CCSP

What are the three elements of Identity and Access Management (IAM)?

1. Identity Management 2. Access Management 3. Identity repository/Directory Services

What is the minimum level for raised floors?

24 inches

What is STAR level 2?

3rd party assessment-based certification

What is the appropriate ambient humidity for a data center?

40% to 60%

What is the appropriate ambient temperature for a data center?

64F to 81F

What is a SOC Type 1 report?

A point-in-time report covering design

What type of masking strategy involves replacing data on a system while it passes between the data and application layers? A. Dynamic B. Static C. Replication D. Duplication

A. With dynamic masking, production environments are protected with the masking process being implemented between the application and data layers of the application. This allows for a masking translation to take place live in the system and during normal application processing of data.

Many aspects of cloud computing bring enormous benefits over a traditional data center, but also introduce new challenges unique to cloud computing. Which of the following aspects of cloud computing makes appropriate data classification of high importance? A. Multitenancy B. Interoperability C. Portability D. Reversibility

A. With multitenancy, where different cloud customers all share the same physical systems and networks, data classification becomes even more important to ensure that the appropriate security controls are applied immediately to prevent any potential leakage or exposure to other customers. Portability refers to the ability to move easily from one cloud provider to another. Interoperability refers to the ability to reuse components and services for different uses. Reversibility refers to the ability of the cloud customer to quickly and completely remove all data and services from a cloud provider and to verify the removal.

For each of the six phases of the Data Life Cycle, what are the three FUNCTIONS that must be considered?

Access, Process, Store

What does the "A" stand for in the DREAD threat model?

Affected Users

Patents last how many years after the patent application? A. 15 B. 20 C. 25 D. 50

B. 20

Data labels could include all the following, except: A. Distribution limitations B. Multifactor authentication C. Confidentiality level D. Access restrictions

B. All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.

What database encryption option resides within the database? A. File-level B. Transparent C. Application-level

B. Transparent

"Metered or measured service" automatically controls and optimizes resource use by A. provisioning service based on set thresholds B. leveraging a metering capability C. setting time limits on services and resources based on pre-paid funds

B. leveraging a metering capability

What is a Type 1 hypervisor?

Bare metal (i.e. ESXi)

The GAPP framework was developed through a joint effort between the major Canadian and American professional accounting associations in order to assist their members with managing and preventing risks to the privacy of their data and customers. Which of the following is the meaning of GAPP? A. General accounting personal privacy B. Generally accepted privacy practices C. Generally accepted privacy principles D. General accounting privacy policies

C.

How many controls are in the Center for Internet Security's Critical Security Controls (CIS CSC)? A. 10 B. 15 C. 20 D. 25

C. 20

A comprehensive BCDR plan will encapsulate many or most of the traditional concerns of operating a system in any data center. However, what is one consideration that is often overlooked with the formulation of a BCDR plan? A. Availability of staff B. Capacity at the BCDR site C. Restoration of services D. Change management processes

C. BCDR planning tends to focus so much on the failing over of services in the case of a disaster that recovery back to primary hosting after the disaster is often overlooked. In many instances, this can be just as complex a process as failing over, if not more so. Availability of staff, capacity at the BCDR site, and change management processes are typically integral to BCDR plans and are common components of them.

The JCorp CFO purchases cloud services from Amazon, and he and his employees use it. A. JCorp CFO is a cloud customer B. JCorp CFO is a cloud user C. Both D. Neither

C. Both. He purchased the services as a customer and uses them as a user.

Which of the following is NOT one of the official risk rating categories? A. Critical B. Low C. Catastrophic D. Minimal

C. The official categories of cloud risk ratings are Minimal, Low, Moderate, High, and Critical.

Which aspect of SaaS will alleviate much of the time and energy organizations spend on compliance (specifically baselines)? A. Maintenance B. Licensing C. Standardization D. Development

C. With the entire software platform being controlled by the cloud provider, the standardization of configurations and versioning is done automatically for the cloud customer. This alleviates the customer's need to track upgrades and releases for its own systems and development; instead, the onus is on the cloud provider. Although licensing is the responsibility of the cloud customer within SaaS, it does not have an impact on compliance requirements. Within SaaS, development and maintenance of the system are solely the responsibility of the cloud provider.

Within an Infrastructure as a Service model, which of the following would NOT be a measured service? A. CPU B. Storage C. Number of users D. Memory

C. Within IaaS, the number of users on a system is not relevant to the particular hosting model in regard to cloud resources. IaaS is focused on infrastructure needs of a system or application. Therefore, a factor such as the number of users that could affect licensing requirements, for example, would apply to the SaaS model, or in some instances to PaaS.

What is the Cloud Security Alliance Open Certification Framework level (CSA OCF) for Self Assessment?

CSA STAR Level 1

What is STAR level 3?

Continuous Monitoring and Improvement

What are the three types of law?

Criminal law, civil law, administrative law

What two things happen in maintenance mode?

Customer access is blocked & alerts are disabled

Which of the following is NOT one of the three components of a federated identity system transaction? A. Relying party B. Identity provider C. User D. Proxy relay

D.

Which of the following best describes SAML? A. A standard used for directory synchronization B. A standard for developing secure application management logistics C. A standard for exchanging usernames and passwords across devices D. A standard for exchanging authentication and authorization data between security domains

D.

Which of the following is NOT part of an Audit policy? A. Audit periods B. Audit scope C. Audit responsibilities D. Audit standards E. Audit processes and procedures F. Applicable regulations G. Monitoring, maintenance, and enforcement

D. Audit standards

Which of the following is the MOST important requirement and guidance for testing during an audit? A. Stakeholders B. Shareholders C. Management D. Regulations

D. During any audit, regulations are the most important factor and guidelines for what must be tested. Although the requirements from management, stakeholders, and shareholders are also important, regulations are not negotiable and pose the biggest risk to any organization for compliance failure.

What does dynamic application security testing (DAST) NOT entail? A. Scanning B. Probing C. Discovery D. Knowledge of the system

D. Dynamic application security testing (DAST) is considered "black box" testing and begins with no inside knowledge of the application or its configurations. Everything about the application must be discovered during the testing.

Which of the following is not a way to manage risk? A. Transferring B. Accepting C. Mitigating D. Enveloping

D. Enveloping is a nonsense term, unrelated to risk management. The rest are not.

Which of the following terms is not associated with cloud forensics? A. eDiscovery B. Chain of custody C. Analysis D. Plausibility

D. Plausibility, here, is a distractor and not specifically relevant to cloud forensics.

For performance purposes, OS monitoring should include all of the following except: A. Disk space B. Disk I/O usage C. CPU usage D. Print spooling

D. Print spooling is not a metric for system performance; all the rest are.

Which of the following should NOT be part of the requirement analysis phase of the software development lifecycle? A. Functionality B. Programming languages C. Software platform D. Security requirements

D. Security requirements should be incorporated into the software development lifecycle (SDLC) from the earliest requirement gathering stage and should be incorporated prior to the requirement analysis phase.

Which of the following storage types is most closely associated with a database-type storage implementation? A. Object B. Unstructured C. Volume D. Structured

D. Structured storage involves organized and categorized data, which most closely resembles and operates like a database system would.

What is the only data format permitted with the SOAP API? A. HTML B. SAML C. XSML D. XML

D. The SOAP protocol only supports the XML data format.

Gathering business requirements can aid the organization in determining all of this information about organizational assets, except: A. Full inventory B. Criticality C. Value D. Usefulness

D. When we gather information about business requirements, we need to do a complete inventory, receive accurate valuation of assets (usually from the owners of those assets), and assess criticality; this collection of information does not tell us, objectively, how useful an asset is, however.

Which of the following is not an example of a highly regulated environment? A. Financial services B. Healthcare C. Public companies D. Wholesale or distribution

D. Wholesalers or distributors are generally not regulated, although the products they sell may be.

Which of the following features is a main benefit of PaaS over IaaS? A. Location independence B. High-availability C. Physical security requirements D. Auto-scaling

D. With PaaS providing a fully configured and managed framework, auto-scaling can be implemented to programmatically adjust resources based on the current demands of the environment.

Enterprise Rights Management is a form of _____?

DRM

What are the three components of DLP?

Data discovery and classification, monitoring, enforcement

What does the "D" stand for in STRIDE?

Denial of Service

What does the second "D" stand for in the DREAD threat model?

Discoverability

Which of the following threat sources would cover utility failures? A. Human B. Natural C. Physical D. Technical E. Environmental F. Operational

E. Environmental

What EAL Level is "Functionally Tested"?

EAL1

What EAL Level is "Structurally Tested"?

EAL2

What EAL Level is "Methodically Tested and Checked"?

EAL3

What EAL Level is "Methodically Designed, Tested, and Reviewed"?

EAL4

What EAL Level is "Semi-Formally Designed and Tested"?

EAL5

What EAL Level is "Formally Verified Design and Tested"?

EAL7

What does the "E" stand for in STRIDE?

Elevation of Privilege

What is the traditional purpose of a BCP?

Ensures that the critical business functions continue AT the alternate location

What does the "E" stand for in the DREAD threat model?

Exploitability

In this phase of the Data Life Cycle, data is committed to a temporary storage repository. A. Share B. Use C. Archive D. Destroy E. Create F. Store

F. Store

What systems are covered by a SOC 1 report?

Financial systems

Joe creates an account in LinkedIn using his Google account. Which is the identity provider, which is the service provider, and which is the relying provider?

Google is the ID, LinkedIn is the SP and RP.

What part of the shared responsibility model is the customer ALWAYS responsible for?

Governance, risk, and compliance

What is a Type 2 hypervisor?

Hosted (i.e. VMware Workstation)

What is the difference between IRM and DRM?

IRM focuses on digital documents, DRM focuses on digital media (music, videos, software)

How do you know if something belongs in a contract or in an SLA?

If it has metrics associated with it, it goes in the SLA.

What two types of data storage are used in SaaS?

Information Storage and Management & Content/file storage

What does the "I" stand for in STRIDE?

Information disclosure

What is another name for a private cloud?

Intranet

Why is reduced sign-on less secure?

It involves identity synchronization, and transmits credentials for each authorization - this has more attack surface.

How is key escrow different from key recovery?

Key recovery is an internally-managed means of recovering a key when the key owner is unavailable. Key escrow is a means of ensuring a trusted third-party manages keys.

What are the most widely-used directory services?

LDAP and X.500

What is the primary risk involved with vendor lock-in?

Lack of portability.

Do the six phases of the Data Life Cycle need to be followed in order?

No.

What systems are covered by a SOC 2 report?

Non-financial systems

What are the two most common protocols for Federated Identity?

OAuth 2.0 & SAML

What are the two types of elasticity?

Outward and inward

What part of the shared responsibility model is the CSP ALWAYS responsible for?

Physical Security

What is the process to maintain and safeguard the integrity and/or original condition of the potential digital evidence as defined in ISO 27037:2012?

Preservation

What should you be using to manage segregation of duties for privileged accounts?

Privileged Identity Management (PIM)

What does the "R" stand for in the DREAD threat model?

Reproducibility

What does the "R" stand for in STRIDE?

Repudiation

What is RASP?

Runtime Application Self Protection

What are the two most popular API formats?

SOAP and REST

What's the difference between SOC 2 and SOC 3?

SOC 2 is a full report and provides details on the controls and the auditor's actions and opinions to assess them

What is the difference between scalability and elasticity?

Scalability refers to adding resources, elasticity refers to scaling down resources when not needed.

What three areas are SOC 2 and SOC 3 reports focused on?

Security, CIA, Privacy

What is STAR level 1?

Self-assessment

How is object storage accessed?

Similar to a file share accessed via APIs or a web interface

What does the "S" stand for in STRIDE?

Spoofing an identity

Which is more secure, static masking or dynamic masking?

Static masking, as it does not expose the actual underlying data; it creates a new copy and then operates on that.

Which THREE phases of the Data Life Cycle require policies? A. Share B. Use C. Archive D. Destroy E. Create F. Store

Store (retention), archive, and destroy (deletion)

What two types of data storage are used in PaaS?

Structured and Unstructured

What is a SOC 3 report also known as?

SysTrust/WebTrust/Trust Service Report

What is a concern for cloud customers in an IaaS environment?

System and network auditing may be difficult

What does the "T" stand for in STRIDE?

Tampering with data

In a CSP, who dictates the technology and operational procedures?

The CSPs

Who published the Security, Trust & Assurance Registry?

The Cloud Security Alliance

What is the European Union Agency for Network Information Security Agency (ENISA)?

The European equivalent of NIST

In an MSP, who dictates the technology and operational procedures?

The consumer

What is the Application Normative Framework (ANF) subordinate to?

The organizational normative framework (ONF)

This type of storage cluster has a physical backplane which delivers a high-performance interconnect between servers for load-balanced performance and maximum scalability as the cluster grows

Tightly-coupled

What is the traditional purpose of a COOP?

Used to relocate to an alternate location those activities that sustain organization-wide essential processes

What are the two types of scalability?

Vertical (add size, scale up) and horizontal (add guests, scale out)

What two types of data storage are used in IaaS?

Volume Storage and Object Storage

On what type of storage do database servers typically reside?

Volume storage

This type of storage cluster offers cost-effective building blocks that can start small and grow as applications demand

Loosely-coupled

Which of the following are considered to be the building blocks of cloud computing? A. CPU, RAM, storage, and networking B. Data, CPU, RAM, and access control C. Data, access control, virtualization, and services D. Storage, networking, printing, and virtualization

A.

Which of the following are the storage types associated with IaaS? A. Volume and object B. Volume and label C. Volume and container D. Object and target

A.

An average disk drive has what failure rate per year? A. <1% B. 1-2% C. 3-5% D. 4-6%

C. 3-5%

Why does a Type 2 hypervisor typically offer less security control than a Type 1 hypervisor? A. A Type 2 hypervisor runs on top of another operating system and is dependent on the security of the OS for its own security. B. A Type 2 hypervisor allows users to directly perform some functions with their own access. C. A Type 2 hypervisor is open source, so attackers can more easily find exploitable vulnerabilities with that access. D. A Type 2 hypervisor is always exposed to the public Internet for federated identity access.

A. A Type 2 hypervisor differs from a Type 1 hypervisor in that it runs on top of another operating system rather than directly tied into the underlying hardware of the virtual host servers. With this type of implementation, additional security and architecture concerns come into play because the interaction between the operating system and the hypervisor becomes a critical link. The hypervisor no longer has direct interaction and control over the underlying hardware, which means that some performance will be lost due to the operating system in the middle needing its own resources, patching requirements, and operational oversight.

Which of the following best describes a cloud carrier? A. The intermediary who provides connectivity and transport of cloud providers and cloud consumers B. A person or entity responsible for making a cloud service available to consumers C. The person or entity responsible for transporting data across the Internet D. The person or entity responsible for keeping cloud services running for customers

A. A cloud carrier is the intermediary who provides connectivity and transport of cloud services between cloud providers and cloud customers.

Which of the cloud deployment models requires the cloud customer to be part of a specific group or organization in order to host cloud services within it? A. Community B. Hybrid C. Private D. Public

A. A community cloud model is where customers that share a certain common bond or group membership come together to offer cloud services to their members, focused on common goals and interests.

Which of the following is considered a technological control? A. Firewall software B. Firing personnel C. Fireproof safe D. Fire extinguisher

A. A firewall is a technological control. The safe and extinguisher are physical controls and firing someone is an administrative control.

The president of your company has tasked you with implementing cloud services as the most efficient way of obtaining a robust disaster recovery configuration for your production services. Which of the cloud deployment models would you MOST likely be exploring? A. Hybrid B. Private C. Community D. Public

A. A hybrid cloud model spans two or more different hosting configurations or cloud providers. This would enable an organization to continue using its current hosting configuration, while adding additional cloud services to enable disaster recovery capabilities. The other cloud deployment models (public, private, and community) would not be applicable for seeking a disaster recovery configuration where cloud services are to be leveraged for that purpose rather than production service hosting.

Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner? A. KVM B. HTTPS C. VPN D. TLS

A. A keyboard-video-mouse (KVM) system is commonly used for directly accessing server terminals in a data center. It is not a method that would be possible within a cloud environment, primarily due to the use of virtualized systems, but also because only the cloud provider's staff would be allowed the physical access to hardware systems that's provided by a KVM. Hypertext Transfer Protocol Secure (HTTPS), virtual private network (VPN), and Transport Layer Security (TLS) are all technologies and protocols that are widely used with cloud implementations for secure access to systems and services.

In order to prevent cloud customers from potentially consuming enormous amounts of resources within a cloud environment and thus having a negative impact on other customers, what concept is commonly used by a cloud provider? A. Limit B. Cap C. Throttle D. Reservation

A. A limit puts a maximum value on the amount of resources that may be consumed by either a system, a service, or a cloud customer. It is commonly used to prevent one entity from consuming enormous amounts of resources and having an operational impact on other tenants within the same cloud system. Limits can either be hard or somewhat flexible, meaning a customer can borrow from other customers while still having their actual limit preserved. A reservation is a guarantee to a cloud customer that a certain level of resources will always be available to them, regardless of what operational demands are currently placed on the cloud environment. Both cap and throttle are terms that sound similar to limit, but they are not the correct terms in this case.

Which OSI layer does IPsec operate at? A. Network B. Transport C. Application D. Presentation

A. A major difference between IPsec and other protocols such as TLS is that IPsec operates at the Internet network layer rather than the application layer, allowing for complete end-to-end encryption of all communications and traffic.

What concept does the D represent within the STRIDE threat model? A. Denial of service B. Distributed C. Data breach D. Data loss

A. Any application can be a possible target of denial of service (DoS) attacks. From the application side, the developers should minimize how many operations are performed for unauthenticated users. This will keep the application running as quickly as possible and using the least amount of system resources to help minimize the impact of any such attacks. None of the other options provided is the correct term.

Although host-based and network-based IDSs perform similar functions and have similar capabilities, which of the following is an advantage of a network-based IDS over a host-based IDS, assuming all capabilities are equal? A. Segregated from host systems B. Network access C. Scalability D. External to system patching

A. A network-based IDS has the advantage of being segregated from host systems, and as such, it would not be open to compromise in the same manner a host-based system would be. Although a network-based IDS would be external to system patching, this is not the best answer here because it is a minor concern compared to segregation due to possible host compromise. Scalability is also not the best answer because, although a network-based IDS does remove processing from the host system, it is not a primary security concern. Network access is not a consideration because both a host-based IDS and a network-based IDS would have access to network resources.

Key maintenance and security are paramount within a cloud environment due to the widespread use of encryption for both data and transmissions. Which of the following key-management systems would provide the most robust control over and ownership of the key-management processes for the cloud customer? A. Remote key management service B. Local key management service C. Client key management service D. Internal key management service

A. A remote key management system resides away from the cloud environment and is owned and controlled by the cloud customer. With the use of a remote service, the cloud customer can avoid being locked into a proprietary system from the cloud provider, but also must ensure that service is compatible with the services offered by the cloud provider. A local key management system resides on the actual servers using the keys, which does not provide optimal security or control over them. Both the terms internal key management service and client key management service are provided as distractors.

Which of the following represents a minimum guaranteed resource within a cloud environment for the cloud customer? A. Reservation B. Share C. Limit D. Provision

A. A reservation is a minimum resource that is guaranteed to a customer within a cloud environment. Within a cloud, a reservation can pertain to the two main aspects of computing: memory and processor. With a reservation in place, the cloud provider guarantees that a cloud customer will always have at minimum the necessary resources available to power on and operate any of their services.

Which of the following statements accurately describes VLANs? A. They are not restricted to the same data center or the same racks. B. They are not restricted to the same rack but restricted to the same data center. C. They are restricted to the same racks and data centers. D. They are not restricted to the same rack but restricted to the same switches.

A. A virtual area network (VLAN) can span any networks within a data center, or it can span across different physical locations and data centers.

When using an IaaS solution, what is the capability provided to the customer? A. To provision processing, storage, networks, and other fundamental computing resources when the consumer is able to deploy and run arbitrary software, which can include OSs and applications. B. To provision processing, storage, networks, and other fundamental computing resources when the auditor is able to deploy and run arbitrary software, which can include OSs and applications. C. To provision processing, storage, networks, and other fundamental computing resources when the provider is able to deploy and run arbitrary software, which can include OSs and applications. D. To provision processing, storage, networks, and other fundamental computing resources when the consumer is not able to deploy and run arbitrary software, which can include OSs and applications.

A. According to "The NIST Definition of Cloud Computing," in IaaS, "the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls)."

Which is the appropriate phase of the cloud data lifecycle for determining the data's classification? A. Create B. Use C. Share D. Store

A. Any time data is created, modified, or imported, the classification needs to be evaluated and set from the earliest phase to ensure security is always properly maintained for the duration of its lifecycle.

Which of the following are distinguishing characteristics of a managed service provider? A. Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management. B. Have some form of a help desk but no NOC. C. Be able to remotely monitor and manage objects for the customer and reactively maintain these objects under management. D. Have some form of a NOC but no help desk.

A. According to the MSP Alliance, typically MSPs have the following distinguishing characteristics:
- Have some form of NOC service
- Have some form of help desk service
- Can remotely monitor and manage all or a majority of the objects for the customer
- Can proactively maintain the objects under management for the customer
- Can deliver these solutions with some form of predictable billing model, where the customer knows with great accuracy what her regular IT management expense will be

What concept does the "A" represent in the DREAD model? A. Affected users B. Authentication C. Affinity D. Authorization

A. Affected users refers to the percentage of users who would be impacted by a successful exploit. Scoring ranges from 0, which means no users are impacted, to 10, which means all users are impacted.

Which of the following best describes data masking? A. A method for creating similar but inauthentic datasets used for software testing and user training. B. A method used to protect prying eyes from data such as social security numbers and credit card data. C. A method where the last few numbers in a dataset are not obscured. These are often used for authentication. D. Data masking involves stripping out all digits in a string of numbers so as to obscure the original number.

A. All of these answers are actually correct, but A is the best answer, because it is the most general, includes the others, and is therefore the optimum choice. This is a good example of the type of question that can appear on the actual exam.

All policies within the organization should include a section that includes all of the following, except: A. Policy adjudication B. Policy maintenance C. Policy review D. Policy enforcement

A. All the elements except adjudication need to be addressed in each policy. Adjudication is not an element of policy.

Data labels could include all the following, except: A. Multifactor authentication B. Access restrictions C. Confidentiality level D. Distribution limitations

A. All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.

Data labels could include all the following, except: A. Data value B. Date of scheduled destruction C. Date data was created D. Data owner

A. All the others might be included in data labels, but we don't usually include data value, since it is prone to change frequently, and because it might not be information we want to disclose to anyone who does not have need to know.

Which of the following actions will NOT make data part of the "create" phase of the cloud data lifecycle? A. Modifying metadata B. Importing data C. Modifying data D. Constructing new data

A. Although the initial phase is called "create," it can also refer to modification. In essence, any time data is considered "new," it is in the create phase. This can come from data that is newly created, data that is imported into a system and is new to that system, or data that is already present and modified into a new form or value. Modifying the metadata does not change the actual data.

What are SOC 1/SOC 2/SOC 3? A. Audit reports B. Risk management frameworks C. Access controls D. Software developments

A. An SOC 1 is a report on controls at a service organization that may be relevant to a user entity's internal control over financial reporting. An SOC 2 report is based on the existing SysTrust and WebTrust principles. The purpose of an SOC 2 report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, or privacy. An SOC 3 report is also based on the existing SysTrust and WebTrust principles, like a SOC 2 report.The difference is that the SOC 3 report does not detail the testing performed.

Many different common threats exist against web-exposed services and applications. One attack involves attempting to leverage input fields to execute queries in a nested fashion that is unintended by the developers. What type of attack is this? A. Injection B. Missing function-level access control C. Cross-site scripting D. Cross-site request forgery

A. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it can potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

Which of the following systems is used to employ a variety of different techniques to discover and alert on threats and potential threats to systems and networks? A. IDS B. IPS C. Firewall D. WAF

A. An intrusion detection system (IDS) is implemented to watch network traffic and operations, using predefined criteria or signatures, and alert administrators if anything suspect is found. An intrusion prevention system (IPS) is similar to an IDS but actually takes action against suspect traffic, whereas an IDS just alerts when it finds anything suspect. A firewall works at the network level and only takes into account IP addresses, ports, and protocols; it does not inspect the traffic for patterns or content. A web application firewall (WAF) works at the application layer and provides additional security via proxying, filtering service requests, or blocking based on additional factors such as the client and requests.

Which of the following provides assurance, to a predetermined acceptable level of certainty, that an entity is indeed who they claim to be? A. Authentication B. Identification C. Proofing D. Authorization

A. Authentication goes a step further than identification by providing a means for proving an entity's identification. Authentication is most commonly done through mechanisms such as passwords. Identification involves ascertaining who the entity is, but without a means of proving it, such as a name or user ID. Authorization occurs after authentication and sets access permissions and other privileges within a system or application for the user. Proofing is not a term that is relevant to the question.

What must be secured on physical hardware to prevent unauthorized access to systems? A. BIOS B. SSH C. RDP D. ALOM

A. BIOS is the firmware that governs the physical initiation and boot up of a piece of hardware. If it is compromised, an attacker could have access to hosted systems and make configuration changes to expose or disable some security elements on the system.

What is the minimum regularity for testing a BCDR plan to meet best practices? A. Once a year B. Once a month C. Every six months D. When the budget allows it

A. Best practices and industry standards dictate that a BCDR solution should be tested at least once a year, though specific regulatory requirements may dictate more regular testing. The BCDR plan should also be tested whenever a major modification to a system occurs.

Which of the following is NOT a way in which an organization may classify data? A. By applicability B. By criticality C. By jurisdiction D. By sensitivity

A. By applicability

Which of the following are attributes of cloud computing? A. Minimal management effort and shared resources B. High cost and unique resources C. Rapid provisioning and slow release of resources D. Limited access and service provider interaction

A. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Which crucial aspect of cloud computing can be most threatened by insecure APIs? A. Automation B. Redundancy C. Resource pooling D. Elasticity

A. Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment.

Which crucial aspect of cloud computing can be most threatened by insecure APIs? A. Automation B. Resource pooling C. Elasticity D. Redundancy

A. Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment. Resource pooling and elasticity could both be impacted by insecure APIs, as both require automation and orchestration to operate properly, but automation is the better answer here. Redundancy would not be directly impacted by insecure APIs.

Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance? A. Virtualization B. Multitenancy C. Resource pooling D. Dynamic optimization

A. Cloud environments will regularly change virtual machines as patching and versions are changed. Unlike a physical environment, there is little continuity from one period of time to another. It is very unlikely that the same virtual machines would be in use during a repeat audit.

Which component of ITIL involves planning for the restoration of services after an unexpected outage or incident? A. Continuity management B. Problem management C. Configuration management D. Availability management

A. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Configuration management tracks and maintains detailed information about all IT components within an organization.

Cryptographic keys for encrypted data stored in the cloud should be ________________ . A. Not stored with the cloud provider. B. Generated with redundancy C. At least 128 bits long D. Split into groups

A. Cryptographic keys should not be stored along with the data they secure, regardless of key length. We don't split crypto keys or generate redundant keys (doing so would violate the principle of secrecy necessary for keys to serve their purpose).

DLP can be combined with what other security technology to enhance data controls? A. DRM B. Hypervisor C. SIEM D. Kerberos

A. DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.

The goals of DLP solution implementation include all of the following, except: A. Elasticity B. Policy enforcement C. Data discovery D. Loss of mitigation

A. DLP does not have anything to do with elasticity, which is the capability of the environment to scale up or down according to demand. All the rest are goals of DLP implementations.

DLP solutions can aid in deterring loss due to which of the following? A. Inadvertent disclosure B. Natural disaster C. Randomization D. Device failure

A. DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.

Which aspect of security is DNSSEC designed to ensure? A. Integrity B. Authentication C. Availability D. Confidentiality

A. DNSSEC is a security extension to the regular DNS protocol and services that allows for the validation of the integrity of DNS lookups. It does not address confidentiality or availability at all. It allows for a DNS client to perform DNS lookups and validate both their origin and authority via the cryptographic signature that accompanies the DNS response.

Which technology is NOT commonly used for security with data in transit? A. DNSSEC B. IPsec C. VPN D. HTTPS

A. DNSSEC relates to the integrity of DNS resolutions and the prevention of spoofing or redirection, and does not pertain to the actual security of transmissions or the protection of data.

What type of data does data rights management (DRM) protect? A. Consumer B. PII C. Financial D. Healthcare

A. DRM applies to the protection of consumer media, such as music, publications, video, movies, and so on.

The DLP engine is installed on the network or at the gateway: A. Data in motion B. Data in use C. Data at rest

A. Data in motion

Which of the following is a management role, versus a technical role, as it pertains to data management and oversight? A. Data owner B. Data processor C. Database administrator D. Data custodian

A. Data owner is a management role that's responsible for all aspects of how data is used and protected. The database administrator, data custodian, and data processor are all technical roles that involve the actual use and consumption of data, or the implementation of security controls and policies with the data.

Which of the following is NOT part of a Data Deletion policy? A. Data retention thresholds B. Data disposal process and procedures C. Applicable regulation D. Clear direction of when data should be destroyed

A. Data retention thresholds

Security is a critical yet often overlooked consideration for BCDR planning. At which stage of the planning process should security be involved? A. Scope definition B. Requirements gathering C. Analysis D. Risk assessment

A. Defining the scope of the plan is the very first step in the overall process. Security should be included from the very earliest stages and throughout the entire process. Bringing in security at a later stage can lead to additional costs and time delays to compensate for gaps in planning. Risk assessment, requirements gathering, and analysis are all later steps in the process, and adding in security at any of those points can potentially cause increased costs and time delays.

Because of multitenancy, specific risks in the public cloud that don't exist in the other cloud service models include all the following except: A. DoS/DDoS B. Information bleed C. Risk of loss/disclosure due to legal seizures D. Escalation of privilege

A. DoS/DDoS threats and risks are not unique to the public cloud model.

Which data state would be most likely to use digital signatures as a security protection mechanism? A. Data in use B. Data in transit C. Archived D. Data at rest

A. During the data-in-use state, the information has already been accessed from storage and transmitted to the service, so reliance on a technology such as digital signatures is imperative to ensure security and complement the security methods used during previous states. Data in transit relies on technologies such as TLS to encrypt network transmission of packets for security. Data at rest primarily uses encryption for stored file objects. Archived data would be the same as data at rest.

What are the U.S. Commerce Department controls on technology exports known as? A. ITAR B. DRM C. EAR D. EAL

A. EAR is a Commerce Department program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.

Which of the following directed NIST to work with other industry stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices to reduce cyber risks to critical infrastructure? A. EO 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" B. EO 13691, "Promoting Private Sector Cybersecurity Information Sharing" C. EO 13636, "Improving Critical Infrastructure Cybersecurity" D. EO 13870, "America's Cybersecurity Workforce"

C. EO 13636, "Improving Critical Infrastructure Cybersecurity"

Which component of ITIL involves handling anything that can impact services for either internal or public users? A. Incident management B. Deployment management C. Problem management D. Change management

A. Incident management is focused on limiting the impact of disruptions to an organization's services or operations, as well as returning their state to full operational status as soon as possible. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur. Deployment management is a subcomponent of change management and is where the actual code or configuration change is put into place. Change management involves the processes and procedures that allow an organization to make changes to its IT systems and services in a controlled manner.

When beginning an audit, both the system owner and the auditors must agree on various aspects of the final audit report. Which of the following would NOT be something that is predefined as part of the audit agreement? A. Size B. Format C. Structure D. Audience

A. The ultimate size of the audit report is not something that would ever be included in the audit scope or definition. Decisions about the content of the report should be the only factor that drives the ultimate size of the report. The structure, audience, and format of the audit report are all crucial elements that must be defined and agreed upon as part of the audit scope.

Which of the following is considered a physical control? A. Fences B. Ceilings C. Carpets D. Doors

A. Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control: the lock on the door would be a physical security control. Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.

What database encryption option resides on volume storage? A. File-level B. Transparent C. Application-level

A. File-level

Which of the following is NOT a factor that is part of a firewall configuration? A. Encryption B. Port C. Protocol D. Source IP

A. Firewalls take into account source IP, destination IP, the port the traffic is using, as well as the network protocol (UDP/TCP). Whether or not the traffic is encrypted is not something a firewall is concerned with.

Which term relates to the application of scientific methods and practices to evidence? A. Forensics B. Methodical C. Theoretical D. Measured

A. Forensics is the application of scientific and methodical processes to identify, collect, preserve, analyze, and summarize/report digital information and evidence.

Which of the following is a widely used tool for code development, branching, and collaboration? A. GitHub B. Maestro C. Orchestrator D. Conductor

A. GitHub is an open source tool that developers leverage for code collaboration, branching, and versioning.

Which protocol operates at the network layer and provides for full point-to-point encryption of all communications and transmissions? A. IPSec B. VPN C. SSL D. TLS

A. IPSec is a protocol for encrypting and authenticating packets during transmission between two parties and can involve any type of device, application, or service. The protocol performs both the authentication and negotiation of security policies between the two parties at the start of the connection and then maintains these policies throughout the lifetime of the connection. TLS operates at the application layer, not the network layer, and is widely used to secure communications between two parties. SSL is similar to TLS but has been deprecated. Although a VPN allows a secure channel for communications into a private network from an outside location, it's not a protocol.

Which of the following frameworks focuses specifically on design implementation and management? A. ISO 31000:2009 B. ISO 27017 C. NIST 800-92 D. HIPAA

A. ISO 31000:2009 specifically focuses on design implementation and management. HIPAA refers to health care regulations, NIST 800-92 is about log management, and ISO 27017 is about cloud-specific security controls.

In what cloud service model does the customer have the most control over the resources? A. IaaS B. PaaS C. SaaS

A. IaaS

The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement? A. IaaS B. SaaS C. Community cloud D. PaaS

A. IaaS entails the cloud customer installing and maintaining the OS, programs, and data; PaaS has the customer installing programs and data; in SaaS, the customer only uploads data. In a community cloud, data and device owners are distributed.

When using an IaaS solution, what is a key benefit provided to the customer? A. Metered and priced on the basis of units consumed B. Increased energy and cooling system efficiencies C. Transferred cost of ownership D. The ability to scale up infrastructure services based on projected usage

A. IaaS has a number of key benefits for organizations, which include but are not limited to these:
- Usage is metered and priced on the basis of units (or instances) consumed. This can also be billed back to specific departments or functions.
- It has an ability to scale up and down infrastructure services based on actual usage. This is particularly useful and beneficial where there are significant spikes and dips within the usage curve for infrastructure.
- It has a reduced cost of ownership. There is no need to buy assets for everyday use, no loss of asset value over time, and reduced costs of maintenance and support.
- It has reduced energy and cooling costs along with a "green IT" environment effect with optimum use of IT resources and systems.

Which is NOT one of the four tasks in Identity Management? A. Identity proofing B. Password Management C. Self-Service D. Provisioning E. Registration

A. Identity proofing

What is one of the reasons a baseline might be changed? A. Numerous change requests B. To reduce redundancy C. Natural disaster D. Power fluctuation

A. If the CMB is receiving numerous change requests to the point where the amount of requests would drop by modifying the baseline, then that is a good reason to change the baseline. None of the other reasons should involve the baseline at all.

In which cloud service model is the customer required to maintain the OS? A. IaaS B. CaaS C. PaaS D. SaaS

A. In IaaS, the service is bare metal, and the customer has to install the OS and the software; the customer then is responsible for maintaining that OS. In the other models, the provider installs and maintains the OS.

In order to ensure ongoing compliance with regulatory requirements, which phase of the cloud data lifecycle must be tested regularly? A. Archive B. Share C. Store D. Destroy

A. In order to ensure compliance with regulations, it is important for an organization to regularly test the restorability of archived data. As technologies change and older systems are deprecated, the risk rises for an organization to lose the ability to restore data from the format in which it is stored. With the destroy, store, and share phases, the currently used technologies will be sufficient for an organization's needs on an ongoing basis, so the risk that is elevated with archived data is not present.

Which of the following is NOT a focus or consideration of an internal audit? A. Certification B. Design C. Costs D. Operational efficiency

A. In order to obtain and comply with certifications, independent external audits must be performed and satisfied. Although some testing of certification controls can be part of an internal audit, they will not satisfy requirements.

What concept and operational process must be spelled out clearly, as far as roles and responsibilities go, between the cloud provider and cloud customer for the mitigation of any problems or security events? A. Incident response B. Problem management C. Change management D. Conflict response

A. Incident response is the process through which security or operational issues are handled, including coordination with and communication to the appropriate stakeholders. None of the other terms provided is the correct response.

Which security concept is focused on the trustworthiness of data? A. Integrity B. Availability C. Nonrepudiation D. Confidentiality

A. Integrity is focused on the trustworthiness of data as well as the prevention of unauthorized modification or tampering of it. A prime consideration for maintaining integrity is an emphasis on the change management and configuration management aspects of operations, so that all modifications are predictable, tracked, logged, and verified, whether they are performed by actual human users or systems processes and scripts.

Your IT steering committee has, at a high level, approved your project to begin using cloud services. However, the committee is concerned with getting locked into a single cloud provider and has flagged the ability to easily move between cloud providers as a top priority. It also wants to save costs by reusing components. Which cross-cutting aspect of cloud computing would be your primary focus as your project plan continues to develop and you begin to evaluate cloud providers? A. Interoperability B. Resiliency C. Scalability D. Portability

A. Interoperability is the ability to easily move between cloud providers, by either moving or reusing components and services. This can pertain to any cloud deployment model, and it gives organizations the ability to constantly evaluate costs and services as well as move their business to another cloud provider as needed or desired. Portability relates to the wholesale moving of services from one cloud provider to another, not necessarily the reuse of components or services for other purposes. Although resiliency is not an official concept within cloud computing, it certainly would be found throughout other topics such as elasticity, auto-scaling, and resource pooling. Scalability pertains to changing resource allocations to a service to meet current demand, either upward or downward in scope.

Which of the following threat types can occur when an application does not properly validate input and can be leveraged to send users to malicious sites that appear to be legitimate? A. Unvalidated redirects and forwards B. Insecure direct object references C. Security misconfiguration D. Sensitive data exposure

A. Many web applications offer redirect or forward pages that send users to different, external sites. If these pages are not properly secured and validated, attackers can use the application to forward users off to sites for phishing or malware attempts. These attempts can often be more successful than direct phishing attempts because users will trust the site or application that sent them there, and they will assume it has been properly validated and approved by the trusted application's owners or operators. Security misconfiguration occurs when applications and systems are not properly configured for security--often a result of misapplied or inadequate baselines. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data.

Which approach is typically the most efficient method to use for data discovery? A. Metadata B. Content analysis C. Labels D. ACLs

A. Metadata is data about data. It contains information about the type of data, how it is stored and organized, or information about its creation and use.

If you are running an application that has strict legal requirements that the data cannot reside on systems that contain other applications or systems, which aspect of cloud computing would be prohibitive in this case? A. Multitenancy B. Broad network access C. Portability D. Elasticity

A. Multitenancy is the aspect of cloud computing that involves having multiple customers and applications running within the same system and sharing the same resources. Although considerable mechanisms are in place to ensure isolation and separation, the data and applications are ultimately using shared resources. Broad network access refers to the ability to access cloud services from any location or client. Portability refers to the ability to easily move cloud services between different cloud providers, whereas elasticity refers to the capabilities of a cloud environment to add or remove services, as needed, to meet current demand.

Where is this definition of cloud computing found? "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction." A. NIST SP 800-145 B. NIST SP 800-144 C. NIST SP 800-146

A. NIST SP 800-145, "The NIST Definition of Cloud Computing"

What does a cloud customer purchase or obtain from a cloud provider? A. Services B. Hosting C. Servers D. Customers

A. No matter what form they come in, "services" are obtained or purchased by a cloud customer from a cloud service provider. Services can come in many forms--virtual machines, network configurations, hosting setups, and software access, just to name a few. Hosting and servers--or, with a cloud, more appropriately virtual machines--are just two examples of "services" that a customer would purchase from a cloud provider. "Customers" would never be a service that's purchased.

Which of the following is the biggest concern or challenge with using encryption? A. Dependence on keys B. Cipher strength C. Efficiency D. Protocol standards

A. No matter what kind of application, system, or hosting model used, encryption is 100 percent dependent on encryption keys. Properly securing the keys and the exchange of them is the biggest and most important challenge of encryption systems.

How is an object stored within an object storage system? A. Key value B. Database C. LDAP D. Tree structure

A. Object storage uses a flat structure with key values to store and access objects.

Utility costs and maintenance costs are examples of: A. OpEx B. CapEx

A. OpEx. Operational expenditures are ongoing costs.

Which of the following is NOT a contributor for moving to the cloud: A. Operability B. Agility C. Elasticity D. Mobility E. Scalability

A. Operability

Which of the following best describes a sandbox? A. An isolated space where untested code and experimentation can safely occur separate from the production environment. B. A space where you can safely execute malicious code to see what it does. C. An isolated space where transactions are protected from malicious software D. An isolated space where untested code and experimentation can safely occur within the production environment.

A. Options C and B are also correct, but A is more general and incorporates them both. D is incorrect, because sandboxing does not take place in the production environment.

Many activities within a cloud environment are performed via programmatic means, where complex and distributed operations are handled without the need to perform each step individually.Which of the following concepts does this describe? A. Orchestration B. Provisioning C. Automation D. Allocation

A. Orchestration is the programmatic means of managing and coordinating activities within a cloud environment and allowing for a commensurate level of automation and self-service. Provisioning, allocation, and automation are all components of orchestration, but none refers to the overall concept.

Which type of testing uses the same strategies and toolsets that hackers would use? A. Penetration B. Dynamic C. Static D. Malicious

A. Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discover potential vulnerabilities.

Which of the following is considered an internal redundancy for a data center? A. Power distribution units B. Network circuits C. Power substations D. Generators

A. Power distribution units are internal to a data center and supply power to internal components such as racks, appliances, and cooling systems. As such, they are considered an internal redundancy.

In what model is the cloud infrastructure provisioned for exclusive use by a single organization, comprising multiple customers, and it may be owned, managed, and operated by the organization, a third party, or some combination, and it may exist on- or off-premise? A. Private cloud B. Hybrid cloud C. Public cloud D. Community cloud

A. Private cloud

The key benefits of this type of cloud deployment are: increased control over data, underlying systems and applications; ownership and retention of governance controls; assurance over data location and removal. A. Private cloud B. Hybrid cloud C. Public cloud D. Community cloud

A. Private cloud

Unlike SOC Type 1 reports, which are based on a specific point in time, SOC Type 2 reports are done over a period of time. What is the minimum span of time for a SOC Type 2 report? A. Six months B. One month C. One year D. One week

A. SOC Type 2 reports are focused on the same policies and procedures, as well as their effectiveness, as SOC Type 1 reports, but are evaluated over a period of at least six consecutive months, rather than a finite point in time.

If a key feature of cloud computing that your organization desires is the ability to scale and expand without limit or concern about available resources, which cloud deployment model would you MOST likely be considering? A. Public B. Hybrid C. Private D. Community

A. Public clouds, such as AWS and Azure, are massive systems run by major corporations, and they account for a significant share of Internet traffic and services. They are always expanding, offer enormous resources to customers, and are the least likely to run into resource constraints compared to the other deployment models. Private clouds would likely have the resources available for specific uses and could not be assumed to have a large pool of resources available for expansion. A community cloud would have the same issues as a private cloud, being targeted to similar organizations. A hybrid cloud, because it spans multiple clouds, would not fit the bill either, without the use of individual cloud models.

Which of the cloud cross-cutting aspects relates to the requirements placed on a system or application by law, policy, or requirements from standards? A. Regulatory requirements B. Auditability C. Service-level agreements D. Governance

A. Regulatory requirements are those imposed upon businesses and their operations either by law, regulation, policy, or standards and guidelines. These requirements are specific either to the locality in which the company or application is based or to the specific nature of the data and transactions conducted.

Which component of ITIL pertains to planning, coordinating, executing, and validating changes and rollouts to production environments? A. Release management B. Availability management C. Problem management D. Change management

A. Release management involves planning, coordinating, executing, and validating changes and rollouts to the production environment. Change management is a higher-level component than release management and also involves stakeholder and management approval, rather than specifically focusing on the actual release itself. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.

Which protocol does the REST API depend on? A. HTTP B. XML C. SAML D. SSH

A. Representational State Transfer (REST) is a software architectural scheme that applies the components, connectors, and data conduits for many web applications used on the Internet. It uses and relies on the HTTP protocol and supports a variety of data formats.

The REST API is a widely used standard for communications of web-based services between clients and the servers hosting them. Which protocol does the REST API depend on? A. HTTP B. SSH C. SAML D. XML

A. Representational State Transfer (REST) is a software architectural scheme that applies the components, connectors, and data conduits for many web applications used on the Internet. It uses and relies on the HTTP protocol and supports a variety of data formats. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. Secure Shell client (SSH) is a secure method for allowing remote login to systems over a network.

What concept does the "R" represent with the DREAD model? A. Reproducibility B. Repudiation C. Risk D. Residual

A. Reproducibility is the measure of how easy it is to reproduce and successfully use an exploit. Scoring within the DREAD model ranges from 0, signifying a nearly impossible exploit, up to 10, which signifies something that anyone could exploit from a simple function call, such as a URL.

Which of the following can be useful for protecting cloud customers from a denial-of-service (DoS) attack against another customer hosted in the same cloud? A. Reservations B. Measured service C. Limits D. Shares

A. Reservations ensure that a minimum level of resources will always be available to a cloud customer for them to start and operate their services. In the event of a DoS attack against one customer, they can guarantee that the other customers will still be able to operate.

Which of the cloud cross-cutting aspects relates to the ability for a cloud customer to easily remove their applications and data from a cloud environment? A. Reversibility B. Availability C. Portability D. Interoperability

A. Reversibility is the ability for a cloud customer to easily remove their applications or data from a cloud environment, as well as to ensure that all traces of their applications or data have been securely removed per a predefined agreement with the cloud provider.

Which cloud service category most commonly uses client-side key management systems? A. Software as a Service B. Infrastructure as a Service C. Platform as a Service D. Desktop as a Service

A. SaaS most commonly uses client-side key management. With this type of implementation, the software for doing key management is supplied by the cloud provider, but is hosted and run by the cloud customer. This allows for full integration with the SaaS implementation, but also provides full control to the cloud customer. Although the cloud provider may offer software for performing key management to the cloud customers, with the Infrastructure, Platform, and Desktop as a Service categories, the customers would largely be responsible for their own options and implementations and would not be bound by the offerings from the cloud provider.

As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphia, Congress passed legislation known as: A. SOX B. HIPAA C. FERPA D. GLBA

A. Sarbanes-Oxley was a direct response to corporate scandals. FERPA is related to education. GLBA is about the financial industry. HIPAA is about health care.

Which of the following threat types can occur when baselines are not appropriately applied or when unauthorized changes are made? A. Security misconfiguration B. Insecure direct object references C. Unvalidated redirects and forwards D. Sensitive data exposure

A. Security misconfigurations occur when applications and systems are not properly configured or maintained in a secure manner. This can be due to a shortcoming in security baselines or configurations, unauthorized changes to system configurations, or a failure to patch and upgrade systems as the vendor releases security patches. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, allowing spoofing for malware or phishing attacks. Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data.

At which stage of the BCDR plan creation phase should security be included in discussions? A. Define scope B. Analyze C. Assess risk D. Gather requirements

A. Security should be included in discussions from the very first phase when defining the scope. Adding security later is likely to incur additional costs in time and money, or will result in an incomplete or inadequate plan.

In this phase of the Data Life Cycle, information is made accessible to others. A. Share B. Use C. Archive D. Destroy E. Create F. Store

A. Share

Which entity requires all collection and storing of data on their citizens to be done on hardware that resides within their borders? A. Russia B. France C. Germany D. United States

A. Signed into law and effective starting on September 1, 2015, Russian Law 526-FZ establishes that any collecting, storing, or processing of personal information or data on Russian citizens must be done from systems and databases that are physically located within the Russian Federation.

What must SOAP rely on for security since it does not provide security as a built-in capability? A. Encryption B. Tokenization C. TLS D. SSL

A. Simple Object Access Protocol (SOAP) uses Extensible Markup Language (XML) for data passing, and it must rely on the encryption of those data packages for security. TLS and SSL (before it was deprecated) represent two common approaches to using encryption for protection of data transmissions. However, they are only two possible options and do not encapsulate the overall concept the question is looking for. Tokenization, which involves the replacement of sensitive data with opaque values, would not be appropriate for use with SOAP because the actual data is needed by the services.

What must SOAP rely on for security? A. Encryption B. Tokenization C. TLS D. SSL

A. Simple Object Access Protocol (SOAP) uses Extensible Markup Language (XML) for passing data, and it must rely on the encryption of those data packages for security.

What sits below policy? A. Standard B. Process C. Procedure D. References

A. Standard

What are the two protocols that TLS uses? A. Handshake and record B. Transport and initiate C. Handshake and transport D. Record and transmit

A. TLS uses the handshake protocol to establish and negotiate the TLS connection, and it uses the record protocol for the secure transmission of data.

The European Union is often considered the world leader in regard to the privacy of personal data and has declared privacy to be a "human right." In what year did the EU first assert this principle? A. 1995 B. 2000 C. 2010 D. 1999

A. The EU passed Directive 95/46 EC in 1995, which established data privacy as a human right. The other years listed are incorrect.

Above and beyond general regulations for data privacy and protection, certain types of data are subjected to more rigorous regulations and oversight. Which of the following is not a regulatory framework for more sensitive or specialized data? A. FIPS 140-2 B. FedRAMP C. PCI DSS D. HIPAA

A. The FIPS 140-2 standard pertains to the certification of cryptographic modules and is not a regulatory framework. The Payment Card Industry Data Security Standard (PCI DSS), the Federal Risk and Authorization Management Program (FedRAMP), and the Health Insurance Portability and Accountability Act (HIPAA) are all regulatory frameworks for sensitive or specialized data.

Which regulatory system pertains to the protection of healthcare data? A. HIPAA B. HAS C. HITECH D. HFCA

A. The Health Insurance Portability and Accountability Act (HIPAA) sets stringent requirements in the United States for the protection of healthcare records.

Different certifications and standards take different approaches to data center design and operations. Although many traditional approaches use a tiered methodology, which of the following utilizes a macro-level approach to data center design? A. IDCA B. BICSI C. Uptime Institute D. NFPA

A. The Infinity Paradigm of the International Data Center Authority (IDCA) takes a macro-level approach to data center design. The IDCA does not use a specific, focused approach on specific components to achieve tier status. Building Industry Consulting Services International (BICSI) issues certifications for data center cabling. The National Fire Protection Association (NFPA) publishes a broad range of fire safety and design standards for many different types of facilities. The Uptime Institute publishes the most widely known and used standard for data center topologies and tiers.

What does the REST API support that SOAP does NOT support? A. Caching B. Encryption C. Acceleration D. Redundancy

A. The SOAP protocol does not support caching, whereas the REST API does.

Most APIs will support a variety of different data formats or structures. However, the SOAP API will only support which one of the following data formats? A. XML B. XSLT C. JSON D. SAML

A. The Simple Object Access Protocol (SOAP) protocol only supports the Extensible Markup Language (XML) data format. Although the other options are all data formats or data structures, they are not supported by SOAP.

The WS-Security standards are built around all of the following standards except which one? A. SAML B. WSDL C. XML D. SOAP

A. The WS-Security specifications, as well as the WS-Federation system, are built upon XML, WSDL, and SOAP. SAML is a very similar protocol that is used as an alternative to WS. XML, WSDL, and SOAP are all integral to the WS-Security specifications.

Which of the following tasks within a SaaS environment would NOT be something the cloud customer would be responsible for? A. Authentication mechanism B. Branding C. Training D. User access

A. The authentication mechanisms and implementations are the responsibility of the cloud provider because they are core components of the application platform and service. Within a SaaS implementation, the cloud customer will provision user access, deploy branding to the application interface (typically), and provide or procure training for its users.

What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function? A. Remove B. Monitor C. Disable D. Stop

A. The best practice is to totally remove any unneeded services and utilities on a system to prevent any chance of compromise or use. If they are just disabled, it is possible for them to be inadvertently started again at any point, or another exploit could be used to start them again. Removing also negates the need to patch and maintain them going forward.

What concept does the A represent within the DREAD model? A. Affected users B. Authorization C. Authentication D. Affinity

A. The concept of affected users measures the percentage of users who would be impacted by a successful exploit. Scoring ranges from 0, which would impact no users, to 10, which would impact all users. None of the other options provided is the correct term.

From a legal perspective, what is the most important first step after an eDiscovery order has been received by the cloud provider? A. Notification B. Key identification C. Data collection D. Virtual image snapshots

A. The contract should include requirements for notification by the cloud provider to the cloud customer upon the receipt of such an order. This serves a few important purposes. First, it keeps communication and trust open between the cloud provider and cloud customers. Second, and more importantly, it allows the cloud customer to potentially challenge the order if they feel they have the grounds or desire to do so.

Just like the risk management process, the BCDR planning process has a defined sequence of steps and processes to follow to ensure the production of a comprehensive and successful plan. Which of the following is the correct sequence of steps for a BCDR plan? A. Define scope, gather requirements, assess risk, implement B. Define scope, gather requirements, implement, assess risk C. Gather requirements, define scope, implement, assess risk D. Gather requirements, define scope, assess risk, implement

A. The correct sequence for a BCDR plan is to define the scope, gather requirements based on the scope, assess overall risk, and implement the plan. The other sequences provided are not in the correct order.

Upon completing a risk analysis, a company has four different approaches to addressing risk. Which approach it takes will be based on costs, available options, and adherence to any regulatory requirements from independent audits. Which of the following groupings correctly represents the four possible approaches? A. Accept, avoid, transfer, mitigate B. Accept, deny, transfer, mitigate C. Accept, deny, mitigate, revise D. Accept, dismiss, transfer, mitigate

A. The four possible approaches to risk are as follows: accept (do not patch and continue with the risk), avoid (implement solutions to prevent the risk from occurring), transfer (take out insurance), and mitigate (change configurations or patch to resolve the risk). Each of these answers contains at least one incorrect approach name.

Limits for resource utilization can be set at different levels within a cloud environment to ensure that no particular entity can consume a level of resources that impacts other cloud customers. Which of the following is NOT a unit covered by limits? A. Hypervisor B. Cloud customer C. Virtual machine D. Service

A. The hypervisor level, as a backend cloud infrastructure component, is not a unit where limits may be applied to control resource utilization. Limits can be placed at the service, virtual machine, and cloud customer levels within a cloud environment.

Which of the following roles would be responsible for managing memberships in federations and the use and integration of federated services? A. Inter-cloud provider B. Cloud service business manager C. Cloud service administrator D. Cloud service integrator

A. The inter-cloud provider is responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services. A cloud service administrator is responsible for testing, monitoring, and securing cloud services, as well as providing usage reporting and dealing with service problems. The cloud service integrator is responsible for connecting existing systems and services with a cloud. The cloud service business manager is responsible for overseeing the billing, auditing, and purchasing of cloud services.

Which of the following would NOT be a reason to activate a BCDR strategy? A. Staffing loss B. Terrorism attack C. Utility disruptions D. Natural disaster

A. The loss of staffing would not be a reason to declare a BCDR situation because it does not impact production operations or equipment, and the same staff would be needed for a BCDR situation.

The management plane is used to administer a cloud environment and perform administrative tasks across a variety of systems, but most specifically it's used with the hypervisors. What does the management plane typically leverage for this orchestration? A. APIs B. Scripts C. TLS D. XML

A. The management plane uses APIs to execute remote calls across the cloud environment to various management systems, especially hypervisors. This allows a centralized administrative interface, often a web portal, to orchestrate tasks throughout an enterprise. Scripts may be utilized to execute API calls, but they are not used directly to interact with systems. XML is used for data encoding and transmission, but not for executing remote calls. TLS is used to encrypt communications and may be used with API calls, but it is not the actual process for executing commands.

Which of the following is NOT a regulatory system from the United States federal government? A. PCI DSS B. FISMA C. SOX D. HIPAA

A. The payment card industry data security standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry regulatory standard, not a governmental one.

Cryptographic keys should be secured ________________ . A. To a level at least as high as the data they can decrypt B. In vaults C. With two-person integrity D. By armed guards

A. The physical security of crypto keys is of some concern, but guards or vaults are not always necessary. Two-person integrity might be a good practice for protecting keys. The best answer to this question is option A, because it is always true, whereas the remaining options depend on circumstances.

Gap analysis is performed for what reason? A. To begin the benchmarking process B. To assure proper accounting practices are being used C. To provide assurances to cloud customers D. To ensure all controls are in place and working properly

A. The primary purpose of the gap analysis is to begin the benchmarking process against risk and security standards and frameworks.

With a cloud service category where the cloud customer is provided a full application framework into which to deploy their code and services, which storage types are MOST likely to be available to them? A. Structured and unstructured B. Structured and hierarchical C. Volume and database D. Volume and object

A. The question is describing the Platform as a Service (PaaS) cloud offering, and as such, structured and unstructured storage types will be available to the customer. Volume and object are storage types associated with IaaS, and although the other answers present similar-sounding storage types, they are a mix of real and fake names.

BCDR strategies do not typically involve the entire operations of an organization, but only those deemed critical to their business. Which concept pertains to the amount of services that need to be recovered to meet BCDR objectives? A. RSL B. RTO C. RPO D. SRE

A. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the determined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. SRE is provided as an erroneous response.

Whereas a contract articulates overall priorities and requirements for a business relationship, which artifact enumerates specific compliance requirements, metrics, and response times? A. Service level agreement B. Service level contract C. Service compliance contract D. Service level amendment

A. The service level agreement (SLA) articulates minimum requirements for uptime, availability, processes, customer service and support, security controls, auditing requirements, and any other key aspect or requirement of the contract. Although the other choices sound similar to the correct answer, none is the proper term for this concept.

Which of the following pertains to a macro level approach to data center design rather than the traditional tiered approach to data centers? A. IDCA B. NFPA C. BICSI D. Uptime Institute

A. The standards put out by the International Data Center Authority (IDCA) have established the Infinity Paradigm, which is intended to be a comprehensive data center design and operations framework. The Infinity Paradigm shifts away from many models that rely on tiered architecture for data centers, where each successive tier increases redundancy. Instead, it emphasizes data centers being approached at a macro level, without a specific and isolated focus on certain aspects to achieve tier status.

Which of the following pertains to fire safety standards within a data center, specifically with their enormous electrical consumption? A. NFPA B. BICSI C. IDCA D. Uptime Institute

A. The standards put out by the National Fire Protection Association (NFPA) cover general fire protection best practices for any type of facility, but also specific publications pertaining to IT equipment and data centers.

Which of the following security technologies is commonly used to give administrators access into trust zones within an environment? A. VPN B. WAF C. IPSec D. HTTPS

A. Virtual private networks (VPNs) are commonly used to allow access into trust zones. Via a VPN, access can be controlled and logged and only allowed through secure channels by authorized users. It also adds an additional layer of encryption and protection to communications.

Which data sanitation method is also commonly referred to as "zeroing"? A. Overwriting B. Nullification C. Blanking D. Deleting

A. The zeroing of data--or the writing of null values or arbitrary data to ensure deletion has been fully completed--is officially referred to as overwriting. Nullification, deleting, and blanking are provided as distractor terms.

Where is a DLP solution generally installed when utilized for monitoring data in transit? A. Network perimeter B. Database server C. Application server D. Web server

A. To monitor data in transit, a DLP solution would optimally be installed at the network perimeter, to ensure that data leaving the network through various protocols conforms to security controls and policies. An application server or a web server would be more appropriate for monitoring data in use, and a database server would be an example of a location appropriate for monitoring data at rest.

Passwords and PINs are examples of what authenticator Type? A. Type 1 B. Type 2 C. Type 3

A. Type 1

Which type of hypervisor is harder to attack? A. Type 1 B. Type 2

A. Type 1

With a federated identity system, what does the identity provider send information to after a successful authentication? A. Relying party B. Service originator C. Service relay D. Service relay

A. Upon successful authentication, the identity provider sends an assertion with appropriate attributes to the relying party to grant access and assign appropriate roles to the user. The other terms provided are similar sounding to the correct term but are not actual components of a federated system.

Which cloud storage type resembles a virtual hard drive and can be utilized in the same manner and with the same type of features and capabilities? A. Volume B. Unstructured C. Structured D. Object

A. Volume storage is allocated and mounted as a virtual hard drive within IaaS implementations, and it can be maintained and used the same way a traditional file system can. Object storage uses a flat structure on remote services that is accessed via opaque descriptors, structured storage resembles database storage, and unstructured storage is used to hold auxiliary files in conjunction with applications hosted within a PaaS implementation.

Which of the following storage types is most closely associated with a traditional file system and tree structure? A. Volume B. Unstructured C. Object D. Structured

A. Volume storage works as a virtual hard drive that is attached to a virtual machine. The operating system sees the volume the same as how a traditional drive on a physical server would be seen.

The most pragmatic option for data disposal in the cloud is which of the following? A. Cryptoshredding B. Overwriting C. Cold fusion D. Melting

A. We don't have physical ownership, control, or even access to the devices holding the data, so physical destruction, including melting, is not an option. Overwriting is a possibility, but it is complicated by the difficulty of locating all the sectors and storage areas that might have contained our data, and by the likelihood that constant backups in the cloud increase the chance we'll miss something as it's being overwritten. Cryptoshredding is the only reasonable alternative. Cold fusion is a red herring.

Database activity monitoring (DAM) can be: A. Host-based or network-based B. Server-based or client-based C. Used in the place of encryption D. Used in place of data masking

A. We don't use DAM in place of encryption or masking; DAM augments these options without replacing them. We don't usually think of the database interaction as client-server, so A is the best answer.

Best practices for key management include all of the following, except: A. Ensure multifactor authentication B. Pass keys out of band C. Have key recovery processes D. Maintain key security

A. We should do all of these except for requiring multifactor authentication, which is pointless in key management.

What is a serious complication an organization faces from the compliance perspective with international operations? A. Multiple jurisdictions B. Different certifications C. Different operational procedures D. Different capabilities

A. When operating within a global framework, a security professional runs into a multitude of jurisdictions and requirements, which often may not be clearly applicable or may be in contention with each other. These requirements can involve the location of the users and the type of data they enter into systems, the laws governing the organization that owns the application and any regulatory requirements they may have, and finally the appropriate laws and regulations for the jurisdiction housing the IT resources and where the data is actually stored, which may be multiple jurisdictions as well. Different certifications would not come into play as a challenge because the major IT and data center certifications are international and would apply to any cloud provider. Different capabilities and different operational procedures would be mitigated by the organization's selection of a cloud provider and would not be a challenge if an appropriate provider was chosen, regardless of location.

With software-defined networking (SDN), which two types of network operations are segregated to allow for granularity and delegation of administrative access and functions? A. Filtering and forwarding B. Filtering and firewalling C. Firewalling and forwarding D. Forwarding and protocol

A. With SDN, the filtering and forwarding capabilities and administration are separated. This allows the cloud provider to build interfaces and management tools for administrative delegation of filtering configuration, without having to allow direct access to underlying network equipment. Firewalling and protocols are both terms related to networks, but they are not components SDN is concerned with.

Which of the following service categories entails the least amount of support needed on the part of the cloud customer? A. SaaS B. IaaS C. DaaS D. PaaS

A. With SaaS providing a fully functioning application that is managed and maintained by the cloud provider, cloud customers incur the least amount of support responsibilities themselves of any service category.

Other than cost savings realized due to measured service, what is another facet of cloud computing that will typically save substantial costs in time and money for an organization in the event of a disaster? A. Broad network access B. Interoperability C. Resource pooling D. Portability

A. With a typical BCDR solution, an organization would need some number of staff to quickly travel to the location of the BCDR site to configure systems and applications for recovery. With a cloud environment, everything is done over broad network access, with no need (or even possibility) to travel to a remote site at any time.

What strategy involves hiding data in a data set to prevent someone from identifying specific individuals based on other data fields present? A. Anonymization B. Tokenization C. Masking D. Obfuscation

A. With data anonymization, data is manipulated in such a way so as to prevent the identification of an individual through various data objects, and is often used in conjunction with other concepts such as masking.

What is a SOC Type 2 report?

An over-time report covering design and operating effectiveness

Copyright is the legal protection for expressions of ideas and lasts how many years after the author's death? A. 50 B. 70 C. 100

B. 70

What type of host is exposed to the public Internet for a specific reason and hardened to perform only that function for authorized users? A. Proxy B. Bastion C. Honeypot D. WAF

B. A bastion host is a server that is fully exposed to the public Internet, but is extremely hardened to prevent attacks and is usually dedicated for a specific application or usage; it is not something that will serve multiple purposes. This singular focus allows for much more stringent security hardening and monitoring.

Which of the following threat types involves the sending of invalid and manipulated requests through a user's client to execute commands on the application under their own credentials? A. Injection B. Cross-site request forgery C. Missing function-level access control D. Cross-site scripting

B. A cross-site request forgery (CSRF) attack forces a client that a user has used to authenticate to an application to send forged requests under the user's own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although this type of attack cannot be used to steal data directly because the attacker has no way to see the results of the commands, it does open other ways to compromise an application. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

Which of the following is NOT something that an HIDS will monitor? A. Configurations B. User logins C. Critical system files D. Network traffic

B. A host intrusion detection system (HIDS) monitors network traffic as well as critical system files and configurations.

Which of the following is considered an administrative control? A. Keystroke logging B. Access control process C. Door locks D. Biometric authentication

B. A process is an administrative control; sometimes, the process includes elements of other types of controls (in this case, the access control mechanism might be a technical control, or it might be a physical control), but the process itself is administrative. Keystroke logging is a technical control (or an attack, if done for malicious purposes, and not for auditing); door locks are a physical control; and biometric authentication is a technological control.

If a company needed to guarantee through contract and SLAs that a cloud provider would always have available sufficient resources to start their services and provide a certain level of provisioning, what would the contract need to refer to? A. Limit B. Reservation C. Assurance D. Guarantee

B. A reservation guarantees to a cloud customer that they will have access to a minimal level of resources to run their systems, which will help mitigate against DoS attacks or systems that consume high levels of resources. A limit refers to the enforcement of a maximum level of resources that can be consumed by or allocated to a cloud customer, service, or system. Both guarantee and assurance are terms that sound similar to reservation, but they are not correct choices.

Data masking can be used to provide all of the following functionality, except: A. Test data in sandboxed environments B. Authentication of privileged users C. Enforcing least privilege D. Secure remote access

B. Data masking does not support authentication in any way. All the others are excellent use cases for data masking.

When using a PaaS solution, what is the capability provided to the customer? A. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The provider does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. B. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. C. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the consumer supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. D. To deploy onto the cloud infrastructure provider-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

B. According to "The NIST Definition of Cloud Computing," in PaaS, "the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment."

Deviations from the baseline should be investigated and __________________. A. Revealed B. Documented C. Encouraged D. Enforced

B. All deviations from the baseline should be documented, including details of the investigation and outcome. We do not enforce or encourage deviations. Presumably, we would already be aware of the deviation, so "revealing" is not a reasonable answer.

When crafting plans and policies for data archiving, we should consider all of the following, except: A. The backup process B. Immediacy of the technology C. Archive location D. The format of the data

B. All of these things should be considered when creating data archival policies, except option D, which is a nonsense term.

APIs are defined as which of the following? A. A set of protocols, and tools for building software applications to access a web-based software application or tool B. A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool C. A set of standards for building software applications to access a web-based software application or tool D. A set of routines and tools for building software applications to access web-based software applications

B. All the answers are true, but B is the most complete.

All of these are methods of data discovery, except: A. Label-based B. User-based C. Content-based D. Metadata-based

B. All the others are valid methods of data discovery; user-based is a red herring with no meaning.

Which of the following is NOT a key area for performance monitoring as far as an SLA is concerned? A. CPU B. Users C. Memory D. Network

B. An SLA requires performance monitoring of CPU, memory, storage, and networking. The number of users active on a system would not be part of an SLA specifically, other than in regard to the impact on the other four variables.

A variety of security systems can be integrated within a network--some that just monitor for threats and issue alerts, and others that take action based on signatures, behavior, and other types of rules to actively stop potential threats. Which of the following types of technologies is best described here? A. IDS B. IPS C. Proxy D. Firewall

B. An intrusion prevention system (IPS) can inspect traffic and detect any suspicious traffic based on a variety of factors, but it can also actively block such traffic. Although an IDS can detect the same types of suspicious traffic as an IPS, it is only designed to alert, not to block. A firewall is only concerned with IP addresses, ports, and protocols; it cannot be used for the signature-based detection of traffic. A proxy can limit or direct traffic based on more extensive factors than a network firewall can, but it's not capable of using the same signature detection rules as an IPS.

What concept does the "D" represent with the STRIDE threat model? A. Data loss B. Denial of service C. Data breach D. Distributed

B. Any application can be a possible target of denial-of-service (DoS) attacks. From the application side, the developers should minimize how many operations are performed for non-authenticated users. This will keep the application running as quickly as possible and using the least amount of system resources to help minimize the impact of any such attacks.

What is the concept of isolating an application from the underlying operating system for testing purposes? A. Abstracting B. Application virtualization C. Hosting D. Sandboxing

B. Application virtualization is a software implementation that allows applications and programs to run in an isolated environment rather than directly interacting with the operating system. Sandboxing refers to segregating information or processes for security or testing purposes, but it's not directly related to isolation from the underlying operating system. Abstracting sounds similar to the correct term but is not pertinent to the question, and hosting is provided as an erroneous answer.

Which two of the following are NOT characteristics of cloud computing as defined by NIST? A. Broad network access B. Assisted provisioning C. Resource pooling D. Rapid elasticity E. On-demand self-service F. Shared resources G. Measured service

B. Assisted provisioning is a feature of some cloud services. F. Shared resources may not apply in a private cloud.

Which process serves to prove the identity and credentials of a user requesting access to an application or data? A. Repudiation B. Authentication C. Identification D. Authorization

B. Authentication is the process of proving whether the identity presented by a user is true and valid. This can be done through common mechanisms such as userID and password combinations or with more secure methods such as multifactor authentication.

Which ITIL component focuses on ensuring that system resources, processes, and personnel are properly allocated to meet SLA requirements? A. Continuity management B. Availability management C. Configuration management D. Problem management

B. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Configuration management tracks and maintains detailed information about all IT components within an organization. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.

Which of the following methods of addressing risk is most associated with insurance? A. Mitigation B. Transference C. Avoidance D. Acceptance

B. Avoidance halts the business process, mitigation entails using controls to reduce risk, acceptance involves taking on the risk, and transference usually involves insurance.

Countermeasures for protecting cloud operations against external attackers include all of the following except: A. Continual monitoring for anomalous activity. B. Detailed and extensive background checks. C. Regular and detailed configuration/change management activities D. Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines.

B. Background checks are controls for attenuating potential threats from internal actors; external threats aren't likely to submit to background checks.

Who would be responsible for implementing IPsec to secure communications for an application? A. Developers B. Systems staff C. Auditors D. Cloud customer

B. Because IPsec is implemented at the system or network level, it is the responsibility of the systems staff. IPsec removes the responsibility from developers, whereas other technologies such as TLS would be implemented by developers.

You were recently hired as a project manager at a major university to implement cloud services for the academic and administrative systems. Because the load and demand for services at a university are very cyclical in nature, commensurate with the academic calendar, which of the following aspects of cloud computing would NOT be a primary benefit to you? A. Measured service B. Broad network access C. Resource pooling D. On-demand self-service

B. Broad network access to cloud services, although it is an integral aspect of cloud computing, would not be a specific benefit to an organization with cyclical business needs. The other options would allow for lower costs during periods of low usage as well as provide the ability to expand services quickly and easily when needed for peak periods. Measured service allows a cloud customer to only use the resources it needs at the time, and resource pooling allows a cloud customer to access resources as needed. On-demand self-service enables the cloud customer to change its provisioned resources on its own, without the need to interact with the staff from the cloud provider.

Cloud systems are increasingly used for BCDR solutions for organizations. What aspect of cloud computing makes their use for BCDR the most attractive? A. On-demand self-service B. Measured service C. Portability D. Broad network access

B. Business continuity and disaster recovery (BCDR) solutions largely sit idle until they are actually needed. This traditionally has led to increased costs for an organization because physical hardware must be purchased and operational but is not used. By using a cloud system, an organization will only pay for systems when they are being used and only for the duration of use, thus eliminating the need for extra hardware and costs. Portability is the ability to easily move services among different cloud providers. Broad network access allows access to users and staff from anywhere and from different clients, and although this would be important for a BCDR situation, it is not the best answer in this case. On-demand self-service allows users to provision services automatically and when needed, and although this too would be important for BCDR situations, it is not the best answer because it does not address costs or the biggest benefits to an organization.

Buildings and computer equipment are an example of: A. OpEx B. CapEx

B. CapEx. Capital expenditures are hard assets.

Which of the following is considered an internal redundancy for a data center? A. Power feeds B. Chillers C. Network circuits D. Generators

B. Chillers and cooling systems are internal to a data center and its operations, and as such they are considered an internal redundancy. Power feeds, network circuits, and generators are all external to a data center and provide utility services to them, which makes them an external redundancy.

Which data point that auditors always desire is very difficult to provide within a cloud environment? A. Access policy B. Systems architecture C. Baselines D. Privacy statement

B. Cloud environments are constantly changing and often span multiple physical locations. A cloud customer is also very unlikely to have knowledge and insight into the underlying systems architecture in a cloud environment. Both of these realities make it very difficult, if not impossible, for an organization to provide a comprehensive systems design document.

Without the extensive funds of a large corporation, a small-sized company could gain considerable and cost-effective services for which of the following concepts by moving to a cloud environment? A. Regulatory B. Security C. Testing D. Development

B. Cloud environments, regardless of the specific deployment model used, have extensive and robust security controls in place, especially in regard to physical and infrastructure security. A small company can leverage the extensive security controls and monitoring provided by a cloud provider, which it would be unlikely ever to afford on its own. Moving to a cloud would not result in any gains for development and testing because these areas require the same rigor regardless of where deployment and hosting occur. Regulatory compliance in a cloud would not be a gain for an organization because it would likely result in additional oversight and auditing as well as require the organization to adapt to a new environment.

An SLA contains the official requirements for contract performance and satisfaction between the cloud provider and cloud customer. Which of the following would NOT be a component with measurable metrics and requirements as part of an SLA? A. Network B. Users C. Memory D. CPU

B. Dealing with users or user access would not be an appropriate item for inclusion in an SLA specifically. However, user access and user experience would be covered indirectly through other metrics. Memory, CPU, and network resources are all typically included within an SLA for availability and response times when dealing with any incidents.

One of the main components of system audits is the ability to track changes over time and to match these changes with continued compliance and internal processes. Which aspect of cloud computing makes this particular component more challenging than in a traditional data center? A. Portability B. Virtualization C. Elasticity D. Resource pooling

B. Cloud services make exclusive use of virtualization, and systems change over time, including the addition, subtraction, and reimaging of virtual machines. It is extremely unlikely that the exact same virtual machines and images used in a previous audit would still be in use or even available for a later audit, making the tracking of changes over time extremely difficult, or even impossible. Elasticity refers to the ability to add and remove resources from a system or service to meet current demand, and although it plays a factor in making the tracking of virtual machines very difficult over time, it is not the best answer in this case. Resource pooling pertains to a cloud environment sharing a large amount of resources between different customers and services. Portability refers to the ability to move systems or services easily between different cloud providers.

What type of PII is regulated based on the type of application or per the conditions of the specific hosting agreement? A. Specific B. Contractual C. Regulated D. Jurisdictional

B. Contractual PII has specific requirements for the handling of sensitive and personal information, as defined at a contractual level. These specific requirements will typically document the required handling procedures and policies to deal with PII. They may be in specific security controls and configurations, required policies or procedures, or limitations on who may gain authorized access to data and systems.

What is the intellectual property protection for the tangible expression of a creative idea? A. Trade secret B. Copyright C. Trademark D. Patent

B. Copyrights are protected tangible expressions of creative works. The other answers listed are answers to subsequent questions.

Which of the following threat types involves the sending of untrusted data to a user's browser to be executed with their own credentials and access? A. Missing function level access control B. Cross-site scripting C. Cross-site request forgery D. Injection

B. Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without going through any validation or sanitization processes, or where the code is not properly escaped from processing by the browser. The code is then executed on the user's browser with the user's own access and permissions, allowing an attacker to redirect their web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access.

Which of the following is NOT a characteristic of a control framework? A. Consistent B. Customizable C. Measurable D. Standardized E. Comprehensive F. Modular

B. Customizable

How many additional DNS queries are needed when DNSSEC integrity checks are added? A. Three B. Zero C. One D. Two

B. DNSSEC does not require any additional DNS queries to be performed. The DNSSEC integrity checks and validations are all performed as part of the single DNS lookup resolution.

All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except: A. Ensure there are no physical limitations to moving B. Use DRM and DLP solutions widely throughout the cloud operation C. Ensure favorable contract terms to support portability D. Avoid proprietary data formats

B. DRM and DLP are used for increased authentication/access control and egress monitoring, respectively, and would actually decrease portability instead of enhancing it.

The DLP engine is installed on a user's workstation A. Data in motion B. Data in use C. Data at rest

B. Data in use

Which of the following is NOT one of the main intended goals of a DLP solution? A. Showing due diligence B. Preventing malicious insiders C. Regulatory compliance D. Managing and minimizing risk

B. Data loss prevention (DLP) extends the capabilities for data protection beyond the standard and traditional security controls that are offered by operating systems, application containers, and network devices. DLP is not specifically implemented to counter malicious insiders, and would not be particularly effective in doing so, because a malicious insider with legitimate access would have other ways to obtain data. DLP is a set of practices and controls to manage and minimize risk, comply with regulatory requirements, and show due diligence with the protection of data.

The share phase of the cloud data lifecycle involves allowing data to leave the application, to be shared with external systems, services, or even other vendors/contractors. What technology would be useful for protecting data at this point? A. IDS B. DLP C. IPS D. WAF

B. Data loss prevention (DLP) solutions allow for control of data outside of the application or original system. They can enforce granular control such as printing, copying, and being read by others, as well as forcing expiration of access. Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions are used for detecting and blocking suspicious and malicious traffic, respectively, whereas a web application firewall (WAF) is used for enforcing security or other controls on web-based applications.

Which European Union directive pertains to personal data privacy and an individual's control over their personal data? A. 99/9/EC B. 95/46/EC C. 2000/1/EC D. 2013/27001/EC

B. Directive 95/46/EC is titled "On the protection of individuals with regard to the processing of personal data and on the free movement of such data."

Which security concept would business continuity and disaster recovery fall under? A. Confidentiality B. Availability C. Fault tolerance D. Integrity

B. Disaster recovery and business continuity are vital concerns with availability. If data is destroyed or compromised, having regular backup systems in place as well as being able to perform disaster recovery in the event of a major or widespread problem allows operations to continue with an acceptable loss of time and data to management. This also ensures that sensitive data is protected and persisted in the event of the loss or corruption of data systems or physical storage systems.

Different security testing methodologies offer different strategies and approaches to testing systems, requiring security personnel to determine the best type to use for their specific circumstances. What does dynamic application security testing (DAST) NOT entail that SAST does? A. Discovery B. Knowledge of the system C. Scanning D. Probing

B. Dynamic application security testing (DAST) is considered "black-box" testing and begins with no inside knowledge of the application or its configurations. Everything about it must be discovered during its testing. As with most types of testing, dynamic application security testing (DAST) involves probing, scanning, and a discovery process for system information.

With an application hosted in a cloud environment, who could be the recipient of an eDiscovery order? A. Users B. Both the cloud provider and cloud customer C. The cloud customer D. The cloud provider

B. Either the cloud customer or the cloud provider could receive an eDiscovery order, and in almost all circumstances they would need to work together to ensure compliance.

Which of the following is NOT a component of access control? A. Accounting B. Federation C. Authorization D. Authentication

B. Federation is not a component of access control. Instead, it is used to allow users possessing credentials from other authorities and systems to access services outside of their domain. This allows for access and trust without the need to create additional, local credentials. Access control encompasses not only the key concepts of authorization and authentication, but also accounting. Accounting consists of collecting and maintaining logs for both authentication and authorization for operational and regulatory requirements.

Which of the following does NOT relate to the hiding of sensitive data from data sets? A. Obfuscation B. Federation C. Masking D. Anonymization

B. Federation pertains to authenticating systems between different organizations.

Firewalls are used to provide network security throughout an enterprise and to control what information can be accessed--and to a certain extent, through what means. Which of the following is NOT something that firewalls are concerned with? A. IP address B. Encryption C. Port D. Protocol

B. Firewalls work at the network level and control traffic based on the source, destination, protocol, and ports. Whether or not the traffic is encrypted is not a factor with firewalls and their decisions about routing traffic. Firewalls work primarily with IP addresses, ports, and protocols.

Which of the following is considered an external redundancy for a data center? A. Power feeds to rack B. Generators C. Power distribution units D. Storage systems

B. Generators are considered an external redundancy to a data center. Power distribution units (PDUs), storage systems, and power feeds to racks are all internal to a data center, and as such they are considered internal redundancies.

Which of the following is NOT an application or utility to apply and enforce baselines on a system? A. Chef B. GitHub C. Puppet D. Active Directory

B. GitHub is an application for code collaboration, including versioning and branching of code trees. It is not used for applying or maintaining system configurations.

Which of the cloud cross-cutting aspects relates to the assigning of jobs, tasks, and roles, as well as to ensuring they are successful and properly performed? A. Service-level agreements B. Governance C. Regulatory requirements D. Auditability

B. Governance at its core is the idea of assigning jobs, tasks, roles, and responsibilities and ensuring they are satisfactorily performed.

When data discovery is undertaken, three main approaches or strategies are commonly used to determine what the type of data, its format, and composition are for the purposes of classification. Which of the following is NOT one of the three main approaches to data discovery? A. Content analysis B. Hashing C. Labels D. Metadata

B. Hashing involves taking a block of data and, through the use of a one-way operation, producing a fixed-size value that can be used for comparison with other data. It is used primarily for protecting data and allowing for rapid comparison when matching data values such as passwords. Labels involve looking for header information or other categorizations of data to determine its type and possible classifications. Metadata involves looking at information attributes of the data, such as creator, application, type, and so on, in determining classification. Content analysis involves examining the actual data itself for its composition and classification level.

Which of the following is not a risk management framework? A. COBIT B. Hex GBL C. ISO 31000:2009 D. NIST SP 800-37

B. Hex GBL is a reference to a computer part in Terry Pratchett's fictional Discworld universe. The rest are not.

Which of the following attempts to establish an international standard for eDiscovery processes and best practices? A. ISO/IEC 31000 B. ISO/IEC 27050 C. ISO/IEC 19888 D. ISO/IEC 27001

B. ISO/IEC 27050 strives to establish an internationally accepted standard for eDiscovery processes and best practices. It encompasses all steps of the eDiscovery process: identification, preservation, collection, processing, review, analysis, and the final production of the requested data.

Which security concept, if implemented correctly, will protect the data on a system, even if a malicious actor gains access to the actual system? A. Sandboxing B. Encryption C. Firewalls D. Access control

B. In any environment, data encryption is incredibly important to prevent unauthorized exposure of data either internally or externally. If a system is compromised by an attack, having the data encrypted on the system will prevent its unauthorized exposure or export, even with the system itself being exposed.

In the cloud motif, the data processor is usually: A. The cloud customer B. The cloud provider C. The cloud access security broker D. The party that assigns access rights

B. In legal terms, when "data processor" is defined, it refers to anyone who stores, handles, moves, or manipulates data on behalf of the data owner or controller. In the cloud computing realm, this is the cloud provider.

Which aspect of archiving must be tested regularly for the duration of retention requirements? A. Availability B. Recoverability C. Auditability D. Portability

B. In order for any archiving system to be deemed useful and compliant, regular tests must be performed to ensure the data can still be recovered and accessible, should it ever be needed, for the duration of the retention requirements.

Which of the following would NOT be considered part of resource pooling with an Infrastructure as a Service implementation? A. Storage B. Application C. Memory D. CPU

B. Infrastructure as a Service pools the compute resources for platforms and applications to build upon, including CPU, memory, and storage. Applications are not part of an IaaS offering from the cloud provider.

Although much of the attention given to data security is focused on keeping data private and only accessible by authorized individuals, of equal importance is the trustworthiness of the data. Which concept encapsulates this? A. Validity B. Integrity C. Accessibility D. Confidentiality

B. Integrity refers to the trustworthiness of data and whether its format and values are true and have not been corrupted or otherwise altered through unauthorized means. Confidentiality refers to keeping data from being accessed or viewed by unauthorized parties. Accessibility means that data is available and ready when needed by a user or service. Validity can mean a variety of things that are somewhat similar to integrity, but it's not the most appropriate answer in this case.

Which of the cloud cross-cutting aspects relates to the ability to reuse or move components of an application or service? A. Availability B. Interoperability C. Reversibility D. Portability

B. Interoperability is the ease with which one can move or reuse components of an application or service. This is maximized when services are designed without specific dependencies on underlying platforms, operating systems, locations, or cloud providers.

Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks? A. Injection B. Missing function-level access control C. Cross-site request forgery D. Cross-site scripting

B. It is imperative that an application perform checks when each function or portion of the application is accessed, to ensure that the user is properly authorized to access it. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted.

Which of the following threat types involves an application that does not validate authorization for portions of itself beyond when the user first enters it? A. Cross-site request forgery B. Missing function-level access control C. Injection D. Cross-site scripting

B. It is imperative that applications do checks when each function or portion of the application is accessed to ensure that the user is properly authorized. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials.

Which of the following does NOT fall under the "IT" aspect of quality of service (QoS)? A. Applications B. Key performance indicators (KPIs) C. Services D. Security

B. KPIs fall under the "business" aspect of QoS, along with monitoring and measuring of events and business processes. Services, security, and applications are all core components and concepts of the "IT" aspect of QoS.

Which of the following is a valid risk management metric? A. KPI B. KRI C. SOC D. SLA

B. KRI stands for key risk indicator. KRIs are the red flags, if you will, in the world of risk management. When these change, they indicate something is amiss and should be looked at quickly to determine if the change is minor or indicative of something important.

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type? A. Physical B. All of the above C. Technological D. Administrative

B. Layered defense calls for a diverse approach to security.

What is used for local, physical access to hardware within a data center? A. SSH B. KVM C. VPN D. RDP

B. Local, physical access in a data center is done via KVM (keyboard, video, mouse) switches.

Which technique involves replacing values within a specific data field to protect sensitive data? A. Anonymization B. Masking C. Tokenization D. Obfuscation

B. Masking involves replacing specific data within a data set with new values. For example, with credit card fields, as most who have ever purchased anything online can attest, nearly the entire credit card number is masked with a character such as an asterisk, with the last four digits left visible for identification and confirmation.

Which of the following concepts refers to a cloud customer paying only for the resources and offerings they use within a cloud environment, and only for the duration that they are consuming them? A. Consumable service B. Measured service C. Billable service D. Metered service

B. Measured service is where cloud services are delivered and billed in a metered way, where the cloud customer only pays for those that they actually use, and for the duration of time that they use them.

Which of the following actions will NOT make data part of the create phase of the cloud data lifecycle? A. Modify data B. Modify metadata C. New data D. Import data

B. Modifying the metadata does not change the actual data. Although this initial phase is called "create," it can also refer to modification. In essence, any time data is considered "new," it is in the create phase. This can come from data that is newly created, data that is imported into a system and is new to that system, or data that is already present and is modified into a new form or value.

Which publication from the United States National Institute of Standards and Technology pertains to defining cloud concepts and definitions for the various core components of cloud computing? A. SP 800-153 B. SP 800-145 C. SP 800-53 D. SP 800-40

B. NIST Special Publication 800-145 is titled "The NIST Definition of Cloud Computing" and contains definitions and explanations of core cloud concepts and components.

The goals of SIEM solution implementation include all of the following, except: A. Dashboarding B. Performance enhancement C. Trend analysis D. Centralization of log streams

B. SIEM does not intend to provide any enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead. All the rest are goals of SIEM implementations.

What's a potential problem when object storage versus volume storage is used within IaaS for application use and dependency? A. Object storage is only optimized for small files. B. Object storage is its own system, and data consistency depends on replication. C. Object storage may have availability issues. D. Object storage is dependent on access control from the host server.

B. Object storage runs on its own independent systems, which have their own redundancy and distribution. To ensure data consistency, sufficient time is needed for objects to fully replicate to all potential locations before being accessed. Object storage is optimized for high availability and will not be any less reliable than any other virtual machine within a cloud environment. It is hosted on a separate system that does not have dependencies in local host servers for access control, and it is optimized for files of all different sizes and uses.

Which type of audit report do many cloud providers use to instill confidence in their policies, practices, and procedures to current and potential customers? A. SAS-70 B. SOC 2 C. SOC 1 D. SOX

B. One approach that many cloud providers opt to take is to undergo a SOC 2 audit and make the report available to cloud customers and potential cloud customers as a way of providing security confidence without having to open their systems or sensitive information to the masses.

Which of the following control types are NOT considered part of the defense-in-depth design principle? A. Physical B. Operational C. Logical D. Technical E. Administrative

B. Operational

Identity and access management (IAM) is a security discipline that ensures which of the following? A. That all users are properly authorized B. That the right individual gets access to the right resources at the right time for the right reasons. C. That all users are properly authenticated D. That unauthorized users will get access to the right resources at the right time for the right reasons

B. Options A and C are also correct, but included in B, making B the best choice. D is incorrect, because we don't want unauthorized users gaining access.

Which of the following services is NOT provided by a Cloud Access Security Broker (CASB)? A. Single sign-on B. Public Key Infrastructure C. Certificate management D. Cryptographic key escrow

B. PKI

What concept does the "I" represent with the STRIDE threat model? A. Integrity B. Information disclosure C. IT security D. Insider threat

B. Perhaps the biggest concern for any user is having their personal and sensitive information disclosed by an application. There are many aspects of an application to consider with security and protecting this information, and it is very difficult for any application to fully ensure security from start to finish. The obvious focus is on security within the application itself, as well as protecting and storing the data.

Which kind of SSAE audit reviews controls dealing with the organization's controls for assuring the confidentiality, integrity, and availability of data? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4

B. SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.

Which cloud service category would be most ideal for a cloud customer that is developing software to test its applications among multiple hosting providers to determine the best option for its needs? A. DaaS B. PaaS C. IaaS D. SaaS

B. Platform as a Service would allow software developers to quickly and easily deploy their applications among different hosting providers for testing and validation in order to determine the best option. Although IaaS would also be appropriate for hosting applications, it would require too much configuration of application servers and libraries in order to test code. Conversely, PaaS would provide a ready-to-use environment from the onset. DaaS would not be appropriate in any way for software developers to use to deploy applications. IaaS would not be appropriate in this scenario because it would require the developers to also deploy and maintain the operating system images or to contract with another firm to do so. SaaS, being a fully functional software platform, would not be appropriate for deploying applications into.

Which of the cloud deployment models is used by popular services such as iCloud, Dropbox, and OneDrive? A. Hybrid B. Public C. Private D. Community

B. Popular services such as iCloud, Dropbox, and OneDrive are all publicly available and are open to any user for free, with possible add-on services offered for a cost.

Cloudbursting is an application deployment model where an application runs in a __________ cloud and bursts into a ______ cloud when demand spikes. A. Community B. Private C. Public D. Hybrid

B. Private C. Public

Which of the following aspects of security is solely the responsibility of the cloud provider? A. Regulatory compliance B. Physical security C. Operating system auditing D. Personal security of developers

B. Regardless of the particular cloud service used, physical security of hardware and facilities is always the sole responsibility of the cloud provider. The cloud provider may release information about their physical security policies and procedures to ensure any particular requirements of potential customers will meet their regulatory obligations. Personal security of developers and regulatory compliance are always the responsibility of the cloud customer. Responsibility for operating systems, and the auditing of them, will differ based on the cloud service category used.

What type of PII is controlled based on laws and carries legal penalties for noncompliance with requirements? A. Contractual B. Regulated C. Specific D. Jurisdictional

B. Regulated PII involves those requirements put forth by specific laws or regulations, and unlike contractual PII, where a violation can lead to contractual penalties, a violation of regulated PII can lead to fines or even criminal charges in some jurisdictions. PII regulations can depend on either the jurisdiction that applies to the hosting location or application or specific legislation based on the industry or type of data used.

There are many situations when testing a BCDR plan is appropriate or mandated. Which of the following would not be a necessary time to test a BCDR plan? A. After software updates B. After regulatory changes C. After major configuration changes D. Annually

B. Regulatory changes by themselves would not trigger a need for new testing of a BCDR plan. Any changes necessary for regulatory compliance would be accomplished through configuration changes or software updates, which in turn would then trigger the necessary new testing. Annual testing is crucial to any BCDR plan. Also, any time major configuration changes or software updates are done, the plan should be evaluated and tested to ensure it is still valid and complete.

Which aspect of cloud computing serves as the biggest challenge to using DLP to protect data at rest? A. Portability B. Resource pooling C. Interoperability D. Reversibility

B. Resource pooling serves as the biggest challenge to using DLP solutions to protect data at rest because data is spread across large systems, which are also shared by many different clients. With the data always moving and being distributed, additional challenges for protection are created versus a physical and isolated storage system. Portability is the ability to easily move between different cloud providers, and interoperability is focused on the ability to reuse components or services. Reversibility pertains to the ability of a cloud customer to easily and completely remove their data and services from a cloud provider.

Different types of audits are intended for different audiences, such as internal, external, regulatory, and so on. Which of the following audits are considered "restricted use" versus being for a more broad audience? A. SOC Type 2 B. SOC Type 1 C. SOC Type 3 D. SAS-70

B. SOC Type 1 reports are intended for restricted use, only to be seen by the actual service organization, its current clients, or its auditors. These reports are not intended for wider or public distribution. SAS-70 audit reports have been deprecated and are no longer in use, and both the SOC Type 2 and 3 reports are designed to expand upon the SOC Type 1 reports and are for broader audiences.

What is the concept of segregating information or processes, within the same system or application, for security reasons? A. Fencing B. Sandboxing C. Cellblocking D. Pooling

B. Sandboxing involves segregating and isolating information or processes from others within the same system or application, typically for security concerns. This is generally used for data isolation (for example, keeping different communities and populations of users isolated from other similar data).

Which of the following is the concept of segregating information or processes, within the same system or application, for security reasons? A. Cell blocking B. Sandboxing C. Pooling D. Fencing

B. Sandboxing involves the segregation and isolation of information or processes from other information or processes within the same system or application, typically for security concerns. Sandboxing is generally used for data isolation (for example, keeping different communities and populations of users isolated from others with similar data). In IT terminology, pooling typically means bringing together and consolidating resources or services, not segregating or separating them. Cell blocking and fencing are both erroneous terms.

Which of the following APIs are most commonly used within a cloud environment? A. REST and SAML B. SOAP and REST C. REST and XML D. XML and SAML

B. Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) are the most commonly used APIs within a cloud environment. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data.

What is the data encapsulation used with the SOAP protocol referred to as? A. Packet B. Envelope C. Payload D. Object

B. Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope and then leverages common communications protocols for transmission.

What does SDN stand for within a cloud environment? A. Software-dynamic networking B. Software-defined networking C. Software-dependent networking D. System-dynamic nodes

B. Software-defined networking separates the administration of network filtering and network forwarding to allow for distributed administration.

What does static application security testing (SAST) offer as a tool to the testers that makes it unique compared to other common security testing methodologies? A. Live testing B. Source code access C. Production system scanning D. Injection attempts

B. Static application security testing (SAST) is conducted against offline systems with previous knowledge of them, including their source code. Live testing is not part of static testing but rather is associated with dynamic testing. Production system scanning is not appropriate because static testing is done against offline systems. Injection attempts are done with many different types of testing and are not unique to one particular type. It is therefore not the best answer to the question.

What is the first stage of the cloud data lifecycle where security controls can be implemented? A. Use B. Store C. Share D. Create

B. The "store" phase of the cloud data lifecycle, which typically occurs simultaneously with the "create" phase, or immediately thereafter, is the first phase where security controls can be implemented. In most cases, the manner in which the data is stored will be based on its classification.

GAAPs are created and maintained by which organization? A. ISO/IEC B. AICPA C. PCI Council D. ISO

B. The AICPA is the organization responsible for generating and maintaining what are the Generally Accepted Accounting Practices in the United States.

What type of solution is at the core of virtually all directory services? A. WS B. LDAP C. ADFS D. PKI

B. The Lightweight Directory Access Protocol (LDAP) forms the basis of virtually all directory services, regardless of the specific vendor or software package. WS is a protocol for information exchange between two systems and does not actually store the data. ADFS is a Windows component for enabling single sign-on for the operating system and applications, but it relies on data from an LDAP server. PKI is used for managing and issuing security certificates.

With an API, various features and optimizations are highly desirable to scalability, reliability, and security. What does the REST API support that the SOAP API does NOT support? A. Acceleration B. Caching C. Redundancy D. Encryption

B. The Simple Object Access Protocol (SOAP) does not support caching, whereas the Representational State Transfer (REST) API does. The other options are all capabilities that are either not supported by SOAP or not supported by any API and must be provided by external features.

Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies? A. IDCA B. Uptime Institute C. NFPA D. BICSI

B. The Uptime Institute publishes the most commonly used and widely known standard on data center tiers and topologies. It is based on a series of four tiers, with each progressive increase in number representing more stringent, reliable, and redundant systems for security, connectivity, fault tolerance, redundancy, and cooling.

Which of the following roles is responsible for obtaining new customers and securing contracts and agreements? A. Inter-cloud provider B. Cloud service broker C. Cloud auditor D. Cloud service developer

B. The cloud service broker is responsible for obtaining new customers, analyzing the marketplace, and securing contracts and agreements.

Which of the following roles involves overseeing billing, purchasing, and requesting audit reports for an organization within a cloud environment? A. Cloud service user B. Cloud service business manager C. Cloud service administrator D. Cloud service integrator

B. The cloud service business manager is responsible for overseeing business and billing administration, purchasing cloud services, and requesting audit reports when necessary.

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties? A. HIPAA B. The contract C. Statutes D. Security control matrix

B. The contract between the provider and customer enhances the customer's trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures). Statutes, however, largely leave customers liable. The security control matrix is a tool for ensuring compliance with regulations. HIPAA is a statute.

Which of the following is NOT part of a retention policy? A. Format B. Costs C. Accessibility D. Duration

B. The data retention policy covers the duration, format, technologies, protection, and accessibility of archives, but does not address the specific costs of its implementation and maintenance.

Which of the following is NOT considered a type of data loss? A. Data corruption B. Stolen by hackers C. Accidental deletion D. Lost or destroyed encryption keys

B. The exposure of data by hackers is considered a data breach. Data loss focuses on the data availability rather than security. Data loss occurs when data becomes lost, unavailable, or destroyed, when it should not have been.

Which of the following is the optimal temperature for a data center, per the guidelines established by the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)? A. 69.8-86.0°F (21-30°C) B. 64.4-80.6°F (18-27°C) C. 51.8-66.2°F (11-19°C) D. 44.6-60.8°F (7-16°C)

B. The guidelines from ASHRAE establish 64.4-80.6°F (18-27°C) as the optimal temperature for a data center.

Which of the following is NOT a function performed by the handshake protocol of TLS? A. Key exchange B. Encryption C. Negotiation of connection D. Establish session ID

B. The handshake protocol negotiates and establishes the connection as well as handles the key exchange and establishes the session ID. It does not perform the actual encryption of data packets.

Which of the following roles is responsible for peering with other cloud services and providers? A. Cloud auditor B. Inter-cloud provider C. Cloud service broker D. Cloud service developer

B. The inter-cloud provider is responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services.

Which of the following is the dominant driver behind the regulations to which a system or application must adhere? A. Data source B. Locality C. Contract D. SLA

B. The locality--or physical location and jurisdiction where the system or data resides--is the dominant driver of regulations. This may be based on the type of data contained within the application or the way in which the data is used. The contract and SLA both articulate requirements for regulatory compliance and the responsibilities for the cloud provider and cloud customer, but neither artifact defines the actual requirements. Instead, the contract and SLA merely form the official documentation between the cloud provider and cloud customer. The source of the data may place contractual requirements or best practice guidelines on its usage, but ultimately jurisdiction has legal force and greater authority.

Which is the lowest level of the CSA STAR program? A. Attestation B. Self-assessment C. Hybridization D. Continuous monitoring

B. The lowest level is Level 1, which is self-assessment, Level 2 is an external third-party attestation, and Level 3 is a continuous-monitoring program. Hybridization does not exist as part of the CSA STAR program.

Which attribute of data poses the biggest challenge for data discovery? A. Labels B. Quality C. Volume D. Format

B. The main problem when it comes to data discovery is the quality of the data that analysis is being performed against. Data that is malformed, incorrectly stored or labeled, or incomplete makes it very difficult to use analytical tools against.

From a security perspective, what component of a cloud computing infrastructure represents the biggest concern? A. Hypervisor B. Management plane C. Object storage D. Encryption

B. The management plane will have broad administrative access to all host systems throughout an environment; as such, it represents the most pressing security concerns. A compromise of the management plane can directly lead to compromises of any other systems within the environment. Although hypervisors represent a significant security concern to an environment because their compromise would expose any virtual systems hosted within them, the management plane is a better choice in this case because it controls multiple hypervisors. Encryption and object storage both represent lower-level security concerns.

What is a standard configuration and policy set that is applied to systems and virtual machines called? A. Standardization B. Baseline C. Hardening D. Redline

B. The most common and efficient manner of securing operating systems is through the use of baselines. A baseline is a standardized and understood set of base configurations and settings. When a new system is built or a new virtual machine is established, baselines will be applied to a new image to ensure the base configuration meets organizational policy and regulatory requirements.

Which of the following concepts is NOT one of the core components to an encryption system architecture? A. Software B. Network C. Keys D. Data

B. The network utilized is not one of the key components of an encryption system architecture. In fact, a network is not even required for encryption systems or the processing and protection of data. The data, software used for the encryption engine itself, and the keys used to implement the encryption are all core components of an encryption system architecture.

With a cloud service category where the cloud customer is responsible for deploying all services, systems, and components needed for their applications, which of the following storage types are MOST likely to be available to them? A. Structured and hierarchical B. Volume and object C. Volume and database D. Structured and unstructured

B. The question is describing the Infrastructure as a Service (IaaS) cloud offering, and as such, the volume and object storage types will be available to the customer. Structured and unstructured are storage types associated with PaaS, and although the other answers present similar-sounding storage types, they are a mix of real and fake names.

Which of the following is NOT a function performed by the record protocol of TLS? A. Encryption B. Acceleration C. Authentication D. Compression

B. The record protocol of TLS performs the authentication and encryption of data packets, and in some cases compression as well. It does not perform any acceleration functions.

BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business. Which concept pertains to the amount of data and services needed to reach the predetermined level of operations? A. SRE B. RPO C. RSL D. RTO

B. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. SRE is provided as an erroneous response.

Which of the following standards primarily pertains to cabling designs and setups in a data center? A. IDCA B. BICSI C. NFPA D. Uptime Institute

B. The standards put out by Building Industry Consulting Service International (BICSI) primarily cover complex cabling designs and setups for data centers, but also include specifications on power, energy efficiency, and hot/cold aisle setups.

Where is a DLP solution generally installed when utilized for monitoring data at rest? A. Network firewall B. Host system C. Application server D. Database server

B. To monitor data at rest appropriately, the DLP solution would be installed on the host system where the data resides. A database server, in some situations, may be an appropriate answer, but the host system is the best answer because a database server is only one example of where data could reside. An application server processes data and typically sits between the data and presentation zones, and as such, does not store data at rest. A network firewall would be more appropriate for data in transit because it is not a place where data would reside.

Which data protection strategy would be useful for a situation where the ability to remove sensitive data from a set is needed, but a requirement to retain the ability to map back to the original values is also present? A. Masking B. Tokenization C. Encryption D. Anonymization

B. Tokenization involves the replacement of sensitive data fields with key or token values, which can ultimately be mapped back to the original, sensitive data values. Masking refers to the overall approach to covering sensitive data, and anonymization is a type of masking, where indirect identifiers are removed from a data set to prevent the mapping back of data to an individual. Encryption refers to the overall process of protecting data via key pairs and protecting confidentiality.

Being in a cloud environment, cloud customers lose a lot of insight and knowledge as to how their data is stored and their systems are deployed. Which concept from the ISO/IEC cloud standards relates to the necessity of the cloud provider to inform the cloud customer on these issues? A. Disclosure B. Transparency C. Openness D. Documentation

B. Transparency is the official process by which a cloud provider discloses insight and information into its configurations or operations to the appropriate audiences. Disclosure, openness, and documentation are all terms that sound similar to the correct answer, but none of them is the correct term in this case.

Which of the following security measures done at the network layer in a traditional data center are also applicable to a cloud environment? A. Dedicated switches B. Trust zones C. Redundant network circuits D. Direct connections

B. Trust zones can be implemented to separate systems or tiers along logical lines for greater security and access controls. Each zone can then have its own security controls and monitoring based on its particular needs.

Why does a Type 1 hypervisor typically offer tighter security controls than a Type 2 hypervisor? A. A Type 1 hypervisor also controls patching of its hosted virtual machines to ensure they are always secure. B. A Type 1 hypervisor is tied directly to the bare metal and only runs with code necessary to perform its specific mission. C. A Type 1 hypervisor performs hardware-level encryption for tighter security and efficiency. D. A Type 1 hypervisor only hosts virtual machines with the same operating systems as the hypervisor.

B. Type 1 hypervisors run directly on top of the bare metal and only contain the code and functions required to perform their purpose. They do not rely on any other systems or contain extra features to secure.

Tokens and smart cards are examples of what authenticator Type? A. Type 1 B. Type 2 C. Type 3

B. Type 2

What expectation of data custodians is made much more challenging by a cloud implementation, especially with PaaS or SaaS? A. Data classification B. Knowledge of systems C. Access to data D. Encryption requirements

B. Under the Federal Rules of Civil Procedure, data custodians are assumed and expected to have full and comprehensive knowledge of the internal design and architecture of their systems. In a cloud environment, especially with PaaS and SaaS, it is impossible for the data custodian to have this knowledge because those systems are controlled by the cloud provider and protected as proprietary knowledge.

In this phase of the Data Life Cycle, data is viewed, processed, or otherwise used. A. Share B. Use C. Archive D. Destroy E. Create F. Store

B. Use

With IaaS, what is responsible for handling the security and control over the volume storage space? A. Management plane B. Operating system C. Application D. Hypervisor

B. Volume storage is allocated via a LUN to a system and then treated the same as any traditional storage. The operating system is responsible for formatting and securing volume storage as well as controlling all access to it. Applications, although they may use volume storage and have permissions to write to it, are not responsible for its formatting and security. Both a hypervisor and the management plane are outside of an individual system and are not responsible for managing the files and storage within that system.

A crucial decision any company must make is in regard to where it hosts the data systems it depends on. A debate exists as to whether it's best to lease space in a data center or build your own data center--and now with cloud computing, whether to purchase resources within a cloud. What is the biggest advantage to leasing space in a data center versus procuring cloud services? A. Regulations B. Control C. Security D. Costs

B. When leasing space in a data center versus utilizing cloud services, a customer has a much greater control over its systems and services, from both the hardware/software perspective and the operational management perspective. Costs, regulations, and security are all prime considerations regardless of the hosting type selected. Although regulations will be the same in either hosting solution, in most instances, costs and security will be greater factors with leased space.

What is the biggest benefit to leasing space in a data center versus building or maintaining your own? A. Certification B. Costs C. Regulation D. Control

B. When leasing space in a data center, an organization can avoid the enormous startup and building costs associated with a data center, and can instead leverage economies of scale by grouping with other organizations and sharing costs.

What is the biggest negative to leasing space in a data center versus building or maintaining your own? A. Costs B. Control C. Certification D. Regulation

B. When leasing space in a data center, an organization will give up a large degree of control as to how it is built and maintained, and instead must conform to the policies and procedures of the owners and operators of the data center.

What is a serious complication an organization faces from the perspective of compliance with international operations? A. Different certifications B. Multiple jurisdictions C. Different capabilities D. Different operational procedures

B. When operating within a global framework, a security professional runs into a multitude of jurisdictions and requirements, and many times they might be in contention with one another or not clearly applicable. These requirements can include the location of the users and the type of data they enter into systems, the laws governing the organization that owns the application and any regulatory requirements they may have, as well as the appropriate laws and regulations for the jurisdiction housing the IT resources and where the data is actually stored, which might be multiple jurisdictions as well.

Which of the cloud cross-cutting aspects relates to the requirements placed on the cloud provider by the cloud customer for minimum performance standards and requirements that must be met? A. Regulatory requirements B. SLAs C. Auditability D. Governance

B. Whereas a contract spells out general terms and costs for services, the SLA is where the real meat of the business relationship and concrete requirements come into play. The SLA spells out in clear terms the minimum requirements for uptime, availability, processes, customer service and support, security controls and requirements, auditing and reporting, and potentially many other areas that define the business relationship and the success of it.

What is an often overlooked concept that is essential to protecting the confidentiality of data? A. Strong password B. Training C. Security controls D. Policies

B. While the main focus of confidentiality revolves around technological requirements or particular security methods, an important and often overlooked aspect of safeguarding data confidentiality is appropriate and comprehensive training for those with access to it. Training should be focused on the safe handling of sensitive information overall, including best practices for network activities as well as physical security of the devices or workstations used to access the application.

Which of the following statements about Type 1 hypervisors is true? A. The hardware vendor and software vendor are different. B. The hardware vendor and software vendor are the same. C. The hardware vendor provides an open platform for software vendors. D. The hardware vendor and software vendor should always be different for the sake of security.

B. With a Type 1 hypervisor, the management software and hardware are tightly tied together and provided by the same vendor on a closed platform. This allows for optimal security, performance, and support. The other answers are all incorrect descriptions of a Type 1 hypervisor.

Which of the following aspects of cloud computing would make it more likely that a cloud provider would be unwilling to satisfy specific certification requirements? A. Regulation B. Multitenancy C. Virtualization D. Resource pooling

B. With cloud providers hosting a number of different customers, it would be impractical for them to pursue additional certifications based on the needs of a specific customer. Cloud environments are built to a common denominator to serve the greatest number of customers. Especially within a public cloud model, it is not possible or practical for a cloud provider to alter its services for specific customer demands. Resource pooling and virtualization within a cloud environment would be the same for all customers, and would not impact certifications that a cloud provider might be willing to pursue. Regulations would form the basis for certification problems and would be a reason for a cloud provider to pursue specific certifications to meet customer requirements.

Within an IaaS implementation, which of the following would NOT be a metric used to quantify service charges for the cloud customer? A. Memory B. Number of users C. Storage D. CPU

B. Within IaaS, where the cloud customer is responsible for everything beyond the physical network, the number of users on a system would not be a factor in billing or service charges. The core cloud services for IaaS are based on the memory, storage, and CPU requirements of the cloud customer. Because the cloud customer with IaaS is responsible for its own images and deployments, these components comprise the basis of its cloud provisioning and measured services billing.

Within a SaaS environment, what is the responsibility on the part of the cloud customer in regard to procuring the software used? A. Maintenance B. Licensing C. Development D. Purchasing

B. Within a SaaS implementation, the cloud customer licenses the use of the software from the cloud provider because SaaS delivers a fully functional application to the customer. With SaaS, the cloud provider is responsible for the entire software application and any necessary infrastructure to develop, run, and maintain it. The purchasing, development, and maintenance are fully the responsibility of the cloud provider.

Which protocol allows a system to use block-level storage as if it was a SAN, but over TCP network traffic instead? A. SATA B. iSCSI C. TLS D. SCSI

B. iSCSI is a protocol that allows for the transmission and use of SCSI commands and features over a TCP-based network. iSCSI allows systems to use block-level storage that looks and behaves as a SAN would with physical servers, but to leverage the TCP network within a virtualized environment and cloud.

In what cloud model does the customer ONLY have control over their data and possibly some app config settings? A. IaaS B. PaaS C. SaaS

B. PaaS

What cloud model is best for development projects? A. IaaS B. PaaS C. SaaS

B. PaaS

A data custodian is responsible for which of the following? A. Data context B. Data content C. The safe custody, transport, storage of the data, and implementation of business rules D. Logging access and alerts

C. A data custodian is responsible for the safe custody, transport, and storage of data, and the implementation of business rules.

What does the "SOC" acronym refer to with audit reports? A. Service Origin Confidentiality B. System Organization Confidentiality C. Service Organizational Control D. System Organization Control

C.

Which of the following are the storage types associated with PaaS? A. Structured and freeform B. Volume and object C. Structured and unstructured D. Database and file system

C.

Which of the cloud deployment models involves spanning multiple cloud environments or a mix of cloud hosting models? A. Community B. Public C. Hybrid D. Private

C. A hybrid cloud model involves the use of more than one type of cloud hosting models, typically the mix of private and public cloud hosting models.

Which of the following could be used as a second component of multifactor authentication if a user has an RSA token? A. Access card B. USB thumb drive C. Retina scan D. RFID

C. A retina scan could be used in conjunction with an RSA token because it is a biometric factor, and thus a different type of factor. An access card, RFID, and USB thumb drive are all items in possession of a user, the same as an RSA token, and as such would not be appropriate.

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? A. One-time pads B. Link encryption C. Homomorphic encryption D. AES

C. AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.

Which is NOT one of the four tasks in Access Management? A. Authorization B. Authentication C. Access Control D. Federation E. Policy Management

C. Access Control

The European Union passed the first major regulation declaring data privacy to be a human right. In what year did it go into effect? A. 2010 B. 2000 C. 1995 D. 1990

C. Adopted in 1995, Directive 95/46 EC establishes strong data protection and policy requirements, including the declaring of data privacy to be a human right. It establishes that an individual has the right to be notified when their personal data is being accessed or processed, that it only will ever be accessed for legitimate purposes, and that data will only be accessed to the exact extent it needs to be for the particular process or request.

All the following are data analytics modes, except: A. Datamining B. Agile business intelligence C. Refractory iterations D. Real-time analytics

C. All the others are data analytics methods, but "refractory iterations" is a nonsense term thrown in as a red herring.

To protect data on user devices in a BYOD environment, the organization should consider requiring all the following, except: A. Multifactor authentication B. DLP agents C. Two-person integrity D. Local encryption

C. Although all the other options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic, and, if implemented, would require everyone in your organization to walk around in pairs while using their mobile devices.

Which of the following threat types involves the sending of commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing? A. Cross-site scripting B. Missing function-level access control C. Injection D. Cross-site forgery

C. An injection attack is where a malicious actor will send commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it could potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

Which of the following threat types involves an application developer leaving references to internal information and configurations in code that is exposed to the client? A. Sensitive data exposure B. Security misconfiguration C. Insecure direct object references D. Unvalidated redirect and forwards

C. An insecure direct object reference occurs when a developer has in their code a reference to something on the application side, such as a database key, the directory structure of the application, configuration information about the hosting system, or any other information that pertains to the workings of the application that should not be exposed to users or the network. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, allowing spoofing for malware or phishing attacks. Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data. Security misconfigurations occur when applications and systems are not properly configured or maintained in a secure manner.

What process entails taking sensitive data and removing the indirect identifiers from each data object so that the identification of a single entity would not be possible? A. Tokenization B. Encryption C. Anonymization D. Masking

C. Anonymization is a type of masking, where indirect identifiers are removed from a data set to prevent the mapping back of data to an individual. Although masking refers to the overall approach of covering sensitive data, anonymization is the best answer here because it is more specific to exactly what is being asked. Tokenization involves the replacement of sensitive data with a key value that can be matched back to the real value. However, it is not focused on indirect identifiers or preventing the matching to an individual. Encryption refers to the overall process of protecting data via key pairs and protecting confidentiality.

What database encryption option resides at the application that is using the database? A. File-level B. Transparent C. Application-level

C. Application-level

In this phase of the Data Life Cycle, data leaves active use and enters long-term storage. A. Share B. Use C. Archive D. Destroy E. Create F. Store

C. Archive

A DLP solution/implementation has three main components. Which of the following is NOT one of the three main components? A. Monitoring B. Enforcement C. Auditing D. Discovery and classification

C. Auditing, which can be supported to varying degrees by DLP solutions, is not a core component of them. Data loss prevention (DLP) solutions have core components of discovery and classification, enforcement, and monitoring. Discovery and classification are concerned with determining which data should be applied to the DLP policies, and then determining its classification level. Monitoring is concerned with the actual watching of data and how it's used through its various stages. Enforcement is the actual application of policies determined from the discovery stage and then triggered during the monitoring stage.

Configurations and policies for a system can come from a variety of sources and take a variety of formats. Which concept pertains to the application of a set of configurations and policies that is applied to all systems or a class of systems? A. Hardening B. Leveling C. Baselines D. Standards

C. Baselines are a set of configurations and policies applied to all new systems or services, and they serve as the basis for deploying any other services on top of them. Although standards often form the basis for baselines, the term is applicable in this case. Hardening is the process of securing a system, often through the application of baselines. Leveling is an extraneous but similar term to baselining.

An audit scope statement defines the limits and outcomes from an audit. Which of the following would NOT be included as part of an audit scope statement? A. Reports B. Certification C. Billing D. Exclusions

C. Billing for an audit, or other cost-related items, would not be part of an audit scope statement and would instead be handled prior to the actual audit as part of the contract between the organization and auditors. Reports, exclusions to the scope of the audit, and required certifications on behalf of the systems or auditors are all crucial elements of an audit scope statement.

Which of the following is NOT a consideration for cloud deployment model selection? A. Risk appetite B. Cost C. Business Structure D. Compliance and regulatory considerations E. Legal obligations

C. Business Structure

Which of the following is NOT a way in which an organization may categorize data? A. Functional unit B. By project C. By criticality D. Regulatory framework E. Business function

C. By criticality

Which of the following are considered to be the building blocks of cloud computing? A. Data, Access Control, Virtualization and services B. Storage, Networking, Printing, and Virtualization C. CPU, RAM, Storage, and Networking D. Data, CPU, RAM, and Access control

C. CPU, RAM, Storage, and Networking

What is the intellectual property protection for a confidential recipe for muffins? A. Patent B. Trademark C. Trade secret D. Copyright

C. Confidential recipes unique to the organization are trade secrets. The other answers listed are answers to other questions.

Your company is in the planning stages of moving applications that have large data sets to a cloud environment. What strategy for data removal would be the MOST appropriate for you to recommend if costs and speed are primary considerations? A. Shredding B. Media destruction C. Cryptographic erasure D. Overwriting

C. Cryptographic erasure involves having the data encrypted, typically as a matter of standard operations, and then rendering the data useless and unreadable by destroying the encryption keys for it. It represents a very cheap and immediate way to destroy data, and it works in all environments. With a cloud environment and multitenancy, media destruction or the physical destruction of storage devices, including shredding, would not be possible. Depending on the environment, overwriting may or may not be possible, but cryptographic erasure is the best answer because it is always an available option and is very quick to implement.

DLP can be combined with what other security technology to enhance data controls? A. SIEM B. Hypervisors C. DRM D. Kerberos

C. DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.

DLP solutions can aid in deterring loss due to which of the following? A. Device failure B. Randomization C. Inadvertent disclosure D. Natural disaster

C. DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.

Proper implementation of DLP solutions for successful function requires which of the following? A. Physical access limitations B. USB connectivity C. Accurate data categorization D. Physical presence

C. DLP tools need to be aware of which information to monitor and which requires categorization (usually done upon data creation, by the data owners). DLPs can be implemented with or without physical access or presence. USB connectivity has nothing to do with DLP solutions.

Many tools and technologies are available for securing or monitoring data in transit within a data center, whether it is a traditional data center or a cloud. Which of the following is NOT a technology for securing data in transit? A. VPN B. TLS C. DNSSEC D. HTTPS

C. DNSSEC is an extension of the normal DNS protocol that enables a system to verify the integrity of a DNS query resolution by signing it from the authoritative source and verifying the signing chain. It is not used for securing data transmissions or exchanges. HTTPS is the most common method for securing web service and data calls within a cloud, and TLS is the current standard for encrypting HTTPS traffic. VPNs are widely used for securing data transmissions and service access.

DNSSEC was designed to add a layer of security to the DNS protocol. Which type of attack was the DNSSEC extension designed to mitigate? A. Account hijacking B. Snooping C. Spoofing D. Data exposure

C. DNSSEC is an extension to the regular DNS protocol that utilizes digital signing of DNS query results, which can be verified to come from an authoritative source. This verification mitigates the ability for a rogue DNS server to be used to spoof query results and to direct users to malicious sites. DNSSEC provides for the verification of the integrity of DNS queries. It does not provide any protection from snooping or data exposure. Although it may help lessen account hijacking by preventing users from being directed to rogue sites, it cannot by itself eliminate the possibility.

What type of security threat is DNSSEC designed to prevent? A. Account hijacking B. Snooping C. Spoofing D. Injection

C. DNSSEC is designed to prevent the spoofing and redirection of DNS resolutions to rogue sites.

The DLP engine is installed where the data resides. A. Data in motion B. Data in use C. Data at rest

C. Data at rest

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except: A. Tokenization B. Masking C. Data discovery D. Obfuscation

C. Data discovery is a term used to describe the process of identifying information according to specific traits or categories. The rest are all methods for obscuring data.

Which technology can be useful during the "share" phase of the cloud data lifecycle to continue to protect data as it leaves the original system and security controls? A. IPS B. WAF C. DLP D. IDS

C. Data loss prevention (DLP) can be applied to data that is leaving the security enclave to continue to enforce access restrictions and policies on other clients and systems.

Data masking can be used to provide all of the following functionality, except: A. Secure remote access B. Test data in sandboxed environments C. Authentication of privileged users D. Enforcing least privilege

C. Data masking does not support authentication in any way. All the others are excellent use cases for data masking.

Which United States program was designed to enable organizations to bridge the gap between privacy laws and requirements of the United States and the European Union? A. GLBA B. HIPAA C. Safe Harbor D. SOX

C. Due to the lack of an adequate privacy law or protection at the federal level in the United States, European privacy regulations generally prohibit the exporting or sharing of PII from Europe with the United States. Participation in the Safe Harbor program is voluntary on behalf of an organization, but it does require them to conform to specific requirements and policies that mirror those from the EU. Thus, organizations can fulfill requirements for data sharing and export and possibly serve customers in the EU.

Which phase of the cloud data lifecycle would be the MOST appropriate for the use of DLP technologies to protect the data? A. Use B. Store C. Share D. Create

C. During the share phase, data is allowed to leave the application for consumption by other vendors, systems, or services. At this point, as the data is leaving the security controls of the application, the use of DLP technologies is appropriate to control how the data is used or to force expiration. During the use, create, and store phases, traditional security controls are available and are more appropriate because the data is still internal to the application.

What masking strategy involves the replacing of sensitive data at the time it is accessed and used as it flows between the data and application layers of a service? A. Active B. Static C. Dynamic D. Transactional

C. Dynamic masking involves the live replacing of sensitive data fields during transactional use between the data and application layers of a service. Static masking involves creating a full data set with the sensitive data fields masked, but is not done during live transactions like dynamic masking. Active and transactional are offered as similar types of answers but are not types of masking.

What concept does the "T" represent in the STRIDE threat model? A. TLS B. Testing C. Tampering with data D. Transport

C. Any application that sends data to the user will face the potential that the user could manipulate or alter the data, whether it resides in cookies, GET or POST commands, or headers, or manipulates client-side validations. If the user receives data from the application, it is crucial that the application validate and verify any data that is received back from the user.

Modern web service systems are designed for high availability and resiliency. Which concept pertains to the ability to detect problems within a system, environment, or application and programmatically invoke redundant systems or processes for mitigation? A. Elasticity B. Redundancy C. Fault tolerance D. Automation

C. Fault tolerance allows a system to continue functioning, even with degraded performance, if portions of it fail or degrade, without the entire system or service being taken down. It can detect problems within a service and invoke compensating systems or functions to keep functionality going. Although redundancy is similar to fault tolerance, it is more focused on having additional copies of systems available, either active or passive, that can take up services if one system goes down. Elasticity pertains to the ability of a system to resize to meet demands, but it is not focused on system failures. Automation, and its role in maintaining large systems with minimal intervention, is not directly related to fault tolerance.

Which of the following is the least challenging with regard to eDiscovery in the cloud? A. Identifying roles such as data owner, controller and processor B. Decentralization of data storage C. Forensic analysis D. Complexities of International law

C. Forensic analysis is the least challenging of the answers provided as it refers to the analysis of data once it is obtained. The challenges revolve around obtaining the data for analysis due to the complexities of international law, the decentralization of data storage or difficulty knowing where to look, and identifying the data owner, controller, and processor.

Countermeasures for protecting cloud operations against internal threats include all of the following except: A. Extensive and comprehensive training programs, including initial, recurring, and refresher sessions B. Skills and knowledge testing C. Hardened perimeter devices D. Aggressive background checks

C. Hardened perimeter devices are more useful at attenuating the risk of external attack.

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first? A. Quantum-state B. Polyinstantiation C. Homomorphic D. Gastronomic

C. Homomorphic encryption hopes to achieve that goal; the other options are terms that have almost nothing to do with encryption.

What are the U.S. State Department controls on technology exports known as? A. DRM B. ITAR C. EAR D. EAL

C. ITAR is a Department of State program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.

Tokenization requires two distinct _________________ . A. Authentication factors B. Personnel C. Databases D. Encryption

C. In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.

What does a Cloud Service Broker do? A. It facilitates the purchase of cloud services B. It performs services in cloud environments C. It acts as a liaison between customers and providers D. It acts as a liaison between CSPs and MSPs

C. It acts as a liaison between customers and providers

Although the REST API supports a wide variety of data formats for communications and exchange, which data formats are the most commonly used? A. SAML and HTML B. XML and SAML C. XML and JSON D. JSON and SAML

C. JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer (REST) API and are typically implemented with caching for increased scalability and performance. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. HTML is used for authoring web pages for consumption by web browsers.

Which data formats are most commonly used with the REST API? A. JSON and SAML B. XML and SAML C. XML and JSON D. SAML and HTML

C. JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer (REST) API, and are typically implemented with caching for increased scalability and performance.

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following? A. UPS B. Generators C. Joint operating agreements D. Strict adherence to applicable regulations

C. Joint operating agreements can provide nearby relocation sites so that a disruption limited to the organization's own facility and campus can be addressed at a different facility and campus. UPS and generators are not limited to serving needs for localized causes. Regulations do not promote cost savings and are not often the immediate concern during BC/DR activities.

From the perspective of compliance, what is the most important consideration when it comes to data center location? A. Natural disasters B. Utility access C. Jurisdiction D. Personnel access

C. Jurisdiction will dictate much of the compliance and audit requirements for a data center. Although all the aspects listed are very important to security, from a strict compliance perspective, jurisdiction is the most important. Personnel access, natural disasters, and utility access are all important operational considerations for selecting a data center location, but they are not related to compliance issues like jurisdiction is.

Which of the following basic characteristics of cloud computing is specific to ISO/IEC 17888? A. Resource pooling B. On-demand services C. Multi-tenancy D. Broad network access E. Rapid elasticity F. Measured or metered service

C. Multi-tenancy

Which of the following is NOT one of the components of multifactor authentication? A. Something the user knows B. Something the user has C. Something the user sends D. Something the user is

C. Multifactor authentication systems are composed of something the user knows, has, and/or is, not something the user sends. Multifactor authentication commonly uses something that a user knows, has, and/or is (such as biometrics or features).

Over time, what is a primary concern for data archiving? A. Size of archives B. Format of archives C. Recoverability D. Regulatory changes

C. Over time, maintaining the ability to restore and read archives is a primary concern for data archiving. As technologies change and new systems are brought in, it is imperative for an organization to ensure they are still able to restore and access archives for the duration of the required retention period.

What is a key capability or characteristic of PaaS? A. Support for a homogenous environment B. Support for a single programming language C. Ability to reduce lock-in D. Ability to manually scale

C. PaaS should have the following key capabilities and characteristics:
- Support multiple languages and frameworks: PaaS should support multiple programming languages and frameworks, thus enabling the developers to code in whichever language they prefer or the design requirements specify. In recent times, significant strides and efforts have been taken to ensure that open source stacks are both supported and utilized, thus reducing "lock-in" or issues with interoperability when changing CSPs.
- Multiple hosting environments: The ability to support a wide variety of underlying hosting environments for the platform is key to meeting customer requirements and demands. Whether public cloud, private cloud, local hypervisor, or bare metal, supporting multiple hosting environments allows the application developer or administrator to migrate the application when and as required. This can also be used as a form of contingency and continuity and to ensure the ongoing availability.
- Flexibility: Traditionally, platform providers provided features and requirements that they felt suited the client requirements, along with what suited their service offering and positioned them as the provider of choice, with limited options for the customers to move easily. This has changed drastically, with extensibility and flexibility now afforded to meeting the needs and requirements of developer audiences. This has been heavily influenced by open source, which allows relevant plug-ins to be quickly and efficiently introduced into the platform.
- Allow choice and reduce lock-in: PaaS learns from previous horror stories and restrictions, where proprietary meant red tape, barriers, and restrictions on what developers could do when it came to migration or adding features and components to the platform. Although the requirement to code to specific APIs was made available by the providers, they could run their apps in various environments based on commonality and standard API structures, ensuring a level of consistency and quality for customers and users.
- Ability to auto-scale: This enables the application to seamlessly scale up and down as required to accommodate the cyclical demands of users. The platform will allocate resources and assign these to the application as required. This serves as a key driver for any seasonal organizations that experience spikes and drops in usage.

What is the intellectual property protection for a useful manufacturing innovation? A. Trademark B. Copyright C. Patent D. Trade secret

C. Patents protect processes (as well as inventions, new plant life, and decorative patterns). The other answers listed are answers to other questions.

Which type of testing uses the same strategies and toolsets that hackers would use? A. Static B. Malicious C. Penetration D. Dynamic

C. Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discover potential vulnerabilities. Although the term malicious captures much of the intent of penetration testing from the perspective of an attacker, it is not the best answer. Static and dynamic are two types of system testing--where static is done offline and with knowledge of the system, and dynamic is done on a live system without any previous knowledge--but neither describes the type of testing being asked for in the question.

Every security program and process should have which of the following? A. Severe penalties B. Multifactor authentication C. Foundational policy D. Homomorphic encryption

C. Policy drives all programs and functions in the organization; the organization should not conduct any operations that don't have a policy governing them. Penalties may or may not be an element of policy, and severity depends on the topic. Multifactor authentication and homomorphic encryption are red herrings here.

A main objective for an organization when utilizing cloud services is to avoid vendor lock-in so as to ensure flexibility and maintain independence. Which core concept of cloud computing is most related to vendor lock-in? A. Scalability B. Interoperability C. Portability D. Reversibility

C. Portability is the ability for a cloud customer to easily move their systems, services, and applications among different cloud providers. By avoiding reliance on proprietary APIs and other vendor-specific cloud features, an organization can maintain flexibility to move among the various cloud providers with greater ease. Reversibility refers to the ability for a cloud customer to quickly and easily remove all their services and data from a cloud provider. Interoperability is the ability to reuse services and components for other applications and uses. Scalability refers to the ability of a cloud environment to add or remove resources to meet current demands.

Which of the cloud cross-cutting aspects relates to the ability to easily move services and applications between different cloud providers? A. Reversibility B. Availability C. Portability D. Interoperability

C. Portability is the ease with which a service or application can be moved between different cloud providers. Maintaining portability gives an organization great flexibility between cloud providers and the ability to shop for better deals or offerings.

SOC Type 1 reports are considered "restricted use," in that they are intended only for limited audiences and purposes. Which of the following is NOT a population that would be appropriate for a SOC Type 1 report? A. Current clients B. Auditors C. Potential clients D. The service organization

C. Potential clients are not served by SOC Type 1 audits. A Type 2 or Type 3 report would be appropriate for potential clients. SOC Type 1 reports are intended for restricted use, where only the service organization itself, current clients, or auditors would have access to them.

What two methods can be used to implement volume storage encryption? A. Tenant-based B. Device-based C. Proxy-based D. Instance-based

C. Proxy-based D. Instance-based

The key benefits of this type of cloud deployment are: easy and inexpensive setup, streamlined and easy-to-provision resources, scalability to meet needs, no wasted resources - pay as you go? A. Private cloud B. Hybrid cloud C. Public cloud D. Community cloud

C. Public cloud

What cloud deployment model CANNOT be deployed either on-site or off-site? A. Private cloud B. Hybrid cloud C. Public cloud D. Community cloud

C. Public cloud

Which cloud deployment model is MOST likely to offer free or very cheap services to users? A. Hybrid B. Community C. Public D. Private

C. Public clouds offer services to anyone, regardless of affiliation, and are the most likely to offer free services to users. Examples of public clouds with free services include iCloud, Dropbox, and OneDrive. Private cloud models are designed for specific customers and for their needs, and would not offer services to the public at large, for free or otherwise. A community cloud is specific to a group of similar organizations and would not offer free or widely available public services. A hybrid cloud model would not fit the specifics of the question.

Which of the following is a commonly used tool for maintaining system configurations? A. Maestro B. Orchestrator C. Puppet D. Conductor

C. Puppet is a commonly used tool for maintaining system configurations based on policies, and it does so from a centralized authority.

Which of the following is NOT a contributor for moving to the cloud: A. Cost B. Agility C. Security D. Scalability E. Virtualization

C. Security

Which of the following areas of responsibility always falls completely under the purview of the cloud provider, regardless of which cloud service category is used? A. Infrastructure B. Data C. Physical D. Governance

C. Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. In many instances, the cloud provider will supply audit reports or some general information about their physical security practices, especially to those customers or potential customers that may have regulatory requirements, but otherwise the cloud customer will have very little insight into the physical environment. With IaaS, the infrastructure is a shared responsibility between the cloud provider and cloud customer. With all cloud service categories, the data and governance are always the sole responsibility of the cloud customer.

Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used? A. Platform B. Infrastructure C. Governance D. Application

C. Regardless of which cloud-hosting model is used, the cloud customer always has sole responsibility for the governance of systems and data.

Which of the following is the sole responsibility of the cloud provider, regardless of which cloud model is used? A. Platform B. Data C. Physical environment D. Infrastructure

C. Regardless of which cloud-hosting model is used, the cloud provider always has sole responsibility for the physical environment.

What category of PII data can carry potential fines or even criminal charges for its improper use or disclosure? A. Protected B. Legal C. Regulated D. Contractual

C. Regulated PII data carries legal and jurisdictional requirements, along with official penalties for its misuse or disclosure, which can be either civil or criminal in nature. Legal and protected are similar terms, but neither is the correct answer in this case. Contractual requirements can carry financial or contractual impacts for the improper use or disclosure of PII data, but not legal or criminal penalties that are officially enforced.

When dealing with PII, which category pertains to those requirements that can carry legal sanctions or penalties for failure to adequately safeguard the data and address compliance requirements? A. Contractual B. Jurisdictional C. Regulated D. Legal

C. Regulated PII pertains to data that is outlined in law and regulations. Violations of the requirements for the protection of regulated PII can carry legal sanctions or penalties. Contractual PII involves required data protection that is determined by the actual service contract between the cloud provider and cloud customer, rather than outlined by law. Violations of the provisions of contractual PII carry potential financial or contractual implications, but not legal sanctions. Legal and jurisdictional are similar terms to regulated, but neither is the official term used.

Which of the following is NOT part of civil law? A. Contracts B. Regulation C. Tort law D. Statutes

C. Regulation

Hardening the operating system refers to all of the following except: A. Limiting administrator access B. Closing unused ports C. Removing antimalware agents D. Removing unnecessary services and libraries

C. Removing antimalware agents. Hardening the operating system means making it more secure. Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure. But removing antimalware agents would actually make the system less secure. If anything, antimalware agents should be added, not removed.

Which audit type has been largely replaced by newer approaches since 2011? A. SOC Type 1 B. SSAE-16 C. SAS-70 D. SOC Type 2

C. SAS-70 reports were replaced in 2011 with the SSAE-16 reports throughout the industry.

Which type of audit report is considered a "restricted use" report for its intended audience? A. SAS-70 B. SSAE-16 C. SOC Type 1 D. SOC Type 2

C. SOC Type 1 reports are considered "restricted use" reports. They are intended for management and stakeholders of an organization, clients of the service organization, and auditors of the organization. They are not intended for release beyond those audiences.

Which type of controls are the SOC Type 1 reports specifically focused on? A. Integrity B. PII C. Financial D. Privacy

C. SOC Type 1 reports are focused specifically on internal controls as they relate to financial reporting.

Because cloud providers will not give detailed information out about their infrastructures and practices to the general public, they will often use established auditing reports to ensure public trust, where the reputation of the auditors serves for assurance. Which type of audit reports can be used for general public trust assurances? A. SOC 2 B. SAS-70 C. SOC 3 D. SOC 1

C. SOC Type 3 audit reports are very similar to SOC Type 2, with the exception that they are intended for general release and public audiences. SAS-70 audits have been deprecated. SOC Type 1 audit reports have a narrow scope and are intended for very limited release, whereas SOC Type 2 audit reports are intended for wider audiences but not general release.

Which format is the most commonly used standard for exchanging information within a federated identity system? A. XML B. HTML C. SAML D. JSON

C. Security Assertion Markup Language (SAML) is the most common data format for information exchange within a federated identity system. It is used to transmit and exchange authentication and authorization data. XML is similar to SAML, but it's used for general-purpose data encoding and labeling and is not used for the exchange of authentication and authorization data in the way that SAML is for federated systems. JSON is used similarly to XML, as a text-based data exchange format that typically uses attribute-value pairings, but it's not used for authentication and authorization exchange. HTML is used only for encoding web pages for web browsers and is not used for data exchange--and certainly not in a federated system.

Which of the following threat types can occur when baselines are not appropriately applied or unauthorized changes are made? A. Insecure direct object references B. Unvalidated redirects and forwards C. Security misconfiguration D. Sensitive data exposure

C. Security misconfigurations occur when applications and systems are not properly configured or maintained in a secure manner. This can be caused by a shortcoming in security baselines or configurations, unauthorized changes to system configurations, or a failure to patch and upgrade systems as the vendor releases security patches.

Which of the following threat types can occur when encryption is not properly applied or insecure transport mechanisms are used? A. Security misconfiguration B. Insecure direct object references C. Sensitive data exposure D. Unvalidated redirects and forwards

C. Sensitive data exposure occurs when information is not properly secured through encryption and secure transport mechanisms; it can quickly become an easy and broad method for attackers to compromise information. Web applications must enforce strong encryption and security controls on the application side, but secure methods of communications with browsers or other clients used to access the information are also required. Security misconfiguration occurs when applications and systems are not properly configured for security, often a result of misapplied or inadequate baselines. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, thus allowing spoofing for malware or phishing attacks.

With finite resources available within a cloud, even the largest cloud providers will at times need to determine which customers will receive additional resources first. What is the term associated with this determination? A. Weighting B. Prioritization C. Shares D. Scoring

C. Shares are used within a cloud environment to prioritize resource allocation when customer requests exceed the available resources. Cloud providers utilize shares by assigning a priority score to each customer and allocating resources to those with the highest scores first. Scoring is a component of shares that determines the actual order in which to allocate resources. Neither weighting nor prioritization is the correct term in this case.

Which of the following may unilaterally deem a cloud hosting model inappropriate for a system or application? A. Multitenancy B. Certification C. Regulation D. Virtualization

C. Some regulations may require specific security controls or certifications be used for hosting certain types of data or functions, and in some circumstances they may be requirements that are unable to be met by any cloud provider.

What does static application security testing (SAST) offer as a tool to the testers? A. Production system scanning B. Injection attempts C. Source code access D. Live testing

C. Static application security testing (SAST) is conducted with knowledge of the system, including source code, and is done against offline systems.

You just hired an outside developer to modernize some applications with new web services and functionality. In order to implement a comprehensive test platform for validation, the developer needs a data set that resembles a production data set in both size and composition. In order to accomplish this, what type of masking would you use? A. Development B. Replicated C. Static D. Dynamic

C. Static masking takes a data set and produces a copy of it, but with sensitive data fields masked. This allows for a full data set from production for testing purposes, but without any sensitive data. Dynamic masking works with a live system and is not used to produce a distinct copy. The terms "replicated" and "development" are not types of masking.

Humidity levels for a data center are a prime concern for maintaining electrical and computing resources properly as well as ensuring that conditions are optimal for top performance. Which of the following is the optimal humidity level, as established by ASHRAE? A. 20 to 40 percent relative humidity B. 50 to 75 percent relative humidity C. 40 to 60 percent relative humidity D. 30 to 50 percent relative humidity

C. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends 40 to 60 percent relative humidity for data centers. None of the other options is the recommendation from ASHRAE.

Along with humidity, temperature is crucial to a data center for optimal operations and protection of equipment. Which of the following is the optimal temperature range as set by ASHRAE? A. 69.8 to 86.0 degrees Fahrenheit (21 to 30 degrees Celsius) B. 51.8 to 66.2 degrees Fahrenheit (11 to 19 degrees Celsius) C. 64.4 to 80.6 degrees Fahrenheit (18 to 27 degrees Celsius) D. 44.6 to 60.8 degrees Fahrenheit (7 to 16 degrees Celsius)

C. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) recommends 64.4 to 80.6 degrees Fahrenheit (or 18 to 27 degrees Celsius) as the optimal temperature range for data centers. None of the other options is the recommendation from ASHRAE.

Many of the traditional concepts of systems and services for a traditional data center also apply to the cloud. Both are built around key computing concepts. Which of the following comprise the two facets of computing? A. CPU and software B. CPU and storage C. CPU and memory D. Memory and networking

C. The CPU and memory resources of an environment together comprise its "computing" resources. Cloud environments, especially public clouds, are enormous pools of resources for computing and are typically divided among a large number of customers with constantly changing needs and demands. Although storage and networking are core components of a cloud environment, they do not comprise its computing core. Software, much like within a traditional data center, is highly subjective based on the application, system, service, or cloud computing model used; however, it is not one of the core cloud components.

What is the Cloud Security Alliance Cloud Controls Matrix (CCM)? A. A set of software development life cycle requirements for cloud service providers B. An inventory of cloud services security controls that are arranged into a hierarchy of security domains C. An inventory of cloud service security controls that are arranged into separate security domains D. A set of regulatory requirements for cloud service providers

C. The CSA CCM is an inventory of cloud service security controls that are arranged into separate security domains, not a hierarchy.

Data centers have enormous power resources that are distributed and consumed throughout the entire facility. Which of the following standards pertains to the proper fire safety standards within that scope? A. IDCA B. BICSI C. NFPA D. Uptime Institute

C. The National Fire Protection Association (NFPA) publishes a broad range of fire safety and design standards for many different types of facilities. Building Industry Consulting Services International (BICSI) issues certifications for data center cabling. The Uptime Institute publishes the most widely known and used standard for data center topologies and tiers. The International Data Center Authority (IDCA) offers the Infinity Paradigm, which takes a macro-level approach to data center design.

Which of the following reports is most aligned with financial control audits? A. SSAE 16 B. SOC 2 C. SOC 1 D. SOC 3

C. The SOC 1 report focuses primarily on controls associated with financial services. While IT controls are certainly part of most accounting systems today, the focus is on the controls around those financial systems.

Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it? A. SOC 3 B. SOC 1 Type 2 C. SOC 2 Type 2 D. SOC 1 Type 1

C. The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider? A. SOC 1 Type 1 B. SOC 2 Type 2 C. SOC 3 D. SOC 1 Type 2

C. The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting, and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.

Which of the following is the primary purpose of an SOC 3 report? A. HIPAA compliance B. Absolute assurances C. Seal of approval D. Compliance with PCI/DSS

C. The SOC 3 report is more of an attestation than a full evaluation of controls associated with a service provider.

Which of the following is NOT one of five principles of SOC Type 2 audits? A. Privacy B. Processing integrity C. Financial D. Security

C. The SOC Type 2 audits include five principles: security, privacy, processing integrity, availability, and confidentiality.

Which United States law is focused on accounting and financial practices of organizations? A. Safe Harbor B. GLBA C. SOX D. HIPAA

C. The Sarbanes-Oxley (SOX) Act is not an act that pertains to privacy or IT security directly, but rather regulates accounting and financial practices used by organizations. It was passed to protect stakeholders and shareholders from improper practices and errors, and it sets forth rules for compliance, regulated and enforced by the Securities and Exchange Commission (SEC). The main influence on IT systems and operations is the requirements it sets for data retention, specifically in regard to what types of records must be preserved and for how long.

Which of the following jurisdictions lacks a comprehensive national policy on data privacy and the protection of personally identifiable information (PII)? A. European Union B. Asian-Pacific Economic Cooperation C. United States D. Russia

C. The United States has a myriad of regulations focused on specific types of data, such as healthcare and financial, but lacks an overall comprehensive privacy law on the national level. The European Union, the Asian-Pacific Economic Cooperation, and Russia all have national privacy protections and regulations for handling the PII data of their citizens.

Which aspect of data poses the biggest challenge to using automated tools for data discovery and programmatic data classification? A. Quantity B. Language C. Quality D. Number of sources

C. The biggest challenge for properly using any programmatic tools in data discovery is the actual quality of the data, including the data being uniform and well structured, labels being properly applied, and other similar facets. Without data being organized in such a manner, it is extremely difficult for programmatic tools to automatically synthesize and make determinations from it. The overall quantity of data, as well as the number of sources, does not pose an enormous challenge for data discovery programs, other than requiring a longer time to process the data. The language of the data itself should not matter to a program that is designed to process it, as long as the data is well formed and consistent.

The BIA can be used to provide information about all the following, except: A. BC/DR planning B. Risk analysis C. Secure acquisition D. Selection of security controls

C. The business impact analysis gathers asset valuation information that is beneficial for risk analysis and selection of security controls (it helps avoid putting the ten-dollar lock on the five-dollar bicycle), and criticality information that helps in BC/DR planning by letting the organization understand which systems, data, and personnel are necessary to continuously maintain. However, it does not aid secure acquisition efforts, since the assets examined by the BIA have already been acquired.

Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except: A. The cloud provider's utilities B. The cloud provider's suppliers C. The cloud provider's resellers D. The cloud provider's vendors

C. The cloud provider's resellers are a marketing and sales mechanism, not an operational dependency that could affect the security of a cloud customer.

Which of the following roles is responsible for overseeing customer relationships and the processing of financial transactions? A. Cloud service manager B. Cloud service deployment C. Cloud service business manager D. Cloud service operations manager

C. The cloud service business manager is responsible for overseeing business plans and customer relationships as well as processing financial transactions.

Your boss has tasked your team with getting your legacy systems and applications connected with new cloud-based services that management has decided are crucial to customer service and offerings. Which role would you be assuming under this directive? A. Cloud service administrator B. Cloud service user C. Cloud service integrator D. Cloud service business manager

C. The cloud service integrator role is responsible for connecting and integrating existing services and applications with cloud-based services. A cloud service administrator is responsible for testing, monitoring, and securing cloud services, as well as providing usage reporting and dealing with service problems. The cloud service user is someone who consumes cloud services. The cloud service business manager is responsible for overseeing the billing, auditing, and purchasing of cloud services.

Which of the following roles involves the provisioning and delivery of cloud services? A. Cloud service deployment manager B. Cloud service business manager C. Cloud service manager D. Cloud service operations manager

C. The cloud service manager is responsible for the delivery of cloud services, the provisioning of cloud services, and the overall management of cloud services.

Which of the following roles is responsible for preparing systems for the cloud, administering and monitoring services, and managing inventory and assets? A. Cloud service business manager B. Cloud service deployment manager C. Cloud service operations manager D. Cloud service manager

C. The cloud service operations manager is responsible for preparing systems for the cloud, administering and monitoring services, providing audit data as requested or required, and managing inventory and assets.

During which phase of the cloud data lifecycle is it possible for the classification of data to change? A. Use B. Archive C. Create D. Share

C. The create phase encompasses any time data is created, imported, or modified. With any change in the content or value of data, the classification may also change. It must be continually reevaluated to ensure proper security. During the use, share, and archive phases, the data is not modified in any way, so the original classification is still relevant.

In the cloud motif, the data owner is usually: A. The cloud provider B. In another jurisdiction C. The cloud customer D. The cloud access security broker

C. The data owner is usually considered the cloud customer in a cloud configuration; the data in question is the customer's information, being processed in the cloud. The cloud provider is only leasing services and hardware to the customer. The cloud access security broker (CASB) only handles access control on behalf of the cloud customer, and is not in direct contact with the production data.

Which of the following are cloud computing roles? A. Cloud service broker and user B. Cloud customer and financial auditor C. CSP and backup service provider D. Cloud service auditor and object

C. The following groups form the key roles and functions associated with cloud computing. They do not constitute an exhaustive list but highlight the main roles and functions within cloud computing:
- Cloud customer: An individual or entity that utilizes or subscribes to cloud-based services or resources.
- CSP: A company that provides cloud-based platform, infrastructure, application, or storage services to other organizations or individuals, usually for a fee; otherwise known to clients "as a service."
- Cloud backup service provider: A third-party entity that manages and holds operational responsibilities for cloud-based data backup services and solutions to customers from a central data center.
- CSB: Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple CSPs. It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services. The CSB can be utilized as a "middleman" to broker the best deal and customize services to the customer's requirements. May also resell cloud services.
- Cloud service auditor: Third-party organization that verifies attainment of SLAs.

What does the management plane typically utilize to perform administrative functions on the hypervisors that it has access to? A. Scripts B. RDP C. APIs D. XML

C. The functions of the management plane are typically exposed as a series of remote calls and function executions and as a set of APIs. These APIs are typically leveraged through either a client or a web portal, with the latter being the most common.

As part of the auditing process, getting a report on the deviations between intended configurations and actual policy is often crucial for an organization. What term pertains to the process of generating such a report? A. Deficiencies B. Findings C. Gap analysis D. Errors

C. The gap analysis determines if there are any differences between the actual configurations in use on systems and the policies that govern what the configurations are expected or mandated to be. The other terms provided are all similar to the correct answer ("findings" in particular is often used to articulate deviations in configurations), but gap analysis is the official term used.

For service provisioning and support, what is the ideal amount of interaction between a cloud customer and cloud provider? A. Half B. Full C. Minimal D. Depends on the contract

C. The goal with any cloud-hosting setup is for the cloud customer to be able to perform most or all its functions for service provisioning and configuration without any need for support from or interaction with the cloud provider beyond the automated tools provided. To fulfill the tenets of on-demand self-service, required interaction with the cloud provider--either half time, full time, or a commensurate amount of time based on the contract--would be in opposition to a cloud's intended use. As such, these answers are incorrect.

Which of the following service capabilities gives the cloud customer the most control over resources and configurations? A. Desktop B. Platform C. Infrastructure D. Software

C. The infrastructure service capability gives the cloud customer substantial control in provisioning and configuring resources, including processing, storage, and network resources.

Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it? A. Integrity B. Availability C. Confidentiality D. Nonrepudiation

C. The main goal of confidentiality is to ensure that sensitive information is not made available or leaked to parties that should not have access to it, while at the same time ensuring that those with appropriate need and authorization to access it can do so in a manner commensurate with their needs and confidentiality requirements.

The baseline should cover which of the following? A. Data breach alerting and reporting B. All regulatory compliance requirements C. As many systems throughout the organization as possible D. A process for version control

C. The more systems that can be included in the baseline, the more cost-effective and scalable the baseline is. The baseline does not deal with breaches or version control; those are the provinces of the security office and CMB, respectively. Regulatory compliance might (and usually will) go beyond the baseline and involve systems, processes, and personnel that are not subject to the baseline.

Which of the following service capabilities gives the cloud customer an established and maintained framework to deploy code and applications? A. Software B. Desktop C. Platform D. Infrastructure

C. The platform service capability provides programming languages and libraries from the cloud provider, where the customer can deploy their own code and applications into a managed and controlled framework.

Which value refers to the amount of data an organization would need to recover in the event of a BCDR situation in order to reach an acceptable level of operations? A. SRE B. RTO C. RPO D. RSL

C. The recovery point objective (RPO) is defined as the amount of data a company would need to maintain and recover in order to function at a level acceptable to management. This may or may not be a restoration to full operating capacity, depending on what management deems as crucial and essential.

Which value refers to the percentage of production level restoration needed to meet BCDR objectives? A. RPO B. RTO C. RSL D. SRE

C. The recovery service level (RSL) is a percentage measure of the total typical production service level that needs to be restored to meet BCDR objectives in the case of a failure.

BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business. Which concept pertains to the required amount of time to restore services to the predetermined level? A. RPO B. RSL C. RTO D. SRE

C. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation. The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the predetermined level of operations necessary during a BCDR situation. SRE is provided as an erroneous response.

Which of the following service capabilities gives the cloud customer the least amount of control over configurations and deployments? A. Platform B. Infrastructure C. Software D. Desktop

C. The software service capability gives the cloud customer a fully established application, where only minimal user configuration options are allowed.

Which phase of the cloud data lifecycle represents the first instance where security controls can be implemented? A. Use B. Share C. Store D. Create

C. The store phase occurs immediately after the create phase, and as data is committed to storage structures, the first opportunity for security controls to be implemented is realized. During the create phase, the data is not yet part of a system where security controls can be applied, and although the use and share phases also entail the application of security controls, they are not the first phase where the process occurs.

Which of the following is not a component of contractual PII? A. Scope of processing B. Value of data C. Location of data D. Use of subcontractors

C. The value of data itself has nothing to do with it being considered a part of contractual

What strategy involves replacing sensitive data with opaque values, usually with a means of mapping it back to the original value? A. Masking B. Anonymization C. Tokenization D. Obfuscation

C. Tokenization is the practice of utilizing a random and opaque "token" value in data to replace what otherwise would be a sensitive or protected data object. The token value is usually generated by the application with a means to map it back to the actual real value, and then the token value is placed in the data set with the same formatting and requirements of the actual real value so that the application can continue to function without different modifications or code changes.

Which of the following is NOT part of criminal law? A. Case law B. Regulation C. Tort law D. Statutes

C. Tort law

Biometrics and fingerprints are examples of what authenticator Type? A. Type 1 B. Type 2 C. Type 3

C. Type 3|A

The SOC Type 2 reports are divided into five principles. Which of the five principles must also be included when auditing any of the other four principles? A. Confidentiality B. Privacy C. Security D. Availability

C. Under the SOC guidelines, when any of the four principles other than security are being audited, which includes availability, confidentiality, processing integrity, and privacy, the security principle must also be included with the audit.

Which of the following types of data would fall under data rights management (DRM) rather than information rights management (IRM)? A. Personnel data B. Security profiles C. Publications D. Financial records

C. Whereas IRM is used to protect a broad range of data, DRM is focused specifically on the protection of consumer media, such as publications, music, movies, and so on. IRM is used to protect general institution data, so financial records, personnel data, and security profiles would all fall under the auspices of IRM.

What is the best source for information about securing a physical asset's BIOS? A. Security policies B. Manual pages C. Vendor documentation D. Regulations

C. Vendor documentation from the manufacturer of the physical hardware is the best source of best practices for securing the BIOS.

During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis? A. Contractual requirements B. Regulations C. Vendor recommendations D. Corporate policy

C. Vendor recommendations would not be pertinent to the gap analysis after an audit. Although vendor recommendations will typically play a role in the development of corporate policies or contractual requirements, they are not required. Regulations, corporate policy, and contractual requirements all determine the expected or mandated controls in place on a system.

For optimal security, trust zones are used for network segmentation and isolation. They allow for the separation of various systems and tiers, each with its own security level. Which of the following is typically used to allow administrative personnel access to trust zones? A. IPSec B. SSH C. VPN D. TLS

C. Virtual private networks (VPNs) are used to provide administrative personnel with secure communication channels through security systems and into trust zones. They allow staff who perform system administration tasks to have access to ports and systems that are not allowed from the public Internet. IPSec is an encryption protocol for point-to-point communications at the network level, and may be used within a trust zone but not to give access into a trust zone. TLS enables encryption of communications between systems and services and would likely be used to secure the VPN communications, but it does not represent the overall concept being asked for in the question. SSH allows for secure shell access to systems, but not for general access into trust zones.

Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like: A. Ransomware B. Syn floods C. XSS and SQL injection D. Password cracking

C. WAFs detect how the application interacts with the environment, so they are optimal for detecting and refuting things like SQL injection and XSS. Password cracking, syn floods, and ransomware usually aren't taking place in the same way as injection and XSS, and they are better addressed with controls at the router and through the use of HIDS, NIDS, and antimalware tools.

What is the biggest concern with hosting a key management system outside of the cloud environment? A. Confidentiality B. Portability C. Availability D. Integrity

C. When a key management system is outside of the cloud environment hosting the application, availability is a primary concern because any access issues with the encryption keys will render the entire application unusable.

From a security perspective, which of the following is a major concern when evaluating possible BCDR solutions? A. Access provisioning B. Auditing C. Jurisdictions D. Authorization

C. When a security professional is considering cloud solutions for BCDR, a top concern is the jurisdiction where the cloud systems are hosted. If the jurisdiction is different from where the production systems are hosted, they may be subjected to different regulations and controls, which would make a seamless BCDR solution far more difficult.

The BC/DR kit should include all of the following except: A. Annotated asset inventory B. Flashlight C. Hard drives D. Documentation equipment

C. While hard drives may be useful in the kit (for instance, if they store BC/DR data such as inventory lists, baselines, and patches), they are not necessarily required. All the other items should be included.

Maintenance mode requires all of these actions except: A. Remove all active production instances B. Ensure logging continues C. Initiate enhanced security controls D. Prevent new logins

C. While the other answers are all steps in moving from normal operations to maintenance mode, we do not necessarily initiate any enhanced security controls.

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except: A. Access to audit logs and performance data B. DLP solution results C. Security control administration D. SIM, SIEM, and SEM logs

C. While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer. Security controls are the sole province of the provider.

Which of the following areas of responsibility would be shared between the cloud customer and cloud provider within the Software as a Service (SaaS) category? A. Data B. Governance C. Application D. Physical

C. With SaaS, the application is a shared responsibility between the cloud provider and cloud customer. Although the cloud provider is responsible for deploying, maintaining, and securing the application, the cloud customer does carry some responsibility for the configuration of users and options. Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. With all cloud service categories, the data and governance are always the sole responsibility of the cloud customer.

With a federated identity system, where would a user perform their authentication when requesting services or application access? A. Cloud provider B. The application C. Their home organization D. Third-party authentication system

C. With a federated identity system, a user will perform authentication with their home organization, and the application will accept the authentication tokens and user information from the identity provider in order to grant access. The purpose of a federated system is to allow users to authenticate from their home organization. Therefore, using the application or a third-party authentication system would be contrary to the purpose of a federated system because it necessitates the creation of additional accounts. The use of a cloud provider would not be relevant to the operations of a federated system.

Which of the following would make it more likely that a cloud provider would be unwilling to satisfy specific certification requirements? A. Resource pooling B. Virtualization C. Multitenancy D. Regulation

C. With cloud providers hosting a number of different customers, it would be impractical for them to pursue additional certifications based on the needs of a specific customer. Cloud environments are built to a common denominator to serve the greatest number of customers, and especially within a public cloud model, it is not possible or practical for a cloud provider to alter their services for specific customer demands.

Which type of cloud model typically presents the most challenges to a cloud customer during the "destroy" phase of the cloud data lifecycle? A. IaaS B. DaaS C. SaaS D. PaaS

C. With many SaaS implementations, data is not isolated to a particular customer but rather is part of the overall application. When it comes to data destruction, a particular challenge is ensuring that all of a customer's data is completely destroyed while not impacting the data of other customers.

Which aspect of cloud computing makes data classification even more vital than in a traditional data center? A. Interoperability B. Virtualization C. Multitenancy D. Portability

C. With multiple tenants within the same hosting environment, any failure to properly classify data may lead to potential exposure to other customers and applications within the same environment.

Which of the following cloud aspects complicates eDiscovery? A. Resource pooling B. On-demand self-service C. Multitenancy D. Measured service

C. With multitenancy, eDiscovery becomes more complicated because the data collection involves extra steps to ensure that only those customers or systems that are within scope are turned over to the requesting authority.

Many aspects and features of cloud computing can make eDiscovery compliance more difficult or costly. Which aspect of cloud computing would be the MOST complicating factor? A. Measured service B. Broad network access C. Multitenancy D. Portability

C. With multitenancy, multiple customers share the same physical hardware and systems. With the nature of a cloud environment and how it writes data across diverse systems that are shared by others, the process of eDiscovery becomes much more complicated. Administrators cannot pull physical drives or easily isolate which data to capture. They not only have to focus on which data they need to collect, while ensuring they find all of it, but they also have to make sure that other data is not accidentally collected and exposed along with it. Measured service is the aspect of a cloud where customers only pay for the services they are actually using, and for the duration of their use. Portability refers to the ease with which an application or service can be moved among different cloud providers. Broad network access refers to the nature of cloud services being accessed via the public Internet, either with or without secure tunneling technologies. None of these concepts would pertain to eDiscovery.

With software-defined networking, what aspect of networking is abstracted from the forwarding of traffic? A. Routing B. Session C. Filtering D. Firewalling

C. With software-defined networking (SDN), the filtering of network traffic is separated from the forwarding of network traffic so that it can be independently administered.

What type of masking strategy involves making a separate and distinct copy of data with masking in place? A. Dynamic B. Replication C. Static D. Duplication

C. With static masking, a separate and distinct copy of the data set is created with masking in place. This is typically done through a script or other process that takes a standard data set, processes it to mask the appropriate and predefined fields, and then outputs the data set as a new one with the completed masking done.

What is the biggest challenge to data discovery in a cloud environment? A. Format B. Ownership C. Location D. Multitenancy

C. With the distributed nature of cloud environments, the foremost challenge for data discovery is awareness of the location of data and keeping track of it during the constant motion of cloud storage systems.

Choose the THREE out-of-place terms: "Cloud computing is a model for enabling (A. ubiquitous B. convenient C. flexible) on-demand network access to a shared pool of (D. configurable E. shared) computing resources that can be rapidly (F. provisioned G. configured and H. released) with minimal management effort or service provider interaction"

C. flexible E. shared F. configured

What is the Cloud Security Alliance Open Certification Framework level (CSA OCF) for Attestation?

CSA STAR Level 2

What is the Cloud Security Alliance Open Certification Framework level (CSA OCF) for Ongoing Monitoring and Certification?

CSA STAR Level 3

Which of the following best describes the purpose and scope of ISO/IEC 27034-1? A. Describes international privacy standards for cloud computing B. Serves as a newer replacement for NIST 800-52 r4 C. Provides an overview of network and infrastructure security designed to secure cloud applications. D. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security.

D.

How many subcategories, which are outcome-driven statements, are there in the NIST CSF? A. 89 B. 92 C. 95 D. 97

D. 97

In addition to battery backup, a UPS can offer which capability? A. Breach alert B. Confidentiality C. Communication redundancy D. Line conditioning

D. A UPS can provide line conditioning, adjusting power so that it is optimized for the devices it serves and smoothing any power fluctuations; it does not offer any of the other listed functions.

When a system needs to be exposed to the public Internet, what type of secure system would be used to perform only the desired operations? A. Firewall B. Proxy C. Honeypot D. Bastion

D. A bastion is a system that is exposed to the public Internet to perform a specific function, but it is highly restricted and secured to just that function. Any nonessential services and access are removed from the bastion so that security countermeasures and monitoring can be focused just on the bastion's specific duties. A honeypot is a system designed to look like a production system to entice attackers, but it does not contain any real data. It is used for learning about types of attacks and enabling countermeasures for them. A firewall is used within a network to limit access between IP addresses and ports. A proxy server provides additional security to and rulesets for network traffic that is allowed to pass through it to a service destination.

Which aspect of cloud computing will be most negatively impacted by vendor lock-in? A. Elasticity B. Reversibility C. Interoperability D. Portability

D. A cloud customer utilizing proprietary APIs or services from one cloud provider that are unlikely to be available from another cloud provider will most negatively impact portability.

Which cloud deployment model would be ideal for a group of universities looking to work together, where each university can gain benefits according to its specific needs? A. Private B. Public C. Hybrid D. Community

D. A community cloud is owned and maintained by similar organizations working toward a common goal. In this case, the universities would all have very similar needs and calendar requirements, and they would not be financial competitors of each other. Therefore, this would be an ideal group for working together within a community cloud. A public cloud model would not work in this scenario because it is designed to serve the largest number of customers, would not likely be targeted toward specific requirements for individual customers, and would not be willing to make changes for them. A private cloud could accommodate such needs, but would not meet the criteria for a group working together, and a hybrid cloud spanning multiple cloud providers would not fit the specifics of the question.

Which of these is NOT one of the basic characteristics of cloud computing as defined by NIST? A. Broad network access B. On-demand services C. Resource pooling D. Centralized management E. Measured or metered service F. Rapid elasticity

D. Centralized management

Which one of the following threat types to applications and services involves the sending of requests that are invalid and manipulated through a user's client to execute commands on the application under the user's own credentials? A. Injection B. Missing function-level access control C. Cross-site scripting D. Cross-site request forgery

D. A cross-site request forgery (CSRF) attack forces a client that a user has used to authenticate to an application to send forged requests under the user's own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although this type of attack cannot be used to steal data directly because the attacker has no way of seeing the results of the commands, it does open other ways to compromise an application. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.

Which of the cloud deployment models offers the most control and input to the cloud customer as to how the overall cloud environment is implemented and configured? A. Public B. Community C. Hybrid D. Private

D. A private cloud model, and the specific contractual relationships involved, will give a cloud customer the greatest level of input and control over how the overall cloud environment is designed and implemented. This would be even more so in cases where the private cloud is owned and operated by the same organization that is hosting services within it.

If a cloud computing customer wishes to guarantee that a minimum level of resources will always be available, which of the following sets of services would comprise the reservation? A. Memory and networking B. CPU and software C. CPU and storage D. CPU and memory

D. A reservation guarantees to a cloud customer that they will have access to a minimal level of resources to run their systems, which will help mitigate against DoS attacks or systems that consume high levels of resources. A reservation pertains to memory and CPU resources. Under the concept of a reservation, memory and CPU are the guaranteed resources, but storage and networking are not included even though they are core components of cloud computing. Software would be out of scope for a guarantee and doesn't really pertain to the concept.

Having a reservation in a cloud environment can ensure operations continue in the event of high utilization across the cloud. Which of the following would NOT be a capability covered by reservations? A. Performing business operations B. Starting virtual machines C. Running applications D. Auto-scaling

D. A reservation will not guarantee auto-scaling is available because it involves the allocation of additional resources beyond what a cloud customer already has provisioned. Reservations will guarantee minimal resources are available to start virtual machines, run applications, and perform normal business operations.

Which networking concept in a cloud environment allows for network segregation and isolation of IP spaces? A. PLAN B. WAN C. LAN D. VLAN

D. A virtual local area network (VLAN) allows the logical separation and isolation of networks and IP spaces to provide enhanced security and controls.

When is a virtual machine susceptible to attacks while a physical server in the same state would not be? A. When it is behind a WAF B. When it is behind an IPS C. When it is not patched D. When it is powered off

D. A virtual machine is ultimately an image file residing on a file system. Because of this, even when a virtual machine is "powered off," it is still susceptible to attacks and modification. A physical server that is powered off would not be susceptible to attacks.

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? A. AES B. Link encryption C. One-time pads D. Homomorphic encryption

D. AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.

Common challenges to encryption key management do NOT include: A. Internally-managed storage B. Externally-managed storage C. Third-party-managed storage D. CSP-managed storage

D. CSP-managed storage

When using a SaaS solution, what is the capability provided to the customer? A. To use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. B. To use the consumer's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. C. To use the consumer's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. D. To use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

D. According to "The NIST Definition of Cloud Computing," in SaaS, "The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based e-mail), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings."

What was the result of EO 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure"? A. All Federal subcontractors must comply with CUI requirements. B. All critical infrastructure providers must adopt and use NIST standards. C. All agencies must transition to NIST SP 800-53 rev. 5. D. All agencies must adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity.

D. All agencies must adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity, or any successor document to manage the agency's cybersecurity risk.

In a cloud environment, encryption should be used for all the following, except: A. Secure sessions/VPN B. Long-term storage of data C. Near-term storage of virtualized images D. Profile formatting

D. All of these activities should incorporate encryption, except for profile formatting, which is a made-up term.

Where is an XML firewall most commonly and effectively deployed in the environment? A. Between the application and data layers B. Between the presentation and application layers C. Between the IPS and firewall D. Between the firewall and application server

D. An XML firewall is most commonly deployed in line between the firewall and application server to validate XML code before it reaches the application. An XML firewall is intended to validate XML before it reaches the application. Placing the XML firewall between the presentation and application layers, between the firewall and IPS, or between the application and data layers would not serve the intended purpose.

Which of the following technologies is used to monitor network traffic and notify if any potential threats or attacks are noticed? A. IPS B. WAF C. Firewall D. IDS

D. An intrusion detection system (IDS) is designed to analyze network packets, compare their contents or characteristics against a set of configurations or signatures, and alert personnel if anything is detected that could constitute a threat or is otherwise designated for alerting.

Which of the cloud cross-cutting aspects relates to the oversight of processes and systems, as well as to ensuring their compliance with specific policies and regulations? A. Governance B. Regulatory requirements C. Service-level agreements D. Auditability

D. Auditing involves reports and evidence that show user activity, compliance with controls and regulations, the systems and processes that run and what they do, as well as information and data access and modification records. A cloud environment adds additional complexity to traditional audits because the cloud customer will not have the same level of access to systems and data as they would in a traditional data center.

Which of the cloud deployment models offers the easiest initial setup and access for the cloud customer? A. Hybrid B. Community C. Private D. Public

D. Because the public cloud model is available to everyone, in most instances all a customer will need to do to gain access is set up an account and provide a credit card number through the service's web portal. No additional contract negotiations, agreements, or specific group memberships are typically needed to get started.

Which of the following is NOT a domain of the Cloud Controls Matrix (CCM)? A. Data center security B. Human resources C. Mobile security D. Budgetary and cost controls

D. Budgetary and cost controls is not one of the domains outlined in the CCM.

What type of segregation and separation of resources is needed within a cloud environment for multitenancy purposes versus a traditional data center model? A. Virtual B. Security C. Physical D. Logical

D. Cloud environments lack the ability to physically separate resources like a traditional data center can. To compensate, cloud computing logical segregation concepts are employed. These include VLANs, sandboxing, and the use of virtual network devices such as firewalls.

What type of cloud model should an organization choose that wants a low-cost solution that has higher levels of privacy and security? A. Private cloud B. Hybrid cloud C. Public cloud D. Community cloud

D. Community cloud

Digital evidence must be all of the following EXCEPT: A. Complete B. Convincing C. Admissible D. Comprehensive E. Authentic F. Accurate

D. Comprehensive

Which ITIL component is an ongoing, iterative process of tracking all deployed and configured resources that an organization uses and depends on, whether they are hosted in a traditional data center or a cloud? A. Problem management B. Continuity management C. Availability management D. Configuration management

D. Configuration management tracks and maintains detailed information about all IT components within an organization. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.

Countermeasures for protecting cloud operations against internal threats include all of the following except: A. Mandatory vacation B. Least privilege C. Separation of duties D. Conflict of interest

D. Conflict of interest is a threat, not a control.

In order to comply with regulatory requirements, which of the following secure erasure methods would be available to a cloud customer using volume storage within the IaaS service model? A. Demagnetizing B. Shredding C. Degaussing D. Cryptographic erasure

D. Cryptographic erasure is a secure method to destroy data by destroying the keys that were used to encrypt it. This method is universally available for volume storage on IaaS and is also extremely quick. Shredding, degaussing, and demagnetizing are all physically destructive methods that would not be permitted within a cloud environment using shared resources.

DLP solutions can aid in deterring loss due to which of the following? A. Power failure B. Performance C. Bad policy D. Malicious disclosure

D. DLP tools can identify outbound traffic that violates the organization's policies. DLP will not protect against losses due to performance issues or power failures. The DLP solution must be configured according to the organization's policies, so bad policies will attenuate the effectiveness of DLP tools, not the other way around.

Which of the following is NOT a commonly used communications method within cloud environments to secure data in transit? A. IPSec B. HTTPS C. VPN D. DNSSEC

D. DNSSEC is used as a security extension to DNS lookup queries in order to ensure the authenticity and authoritativeness of hostname resolutions, in order to prevent spoofing and redirection of traffic. Although it is a very important concept to be employed for security practices, it is not used to secure or encrypt data transmissions. HTTPS is the most commonly used security mechanism for data communications between clients and websites and web services. IPSec is less commonly used, but is also intended to secure communications between servers. VPN is commonly used to secure traffic into a network area or subnet for developers and administrative users.

What are third-party providers of IAM functions for the cloud environment? A. AESs B. SIEMs C. DLPs D. CASBs

D. Data loss, leak prevention, and protection is a family of tools used to reduce the possibility of unauthorized disclosure of sensitive information. SIEMs are tools used to collate and manage log data. AES is an encryption standard.

Three central concepts define what type of data and information an organization is responsible for pertaining to eDiscovery. Which of the following are the three components that comprise required disclosure? A. Possession, ownership, control B. Ownership, use, creation C. Control, custody, use D. Possession, custody, control

D. Data that falls under the purview of an eDiscovery request is that which is in the possession, custody, or control of the organization. Although this is an easy concept in a traditional data center, it can be difficult to distinguish who actually possesses and controls the data in a cloud environment due to multitenancy and resource pooling. Although these options provide similar-sounding terms, they are ultimately incorrect.

Which of the following approaches would NOT be considered sufficient to meet the requirements of secure data destruction within a cloud environment? A. Cryptographic erasure B. Zeroing C. Overwriting D. Deletion

D. Deletion merely removes the pointers to data on a system; it does nothing to actually remove and sanitize the data. As such, the data remains in a recoverable state, and more secure methods are needed to ensure it has been destroyed and is not recoverable by another party.

In this phase of the Data Life Cycle, data is permanently destroyed. A. Share B. Use C. Archive D. Destroy E. Create F. Store

D. Destroy

Clustered systems can be used to ensure high availability and load balancing across individual systems through a variety of methodologies. What process is used within a clustered system to ensure proper load balancing and to maintain the health of the overall system to provide high availability? A. Distributed clustering B. Distributed balancing C. Distributed optimization D. Distributed resource scheduling

D. Distributed resource scheduling (DRS) is used within all clustered systems as the method for providing high availability, scaling, management, workload distribution, and the balancing of jobs and processes. None of the other choices is the correct term in this case.

What process is used within a cloud environment to maintain resource balancing and ensure that resources are available where and when needed? A. Dynamic clustering B. Dynamic balancing C. Dynamic resource scheduling D. Dynamic optimization

D. Dynamic optimization is the process through which the cloud environment is constantly maintained to ensure resources are available when and where needed, and that physical nodes do not become overloaded or near capacity, while others are underutilized.

What process is used within a clustered system to provide high availability and load balancing? A. Dynamic balancing B. Dynamic clustering C. Dynamic optimization D. Dynamic resource scheduling

D. Dynamic resource scheduling (DRS) is used within all clustering systems as the method for clusters to provide high availability, scaling, management, and workload distribution and balancing of jobs and processes. From a physical infrastructure perspective, DRS is used to balance compute loads between physical hosts in a cloud to maintain the desired thresholds and limits on the physical hosts.

What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud? A. Obfuscation B. Elasticity C. Mobility D. Portability

D. Elasticity is the name for the benefit of cloud computing where resources can be apportioned as necessary to meet customer demand. Obfuscation is a technique to hide full raw datasets, either from personnel who do not have need to know or for use in testing. Mobility is not a term pertinent to the CBK.

Which of the following is NOT a concern for moving to the cloud: A. Security B. Privacy C. Compliance D. Expertise E. Interoperability F. Lock-Ins

D. Expertise

Which of the following terms is NOT a commonly used category of risk acceptance? A. Moderate B. Critical C. Minimal D. Accepted

D. Accepted is not a risk acceptance category. The risk acceptance categories are minimal, low, moderate, high, and critical.

Which of the following threat types involves leveraging a user's browser to send untrusted data to be executed with legitimate access via the user's valid credentials? A. Injection B. Missing function-level access control C. Cross-site scripting D. Cross-site request forgery

D. Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without going through any validation or sanitization processes, or perhaps the code is not properly escaped from processing by the browser. The code is then executed on the user's browser with their own access and permissions, allowing the attacker to redirect the user's web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials.

Which of the following is NOT a major regulatory framework? A. PCI DSS B. HIPAA C. SOX D. FIPS 140-2

D. FIPS 140-2 is a United States certification standard for cryptographic modules, and it provides guidance and requirements for their use based on the requirements of the data classification. However, these are not actual regulatory requirements. The Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS) are all major regulatory frameworks either by law or specific to an industry.

Digital investigations have adopted many of the same methodologies and protocols as other types of criminal or scientific inquiries. What term pertains to the application of scientific norms and protocols to digital investigations? A. Scientific B. Investigative C. Methodological D. Forensics

D. Forensics refers to the application of scientific methods and protocols to the investigation of crimes. Although forensics has traditionally been applied to well-known criminal proceedings and investigations, the term equally applies to digital investigations and methods. Although the other answers provide similar-sounding terms and ideas, none is the appropriate answer in this case.

Implementing baselines on systems would take an enormous amount of time and resources if the staff had to apply them to each server, and over time, it would be almost impossible to keep all the systems in sync on an ongoing basis. Which of the following is NOT a package that can be used for implementing and maintaining baselines across an enterprise? A. Puppet B. SCCM C. Chef D. GitHub

D. GitHub is a software development platform that serves as a code repository and versioning system. It is solely used for software development and would not be appropriate for applying baselines to systems. Puppet is an open-source configuration management tool that runs on many platforms and can be used to apply and maintain baselines. The Software Center Configuration Manager (SCCM) was developed by Microsoft for managing systems across large groups of servers. Chef is also a system for maintaining large groups of systems throughout an enterprise.

Which of the following is a restriction that can be enforced by information rights management (IRM) that is not possible for traditional file system controls? A. Delete B. Modify C. Read D. Print

D. IRM allows an organization to control who can print a set of information. This is not possible under traditional file system controls, where if a user can read a file, they are able to print it as well.

With the rapid emergence of cloud computing, very few regulations were in place that pertained to it specifically, and organizations often had to resort to using a collection of regulations that were not specific to cloud in order to drive audits and policies. Which standard from the ISO/IEC was designed specifically for cloud computing? A. ISO/IEC 27001 B. ISO/IEC 19889 C. ISO/IEC 27001:2015 D. ISO/IEC 27018

D. ISO/IEC 27018 was implemented to address the protection of personal and sensitive information within a cloud environment. ISO/IEC 27001 and its later 27001:2015 revision are both general-purpose data security standards. ISO/IEC 19889 is an erroneous answer.

ISO/IEC has established international standards for many aspects of computing and any processes or procedures related to information technology. Which ISO/IEC standard has been established to provide a framework for handling eDiscovery processes? A. ISO/IEC 27001 B. ISO/IEC 27002 C. ISO/IEC 27040 D. ISO/IEC 27050

D. ISO/IEC 27050 strives to establish an internationally accepted standard for eDiscovery processes and best practices. It encompasses all steps of the eDiscovery process, including the identification, preservation, collection, processing, review, analysis, and the final production of the requested data archive. ISO/IEC 27001 is a general security specification for an information security management system. ISO/IEC 27002 gives best practice recommendations for information security management. ISO/IEC 27040 is focused on the security of storage systems.

Which is NOT one of the four phases of IAM? A. Privileged User Management B. Authentication and Access Management C. Centralized Directory Services D. Identifier Management E. Provisioning and de-provisioning

D. Identifier Management

When an organization is considering a cloud environment for hosting BCDR solutions, which of the following would be the greatest concern? A. Self-service B. Resource pooling C. Availability D. Location

D. If an organization wants to use a cloud service for BCDR, the location of the cloud hosting becomes a very important security consideration due to regulations and jurisdiction, which could be dramatically different from the organization's normal hosting locations. Availability is a hallmark of any cloud service provider, and likely will not be a prime consideration when an organization is considering using a cloud for BCDR; the same goes for self-service options. Resource pooling is common among all cloud systems and would not be a concern when an organization is dealing with the provisioning of resources during a disaster.

What is the cloud service model in which the customer is responsible for administration of the OS? A. QaaS B. SaaS C. PaaS D. IaaS

D. In IaaS, the cloud provider only owns the hardware and supplies the utilities. The customer is responsible for the OS, programs, and data. In PaaS and SaaS, the provider also owns the OS. There is no QaaS. That is a red herring.

In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party? A. The users of the various organizations within the federation/a CASB B. Each member organization/a trusted third party C. Each member organization/each member organization D. A contracted third party/the various member organizations of the federation

D. In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust. This makes the third party the identifier (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are the relying parties (the resource providers that share resources based on approval from the third party).

Tokenization requires two distinct _________________ . A. Personnel B. Authentication factors C. Encryption keys D. Databases

D. In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.

Apart from using encryption at the file system level, what technology is the most widely used to protect data stored in an object storage system? A. TLS B. HTTPS C. VPN D. IRM

D. Information rights management (IRM) technologies allow security controls and policies to be enforced on a data object regardless of where it resides. They also allow for extended controls such as expirations and copying restrictions, which are not available through traditional control mechanisms. Hypertext Transfer Protocol Secure (HTTPS), virtual private network (VPN), and Transport Layer Security (TLS) are all technologies and protocols that are widely used with cloud implementations for secure access to systems and services and likely will be used in conjunction with other object data protection strategies.

Legal controls refer to which of the following? A. ISO 27001 B. PCI DSS C. NIST 800-53r4 D. Controls designed to comply with laws and regulations related to the cloud environment

D. Legal controls are those controls that are designed to comply with laws and regulations whether they be local or international.

Which of the following represents a control on the maximum amount of resources that a single customer, virtual machine, or application can consume within a cloud environment? A. Share B. Reservation C. Provision D. Limit

D. Limits are put in place to enforce a maximum on the amount of memory or processing a cloud customer can use. This can be done either on a virtual machine or as a comprehensive whole for a customer, and is meant to ensure that enormous cloud resources cannot be allocated or consumed by a single host or customer to the detriment of other hosts and customers.

Which of the following is the best example of a key component of regulated PII? A. Audit rights of subcontractors B. Items that should be implemented C. PCI DSS D. Mandatory breach reporting

D. Mandatory breach reporting is the best example of regulated PII components. The rest are generally considered components of contractual PII.

Which of the following would be considered an example of insufficient due diligence leading to security or operational problems when moving to a cloud? A. Monitoring B. Use of a remote key management system C. Programming languages used D. Reliance on physical network controls

D. Many organizations in a traditional data center make heavy use of physical network controls for security. Although this is a perfectly acceptable best practice in a traditional data center, this reliance is not something that will port to a cloud environment. The failure of an organization to properly understand and adapt to the difference in network controls when moving to a cloud will likely leave an application with security holes and vulnerabilities. The use of a remote key management system, monitoring, or certain programming languages would not constitute insufficient due diligence by itself.

Which aspect of cloud computing pertains to cloud customers only paying for the resources and services they actually use? A. Metered service B. Measured billing C. Metered billing D. Measured service

D. Measured service is the aspect of cloud computing that pertains to cloud services and resources being billed in a metered way, based only on the level of consumption and duration of the cloud customer. Although they sound similar to the correct answer, none of the other choices is the actual cloud terminology.

Which aspect of cloud computing would make the use of a cloud the most attractive as a BCDR solution? A. Interoperability B. Resource pooling C. Portability D. Measured service

D. Measured service means that costs are only incurred when a cloud customer is actually using cloud services. This is ideal for a business continuity and disaster recovery (BCDR) solution because it negates the need to keep hardware or resources on standby in case of a disaster. Services can be initiated when needed and without costs unless needed.

Following a business requirement analysis, Bill determines that the SaaS must be secure to meet compliance needs. What type of requirement is this? A. Functional B. Legal C. Policy D. Non-functional

D. Non-functional

Which cloud storage type is typically used to house virtual machine images that are used throughout the environment? A. Structured B. Unstructured C. Volume D. Object

D. Object storage is typically used to house virtual machine images because it is independent from other systems and is focused solely on storage. It is also the most appropriate for handling large individual files. Volume storage, because it is allocated to a specific host, would not be appropriate for the storing of virtual images. Structured and unstructured are storage types specific to PaaS and would not be used for storing items used throughout a cloud environment.

What type of storage structure does object storage employ to maintain files? A. Directory B. Hierarchical C. Tree D. Flat

D. Object storage uses a flat file system to hold storage objects; it assigns files a key value that is then used to access them, rather than relying on directories or descriptive filenames. Typical storage layouts such as tree, directory, and hierarchical structures are used within volume storage, whereas object storage maintains a flat structure with key values.

What controls the formatting and security settings of a volume storage system within a cloud environment? A. Management plane B. SAN host controller C. Hypervisor D. Operating system of the host

D. Once a storage LUN is allocated to a virtual machine, the operating system of that virtual machine will format, manage, and control the file system and security of the data on that LUN.

Which of the following best describes the Organizational Normative Framework (ONF)? A. A set of application security, and best practices, catalogued and leveraged by the organization B. A container for components of an application's security, best practices catalogued and leveraged by the organization C. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization D. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization.

D. Option B is incorrect, because it refers to a specific application's security elements, meaning it is about an ANF, not the ONF. C is true, but not as complete as D, making D the better choice. C suggests that the framework contains only "some" of the components, which is why B (which describes "all" components) is better.

When an organization is considering the use of cloud services for BCDR planning and solutions, which of the following cloud concepts would be the most important? A. Reversibility B. Elasticity C. Interoperability D. Portability

D. Portability is the ability for a service or system to easily move among different cloud providers. This is essential for using a cloud solution for BCDR because vendor lock-in would inhibit easily moving and setting up services in the event of a disaster, or it would necessitate a large number of configuration or component changes to implement. Interoperability, or the ability to reuse components for other services or systems, would not be an important factor for BCDR. Reversibility, or the ability to remove all data quickly and completely from a cloud environment, would be important at the end of a disaster, but would not be important during setup and deployment. Elasticity, or the ability to resize resources to meet current demand, would be very beneficial to a BCDR situation, but not as vital as portability.

Which ITIL component is focused on anticipating predictable problems and ensuring that configurations and operations are in place to prevent these problems from ever occurring? A. Availability management B. Continuity management C. Configuration management D. Problem management

D. Problem management is focused on identifying and mitigating known problems and deficiencies before they are able to occur, as well as on minimizing the impact of incidents that cannot be prevented. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Configuration management tracks and maintains detailed information about all IT components within an organization.

Which concept BEST describes the capability for a cloud environment to automatically scale a system or application, based on its current resource demands? A. On-demand self-service B. Resource pooling C. Measured service D. Rapid elasticity

D. Rapid elasticity allows a cloud environment to automatically add or remove resources to or from a system or application based on its current demands. Whereas a traditional data center model would require standby hardware and substantial effort to add resources in response to load increases, a cloud environment can easily and rapidly expand to meet resource demands, so long as the application is properly implemented for it.

Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used? A. Infrastructure B. Platform C. Application D. Data

D. Regardless of which cloud-hosting model is used, the cloud customer always has sole responsibility for the data and its security.

The application normative framework is best described as which of the following? A. A superset of the ONF B. A stand-alone framework for storing security practices for the ONF C. The complete ONF D. A subnet of the ONF

D. Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization). Therefore, the ANF is a subset of the ONF.

What does the REST API use to protect data transmissions? A. NetBIOS B. VPN C. Encapsulation D. TLS

D. Representational State Transfer (REST) uses TLS for communication over secured channels. Although REST also supports SSL, at this point SSL has been phased out due to vulnerabilities and has been replaced by TLS.

You need to gain approval to begin moving your company's data and systems into a cloud environment. However, your CEO has mandated the ability to easily remove your IT assets from the cloud provider as a precondition. Which of the following cloud concepts would this pertain to? A. Removability B. Extraction C. Portability D. Reversibility

D. Reversibility is the cloud concept involving the ability for a cloud customer to remove all of its data and IT assets from a cloud provider. Also, processes and agreements would be in place with the cloud provider that ensure all removals have been completed fully within the agreed upon timeframe. Portability refers to the ability to easily move between different cloud providers and not be locked into a specific one. Removability and extraction are both provided as terms similar to reversibility, but neither is the official term or concept.

Audits are either done based on the status of a system or application at a specific time or done as a study over a period of time that takes into account changes and processes. Which of the following pairs matches an audit type that is done over time, along with the minimum span of time necessary for it? A. SOC Type 2, one year B. SOC Type 1, one year C. SOC Type 2, one month D. SOC Type 2, six months

D. SOC Type 2 audits are done over a period of time, with six months being the minimum duration. SOC Type 1 audits are designed with a scope that's a static point in time, and the other times provided for SOC Type 2 are incorrect.

When an API is being leveraged, it will encapsulate its data for transmission back to the requesting party or service. What is the data encapsulation used with the SOAP protocol referred to as? A. Packet B. Payload C. Object D. Envelope

D. Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope. It then leverages common communications protocols for transmission. Object is a type of cloud storage, but also a commonly used term with certain types of programming languages. Packet and payload are terms that sound similar to envelope but are not correct in this case.

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is: A. Many states have data breach notification laws. B. Breaches can cause the loss of proprietary data. C. Breaches can cause the loss of intellectual property. D. Legal liability can't be transferred to the cloud provider.

D. State notification laws and the loss of proprietary data/intellectual property pre-existed the cloud; only the lack of ability to transfer liability is new.

What type of masking would you employ to produce a separate data set for testing purposes based on production data without any sensitive information? A. Dynamic B. Tokenized C. Replicated D. Static

D. Static masking involves taking a data set and replacing sensitive fields and values with non-sensitive or garbage data. This is done to enable testing of an application against data that resembles production data, both in size and format, but without containing anything sensitive. Dynamic masking involves the live and transactional masking of data while an application is using it. Tokenized would refer to tokenization, which is the replacing of sensitive data with a key value that can later be matched back to the original value, and although it could be used as part of the production of test data, it does not refer to the overall process. Replicated is provided as an erroneous answer, as replicated data would be identical in value and would not accomplish the production of a test set.

Which cloud storage type requires special consideration on the part of the cloud customer to ensure they do not program themselves into a vendor lock-in situation? A. Unstructured B. Object C. Volume D. Structured

D. Structured storage is designed, maintained, and implemented by a cloud service provider as part of a PaaS offering. It is specific to that cloud provider and the way they have opted to implement systems, so special care is required to ensure that applications are not designed in a way that will lock the cloud customer into a specific cloud provider with that dependency. Unstructured storage for auxiliary files would not lock a customer into a specific provider. With volume and object storage, because the cloud customer maintains their own systems with IaaS, moving and replicating to a different cloud provider would be very easy.

Which data state would be most likely to use TLS as a protection mechanism? A. Data in use B. Data at rest C. Archived D. Data in transit

D. TLS would be used with data in transit, when packets are exchanged between clients or services and sent across a network. During the data-in-use state, the data is already protected via a technology such as TLS as it is exchanged over the network and then relies on other technologies such as digital signatures for protection while being used. The data-at-rest state primarily uses encryption for stored file objects. Archived data would be the same as data at rest.

A UPS should have enough power to last how long? A. One day B. 12 hours C. Long enough for graceful shutdown D. 10 minutes

D. Team-building has nothing to do with SAST; all the rest of the answers are characteristics of SAST.

On large distributed systems with pooled resources, cloud computing relies on extensive orchestration to maintain the environment and the constant provisioning of resources. Which of the following is crucial to the orchestration and automation of networking resources within a cloud? A. DNSSEC B. DNS C. DCOM D. DHCP

D. The Dynamic Host Configuration Protocol (DHCP) automatically configures network settings for a host so that these settings do not need to be configured on the host statically. Given the rapid and programmatic provisioning of resources within a cloud environment, this capability is crucial to cloud operations. Both DNS and its security-integrity extension DNSSEC provide name resolution to IP addresses, but neither is used for the configuration of network settings on a host. DCOM refers to the Distributed Component Object Model, which was developed by Microsoft as a means to request services across a network, and is not used for network configurations at all.

Which United States law is focused on PII as it relates to the financial industry? A. HIPAA B. SOX C. Safe Harbor D. GLBA

D. The GLBA, as it is commonly called based on the lead sponsors and authors of the act, is officially known as "The Financial Modernization Act of 1999." It is specifically focused on PII as it relates to financial institutions. There are three specific components of it, covering various areas and use, on top of a general requirement that all financial institutions must provide all users and customers with a written copy of their privacy policies and practices, including with whom and for what reasons their information may be shared with other entities.

Which United States law is focused on data related to health records and privacy? A. Safe Harbor B. SOX C. GLBA D. HIPAA

D. The Health Insurance Portability and Accountability Act (HIPAA) requires the U.S. Federal Department of Health and Human Services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers, and insurance companies. It is focused on the security controls and confidentiality of medical records, rather than the specific technologies used, so long as they meet the requirements of the regulations.

Although the United States does not have a single, comprehensive privacy and regulatory framework, a number of specific regulations pertain to types of data or populations. Which of the following is NOT a regulatory system from the United States federal government? A. HIPAA B. SOX C. FISMA D. PCI DSS

D. The Payment Card Industry Data Security Standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry-regulatory standard, not a governmental one. The Sarbanes-Oxley Act (SOX) was passed in 2002 and pertains to financial records and reporting, as well as transparency requirements for shareholders and other stakeholders. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and pertains to data privacy and security for medical records. FISMA refers to the Federal Information Security Management Act of 2002 and pertains to the protection of all US federal government IT systems, with the exception of national security systems.

Jurisdictions have a broad range of privacy requirements pertaining to the handling of personal data and information. Which jurisdiction requires all storage and processing of data that pertains to its citizens to be done on hardware that is physically located within its borders? A. Japan B. United States C. European Union D. Russia

D. The Russian government requires all data and processing of information about its citizens to be done solely on systems and applications that reside within the physical borders of the country. The United States, European Union, and Japan focus their data privacy laws on requirements and methods for the protection of data, rather than where the data physically resides.

There is a large gap between the privacy laws of the United States and those of the European Union. Bridging this gap is necessary for American companies to do business with European companies and in European markets in many situations, as the American companies are required to comply with the stricter requirements. Which US program was designed to help companies overcome these differences? A. SOX B. HIPAA C. GLBA D. Safe Harbor

D. The Safe Harbor regulations were developed by the Department of Commerce and are meant to serve as a way to bridge the gap between privacy regulations of the European Union and the United States. Due to the lack of adequate privacy laws and protection on the federal level in the US, European privacy regulations generally prohibit the exporting of PII from Europe to the United States. Participation in the Safe Harbor program is voluntary on the part of US organizations. These organizations must conform to specific requirements and policies that mirror those from the EU, thus possibly fulfilling the EU requirements for data sharing and export. This way, American businesses can be allowed to serve customers in the EU. The Health Insurance Portability and Accountability Act (HIPAA) pertains to the protection of patient medical records and privacy. The Gramm-Leach-Bliley Act (GLBA) focuses on the use of PII within financial institutions. The Sarbanes-Oxley Act (SOX) regulates the financial and accounting practices used by organizations in order to protect shareholders from improper practices and errors.

In the wake of many scandals with major corporations involving fraud and the deception of investors and regulators, which of the following laws was passed to govern accounting and financial records and disclosures? A. GLBA B. Safe Harbor C. HIPAA D. SOX

D. The Sarbanes-Oxley Act (SOX) regulates the financial and accounting practices used by organizations in order to protect shareholders from improper practices and accounting errors. The Health Insurance Portability and Accountability Act (HIPAA) pertains to the protection of patient medical records and privacy. The Gramm-Leach-Bliley Act (GLBA) focuses on the use of PII within financial institutions. The Safe Harbor program was designed by the US government as a way for American companies to comply with European Union privacy laws.

Within a federated identity system, which of the following would you be MOST likely to use for sending information for consumption by a relying party? A. XML B. HTML C. WS-Federation D. SAML

D. The Security Assertion Markup Language (SAML) is the most widely used method for encoding and sending attributes and other information from an identity provider to a relying party. WS-Federation, which is used by Active Directory Federation Services (ADFS), is the second most used method for sending information to a relying party, but it is not a better choice than SAML. XML is similar to SAML in the way it encodes and labels data, but it does not have all of the required extensions that SAML does. HTML is not used within federated systems at all.

Which protocol, as a part of TLS, handles negotiating and establishing a connection between two parties? A. Record B. Binding C. Negotiation D. Handshake

D. The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables a secure communications channel to then handle data transmissions. The TLS record protocol is the actual secure communications method for transmitting data; it's responsible for the encryption and authentication of packets throughout their transmission between the parties, and in some cases it also performs compression. Negotiation and binding are not protocols under TLS.

Which protocol, as a part of TLS, handles the actual secure communications and transmission of data? A. Negotiation B. Handshake C. Transfer D. Record

D. The TLS record protocol is the actual secure communications method for transmitting data; it's responsible for encrypting and authenticating packets throughout their transmission between the parties, and in some cases it also performs compression. The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables the secure communications channel to then handle data transmissions. Negotiation and transfer are not protocols under TLS.

Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority? A. European Union B. Germany C. Russia D. United States

D. The United States lacks a single comprehensive law at the federal level addressing data security and privacy, but there are multiple federal laws that deal with different industries.

Data center and operations design traditionally takes a tiered, topological approach. Which of the following standards is focused on that approach and is prevalently used throughout the industry? A. IDCA B. NFPA C. BICSI D. Uptime Institute

D. The Uptime Institute publishes the most widely known and used standard for data center topologies and tiers. The National Fire Protection Association (NFPA) publishes a broad range of fire safety and design standards for many different types of facilities. Building Industry Consulting Services International (BICSI) issues certifications for data center cabling. The International Data Center Authority (IDCA) offers the Infinity Paradigm, which takes a macro-level approach to data center design.

Which component of ITIL involves the creation of an RFC ticket and obtaining official approvals for it? A. Problem management B. Release management C. Deployment management D. Change management

D. The change management process involves the creation of the official Request for Change (RFC) ticket, which is used to document the change, obtain the required approvals from management and stakeholders, and track the change to completion. Release management is a subcomponent of change management, where the actual code or configuration change is put into place. Deployment management is similar to release management, but it's where changes are actually implemented on systems. Problem management is focused on the identification and mitigation of known problems and deficiencies before they are able to occur.

Which of the following roles involves testing, monitoring, and securing cloud services for an organization? A. Cloud service integrator B. Cloud service business manager C. Cloud service user D. Cloud service administrator

D. The cloud service administrator is responsible for testing cloud services, monitoring services, administering security for services, providing usage reports on cloud services, and addressing problem reports.

Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes? A. Cloud service business manager B. Cloud service operations manager C. Cloud service manager D. Cloud service deployment manager

D. The cloud service deployment manager is responsible for gathering metrics on cloud services, managing cloud deployments and the deployment process, and defining the environments and processes.

Which of the following roles is responsible for creating cloud components and the testing and validation of services? A. Cloud auditor B. Inter-cloud provider C. Cloud service broker D. Cloud service developer

D. The cloud service developer is responsible for developing and creating cloud components and services, as well as for testing and validating services.

Which of the following roles involves the connection and integration of existing systems and services to a cloud environment? A. Cloud service business manager B. Cloud service user C. Cloud service administrator D. Cloud service integrator

D. The cloud service integrator is the official role that involves connecting and integrating existing systems and services with a cloud environment. This may involve moving services into a cloud environment, or connecting to external cloud services and capabilities from traditional data center-hosted services.

Which of the following represents a prioritization of applications or cloud customers for the allocation of additional requested resources when there is a limitation on available resources? A. Provision B. Limit C. Reservation D. Share

D. The concept of shares within a cloud environment is used to mitigate and control the request for resource allocations from customers that the environment may not have the current capability to allow. Shares work by prioritizing hosts within a cloud environment through a weighting system that is defined by the cloud provider. When periods of high utilization and allocation are reached, the system automatically uses scoring of each host based on its share value to determine which hosts get access to the limited resources still available. The higher the value a particular host has, the more resources it will be allowed to utilize.

User access to the cloud environment can be administered in all of the following ways except: A. Provider provides administration on behalf of the customer B. Customer directly administers access C. Third party provides administration on behalf of the customer D. Customer provides administration on behalf of the provider

D. The customer does not administer on behalf of the provider. All the rest are possible options.

Which of the following is the optimal humidity level for a data center, per the guidelines established by the American Society of Heating, Refrigeration, and Air-Conditioning Engineers (ASHRAE)? A. 30-50 percent relative humidity B. 50-75 percent relative humidity C. 20-40 percent relative humidity D. 40-60 percent relative humidity

D. The guidelines from ASHRAE establish 40-60 percent relative humidity as optimal for a data center.

Your new CISO is placing increased importance and focus on regulatory compliance as your applications and systems move into cloud environments. Which of the following would NOT be a major focus of yours as you develop a project plan to focus on regulatory compliance? A. Data in transit B. Data in use C. Data at rest D. Data custodian

D. The jurisdictions where data is being stored, processed, or consumed are the ones that dictate the regulatory frameworks and compliance requirements, regardless of who the data owner or custodian might be. The other concepts for protecting data would all play a prominent role in regulatory compliance with a move to the cloud environment. Each concept needs to be evaluated based on the new configurations as well as any potential changes in jurisdiction or requirements introduced with the move to a cloud.

What is the correct order of the phases of the data life cycle? A. Create, Use, Store, Share, Archive, Destroy B. Create, Archive, Store, Share, Use, Destroy C. Create, Store, Use, Archive, Share, Destroy D. Create, Store, Use, Share, Archive, Destroy

D. The other options are the names of the phases, but out of proper order.

Which value refers to the amount of time it takes to recover operations in a BCDR situation to meet management's objectives? A. RSL B. RPO C. SRE D. RTO

D. The recovery time objective (RTO) is a measure of the amount of time it would take to recover operations in the event of a disaster to the point where management's objectives are met for BCDR.

Within a federated identity system, which entity accepts tokens from the identity provider? A. Assertion manager B. Servicing party C. Proxy party D. Relying party

D. The relying party is attached to the application or service that a user is trying to access, and it accepts authentication tokens from the user's own identity provider in order to facilitate authentication and access. The other terms provided are all associated with federated systems, but none is the correct choice in this case.

Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider? A. Redundant uplink grafts B. Background checks for the provider's personnel C. The physical layout of the datacenter D. Use of subcontractors

D. The use of subcontractors can add risk to the supply chain and should be considered; trusting the provider's management of their vendors and suppliers (including subcontractors) is important to trusting the provider. Conversely, the customer is not likely to be allowed to review the physical design of the datacenter (or, indeed, even know the exact location of the datacenter) or the personnel security specifics for the provider's staff. "Redundant uplink grafts" is a nonsense term used as a distractor.

The various models generally available for cloud BC/DR activities include all of the following except: A. Private architecture, cloud backup B. Cloud provider, backup from another cloud provider C. Cloud provider, backup from same provider D. Cloud provider, backup from private provider

D. This is not a normal configuration and would not likely provide genuine benefit.

What changes are necessary to application code in order to implement DNSSEC? A. Adding encryption modules B. Implementing certificate validations C. Additional DNS lookups D. No changes are needed.

D. To implement DNSSEC, no additional changes are needed to applications or their code because the integrity checks are all performed at the system level.

Where is a DLP solution generally installed when utilized for monitoring data in use? A. Application server B. Database server C. Network perimeter D. User's client

D. To monitor data in use, the DLP solution's optimal location would be on the user's client or workstation, where the data would be used or processed, and where it would be most vulnerable to access or exposure. The network perimeter is most appropriate for data in transit, and an application server would serve as middle stage between data at rest and data in use, but is a less correct answer than a user's client. A database server would be an example of a location appropriate for monitoring data at rest.

Which of the following intellectual property types can be prosecuted criminally? A. Trademark B. Patent C. Copyright D. Trade Secret

D. Trade Secret

IRM solutions allow an organization to place different restrictions on data usage than would otherwise be possible through traditional security controls. Which of the following controls would be possible with IRM that would not with traditional security controls? A. Copy B. Read C. Delete D. Print

D. Traditional security controls would not be able to restrict a user from printing something that they have the ability to access and read, but IRM solutions would allow for such a restriction. If a user has permissions to read a file, he can also copy the file or print it under traditional controls, and the ability to modify or write will give the user the ability to delete.

What provides the information to an application to make decisions about the authorization level appropriate when granting access? A. User B. Relying party C. Federation D. Identity Provider

D. Upon successful user authentication, the identity provider gives information about the user to the relying party that it needs to make authorization decisions for granting access as well as the level of access needed.

The cloud customer's trust in the cloud provider can be enhanced by all of the following except: A. SLAs B. Shared administration C. Audits D. Real-time video surveillance

D. Video surveillance will not provide meaningful information and will not enhance trust. All the others will do it.

Which of the following is NOT a type of database encryption? A. File-level B. Transparent C. Application-level D. Volume-level

D. Volume-level

You are working for a cloud service provider and receive an eDiscovery order pertaining to one of your customers. Which of the following would be the most appropriate action to take first? A. Take a snapshot of the virtual machines B. Escrow the encryption keys C. Copy the data D. Notify the customer

D. When a cloud service provider receives an eDiscovery order pertaining to one of their customers, the first action they must take is to notify the customer. This allows the customer to be aware of what was received, as well as to conduct a review to determine if any challenges are necessary or warranted. Taking snapshots of virtual machines, copying data, and escrowing encryption keys are all processes involved in the actual collection of data and should not be performed until the customer has been notified of the request.

The different cloud service models have varying levels of responsibilities for functions and operations depending on the model's level of service. In which of the following models would the responsibility for patching lie predominantly with the cloud customer? A. DaaS B. SaaS C. PaaS D. IaaS

D. With Infrastructure as a Service (IaaS), the cloud customer is responsible for deploying and maintaining its own systems and virtual machines. Therefore, the customer is solely responsible for patching and any other security updates it finds necessary. With Software as a Service (SaaS), Platform as a Service (PaaS), and Desktop as a Service (DaaS), the cloud provider maintains the infrastructure components and is responsible for maintaining and patching them.

Which of the following statements best describes a Type 1 hypervisor? A. The hypervisor software runs within an operating system tied to the hardware. B. The hypervisor software runs as a client on a server and needs an external service to administer it. C. The hypervisor software runs on top of an application layer. D. The hypervisor software runs directly on "bare metal" without an intermediary.

D. With a Type 1 hypervisor, the hypervisor software runs directly on top of the bare-metal system, without any intermediary layer or hosting system. None of these statements describes a Type 1 hypervisor.

What is the primary reason that makes resolving jurisdictional conflicts complicated? A. Different technology standards B. Costs C. Language barriers D. Lack of international authority

D. With international operations, systems ultimately cross many jurisdictional boundaries, and many times, they conflict with each other. The major hurdle to overcome for an organization is the lack of an ultimate international authority to mediate such conflicts, with a likely result of legal efforts in each jurisdiction.

Where is an XML firewall most commonly deployed in the environment? A. Between the application and data layers B. Between the IPS and firewall C. Between the presentation and application layers D. Between the firewall and application server

D. XML firewalls are most commonly deployed in line between the firewall and application server to validate XML code before it reaches the application.

Which of the following is NOT a criterion for data within the scope of eDiscovery? A. Possession B. Custody C. Control D. Archive

D. eDiscovery pertains to information and data that is in the possession, control, and custody of an organization.

If you're using iSCSI in a cloud environment, what must come from an external protocol or application? A. Kerberos support B. CHAP support C. Authentication D. Encryption

D. iSCSI does not natively support encryption, so another technology such as IPsec must be used to encrypt communications.

What does the first "D" stand for in the DREAD threat model?

Damage potential

In this phase of the Data Life Cycle, new digital content is created. A. Share B. Use C. Archive D. Destroy E. Create F. Store

E. Create

Which of the following is NOT part of a Data Retention Policy? A. Retention Period B. Regulatory requirements C. Data mapping D. Data classification E. Data categorization F. Retention formats G. Data retention procedure H. Data retrieval procedure I. Monitoring, maintenance, and enforcement

E. Data categorization

Which is the strongest method for data masking or data obfuscation? A. Random substitution B. Algorithmic substitution C. Shuffle D. Masking E. Deletion

E. Deletion. Substitution can be reversed. Masking can be attacked via inference.

What EAL Level is "Semi-Formally Verified Design and Tested"?

EAL8

What does ISO/IEC 27034-1 lay out?

Security within the SDLC

