and each node of the cluster is independent of others
Loosely coupled cluster

Allows data to be recovered in a more efficient manner because if one of the drives fails, the missing data can be filled in by the other drives
Resiliency

_______ is the practice of viewing the application from the perspective of a potential attacker. Realistically, it involves more than just causing a breach or gaining access (the “penetration”)
Threat modeling

S (Spoofing): Any impersonation such as IP or user spoofing
T (Tampering): Attacks that make unauthorized modifications to actual data, affecting the integrity of information or communications.
R (Repudiation): When the inability to deny one’s action has been compromised
I (Information Disclosure): Data leakage or an outright breach
D (Denial of Service): Any attack that results in loss of availability to authorized entities.
E (Escalation of Privilege): The ability to elevate a user account privilege above the authorized level
STRIDE acronym

________ testing is useful in finding such security problems as cross-site scripting (XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions, and backdoors. This type of test usually delivers more results and more accuracy than its counterpart dynamic application security testing (DAST).
Static application security testing (SAST)

_______ is considered a black-box test since the code is not revealed and the test must look for problems and vulnerabilities while the application is running. It is most effective when used against standard HTTP and other HTML web application interfaces.
Dynamic application security testing (DAST)

While STRIDE is widely used in the software development community, other models exist as well. __ (and its associated tool) is an open source alternative offered by Octotrike and cited by OWASP
The Trike model

_____ refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed by others and seeks to provide for the compensation of victims that suffered at the hand of others by shifting their costs to the person who caused them.
Tort law

The ____ is a term used to describe the processes associated with determining what legal jurisdiction will hear a dispute when one occurs. An example would be when multiple jurisdictions are involved and courts must decide where a case must be heard and decided.
Doctrine of the Proper Law

Involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes
Criminal law

Governs the country against kidnapping or bank robbery and the criminal would be subject to prosecution or punishment
Federal law

Deals with personal and community-based law such as marriage and divorce as opposed to a military law
Civil law

Includes speed limits laws, tax laws, and the criminal code laws
State law

This act often referred to as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.”
The Electronic Communication Privacy Act (ECPA) of 1986 backed by US Congress

Title II of the Electronic Communications Privacy Act of 1986, this act restricts the government from forcing ISPs to disclose customer data the ISP might possess.
The Stored Communications Act (SCA) of 1986 backed by US Congress

This act allows banks to merge with and own insurance companies and keeps customer account information private and secure. With that customers are allowed to opt-out of any information-sharing arrangements the bank or insurer might engage in.
Gramm-Leach-Bliley Act (GLBA) of 1999 backed by FDIC

This act increases transparency into publicly traded corporations’ financial activities and includes provisions for securing data.
Sarbanes-Oxley Act (SOX) of 2002 backed by SEC

This act protects patient records and data, known as electronically protected health information (ePHI).
Health Insurance Portability and Accountability Act (HIPAA) of 1996 backed by DHHS

This act prevents academic institutions from sharing student data with anyone other than parents of students.
Family Educational Rights and Privacy Act (FERPA) of 1974 backed by Department of Education

This act grants copyright provisions to protect owned data in an Internet-enabled world and enables copyright holders to require any site on the Internet to remove content that may belong to the copyright holder.
The Digital Millennium Copyright Act (DMCA) of 1998 enacted by Bill Clinton

The __________ conforms to the EU Data Directive and Privacy Regulation. It provides guidelines which describe how businesses should manage the personal data in a commercial activity.
Personal Information Protection and Electronic Documents Act (PIPEDA)

__ refers to the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes. Determining which data in a set is pertinent can be difficult, regardless of whether it is databases, records, email, or just simple files.
Electronic discovery (eDiscovery)

Guide for collecting, identifying, and preserving electronic evidence
ISO/IEC 27037:2012

Guide for incident investigations
ISO/IEC 27041:2015

Guide for digital evidence analysis
ISO/IEC 27042:2015

Incident investigation principles and processes
ISO/IEC 27043:2015

Overview and principles for eDiscovery
ISO/IEC 27050-1:2016

__ talks about personally identifiable information (PII) as a name, date of birth, and Social Security number. HIPAA calls this type of data “electronic protected health information” (ePHI), and it also includes any patient information, including medical records, and facial photos. GLBA includes customer account information such as account numbers and balances.
NIST Special Publication (SP) 800-122

To create an accurate frame of reference, a __ is conducted: a lightweight audit that will generally produce findings of weaknesses or vulnerabilities, but whose purpose is to identify those weaknesses so they can be remediated before any formal audit work begins.
gap analysis

An audit engagement consisting of an examination of an organization's financial reporting controls. For a cloud customer trying to determine the suitability of a cloud provider, it is of little use, because it says nothing about data protection, configuration resiliency, or any other element the customer needs to know.
SOC 1

__ reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy. This is the report of most use to cloud customers (to determine the suitability of cloud providers) and IT security practitioners.
SOC 2

The __ report, on the other hand, is purely for public consumption and serves only as a seal of approval of sorts for public display without sharing any specific information regarding audit activity, control effectiveness, findings, and so on.
SOC 3

__ specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
ISO/IEC 27001

Proceeding with an activity after judging that the risk is tolerable relative to the reward; the risk is retained and no further control is applied
Risk Acceptance

Declining to undertake the activity at all, because the cost-benefit analysis shows the risk outweighs the reward
Risk avoidance

Shifting part of the risk of an activity to a third party (for example through insurance or contractual indemnities) rather than bearing all of it
Risk transference

Reduces risk to an acceptable level through the use of controls and countermeasures
Risk mitigation

An international standard that focuses on designing, implementing, and reviewing risk management processes and practices
ISO 31000:2009 (revised as ISO 31000:2018)

A guide for implementing the risk management framework, which is a methodology for handling all organizational risk in a comprehensive manner
NIST SP 800-37

An agency of the European Union (not a standard) that publishes guidance on cloud computing benefits, risks, and recommendations for information security
ENISA (European Union Agency for Network and Information Security, renamed the European Union Agency for Cybersecurity in 2019)

The _ describes in detail exactly what both parties’ responsibilities are, what services are being contracted, and what provisions are in place for the safety, security, integrity, and availability of those same services.
contract

The _ is the list of defined, specific, numerical metrics that will be used to determine whether the provider is sufficiently meeting the contract terms during each period of performance.
SLA

__________ refers to limiting an assessment to only those departments or business units affected by a cloud engagement.
Scoping

The Cloud Security Alliance __ program is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative. (It provides an independent level of program assurance for cloud consumers and offers a central repository in which providers publicly release these documents.)
Security, Trust, and Assurance Registry (STAR)

Level One: Self-Assessment: The provider publishes its own completed Consensus Assessments Initiative Questionnaire (CAIQ) and/or Cloud Controls Matrix (CCM) assessment.

Level Two: CSA STAR Attestation/Certification: The provider publishes the results of an assessment carried out by an independent third party against the CCM, combined with either an ISO/IEC 27001:2013 audit (STAR Certification) or an AICPA SOC 2 engagement (STAR Attestation).

Level Three: CSA STAR Continuous Monitoring: The provider publishes continuously updated results about the security properties of its service, based on the CloudTrust Protocol.
The 3 Levels of CSA Security, Trust, and Assurance Registry (STAR)

The customer is concerned with data, whereas the provider is concerned with security and operation.

A True
B False
A

The customer’s ultimate legal liability for data it owns remains true even if the provider’s failure was the result of negligence.

A True
B False
A

To avoid lock-in, the organization has to think in terms of _ when considering migration. We use the term to describe the level of ease or difficulty when transferring data out of a provider’s datacenter.
portability

_____ can be caused when the cloud provider goes out of business, is acquired by another interest, or ceases operation for any reason. In these circumstances, the concern is whether the customer can still readily access and recover their data.
Vendor lock-out

Hypervisor _ also called bare-metal or hardware hypervisor, resides directly on the host machine, often as bootable software.
Type 1

Hypervisor _ is a software hypervisor, and it runs on top of the OS that runs on a host device.
Type 2

Attackers prefer Type 2 hypervisors because of the larger attack surface (the host OS beneath the hypervisor can be attacked as well).

A True
B False
A

Occurs on the hypervisor itself, the underlying OS, and the machine directly
Attacks on the hypervisor

An internal network with remote access capabilities

Threats:
Malware, man-in-the-middle attacks, and social engineering
Private cloud

Provides a cloud computing solution to a limited number of individuals

Threats:
Loss of policy control and physical control and lack of audit access
Community cloud

Includes a company that relies on a third-party for services

Threats:
Rogue administrator, escalation of privilege, and contractual failure
Public cloud

External attacker: Harden devices, hypervisors, and virtual machines, with thorough configuration and change management protocols

Social engineering: Train personnel, and use incentive programs that reward people who resist attempts and report them to the security office

Regulatory violation: Implement DRM solutions, hire knowledgeable, trained personnel with the right skillsets, and use encryption, obfuscation, and masking

Natural disaster: Ensure multiple redundancies for all systems and services in the datacenter

Contractual failure: Keep full offsite backups, secured and controlled by the customer, to protect against vendor lock-in/lock-out
Countermeasure methods that can be adopted to address each of the threats for each of the cloud models

Cloud computing magnifies the likelihood and impact of two existing risks: _ and ___.
internal personnel; remote access

BC/DR backup plan in which the customer decides when normal operations will cease and the backup will be utilized as the operational network.
Private architecture, cloud service as backup:

BC/DR backup plan in which the provider is responsible for determining the location and configuration of the backup and for assessing and declaring disaster events.
Cloud operations, cloud provider as backup:

BC/DR backup plan in which the cloud provider hosts regular operations and the customer opts for contingency operations to distribute risks.
Cloud operations, third-party cloud backup provider

-Security Governance, Risk and Compliance (GRC) and data security comes under enterprise responsibility.

-Physical security and infrastructure security comes under cloud provider responsibility.
Enterprise Responsibility Vs Cloud Provider Responsibility

The cloud provider secures the physical facility and the underlying infrastructure (hypervisor and network); the cloud customer is responsible for everything above that, including the OS, applications, and data.
IaaS

The cloud provider secures the physical facility, the infrastructure, and the OS/runtime platform; the cloud customer is responsible for the applications it deploys and for its data.
PaaS

The cloud provider secures the physical facility, the infrastructure, and the application itself; the cloud customer is responsible only for administering its users' access and for its data.
SaaS

Removing unnecessary services and libraries
Closing unused ports
Installing antimalware agents
Limiting administrator access
Ensuring event logging is enabled
Ways to harden Operating Systems

-Documentation is often neglected because writing it is a slow, methodical process that adds nothing visible to functionality or performance.

-Multitenancy can expose the organization's data to other tenants through inadvertent data bleed.

-Even apps that eventually run successfully in the cloud may require configuration changes in order to work effectively.
Cloud application deployment pitfall issues

In the _______________of the Cloud SDLC, we are focused on identifying the business needs of the application, such as accounting, database, or customer relationship management.
definition phase

In the __ of the Cloud SDLC, we begin to develop user stories (what the user will want to accomplish and how to go about it), what the interface will look like, and whether it will require the use or development of any APIs.
design phase

The ___ of the Cloud SDLC is where the code is written. The code takes into account the previously established definition and design parameters.
development phase

Business Context
Regulatory Context
Technical Context
Specifications
Roles, Responsibilities, and Qualifications
Processes
Application Security Control (ASC) Library
ISO/IEC 27034-1 standard categories

Often used for authorization in mobile apps, the _ framework lets third-party applications obtain limited access to HTTP services on a user's behalf without receiving the user's credentials.
OAuth

This uses the term realms in explaining its capabilities to allow organizations to trust each other’s identity information across organizations.
WS-Federation

This is an interoperable authentication protocol based on the OAuth 2 specification. It allows developers to authenticate their users across websites and applications without having to manage usernames and passwords.
OpenID Connect

___ is a protocol specification for exchanging structured information in web services. It is usually carried over HTTP but also works over other protocols such as SMTP and FTP.
Standards-based
Reliant on XML
Strict: malformed messages are rejected rather than tolerated
Slower and heavier than REST
Built-in error handling (SOAP faults)

Encrypts all of the system’s data at rest in one instance
Whole-instance encryption

Encrypts data transmission between servers
Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS)

What is the intellectual property protection for a very valuable set of sales leads?

A Trademark
B Trade secret
C Copyright
D Patent
B

What is the federal agency that accepts applications for new patents?

A SEC
B OSHA
C USPTO
D USDA
C – The U.S. Patent and Trademark Office

In the cloud motif, the data owner is usually:

A The cloud provider
B The cloud customer
C In another jurisdiction
D The cloud access security broker
B

All the following are data analytics modes, except:

A Refractory iterations
B Real-time analytics
C Datamining
D Agile business intelligence
A

DRM solutions should generally include all the following functions, except:

A Automatic self-destruct
B Automatic expiration
C Dynamic policy control
D Persistency
A

In the cloud motif, the data processor is usually:

A The cloud access security broker
B The cloud provider
C The cloud customer
D The party that assigns access rights
B

All of these are methods of data discovery, except:

A Content-based
B User-based
C Label-based
D Metadata-based
B

What is the intellectual property protection for the logo of a new video game?

A Copyright
B Trade secret
C Trademark
D Patent
C

All of the following regions have at least one country with an overarching, federal privacy law protecting personal data of its citizens, except:

A South America
B Europe
C Asia
D The United States
D

DRM tools use a variety of methods for enforcement of intellectual property rights. These include all the following, except:

A Media-present checks
B Support-based licensing
C Local agent enforcement
D Dip switch validity
D

Every security program and process should have which of the following?

A Homomorphic encryption
B Foundational policy
C Severe penalties
D Multifactor authentication
B

Data labels could include all the following, except:

A Handling restrictions
B Delivery vendor
C Source
D Jurisdiction
B

Data labels could include all the following, except:

A Distribution limitations
B Access restrictions
C Multifactor authentication
D Confidentiality level
C

Data labels could include all the following, except:

A Date data was created
B Data owner
C Data value
D Date of scheduled destruction
C

What is the intellectual property protection for a confidential recipe for muffins?

A Trademark
B Patent
C Copyright
D Trade secret
D

What is the aspect of the DMCA that has often been abused and places the burden of proof on the accused?

A Takedown notice
B Puppet plasticity
C Online service provider exemption
D Decryption program prohibition
A

All policies within the organization should include a section that includes all of the following, except:

A Policy review
B Policy enforcement
C Policy adjudication
D Policy maintenance
C

What is the intellectual property protection for the tangible expression of a creative idea?

A Copyright
B Trade secret
C Trademark
D Patent
A

The goals of SIEM solution implementation include all of the following, except:

A Performance enhancement
B Dashboarding
C Trend analysis
D Centralization of log streams
A

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?

A AES
B Link encryption
C Homomorphic encryption
D One-time pads
C

What is a cloud storage architecture that manages the data in a hierarchy of files?

A File-based storage
B Object-based storage
C CDN
D Database
A

Tokenization requires two distinct __.

A Personnel
B Encryption keys
C Databases
D Authentication factors
C
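The two databases are the application store, which holds only tokens, and the token vault, which holds the token-to-value mapping under separate access control. The following is an added example, not the guide's own code; two in-memory SQLite databases stand in for the two physically separate systems, and the card number is a constructed test value.

```python
"""Tokenization with a separate token vault (added example)."""
import secrets
import sqlite3


class TokenVault:
    """The only component that ever sees a primary account number (PAN)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE vault (token TEXT PRIMARY KEY, pan TEXT NOT NULL UNIQUE)")

    def tokenize(self, pan: str) -> str:
        # Idempotent: the same PAN always yields the same token, so analytics
        # such as "orders per card" still work on tokens alone.
        row = self.db.execute("SELECT token FROM vault WHERE pan = ?", (pan,)).fetchone()
        if row:
            return row[0]
        while True:
            # Keep the last four digits for display; the rest is random, so the
            # token reveals nothing beyond those four digits.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if self.db.execute("SELECT 1 FROM vault WHERE token = ?", (token,)).fetchone() is None:
                break
        self.db.execute("INSERT INTO vault (token, pan) VALUES (?, ?)", (token, pan))
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation: expose only to the payment path, never to the app tier."""
        row = self.db.execute("SELECT pan FROM vault WHERE token = ?", (token,)).fetchone()
        if row is None:
            raise KeyError("unknown token")
        return row[0]


class OrdersDB:
    """Application store: receives tokens only, never a PAN."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card_token TEXT, amount_cents INTEGER)"
        )

    def add_order(self, customer: str, card_token: str, amount_cents: int) -> None:
        self.db.execute(
            "INSERT INTO orders (customer, card_token, amount_cents) VALUES (?, ?, ?)",
            (customer, card_token, amount_cents),
        )

    def dump(self) -> list:
        return self.db.execute("SELECT customer, card_token, amount_cents FROM orders").fetchall()


def place_order(vault: TokenVault, orders: OrdersDB, customer: str, pan: str, amount_cents: int) -> str:
    token = vault.tokenize(pan)
    orders.add_order(customer, token, amount_cents)
    return token


def app_db_holds_pan(orders: OrdersDB, pan: str) -> bool:
    """Simulate an attacker dumping the application DB: does the PAN appear anywhere?"""
    return any(pan in str(row) for row in orders.dump())


def demo() -> dict:
    vault, orders = TokenVault(), OrdersDB()
    pan = "4111111111111111"  # constructed test PAN
    t1 = place_order(vault, orders, "alice", pan, 1999)
    t2 = place_order(vault, orders, "alice", pan, 500)
    return {
        "same_token_for_same_pan": t1 == t2,
        "last4_preserved": t1.endswith("1111"),
        "app_db_holds_pan": app_db_holds_pan(orders, pan),
        "vault_recovers_pan": vault.detokenize(t1) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

Production token services additionally generate tokens that fail the Luhn check so a token can never be mistaken for a real card number, and keep the vault's encryption keys and administrative access entirely separate from the application tier.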

Data masking can be used to provide all of the following functionality, except:

A Enforcing least privilege
B Test data in sandboxed environments
C Authentication of privileged users
D Secure remote access
C

DLP can be combined with what other security technology to enhance data controls?

A DRM
B Hypervisors
C Kerberos
D SIEM
A

What is a cloud storage architecture that manages the data in caches of copied content close to locations of high demand?

A Object-based storage
B CDN
C Database
D File-based storage
B – Content Delivery Network

Cryptographic keys should be secured __.

A In vaults
B By armed guards
C With two-person integrity
D To a level at least as high as the data they can decrypt
D

Proper implementation of DLP solutions for successful function requires which of the following?

A Accurate data categorization
B Physical access limitations
C USB connectivity
D Physical presence
A
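Accurate categorization starts with data discovery, and the three discovery methods listed earlier in this guide (content-based, label-based, metadata-based) complement each other. The following is an added example, not the guide's or any DLP product's code: it runs all three detectors over constructed sample files. The regular expressions, classification labels and path conventions are illustrative assumptions.

```python
"""Content-, label- and metadata-based data discovery (added example)."""
import re
from dataclasses import dataclass, field

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
LABEL_RE = re.compile(r"^Classification:\s*(\w+)", re.MULTILINE | re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check so that random 16-digit numbers (order IDs, timestamps) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    method: str     # content | label | metadata
    category: str
    evidence: str


@dataclass
class SampleFile:
    path: str
    text: str
    tags: dict = field(default_factory=dict)  # e.g. object-store metadata set by the owner


def discover(files) -> list:
    findings = []
    for f in files:
        # 1. Content-based: inspect the bytes themselves.
        for m in SSN_RE.finditer(f.text):
            findings.append(Finding(f.path, "content", "PII/SSN", m.group()))
        for m in CARD_RE.finditer(f.text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(f.path, "content", "PCI/PAN", m.group()))
        for m in EMAIL_RE.finditer(f.text):
            findings.append(Finding(f.path, "content", "PII/email", m.group()))
        # 2. Label-based: honour an explicit classification marking in the document.
        lm = LABEL_RE.search(f.text)
        if lm:
            findings.append(Finding(f.path, "label", lm.group(1).upper(), lm.group()))
        # 3. Metadata-based: owner-applied tags and the storage path itself.
        if f.tags.get("data-class"):
            findings.append(Finding(f.path, "metadata", f.tags["data-class"].upper(), "tag:data-class"))
        if "/hr/" in f.path:
            findings.append(Finding(f.path, "metadata", "HR", "path"))
    return findings


def summarise(findings) -> dict:
    """Map each path to the set of categories found, the input a DLP policy would act on."""
    by_path = {}
    for f in findings:
        by_path.setdefault(f.path, set()).add(f.category)
    return by_path


SAMPLE_FILES = [  # constructed sample data, not real records
    SampleFile("s3://bucket/hr/payroll.csv",
               "name,ssn,email\nA. Smith,123-45-6789,asmith@example.test\n",
               tags={"data-class": "confidential"}),
    SampleFile("s3://bucket/eng/orders.log",
               "2024-01-02 order=1234567890123456 card=4111 1111 1111 1111 ok\n"),
    SampleFile("s3://bucket/public/readme.txt",
               "Classification: PUBLIC\nNothing to see here.\n"),
]

if __name__ == "__main__":
    for path, cats in summarise(discover(SAMPLE_FILES)).items():
        print(path, sorted(cats))
```

Note how the order ID in orders.log is a 16-digit number that the card regex matches but the Luhn check discards, while the spaced test card number is still caught: without such validation a content-based scanner drowns analysts in false positives, which is the usual reason DLP deployments get switched to monitor-only mode.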

Best practices for key management include all of the following, except:

A Maintain key security
B Pass keys out of band
C Ensure multifactor authentication
D Have key recovery processes
C

The goals of DLP solution implementation include all of the following, except:

A Data discovery
B Data Loss Mitigation
C Policy enforcement
D Elasticity
D

What are the U.S. State Department controls on technology exports known as?

A EAR
B EAL
C DRM
D ITAR
D – International Traffic in Arms Regulations

Cryptographic keys for encrypted data stored in the cloud should be __.

A Not stored with the cloud provider
B At least 128 bits long
C Generated with redundancy
D Split into groups
A

DLP solutions can aid in deterring loss due to which of the following?

A Natural disaster
B Inadvertent disclosure
C Randomization
D Device failure
B

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except:

A Obfuscation
B Masking
C Anonymization
D Data discovery
D

What are the U.S. Commerce Department controls on technology exports known as?

A EAL
B DRM
C ITAR
D EAR
D – Export Administration Regulations

When crafting plans and policies for data archiving, we should consider all of the following, except:

A The format of the data
B Immediacy of the technology
C Archive location
D The backup process
B

DLP solutions can aid in deterring loss due to which of the following?

A Power failure
B Malicious disclosure
C Performance issues
D Bad policy
B

What are third-party providers of IAM functions for the cloud environment?

A SIEMs
B AESs
C DLPs
D CASBs
D

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Mandatory vacation
B Separation of duties
C Least privilege
D Conflict of interest
D

A poorly negotiated cloud service contract could result in all the following detrimental effects except:

A Unfavorable terms
B Lack of necessary services
C Vendor lock-in
D Malware
D

Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except:

A The cloud provider’s resellers
B The cloud provider’s utilities
C The cloud provider’s vendors
D The cloud provider’s suppliers
A

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Broad contractual protections to ensure the provider is ensuring an extreme level of trust in its own personnel

B Scalability

C DLP solutions

D Financial penalties for the cloud provider in the event of negligence or malice on the part of its own personnel
B

Benefits for addressing BC/DR offered by cloud operations include all of the following except:

A Distributed, remote processing, and storage of data
B Fast replication
C Regular backups offered by cloud providers
D Metered service
D

Because of multitenancy, specific risks in the public cloud that don't exist in the other cloud deployment models include all the following except:

A DoS/DDoS
B Escalation of privilege
C Risk of loss/disclosure due to legal seizures
D Information bleed
A

All of the following methods can be used to attenuate the harm caused by escalation of privilege except:

A Extensive access control and authentication tools and techniques

B The use of automated analysis tools such as SIM, SIEM, and SEM solutions

C Periodic and effective use of cryptographic sanitization tools

D Analysis and review of all log data by trained, skilled personnel on a frequent basis
C

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Masking and obfuscation of data for all personnel without need to know for raw data

B Redundant ISPs

C Active electronic surveillance and monitoring

D Active physical surveillance and monitoring
B

All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except:

A Use DRM and DLP solutions widely throughout the cloud operation

B Avoid proprietary data formats

C Ensure favorable contract terms to support portability

D Ensure there are no physical limitations to moving
A

Which of the following is a technique used to attenuate risks to the cloud environment, resulting in loss or theft of a device used for remote access?

A Dual control
B Muddling
C Safe harbor
D Remote kill switch
D

Countermeasures for protecting cloud operations against internal threats include all of the following except:

A Extensive and comprehensive training programs, including initial, recurring, and refresher sessions

B Aggressive background checks

C Hardened perimeter devices

D Skills and knowledge testing
C

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is:

A Many states have data breach notification laws.
B Breaches can cause the loss of proprietary data.
C Breaches can cause the loss of intellectual property.
D Legal liability can’t be transferred to the cloud provider.
D

The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement?

A Community cloud
B SaaS
C PaaS
D IaaS
D

Which hypervisor malicious attackers would prefer to attack?

A Type 1
B Type 4
C Type 3
D Type 2
D

After a cloud migration, the BIA should be updated to include a review of the new risks and impacts associated with cloud operations; this review should include an analysis of the possibility of vendor lock-in/lock-out. Analysis of this risk may not have to be performed as a new effort, because a lot of the material that would be included is already available from which of the following?

A Open source providers
B The cost-benefit analysis the organization conducted when deciding on cloud migration
C The cloud provider
D NIST
B

Countermeasures for protecting cloud operations against external attackers include all of the following except:

A Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines

B Detailed and extensive background checks

C Continual monitoring for anomalous activity

D Regular and detailed configuration/change management activities
B

Because PaaS implementations are so often used for software development, what is one of the vulnerabilities that should always be kept in mind?

A DoS/DDoS
B Malware
C Loss/theft of portable devices
D Backdoors
D

The various models generally available for cloud BC/DR activities include all of the following except:

A Cloud provider, backup from another cloud provider
B Cloud provider, backup from private provider
C Private architecture, cloud backup
D Cloud provider, backup from same provider
B

The cloud customer’s trust in the cloud provider can be enhanced by all of the following except:

A Audits
B SLAs
C Real-time video surveillance
D Shared administration
C

A honeypot should contain _ data.

A Sensitive
B Useless
C Production
D Raw
B

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?

A Security control matrix
B HIPAA
C Statutes
D The contract
D

User access to the cloud environment can be administered in all of the following ways except:

A Customer directly administers access
B Third party provides administration on behalf of the customer
C Provider provides administration on behalf of the customer
D Customer provides administration on behalf of the provider
D

Hardening the operating system refers to all of the following except:

A Closing unused ports
B Removing antimalware agents
C Limiting administrator access
D Removing unnecessary services and libraries
B

Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer’s trust in the provider?

A Site visit access
B Backend administrative access
C Audit and performance log data
D SOC 2 Type 2
C

In all cloud models, security controls are driven by which of the following?

A Business requirements
B Virtualization engine
C Hypervisor
D SLAs
A

What is the cloud service model in which the customer is responsible for administration of the OS?

A IaaS
B QaaS
C SaaS
D PaaS
A

Which kind of SSAE report comes with a seal of approval from a certified auditor?

A SOC 2
B SOC 3
C SOC 4
D SOC 1
B

As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphia, Congress passed legislation known as:

A GLBA
B SOX
C HIPAA
D FERPA
B

In all cloud models, the customer will be given access and ability to modify which of the following?

A Security controls
B User permissions
C OS
D Data
D

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?

A SOC 2 Type 2
B SOC 1 Type 1
C SOC 3
D SOC 1 Type 2
C

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except:

A DLP solution results
B Security control administration
C Access to audit logs and performance data
D SIM, SIEM, and SEM logs
B

A firewall can use all of the following techniques for controlling traffic except:

A Behavior analysis
B Rule sets
C Randomization
D Content filtering
C

Which kind of SSAE audit reviews controls dealing with the organization’s controls for assuring the confidentiality, integrity, and availability of data?

A SOC 3
B SOC 4
C SOC 1
D SOC 2
D

Why will cloud providers be unlikely to allow physical access to their datacenters?

A They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access.

B They want to enhance security by keeping information about physical layout and controls confidential.

C Most datacenters are inhospitable to human life, so minimizing physical access also minimizes safety concerns.

D They want to minimize traffic in those areas, to maximize efficiency of operational personnel.
B

Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?

A Database management software
B Open source software
C Secure software
D Proprietary software
B

In all cloud models, the _ will retain ultimate liability and responsibility for any data loss or disclosure.

A State
B Customer
C Vendor
D Administrator
B

Which kind of SSAE audit report is most beneficial for a cloud customer, even though it’s unlikely the cloud provider will share it?

A SOC 1 Type 1
B SOC 3
C SOC 1 Type 2
D SOC 2 Type 2
D

Vulnerability assessments cannot detect which of the following?

A Zero-day exploits
B Defined vulnerabilities
C Malware
D Programming flaws
A

Which of the following is not a component of the STRIDE model?

A Repudiation
B Spoofing
C External pen testing
D Information disclosure
C

Which of the following best describes data masking?

A A method where the last few numbers in a dataset are not obscured. These are often used for authentication.

B A method for creating similar but inauthentic datasets used for software testing and user training.

C A method used to protect prying eyes from data such as social security numbers and credit card data.

D Data masking involves stripping out all similar digits in a string of numbers so as to obscure the original number.
B

Database activity monitoring (DAM) can be:

A Used in the place of encryption
B Used in place of data masking
C Host-based or network-based
D Server-based or client-based
C

SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP?

A Works over numerous protocols
B Standards-based
C Reliant on XML
D Extremely fast
D

Dynamic application security testing (DAST) is best described as which of the following?

A Masking

B Test performed on an application or software product while being consumed by cloud customers

C Test performed on an application or software product while it is being executed in memory in an operating system

D Test performed on an application or software product while it is using real data in production
C

Which of the following best describes SAML?

A A standard for exchanging usernames and passwords across devices

B A standard for exchanging authentication and authorization data between security domains

C A standard for developing secure application management logistics

D A standard used for directory synchronization
B

Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like:

A SYN floods
B Password cracking
C XSS and SQL injection
D Ransomware
C

The application normative framework is best described as which of the following?

A A superset of the ONF
B The complete ONF
C A stand-alone framework for storing security practices for the ONF
D A subset of the ONF
D

In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?

A A contracted third party/the various member organizations of the federation

B Each member organization/each member organization

C Each member organization/a trusted third party

D The users of the various organizations within the federation/a CASB
A

Which of the following best describes the purpose and scope of ISO/IEC 27034-1?

A Provides an overview of network and infrastructure security designed to secure cloud applications

B Serves as a newer replacement for NIST 800-53 r4

C Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security

D Describes international privacy standards for cloud computing
C

Which of the following best describes the Organizational Normative Framework (ONF)?

A A set of application security, and best practices, catalogued and leveraged by the organization

B A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization

C A container for components of an application’s security, best practices, catalogued and leveraged by the organization

D A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization
B

Which of the following best describes SAST?

A A set of technologies that analyze application byte code and binaries for coding and design problems that would indicate a security problem or vulnerability

B A set of technologies that analyze application source code and byte code for coding and design problems that would indicate a security problem or vulnerability

C A set of technologies that analyze application source code for coding and design problems that would indicate a security problem or vulnerability

D A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability
D

Which of the following is not one of the SDLC phases?

A Design
B Test
C Define
D Reject
D

Sandboxing provides which of the following?

A A testing environment that prevents isolated code from running in a nonproduction environment.

B A test environment that isolates untrusted code changes for testing in a production environment.

C A test environment that isolates untrusted code changes for testing in a nonproduction environment.

D A testing environment where new and experimental code can be tested in a nonproduction environment.
C

Which of the following best describes a sandbox?

A An isolated space where untested code and experimentation can safely occur separate from the production environment

B An isolated space where transactions are protected from malicious software

C A space where you can safely execute malicious code to see what it does

D An isolated space where untested code and experimentation can safely occur within the production environment
A

Which of the following best represents the definition of REST?

A Built on protocol standards
B Lightweight and scalable
C Relies heavily on XML
D Only supports XML output
B

Which of the following best describes data masking?

A Data masking is used in place of production data.
B Data masking is used in place of encryption for better performance.
C Data masking is used to hide PII.
D Data masking is used to create a similar, inauthentic dataset used for training and software testing.
D
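Static masking produces exactly such an inauthentic dataset, and the practical difficulty is keeping the copy useful: tables that join on a masked column must still join after masking. The following is an added example, not the guide's own code. Masking is one-way (there is no vault, unlike tokenization) but deterministic, so the same real value always becomes the same fake value. The masking key and the customer and order rows are constructed.

```python
"""Deterministic static data masking that preserves format and joins (added example)."""
import hashlib
import hmac

MASKING_KEY = b"constructed-masking-key"  # assumed; held only by the masking job, never by the test environment


def _keyed_digits(value: str, n: int) -> str:
    """Derive n pseudo-random digits from value; without the key the mapping cannot be reversed."""
    digest = hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()
    return str(int(digest, 16) % 10 ** n).zfill(n)


def mask_ssn(ssn: str) -> str:
    """Keep the ###-##-#### shape but produce a number the SSA never issues."""
    d = _keyed_digits(ssn, 8)
    area = 900 + int(d[:2])        # 900-999 area numbers are never assigned
    group = max(1, int(d[2:4]))    # group 00 and serial 0000 are invalid
    serial = max(1, int(d[4:8]))
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_email(email: str) -> str:
    """Replace the address with one in the reserved .invalid TLD so test mail can never route."""
    local = email.partition("@")[0]
    return f"user{_keyed_digits(local, 6)}@example.invalid"


def mask_card(pan: str) -> str:
    """Partial masking for operational display: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


CUSTOMERS = [  # constructed rows
    {"name": "Alice Example", "ssn": "123-45-6789", "email": "alice@corp.test"},
    {"name": "Bob Example", "ssn": "987-65-4321", "email": "bob@corp.test"},
]
ORDERS = [  # constructed rows; customer_email is the join key to CUSTOMERS
    {"order_id": 1, "customer_email": "alice@corp.test", "card": "4111111111111111", "total": 1999},
    {"order_id": 2, "customer_email": "alice@corp.test", "card": "4111111111111111", "total": 500},
    {"order_id": 3, "customer_email": "bob@corp.test", "card": "5555555555554444", "total": 120},
]


def mask_dataset(customers, orders):
    masked_customers = [
        {
            "name": f"Customer {_keyed_digits(c['email'], 4)}",
            "ssn": mask_ssn(c["ssn"]),
            "email": mask_email(c["email"]),
        }
        for c in customers
    ]
    masked_orders = [
        {**o, "customer_email": mask_email(o["customer_email"]), "card": mask_card(o["card"])}
        for o in orders
    ]
    return masked_customers, masked_orders


def joins_intact(customers, orders) -> bool:
    """Every order must still resolve to a customer after masking."""
    emails = {c["email"] for c in customers}
    return all(o["customer_email"] in emails for o in orders)


if __name__ == "__main__":
    mc, mo = mask_dataset(CUSTOMERS, ORDERS)
    print(mc, mo, joins_intact(mc, mo))
```

Because the fake values are derived with a keyed HMAC rather than a plain hash, someone holding the masked dataset cannot recover a real SSN by hashing candidate values, and the key stays with the masking job rather than travelling to the test environment.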

APIs are defined as which of the following?

A A set of routines and tools for building software applications to access web-based software applications

B A set of protocols, and tools for building software applications to access a web-based software application or tool

C A set of standards for building software applications to access a web-based software application or tool

D A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool
D

Identity and access management (IAM) is a security discipline that ensures which of the following?

A That the right individual gets access to the right resources at the right time for the right reasons

B That all users are properly authorized

C That unauthorized users will get access to the right resources at the right time for the right reasons

D That all users are properly authenticated
A

Which of the following techniques for ensuring cloud datacenter storage resiliency uses encrypted chunks of data?

A RAID
B Data dispersion
C SAN
D Cloud-bursting
B

The Brewer-Nash security model is also known as which of the following?

A The Chinese Wall model
B MAC
C RBAC
D Preventive measures
A

Security training should not be:

A Documented
B Boring
C A means to foster a non-adversarial relationship between the security office and operations personnel
D Internal
B

Which of the following aids in the ability to demonstrate due diligence efforts?

A Bollards
B Security training documentation
C HVAC placement
D Redundant power lines
B

What should be the primary focus of datacenter redundancy and contingency planning?

A Power and HVAC
B Critical path/operations
C Health and human safety
D Infrastructure supporting the production environment
C

Which of the following is not an aspect of physical security that ought to be considered in the planning and design of a cloud datacenter facility?

A Vehicular approach/traffic
B Perimeter
C Elevation of dropped ceilings
D Fire suppression
C

Which of the following is not part of the STRIDE model?

A Spoofing
B Tampering
C Resiliency
D Information disclosure
C

Which of the following is not one of the three types of training?

A Initial
B Recurring
C Refresher
D Integral
D

Which of the following has not been attributed as the cause of lost capabilities due to DoS?

A Changing regulatory motif
B Squirrels
C Hackers
D Construction equipment
A

What is the lowest tier of datacenter redundancy, according to the Uptime Institute?

A V
B 1
C 4
D C
B

Which of the following techniques for ensuring cloud datacenter storage resiliency uses parity bits and disk striping?

A Cloud-bursting
B RAID
C Data dispersion
D SAN
B

What is the amount of fuel that should be on hand to power generators for backup datacenter power, in all tiers, according to the Uptime Institute?

A As much as needed to ensure all systems may be gracefully shut down and data securely stored
B 1
C 1,000 gallons
D 12 hours
D

Which of the following is part of the STRIDE model?

A Redundancy
B Resiliency
C Rijndael
D Repudiation
D

What type of redundancy can we expect to find in a datacenter of any tier?

A Full power capabilities
B All operational components
C All infrastructure
D Emergency egress
D

Which of the following is not a feature of SAST?

A Highly skilled, often expensive outside consultants
B “White-box” testing
C Team-building efforts
D Source code review
C

What is often a major challenge to getting both redundant power and communications utility connections?

A Expense
B Location of many datacenters
C Personnel deployment
D Carrying medium
B

Which kind of hypervisor would malicious actors prefer to attack, ostensibly because it offers a greater attack surface?

A Cat IV
B Converged
C Bare metal
D Type II
D

Which of the following is not a feature of a secure KVM component?

A Keystroke logging
B Sealed exterior case
C Welded chipsets
D Push-button selectors
A

Which of the following is not a feature of DAST?

A Testing in runtime
B User teams performing executable testing
C “Black-box” testing
D Binary inspection
D

Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations?

A Metered usage
B Cross-training
C Raised floors
D Proper placement of HVAC temperature measurements tools
B

The baseline should cover which of the following?

A All regulatory compliance requirements
B A process for version control
C Data breach alerting and reporting
D As many systems throughout the organization as possible
D

Which tool can reduce confusion and misunderstanding during a BC/DR response?

A Checklist
B Call tree
C Flashlight
D Controls matrix
A

In addition to battery backup, a UPS can offer which capability?

A Confidentiality
B Communication redundancy
C Line conditioning
D Breach alert
C

Which characteristic of liquid propane increases its desirability as a fuel for backup generators?

A Does not spoil
B Flavor
C Burn rate
D Price
A

Which form of BC/DR testing has the most impact on operations?

A Full test
B Dry run
C Tabletop
D Structured test
A

Which characteristic of automated patching makes it attractive?

A Cost
B Capability to recognize problems quickly
C Noise reduction
D Speed
D

How often should the CMB meet?

A Every week
B Often enough to address organizational needs and attenuate frustration with delay
C Whenever regulations dictate
D Annually
B

The CMB should include representatives from all of the following offices except:

A Regulators
B Management
C Security office
D IT department
A

Deviations from the baseline should be investigated and __.

A Revealed
B Encouraged
C Documented
D Enforced
C

Maintenance mode requires all of these actions except:

A Remove all active production instances
B Initiate enhanced security controls
C Prevent new logins
D Ensure logging continues
B

For performance purposes, OS monitoring should include all of the following except:

A Print spooling
B Disk space
C Disk I/O usage
D CPU usage
A

Which form of BC/DR testing has the least impact on operations?

A Full test
B Dry run
C Tabletop
D Structured test
C

Adhering to ASHRAE standards for humidity can reduce the possibility of __.

A Static discharge
B Breach
C Inversion
D Theft
A

What is one of the reasons a baseline might be changed?

A Natural disaster
B Numerous change requests
C Power fluctuation
D To reduce redundancy
B

The BC/DR kit should include all of the following except:

A Hard drives
B Documentation equipment
C Flashlight
D Annotated asset inventory
A

A generator transfer switch should bring backup power online within what time frame?

A 10 seconds
B Before the recovery point objective is reached
C Before the UPS duration is exceeded
D Three days
C

When deciding whether to apply specific updates, it is best to follow __, in order to demonstrate due care.

A Internal policy
B Competitors’ actions
C Regulations
D Vendor guidance
D

Generator fuel storage for a cloud datacenter should last for how long, at a minimum?

A 12 hours
B Indefinitely
C Three days
D 10 minutes
A

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following?

A Strict adherence to applicable regulations
B Joint operating agreements
C Generators
D UPS
B

A UPS should have enough power to last how long?

A One day
B Long enough for graceful shutdown
C 12 hours
D 10 minutes
B

Which of the following laws resulted from a lack of independence in audit practices?

A SOX
B ISO 27064
C HIPAA
D GLBA
A

What is a key component of GLBA?

A The information security program
B The right to audit
C The right to be forgotten
D EU Data Directives
A

GAAPs are created and maintained by which organization?

A PCI Council
B AICPA
C ISO
D ISO/IEC
B

The right to be forgotten refers to which of the following?

A The right to have all of a data owner’s data erased
B Erasing criminal history
C The right to no longer pay taxes
D Masking
A

Which statute addresses security and privacy matters in the financial industry?

A GLBA
B FERPA
C SOX
D HIPAA
A

Which of the following reports is most aligned with financial control audits?

A SOC 1
B SOC 2
C SOC 3
D SSAE 16
A

Gap analysis is performed for what reason?

A To assure proper accounting practices are being used
B To provide assurances to cloud customers
C To begin the benchmarking process
D To ensure all controls are in place and working properly
C

Which of the following is the primary purpose of an SOC 3 report?

A Seal of approval
B Absolute assurances
C Compliance with PCI/DSS
D HIPAA compliance
A

Which of the following SOC report subtypes spans a period of time?

A SOC 3
B SOC 1
C Type II
D SOC 2
C

Which of the following is the best advantage of external audits?

A Independence
B Oversight
C Cheaper
D Better results
A

Which of the following is not associated with HIPAA controls?

A Financial controls
B Physical controls
C Technical controls
D Administrative controls
A

Which of the following applies to the Stored Communications Act (SCA)?

A It’s in bad need of updating.
B It’s old.
C All of these
D It’s unclear with regard to current technologies.
C

The right to audit should be a part of what documents?

A PLA
B SLA
C Masking
D All cloud providers
B

Legal controls refer to which of the following?

A ISO 27001
B NIST 800-53r4
C Controls designed to comply with laws and regulations related to the cloud environment
D PCI DSS
C

SOX was enacted because of which of the following?

A All of these
B Poor financial controls
C Lack of independent audits
D Poor BOD oversight
A

Which of the following is the best example of a key component of regulated PII?

A Items that should be implemented
B PCI DSS
C Audit rights of subcontractors
D Mandatory breach reporting
D

Which of the following SOC report subtypes represents a point in time?

A Type I
B Type II
C SOC 3
D SOC 2
A

Which of the following is not a component of contractual PII?

A Scope of processing
B Value of data
C Location of data
D Use of subcontractors
B

Which of the following terms is not associated with cloud forensics?

A Analysis
B Plausibility
C Chain of custody
D eDiscovery
B

Which of the following reports is no longer used?

A SOC 3
B SOC 1
C SSAE 16
D SAS 70
D

Which of the following is the least challenging with regard to eDiscovery in the cloud?

A Complexities of international law
B Decentralization of data storage
C Forensic analysis
D Identifying roles such as data owner, controller, and processor
C

Which of the following is not associated with security?

A Integrity
B Availability
C Confidentiality
D Quality
D

What does the doctrine of the proper law refer to?

A The proper handling of eDiscovery materials
B The determination of what law will apply to a case
C The law that is applied after the first law is applied
D How jurisdictional disputes are settled
D

Which of the following is not an example of a highly regulated environment?

A Financial services
B Healthcare
C Public companies
D Wholesale or distribution
D

The Restatement (Second) Conflict of Law refers to which of the following?

A When judges restate the law in an opinion
B The basis for deciding which laws are most appropriate in a situation where conflicting laws exist
C Whether local or federal laws apply in a situation
D How jurisdictional disputes are settled
B

Which of the following components is part of what a CCSP should review when looking at contracting with a cloud service provider?

A Redundant uplink grafts
B The physical layout of the datacenter
C Background checks for the provider’s personnel
D Use of subcontractors
D

Which of the following is a valid risk management metric?

A SLA
B KRI
C KPI
D SOC
B

Which of the following is not an example of an essential internal stakeholder?

A IT director
B CFO
C HR director
D IT analyst
D

Which of the following is not a way to manage risk?

A Mitigating
B Enveloping
C Transferring
D Accepting
B

Which of the following is not a risk management framework?

A Key risk indicators (KRI)
B European Union Agency for Network and Information Security (ENISA)
C NIST SP 800-37
D ISO 31000:2009
A

Which is the lowest level of the CSA STAR program?

A Self-assessment
B Continuous monitoring
C Attestation
D Hybridization
A

Which of the following best defines risk?

A Threat coupled with a vulnerability
B Threat coupled with a breach
C Vulnerability coupled with an attack
D Threat coupled with a threat actor
A

Which of the following is not appropriate to include in an SLA?

A Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status

B The number of user accounts allowed during a specified period

C The time allowed to migrate from normal operations to contingency operations

D The amount of data allowed to be transmitted and received between the cloud provider and customer
A

What is the Cloud Security Alliance Cloud Controls Matrix (CCM)?

A An inventory of cloud service security controls that are arranged into separate security domains

B A set of software development life cycle requirements for cloud service providers

C A set of regulatory requirements for cloud service providers

D An inventory of cloud services security controls that are arranged into a hierarchy of security domains
A

Which of the following is not one of the types of controls?

A Transitional
B Physical
C Technical
D Administrative
A

The CSA STAR program consists of three levels. Which of the following is not one of those levels?

A SOC 2 audit certification
B Continuous monitoring based certification
C Self-assessment
D Third-party assessment-based certification
A

Which of the following is not a part of the ENISA Top 8 Security Risks of cloud computing?

A Availability
B Vendor lock-in
C Isolation failure
D Insecure or incomplete data deletion
A

Which ISO standard refers to addressing security risks in a supply chain?

A ISO 31000:2009
B ISO 27001
C ISO/IEC 28000:2007
D ISO 18799
C

Which of the following is a risk management option that halts a business function?

A Acceptance
B Transference
C Avoidance
D Mitigation
C

Which of the following frameworks focuses specifically on design implementation and management?

A NIST 800-92
B ISO 31000:2009
C HIPAA
D ISO 27017
B

Which of the following frameworks identifies the top 8 security risks based on likelihood and impact?

A NIST 800-53
B COBIT
C ENISA
D ISO 27000
C

Which of the following is not a risk management framework?

A ISO 31000:2009
B Hex GBL
C COBIT
D NIST SP 800-37
B

A data custodian is responsible for which of the following?

A Data context
B Data content
C Logging access and alerts
D The safe custody, transport, storage of the data, and implementation of business rules
D

Which of the following best describes a cloud carrier?

A The person or entity responsible for transporting data across the Internet

B A person or entity responsible for making a cloud service available to consumers

C The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers

D The person or entity responsible for keeping cloud services running for customers
C

Which of the following methods of addressing risk is most associated with insurance?

A Transference
B Avoidance
C Acceptance
D Mitigation
A

For which of the following cloud environments is the client-side key management approach used?

A XaaS
B DaaS
C PaaS
D SaaS
D

Who among the following acts as a middleman between CSPs and their customers to match customers with the best provider?

A Cloud service auditor
B Cloud computing reseller
C Cloud services brokerage
D Cloud backup service provider
C

Which of the following protocols provides encryption using cryptography for the data in transit?

A SSL (Secure Socket Layer)
B DNS (Domain Name System)
C HTTP (HyperText Transfer Protocol)
D MIME (Multipurpose Internet Mail Extension)
A

In a cloud environment, who ensures that various storage types and mechanisms meet and conform to the relevant SLAs?

A Cloud data architect
B Cloud administrator
C Cloud storage administrator
D Cloud operator
A

Which of the following cloud storage types allows users to share and sync data stored on a mobile device?

A Public
B Private
C Personal
D Mobile
C

What is the goal of business continuity management?

A To recover elements of the business following a disaster

B To assure the business operation continuity in the event of a disruption

C To ensure that the business recovers essential operations in the event of a disaster

D To quickly establish affected areas of the business after a disaster
B

What is the process of allocating the cloud provider’s services and applications to customers so they can utilize them?

A Cloud migration
B Cloud enablement
C Cloud provisioning
D Cloud portability
C

Which section of the CSA (Cloud Security Alliance) provides the ability to quantifiably measure return on investment (ROI) for the efficient use of resources?

A TOGAF (The Open Group Architecture Framework)
B ITIL (Information Technology Infrastructure Library)
C Jericho
D SABSA (Sherwood Applied Business Security Architecture)
A

Which cloud deployment model enhances cloud bursting that allows its users to utilize public cloud resources when the workload of private cloud reaches maximum capacity?

A Public
B Private
C Community
D Hybrid
D

Which expenditure has minimized an organization’s requirement to purchase systems and resources?

A Revenue
B Deferred revenue
C Operational
D Capital
C

Among the following, whose responsibility is it to organize the deployment and design of an application in the cloud environment?

A Cloud service manager
B Cloud developer
C Cloud operator
D Cloud architect
D

Which of the following quality assurance tests signifies the highest level of evaluation?

A Formally verified design and tested
B Methodically tested and checked
C Functionally tested
D Methodically designed, tested, and reviewed
A

Which of the following is a part of the building blocks of a cloud computing system?

A CPU
B OS
C Applications
D ROM
A

Which cloud service allows its customers to deploy applications created using the tools supported by the provider onto the cloud infrastructure?

A SaaS
B XaaS
C IaaS
D PaaS
D

Which of the following security standards focuses on the protection of information assets and addresses the relevant risks by looking to the ISMS (Information Security Management System)?

A SOC 1/SOC 2/SOC 3
B ISO/IEC 27001:2013
C ISO/IEC 27002:2013
D ISO/IEC 27017:2015
B

Which of the following open web application security threats occurs when suspicious data in an application is sent to the web browser without proper validation?

A Security Misconfiguration
B Cross-Site Request Forgery
C Injection
D Cross-Site Scripting
D

Which of the following is a Type 1 hypervisor?

A VirtualBox
B Citrix XenServer
C VMware Workstation
D VMware Fusion
B

Which phase forms the security and foundation for IAM (Identity and Access Management) within the cloud environment?

A Privileged user management
B Authentication and access management
C Provisioning and deprovisioning
D Centralized directory services
B

Which of the following threats occurs due to the loss of relevant encryption keys?

A Insider
B Service traffic hijacking
C Data loss
D Data breach
C

How many phases are there in the data lifecycle?

A 7
B 4
C 5
D 6
D

To which of the following phases of the data lifecycle is the process function mapped?

A Archive
B Create
C Destroy
D Store
B

Which of the following methods is used for implementing volume storage encryption in an IaaS environment?

A Application-level encryption
B Proxy-based encryption
C File-level encryption
D Transparent encryption
B

Which technology allows a user to operate on encrypted data without the need to decrypt it?

A Data Anonymization
B Bit Splitting
C Secret Sharing Made Short
D Homomorphic Encryption
D

What responsibility does a customer hold in the SaaS cloud service?

A Determining data for processing
B Determining instruments of processing
C Controlling functions of tools
D Controlling operations of management
A

Which data protection technique involves twisting the information in such a way that it remains unintelligible, even if the source code is obtained?

A Tokenization
B Obfuscation
C Anonymization
D Encryption
B

In which phase of the data lifecycle does data leave the active use phase and enter long-term storage?

A Share
B Archive
C Destroy
D Store
B

Where should the DLP (Data Leakage Prevention) engine be installed in a DIU (Data in Use) topology of the data lifecycle?

A On the file server
B On the gateway
C On a user’s workstation and endpoint devices
D On the application server
C

In which of the following encryption techniques does the encryption engine run on a secure machine that handles all the cryptographic actions?

A Instance-based
B Proxy-based
C File-level
D Application-level
B

Which of the following capabilities of an IRM (Information Rights Management) solution confirms content delivery and offers proof of compliance with an organization’s information security policy?

A Automatic expiration
B Dynamic policy control
C Persistent protection
D Continuous audit trail
D

Portable storage is vulnerable to which threat?

A Accidental loss
B Cross-site scripting
C Distributed denial-of-service
D Denial-of-service
A

Which of the following logs is used for event investigation and documentation in a SaaS environment?

A DNS server
B Virtual machine manager
C API access
D Webserver
D

Which process is conducted to ensure that policies are understood in the context of the risks introduced into an organization?

A Risk retention
B Risk avoidance
C Risk mitigation
D Risk analysis
D

Which technique helps to analyze the data itself in the content analysis method?

A Using data masking
B Using tokenization technique
C Using hashing technique
D Using indexed sequential access method
C

Which of the following types of storage do cloud infrastructure services use?

A Structured
B Unstructured
C Content and file
D Volume
D

What is the function of a controller?

A To perform operations upon personal data
B To perform data-protection
C To determine the ways of processing personal data
D To replace sensitive data with unique symbols
C

Which data-protection policy moves data that is no longer used to a separate storage device for long-term maintenance?

A Data-retention
B Data classification
C Data-archiving
D Data-deletion
C

What is the process of intentional, permanent destruction of data keys called?

A Sanitization
B Encryption
C Crypto-shredding
D Degaussing
C

Which of the following statements is true of key management?

A Uses key management interoperability protocol to generate keys
B Includes generation of random number of keys
C Manages keys within an encryption engine
D Used in file-level encryption
B

What type of storage is used for swapping storage files?

A Raw
B Ephemeral
C Long-term
D Object
B

Which of the following input entities of data classification requires a specific incident management process that activates measures to limit the damage to the data concerned?

A Data retention constraints
B Scope and purpose of the processing
C Data breach constraints
D Categories of users allowed
C

What is used to separate the physical architecture of an organization when the security controls applied by the virtualization components seem to be weak?

A Honeypot
B Demilitarized zone
C Intrusion detection system
D Intrusion prevention system
B

Which virtualization risk occurs when an OS on a VM breaks out to access the hypervisor?

A Provider lock-in
B Provider exit
C Sprawl
D Guest breakout
D

Who among the following has the privilege to access the management plane to remotely manage the hosts in a cloud environment?

A Server operator
B Power user
C Administrator
D Local user
C

Which of the following is a compute parameter of a cloud server?

A Number of hypervisors
B Amount of ROM
C Number of hosts
D Number of CPUs
D

Which network functionality controls the amount of traffic sent or received as well as the number of API requests within a specified period?

A Bandwidth allocation
B Rate limiting
C Access control
D Filtering
B

What type of BCDR (Business Continuity and Disaster Recovery) strategy involves the selection of an additional deployment zone and recreation of the processing capacity in a different location?

A Data Replication
B Functionality Replication
C File Replication
D Database Replication
B

Who among the following provides cloud service connectivity and transport between the CSPs and the cloud service consumers?

A CSB
B Cloud carrier
C Cloud developer
D Cloud operator
B

Which of the following represents the amount of information that can be recovered and restored in the event of a disaster?

A RTA (Recovery Time Actual)
B RCO (Recovery Consistency Objective)
C RTO (Recovery Time Objective)
D RPO (Recovery Point Objective)
D

Which of the following security responsibilities is shared between an organization and its CSP in an IaaS cloud environment?

A Infrastructure Security
B Data Security
C Application Security
D Platform Security
A

In which cloud environment scenario does the business continuity strategy fail the service over to another part of the same CSP infrastructure?

A Cloud service consumer, alternative provider BCDR
B Cloud service consumer, primary provider BCDR
C On-premises, cloud as BCDR
D Cloud user, alternative BCDR cloud provider
B

Which technology makes the network control programmable and dynamically adjusts the flow of traffic when the pattern of network consumption changes?

A Application-defined networking
B Network function virtualization
C Hardware-defined networking
D Software-defined networking
D

What is the purpose of using the Cloud Security Alliance cloud controls matrix?

A To assure that adequate risk controls exist
B To allow cooperation between CSPs and their customers
C To perform capacity planning activities
D To carry out session statistics usage information
B

In which of the following tests of the recovery plan are workers mobilized to an alternative site to perform the actual recovery process?

A Functional drill/parallel test
B Full-interruption/full-scale test
C Tabletop exercise/structured walk-through test
D Walk-through drill/simulation test
A

Which of the following is the software that manages the requests of multiple guest machines to access the resources of the host machine?

A Hypervisor
B VMware
C Hyper-V
D XenServer
A

In which type of cloud-specific risk can a malicious user affect the entire cloud infrastructure?

A Guest breakout
B Law enforcement
C Loss of governance
D Management plane breach
D

For what purpose is a compensating control used in a cloud environment?

A Providing extensive background checks and screening of initial controls
B Allowing update of initial components without failure
C Making initial controls resistant against any type of failure
D Creating an additional layer of monitoring the initial control
D

Which standard protocol is used in the public cloud environment for managing identification of various agents and devices?

A OAuth
B Kerberos
C RADIUS
D LDAP
A

What is the function of the BIA (Business Impact Analysis)?

A To identify procedures to minimize the RTO
B To measure the amount of computing power needed to recover the system
C To determine the business recovery strategy by calculating the RTO and RPO
D To evaluate the effects of business failover
C

Which of the following technologies is used to ensure secure API (Application Programming Interface) access?

A Virtual private network
B Message-level crypto-access
C Data loss prevention
D ID.AM (Identity—Asset Management)
B

Which of the following is a type of multifactor authentication (MFA)?

A One-time password
B Fingerprint
C ID card
D Password
A

In which of the following threats does an illicit denial of an event occur?

A Denial of service
B Insiders
C Repudiation
D Insufficient due diligence
C

Which of the following activities takes place in the secure operations phase of the software development lifecycle?

A Static analysis
B Dynamic analysis
C Code review
D Acceptance testing
B

Which of the following encryption options establishes an encrypted link between a web server and a browser and ensures privacy and integrity of data on that link?

A Secure socket shell
B Secure socket layer
C Virtual private network
D IPsec gateway
B

What kind of relationship exists between an organizational normative framework and an application normative framework?

A Many-to-many
B One-to-one
C One-to-many
D Many-to-one
C

What is the main objective of applying cryptography to the data in a cloud?

A To ensure confidentiality
B To ensure secure authentication
C To manage authorization
D To maintain integrity
A

Which of the following processes involves migration of an application with minimal code changes?

A Sandboxing
B Data Masking
C Forklifting
D Tokenization
C

Which of the following processes seeks to exploit the vulnerabilities of a system by collecting the information related to system exposures?

A Dynamic application security testing
B Penetration testing
C Vulnerability scanning
D Vulnerability assessment
B

Which of the following testing methods is referred to as white-box testing and is used to find coding errors?

A DAST (Dynamic application security testing)
B RASP (Runtime application self-protection)
C Penetration testing
D SAST (Static application security testing)
D

Which of the following vulnerabilities exploits a user’s browser to generate unauthorized commands?

A Cross-site request forgery
B Cross-site scripting
C Sensitive data exposure
D Unvalidated redirects and forwards
A

Which of the following is an application virtualization?

A Oracle VirtualBox
B Parallels Workstation
C VMware Workstation
D Microsoft App-V
D

Which of the following supplemental security devices implements the DLP (data loss prevention) security control?

A XML gateways
B API gateway
C Web application firewall
D Database activity monitoring
A

Which process verifies untested and untrusted code in a controlled cloud environment?

A Application virtualization
B Sandboxing
C Data masking
D Supply chain management
B

Which of the following cloud-specific risks occurs when various applications are pushed to a cloud environment without a complete understanding of the CSP environment?

A Insufficient due diligence
B Insecure APIs
C Shared technology issues
D Abuse of cloud services
A

Who holds the identity of all the users and generates tokens for known users?

A Identity repository
B Federated identity provider
C Federated SSO (Single Sign-On)
D Identity management
B

Which of the following data formats does SOAP (Simple object access protocol) support?

A JSON (JavaScript Object Notation)
B YAML (Yet Another Multicolumn Layout)
C HTML (Hypertext Markup Language)
D XML (eXtensible Markup Language)
D

Which of the following federation standards is an XML-based framework that allows the authentication, entitlement, and attribute information of the users communicating in a cloud?

A OpenID Connect
B SAML (Security Assertion Markup Language)
C OAuth
D WS-Federation
B

Which of the following phases does an application enter after it has been implemented according to the principles of the software development lifecycle?

A Testing
B Secure operations
C Disposal
D Defining
B

What is the purpose of using the Puppet configuration management system?

A To address the security of data while the data crosses the network

B To poll for latest state and policy of the network

C To plan the quality-assurance requirements and identify the risks related to the system

D To define the state of IT infrastructure and then automatically enforce the correct state
D

What is the process of adding validation support to a section without changing the basic mechanism of a DNS query using DNSSEC?

A Zone signing
B DNS management
C Patch management
D Zone refining
A

Which of the following is tier IV for data center design according to “Data Center Site Infrastructure Tier Standard: Topology”?

A Concurrently maintainable site infrastructure
B Redundant site infrastructure capacity components
C Basic data center site infrastructure
D Fault-tolerant site infrastructure
D

In which phase of digital forensics is the collected data forensically processed using a combination of manual and automated methods?

A Acquisition
B Examination
C Analysis
D Reporting
B

Which of the following practices for secure server configuration uses RBAC (Role-Based Access Control) to limit user access to a host?

A Host lockdown
B Host patching
C Host hardening
D Host mapping
A

Which agreement is negotiated between internal business units within an organization?

A Service-level
B Operational-level
C Underpinning contract
D Business-level
B

Which of the following services is accessible within the SaaS cloud service model?

A Virtualization
B Networking
C Middleware
D Access control
D

In which of the following is customer access blocked and alerting disabled?

A Hosted VM
B Maintenance mode
C Public cloud
D Hybrid cloud
B

What is the function of a secure kernel-based virtual machine?

A Monitors transmission between the server and computer
B Prevents data loss between the server and computer
C Provides complete data center protection
D Provides support to the virtual networking layer
B

Which of the following protocols uses X.509 certificates to authenticate a connection and exchange symmetric keys over a network?

A DNS
B Kerberos
C TLS
D TCP
C

What is used to dynamically allocate cloud resources to maximize their use?

A Cloud OS
B Cloud controller
C Virtual host
D Hypervisor
B

Which of the following management processes recognizes, examines, and corrects hazards to prevent their recurrence?

A Problem Management
B Incident Management
C Continuity Management
D Change Management
B

How is the redundancy in virtual switches achieved in a VLAN network?

A Using port forwarding
B Using port channeling
C Using kernel-based virtual machine
D Increasing network traffic
B

Which assessment is carried out when an appropriate amount of data is not available in an organization to support the risk assessment, and estimates are used to express risk?

A Security assessment
B Vulnerability assessment
C Quantitative risk assessments
D Qualitative risk assessments
D

What should private and public CSPs do to get isolated from other tenants?

A Configure server and all the network devices.
B Enable all application environments, customer data, and communication.
C Enable virtual switches and storage controllers.
D Configure kernel-based virtual machine.
B

Which technique safeguards the system against newly found vulnerabilities to provide additional functionalities?

A Risk management
B Configuration management
C Patch management
D Change management
C

Which of the following protocols provides authentication for client/server application using secret-key cryptography?

A Challenge handshake authentication protocol
B Internet key exchange
C Secure remote password
D Kerberos
D

Which of the following does a virtualization vendor use to allow host clusters to scale and manage computing resources without service disruption?

A Resource scheduling
B Resource optimization
C Resource sharing
D Distributed resource scheduling
D

Which of the following operations management processes ensures the protection of the integrity of the live environment and presents the correct components to the customers?

A Information security management
B Problem management
C Availability management
D Release and deployment management
D

Which of the following threats is a form of cache poisoning in which forged data is placed in the cache of the name server?

A Data modification
B Footprinting
C Redirection
D Spoofing
D

Which of the following actions is required to establish and maintain log management in an organization?

A Define log requirements and goals of an organization
B Define volume of log data to be processed
C Define security requirements for log management
D Monitor the operations in standard log management process
A

What type of security control alerts the administrator about suspicious activities by monitoring the inbound and outbound packets from devices?

A Host-based software firewall
B Host intrusion detection system
C Intrusion prevention system
D Network intrusion detection system
B

When the partnership is aborted, which policy should be clearly documented and communicated to effectively and efficiently terminate the partner’s access to cloud-based resources?

A On-boarding
B Checkout
C Termination
D Off-boarding
D

Which intelligence agency’s website was attacked by LulzSec on June 15, 2011?

A FBI
B CIA
C NSA
D CBI
B

Who among the following is responsible for supervision, secure data storage, transport, and implementation of business rules?

A Data stewards
B Data controller
C Data processor
D Data custodians
D

Which act protects the general public and the shareholders from accounting errors and illegal practices in the enterprise?

A SOX
B HIPAA
C GLBA
D SCA
A

What are the five key principles of ISO/IEC 27018?

A Independent and yearly audit, collection, control, transparency, and quality

B Consent, control, transparency, communication, and independent and yearly audit

C Quality, collection, transparency, communication, and disclosure to third parties

D Management, quality, communication, choice and consent, and access
B

Which level of CSA STAR needs the release of results related to security-properties monitoring on the basis of CTP (Cloud Trust Protocol)?

A Level 3
B Level 4
C Level 1
D Level 2
A

Which process aims to identify the relevant risks that may affect the AIC (availability, integrity, and confidentiality) of key information assets?

A Gap analysis
B Patch management
C Risk analysis
D Change management
A

Which of the following metrics provides the time required to finish the initiated or requested task?

A Mean-time to switchover
B Completion time
C Response time
D Instance startup time
B

Which of the following phases of audit planning assures that operational and business changes internally have been captured as part of the audit plan?

A Defining audit objective
B Refining the audit process
C Conducting audit
D Defining audit scope
D

Which of the following laws relieves a victim suffering from the wrongful act of others and seeks to redress the compromised or diminished legal rights?

A State
B Privacy
C Criminal
D Tort
D

Which framework provides guidance for cloud vendors and assists the cloud customers to assess the overall security risk of a CSP?

A CSA STAR
B CSA CCM
C ISO 28000:2007
D Common Criteria
B

Which program addresses the fact that the U.S. does not have a regulatory framework in place that provides sufficient protection for personal data transferred from the EEA (European Economic Area)?

A HIPAA
B GLBA
C Directive 95/46 EC
D Safe Harbor
D

Which approach deals with reducing the probability of risk occurrence?

A Risk Mitigation
B Risk management probability
C Risk Avoidance
D Risk analysis
A

Which of the following laws decides which law is most appropriate in the event of conflicting laws in different states?

A Restatement (second) conflict of law
B International law
C Criminal law
D The doctrine of the proper law
A

What is defined as information used to distinguish or trace the identity of an individual?

A e-Discovery
B IAM (identity and access management)
C IRM (information rights management)
D PII (personally identifiable information)
D

What should a CCSP do to assure and perform proper auditing on VMs and hypervisors?

A Understand configuration management architecture
B Verify system updates according to organizational policy
C Verify hypervisor configuration according to remote access policy
D Verify hypervisor configuration according to organizational policy
D

Which organization focuses on the need to protect privacy in the use of personal data through a practical, risk-management-based approach?

A General Data Protection Regulation
B Asia-Pacific Economic Cooperation
C Organization for Economic Cooperation and Development
D EU data protection directive
C

Which type of audit report requires the details of the tests performed by the service auditor and is conducted according to the SSAE 16 (Statement on Standards for Attestation Engagement)?
SOC 1 & SOC 2

Who among the following is responsible for validating that all the relevant laws and statutes pertaining to their investigation are documented before starting the investigation?

A CSP
B CSB
C Cloud consumer
D CCSP
D

__________ meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it. This is where the term utility computing comes from, since computing resources can now be consumed like water and electricity, with the client only paying for what they use.
Measured service

The key difference between cloud and traditional computing is the_________________, which includes the management plane components, which are network-enabled and remotely accessible. Another key difference is you tend to double up on each layer.
metastructure

In some cases, it may be necessary to obtain prior permission of the local Data Protection Commissioner before transferring data in or out of the country.

A True
B False
A

According to GDPR Policy, breaches must be reported within 72 hours of the company becoming aware of the incident.

A True
B False
A

_ are the logs, documentation, and other materials needed for audits and compliance; they are the evidence to support compliance activities.
Artifacts

Ensuring the use of data and information complies with organizational policies, standards, and strategy — including regulatory, contractual, and business objectives.
information/data governance

_ abstracts the running of code (including operating systems) from the underlying hardware and most commonly refers to virtual machines.
Compute virtualization

Broad network access
There should never be network bandwidth bottlenecks.

On-demand services
Refers to the model that allows customers to scale their compute and/or storage needs with little or no intervention from or prior communication with the provider.

Resource pooling
Characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable.

measured/metered service
The customer is charged for only what they use and nothing more.

Business Impact Analysis (BIA)
An assessment of the priorities given to each asset and process within the organization

personally identifiable information (PII)
Under current laws, no cloud customer can transfer risk or liability associated with the inadvertent or malicious disclosure of _.

Elasticity
This is the flexibility of allocating resources as needed for immediate usage, instead of purchasing resources according to other variables.

Simplicity
Usage and administration of cloud services ought to be transparent to cloud customers and users; from their perspective, a digital data service is paid for and can be used, with very little additional input other than what is necessary to perform their duties.

Scalability
The organization’s computing needs won’t remain static: there will be new (and hopefully more) users, customers, and data as the organization continually matures.

Infrastructure as a Service (IaaS)
The most basic of cloud service offerings; allows the customer to install all software, including operating systems (OSs), on hardware housed and connected by the cloud vendor.

Platform as a Service (PaaS)
contains everything included in IaaS, with the addition of OSs.

Software as a Service (SaaS)
The cloud vendor becomes responsible for administering, patching, and updating software as well.

Private cloud
Owned by a single organization and implemented on a cloud-based secure environment protected by a firewall.

Hybrid cloud
Integrated arrangement of two or more cloud servers.

Community cloud
Multi-tenant setup shared between organizations that belong to a specific group.

Public cloud
Delivers cloud services over a network that is open for free usage.

Regulators
The entities that ensure organizations are in compliance with the regulatory framework for which they’re responsible.

Cloud Service Provider (CSP)
The _ will own the datacenter, employ the staff, own and manage the resources (hardware and software), monitor service provision and security, and provide administrative assistance for the customer and the customer’s data and processing needs.

Cloud Customer
The organization purchasing, leasing, or renting cloud services.

Cloud Access Security Broker (CASB)
A third-party entity offering independent identity and access management (IAM) services to CSPs and cloud customers, often as an intermediary.

Apache Cloud Stack
An open source cloud computing and IaaS platform developed to help make creating, deploying, and managing cloud services easier by providing a complete “stack” of features and components for cloud environments.

Business Requirement
An operational driver for decision making and input for risk management.

Cloud App (Cloud Application)
The phrase used to describe a software application accessed via the Internet; may include an agent or applet installed locally on the user’s device.

Cloud Architect
Subject matter expert for cloud computing infrastructure and deployment.

Cloud Backup
Backing up data to a remote, cloud-based server.

Cloud Computing
A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices handle applications.

Cloud Computing Reseller
A company that purchases hosting services from a cloud server hosting or computing provider and then resells them to its own customers.

Cloud Migration
The process of transitioning all or part of a company’s data, applications, and services from onsite premises to the cloud, where the information can be provided over the Internet on an on-demand basis.

Cloud OS
A phrase frequently used in place of PaaS to denote an association to cloud computing.

Cloud Portability
The ability to move applications and associated data between one cloud provider and another, or between legacy and cloud environments.

Cloud Provider
A service provider that offers customer storage or software solutions available via a public network, usually the Internet.

Cloud Services Broker (CSB)
Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers.

Cloud Storage
The storage of data online in the cloud, wherein a company’s data is stored in an accessible form from multiple distributed and connected resources that comprise a cloud.

Cloud Testing
Load and performance testing conducted on the applications and services provided by a cloud provider, particularly the capability to access the services, in order to ensure optimal performance and scalability under a wide variety of conditions.

Community Cloud
A model where the cloud infrastructure is designed for use by a specific community.

Enterprise Application
The term used to describe applications or software that a business would use to assist the organization in solving enterprise problems.

Eucalyptus
An open source cloud computing and Infrastructure as a Service (IaaS) platform for enabling private clouds.

FIPS 140-2
A NIST document that lists accredited and outmoded cryptosystems.

Hybrid Cloud
A cloud solution that mixes elements of public, private, and community cloud models.

Managed Service Provider
An IT service where the customer dictates both the technology and operational procedures, and an external party executes administration and operational support according to a contract.

Multi-Tenant
Multiple customers using the same public cloud (and often the same hosts, in a virtualized cloud environment).

NIST 800-53
A guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all U.S. federal government information in information management systems.

Private Cloud
The phrase used to describe a cloud computing platform that is implemented within the organization.

Trusted Cloud Initiative (TCI) Reference Model
The TCI reference model is a guide for cloud providers, allowing them to create a holistic architecture (including the physical facility of the datacenter, the logical layout of the network, and the processes necessary to utilize both) that cloud customers can purchase and use with comfort and confidence.

Vendor Lock-in
Vendor lock-in occurs in a situation where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints.

Vendor Lock-out
Vendor lock-out occurs when a customer is unable to recover or access their own data due to the cloud provider going into bankruptcy or otherwise leaving the market.

Virtualization
Creating a virtual (a logical vs. a physical) version of something, including virtual computer hardware platforms, operating systems, storage devices, and computer network resources.

Confidentiality
Protecting information from unauthorized access/dissemination

Integrity
Ensuring that information is not subject to unauthorized modification

Availability
Ensuring that authorized users can access the information when they are permitted to do so

Encryption
Offers a degree of assurance that nobody without authorization will be able to access other’s data in a meaningful way.

Avoidance
This isn’t really a method for handling risk; it means leaving a business opportunity because the risk is simply too high and cannot be compensated for with adequate control mechanisms—a risk that exceeds the organization’s appetite.

Acceptance
The risk falls within the organization’s risk appetite, so the organization continues operations without any additional efforts regarding the risk.

Transference
The organization pays someone else to accept the risk, at a lower cost than the potential impact that would result from the risk being realized; this is usually in the form of insurance.

Mitigation
The organization takes steps to decrease the likelihood or the impact of the risk (and often both); this can take the form of controls/countermeasures, and is usually where security practitioners are involved.

Label-based
Used when the discovery effort is considered in response to a mandate with a specific purpose.

Metadata-based
Used to collect all matching data elements for a certain purpose.

Content-based
Used to locate and identify specific kinds of data by delving into the datasets.

Data analytics
Creates new data feeds from sets of data already existing within the environment.

The United States
Strong intellectual property protections, including stringent, multiple legal frameworks. (GLBA, HIPAA, and so forth)

Europe
Good intellectual property protections. Massive, exhaustive, comprehensive personal privacy protections, including the EU Data Directive and the General Data Protection Regulation.

Asia
Disparate levels of intellectual property protection. Data privacy protection levels differ greatly by country, with Japan adhering to the EU model, and other countries following much-reduced guidance.

South/Central America
Various intellectual property mechanisms. Generally lax privacy protection frameworks, with the notable exception of Argentina, which is in direct correlation with the EU legislation.

Australia/New Zealand
Strong intellectual property protections. Very strong privacy protections, with the Australian Privacy Act mapping directly to the EU statutes.

What are the 4 characteristics of cloud computing?
Broad network access
On-demand services
Resource Pooling
Measured or “metered” service

What NIST publication number defines cloud computing?
800-145

What ISO/IEC standard provides information on cloud computing?
17788

What is another way of describing a functional business requirement?
necessary

What is another way of describing a nonfunctional business requirement?
not necessary

What is the greatest driver pushing orgs to the cloud?
Cost savings

What is cloud bursting?
Ability to increase available cloud resources on demand

What are 3 characteristics of cloud computing?
Elasticity
Simplicity
Scalability

What is a cloud customer?
Anyone purchasing cloud services

What is a cloud user?
Anyone using cloud services

What are the three cloud computing service models?
SaaS (Software as a Service)
PaaS (Platform as a Service)
IaaS (Infrastructure as a Service)

What is IaaS (Infrastructure as a Service)?
Cloud provider provides all the physical capability and administration, while the customer is responsible for logical resources.

What is PaaS (Platform as a Service)?
A cloud computing service that provides the hardware and the operating system and is responsible for updating and maintaining both.

What is SaaS (Software As A Service)?
Cloud provider manages everything.

What are the four cloud deployment models?
Public
Private
Community
Hybrid

What cloud model is owned by a single organization?
Private

What cloud model is an arrangement of two or more cloud servers?
Hybrid

What cloud model is a shared setup between orgs?
Community

What cloud model is open for free usage?
Public

What is a cloud service provider?
The cloud service provider manages and provides the entire hosting capability

What is a Cloud Access Security Broker?
Third-party acting as an intermediary for identity and access management

What do regulators do?
Ensure organizations are in compliance with regulatory framework.

What word in the CIA triad describes: What protects information from unauthorized access/dissemination?
Confidentiality

What word in the CIA triad describes: Ensuring that information is not subject to unauthorized modification?
Integrity

What word in the CIA triad describes: Ensuring that authorized users can access the information when they are permitted to do so?
Availability

What is a cloud architect?
Expert in cloud computing

What is cloud OS also known as?
PaaS

NIST standard number that lists accredited and outmoded cryptosystems
FIPS 140-2

customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints.
vendor lock-in

What is cloud migration?
Process of transitioning part of a company’s data or services from onsite premises to the cloud

What is cloud portability?
Move applications and data between cloud providers

What offers a degree of assurance that nobody w/o authorization will be able to access other’s data?
Encryption

If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best?
PaaS

What technology has NOT made cloud service viable?
Smart hubs

What determines the critical paths, processes, and assets of an organization?
BIA

For a fully operational environment with very little maintenance or administration necessary, which cloud service model would probably be best?
PaaS

customer is unable to recover or access their own data due to the cloud provider going into bankruptcy or otherwise leaving the market.
Vendor lock-out

What are four examples of things to know to decide how to handle risks within an org?
Inventory of all assets
Valuation of each asset
Critical paths, processes, and assets
Clear understanding of risk appetite

T/F: Assets are only tangible items.
False. Assets are everything owned or controlled by an org.

The process of evaluating assets?
Business Impact Analysis (BIA)

What is criticality?
Something an org could not operate or exist without

What are 5 examples of criticality for an org?
Tangible assets
Intangible assets
Processes
Data paths
Personnel

In risk, what is the avoidance method?
Avoiding high risk

In risk, what is the acceptance method?
Acceptable level of risk

In risk, what is an example of the avoidance method?
Insurance

In risk, what is the mitigation method?
Controls or countermeasures

Assets can be what?
Tangible
Intangible
Personnel

What does Business Impact Analysis do?
Defines which of the assets provide the intrinsic value of an organization.

What is risk appetite?
Level, Amount, or Type of risk that an org finds acceptable

What is the IaaS boundary?
The provider is responsible for connectivity and power, and the customer is in charge of installing software.

What is the PaaS boundary?
The provider is responsible for updates and administration of the OS and the customer monitors and reviews software events.

What is the SaaS boundary?
The provider is responsible for system maintenance and the customer supplies and processes data to and in the system.

What should encryption be used for in a cloud datacenter?
Long-term storage/archiving
Protecting near-term stored files, such as snapshots of virtualized instances
Preventing unauthorized access to specific datasets by authorized personnel

What should encryption be used for in communications between cloud providers and users?
Creating secure sessions
Ensuring the integrity and confidentiality of data in transit

What are 4 controls/mechanisms a cloud provider should play a role in for layered defense?
Strong personnel controls
Technological controls
Physical controls
Governance mechanisms

In cloud layered defense what are examples of personnel controls?
background checks
continual monitoring

In cloud layered defense what are examples of technological controls?
encryption
event logging
access control enforcement

In cloud layered defense what is an example of physical controls?
access to overall campus

In cloud layered defense what is an example of governance mechanisms?
auditing

What are ways of securing devices in a datacenter?
Guest accounts removed
no default passwords
systems are patched, maintained and updated
unused ports are closed
limited physical access

What is layered defense?
The practice of having multiple overlapping means of securing the environment with a variety of methods

Who determines risk appetite?
senior management

Experimental technology of processing encrypted data w/o decrypting it first?
Homomorphic

T/F: Data owners remain legally responsible for all data they own
True

What are four ways an org might categorize data?
Regulatory compliance
business function
functional unit
by project

What are three examples of classification?
sensitivity
jurisdiction
criticality

What is a data owner?
Collects or creates the data, and possesses the rights and responsibilities of the data

What is a data custodian?
Manipulates, stores, or moves the data, and serves as a cloud provider

What is datamining?
Data mining tries to automatically find interesting patterns in data using a plethora of technologies

In which categorization method does an org create categories based on which rules apply to a specific dataset?
regulatory compliance

In which categorization method does an org have specific categories for different uses of data?
business function

What would a department or office be called that has its own category and keeps all the data it controls?
functional unit

Which categorization method defines datasets by project?
by project

What data discovery method is used when the discovery effort is considered in response to a mandate with a specific purpose?
Label-based

What data discovery method is used to collect all matching data elements for a certain purpose
Metadata-based

What data discovery method is used to locate and identify specific kinds of data by delving into the datasets?
Content-based

What data discovery method is used to create new data feeds from sets of data already existing within the environment?
data analytics

T/F: Being in the cloud means an organization may not be subject to many legal constructs simultaneously.
False

T/F: Awareness and compliance with specific jurisdictions are challenges of cloud computing.
True

T/F: The cloud user is responsible for managing virtualized images, stored data, and operational data.
False

T/F: The cloud user is unaware of exactly where the data is located at any given moment, in terms of both datacenters and geographic locations.
True

What are four examples of Fair Use under copyright laws?
Academic
Critique
News Reporting
Scholarly Research

What are five examples of exceptions under copyright laws?
Fair use
satire
library preservation
personal backup
versions for people with physical disabilities

What is copyright?
protection of written material or ideas

What is a trademark?
a symbol, word, or words legally registered or established by use as representing a company or product.

What is a patent?
legal mechanism for protecting intellectual property in the form of inventions, processes, materials, decorations, and plant life

What are trade secrets?
Any form of knowledge or info that has economic value from not being known to others or readily ascertainable by proper means, and that has been the subject of reasonable efforts by the owner to maintain secrecy

What are rudimentary reference checks?
Content itself can automatically check for proper usage or ownership

What is the presence of licensed media?
DRM engine on the media identifies the unique disk

What are online reference checks?
Product key

What is support-based licensing?
the need for continual help for content

What are local agent checks?
Installed reference tool that checks the protected content against the user’s license

What are four examples of conflicts that are posed while employing DRM to the cloud?
API
Replication
Jurisdiction
Enterprise

What are six retention policies that should be included in data retention?
retention periods
applicable regulation
retention formats
data classification
archiving and retrieval procedures
monitoring, maintenance, and enforcement

What are four legacy examples of data destruction?
Physical destruction of media and hardware
degaussing
overwriting
Cryptoshredding

data retention policy: Retention period
how long data should be kept

data retention policy: data classification
how and when data should be categorized

data retention policy: retention format
how data is archived and stored

data retention policy: applicable regulation
senior management’s decision to resolve conflict in policy

What is jurisdiction?
geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled

What is a data audit?
A powerful tool to regularly review, inventory, and inspect usage and condition of the information that an organization owns.

What does copyright not protect?
ideas, facts, titles, names, short phrases, blank forms

Who is the data processor in the cloud motif?
Cloud provider

What isn’t included in data labels?
Data value

What is the intellectual property protection for the tangible expression of a creative idea?
Copyright

What federal agency accepts applications for new patents?
USPTO

What is the intellectual property protection for a very valuable set of sales leads?
Trade secret

What is the intellectual property protection for a useful manufacturing innovation?
Patent

Who is the data owner in a cloud motif?
cloud customer

What are 3 data analytic modes?
Data Mining
Agile business intelligence
real-time analytics

What are the 6 stages of the data life cycle?
Create
Store
Use
Share
Archive
Delete

Data created should be _ upon creation/upload
encrypted

new digital content is generated or existing content is modified
create

data is committed to a repository
store

data is viewed, processed, or otherwise used in some sort of activity
use

information is made accessible to others
share

data leaves active use and enters long-term storage
archive

data is permanently removed using physical or digital means
destroy

T/F: Archive phase is for short-term storage when planning security controls for the data
False

T/F: Archive phase activities in the cloud will largely be driven by whether a user is using the same cloud provider for backups and its production environment
True

T/F: In the archive phase, physical security of the data in short-term storage is also important
False

T/F: In the archive phase, cryptography will, as with most data-related controls, be an essential consideration
True

What is volume storage?
allocates a storage space within the cloud; this storage space is represented as an attached drive to the user’s virtual machine

What are two types of volume storage architecture?
File
Block

Volume storage is associated with what infrastructure model?
Infrastructure as a Service(IaaS)

What is object-based storage?
Data is stored as objects

What is a database?
Provides some sort of structure for stored data; it is backend storage in the datacenter, accessed by users utilizing online apps

What is a content delivery network?
Acts as a form of data caching, usually near geophysical locations of high use demand, improves bandwidth and provides quality

What are three levels of encryption related to databases?
File-level
Transparent
application-level

When the database is stored on a volume, what encryption type should be used?
file-level

When wanting to encrypt the entire database or specific portions of it, what type of encryption should be used?
transparent

When should application-level encryption be used with a database?
compromised administrative accounts
other database and application-level attacks

What is tokenization?
Practice of having two distinct databases: one with the live, actual sensitive data, and one with nonrepresentational tokens mapped to each piece of data

What are the four goals of Security Information and Event Management(SIEM)?
Centralize collection of log data
enhanced analysis capabilities
dashboarding
automated response

What does DLP in egress monitoring stand for?
data loss, leak prevention, and protection

What are the four major goals of DLP?
Additional security
Policy Enforcement
Enhanced Monitoring
Regulatory compliance

What is randomization?
replacement of data with random characters

What is hashing?
Using a one-way cryptographic function to create a digest of the original data

What is shuffling?
Using different entries from within the same data set to represent the data

What is masking?
Hiding the data with useless characters

What are nulls?
deleting the raw data from the display before it is represented or displaying null

What is key recovery?
A procedure that involves multiple people, each with access to only a portion of the key

What is block storage?
A blank volume that the customer or user can put anything into and it might allow more flexibility and higher performance

What are the U.S. Commerce Department’s controls on technology exports?
Export Administration Regulations(EAR)

What are the U.S. State Department’s controls on technology exports?
International Traffic in Arms Regulations(ITAR)

T/F: Cryptographic keys for encrypted data stored in the cloud should be stored with the cloud provider.
False

What is the practice of obscuring raw data where only a portion is displayed for operational purposes?
Masking

What are third-party providers of IAM functions for the cloud environment?
Cloud Access Security Broker(CASB)

T/F: The goals of DLP include elasticity
False

T/F: Risk and responsibilities will be shared between the cloud provider and customer
True

T/F: The customer is concerned with data, whereas the provider is concerned with security and operation
True

T/F: The customer wants to refute control, deny insight, and refrain from disclosing any information used for malicious purpose
False

T/F: The customer is legally liable for their data even if the provider was negligent.
True

What is a private cloud?
a cloud that is owned and operated by an organization for its own benefit.

What are 5 risks private cloud owners face?
Personnel threats
Natural disasters
External attacks
regulatory noncompliance
malware

What are 3 risks associated with a community cloud?
Resiliency through shared ownership
Access and control
lack of centralized standards

What are the 3 main issues with a public cloud?
vendor lock-in
vendor lock-out
multitenant environments

What are 4 things to consider to avoid vendor lock-in?
Ensure favorable contract terms for portability
Avoid proprietary formats
Ensure no physical limitations to moving
Check for regulatory constraints

What are 4 factors to consider to avoid vendor lock-out?
Provider longevity
Core competency
Jurisdictional suitability
Supply chain dependencies
Legislative environment

What are 4 risks in a multitenant environment?
Conflict of interest
Privilege escalation
Information bleed
Legal activity

What are 3 risks associated with Infrastructure as a Service (IaaS)?
Personnel threats
External threats
Lack of specific skillsets

What are 4 risks associated with Platform as a Service (PaaS)?
Interoperability issues
Persistent backdoors
Virtualization
Resource Sharing

What are 3 risks associated with Software as a Service (SaaS)?
Proprietary formats
Virtualization
Web application security

What are 4 risks with virtualization?
Attacks on the hypervisor
Guest escape
Information bleed
Data seizure

What is a type 1 hypervisor?
Installed on top of a bare metal install, bootable software

what is a type 2 hypervisor?
Applications that run on a standard OS

What are 8 threats to a private cloud?
malware
internal threats
external attackers
man in the middle
social engineering
theft or loss of devices
regulatory violations
natural disasters

What three additional concerns from a private cloud apply to a community cloud?
Loss of policy control
loss of physical control
lack of audit access

What are three additional threats to public clouds, beyond those to community and private clouds?
rogue administrator
privilege escalation
contractual failure

What are three methods of using cloud backups for business continuity / disaster recovery (BC/DR)?
Private architecture, cloud service as a backup
Cloud operations, cloud provider as backup
Cloud operations, third-party cloud backup provider

What are some examples of cloud computing external threats?
malware, hacking, man-in-the-middle

What is a personnel threat?
Malicious or negligent insider who can cause negative impact, as they have physical access to the resources

What is resource sharing?
Programs and instances run by the customer that will operate on the same devices used by other customers, sometimes simultaneously

What is an interoperability issue?
Customer’s software may not function properly with each new adjustment in the environment if the OS is updated by the provider

What is a data seizure?
Legal activity that might result in a host machine being confiscated or inspected by law enforcement or plaintiffs’ attorneys

What is guest escape?
An improperly designed or poorly configured hypervisor might allow a user to leave the confines of their own virtualized instance

What is information bleed?
Possibility that processing performed on one virtualized instance may be detected by other instances on the same host

What are three techniques to enhance the portability of data and avoid vendor lock-in?
Favorable contract terms
Avoid proprietary data formats
No physical limitations to moving

What are six countermeasures against internal threats?
Least privilege
mandatory vacation
separation of duties
skills and knowledge testing
extensive and comprehensive training programs
aggressive background checks

What are 3 countermeasures that can be applied to cloud operations against internal threats?
DLP solutions
Financial penalties against the cloud provider’s personnel
broad contractual protections

What are 3 dependencies that must be considered after cloud migration?
The cloud provider’s vendors, utilities, and suppliers

What 3 models are generally available for cloud BCDR?
Private architecture, cloud backup
cloud provider, back from same provider
cloud provider, backup from another cloud provider

T/F: After cloud migration, taking into account new factors related to data breach impacts, legal liability can’t be transferred to the cloud provider
True

What are three methods that can attenuate harm caused by privilege escalation?
Automated analysis tools
Extensive access control and authentication tools and techniques
Analysis and review of all log data by trained, skilled personnel on a frequent basis

What word describes the general ease and efficiency of moving data from one provider to another?
Portability

Whose responsibility involves infrastructure and physical security?
cloud provider

Whose responsibility involves data security and governance?
Enterprise

Vulnerability assessment, firewall, honeypot, and IDS/IPS are methods used for what?
securing a network

What are three methods to protect data in transit?
Encryption
Virtual private network
Strong authentication

What creates a secure tunnel across an untrusted network?
Virtual private network

What reduces the possibility that someone would be able to acquire raw data in plaintext?
Encryption

What uses robust tokens and requires multifactor verification, reducing unauthorized user access?
Strong authentication

What cloud service type: Cloud provider maintains physical security control of the facility and the cloud customer provides all other security
PaaS

What cloud service type: Cloud provider maintains infrastructure’s physical security and the cloud customer is responsible for access and administration.
SaaS

What cloud service type: Cloud provider is responsible for physical security of the facility and systems.
IaaS

Removing unnecessary services and libraries, closing unused ports, limiting administrator access, ensuring event logging is enabled, are examples of what?
hardening

Who facilitates the data access method:
The customer will provision, manage, and remove user accounts without input or cooperation with the cloud provider if the cloud customer retains control.
Customer directly administers access

Who facilitates the data access method:
The user submits a request to the provider, either directly or through some point of contact, the provider verifies and then assigns
Provider administers access on behalf of the customer

Who facilitates the data access method:
The user requests to a local administrator, and the administrator verifies the account and then assigns the appropriate access and permissions
Third-party administers access on behalf of the customer

How many SOC report categories are there?
3

What SOC report audits the financial reporting instruments of a corporation and consists of two subclasses?
SOC 1

What SOC report covers audits of controls on an organization’s security, availability, processing integrity, and privacy?
SOC 2

What SOC report contains no actual data about the security controls of the audit target and is also known as a seal of approval?
SOC 3

What helps the customer seek financial restitution for damages caused to them because of negligence or malfeasance on the part of the provider?
shared policy

In all cloud models, security controls are driven by what?
business requirements

What are 3 things the provider will offer to address shared monitoring and testing responsibilities in a cloud configuration?
SIM, SIEM, and SEM logs
DLP solution results
Access to audit logs and performance data

What would a cloud provider offer to customers to enhance customer trust in the provider?
Audit and performance log data

What are 3 examples that cloud provider would offer to enhance the customer’s trust?
Shared administration
SLAs
Audits

Who is responsible for the liability and responsibility for any data loss or disclosure?
Customer

What ensures trust in the provider’s performance and duties?
the contract

Why does a cloud provider not allow physical access to its datacenters?
To keep the physical layout and controls confidential

How many subtypes of SOC 2 are there?
2

What is SOC 2 Type 1?
Reviews the design of controls

What is SOC 2 Type 2?
Detailed report that describes how controls are implemented and maintained, or how they function

What term is used for moving an entire application to the cloud without any significant change?
forklifting

What are 4 examples of issues that developers and administrators must deal with?
multitenancy
third-party admins
deployment models(Public, Private, Community, Hybrid)
service models(IaaS, PaaS, and SaaS)

What are 5 common cloud application deployment pitfalls?
On-Premises Apps do not always transfer
poor documentation
not all apps are cloud ready
tenancy separation
use of secure, validated APIs, possible data bleed

What are the 4 core stages of cloud-secure development life cycle, in order?
Defining
Designing
Development
Testing

What is the focus in the definition phase?
business needs of the application are identified

What is the focus in the design phase?
overall design of the application, including look and language used

What is the focus in the development phase?
perform static and dynamic application security testing(DAST)

What is the focus in the testing phase?
penetration testing and vulnerability scanning against an application are performed

What is the focus in the disposal phase?
once the software has completed its job or replaced with a newer version, it must be securely discarded.

What are the 7 ISO/IEC 27034-1 standard categories?
Business Context
Regulatory Context
Technical Context
Specifications
Roles, Responsibilities, and Qualifications
Processes
Application Security Control (ASC) Library

What are the 3 key elements in ISO/IEC 27034-1?
organizational normative framework (ONF)
application normative framework (ANF)
application security management process (APSM).

What does IAM stand for and what two categories is IAM divided into?
Identity and Access Management

What is identity management?
process where individuals are given access to system resources by associating user rights with a given identity

What is access management?
part of the process that deals with controlling access to resources once they have been granted

What are 5 ways access management controls access?
authentication
authorization
policy management
federation
identity repositories

Within access management what does authentication do?
establishes an identity of user

What is an example of access management authentication?
username and password

What is an example of access management authorization?
comparing authentication with ACL

What is an example of access management policy management?
enforces authentication and authorization based on business needs and management decisions

What does access management federation do?
allows the exchange of information between trusted organizations

What are identity repositories?
directory services for the administration of user accounts and their associated attributes

What are all access management resources stored in?
identity repository directory

What are 5 examples of directory services?
X.500
LDAP
Active directory
Novell eDirectory
metadata and replication and synchronization

What are two general types of federation?
web-of-trust model
third-party identifier

What is a web of trust model?
each member of the federation has to approve each other member for inclusion

What is a third-party identifier?
outsource responsibilities to an external party.

Identity provider and relying parties are terms that apply to what concept?
federation

What are 3 federation standards?
WS-Federation
OAuth
OpenID Connect

What encryption technique ensures privacy when communicating between applications?
transport layer security(TLS)

What encrypts all of the system’s data at rest in one instance?
Whole-instance encryption

What encrypts only a partition instead of the entire disk?
volume encryption

What encrypts data transmission between servers?
secure sockets layer(SSL)

What does STRIDE stand for in threat modeling?
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege

What does SDLC stand for?
Software Development Life Cycle

What are 10 examples in threat modeling of common application vulnerabilities?
Injection
Broken Authentication
Cross-Site Scripting(XSS)
insecure direct object access
security misconfigurations
sensitive data exposure
missing function-level access control
cross-site request forgery(CSRF)
using components with known vulnerabilities
unvalidated redirects and forwards

What is white box testing?
The tester is using knowledge of the program’s internals.

What is black box testing?
The tester is testing without knowledge of the internals.

What are 4 cloud application assurance and validation methods?
Approved APIs
Secure code reviews
runtime application self-protection
securing open source software

What allows applications to consume web services from the application, to expand its capabilities?
approved APIs

What identifies and mitigates code in an application that exposes a potential vulnerability?
secure code reviews

What protects itself without human intervention and assists in the prevention of a successful attack?
runtime application self-protection

What allows users to make modifications that they choose in order to add or enhance the functionality?
securing open source software

What cloud model removes and reduces the authority and execution of security controls in the environment?
deployment model

What is SAML?
A standard for exchanging authentication and authorization data between security domains

What is the most widely used federation standard?
Security Assertion Markup Language(SAML)

What is an API?
A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool

What is SAST?
A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability

What is ONF?
A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization

What is data masking?
A method for creating similar but inauthentic datasets used for software testing and user training.

What are three descriptions of SOAP?
Reliant on XML
Standards-based
Works over numerous protocols

Normative Framework is a subset of what?
organizational normative framework

What does DAM stand for?
database activity monitoring

What are two types of DAMs?
Agent(Host)
Network(Network)

What is the purpose of ISO/IEC 27034-1?
Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security

What best describes DAST?
Test performed on an application or software product while it is being executed in memory in an operating system

What does DAST stand for?
Dynamic application security testing

What is sandboxing best used for?
To isolate untrusted code changes for testing in a nonproduction environment.

What best describes REST?
Lightweight and scalable

What are web application firewalls designed to protect against?
XSS and SQL injection

What best describes data masking?
Data masking is used to create a similar, inauthentic dataset used for training and software testing.

What is the industry standard for uptime in cloud service provision?
five nines(99.999)

What is power conditioning?
involves adjusting the voltage from the line

What are three techniques used for personnel redundancy?
cross-training
water
egress
lighting

How many Uptime Institute tiers are there?
four

What are the minimum requirements for a tier 1 datacenter?
dedicated space for IT systems
UPS system
cooling system
power generation for at least 12 hours

What is the appeal of a tier 1 datacenter?
cost

What are the characteristics of a tier 2 datacenter?
tier 1 requirements
no interrupted operations
personnel activity may cause downtime
unplanned failures of components or systems cause downtime

What are the characteristics of a tier 3 datacenter?
tier 2 requirements
dual power supplies for all IT systems
critical operations can continue without interruption
unplanned failures may cause downtime
planned maintenance may cause downtime

What are the characteristics of a tier 4 datacenter?
tier 3 requirements
multiple components of IT and electrical
multiple facilities
personnel activity will not cause downtime
scheduled maintenance will not cause downtime

What is security redundancy?
Multiple security controls protecting the same assets with various technology

What is personnel redundancy?
Multiple personnel who administer and support IT

What is power line redundancy?
communication lines are replicated on opposite sides of each building

What are two types of clustering?
Tightly
loosely

What is a tightly coupled cluster?
storage devices are directly connected to a shared physical backplane

What is a loosely coupled cluster?
each cluster is independent of the others, logically connected

What are two options for storage?
volume
object

What are four traits in a secure KVM?
secure data port
tamper label
soldered circuit board
air-gapped pushbutton

What is initial training?
personnel that join the organization

What is recurring training?
continual updating of security knowledge that builds on the fundamentals

What is refresher training?
personnel who need additional lessons

What does SAST stand for?
static application security testing

What is static application security testing?
direct review of source code comprising an application

What is dynamic application security testing?
reviews outcomes of the application; no information about the environment is provided

What term describes encrypted chunks of data?
data dispersion

What are 5 things monitored in a data center?
OS Logging
Hardware
Network
Temperature
Humidity

What tool is used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters?
OS logging

What is used to measure performance indicators such as CPU temperature, fan speed, and drive temperature?
hardware monitoring

What helps to check not only the hardware and the software but the distribution facets such as SDN control planes?
network monitoring

What are the 4 maintenance processes?
Upgrade
Update
Date
Implementation

What maintenance process describes the replacement or secure disposal of older elements for new ones?
upgrade

what maintenance process describes the vendors issuing the ongoing maintenance instructions?
Update

What maintenance process describes combining the benefits of both manual and automated approaches?
Date

What maintenance process describes the operator deciding which patch needs to be issued and when?
implementation

What is a baseline?
the minimum level of security and performance of a system in an organization

What are the four steps of change management in normal operations?
CMB meetings
CM Testing
deployment
documentation

What change management step reviews and analyzes change and exception requests?
change management board(CMB) meetings

What change management step takes place in an isolated sandbox network that mimics all the systems?
change management(CM) testing

What change management step makes modifications in accordance with appropriate guidance?
deployment

What change management step reflects all the modifications to the environment in the asset inventory?
documentation

Which BC/DR testing example describes how the participants would perform their tasks in a given BC/DR scenario?
tabletop testing

Which BC/DR testing example describes the organization’s responses during the test, performing some minimal actions?
dry run

Which BC/DR testing example detects the shortcomings in a plan and has the greatest impact on productivity?
full test

What BC/DR concept calculates how long an interruption in service will take to kill an organization?
maximum allowable downtime

What BC/DR concept measures the time it takes to recover operational capability after a service interruption?
recovery time objective

What BC/DR concept is the goal of limiting the loss of information from an unplanned event?
recovery point objective

What are 5 items included in a BC/DR plan?
circumstances under which an event or disaster is declared
List of assets inventoried deemed critical
actions, tasks, and activities
who is authorized to make the declaration
essential points of contact

What are three essential BC/DR concepts?
MAD(maximum allowable downtime)
RTO(recovery time objective)
RPO(recovery point objective)

T/F: During maintenance mode you must initiate enhanced security controls.
False

What allows a localized incident or disaster to be addressed in a cost-effective manner?
joint operating agreements

What tool can reduce confusion and misunderstanding during a BC/DR response?
checklist

What are the three general bodies of law in the United States?
criminal law
civil law
administrative law

What is the specialized body of law unique to the United States military?
Uniform code of military justice (UCMJ)

What involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes?
criminal law

Who creates statutes?
Federal, state, and local legislatures

Where in the world can you be prosecuted for criminal violations and held liable for whatever damages result from a data breach?
European Union(EU)

Which of the three general bodies of law in the United States deals with personal and community-based law?
civil law

What is an agreement between parties to engage in some specified activity, usually for mutual benefit?
Contracts

What are 4 contracts that you should be familiar with?
service-level agreements
privacy-level agreements
operational-level agreement
payment card industry data security standards contracts

What does SLA mean?
service-level agreement

What does PLA mean?
privacy-level agreements

What does OLA mean?
operational-level agreement

What does PCI DSS stand for?
Payment Card Industry Data Security Standard

What refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed as a result of wrongful acts by others?
Tort law

What are laws created by executive decision and function?
administrative law

What term describes intangible assets that are the property of the mind, also known as ideas?
intellectual property

What term describes the protection of expressions of ideas?
copyrights

What protection is for intellectual property used to immediately identify a brand?
trademarks

What do patents protect?
formulas
processes
patterns
inventions
plants

What term describes a court acknowledging the ownership of private business materials, such as client lists, processes, recipes?
trade secrets

What term is used to describe the processes associated with determining what legal jurisdiction will hear a dispute when one occurs?
doctrine of the proper law

What refers to a collation of developments in common law that help the courts keep up with changes?
restatement (second) conflict of law

What law enhances the laws restricting the government from putting wiretaps on phone calls, updating them to include electronic communication in the form of data?
the electronic communication privacy act(ECPA)

What law restricts the government from forcing ISPs to disclose customer data the ISP might possess?
The stored communications act

What law allows banks to merge with and own insurance companies?
Gramm-Leach-Bliley Act(GLBA)

What law increases transparency into publicly traded corporations’ financial activities. Includes provisions for securing data and expressly names the traits of confidentiality, integrity, and availability?
Sarbanes-Oxley Act(SOX)

What law protects patient records and data, known as electronic protected health information?
Health insurance portability and accountability act(HIPAA)

What law prevents academic institutions from sharing student data with anyone other than parents of students?
family educational rights and privacy act(FERPA)

What law updates copyright provisions to protect owned data in an internet-enabled world, makes cracking of access controls on copyrighted media a crime, and enables copyright holders to require any site on the internet to remove content that may belong to the copyright holder?
The digital millennium copyright act(DMCA)

Who administers GLBA?
FDIC
FFIEC

Who administers SOX?
SEC

Who administers FERPA?
department of education

What is the only country that has no federal law ensuring individual personal privacy?
United States

What is the first major EU data privacy law?
EU Data Protection Directive 95/26 EC

What are the seven principles of the EU Data Protection Directive?
Notice
Choice
Purpose
Access
Integrity
Security
Enforcement

What EU data directive principle says “the individual must be informed that personal information about them is being gathered or created”?
notice

What EU data directive principle addresses every individual can choose whether to disclose their personal information?
choice

What EU data directive principle says an individual must be told the specific use the information will be put to?
purpose

What EU data directive principle states the individual is allowed to get copies of any of their own information held by an entity?
access

What EU data directive principle states the individual must be allowed to correct any of their own information if it is inaccurate?
integrity

What EU data directive principle states any entity holding an individual’s personal information is responsible for protecting that information and is ultimately liable for any unauthorized disclosure of that data?
security

What EU data directive principle states that all entities that have any personal data of any EU citizen understand that they are subject to enforcement actions by the EU authorities?
enforcement

What is a data subject?
This is the person whose data is being stored.

What is a data controller?
This is the person who has overall control over all the Information/Data.

What is a data processor?
Performing any manipulation, storage or transmission of PII

What does PIPEDA stand for?
Personal Information Protection and Electronic Documents Act

What act conforms to the EU Data Directive and Privacy Regulation?
PIPEDA

What personal privacy principle informs an individual that personal information about them is being gathered or created?
notice

What personal privacy principle includes whether the information will be shared with any other entity?
purpose

What personal privacy principle allows an individual to get copies of any of their own information held by any entity?
access

What personal privacy principle allows an individual to correct any of their own information if it is inaccurate?
integrity

What is the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes?
eDiscovery

What are the 5 ISO/IEC standards for international digital forensics?
27037:2012
27041:2015
27042:2015
27043:2015
27050-1:2016

What ISO/IEC standard is a guide for collecting, identifying, and preserving electronic evidence?
27037:2012

What ISO/IEC standard is a guide for incident investigations?
27041:2015

What ISO/IEC standard is a guide for digital evidence analysis?
27042:2015

What ISO/IEC standard covers incident investigation principles and processes?
27043:2015

What ISO/IEC standard gives an overview of and principles for eDiscovery?
27050-1:2016

What identifier consists of the characteristics and traits of an individual that could reveal the identity of that person?
indirect

What identifier could reveal a specific individual with specific data elements?
direct

What is the purpose of gap analysis?
To begin the benchmarking process

What is the best example of a key component of regulated PII?
Mandatory breach reporting

What is the least challenging part of eDiscovery in the cloud?
Forensic analysis

What statute addresses security and privacy matters in the financial industry?
GLBA

What does the doctrine of proper law refer to?
How jurisdictional disputes are settled

What is the best advantage of external audits?
Independence

What SOC report subtype represents a point in time?
Type I

What is not associated with HIPAA controls?
financial controls

What is the key component of GLBA?
information security program

T/F: The value of data is a component of contractual PII
False

What is the primary purpose of an SOC 3 report?
Seal of approval

T/F: SAS 70 report is no longer being used
True

What law refers to the basis for deciding which laws are most appropriate in a situation where conflicting laws exist?
The restatement (second) conflict of law

GAAPs are created and maintained by which organization?
AICPA

What was enacted because of poor financial controls, lack of independent audits, and poor BOD oversight?
SOX

What SOC subtype represents a period of time
Type II

What guides an organization, based on standards and guidelines?
policies

what describes items that will be the first things that let you know something is inappropriate?
key risk indicator(KRI)

What explains how an organization views risk when their tolerance increases or decreases?
risk appetite/tolerance

What includes a survey of the various operations an organization is engaged in, its public perception, and pending legislation?
risk profile

What is an individual in an organization who determines the organization’s overall risk profile?
risk owner and player

What four choices do organizations have when faced with risk?
avoidance
acceptance
transference
mitigation

Which of the four risk choices is a response rather than a mitigation method, used when the cost of an activity outweighs its benefit?
avoidance

What risk mitigation method involves minimal risk and high reward?
acceptance

What risk mitigation method involves an organization only managing a fractional portion of the risk, also known as insurance?
transference

What risk mitigation method involves the use of controls and countermeasures?
mitigation

What are three risk management frameworks within the CCSP exam?
ISO 31000:2009
NIST 800-37
ENISA

What risk management framework is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices?
ISO 31000:2009

What is a guide for implementing the risk management framework, which is a methodology for handling all organizational risk in a comprehensive manner?
NIST SP 800-37

What is a standard and model developed in Europe, which is responsible for producing cloud computing benefits, risks, and recommendations for information security?
ENISA

What refers to only departments or business units impacted by any cloud engagement?
scoping

What ISO/IEC number is associated with the common criteria assurance framework?
15408-1:2009

What are five examples of common supply chain risks?
financial instability of provider
single points of failure
data breaches
malware infestations
data loss

What provides an independent level of program assurance for cloud consumers?
CSA Security, Trust, and Assurance Registry(STAR)

What are two components of the CSA Security, Trust, and Assurance Registry (STAR) program?
CCM
CAIQ

What is a list of security controls and principles appropriate for cloud environment, cross-referenced to other control frameworks?
Cloud controls matrix(CCM)

What is the self-assessment performed by cloud providers, detailing their evaluation of the practice areas and control groups they use in providing their services, called?
consensus assessments initiative questionnaire (CAIQ)

How many levels are in the CSA STAR program?
3

What are the three levels of the CSA STAR program? (In order)
Self-assessment
Attestation
Continuous monitoring

What CSA STAR level requires the release and publication of due diligence assessments against the CSA’s CCM?
self-assessment

What CSA STAR level requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM and ISO 27001:2013 or an AICPA SOC2?
attestation

What CSA STAR level requires the release and publication of results related to the security properties of monitoring based on the cloudTrust Protocol?
continuous monitoring

What framework states “the primary goal is to ensure customers that security products they purchase have been thoroughly tested by independent third-party testers and meet the requirements the customer has specified?”
common criteria assurance

What cloud computing term describes the main characteristics relevant to cloud computing and its customers?
cloud computing certification

What framework identifies the top 8 security risks based on likelihood and impact?
ENISA

What are the ENISA top 8 security risks based on likelihood and impact?
loss of governance
lock-in
isolation failure
compliance risk
management interface failure
data protection
malicious insider
insecure or incomplete data deletion

What is the title of a person who is supposed to provide safe custody, transport, and storage of data, and implementation of business rules?
data custodian

What ISO standard refers to addressing security risks in a supply chain?
ISO/IEC 28000:2007

Which phase of the cloud data lifecycle allows both read and process functions to be performed?
Create

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?
Format-preserving encryption

Which encryption technique connects the instance to the encryption instance that handles all crypto operations?
Proxy

Which type of control should be used to implement custom controls that safeguard data?
Application level

A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken?
The application stores the token

A company has recently defined classification levels for its data. During which phase of the cloud data life cycle should this definition occur?
Create

How is the compliance of the cloud service provider’s legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud?
Third party audits and attestations

Which security strategy is associated with data rights management solutions?
Continuous auditing

What is a key capability of security information and event management?
Centralized collection of big data

A security analyst is investigating an incident of access to a resource from an unauthorized location. Which data source should the security analyst use to investigate the incident?
Packet capture file

Which message type is generated from software systems to troubleshoot and identify problems with running application codes?
Debug

Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring?
Cloud access security broker (CASB)

Which cloud model provides data location assurance?
Private

Which technology allows an organization to control access to sensitive documents stored in the cloud?
Digital rights management

How do immutable workloads affect security overhead?
They reduce the management of the host

Which design principle of secure cloud computing ensures that users can utilize data and applications from around the globe?
Broad network access

Which standard addresses practices related to acquisition of forensic artifacts and can be directly applied to a cloud environment?
ISO/IEC 27050-1

Which technology allows an administrator to remotely manage a fleet of servers?
Management plane

What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks?
Management plane

Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems?
Applying the steps of a cloud software development life cycle

Which element is a cloud virtualization risk?
Guest isolation

The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization. Which standard should be applied?
ISO 27050-1

Which detection and analysis technique is performed to capture a point-in-time picture of the entire stack at the time of an incident?
Create a snapshot using API calls

A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm. Who is the CSP legally required to notify?
Information commissioner

A CSP provides services in European Union (EU) countries that are subject to the network information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided. Who is the CSP required to notify under the NIS directive?
Competent authorities

A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident. Which action facilitates this type of communication?
Using existing open standards

Which issue can be detected with static application security testing (SAST)?
Threading

Which problem is known as a common supply chain risk?
Data breaches

Which method should the cloud consumer use to secure the management plane of the cloud service provider?
Credential management

Which technology improves the ability of the transport layer security (TLS) to ensure privacy when communicating between applications?
Advanced application-specific integrated circuits (ASICs)

Which type of cloud deployment model is considered equivalent to a traditional IT architecture?
Private

Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy (CSP)?
Technological controls

Which countermeasure mitigates the risk of a rogue cloud administrator?
Logging and monitoring

Which cloud security control eliminates the risk of a virtualization guest escape from another tenant?
Dedicated hosting

Which data retention policy controls how long health insurance portability and accountability act (HIPAA) data can be archived?
Application regulation

Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan?
Level of resiliency

Where should the location be for the final data backup repository in the event that the disaster recovery plan is enacted for the CSP of a disaster recovery (DR) service?
Cloud platform

An architect needs to constrain problems to a level that can be controlled when the problem exceeds the capabilities of disaster recovery (DR) controls. Which aspect of the plan will provide this guarantee?
Handling provider outages

Which standard addresses the privacy aspects of cloud computing for consumers?
ISO 27018:2014

Which international standard guide provides procedures for incident investigation principles and processes?
ISO/IEC 27043:2015

Which group is legally bound by the general data protection regulation (GDPR)?
Only corporations that process the data of EU citizens

Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?
Reporting to the supervisory authority

Why is eDiscovery difficult in the cloud?
The client lacks the credentials to access the required data

Which artifact may be required as a data source for a compliance audit in a cloud environment?
Change management details

A business is concerned about the usage of its third-party provided, leased cloud resources. Which audit process should be used to investigate this concern?
Review traffic logs for the leased cloud resources

Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties?
Native production

Which type of control is important in order to achieve compliance for risk management?
Security

The Chef configuration management tool is for what?
Managing infrastructure

Database activity monitoring (DAM) is what layer?
Layer 7

Adding or replacing characters to protect information is what?
Masking

A top-down approach for addressing and managing risk in an organization is what?
Information security management system (ISMS)

ISO 31000:2009
Design, implementation, and management

Who is responsible for provisioning, managing, and delivering cloud services?
Cloud service manager

NIST 800-92
Log management

ISO 27017
Cloud specific security controls

ISO/IEC 27034-1
Application security management process (ASMP) to manage and maintain each application normative framework (ANF)

CCSL
Cloud certification schemes list

SSAE 16 replaced what?
SAS 70

IaaS uses what storage?
Volume or Object

CCM does what?
Assists cloud customers with assessing overall risk of a CSP

Data sliced into “chunks” that are encrypted along with parity bits on various drives is what?
Data dispersion

KMS
Key management service

API reliant on XML
SOAP

API for web services
REST

Encrypting a volume or folder in database
File-level encryption

Authentication in federated identity environments
SAML

Microsoft threat model
DREAD

Threat model with quantitative value
DREAD

“Which phase of the cloud data lifecycle allows both read and process functions to be performed?
(A) Share
(B) Store
(C) Create
(D) Archive”
Create

“Which phase of the cloud data security lifecycle typically occurs simultaneously with creation?
(A) Use
(B) Share
(C) Store
(D) Destroy”
Store

“Which phase of the cloud data life cycle uses content delivery networks?
(A) Share
(B) Create
(C) Destroy
(D) Archive”
Share

“Which phase of the cloud data life cycle is associated with crypto-shredding?
(A) Use
(B) Store
(C) Share
(D) Destroy”
Destroy
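
The two cards on data dispersion (ciphertext sliced into chunks with parity across several drives) and on crypto-shredding in the Destroy phase fit together, so here is one added worked example that is not part of the original page or any exam material: a record is encrypted under a per-object data key, dispersed into three data chunks plus one XOR parity chunk, rebuilt after one "drive" is lost, and finally rendered unrecoverable by deleting the key rather than the ciphertext. The stream cipher (an HMAC-SHA256 keystream in counter mode) is a stand-in for AES-GCM so the block runs on the standard library only; it is not a production cipher. The names KeyEscrow, disperse, reassemble and the sample record are assumptions made for illustration.

```python
"""Added example: data dispersion with XOR parity over encrypted chunks,
then crypto-shredding by destroying the per-object key.
The HMAC-based stream cipher is an illustrative stand-in for AES-GCM."""
import hashlib
import hmac
import secrets
from functools import reduce


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream: block_i = HMAC(key, nonce || i).
    XOR is its own inverse, so one function encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _xor_columns(chunks):
    """Byte-wise XOR of equal-length chunks (used for parity and recovery)."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*chunks))


def disperse(ciphertext: bytes, n_data: int):
    """Split into n_data equal chunks (zero-padded) plus one XOR parity
    chunk; any single missing chunk can be rebuilt from the others."""
    size = -(-len(ciphertext) // n_data)  # ceiling division
    padded = ciphertext.ljust(size * n_data, b"\0")
    chunks = [padded[i * size:(i + 1) * size] for i in range(n_data)]
    return chunks + [_xor_columns(chunks)]


def reassemble(chunks, n_data: int, length: int) -> bytes:
    """chunks holds n_data data chunks plus parity, with at most one None
    (the lost drive). Returns the original ciphertext."""
    chunks = list(chunks)
    missing = [i for i, c in enumerate(chunks) if c is None]
    if len(missing) > 1:
        raise ValueError("single-parity dispersion tolerates only one loss")
    if missing:
        chunks[missing[0]] = _xor_columns([c for c in chunks if c is not None])
    return b"".join(chunks[:n_data])[:length]


class KeyEscrow:
    """Per-object data keys. Crypto-shredding is deleting the key: the
    ciphertext may stay on every drive and backup, yet is unreadable."""

    def __init__(self):
        self._keys = {}

    def new_key(self, object_id: str) -> bytes:
        self._keys[object_id] = secrets.token_bytes(32)
        return self._keys[object_id]

    def get(self, object_id: str) -> bytes:
        return self._keys[object_id]  # KeyError once shredded

    def shred(self, object_id: str) -> None:
        self._keys.pop(object_id, None)


def store_and_recover_demo():
    """Returns (round_trip_ok, key_still_present) after a lost drive and a shred."""
    record = b"constructed sample: account 12345, balance 9001"  # constructed input
    escrow = KeyEscrow()
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(escrow.new_key("rec-1"), nonce, record)
    drives = disperse(ct, n_data=3)  # 3 data chunks + 1 parity on 4 "drives"
    drives[1] = None  # simulate losing one drive
    recovered = keystream_xor(escrow.get("rec-1"), nonce, reassemble(drives, 3, len(ct)))
    escrow.shred("rec-1")  # Destroy phase: key gone, ciphertext untouched
    try:
        escrow.get("rec-1")
        key_present = True
    except KeyError:
        key_present = False
    return recovered == record, key_present


if __name__ == "__main__":
    print(store_and_recover_demo())  # expected: (True, False)
```

Single parity tolerates one lost chunk; real dispersal systems use Reed-Solomon style erasure codes to survive several. The point for the exam cards is the order: encrypt first, so that no single drive holds readable data, and shred by destroying the key, so that every replica and backup dies at once.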

“Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security?
(A) Obfuscation
(B) Tokenization
(C) Anonymization
(D) Randomization”
Tokenization

“Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model?
(A) Sandbox encryption
(B) Client-side encryption
(C) Polymorphic encryption
(D) Whole-instance encryption”
Whole-instance encryption

“There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms. Which platform as a service (PaaS) data type should be used?
(A) Structured
(B) Unstructured
(C) Long-term storage
(D) Short-term storage”
Structured

“Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files?
(A) Block
(B) Object
(C) Distributed
(D) Relational database”
Object

“Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?
(A) Tokenization
(B) Dynamic masking
(C) Proxy-based encryption
(D) Format-preserving encryption”
Format-preserving encryption

“Which encryption technique connects the instance to the encryption instance that handles all crypto operations?
(A) Proxy
(B) Database
(C) Server-side
(D) Externally managed”
Proxy

“Which type of control should be used to implement custom controls that safeguard data?
(A) Application level
(B) Management plane
(C) Options for access
(D) Public and internal sharing”
Application level

“Which element is protected by an encryption system?
(A) Data
(B) Public key
(C) Ciphertext
(D) Management engine”
Data

“A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data.
Which step should occur immediately before this action is taken?
(A) The application collects a token.
(B) The application stores the token.
(C) The tokenization server generates the token.
(D) The tokenization server returns the token to the application.”
(B) The application stores the token
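
The tokenization question above turns on the order of operations between the application and the tokenization server, and the earlier masking card ("adding or replacing characters to protect information") is the display-side counterpart. The following is an added example, not code from the original page or any exam material: a minimal in-memory tokenization server (TokenVault) and a client application (PaymentApp) that submits the sensitive value, receives a random token, stores only the token, and later makes an authorized detokenization request; a masking helper shows the value being presented without either the token or the vault. Class names, the sample card number and the token format are assumptions made for illustration.

```python
"""Added example: tokenization request flow plus display masking.
Tokens are random and unrelated to the original value; the mapping
exists only inside the tokenization server."""
import secrets


class TokenVault:
    """Stand-in tokenization server with an allow-list of applications."""

    def __init__(self, authorized_apps):
        self._store = {}    # token -> sensitive value
        self._reverse = {}  # value -> token, so re-tokenizing is stable
        self._authorized = set(authorized_apps)
        self.audit = []     # (app_id, operation, allowed)

    def _check(self, app_id: str, op: str) -> None:
        allowed = app_id in self._authorized
        self.audit.append((app_id, op, allowed))
        if not allowed:
            raise PermissionError(f"{app_id} is not authorized to {op}")

    def tokenize(self, app_id: str, value: str) -> str:
        """Step 2 and 3 of the flow: generate the token and return it."""
        self._check(app_id, "tokenize")
        if value in self._reverse:
            return self._reverse[value]
        token = "tok_" + secrets.token_hex(8)  # no mathematical link to value
        self._store[token] = value
        self._reverse[value] = token
        return token

    def detokenize(self, app_id: str, token: str) -> str:
        """Authorized request to recover the value for processing."""
        self._check(app_id, "detokenize")
        if token not in self._store:
            raise KeyError("unknown token")
        return self._store[token]


def mask_for_display(value: str, keep: int = 4, fill: str = "*") -> str:
    """Masking: replace all but the last `keep` characters."""
    if len(value) <= keep:
        return value
    return fill * (len(value) - keep) + value[-keep:]


class PaymentApp:
    """Stand-in application whose own database holds tokens, never the PAN."""

    def __init__(self, app_id: str, vault: TokenVault):
        self.app_id = app_id
        self.vault = vault
        self.db = {}  # customer -> token

    def store_card(self, customer: str, pan: str) -> str:
        token = self.vault.tokenize(self.app_id, pan)  # step 1: submit the PAN
        self.db[customer] = token                      # step 4: store the token
        return token

    def charge(self, customer: str) -> str:
        """Step 5: the authorized request that the question asks about."""
        return self.vault.detokenize(self.app_id, self.db[customer])

    def show_card(self, customer: str) -> str:
        """Display path uses masking; it never needs the vault at all."""
        pan = self.charge(customer)
        return mask_for_display(pan)


if __name__ == "__main__":
    vault = TokenVault(authorized_apps=["payments"])
    app = PaymentApp("payments", vault)
    token = app.store_card("alice", "4111111111111111")  # constructed sample PAN
    print(token, app.show_card("alice"))
```

The thing to notice is what compromises what: a dump of PaymentApp's database yields only tokens, and a stolen token is useless without an authorized session to the vault, which is why access control and audit on the detokenize path matter more than the token format itself.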

“A company has recently defined classification levels for its data. During which phase of the cloud data life cycle should this definition occur?
(A) Use
(B) Share
(C) Create
(D) Archive”
Create

“Which jurisdictional data protection includes dealing with the international transfer of data?
(A) Privacy regulation
(B) Financial modernization
(C) Sarbanes-Oxley act (SOX)
(D) Secure choice authorization (SCA)”
Privacy Regulation

“Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals?
(A) Sarbanes-Oxley act (SOX)
(B) Gramm-Leach-Bliley act (GLBA)
(C) Stored communications act (SCA)
(D) Health insurance portability and accountability act (HIPAA)”
Gramm-Leach-Bliley act (GLBA)

“Which jurisdictional data protection safeguards protected health information (PHI)?
(A) Directive 95/46/EC
(B) Safe harbor regime
(C) Personal Data Protection Act of 2000
(D) Health Insurance Portability and Accountability Act (HIPAA)”
Health Insurance Portability and Accountability Act (HIPAA)

“How is the compliance of the cloud service provider’s legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud?
(A) E-discovery process
(B) Contractual agreements
(C) Researching data retention laws
(D) Third-party audits and attestations”
Third-party audits and attestations

“Which security strategy is associated with data rights management solutions?
(A) Static policy control
(B) Continuous auditing
(C) Unrestricted replication
(D) Limited documents type support”
Continuous auditing

“Who retains final ownership for granting data access and permissions in a shared responsibility model?
(A) Analyst
(B) Manager
(C) Customer
(D) Developer”
Customer

“Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data?
(A) Saving
(B) Backup
(C) Caching
(D) Archiving”
Archiving

“Which data retention method is stored with a minimal amount of metadata storage with the content?
(A) File system
(B) Redundant array
(C) Block-based
(D) Object-based”
Block-based

“What is a key capability of security information and event management?
(A) Secure remote access
(B) Intrusion prevention capabilities
(C) Automatic remediation of issues
(D) Centralized collection of log data”
Centralized collection of log data

“Which data source provides auditability and traceability for event investigation as well as documentation?
(A) Storage files
(B) Packet capture
(C) Database tables
(D) Network interference”
Packet Capture

“Which data source provides auditability and traceability for event investigation as well as documentation?
(A) Database schema
(B) Ephemeral storage
(C) Network segmentation
(D) Virtualization platform logs”
Virtualization platform logs

“Which technology is used to manage identity access management by building trust relationships between organizations?
(A) Federation
(B) Single sign-on
(C) Biometric authentication
(D) Multifactor authentication”
Federation

“Which term describes the action of confirming identity access to an information system?
(A) Access
(B) Concept
(C) Coordination
(D) Authentication”
Authentication

“Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring?
(A) Data loss prevention (DLP)
(B) Web application firewall (WAF)
(C) Content delivery network (CDN)
(D) Cloud access security broker (CASB)”
Cloud access security broker (CASB)

“Which cloud computing technology unlocks business value through digital and physical access to maps?
(A) Multitenancy
(B) Cloud application
(C) On-demand self-service
(D) Application programming interface”
Application Programming interface

“Which cloud computing tool may help detect data migrations to cloud services?
(A) Cloud data transfer
(B) Data loss prevention
(C) Cloud security gateways
(D) Uniform resource locator (URL) Filtering”
(B) Data loss prevention

“What is a key component of the infrastructure as a service (IaaS) cloud service model?
(A) High reliability and resilience
(B) Allows choice and reduces lock-in
(C) Ease of use and limited administration
(D) Supports multiple languages and frameworks”
High reliability and resilience

“What is a key capability of infrastructure as a service (IaaS)?
(A) Multiple hosting environments
(B) Hosted application management
(C) Converged network and IT capacity pool
(D) Leased application and software licensing”
Converged network and IT capacity pool

“Which option should an organization choose if there is a need to avoid software ownership?
(A) Software as a service (SaaS)
(B) Platform as a service (PaaS)
(C) Containers as a service (CaaS)
(D) Infrastructure as a service (IaaS)”
Software as a service (SaaS)

“Which cloud model offers access to a pool of fundamental IT resources such as computing, networking, or storage?
(A) Data
(B) Platform
(C) Application
(D) Infrastructure”
Infrastructure

“In which situation could cloud clients find it impossible to recover or access their own data if their cloud provider goes bankrupt?
(A) Multicloud
(B) Multitenant
(C) Vendor lock-in
(D) Vendor lock-out”
Vendor lock-out

“Which cloud deployment model is operated for a single organization?
(A) Private
(B) Public
(C) Hybrid
(D) Consortium”
Private

“Which cloud model provides data location assurance?
(A) Hybrid
(B) Public
(C) Private
(D) Community”
Private

“Which cloud model allows the consumer to have sole responsibility for management and governance?
(A) Hybrid
(B) Public
(C) Private
(D) Community”
Private

“Which technology allows an organization to control access to sensitive documents stored in the cloud?
(A) Digital rights management (DRM)
(B) Database activity monitoring (DAM)
(C) Identity and access management (IAM)
(D) Distributed resource scheduling (DRS)”
Digital Rights Management (DRM)

“Which security technology can provide secure network communications from on-site enterprise systems to a cloud platform?
(A) Web application firewall (WAF)
(B) Data loss prevention (DLP)
(C) Domain name system security extensions (DNSSEC)
(D) Internet protocol security (IPSec) virtual private network (VPN)”
Internet protocol security (IPSec) virtual private network (VPN)

“How do immutable workloads affect security overhead?
(A) They reduce the management of the hosts.
(B) They create patches for a running workload.
(C) They restrict the amount of instances in a cluster.
(D) They automatically perform vulnerability scanning as they launch.”
They reduce the management of the hosts

“Which document addresses CSP issues such as guaranteed uptime, liability, penalties, and dispute mediation process?
(A) Service level agreement (SLA)
(B) Service organization control 3 (SOC 3)
(C) General data protection regulation (GDPR)
(D) Common criteria assurance framework (CC)”
Service level agreement (SLA)

“Which design principle of secure cloud computing ensures that the business can resume essential operations in the event of an availability-affecting incident?
(A) Access control
(B) Resource pooling
(C) Disaster recovery
(D) Session management”
Disaster recovery

“Which design principle of secure cloud computing ensures that users can utilize data and applications from around the globe?
(A) Scalability
(B) Portability
(C) Broad network access
(D) On-demand self-service”
Broad network access

“Which design principle of secure cloud computing involves deploying cloud service provider resources to maximize availability in the event of a failure?
(A) Elasticity
(B) Resiliency
(C) Clustering
(D) Scalability”
Resiliency

“Which item should be part of the legal framework analysis if a company wishes to store prescription drug records in a SaaS solution?
(A) U.S. Patriot Act
(B) Sarbanes-Oxley Act
(C) Federal Information Security Modernization Act
(D) Health Insurance Portability and Accountability Act”
Health Insurance Portability and Accountability Act

“Which standard addresses practices related to acquisition of forensic artifacts and can be directly applied to a cloud environment?
(A) ISO/IEC 27001
(B) ISO/IEC 27050-1
(C) NIST SP 500-291
(D) NIST SP 800-145”
ISO/IEC 27050-1

“Which regulation in the United States defines the requirements for a CSP to implement and report on internal accounting controls?
(A) SOX
(B) GDPR
(C) HIPAA
(D) FERPA”
SOX

“Which legislation must a trusted cloud service adhere to when utilizing the data of EU citizens?
(A) SOX
(B) APPI
(C) GDPR
(D) EMTALA”
GDPR

“Which logical design decision can be attributed to required regulation?
(A) Retention formats
(B) Retention periods
(C) Database reads/second
(D) Database writes/second”
Retention periods

“Which service model influences the logical design by using additional measures in the application to enhance security?
(A) Public cloud
(B) Hybrid cloud
(C) Platform as a service (PaaS)
(D) Software as a service (SaaS)”
Software as a service (SaaS)

“Which environmental consideration should be addressed when planning the design of a data center?
(A) Heating and ventilation
(B) Utility power availability
(C) Expansion possibilities and growth
(D) Telecommunications connections”
Heating and ventilation

“Which result is achieved by removing all nonessential services and software of devices for secure configuration of hardware?
(A) Patching
(B) Lockdown
(C) Hardening
(D) Maintenance”
(C) Hardening

“What is a component of device hardening?
(A) Patching
(B) Unit testing
(C) Versioning
(D) Configuring VPN access”
Patching

“Which technology typically provides security isolation in infrastructure as a service (IaaS) cloud computing?
(A) Virtual machines
(B) Operating systems
(C) Application instance”
Virtual machines

“Which technology can an administrator use to remotely manage a fleet of servers?
(A) Bastion host
(B) Management plane
(C) VPN concentrator
(D) KVM switch”
(B) Management plane

“What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks?
(A) Management plane
(B) Database management
(C) Identity access management
(D) Management orchestration software”
Management plane

“Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems?
(A) Applying the steps of a cloud software development lifecycle
(B) Providing developer access to supporting components and services
(C) Outsourcing the infrastructure and integration platform management
(D) Verifying the application has an appropriate level of confidentiality and integrity”
Applying the steps of a cloud software development lifecycle

“Which type of agreement aims to negotiate policies with various parties in accordance with the agreed-upon targets?
(A) User license (ULA)
(B) Service-level (SLA)
(C) Privacy-level (PLA)
(D) Operation-level (OLA)”
Service-level (SLA)

“Which regulation requires a CSP to comply with copyright law for hosted content?
(A) SOX
(B) SCA
(C) GLBA
(D) DMCA”
DMCA
Digital Millennium Copyright Act

“Which element is a cloud virtualization risk?
(A) Licensing
(B) Jurisdiction
(C) Guest isolation
(D) Electronic discovery”
Guest isolation

“Which risk is related to interception of data in transit?
(A) Virtualization
(B) Traffic blocking
(C) Man-in-the-middle
(D) Software vulnerabilities”
Man-in-the-middle

“Which method is being used when a company evaluates the acceptable loss exposure associated with a cloud solution for a given set of objectives and resources?
(A) Risk appetite
(B) Risk management
(C) Business impact analysis
(D) Business continuity planning”
Risk appetite

“The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization.
Which standard should be applied?
(A) Sarbanes-Oxley act (SOX)
(B) Cloud controls matrix (CCM)
(C) International electrotechnical commission (IEC) 27037
(D) International organization for standardization (ISO) 27050-1”
International organization for standardization (ISO) 27050-1

“Which detection and analysis technique is performed to capture a point-in-time picture of the entire stack at the time of an incident?
(A) Review data access logs
(B) Examine configuration data
(C) Collect metadata during alert
(D) Create a snapshot using API calls”
Create a snapshot using API calls

“A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm. Who is the CSP legally required to notify?
(A) Cloud Security Alliance
(B) Information commissioner
(C) Australian privacy foundation
(D) Asian-Pacific privacy control board”
Information commissioner

“A CSP provides services in European Union (EU) countries that are subject to the network information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided.
Who is the CSP required to notify under the NIS directive?
(A) Competent authorities
(B) Data protection regulator
(C) Provider’s services suppliers
(D) Personal Information Protection Commission”
Competent authorities

“A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident.
Which action facilitates this type of communication?
(A) Using existing open standards
(B) Incorporating checks on API calls
(C) Identifying key risk indicators (KRIs)
(D) Performing a vulnerability assessment”
Using existing open standards

“Which security control does the software as a service (SaaS) model require as a shared responsibility of all parties involved?
(A) Data
(B) Platform
(C) Application
(D) Infrastructure”
Application

“Which description characterizes the application programming interface (API) format known as representational state transfer (REST)?
(A) Tolerates errors at a high level
(B) Supports only extensible markup language (XML)
(C) Delivers a slower performance with complex scalability
(D) Provides a framework for developing scalable web applications”
Provides a framework for developing scalable web applications

“Which issue occurs when a web browser is sent data without proper validation?
(A) Cross-site scripting (XSS)
(B) Cross-site request forgery (CSRF)
(C) Insecure direct object access (IDOA)
(D) Lightweight directory access protocol (LDAP) injection”
Cross-site scripting (XSS)

“Which security testing approach is used to review source code and binaries without executing the application?
(A) Fuzz testing
(B) Regression testing
(C) Static application security testing
(D) Dynamic application security testing”
Static application security testing

“Which issue can be detected with static application security testing (SAST)?
(A) Malware
(B) Threading
(C) Authentication
(D) Performance”
Threading

“Which approach is considered a black-box security testing method?
(A) Source code review
(B) Binary code inspection
(C) Static application security testing
(D) Dynamic application security testing”
Dynamic application security testing

“Which primary security control should be used by all cloud accounts, including individual users, in order to defend against the widest range of attacks?
(A) Perimeter security
(B) Logging and monitoring
(C) Redundant infrastructure
(D) Multi-factor authentication”
Multi-factor authentication

“Which cloud infrastructure is shared by several organizations and supports a specific population that has shared concerns (e.g., mission, security requirements, policy, compliance considerations)?
(A) Hybrid
(B) Public
(C) Private
(D) Community”
Community

“Which problem is known as a common supply chain risk?
(A) Data breaches
(B) Domain spoofing
(C) Source code design
(D) Runtime application self-protection”
Data breaches

“Which phase of the software development life cycle includes determining the business and security requirements for the application to occur?
(A) Testing
(B) Defining
(C) Designing
(D) Developing”
Defining

“Which phase of the software development life cycle includes writing application code?
(A) Defining
(B) Designing
(C) Developing
(D) Implementing”
Developing

“Which method should the cloud consumer use to secure the management plane of the cloud service provider?
(A) Credential management
(B) Network access control list
(C) Agent-based security tooling
(D) Disablement of management plane”
Credential management

“Which security threat occurs when a developer leaves an unauthorized access interface within an application after release?
(A) Easter egg
(B) Deprecated API
(C) Persistent backdoor
(D) Development operations”
Persistent backdoor

“Which process prevents the environment from being over-controlled by security measures to the point where application performance is impacted?
(A) Private cloud
(B) Community cloud
(C) Quality of service (QoS)
(D) Trusted cloud initiative (TCI)”
Quality of service (QoS)

“Which open web application security project (OWASP) Top 9 Coding Flaws leads to security issues?
(A) Denial-of-service
(B) Client-side injection
(C) Cross-site scripting
(D) Direct object reference”
Direct object reference

“Which identity management process targets access to enterprise resources by ensuring that the identity of an entity is verified?
(A) Federation
(B) Provisioning
(C) Authentication
(D) Policy management”
Authentication

“Which technology improves the ability of the transport layer security (TLS) to ensure privacy when communicating between applications?
(A) Volume encryption
(B) Whole-disk encryption
(C) Virtual private networks (VPNs)
(D) Advanced application-specific integrated circuits (ASICs)”
Advanced application-specific integrated circuits (ASICs)

“Which multi-factor authentication (MFA) option uses a physical universal serial bus (USB) device to generate one-time passwords?
(A) Biometrics
(B) Hard tokens
(C) Out-of-band passwords
(D) Transaction authentication numbers”
Hard tokens

“Which cloud infrastructure is shared by several organizations with common concerns, such as mission, policy, or compliance considerations?
(A) Hybrid cloud
(B) Public cloud
(C) Private cloud
(D) Community cloud”
Community cloud

“Which type of cloud deployment model is considered equivalent to a traditional IT architecture?
(A) Public
(B) Hybrid
(C) Private
(D) Community”
Private

“Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy (CSP)?
(A) Training programs
(B) Technological controls
(C) Strong access controls
(D) Contractual enforcement of policies”
Technological controls

“Which attack vector is associated with cloud infrastructure?
(A) Compromised API credentials
(B) Data storage locations in multiple jurisdictions
(C) Seizure and examination of a physical disk
(D) Licensing fees tied to the deployment of software based on a per-CPU licensing model”
Compromised API credentials

“Which risk is associated with malicious and accidental dangers to a cloud infrastructure?
(A) External attacks
(B) Personnel threats
(C) Natural disasters
(D) Regulatory noncompliance”
Personnel threats

“Which cloud-specific risk must be considered when moving infrastructure operations to the cloud?
(A) Denial of service
(B) Natural disasters
(C) Regulatory violations
(D) Lack of physical access”
Lack of physical access

“Which risk is controlled by implementing a private cloud?
(A) Eavesdropping
(B) Physical security
(C) Unauthorized access
(D) Denial-of-service (DoS)”
Physical security

“Which countermeasure enhances redundancy for physical facilities hosting cloud equipment during the threat of a power outage?
(A) Tier 2 network access providers
(B) Multiple and independent power circuits to all racks
(C) Radio frequency interference (RFI) blocking devices
(D) Automated license plate readers (ALPR) at entry points”
Multiple and independent power circuits to all racks

“Which countermeasure helps mitigate the risk of stolen credentials for cloud-based platforms?
(A) Host lockdown
(B) Data sanitization
(C) Key management
(D) Multifactor authentication”
Multifactor authentication

“Which control helps mitigate the risk of sensitive information leaving the cloud environment?
(A) Data loss prevention (DLP)
(B) Disaster recovery plan (DRP)
(C) Web application firewall (WAF)
(D) Identity and access management (IAM)”
Data loss prevention (DLP)

“Which countermeasure mitigates the risk of a rogue cloud administrator?
(A) Data encryption
(B) Platform orchestration
(C) Logging and monitoring
(D) Multifactor authentication”
Logging and monitoring

“Which consideration should be taken into account when reviewing a cloud service provider’s risk of potential outage time?
(A) The type of database
(B) The provider’s support services
(C) The unique history of the provider
(D) The amount of cloud service offerings”
The unique history of the provider

“Which cloud security control eliminates the risk of a virtualization guest escape from another tenant?
(A) Dedicated hosting
(B) File integrity monitor
(C) Hardware hypervisor
(D) Immutable virtual machines”
Dedicated hosting

“Which cloud security control is a countermeasure for man-in-the-middle attacks?
(A) Reviewing log data
(B) Backing up data offsite
(C) Using block data storage
(D) Encrypting data in transit”
Encrypting data in transit

“Which data retention policy controls how long health insurance portability and accountability act (HIPAA) data can be archived?
(A) Enforcement
(B) Maintenance
(C) Data classification
(D) Applicable regulation”
Applicable regulation

“Which disaster recovery (DR) site results in the quickest recovery in the event of a disaster?
(A) Hot
(B) Cold
(C) Passive
(D) Reserve”
Hot

“Where should the location be for the final data backup repository in the event that the disaster recovery plan is enacted for the CSP of disaster recovery (DR) service?
(A) Tape drive
(B) Local storage
(C) Cloud platform
(D) Company headquarters”
Cloud platform

“Which technology should be included in the disaster recovery plan to prevent data loss?
(A) Locked racks
(B) System patches
(C) Offsite backups
(D) Video surveillance”
Offsite backups

“Which disaster recovery plan metric indicates how long critical functions can be unavailable before the organization is irretrievably affected?
(A) Recovery time objective (RTO)
(B) Mean time to switchover (MTS)
(C) Recovery point objective (RPO)
(D) Maximum allowable downtime (MAD)”
Maximum allowable downtime (MAD)

“Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan?
(A) Provider’s history
(B) Continuity planning
(C) Level of resiliency
(D) Costs will remain the same”
Level of resiliency

“An architect needs to constrain problems to a level that can be controlled when the problem exceeds the capabilities of disaster recovery (DR) controls.
Which aspect of the plan will provide this guarantee?
(A) Ensuring data backups
(B) Managing plane controls
(C) Handling provider outages
(D) Evaluating portability alternatives”
Handling provider outages

“Which aspect of business continuity planning considers the alternatives to be used when there is a complete loss of the provider?
(A) Ensuring resiliency
(B) Managing plane controls
(C) Considering portability options
(D) Managing cloud provider outages”
Considering portability options

“What is a key method associated with a risk-based approach to business continuity planning?
(A) Using existing network technology
(B) Leveraging software-defined networking
(C) Applying internal authentication and credential passing
(D) Considering the degree of continuity required for assets”
Considering the degree of continuity required for assets

“Which testing method must be performed to demonstrate the effectiveness of a business continuity plan and procedures?
(A) SAST
(B) DAST
(C) Failover
(D) Penetration”
Failover

“Which process involves the use of electronic data as evidence in a civil or criminal legal case?
(A) Due diligence
(B) Cloud governance
(C) Auditing in the cloud
(D) eDiscovery investigations”
eDiscovery investigations

“Which standard addresses the privacy aspects of cloud computing for consumers?
(A) ISO 19011:2011
(B) ISO 27001:2013
(C) ISO 27018:2014
(D) ISO 27017:2015”
ISO 27018:2014

“Which international standard guide provides procedures for incident investigation principles and processes?
(A) ISO/IEC 27034-1:2011
(B) ISO/IEC 27037:2012
(C) ISO/IEC 27001:2013
(D) ISO/IEC 27043:2015”
ISO/IEC 27043:2015

“Which group is legally bound by the general data protection regulation (GDPR)?
(A) Only corporations headquartered in the EU
(B) Only corporations that process the data of EU citizens
(C) Only corporations that have operations in more than one EU nation
(D) Only corporations located in countries that have adopted the GDPR standard”
Only corporations that process the data of EU citizens

“Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?
(A) Notifying the affected persons
(B) Reporting to the supervisory authority
(C) Suspending the processing operations
(D) Informing consumer credit reporting services”
Reporting to the supervisory authority

“Which penalty is imposed for privacy violations under the general data protection regulation (GDPR)?
(A) Penalty up to 10 million Euros
(B) Penalty up to 20 million Euros
(C) Penalty up to 2% of gross income
(D) Penalty up to 5% of gross income”
Penalty up to 20 million Euros

“Why is eDiscovery difficult in the cloud?
(A) The process is time consuming.
(B) The cloud service provider may lack sufficient resources.
(C) The client may lack the credentials to access the required data.
(D) The customer is responsible for their data on a multi-tenant system.”
The client may lack the credentials to access the required data.

“Which artifact may be required as a data source for a compliance audit in a cloud environment?
(A) Customer SLAs
(B) Change management details
(C) Quarterly revenue projections
(D) Annual actual-to-budgeted expense reports”
Change management details

“Which artifact may be required as a data source for a regulatory compliance audit (i.e., HIPAA, PCI-DSS) in a cloud environment?
(A) System configuration details
(B) Quarterly revenue projections
(C) System performance benchmarks
(D) Annual actual-to-budgeted expenses”
System configuration details

“Which item would be a risk for an enterprise considering contracting with a cloud service provider?
(A) 99.99% up time guarantees
(B) No SLA exclusion penalties
(C) Very expensive SLA provider penalties
(D) Suspension of service if payment is delinquent”
Suspension of service if payment is delinquent

“Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties?
(A) Direct access
(B) Authentication
(C) Native production
(D) Discovery by design”
Native production

“Which type of control is important in order to achieve compliance for risk management?
(A) Security
(B) Privacy
(C) Validation
(D) Technical”
Security

“Which requirement is included when exceptions, restrictions, and potential risks are highlighted in a cloud services contract?
(A) Load balancer algorithm
(B) Stockholder expectations
(C) Regulatory and compliance
(D) Virtual machine and operating system”
Regulatory and compliance

“Which item is required in a cloud contract?
(A) Strategy for the SDLC
(B) Specifications for unit testing
(C) Penalties for failure to meet SLA
(D) Diagrams for data flow structures”
Penalties for failure to meet SLA

“Which factor exemplifies adequate cloud contract governance?
(A) The bandwidth that is contractually provided
(B) The emphasis of privacy controls in the contract
(C) The frequency with which contracts are renewed
(D) The flexibility of data types in accordance with a contract”
The frequency with which contracts are renewed
