CCSP

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Which of the following is considered an administrative control?

Access control process

Which technology improves the ability of the transport layer security (TLS) to ensure privacy when communicating between applications?

Advanced application-specific integrated circuits (ASICs)

What is the relying party?

Any member of the federation that shares resources based on authenticated identities

Which of the following should be redundant in a data center?

Anything that the data center relies on should be redundant

Which data retention policy controls how long health insurance portability and accountability act (HIPAA) data can be archived?

Applicable regulations

Which security control does the software as a service (SaaS) model require as a shared responsibility of all parties involved?

Application

Which cloud computing technology unlocks business value through digital and physical access to maps?

Application Programming Interface

Which type of control should be used to implement custom controls that safeguard data?

Application level

Which message type is generated from software systems to troubleshoot and identify problems with running application codes?

Debug

The most secure method of data disposal:

Degaussing

In 1939, the American Institute of Certified Professional Accountants (AICPA) established a committee to develop accounting standards and reports for the private sector. This committee developed ______ for use by accounting professionals.

GAAP

A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm. Who is the CSP legally required to notify?

Information Commissioner

Among the following, which involves a top-down approach for addressing and managing risk in an organization during the audit process?

Information security management system

All of these are reasons because of which an organization may want to consider cloud migration, except: -Reduced personnel costs -Elimination of risks -Reduced operational expenses -Increased efficiency

Elimination of risks

When setting up resource sharing within a host cluster, which option would you choose to mediate resource contention?

Shares

Data Discovery Method: What is the *Content-based* method used for?

Used to locate and identify specific kinds of data by delving into the datasets

Data Discovery Method: What is the *Label-based* method used for?

Used when the discovery effort is considered in response to a mandate with a specific purpose

T/F. Applications with known vulnerabilities cannot be mitigated and should never be used

False

T/F. Encryption ensures integrity of Data.

False

T/F. RPO and RSL are used to establish when services and data are *completely* restored.

False

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?

Format-preserving encryption

Which of the following things should an organization know to handle risks?

-A determination of critical path and process -An inventory of all assets -A valuation of each asset -A clear understanding of risk appetite

Which of the following are the features of IRM?

-Adds an extra layer of access controls on top of the data -Sets up a baseline for the default Information Protection Policy -Protects sensitive organization content

What metrics are examples of quality of service (QoS) issues?

-Availability -Outage duration -Capacity metrics -Performance metrics -Storage device metrics -Server capacity metrics -Instance startup time metric -Response time metric -Completion time metric -Mean time to switchover -Storage capability

The "Data Center Site Infrastructure Tier Standard: Topology" document describes a four-tiered architecture for enterprises to rate their data center designs. What are the names of the four tiers?

-Basic Data Center Site Infrastructure -Redundant Site Infrastructure Capacity Components -Fault-Tolerant Site Infrastructure -Concurrently Maintainable Site Infrastructure

Which of the following cloud deployment models may exist on or of premises?

-Community -Hybrid -Private

Which of the following cloud deployment models may exist on or off premises?

-Community -Hybrid -Private

Security Scanning should be performed throughout the development process vs waiting for the completed package because:

-Complexity of fixes -Project delays

What is the correct order of the Cloud Secure Data Lifecycle?

-Create -Store -Use -Share -Archive -Destroy

What are the steps in the BCDR continual process?

-Define Scope -Gather Requirements -Analyze -Assess Risk -Implement -Test -Report -Revise

Which of the following statements are true of the archive phase?

-It helps in planning security controls for the data -It helps in management of keys in cryptography

Which of the following are the key threats to data storage in cloud computing?

-Malware attack -Corruption of data -Data leakage and breaches -Unauthorized access

Which of the following are objectives of release and deployment management?

-Manage stakeholders -Ensure knowledge transfer -Ensure the integrity of release packages

Which of the following are the benefits provided by SaaS for the applications accessible by *clients* anywhere?

-Overall reduction of costs -Reduced support costs -Application and software licensing

Which of the following are the key regulations applicable to the CSP facility?

-PCI DSS -HIPAA

What are the phases of a software development lifecycle process model?

-Planning and requirements analysis -Defining -Designing -Developing -Testing -and Maintenance

What are the two main types of APIs used with cloud-based systems and applications?

-REST -SOAP

When using an IaaS solution, what are the key benefits provided to the customer?

-Reduced cost of ownership -Reduced energy and cooling costs -Metered and priced usage on the basis of units consumed

What are the four elements that a data retention policy should define?

-Retention periods -Data formats -Data security -Data retrieval procedures

IT QoS focuses on measuring which of the following?

-Security -Health -Services

What are the categories of personal data that can be processed?

-Sensitive data -Telephone or Internet data -Biometric data -Personal data -Categories of the processing to be performed

Which of the following are the approaches to data masking?

-Shuffle -Masking -Algorithm substitution -Random substitution -Deletion

In a federated system, which two components serve as its core?

-The Relying Party -The IdP

An organization will conduct a risk assessment to evaluate which of the following?

-Threats to its assets -Vulnerabilities present in the environment -The likelihood that a threat will be realized by taking advantage of an exposure -The impact that the exposure being realized will have on the organization -The residual risk when appropriate controls are properly applied to lessen the vulnerability

Which of the following are issues of Key Management?

-Trust -Availability -Integrity

Which contractual components include a clear understanding of the permissible forms of data processing, transmission, and storage, along with any limitations or nonpermitted uses?

-Use of subcontractors -Scope of processing

Which of the following are contractual components that the CCSP should review and understand fully when contracting with a CSP?

-Use of subcontractors -Scope of processing -Deletion of data -Appropriate or required data security controls -Locations of data -Return or restitution of data -Right to audit subcontractors

Object Storage is usually accessed through:

APIs

Which body establishes optimal temperature and humidity levels?

ASHRAE

In SOC 2 Auditing, how many categories make up the security principle?

7

A business is concerned about the usage of its third-party provided, leased cloud resources. Which audit process should be used to investigate this concern?

??

Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems?

Applying the steps of the software development lifecycle

Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data?

Archiving

Which of the following storage requires a greater amount of administration and entails the installation of an OS or other app to store, sort, and retrieve the data?

Block

Which data retention method is stored with a minimal amount of metadata storage with the content?

Block-based

When using a SaaS solution, who is responsible for application security?

Both CSP and the enterprise

Which model introduced the concept of allowing access controls to change dynamically based on a user's previous actions?

Brewer-Nash

Which problem is known as a common supply chain risk?

Data breaches

Which of the following is a specification constructed for making the management of applications easy in terms of a PaaS system?

CAMP

Which of the following gives an overview of various existing certification schemes?

CCSL

Which artifact may be required as a data source for a compliance audit in a cloud environment?

Change management details

Which process analyzes data for certain attributes and uses that that to determine the appropriate controls and policies to apply to it?

Classification

Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring?

Cloud Access Security Broker (CASB)

Mark, a security administrator, observes multiple service interruptions caused by a data center design. He decided to migrate the company away from its data center and successfully completed the migration of all data center servers and services to a cloud provider. He is still concerned with the availability requirements of critical applications. Which of the following should Mark implement next?

Cloud access security broker

Where should the location be for the final data backup repository in the event that the disaster recovery plan is enacted for the CSP of disaster recovery (DR) service?

Cloud platform

You are a service provider who provides cloud-services and resources to a person using and subscribing them. There is an official commitment (i.e., service-level agreement) between the service provider and the user. Who verifies this official commitment?

Cloud service auditor

Who among the following adds and extends values to the cloud-based services for customers?

Cloud services brokerage

A CSP provides services in European Union (EU) countries that are subject to the network information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided. Who is the CSP required to notify under the NIS directive?

Competent Authorities

What are the two biggest challenges associated with the use of IPSec in cloud computing environments?

Configuration management and Performance

Which aspect of business continuity planning considers the alternatives to be used when there is a complete loss of the provider?

Considering portability options

Which phase of the cloud data lifecycle allows both read and process functions to be performed?

Create

Which is the correct order of the Cloud Secure Data Lifecycle?

Create, Store, Use, Share, Archive, Destroy

Data Discovery Method: What is the *Data analytics* method used for?

Creates new data feeds from sets of data already existing within the environment

Which method should the cloud consumer use to secure the management plane of the cloud service provider?

Credential management

Which of the following vulnerabilities occurs when an application allows untrusted data to be sent to a web browser without proper validation or escaping?

Cross-site scripting

Which element is protected by an encryption system?

Data

This is a method of categorizing data by finding patterns and it relies on users to refine it:

Data Discovery

Which cloud threat is described in the statement below? "If a multitenant cloud service database is not properly designed, a flaw in one client's application can allow an attacker access not only to that client's data but to every other client's data as well."

Data breach

Which technology allows an organization to control access to sensitive documents stored in the cloud?

Digital Rights Management (DRM)

Which open web application security project (OWASP) Top 9 Coding Flaws leads to security issues?

Direct object reference

Which process analyzes data to look for certain attributes or patterns?

Discovery

What are the three components of DLP?

Discovery and Classification, Monitoring, and Enforcement

In which testing method does the entire organization take part in a scenario at a scheduled time, describe its responses during the test, and perform some minimal actions?

Dry run

Which approach is considered a black-box security testing method?

Dynamic application security testing

Management has requested that security testing be done against their live cloud-based applications, with the testers not having internal knowledge of the system. Not attempting to actually breach systems or inject data is also a top requirement. Which of the following would be the appropriate approach to take?

Dynamic application security testing (DAST)

Which of the following provides an organization with a static point of reference from which to begin work in defining its strategic goals and objectives regarding risk remediation and control implementation?

Gap analysis

From a cloud provider perspective, which of the following should a layered defense entail?

Governance mechanisms and enforcement

Which element is a cloud virtualization risk?

Guest isolation

Which environmental consideration should be addressed when planning the design of a data center?

Heating and Ventilation

What is a key capability of infrastructure as a service (IaaS)?

High reliability and resilience

Which standard addresses the privacy aspects of cloud computing for consumers?

ISO 27018:2014

Which international standard guide provides procedures for incident investigation principles and processes?

ISO 27043:2015

Which of the following standards sets out terms and definitions, principles, a framework, and a process for managing risk?

ISO 31000:2009

What is the first international set of privacy controls in the cloud?

ISO/IEC 27018

Which of the following guidelines covers eDiscovery?

ISO/IEC 27050

Which standard addresses practices related to the acquisition of forensic artifacts and can be directly applied to a cloud environment?

ISO/IEC 27050-1

Which standard outlines domains which establish frameworks for risk assessment?

ISO\IEC 27001:2013

Which is the internationally accepted standard for eDiscovery?

ISO\IEC 27050

In which of the following cloud deployment models does platform security come under enterprise responsibility?

IaaS

Which of the following is the result of the process flow that identifies issues and external variables?

Implement security policy

Which cloud model offers access to a pool of fundamental IT resources such as computing, networking, or storage?

Infrastructure

The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization. Which standard should be applied?

International Organization for Standardization (ISO) 27050-1

A KMS is?

Key Management Service

Rex has implemented asymmetric key cryptography for the emails of his company. He is concerned that users may lose their private keys and will not be able to decrypt their messages. Which of the following is the best solution to this problem?

Key escrow

Rex has implemented asymmetric key cryptography for the emails of his company. He is concerned that users may lose their private keys and will not be able to decrypt their messages. Which of the following is the *best* solution to this problem?

Key escrow

Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan?

Level of resiliency

What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks?

Management plane

Which component is among the highest risk component with respect to software vulnerabilities?

Management plane

Which disaster recovery plan metric indicates how long critical functions can be unavailable before the organization is irretrievably affected?

Max allowable downtime (MAD)

Which role acts as monitors of the response activity, provides scenario inputs to heighten realism, and documents performance and any plan shortcomings?

Moderator

Which of the following characteristics of cloud computing can affect the logical design of a data center?

Mulitenancy -Cloud management plane -Virtualization technology

Which countermeasure enhances redundancy for physical facilities hosting cloud equipment during the threat of a power outage?

Multiple and independent power circuits to all racks

Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties?

Native production

Which type of storage with IaaS will be maintained by the cloud provider and referenced with a key value?

Object

Which of the following should be carried out *first* when seeking to perform a gap analysis?

Obtain management support

DLP to protect Data at Rest is installed:

On the system holding the data

Which group is legally bound by the general data protection regulation (GDPR)?

Only corporations that process the data of EU citizens

Which federation standard allows developers to authenticate their users across websites and applications without having to manage usernames and passwords?

OpenID Connect

Which of the following is strongly encouraged for managing access of the directory administrators?

PIM (privileged identity management)

Which category does Auto-Scaling fall into?

PaaS

A security analyst is investigating an incident of access to a resource from an unauthorized location. Which data source should the security analyst used to investigate the incident?

Packet capture logs

Which of the following provides a voice and expression to the strategic goals and objectives of management?

Policy

This concept affords the right to look at things anonymously and to be "forgotten" by a system when you leave

Privacy

Which jurisdictional data protection includes dealing with the international transfer of data?

Privacy Regulation

Which cloud model allows the consumer to have sole responsibility for management and governance?

Private

Which cloud model provides data location assurance?

Private

Which description characterizes the application programming interface (API) format known as representation state transfer (REST)?

Provides a framework for developing scalable web applications

Which encryption technique connects the instance to the encryption instance that handles all crypto operations?

Proxy

How many categories does the security principle in SOC2 include?

Seven

Patrick, a cloud administrator, is looking at business requirements that specify the preceding backup data available at the discovery recovery site must not be more than 24 hours old. Which of the following metrics correctly relates to these requirements?

RPO

Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?

Reporting to the supervisory authority

Which design principle of secure cloud computing involves deploying cloud service provider resources to maximize availability in the event of a failure?

Resiliency

Which of the following cloud characteristics explains that a cloud provides services to serve multiple clients according to their priority?

Resource pooling

Which of the following is considered a "white box" test?

SAST

Max, a cloud administrator, needs to find a web service that will allow systems to communicate over FTP using an XML-based protocol. Which of the following communication methods will he use?

SOAP (Simple Object Access Protocol)

Which Cloud Model uses mainly databases to store data?

SaaS

Which of the following would be covered by an external audit and *not* by an internal audit?

Security controls

Which service model influences the logical design by using additional measures in the application to enhance security?

Software as a Service (SaaS)

What does the acronym STRIDE stand for?

Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege

Which security testing approach is used to review source code and binaries without executing the application?

Static application security testing

All of the following can result in vendor lock-in except: -Statutory compliance -Proprietary data formats -Insufficient bandwidth -Unfavorable contract

Statutory compliance

Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy (CSP)?

Technological controls

Which kind of Data obfuscation method replaces Data with random values that can be mapped to actual data?

Tokenization

A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken?

The application stores the token

When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed?

The directive applies to data processed by automated means and data contained in paper files

Which factor exemplifies adequate cloud contract governance?

The frequency with which contracts are renewed

In the tokenization architecture, which step should be performed after the tokenization server generates the token and stores it in the token database?

The tokenization server returns the token to the application

Which consideration should be taken into account when reviewing a cloud service provider's risk of potential outage time?

The unique history of the provider

How do immutable workloads effect security overhead?

They reduce the management of the hosts

Which issue can be detected with static application security testing (SAST)?

Threading

Which UI standard Tier will work perfectly without any downtime of critical operations even after the loss of any single system, component, or distribution element?

Tier 4

Which kind of Data Obfuscation method replaces Data with random values that can be mapped to actual data?

Tokenization

Max is the co-founder of a manufacturing firm. Together with his partner, Joe, he has developed a special type of oil that will dramatically improve the manufacturing process. To keep the formula secret, Max and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection *best* suits their needs

Trade secret

T/F. Business impact analysis defines which of the assets provide the intrinsic value of an organization

True

T/F. SOX is not directly related to privacy or IT Security

True

Which SOC 2 report would be run to determine if security controls are suitable based on design and intent.

Type 1 Reports

Which penalty is imposed for privacy violations under the general data protection regulation (GDPR)?

Up to 20 Million Euros

Which of the following is the *replacement* of older elements for new ones?

Upgrade

Which of the following publishes the most commonly used standards for data center tiers and topologies?

Uptime Institute

Data Discovery Method: What is the *Metadata-based* method used for?

Used to collect all matching data elements for a certain purpose

A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident. Which action facilitates this type of communication?

Using existing open standards

Which data-at-rest encryption method encrypts all the data stored on the volume and all snapshots created from the volume?

Whole instance encryption

Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model?

Whole-instance encryption


Ensembles d'études connexes

Threats, Attacks, and Vulnerabilities

View Set

BRAVE NEW WORLD - ANALYTIC CUBISM

View Set

ACCT 250 GCU, Accounting 250 GCU

View Set

306 Ricci PrepU Chapter 16: Nursing Management During the Postpartum Period 1

View Set

ACCT 3190 Intermediate II CH. 12 Smartbook

View Set

Organization Behavior 7,8,9,10 Exam #3

View Set