Ch. 4: Compliance and the Cloud
Which statements regarding a CSP's legal and regulatory compliance are correct? (Choose two)
A. All security responsibilities fall upon the CSP.
B. A CSP's service level agreements list independent third-party auditors.
C. A CSP provides documentation about its security standards compliance.
D. Cloud customers also bear some responsibility in securing their use of cloud computing.
A CSP provides documentation about its security standards compliance. Cloud customers also bear some responsibility in securing their use of cloud computing.
Compared to vulnerability assessments, which word is most closely associated with penetration testing?
A. Documentation
B. Authentication
C. Active
D. Passive
Active
What kind of standard is SSAE No. 16?
A. Auditing
B. Encryption
C. Risk Management
D. Authentication
Auditing
Which term refers to the applicable laws based on the location where data is collected, stored, and used?
A. Special Publication
B. Security control
C. Data sovereignty
D. PKI
Data sovereignty
You are reviewing a CSP's media destruction procedures. Your organization requires that hard disk data is removed magnetically. Which technique does this?
A. Drilling
B. Shredding
C. Hammering
D. Degaussing
Degaussing
To prevent future retrieval of sensitive cloud-replicated data, you have repartitioned a hard disk within a laptop computer. The computer was running a Windows client operating system at the time of the repartitioning. Which statement regarding this scenario is correct?
A. A Windows server operating system should have been used.
B. Deleted partitions are easily recovered.
C. A Linux server operating system should have been used.
D. The operating system cannot be running when disk partitions are removed.
Deleted partitions are easily recovered
Which U.S. federal government security standard is most closely related to cloud security?
A. HIPAA
B. ISO/IEC 27017:2015
C. FedRAMP
D. Sarbanes-Oxley Act
FedRAMP
Why is a CSP's security standards compliance important? (Choose two)
A. It provides a level of assurance to cloud customers that the CSP has taken effective steps to mitigate risk.
B. A CSP's security standards compliance means its cloud customers are also compliant.
C. It proves that the CSP cannot be hacked.
D. The CSP security posture is accredited by third parties.
It provides a level of assurance to cloud customers that the CSP has taken effective steps to mitigate risk. The CSP security posture is accredited by third parties
You want to know the specific physical addresses of a CSP's data centers. What should you do?
A. Run a DNS domain name lookup for the CSP domain suffix.
B. Send an information request to the CSP.
C. Review the CSP service level agreement.
D. Nothing. CSPs do not voluntarily disclose data center physical addresses.
Nothing. CSPs do not voluntarily disclose data center physical addresses.
Which of the following statements regarding laws and regulations is accurate?
A. Regulations provide implementation and enforcement details.
B. Laws provide implementation and enforcement details.
C. Breaking laws can result in fines; this is not true for a lack of regulatory compliance.
D. A lack of regulatory compliance can result in fines, but not imprisonment.
Regulations provide implementation and enforcement details.
Which U.S. regulation is designed to mitigate financial document reporting fraud?
A. HIPAA
B. ISO/IEC 27017:2015
C. FedRAMP
D. Sarbanes-Oxley Act
Sarbanes-Oxley Act
Which risk is the most prevalent when adopting cloud computing?
A. The use of deprecated encryption algorithms
B. Cloud tenant centralized data storage
C. Lack of cloud tenant isolation
D. Trust placed in outsourcing
Trust placed in outsourcing
Which factor has the most influence on which regulations apply to your organization?
A. Operating system used for cloud virtual machines
B. Type of industry
C. Cloud storage encryption strength
D. Type of cloud media sanitization in use
Type of industry
You are evaluating CSPs because your organization has decided to adopt cloud computing for some of its IT service needs. What is the quickest way to determine which security standards the CSP is compliant with?
A. Send an e-mail message to the CSP inquiring about compliance
B. Call the CSP to inquire about compliance
C. View government legislative bill details
D. View the CSP's compliance web page
View the CSP's compliance web page
Which type of security testing identifies weaknesses but does not attempt to exploit them?
A. Penetration test
B. Regression test
C. Load test
D. Vulnerability test
Vulnerability test