WGU Course C838 - Managing Cloud Security Quizlet by Brian MacFarlane

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

The key difference between cloud and traditional computing is the_________________, which includes the management plane components, which are network-enabled and remotely accessible. Another key difference is you tend to double up on each layer.

metastructure

A testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development, including web development and revision control.

A testing environment that isolates untested code changes and outright experimentation from the production environment or repository, in the context of software development, including web development and revision control.

Because of multitenancy, specific risks in the public cloud that don't exist in the other cloud service models include all the following except: A DoS/DDoS B Escalation of privilege C Risk of loss/disclosure due to legal seizures D Information bleed

A

Certain data sanitation methods may be required for different types of data. A True B False

A

Cloud Portability Means: A Ability to change providers B Ability to use anywhere C Ability to use with mobile devices D Ability to use on multiple device types

A

Clustered storage architectures can take one of two types: tightly coupled or loosely coupled. A True B False

A

Cryptographic keys for encrypted data stored in the cloud should be ______________. A Not stored with the cloud provider B At least 128 bits long C Generated with redundancy D Split into groups

A

DAST is usually run against live systems and those running the test do not know anything about the system. A True B False

A

DLP can be combined with what other security technology to enhance data controls? A DRM B Hypervisors C Kerberos D SIEM

A

DRM solutions should generally include all the following functions, except: A Automatic self-destruct B Automatic expiration C Dynamic policy control D Persistency

A

Data Classification is a core concept of PCI DSS. A True B False

A

Data classification determines what controls should protect data. A True B False

A

Data in the Archive and Destroy phases may need to be handled according to regulations, standards, or policies. A True B False

A

Data in the destroy phase can be considered destroyed if it is made permanently inaccessible. A True B False

A

Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except: A The cloud provider's resellers B The cloud provider's utilities C The cloud provider's vendors D The cloud provider's suppliers

A

For performance purposes, OS monitoring should include all of the following except: A Print spooling B Disk space C Disk I/O usage D CPU usage

A

Generator fuel storage for a cloud datacenter should last for how long, at a minimum? A 12 hours B Indefinitely C Three days D 10 minutes

A

HIPAA, SOX, and PCI DSS are examples of: A Regulatory compliance B Cloud security tools C Governance D SLAs

A

How do immutable workloads effect security overhead? A They reduce the management of the hosts. B They automatically perform vulnerability scanning as they launch. C They restrict the amount of instances in a cluster. D They create patches for a running workload.

A

How many layers of encryption are typically available to a Database? A 2 B 3 C 4 D 1

A

IRM allows for the following except: A Encryption B Protection C Auditing D Policy Control

A

Identity and access management (IAM) is a security discipline that ensures which of the following? A That the right individual gets access to the right resources at the right time for the right reasons B That all users are properly authorized C That unauthorized users will get access to the right resources at the right time for the right reasons D That all users are properly authenticated

A

If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad? A Availability B Integrity C Authentication D Confidentiality

A

If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best? A PaaS B IaaS C Hybrid D SaaS

A

If a patch is unavailable for a vulnerability, it may be advisable to turn off affected services or restrict access by other means. A True B False

A

If a service or solution does not meet all of the specified key characteristics listed below, it is said to be not true cloud computing. Please select the valid cloud computing characteristics out of the terms identified below. Each correct answer represents a complete solution. Choose all that apply. 1) Measured system 2) Broad network access 3) Resource pooling 4) Measured service 5) On-demand self-service 6) Selected self-service 7) Rapid expansion A All but 1 & 6 B All but 2 & 5

A

In PaaS the customer has control over: A Software B OS C Physical D Platform

A

In SOC 2 auditing, along with the security principle, how many of the other 4 principles must be included to complete a report? A 1 B 7 C 5 D 3

A

In SaaS the customer has control over: A Data B Software C OS D Platform

A

In a cloud environment, who ensures that various storage types and mechanisms meet and conform to the relevant SLAs? A Cloud data architect B Cloud administrator C Cloud storage administrator D Cloud operator

A

In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party? A A contracted third party/the various member organizations of the federation B Each member organization/each member organization C Each member organization/a trusted third party D The users of the various organizations within the federation/a CASB

A

In all cloud models, security controls are driven by which of the following? A Business requirements B Virtualization engine C Hypervisor D SLAs

A

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type? A All of these B Administrative C Physical D Technological

A

In some cases, it may be necessary to obtain prior permission of the local Data Protection Commissioner before transferring data in or out of the country. A True B False

A

In which cloud service model is the customer only responsible for the data? A SaaS B PaaS C IaaS D CaaS

A

In which of the following components of the data retention policy do data-retention considerations depend heavily on the required compliance administration associated with the data type? A Legislation, regulation, and standards requirements B Data mapping C Data classification D Monitoring and maintenance

A

In which of the following tests of the recovery plan are the industry workers mobilized to an alternative site to perform actual recovery process? A Functional drill/parallel test B Full-interruption/full-scale test C Tabletop exercise/structured walk-through test D Walk-through drill/simulation test

A

Proper identification and documentation of key stakeholders is vital to any IT system. A True B False

A

Proper implementation of DLP solutions for successful function requires which of the following? A Accurate data categorization B Physical access limitations C USB connectivity D Physical presence

A

SOAP and REST are APIs that must run over SSL or TLS for security purposes. A True B False

A

SOX was enacted because of which of the following? A All of these B Poor financial controls C Lack of independent audits D Poor BOD oversight

A

The BC/DR kit should include all of the following except: A Hard drives B Documentation equipment C Flashlight D Annotated asset inventory

A

The Brewer-Nash security model is also known as which of the following? A The Chinese Wall model B MAC C RBAC D Preventive measures

A

The CMB should include representations from all of the following offices except: A Regulators B Management C Security office D IT department

A

The CSA STAR program consists of three levels. Which of the following is not one of those levels? A SOC 2 audit certification B Continuous monitoring based certification C Self-assessment D Third-party assessment-based certification

A

The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified? A Contract B RMF C BIA D MOU

A

The cloud deployment model that features joint ownership of assets among an affinity group is known as: A Community B Hybrid C Public D Private

A

The customer is concerned with data, whereas the provider is concerned with security and operation. A True B False

A

The customer's ultimate legal liability for data it owns remains true even if the provider's failure was the result of negligence. A True B False

A

The entitlement process begins with business and security requirements and translates these into a set of rules. What would be the next step of the process? A Rules are then translated into component authorization decisions B Rules are then applied to vendors and consumers C Business and security requirements are updated D Rules are then translated into component authentication decisions

A

The following are common vulnerabilities in a cloud environment except: A DBSS B XSS C Injection D Unvalidated Redirects

A

The following are issues of Key Management except: A ACL B Trust C Availability D Integrity

A

The goals of SIEM solution implementation include all of the following, except: A Performance enhancement B Dashboarding C Trend analysis D Centralization of log streams

A

The process of hardening a device should include all of the following, except: A Improve default accounts B Close unused ports C Delete unnecessary services D Strictly control administrator access

A

The right to be forgotten refers to which of the following? A The right to have all of a data owner's data erased B Erasing criminal history C The right to no longer pay taxes D Masking

A

The scope of an audit will change based on the cloud model used. A True B False

A

The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization. Which standard should be applied? A International organization for standardization (ISO) 27050-1 B Sarbanes-Oxley Act (SOX) C Cloud controls matrix (CCM) D International electrotechnical commission (IEC) 27037

A

There may be extra costs associated with eDiscovery in a cloud environment. A True B False

A

This is the amount of data required to be maintained or restored in order to restore acceptable functionality: A RPO B RSL C RTO D RTL

A

This is the method of analyzing data for certain attributes to determine the appropriate controls to apply: A Classification B Data Discovery C eDiscovery D Categorization

A

This is the process which ensures resources are not over utilized or underutilized. A Dynamic Optimization B Auto-scaling C Elasticity D Dynamic Operations

A

This type of hypervisor is tied directly to the hardware or "Bare Metal": A Type 1 B Type 2 C Type 3 D Type 4

A

Volume Storage is split into pieces called: A LUNs B VLANs C Units D Drives

A

Vulnerability assessments cannot detect which of the following? A Zero-day exploits B Defined vulnerabilities C Malware D Programming flaws

A

What are SOC 1/SOC 2/SOC 3? A Audit reports B Software development phases C Risk management frameworks D Access controls

A

What are the five Trust Services principles? A Security, Availability, Processing Integrity, Confidentiality, and Privacy B Security, Availability, Processing Integrity, Confidentiality, and Nonrepudiation C Security, Availability, Customer Integrity, Confidentiality, and Privacy D Security, Auditability, Processing Integrity, Confidentiality, and Privacy

A

What functions does the CCSP perform to obtain assurance and conduct auditing on the VMs and hypervisor? Each correct answer represents a complete solution. Choose all that apply. 1) Verify configuration of hypervisor according to the organizational policy. 2) Verify systems are up to date and hardened according to best-practice standards. 3) Understand the virtualization management architecture. 4) Focus only on VMs and its associated hypervisors. A 1,2,3 B 2,3,4

A

What is a cloud storage architecture that manages the data in a hierarchy of files? A File-based storage B Object-based storage C CDN D Database

A

What is a component of device hardening? A Patching B Unit testing C Versioning D Configuring VPN access

A

What is a key component of GLBA? A The information security program B The right to audit C The right to be forgotten D EU Data Directives

A

What is the Cloud Security Alliance Cloud Controls Matrix (CCM)? A An inventory of cloud service security controls that are arranged into separate security domains B A set of software development life cycle requirements for cloud service providers C A set of regulatory requirements for cloud service providers D An inventory of cloud services security controls that are arranged into a hierarchy of security domains

A

What is the aspect of the DMCA that has often been abused and places the burden of proof on the accused? A Takedown notice B Puppet plasticity C Online service provider exemption D Decryption program prohibition

A

What is the cloud service model in which the customer is responsible for administration of the OS? A IaaS B QaaS C SaaS D PaaS

A

What is the intellectual property protection for the tangible expression of a creative idea? A Copyright B Trade secret C Trademark D Patent

A

What is the main objective of applying cryptography to the data in a cloud? A To ensure confidentiality B To ensure secure authentication C To manage authorization D To maintain integrity

A

What is the process of adding validation support to a section without changing the basic mechanism of a DNS query using DNSSEC? A Zone signing B DNS management C Patch management D Zone refining

A

What is the process of gathering evidence in a cloud environment? A eDiscovery B Discovery C ISO/IEC 27050 D Forensics

A

What responsibility does a customer hold in the SaaS cloud service? A Determining data for processing B Determining instruments of processing C Controlling functions of tools D Controlling operations of management

A

What should configuration management always be tied to? A Change management B Financial management C Business relationship management D IT service management

A

When a cloud customer uploads PII to a cloud provider, who becomes ultimately responsible for the security of that PII? A Cloud customer B The individuals who are the subjects of the PII C Cloud provider D Regulators

A

When using transparent encryption of a database, where does the encryption engine reside? A Within the database B At the application using the database C On the instances attached to the volume D In a key management system

A

Which Cloud Model uses mainly databases to store data? A SaaS B DBaaS C PaaS D IaaS

A

Which act protects the general public and the shareholders from accounting errors and illegal practices in the enterprise? A SOX B HIPAA C GLBA D SCA

A

Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems? A Applying the steps of a cloud software development life cycle B Providing developer access to supporting components and services C Outsourcing the infrastructure and integration platform management D Verifying the application has an appropriate level of confidentiality and integrity

A

Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event? A Reporting to the supervisory authority B Informing consumer credit reporting services C Notifying the affected persons D Suspending the processing operations

A

Which approach deals with reducing the probability of risk occurrence? A Risk Mitigation B Risk management probability C Risk Avoidance D Risk analysis

A

Which category does Rapid Provisioning and Scalability fall into? A PaaS B IaaS C SaaS D XaaS

A

Which characteristic of liquid propane increases its desirability as a fuel for backup generators? A Does not spoil B Flavor C Burn rate D Price

A

Which cloud model offers access to a pool of fundamental IT resources such as computing, networking, or storage? A Infrastructure B Platform C Application D Data

A

Which cloud security control eliminates the risk of a virtualization guest escape from another tenant? A Dedicated hosting B Hardware hypervisor C File integrity monitor D Immutable virtual machines

A

Which data retention policy controls how long health insurance portability and accountability act (HIPAA) data can be archived? A Applicable regulation B Data classification C Enforcement D Maintenance

A

Which data-at-rest encryption method encrypts all the data stored on the volume and all snapshots created from the volume? A Whole instance encryption B Volume encryption C Directory encryptionWhole-instance encryption: Encrypts all of the system's data at rest in one instance

A

Which design principle of secure cloud computing ensures that the business can resume essential operations in the event of an availability-affecting incident? A Disaster recovery B Resource pooling C Access control D Session management

A

Which disaster recovery (DR) site results in the quickest recovery in the event of a disaster? A Hot B Cold C Reserve D Passive

A

Which disaster recovery plan metric indicates how long critical functions can be unavailable before the organization is irretrievably affected? A Maximum allowable downtime (MAD) B Recovery point objective (RPO) C Mean time to switchover (MTS) D Recovery time objective (RTO)

A

Which element is a cloud virtualization risk? A Guest isolation B Electronic discovery C Licensing D Jurisdiction

A

Which environmental consideration should be addressed when planning the design of a data center? A Heating and ventilation B Utility power availability C Expansion possibilities and growth D Telecommunications connections

A

Which factor exemplifies adequate cloud contract governance? A The frequency with which contracts are renewed B The emphasis of privacy controls in the contract C The flexibility of data types in accordance with a contract D The bandwidth that is contractually provided

A

Which form of BC/DR testing has the most impact on operations? A Full test B Dry run C Tabletop D Structured test

A

Which helps to establish the identity of an entity with adequate assurance? A Authentication B Identity and access management C Identification D Authorization

A

Which is a management control that is usually tied to hardware? A Hypervisor Type 1 B Hypervisor Type 2 C Hypervisor Type 3 D Hypervisor Type 4

A

Which is a management control that is usually tied to the host OS? A Hypervisor Type 2 B Hypervisor Type 3 C Hypervisor Type 4 D Hypervisor Type 1

A

Which is not a principle of GAAP? A Principle of Compensation B Principle of Sincerity C Principle of Regularity D Principle of Consistency

A

Which is not a security concept of customers of cloud computing? A Physical Security B Network Security C Access Control D Cryptography

A

Which is not part of the risk management process? A Discovery B Responding C Framing D Monitoring

A

Which is the lowest level of the CSA STAR program? A Self-assessment B Continuous monitoring C Attestation D Hybridization

A

Which item would be a risk for an enterprise considering contracting with a cloud service provider? A Suspension of service if payment is delinquent B No SLA exclusion penalties C 99.99% up time guarantees D Very expensive SLA provider penalties

A

Which legislation must a trusted cloud service adhere to when utilizing the data of EU citizens? A GDPR B EMTALA C APPI D SOX

A

Which level of CSA STAR needs the release of results related to security-properties monitoring on the basis of CTP (Cloud Trust Protocol)? A Level 3 B Level 4 C Level 1 D Level 2

A

Which method is more commonly used in federated identity environments? A SAML B WS C OpenID D OAuth

A

Which of the following SOC report subtypes represents a point in time? A Type I B Type II C SOC 3 D SOC 2

A

Which of the following actions are required to establish and maintain log management in an organization? A Define log requirements and goals of an organization B Define volume of log data to be processed C Define security requirements for log management D Monitor the operations in standard log management process

A

Which of the following allows consumers to obtain, remove, manage, and report on resources, without the need to engage or speak with resources internally or with the provider? A Self-service and on-demand capacity B Scale C High reliability and resilience D Converged network and IT capacity pool

A

Which of the following are attributes of cloud computing? A Minimal management effort and shared resources B High cost and unique resources C Rapid provisioning and slow release of resources D Limited access and service provider interaction

A

Which of the following are considered to be the building blocks of cloud computing? A CPU, RAM, storage, and networking B Data, CPU, RAM, and access control C Data, access control, virtualization, and services D Storage, networking, printing, and virtualization

A

Which of the following are not associated with HIPAA controls? A Financial controls B Physical controls C Technical controls D Administrative controls

A

Which of the following are the key regulations applicable to the CSP facility? Each correct answer represents a complete solution. Choose two. 1) COBRA 2) HITRUST CSF 3) PCI DSS 4) HIPAA A 3,4 B 1,2

A

Which of the following best define risk? A Threat coupled with a vulnerability B Threat coupled with a breach C Vulnerability coupled with an attack D Threat coupled with a threat actor

A

Which of the following best describes a sandbox? A An isolated space where untested code and experimentation can safely occur separate from the production environment B An isolated space where transactions are protected from malicious software C A space where you can safely execute malicious code to see what it does D An isolated space where untested code and experimentation can safely occur within the production environment

A

Which of the following cloud services provides a key benefit for the developers that the services required by them can be obtained from diverse sources nationally or internationally? A PaaS B NaaS C SaaS D IaaS

A

Which of the following cloud-specific risks occurs when various applications are pushed to a cloud environment without a complete understanding of the CSP environment? A Insufficient due diligence B Insecure APIs C Shared technology issues D Abuse of cloud services

A

Which of the following has not been attributed as the cause of lost capabilities due to DoS? A Changing regulatory motif B Squirrels C Hackers D Construction equipment

A

Which of the following is a part of the building blocks of a cloud computing system? A CPU B OS C Applications D ROM

A

Which of the following is a type of multifactor authentication (MFA)? A One-time password B Fingerprint C ID card D Password

A

Which of the following is not a common cloud service model? A Programming as a Service B Software as a Service C Platform as a Service D Infrastructure as a Service

A

Which of the following is not a feature of a secure KVM component? A Keystroke logging B Sealed exterior case C Welded chipsets D Push-button selectors

A

Which of the following is not a part of the ENISA Top 8 Security Risks of cloud computing? A Availability B Vendor lock-in C Isolation failure D Insecure or incomplete data deletion

A

Which of the following is not a risk management framework? A Key risk indicators (KRI) B European Union Agency for Network and Information Security (ENISA) C NIST SP 800-37 D ISO 31000:2009

A

Which of the following is not appropriate to include in an SLA? A Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status B The number of user accounts allowed during a specified period C The time allowed to migrate from normal operations to contingency operations D The amount of data allowed to be transmitted and received between the cloud provider and customer

A

Which of the following is not one of the types of controls? A Transitional B Physical C Technical D Administrative

A

Which of the following is the best advantage of external audits? A Independence B Oversight C Cheaper D Better results

A

Which of the following is the gathering of data as evidence? A eDiscovery B Data Collection C Discovery D eCollection

A

Which of the following is the primary purpose of an SOC 3 report? A Seal of approval B Absolute assurances C Compliance with PCI/DSS D HIPAA compliance

A

Which of the following is the science of hiding information to protect sensitive information and communications from unauthorized access? A Cryptography B Social Engineering C DDoS D Phishing

A

Which of the following is the software that manages the requests of multiple guest machines to access the resources of the host machine? A Hypervisor B VMware C Hyper-V D XenServer

A

Which of the following laws decides which law is most appropriate in event of disputing laws in different states? A Restatement (second) conflict of law B International law C Criminal law D The doctrine of the proper law

A

Which of the following laws resulted from a lack of independence in audit practices? A SOX B ISO 27064 C HIPAA D GLBA

A

Which of the following methods of addressing risk is most associated with insurance? A Transference B Avoidance C Acceptance D Mitigation

A

Which of the following practices for secure server configuration uses RBAC (Role-Based Access Control) to limit user access to a host? A Host lockdown B Host patching C Host hardening D Host mapping

A

Which of the following protocols provides encryption using cryptography for the data in transit? A SSL (Secure Socket Layer) B DNS (Domain Name System) C HTTP (HyperText Transfer Protocol) D MIME (Multipurpose Internet Mail Extension)

A

Which of the following quality assurance tests signifies the highest level of evaluation? A Formally verified design and tested B Methodically tested and checked C Functionally tested D Methodically designed, tested, and reviewed

A

Which of the following report is most aligned with financial control audits? A SOC 1 B SOC 2 C SOC 3 D SSAE 16

A

Which of the following security responsibilities are shared between an organization and its CSP in an IaaS cloud environment? A Infrastructure Security B Data Security C Application Security D Platform Security

A

Which of the following standards sets out terms and definitions, principles, a framework, and a process for managing risk? A ISO 31000:2009 B ISO 28000:2007 C ISO 27001:2013 D ISO/IEC 27037:2012

A

Which of the following supplemental security devices implements the DLP (data loss prevention) security control? A XML gateways B API gateway C Web application firewall D Database activity monitoring

A

Which of the following vulnerabilities exploits a user's browser to generate unauthorized commands? A Cross-site request forgery B Cross-site scripting C Sensitive data exposure D Invalidated redirects and forwards

A

Which of the following will help achieve redundancy in virtual switches? Each correct answer represents a complete solution. Choose all that apply. 1) Kerberos 2) CHAP 3) Port channeling 4) Physical NICs A 3,4 B 1,2

A

Which open web application security project (OWASP) Top 9 Coding Flaws leads to security issues? A Direct object reference B Cross-site scripting C Denial-of-service D Client-side injection

A

Which option should an organization choose if there is a need to avoid software ownership? A Software as a service (SaaS) B Platform as a service (PaaS) C Containers as a service (CaaS) D Infrastructure as a service (IaaS)

A

Which phase of the cloud data life cycle allows both read and process functions to be performed? A Create B Archive C Store D Share

A

Which primary security control should be used by all cloud accounts, including individual users, in order to defend against the widest range of attacks? A Multi-factor authentication B Logging and monitoring C Perimeter security D Redundant infrastructure

A

Which process aims to identify the relevant risks that may affect the AIC (Availability, integrity, and confidentiality) of key information assets? A Gap analysis B Patch management C Risk analysis D Change management

A

Which process analyzes data for certain attributes and uses that to determine the appropriate controls and policies to apply to it? A Classification B Monitoring C Discovery D eDiscovery

A

Which process involves the use of electronic data as evidence in a civil or criminal legal case? A eDiscovery investigations B Due diligence C Cloud governance D Auditing in the cloud

A

Which result is achieved by removing all nonessential services and software of devices for secure configuration of hardware? A Hardening B Maintenance C Patching D Lockdown

A

Which section of the CSA (Cloud Security Alliance) provides the ability to quantifiably measure return on investment (ROI) for the efficient use of resources? A TOGAF (The Open Group Architecture Framework) B ITIL (Information Technology Infrastructure Library) C Jericho D SABSA (Sherwood Applied Business Security Architecture)

A

Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy? A Technological controls B Contractual enforcement of policies C Training programs D Strong access controls

A

Which standard addresses the privacy aspects of cloud computing for consumers? A ISO 27018:2014 B ISO 27017:2015 C ISO 27001:2013 D ISO 19011:2011

A

Which standard protocol is used in the public cloud environment for managing identification of various agents and devices? A OAuth B Kerberos C RADIUS D LDAP

A

Which statute addresses security and privacy matters in the financial industry? A GLBA B FERPA C SOX D HIPAA

A

Which technology allows an organization to control access to sensitive documents stored in the cloud? A Digital rights management (DRM) B Database activity monitoring (DAM) C Identity and access management (IAM) D Distributed resource scheduling (DRS)

A

Which technology should be included in the disaster recovery plan to prevent data loss? A Offsite backups B Locked racks C Video surveillance D System patches

A

Which term is defined as a percentage measurement of how much computing power is necessary on the basis of the required percentage of the production system during a disaster? A RSL B MTD C RTO D RPO

A

Which testing method must be performed to demonstrate the effectiveness of a business continuity plan and procedures? A Failover B Penetration C DAST D SAST

A

Which tool can reduce confusion and misunderstanding during a BC/DR response? A Checklist B Call tree C Flashlight D Controls matrix

A

While working with integrations in a cloud environment, which of the following can be an issue? A Access to Logs B Authorization C Applications D Repudiation

A

Who among the following adds and extends value to the cloud-based services for customers? A Cloud services brokerage B Cloud service auditor C Cloud backup service provider D Cloud service provider

A

Who is responsible for delivering, managing, and provisioning cloud services? A Cloud service manager B Cloud service business manager C Network provider D Inter-cloud provider

A

Who retains final ownership for granting data access and permissions in a shared responsibility model? A Customer B Developer C Manager D Analyst

A

Which of the following is strongly encouraged for managing access of the directory administrators? A PIM B Active Directory C LDAP D IAM

A - PIM (Privileged Identity Management)

Security Services Health

3 things IT QoS focuses on measuring

___________ are the logs, documentation, and other materials needed for audits and compliance; they are the evidence to support compliance activities.

Artifacts

Occurs on the hypervisor itself, the underlying OS, and the machine directly

Attacks on the hypervisor

Establishes identity by asking who you are and determining whether you are a legitimate user.

Authentication

The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station, or originator.

Authentication

After a cloud migration, the BIA should be updated to include a review of the new risks and impacts associated with cloud operations; this review should include an analysis of the possibility of vendor lock-in/lock-out. Analysis of this risk may not have to be performed as a new effort, because a lot of the material that would be included is already available from which of the following? A Open source providers B The cost-benefit analysis the organization conducted when deciding on cloud migration C The cloud provider D NIST

B

All formatting, security, and usage of LUNs is handled by the storage device. A True B False

B

All of the following can result in vendor lock-in except: A Proprietary data formats B Statutory compliance C Unfavorable contract D Insufficient bandwidth

B

All of the following should be included in the Audit Scope Statement except: A Deliverables B Cost C Classification D Reason

B

All of these are methods of data discovery, except: A Content-based B User-based C Label-based D Metadata-based

B

All of these are reasons because of which an organization may want to consider cloud migration, except: A Reduced operational expenses B Elimination of risks C Reduced personnel costs D Increased efficiency

B

All of these technologies have made cloud service viable except: A Cryptographic connectivity B Smart hubs C Virtualization D Widely available broadband

B

All the following are ways of addressing risk, except: A Mitigation B Reversal C Acceptance D Transfer

B

All versions of SSL and TLS are acceptable to secure Data in Transit. A True B False

B

An organization wants to preserve control of its IT environments and takes advantage of flexibility, scalability, and cost savings. Which cloud deployment model helps the organization do this? A Private B Hybrid C Community D Public

B

Applications with known vulnerabilities cannot be mitigated and should never be used. A True B False

B

As a cloud customer you have access to all logs regardless of the cloud model. A True B False

B

As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphi, Congress passed legislation known as: A GLBA B SOX C HIPAA D FERPA

B

Auditing is only used to discover security holes. A True B False

B

Baseline compliance scanning should alert on any deviation from the baseline. A True B False

B

Cloud Access Security Brokers (CASBs) might offer all the following services except: A IAM B BC/DR/COOP C Single sign-on D Key escrow

B

Cloud vendors are held to contractual obligations with specified metrics by: A Discipline B SLAs C Regulations D Law

B

Confidentiality and Integrity are essentially the same thing. A True B False

B

Countermeasures for protecting cloud operations against external attackers include all of the following except: A Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines B Detailed and extensive background checks C Continual monitoring for anomalous activity D Regular and detailed configuration/change management activities

B

Countermeasures for protecting cloud operations against internal threats include all of the following except: A Broad contractual protections to ensure the provider is ensuring an extreme level of trust in its own personnel B Scalability C DLP solutions D Financial penalties for the cloud provider in the event of negligence or malice on the part of its own personnel

B

Countermeasures for protecting cloud operations against internal threats include all of the following except: A Masking and obfuscation of data for all personnel without need to know for raw data B Redundant ISPs C Active electronic surveillance and monitoring D Active physical surveillance and monitoring

B

DLP solutions can aid in deterring loss due to which of the following? A Natural disaster B Inadvertent disclosure C Randomization D Device failure

B

DLP solutions can aid in deterring loss due to which of the following? A Power failure B Malicious disclosure C Performance issues D Bad policy

B

Data labels could include all the following, except: A Handling restrictions B Delivery vendor C Source D Jurisdiction

B

Encryption ensures integrity of Data. A True B False

B

Every security program and process should have which of the following? A Homomorphic encryption B Foundational policy C Severe penalties D Multifactor authentication

B

GAAPs are created and maintained by which organization? A PCI Council B AICPA C ISO D ISO/IEC

B

Hardening the operating system refers to all of the following except: A Closing unused ports B Removing antimalware agents C Limiting administrator access D Removing unnecessary services and libraries

B

How is the compliance of the cloud service provider's legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud? A Contractual agreements B Third-party audits and attestations C e-Discovery process D Researching data retention laws

B

How is the redundancy in virtual switches achieved in a VLAN network? A Using port forwarding B Using port channeling C Using kernel-based virtual machine D Increasing network traffic

B

How often should the CMB meet? A Every week B Often enough to address organizational needs and attenuate frustration with delay C Whenever regulations dictate D Annually

B

If a cloud customer wants a bare-bones environment in which to replicate their own enterprise for BC/DR purposes, which cloud service model would probably be best? A Hybrid B IaaS C PaaS D SaaS

B

If a cloud customer wants a fully-operational environment with very little maintenance or administration necessary, which cloud service model would probably be best? A Hybrid B SaaS C PaaS D IaaS

B

In a federated environment, who is the relying party, and what does it do? A The relying party is the service provider; it consumes the tokens that the customer generates. B The relying party is the service provider; it consumes the tokens that the identity provider generates. C The relying party is the customer; he consumes the tokens that the identity provider generates. D The relying party is the identity provider; it consumes the tokens that the service provider generates.

B

In all cloud models, the _________ will retain ultimate liability and responsibility for any data loss or disclosure. A State B Customer C Vendor D Administrator

B

In cloud development, which of the following is essential to success? A Programming Languages B Experience\knowledge of newer languages\methodologies C Project Management D Development Methodologies

B

In the cloud motif, the data owner is usually: A The cloud provider B The cloud customer C In another jurisdiction D The cloud access security broker

B

In the cloud motif, the data processor is usually: A The cloud access security broker B The cloud provider C The cloud customer D The party that assigns access rights

B

In the tokenization architecture, which step should be performed after the tokenization server generates the token and stores it in the token database? A An application collects or generates a piece of sensitive data. B The tokenization server returns the token to the application. C The application stores the token rather than the original data. D Data is sent to the tokenization server; it is not stored locally.

B

In which cloud environment scenario does the business continuity strategy restore the service failover to another part of the same CSP infrastructure? A Cloud service consumer, alternative provider BCDR B Cloud service consumer, primary provider BCDR C On-premises, cloud as BCDR D Cloud user, alternative BCDR cloud provider

B

In which of the following encryption techniques does the encryption engine run on a secure machine that handles all the cryptographic actions? A Instance-based B Proxy-based C File-level D Application-level

B

In which of the following is customer access blocked and alert disabled? A Hosted VM B Maintenance mode C Public cloud D Hybrid cloud

B

In which of the following phases does an application enter after it has been implemented according to the principles of software development lifecycle? A Testing B Secure operations C Disposal D Defining

B

In which of the following policy and organization risks is the consumer not able to implement all required controls? A Compliance risk B Loss of governance C Provider exit D Provider lock-in

B

In which of the following scenarios is a CSP considered as the provider of alternative facilities? A Cloud service consumer, primary provider BCDR B On-premises, cloud as BCDR C Cloud service consumer, alternative provider BCDR

B

In which phase of the data lifecycle the data leaves active use phase and enters into long-term storage? A Share B Archive C Destroy D Store

B

In which phase of the digital forensics is the collected data forensically processed using a combination of manual and automated methods? A Acquisition B Examination C Analysis D Reporting

B

Key management in a cloud environment is not very important. A True B False

B

Knowing that the cloud provider does vulnerability assessment is good enough. A True B False

B

Maintenance mode requires all of these actions except: A Remove all active production instances B Initiate enhanced security controls C Prevent new logins D Ensure logging continues

B

Object Storage is usually accessed through: A LUNs B APIs C Drives D Management Plane

B

Open Source Software is less secure than proprietary software and should not be used in a cloud environment. A True B False

B

PII is only protected in the United States. A True B False

B

RPO and RSL are used to establish when services and data are completely restored. A True B False

B

Security training should not be: A Documented B Boring C A means to foster a non-adversarial relationship between the security office and operations personnel D Internal

B

The BIA can be used to provide information about all of the following, except: A BC/DR planning B Secure acquisition C Risk analysis D Selection of security controls

B

The Restatement (Second) Conflict of Law refers to which of the following? A When judges restate the law in an opinion B The basis for deciding which laws are most appropriate in a situation where conflicting laws exist C Whether local or federal laws apply in a situation D How jurisdictional disputes are settled

B

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as: A Private B Public C Hybrid D Latent

B

The cloud model eliminates the need for a failover site. A True B False

B

The following are toolsets and technology commonly used to secure data except: A Anonymization B Marking C Masking D Encryption

B

The right to audit should be a part of what documents? A PLA B SLA C Masking D All cloud providers

B

The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as: A Vendor closure B Vendor lock-out C Vendor lock-in D Vending route

B

The various models generally available for cloud BC/DR activities include all of the following except: A Cloud provider, backup from another cloud provider B Cloud provider, backup from private provider C Private architecture, cloud backup D Cloud provider, backup from same provider

B

There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms. Which platform as a service (PaaS) data type should be used? A Short-term storage B Structured C Unstructured D Long-term storage

B

This concept is the unauthorized exposure of data: A Account Hijacking B Data Breach C Data Loss D Data Access

B

This device is used to offload processing of XML from the application: A XML Processor B XML Accelerator C XML Broker D XML Firewall

B

This includes policies focused on reducing threats and risks to IT and Data resources. A ITIL B ISMS C ITSM D MSIS

B

This is a method of categorizing data by finding patterns and it relies on users to refine it: A eDiscovery B Data Discovery C Categorization D Databasing

B

This system is provided by the CSP, but controlled and even hosted by the customer: A Customer-Side KMS B Client-Side KMS C Remote KMS D Internal KMS

B

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except: A DLP solution results B Security control administration C Access to audit logs and performance data D SIM, SEIM, and SEM logs

B

To which of the following phases of the data lifecycle is the process function mapped? A Archive B Create C Destroy D Store

B

We use which of the following to determine the critical paths, processes, and assets of an organization? A Business requirements B BIA C RMF D CIA triad

B

What are the five key principles of ISO/IEC 27018? A Independent and yearly audit, collection, control, transparency, and quality B Consent, control, transparency, communication, and independent and yearly audit C Quality, collection, transparency, communication, and disclosure to third parties D Management, quality, communication, choice and consent, and access

B

What are the phases of a software development lifecycle process model? A Planning and requirements analysis, designing, defining, developing, testing, and maintenance B Planning and requirements analysis, defining, designing, developing, testing, and maintenance C Defining, planning and requirements analysis, designing, developing, testing, and maintenance D Planning and requirements analysis, defining, designing, testing, developing, and maintenance

B

What are the two biggest challenges associated with the use of IPSec in cloud computing environments? A Auditability and governance B Configuration management and performance C Training customers on how to use IPSec and documentation D Access control and patch management

B

What defines what the audit will produce? A Audit criteria for assessment B Deliverables C Scope of Audit D Audit Scope

B

What is Portability? A Ability to use cloud services on Mobile Devices. B Ability to change CSPs. C Measurement of Size. D Use of Cloud Services across multiple platforms.

B

What is a key capability of infrastructure as a service (IaaS)? A Hosted application management B Converged network and IT capacity pool C Leased application and software licensing D Multiple hosting environments

B

What is a security-related concern for a PaaS solution? A Data access and policies B System and resource isolation C Virtual machine attacks D Web application security

B

What is an association of organizations that come together to exchange appropriate information about their users and resources to enable collaborations and transactions called? A Identity repository B Federation C DAST D ONF

B

What is lock-in in reference to cloud services? A Access tools. B Proprietary roadblocks to changing CSPs. C Ability to change CSP with minimal changes to the environment. D SLA Commitment.

B

What is often a major challenge to getting both redundant power and communications utility connections? A Expense B Location of many datacenters C Personnel deployment D Carrying medium

B

What is one of the reasons a baseline might be changed? A Natural disaster B Numerous change requests C Power fluctuation D To reduce redundancy

B

What is the function of a secure kernel-based virtual machine? A Monitors transmission between the server and computer B Prevents data loss between the server and computer C Provides complete data center protection D Provides support to the virtual networking layer

B

What is the goal of business continuity management? A To recover elements of the business following a disaster B To assure the business operation continuity in the event of a disruption C To ensure that the business recover essential operations in the event of disaster D To quickly establish affected areas of the business after a disaster

B

What is the intellectual property protection for a very valuable set of sales leads? A Trademark B Trade secret C Copyright D Patent

B

What is the key issue associated with the object storage type that the CCSP has to be aware of? A Access control B Data consistency, which is achieved only after change propagation to all replica instances has taken place C Continuous monitoring D Data consistency, which is achieved only after change propagation to a specified percentage of replica instances has taken place

B

What is the lowest tier of datacenter redundancy, according to the Uptime Institute? A V B 1 C 4 D C

B

What is the purpose of using the Cloud Security Alliance cloud controls matrix? A To assure that adequate risk controls exist B To allow the cooperation in the CSPs and their customers C To perform capacity planning activities D To carry out session statistics usage information

B

What is used to dynamically allocate the cloud resources to maximize their use? A Cloud OS B Cloud controller C Virtual host D Hypervisor

B

What is used to separate the physical architecture of an organization when the security controls applied by the virtualization components seem to be weak? A Honeypot B Demilitarized zone C Intrusion detection system D Intrusion prevention system

B

What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks? A Management orchestration software B Management plane C Identity access management D Database management

B

What should private and public CSPs do to get isolated from other tenants? A Configure server and all the network devices. B Enable all application environments, customer data, and communication. C Enable virtual switches and storage controllers. D Configure kernel-based virtual machine.

B

What type of BCDR (Business Continuity and Disaster Recovery) strategy involves the selection of an additional deployment zone and recreation of the processing capacity on a different location? A Data Replication B Functionality Replication C File Replication D Database Replication

B

What type of security control alerts the administrator about the suspicious activities by monitoring the inbound and outbound packets from devices? A Host-based software firewall B Host intrusion detection system C Intrusion prevention system D Network intrusion detection system

B

What type of storage is used for swapping storage files? A Raw B Ephemeral C Long-term D Object

B

When crafting plans and policies for data archiving, we should consider all of the following, except: A The format of the data B Immediacy of the technology C Archive location D The backup process

B

When does an XSS flaw occur? A Whenever an application takes trusted data and sends it to a web browser without proper validation or escaping B Whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping C Whenever an application takes trusted data and sends it to a web browser with proper validation or escaping D Whenever an application takes untrusted data and sends it to a web browser with proper validation or escaping

B

When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed? A The directive applies to data processed by a natural person in the course of purely personal activities. B The directive applies to data processed by automated means and data contained in paper files. C The directive applies to data processed by automated means in the course of purely personal activities. D The directive applies to data processed in the course of an activity that falls outside the scope of community law, such as public safety.

B

When using an IaaS solution, what is a key benefit provided to the customer? A Transferred cost of ownership B Metered and priced usage on the basis of units consumed C The ability to scale up infrastructure services based on projected usage D Increased energy and cooling system efficiencies

B

When using maintenance mode, which two items are disabled and which item remains enabled? A Customer access and alerts are disabled while the ability to power on VMs remains enabled. B Customer access and alerts are disabled while logging remains enabled. C Customer access and logging are disabled while alerts remain enabled. D Logging and alerts are disabled while the ability to deploy new VMs remains enabled.

B

Where do the bare metal hypervisors run? A On software B On hardware C On a host OS D On a client OS

B

Where should the location be for the final data backup repository in the event that the disaster recovery plan is enacted for the CSP of disaster recovery (DR) service? A Local storage B Cloud platform C Company headquarters D Tape drive

B

Where would the monitoring engine be deployed when using a network-based DLP system? A On a VLAN B Near the organizational gateway C In the storage system D On a user's workstation

B

Which agreement is negotiated between internal business units within an organization? A Service-level B Operational-level C Underpinning contract D Business-level

B

Which body establishes optimal temperature and humidity levels? A ASHAE B ASHRAE C ASHAPE D ASHARE

B

Which cloud infrastructure is shared by several organizations and supports a specific population that has shared concerns (e.g., mission, security requirements, policy, compliance considerations)? A Public B Community C Hybrid D Private

B

Which cloud infrastructure is shared by several organizations with common concerns, such as mission, policy, or compliance considerations? A Private cloud B Community cloud C Public cloud D Hybrid cloud

B

Which cloud model provides data location assurance? A Hybrid B Private C Community D Public

B

Which cloud-specific risk must be considered when moving infrastructure operations to the cloud? A Natural disasters B Lack of physical access C Denial of service D Regulatory violations

B

Which component is among the highest risk component with respect to software vulnerabilities? A Control plane B Management plane C User plane D Data plane

B

Which countermeasure helps mitigate the risk of stolen credentials for cloud-based platforms? A Key management B Multifactor authentication C Data sanitization D Host lockdown

B

Which data protection technique involves twisting the information in such a way that it remains unintelligible, even if the source code is obtained? A Tokenization B Obfuscation C Anonymization D Encryption

B

Which data source provides auditability and traceability for event investigation as well as documentation? A Storage files B Packet capture C Network interference D Database tables

B

Which design principle of secure cloud computing involves deploying cloud service provider resources to maximize availability in the event of a failure? A Elasticity B Resiliency C Scalability D Clustering

B

Which encryption technique connects the instance to the encryption instance that handles all crypto operations? A Database B Proxy C Externally managed D Server-side

B

Which framework provides guidance for cloud vendors and assists the cloud customers to assess the overall security risk of a CSP? A CSA STAR B CSA CCM C ISO 28000:2007 D Common Criteria

B

Which intelligence agency's website was attacked by LulzSec on June 15, 2011? A FBI B CIA C NSA D CBI

B

Which is a software or hardware-based network security system that controls the incoming and outgoing network traffic based on an applied rule set? A IPS B Firewall C IDS D Honeypot

B

Which is not a part of the Management Plane? A Storage B Software C Hypervisor Type 1 D Hypervisor Type 2

B

Which is not a step in the BCDR continual process? A Define Scope B Auditing C Analyze D Assess Risk

B

Which is not associated with Federated ID Systems? A SAML B SAME C OpenID D OAuth

B

Which item is required in a cloud contract? A Specifications for unit testing B Penalties for failure to meet SLA C Strategy for the SDLC D Diagrams for data flow structures

B

Which item should be part of the legal framework analysis if a company wishes to store prescription drug records in a SaaS solution? A Sarbanes-Oxley Act B Health Insurance Portability and Accountability Act C Federal Information Security Modernization Act D U.S. Patriot Act

B

Which kind of Data Obfuscation method replaces Data with random values that can be mapped to actual data? A Transparency B Tokenization C Masking D Encryption

B

Which kind of SSAE report comes with a seal of approval from a certified auditor? A SOC 2 B SOC 3 C SOC 4 D SOC 1

B

Which logical design decision can be attributed to required regulation? A Database writes/second B Retention periods C Retention formats D Database reads/second

B

Which models allows the customer to choose\manage their software and operating systems? A PaaS B IaaS C DBaaS D SaaS

B

Which network functionality controls the amount of traffic sent or received as well as the number of API requests within a specified period? A Bandwidth allocation B Rate limiting C Access control D Filtering

B

Which of the following activities takes place in a secure operations phase of the software development lifecycle? A Static analysis B Dynamic analysis C Code review D Acceptance testing

B

Which of the following aids in the ability to demonstrate due diligence efforts? A Bollards B Security training documentation C HVAC placement D Redundant power lines

B

Which of the following are distinguishing characteristics of a managed service provider? A Have some form of a help desk but no NOC. B Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management. C Have some form of a NOC but no help desk. D Be able to remotely monitor and manage objects for the customer and reactively maintain these objects under management.

B

Which of the following are required for improving the level of assurance in cloud computing? Each correct answer represents a complete solution. Choose two. 1) Customer service 2) Service automation 3) Self-service A 1,2 B 2,3

B

Which of the following are storage types used with an IaaS solution? A Volume and block B Volume and object C Unstructured and ephemeral D Structured and object

B

Which of the following are the data classification categories? Each correct answer represents a complete solution. Choose three. 1) Obligation for retention and preservation 2)Ownership 3) Data type 4) Parameter type A 2,3,4 B 1,2,3

B

Which of the following are the virtualization risks? Each correct answer represents a complete solution. Choose three. 1) Guest breakout 2) Resource exhaustion 3) Sprawl 4) Isolation control failure 5) Snapshot and image security A 2,4,5 B 1,3,5

B

Which of the following best describes SAML? A A standard for exchanging usernames and passwords across devices B A standard for exchanging authentication and authorization data between security domains C A standard for developing secure application management logistics D A standard used for directory synchronization

B

Which of the following best describes data masking? A A method where the last few numbers in a dataset are not obscured. These are often used for authentication. B A method for creating similar but inauthentic datasets used for software testing and user training. C A method used to protect prying eyes from data such as social security numbers and credit card data. D Data masking involves stripping out all similar digits in a string of numbers so as to obscure the original number.

B

Which of the following best describes risk? A Everlasting B The likelihood that a threat will exploit a vulnerability C Transient D Preventable

B

Which of the following best describes the Organizational Normative Framework (ONF)? A A set of application security, and best practices, catalogued and leveraged by the organization B A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization C A container for components of an application's security, best practices, catalogued and leveraged by the organization D A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization

B

Which of the following best represents the definition of REST? A Built on protocol standards B Lightweight and scalable C Relies heavily on XML D Only supports XML output

B

Which of the following cloud characteristics explains that a cloud provides services to serve multiple clients according to their priority? A Measured service B Resource pooling C Rapid elasticity D Broad network access

B

Which of the following concerns does the "existing on-premise solution" BCDR scenario represent? A Evaluating a cloud service provider's BCDR B Using cloud as BCDR C Evaluating alternative CSP as BCDR

B

Which of the following encryption options establishes an encrypted link between a web server and a browser and ensures privacy and integrity of data on that link? A Secure socket shell B Secure socket layer C Virtual private network D IPsec gateway

B

Which of the following federation standards is an XML-based framework that allows the authentication, entitlement, and attribute information of the users communicating in a cloud? A OpenID Connect B SAML (Security Assertion Markup Language) C OAuth D WS-Federation

B

Which of the following frameworks focuses specifically on design implementation and management? A NIST 800-92 B ISO 31000:2009 C HIPAA D ISO 27017

B

Which of the following is a Type 1 hypervisor? A Virtual Box B Citrix XenServer C VMware Workstation D VMware Fusion

B

Which of the following is a drawback of cloud computing in which a customer depends on a dealer for products and services due to technical or nontechnical constraints? A Cryptographic erasure B Vendor lock-in C Resiliency D Data overwriting

B

Which of the following is a valid risk management metric? A SLA B KRI C KPI D SOC

B

Which of the following is application generated or imported through the application? A Content and File Storage B Information Storage and Management C Structured D Volume

B

Which of the following is considered a "white box" test? A DAST B SAST C Port Scanning D Pen Testing

B

Which of the following is considered a technological control? A Firing personnel B Firewall software C Fireproof safe D Fire extinguisher

B

Which of the following is considered an administrative control? A Keystroke logging B Access control process C Biometric authentication D Door locks

B

Which of the following is not a component of contractual PII? A Scope of processing B Value of data C Location of data D Use of subcontractors

B

Which of the following is not a risk management framework? A ISO 31000:2009 B Hex GBL C COBIT D NIST SP 800-37

B

Which of the following is not a way to manage risk? A Mitigating B Enveloping C Transferring D Accepting

B

Which of the following is used to distribute loads across physical devices? A Clustering B DRS C DNS D DO

B

Which of the following management recognizes, examines, and corrects hazards to prevent their occurrence in the future? A Problem Management B Incident Management C Continuity Management D Change Management

B

Which of the following methods is used for implementing volume storage encryption in an IaaS environment? A Application-level encryption B Proxy-based encryption C File-level encryption D Transparent encryption

B

Which of the following metrics provides the time required to finish the initiated or requested task? A Mean-time to switchover B Completion time C Response time D Instance startup time

B

Which of the following modes of encryption dependencies secures data while it navigates the CSP network or the Internet? A Encryption of data at rest B Encryption of data in transit C Data obfuscation

B

Which of the following processes seeks to exploit the vulnerabilities of a system by collecting the information related to system exposures? A Dynamic application security testing B Penetration testing C Vulnerability scanning D Vulnerability assessment

B

Which of the following security standards focuses on the protection of information assets and addresses the relevant risks by looking to the ISMS (Information Security Management System)? A SOC 1/SOC 2/SOC 3 B ISO/IEC 27001:2013 C ISO/IEC 27002:2013 D ISO/IEC 27017:2015

B

Which of the following statements is true of key management? A Uses key management interoperability protocol to generate keys B Includes generation of random number of keys C Manages keys within an encryption engine D Used in file-level encryption

B

Which of the following techniques for ensuring cloud datacenter storage resiliency uses encrypted chunks of data? A RAID B Data dispersion C SAN D Cloud-bursting

B

Which of the following techniques for ensuring cloud datacenter storage resiliency uses parity bits and disk striping? A Cloud-bursting B RAID C Data dispersion D SAN

B

Which of the following technologies is used to ensure that secure API (Application Programming Interface) access? A Virtual private network B Message-level crypto-access C Data loss prevention D ID.AM (Identity—Asset Management)

B

Which of the following terms is not associated with cloud forensics? A Analysis B Plausibility C Chain of custody D eDiscovery

B

Which phase forms the security and foundation for IAM (Identity and Access Management) within the cloud environment? A Privileged user management B Authentication and access management C Provisioning and deprovisioning D Centralized directory services

B

Which phase of the cloud data security life cycle typically occurs simultaneously with creation? A Share B Store C Use D Destroy

B

Which process verifies untested and untrusted codes in a controlled cloud environment? A Application virtualization B Sandboxing C Data masking D Supply chain management

B

Which regulation in the United States defines the requirements for a CSP to implement and report on internal accounting controls? A HIPAA B SOX C FERPA D GDPR

B

Which regulation requires a CSP to comply with copyright law for hosted content? A SCA B DMCA C SOX D GLBA

B

Which requirement is included when exceptions, restrictions, and potential risks are highlighted in a cloud services contract? A Virtual machine and operating system B Regulatory and compliance C Load balancer algorithm D Stockholder expectations

B

Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations? A Metered usage B Cross-training C Raised floors D Proper placement of HVAC temperature measurements tools

B

Which risk is related to interception of data in transit? A Virtualization B Man-in-the-middle C Software vulnerabilities D Traffic blocking

B

Which security technology can provide secure network communications from on-site enterprise systems to a cloud platform? A Domain name system security extensions (DNSSEC) B Internet protocol security (IPSec) virtual private network (VPN) C Web application firewall (WAF) D Data loss prevention (DLP)

B

Which standard applies to Credit Card Processing? A SOX B PCI DSS C PIC DSS D HIPPA

B

Which step of the BCDR Continual Process uses the RPO and RTO to determine what is needed in BCDR planning? A Asses Risk B Gather Requirements C Analyze D Define Scope

B

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data? A Dynamic masking B Format-preserving encryption C Proxy-based encryption D Tokenization

B

Which technology improves the ability of the transport layer security (TLS) to ensure privacy when communicating between applications? A Whole-disk encryption B Advanced application-specific integrated circuits (ASICs) C Virtual private networks (VPNs) D Volume encryption

B

Which type of agreement aims to negotiate policies with various parties in accordance with the agreed-upon targets? A Privacy-level (PLA) B Service-level (SLA) C User license (ULA) D Operation-level (OLA)

B

Which type of cloud deployment model is considered equivalent to a traditional IT architecture? A Public B Private C Hybrid D Community

B

Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives? A Database management software B Open source software C Secure software D Proprietary software

B

Who among the following allocates cloud service connection and transportation between the CSPs and the cloud service consumers? A CSB B Cloud carrier C Cloud developer D Cloud operator

B

Who holds the identity of all the users and generates tokens for known users? A Identity repository B Federated identity provider C Federated SSO (Single Sign-On) D Identity management

B

Who publishes the optimal temperature and humidity levels for data centers? A ASHR B ASHRAE C BICSI D NFPA

B

Why is eDiscovery difficult in the cloud? A The process is time consuming. B The client may lack the credentials to access the required data. C The customer is responsible for their data on a multitenant system. D The cloud service provider may lack sufficient resources.

B

Why will cloud providers be unlikely to allow physical access to their datacenters? A They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access. B They want to enhance security by keeping information about physical layout and controls confidential. C Most datacenters are inhospitable to human life, so minimizing physical access also minimizes safety concerns. D They want to minimize traffic in those areas, to maximize efficiency of operational personnel.

B

With whom does a service provider dictate both the technology and the operational procedures being made available to the cloud consumer? A Cloud computing reseller B Cloud service provider C Cloud services brokerage D Managed service provider

B

No wasted resources Easy and inexpensive setup Scalability to meet customer needs

Benefits of the public cloud deployment model

Application and software licensing Overall reduction of costs Reduced support costs

Benefits provided by SaaS for the applications accessible by clients anywhere

Host hardening Host patching Secure build Secure initial configuration

Best practice recommendations to secure host servers within a cloud environment

Usually involves splitting up and storing encrypted information across different cloud storage services.

Bit Splitting

A blank volume that the customer or user can put anything into and it might allow more flexibility and higher performance.

Block storage

Data labels could include all the following, except: A Distribution limitations B Access restrictions C Multifactor authentication D Confidentiality level

C

Data masking can be used to provide all of the following functionality, except: A Enforcing least privilege B Test data in sandboxed environments C Authentication of privileged users D Secure remote access

C

Database activity monitoring (DAM) can be: A Used in the place of encryption B Used in place of data masking C Host-based or network-based D Server-based or client-based

C

Deviations from the baseline should be investigated and ________. A Revealed B Encouraged C Documented D Enforced

C

An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems.

Business Impact Analysis (BIA)

We determine a value for every asset (usually in terms of dollars), what it would cost the organization if we lost that asset (either temporarily or permanently), what it would cost to replace or repair that asset, and any alternate methods for dealing with that loss.

Business Impact Analysis (BIA)

______________ efforts are concerned with maintaining critical operations during any interruption in service, whereas disaster recovery efforts are focused on the resumption of operations after an interruption due to disaster.

Business continuity

Dynamic application security testing (DAST) is best described as which of the following? A Masking B Test performed on an application or software product while being consumed by cloud customers C Test performed on an application or software product while it is being executed in memory in an operating system D Test performed on an application or software product while it is using real data in production

C

Gap analysis is performed for what reason? A To assure proper accounting practices are being used B To provide assurances to cloud customers C To begin the benchmarking process D To ensure all controls are in place and working properly

C

Gathering business requirements can aid the organization in determining all of this information about organizational assets, except: A Criticality B Value C Usefulness D Full inventory

C

How is data in the cloud typically sanitized? A Destruction B Shredding C Overwriting D Degaussing

C

In addition to battery backup, a UPS can offer which capability? A Confidentiality B Communication redundancy C Line conditioning D Breach alert

C

In which cloud deployment model are all infrastructure-level logs visible to the CCSP as detailed application logs? A NaaS B SaaS C IaaS D PaaS

C

In which cloud service model is the customer required to maintain the OS? A SaaS B PaaS C IaaS D CaaS

C

In which of the following threats does an illicit denial of an event occur? A Denial of service B Insiders C Repudiation D Insufficient due diligence

C

Legal controls refer to which of the following? A ISO 27001 B NIST 800-53r4 C Controls designed to comply with laws and regulations related to the cloud environment D PCI DSS

C

McDonald's is using a slogan "I'm lovin' it" over the last five decades, which has a strong right or law attached to it. What is that right or law? A Tort law B The doctrine of the proper law C Intellectual property right D Restatement conflict of law

C

Risk appetite for an organization is determined by which of the following? A Contractual agreement B Legislative mandates C Senior management D Appetite evaluation

C

Sandboxing provides which of the following? A A testing environment that prevents isolated code from running in a nonproduction environment. B A test environment that isolates untrusted code changes for testing in a production environment. C A test environment that isolates untrusted code changes for testing in a nonproduction environment. D A testing environment where new and experimental code can be tested in a nonproduction environment.

C

The cloud customer's trust in the cloud provider can be enhanced by all of the following except: A Audits B SLAs C Real-time video surveillance D Shared administration

C

The key areas of performance metrics are: A Storage and Processing B CPU, Memory, Capacity, and Bandwidth C CPU, Memory, Disk, and Networking D Storage, Processing, Networking

C

This concept affords the right to look at things anonymously and to be "forgotten" by a system when you leave. A Integrity B Access C Privacy D Confidentiality

C

This type of storage typically uses APIs or network requests: A Structured B Volume C Object D Unstructured

C

Tokenization requires two distinct ______________. A Personnel B Encryption keys C Databases D Authentication factors

C

Vulnerability testing where you have knowledge of the systems involved is called? A Hybrid B DAST C SAST D Pen

C

Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like: A Syn floods B Password cracking C XSS and SQL injection D Ransomware

C

What are the four cloud deployment models? A External, private, hybrid, and community B Public, internal, hybrid, and community C Public, private, hybrid, and community D Public, private, joint, and community

C

What are the four elements that a data retention policy should define? A Retention periods, data formats, data security, and data destruction procedures B Retention periods, data formats, data security, and data communication procedures C Retention periods, data formats, data security, and data retrieval procedures D Retention periods, data access methods, data security, and data retrieval procedures

C

What are the six stages of the cloud secure data lifecycle? A Create, archive, use, share, store, and destroy B Create, use, store, share, archive, and destroy C Create, store, use, share, archive, and destroy D Create, share, store, archive, use, and destroy

C

What is a key capability of security information and event management? A Intrusion prevention capabilities B Automatic remediation of issues C Centralized collection of log data D Secure remote access

C

What is a key characteristic of a honeypot? A Composed of physical infrastructure B Composed of virtualized infrastructure C Isolated, monitored environment D Isolated, nonmonitored environment

C

What is called as the process of intended permanent destruction of the data keys? A Sanitization B Encryption C Crypto-shredding D Degaussing

C

What is the biggest concern for migration of services during BCDR? A Security B Resources C Location D Vendor Lockin

C

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? A AES B Link encryption C Homomorphic encryption D One-time pads

C

What is the function of a controller? A To perform operations upon personal data B To perform data-protection C To determine the ways of processing personal data D To replace sensitive data with unique symbols

C

What is the function of the BIA (Business Impact Analysis)? A To identify procedures to minimize the RTO B To measure the amount of computing power needed to recover the system C To determine the business recovery strategy by calculating the RTO and RPO D To evaluate the effects of business failover

C

What is the intellectual property protection for the logo of a new video game? A Copyright B Trade secret C Trademark D Patent

C

What is the process of allocating the cloud provider's services and application to the customers for utilizing them? A Cloud migration B Cloud enablement C Cloud provisioning D Cloud portability

C

What kind of relationship exists between organizational and application normative framework? A Many-to-many B One-to-one C One-to-many D Many-to-one

C

What should be the primary focus of datacenter redundancy and contingency planning? A Power and HVAC B Critical path/operations C Health and human safety D Infrastructure supporting the production environment

C

Where should the DLP (Data Leakage Prevention) engine be installed in a DIU (Data in use) topology of data lifecycle? A On the file server B On the gateway C On a user's workstation and endpoint devices D On the application server

C

Which ISAE Report is run over a pre-defined period of time usually six months. A Aged Reports B Type 3 Reports C Type 2 Reports D Type 1 Reports

C

Which ISO standard refers to addressing security risks in a supply chain? A ISO 31000:2009 B ISO 27001 C ISO/IEC 28000:2007 D ISO 18799

C

Which approach is considered a black-box security testing method? A Static application security testing B Binary code inspection C Dynamic application security testing D Source code review

C

Which artifact may be required as a data source for a compliance audit in a cloud environment? A Customer SLAs B Quarterly revenue projections C Change management details D Annual actual-to-budgeted expense reports

C

Which artifact may be required as a data source for a regulatory compliance audit (i.e., HIPAA, PCI-DSS) in a cloud environment? A System performance benchmarks B Annual actual-to-budgeted expenses C System configuration details D Quarterly revenue projections

C

Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan? A Continuity planning B Costs will remain the same C Level of resiliency D Provider's history

C

Which cloud computing technology unlocks business value through digital and physical access to maps? A Multitenancy B Cloud application C Application programming interface D On-demand self-service

C

Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring? A Data loss prevention (DLP) B Content delivery network (CDN) C Cloud access security broker (CASB) D Web application firewall (WAF)

C

Which cloud model allows the consumer to have sole responsibility for management and governance? A Hybrid B Community C Private D Public

C

Which consideration should be taken into account when reviewing a cloud service provider's risk of potential outage time? A The type of database B The amount of cloud service offerings C The unique history of the provider D The provider's support services

C

Which countermeasure enhances redundancy for physical facilities hosting cloud equipment during the threat of a power outage? A Tier 2 network access providers B Radio frequency interference (RFI) blocking devices C Multiple and independent power circuits to all racks D Automated license plate readers (ALPR) at entry points

C

Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data? A Backup B Caching C Archiving D Saving

C

Which data-protection policies moves data that is no longer used to a separate storage device for long-term maintenance? A Data-retention B Data classification C Data-archiving D Data-deletion

C

Which detection and analysis technique is performed to capture a point-in-time picture of the entire stack at the time of an incident? A Collect metadata during alert B Examine configuration data C Create a snapshot using API calls D Review data access logs

C

Which determines the effectiveness of controls in an Audit? A Lessons Learned B Reporting C A final Audit report D Gap Analysis

C

Which document addresses CSP issues such as guaranteed uptime, liability, penalties, and dispute mediation process? A General data protection regulation (GDPR) B Service organization control 3 (SOC 3) C Service level agreement (SLA) D Common criteria assurance framework (CC)

C

Which element is protected by an encryption system? A Ciphertext B Management engine C Data D Public key

C

Which expenditure has minimized an organization's requirements of purchasing systems and resources? A Revenue B Deferred revenue C Operational D Capital

C

Which form of BC/DR testing has the least impact on operations? A Full test B Dry run C Tabletop D Structured test

C

Which identity management process targets access to enterprise resources by ensuring that the identity of an entity is verified? A Provisioning B Federation C Authentication D Policy management

C

Which is a PII law specifically for financial institutions? A GBLA B PCI DSS C GLBA D GLIBA

C

Which is an act enforced by the Securities Exchange Commission (SEC)? A Safe Harbor B SCA C SOX D SEC

C

Which is not a Critical Success Factor? A CSP responsibilities B Order of restoration C Identification of need to remove backups D Customer responsibilities

C

Which is not a part of the BCDR Continual Process? A Report B Analyze C Gather Resources D Revise

C

Which is the internationally accepted standard for eDiscovery? A ISO\IEC 27055A B ISO\IEC 20750A C ISO\IEC 27050 D ISO\IEC 27055

C

Which issue can be detected with static application security testing (SAST)? A Authentication B Performance C Threading D Malware

C

Which issue occurs when a web browser is sent data without proper validation? A Insecure direct object access (IDOA) B Cross-site request forgery (CSRF) C Cross-site scripting (XXS) D Lightweight directory access protocol (LDAP) injection

C

Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals? A Stored communications act (SCA) B Health insurance portability and accountability act (HIPAA) C Gramm-Leach-Bliley act (GLBA) D Sarbanes-Oxley act (SOX)

C

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider? A SOC 2 Type 2 B SOC 1 Type 1 C SOC 3 D SOC 1 Type 2

C

Which method is being used when a company evaluates the acceptable loss exposure associated with a cloud solution for a given set of objectives and resources? A Business impact analysis B Business continuity planning C Risk appetite D Risk management

C

Which models provides the least amount of configuration options? A IaaS B PaaS C SaaS D DBaaS

C

Which models requires the customer to perform their own patching of systems. A SaaS B PaaS C IaaS D DBaaS

C

Which multi-factor authentication (MFA) option uses a physical universal serial bus (USB) device to generate one-time passwords? A Transaction authentication numbers B Biometrics C Hard tokens D Out-of-band passwords

C

Which of the following SOC report subtypes spans a period of time? A SOC 3 B SOC 1 C Type II D SOC 2

C

Which of the following allows logical isolation of hosts on a network? A DNS B TLS C VLAN D IPSec

C

Which of the following applies to the Stored Communications Act (SCA)? A It's in bad need of updating. B It's old. C All of these D It's unclear with regard to current technologies.

C

Which of the following best describes a cloud carrier? A The person or entity responsible for transporting data across the Internet B A person or entity responsible for making a cloud service available to consumers C The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers D The person or entity responsible for keeping cloud services running for customers

C

Which of the following best describes the purpose and scope of ISO/IEC 27034-1? A Provides an overview of network and infrastructure security designed to secure cloud applications B Serves as a newer replacement for NIST 800-53 r4 C Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security D Describes international privacy standards for cloud computing

C

Which of the following cloud storages allows users to share and sync data stored on a mobile device? A Public B Private C Personal D Mobile

C

Which of the following cloud threats is described in the statement below? "If a multitenant cloud service database is not properly designed, a flaw in one client's application can allow an attacker access not only to that client's data but to every other client's data as well." A Insecure APIs B Abuse of cloud services C Data breach D Insufficient due diligence

C

Which of the following frameworks identifies the top 8 security risks based on likelihood and impact? A NIST 800-53 B COBIT C ENISA D ISO 27000

C

Which of the following guidelines includes the given concepts? -National privacy strategies -Privacy management programs -Data security breach notification A OAuth B ANF C OECD D ONF

C

Which of the following input entities of data classification are required to follow a specific process of incident management activating measures to limit the damage to the concerned data? A Data retention constraints B Scope and purpose of the processing C Data breach constraints D Categories of users allowed

C

Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer's trust in the provider? A Site visit access B Backend administrative access C Audit and performance log data D SOC 2 Type 2

C

Which of the following is a plan to fix or mitigate all findings from an audit? A Fixpack B Mitigation C Remediation D Patching

C

Which of the following is a risk management option that halts a business function? A Acceptance B Transference C Avoidance D Mitigation

C

Which of the following is a technology that provides a shared resource pool, managed to maximize the number of guest operating systems? A Scalability B Rapid elasticity C Virtualization D Hypervisor

C

Which of the following is not a cloud deployment model? A Private B Public C Open D Hybrid

C

Which of the following is not a component of the of the STRIDE model? A Repudiation B Spoofing C External pen testing D Information disclosure

C

Which of the following is not a feature of SAST? A Highly skilled, often expensive outside consultants B "White-box" testing C Team-building efforts D Source code review

C

Which of the following is not an access control? A Developer access B Building access C Random access D Customer access

C

Which of the following is not an aspect of physical security that ought to be considered in the planning and design of a cloud datacenter facility? A Vehicular approach/traffic B Perimeter C Elevation of dropped ceilings D Fire suppression

C

Which of the following is not part of the STRIDE model? A Spoofing B Tampering C Resiliency D Information disclosure

C

Which of the following is the least challenging with regard to eDiscovery in the cloud? A Complexities of International law B Decentralization of data storage C Forensic analysis D Identifying roles such as data owner, controller, and processor

C

Which of the following processes involves migration of an application with minimal code changes? A Sandboxing B Data Masking C Forklifting D Tokenization

C

Which of the following protocols uses the X.509 certificates for authenticating a connection and exchanging the symmetric keys over a network? A DNS B Kerberos C TLS D TCP

C

Which of the following software configuration management tools integrates during building, deploying, and managing infrastructure? A Puppet B SVN C Chef D CVS

C

Which of the following threats occurs due to the loss of relevant encryption keys? A Insider B Service traffic hijacking C Data loss D Data breach

C

Which organization focuses on enhancing the need to protect privacy using personal data using a practical, risk-management-based approach? A General Data Protection Regulation B Asia-Pacific Economic Cooperation C Organization for Economic Cooperation and Development D EU data protection directive

C

Which phase of the cloud data life cycle is associated with crypto-shredding? A Share B Use C Destroy D Store

C

Which phase of the cloud data life cycle uses content delivery networks? A Destroy B Archive C Share D Create

C

Which phase of the software development life cycle includes determining the business and security requirements for the application to occur? A Designing B Developing C Defining D Testing

C

Which problem is known as a common supply chain risk? A Domain spoofing B Runtime application self-protection C Data breaches D Source code design

C

Which process prevents the environment from being over-controlled by security measures to the point where application performance is impacted? A Trusted cloud initiative (TCI) B Community cloud C Quality of service (QoS) D Private cloud

C

Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties? A Authentication B Discovery by design C Native production D Direct access

C

Which risk is associated with malicious and accidental dangers to a cloud infrastructure? A Regulatory noncompliance B Natural disasters C Personnel threats D External attacks

C

Which security testing approach is used to review source code and binaries without executing the application? A Regression testing B Dynamic application security testing C Static application security testing D Fuzz testing

C

Which security threat occurs when a developer leaves an unauthorized access interface within an application after release? A Deprecated API B Easter egg C Persistent backdoor D Development operations

C

Which service model influences the logical design by using additional measures in the application to enhance security? A Hybrid cloud B Public cloud C Software as a service (SaaS) D Platform as a service (PaaS)

C

Which technique helps to analyze the data itself in content analysis method? A Using data masking B Using tokenization technique C Using hashing technique D Using indexed sequential access method

C

Which technique safeguards the system against newly found vulnerabilities to provide additional functionalities? A Risk management B Configuration management C Patch management D Change management

C

Which technology is used to manage identity access management by building trust relationships between organizations? A Single sign-on B Multifactor authentication C Federation D Biometric authentication

C

Which technology typically provides security isolation in infrastructure as a service (IaaS) cloud computing? A Application instance B System image repository C Virtual machines D Operating systems

C

Which testing methodology is run against systems that can tune their focus of security? A DAST B REST C RASP D SAST

C

Which type of control is important in order to achieve compliance for risk management? A Technical B Validation C Security D Privacy

C

Who among the following acts as a middleman between CSPs and their customers to facilitate the customers with the best provider? A Cloud service auditor B Cloud computing reseller C Cloud services brokerage D Cloud backup service provider

C

Who among the following has the privilege to access the management plane to remotely manage the hosts in a cloud environment? A Server operator B Power user C Administrator D Local user

C

RFCs are approved by? A Managers B Committee C CAB D Supervisors

C - CAB (Change Advisory Board)

Which of the following provides privacy protections for certain electronic communication and computing services from unauthorized access or interception? A HIPAA B SOX C SCA D GLBA

C - SCA (Stored Communications Act)

What is the federal agency that accepts applications for new patents? A SEC B OSHA C USPTO D USDA

C - The U.S. Patent and Trademark Office

What is the difference between BC and BCM?

BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. BCM provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

_____________ usually deals with modifications to the network, such as the acquisition and deployment of new systems and components and the disposal of those taken out of service.

Change management

Multitenancy Virtualization technology Cloud management plane

Characteristics of cloud computing that can affect the logical design of a data center

BC/DR backup plan in which the provider is responsible for determining the location and configuration of the backup and for assessing and declaring disaster events.

Cloud operations, cloud provider as backup:

BC/DR backup plan in which the cloud provider hosts regular operations and the customer opts for contingency operations to distribute risks.

Cloud operations, third-party cloud backup provider

A service provider who offers customers storage or software solutions available via a public network, usually the Internet.

Cloud provider

Someone who determines when and how a private cloud meets the policies and needs of an organization's strategic goals and contractual requirements from a technical perspective. Also responsible for designing the private cloud, being involved in hybrid cloud deployments and instances, and having a key role in understanding and evaluating technologies, vendors, services, and other skillsets needed to deploy the private cloud or to establish and function the hybrid cloud components.

Cloud Architect

A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center.

Cloud Backup Service Provider

Enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup.

Cloud Backup Solutions

A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications.

Cloud Computing

Accounting software that is hosted on remote servers.

Cloud Computing Accounting Software

A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers.

Cloud Computing Reseller

Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant service-level agreements (SLAs) and that the storage components are functioning according to their specified requirements.

Cloud Data Architect

A database accessible to clients from the cloud and delivered to users on demand via the Internet.

Cloud Database

Provides a cloud computing solution to a limited number of individuals Threats: Loss of policy control and physical control and lack of audit access

Community cloud

Focuses on development for the cloud infrastructure. This role can vary from client tools or solutions engagements through systems components. Although developers can operate independently or as part of a team, regular interactions with cloud administrators and security practitioners are required for debugging, code reviews, and relevant security assessment remediation requirements.

Cloud Developer

The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: cloud provider, client, and application.

Cloud Enablement

Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help to ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services.

Cloud Management

The process of transitioning all or part of a company's data, applications, and services from onsite premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis.

Cloud Migration

IaaS PaaS

Cloud Models that use the Structured vs Unstructured storage types

A phrase frequently used in place of platform as a service (PaaS) to denote an association to cloud computing.

Cloud Operating System (OS)

The ability to move applications and their associated data between one cloud provider and another or between public and private cloud environments. The ability to move applications and associated data between one cloud provider and another, or between legacy and cloud environments.

Cloud Portability

The deployment of a company's cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite behind the firewall or in the private cloud.

Cloud Provisioning

A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud.

Cloud Server Hosting

Owns the datacenter, manages the resources, monitors services, and provides administrative assistance

Cloud Service Provider (CSP)

Provides administrative assistance for the customer and the customer's data and processing needs. Examples include Amazon Web Services, Rackspace, and Microsoft's Azure.

Cloud Service Provider (CSP)

Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers (CSPs). It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services.

Cloud Services Brokerage (CSB)

The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud.

Cloud Storage

Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions.

Cloud Testing

-Poor documentation is a slow, methodical process that does not add to functionality or performance. -It allows tenants to access the organization's data through inadvertent data bleeding. -Even though some apps will eventually run successfully in the cloud, they may require configuration changes in order to work effectively.

Cloud application deployment pitfall issues

Describes the main characteristics relevant to cloud computing and its customers.

Cloud computing certification

Refers to the organization purchasing, leasing, or renting cloud services

Cloud customer

The legal protection for expressions of ideas is known as "copyright" and it doesn't include ideas, specific words, slogans, recipes, or formulae.

Copyright

The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation.

Corporate Governance

Single Sign On works by issuing: A Passwords B IDs C Tickets D Tokens

D

The Sarbanes-Oxley Act is enforced by: A SPA B FED C SOX D SEC

D

The application normative framework is best described as which of the following? A A superset of the ONF B The complete ONF C A stand-alone framework for storing security practices for the ONF D A subset of the ONF

D

The baseline should cover which of the following? A All regulatory compliance requirements B A process for version control C Data breach alerting and reporting D As many systems throughout the organization as possible

D

The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement? A Community cloud B SaaS C PaaS D IaaS

D

The cloud deployment model that features organizational ownership of the hardware and infrastructure, and usage only by members of that organization, is known as: A Public B Hybrid C Motive D Private

D

The following are Data States as referred to by DLP except: A Data in Transit B Data in use C Data at rest D Data in transmission

D

The following are possible authentication factors except: A Username\Password B Token C Biometric D SSO

D

The generally accepted definition of cloud computing includes all of the following characteristics except: A On-demand services B Measured or metered service C Resource pooling D Negating the need for backups

D

The goals of DLP solution implementation include all of the following, except: A Data discovery B Data Loss Mitigation C Policy enforcement D Elasticity

D

The process of hardening a device should include which of the following? A Encrypting the OS B Performing thorough personnel background checks C Using video cameras D Updating and patching the system

D

This regulation allows American and EU PII exchange without requiring American Entities to follow EU PII Laws. A EU B HIPPA C SOX D Safe Harbor

D

This type of attack attempts to identify known holes in the security systems. A Pen Testing B SAST C DAST D Vulnerability Scanning

D

This type of storage is a virtual hard drive attached to a virtual host: A Content and File Storage B Information Storage and Management C Structured D Volume

D

To protect data on user devices in a BYOD environment, the organization should consider requiring all of the following, except: A DLP agents B Local encryption C Multifactor authentication D Two-person integrity

D

User access to the cloud environment can be administered in all of the following ways except: A Customer directly administers access B Third party provides administration on behalf of the customer C Provider provides administration on behalf of the customer D Customer provides administration on behalf of the provider

D

What are third-party providers of IAM functions for the cloud environment? A SIEMs B AESs C DLPs D CASBs

D

What defines what is to be covered in the audit? A Requirements for the Audit B Audit Statement C Audit report D Scope of audit

D

What does the doctrine of the proper law refer to? A The proper handling of eDiscovery materials B The determination of what law will apply to a case C The law that is applied after the first law is applied D How jurisdictional disputes are settled

D

What is a key component of the infrastructure as a service (IaaS) cloud service model? A Allows choice and reduces lock-in B Supports multiple languages and frameworks C Ease of use and limited administration D High reliability and resilience

D

What is a key method associated with a risk-based approach to business continuity planning? A Applying internal authentication and credential passing B Leveraging software-defined networking C Using existing network technology D Considering the degree of continuity required for assets

D

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first? A Polyinstantiation B Quantum-state C Gastronomic D Homomorphic

D

What is defined as an information used for distinguishing and tracing the identity of an individual? A e-Discovery B IAM (identity and access management) C IRM (information rights management) D PII (personally identifiable information)

D

What is the amount of fuel that should be on hand to power generators for backup datacenter power, in all tiers, according to the Uptime Institute? A As much as needed to ensure all systems may be gracefully shut down and data securely stored B 1 C 1,000 gallons D 12 hours

D

What is the first international set of privacy controls in the cloud? A ISO/IEC 27032 B ISO/IEC 27005 C ISO/IEC 27002 D ISO/IEC 27018

D

What is the intellectual property protection for a confidential recipe for muffins? A Trademark B Patent C Copyright D Trade secret

D

What is the intellectual property protection for a useful manufacturing innovation? A Trademark B Trade secret C Copyright D Patent

D

What is the purpose of using puppet configuration management system? A To address the security of data while the data crosses the network B To poll for latest state and policy of the network C To plan the quality-assurance requirements and identify the risks related to the system D To define the state of IT infrastructure and then automatically enforcing the correct state

D

What is the risk left over after controls and countermeasures are put in place? A High B Null C Pertinent D Residual

D

What should a CCSP do to assure and perform proper auditing on VMs and hypervisors? A Understand configuration management architecture B Verify system updates according to organizational policy C Verify hypervisor configuration according to remote access policy D Verify hypervisor configuration according to organizational policy

D

What type of redundancy can we expect to find in a datacenter of any tier? A Full power capabilities B All operational components C All infrastructure D Emergency egress

D

When deciding whether to apply specific updates, it is best to follow ________, in order to demonstrate due care. A Internal policy B Competitors' actions C Regulations D Vendor guidance

D

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is: A Many states have data breach notification laws. B Breaches can cause the loss of proprietary data. C Breaches can cause the loss of intellectual property. D Legal liability can't be transferred to the cloud provider.

D

When the partnership is aborted, which policy should be clearly documented and communicated to effectively and efficiently terminate the partner's access to cloud-based resources? A On-boarding B Checkout C Termination D Off-boarding

D

Which SOC 2 report would be run to determine if security controls are suitable based on design and intent. A Type 2 Reports B Type 3 Reports C Aged Reports D Type 1 Reports

D

Which STRIDE component involves disputes? A Denial of Service B Spoofing Identity C Tampering with Data D Repudiation

D

Which aspect of business continuity planning considers the alternatives to be used when there is a complete loss of the provider? A Managing plane controls B Ensuring resiliency C Managing cloud provider outages D Considering portability options

D

Which assessment is carried out when appropriate amount of data is not available in an organization to assist the risk assessment, and estimates are used to express risk? A Security assessment B Vulnerability assessment C Quantitative risk assessments D Qualitative risk assessments

D

Which attack vector is associated with cloud infrastructure? A Seizure and examination of a physical disk B Licensing fees tied to the deployment of software based on a per-CPU licensing model C Data storage locations in multiple jurisdictions D Compromised API credentials

D

Which characteristic of automated patching makes it attractive? A Cost B Capability to recognize problems quickly C Noise reduction D Speed

D

Which cloud computing tool may help detect data migrations to cloud services? A Uniform resource locator (URL) filtering B Cloud security gateways C Cloud data transfer D Data loss prevention

D

Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security? A Randomization B Obfuscation C Anonymization D Tokenization

D

Which cloud deployment model enhances cloud bursting that allows its users to utilize public cloud resources when the workload of private cloud reaches maximum capacity? A Public B Private C Community D Hybrid

D

Which cloud deployment model is operated for a single organization? A Consortium B Hybrid C Public D Private

D

Which cloud security control is a countermeasure for man-in-the-middle attacks? A Backing up data offsite B Reviewing log data C Using block data storage D Encrypting data in transit

D

Which cloud service allows its customers to deploy applications created using the tools supported by the provider onto the cloud infrastructure? A SaaS B XaaS C IaaS D PaaS

D

Which control helps mitigate the risk of sensitive information leaving the cloud environment? A Web application firewall (WAF) B Disaster recovery plan (DRP) C Identity and access management (IAM) D Data loss prevention (DLP)

D

Which countermeasure mitigates the risk of a rogue cloud administrator? A Multifactor authentication B Data encryption C Platform orchestration D Logging and monitoring

D

Which data retention method is stored with a minimal amount of metadata storage with the content? A File system B Redundant array C Object-based D Block-based

D

Which data source provides auditability and traceability for event investigation as well as documentation? A Network segmentation B Ephemeral storage C Database schema D Virtualization platform logs

D

Which design principle of secure cloud computing ensures that users can utilize data and applications from around the globe? A Portability B Scalability C On-demand self-service D Broad network access

D

Which group is legally bound by the general data protection regulation (GDPR)? A Only corporations located in countries that have adopted the GDPR standard B Only corporations headquartered in the EU C Only corporations that have operations in more than one EU nation D Only corporations that processes the data of EU citizens

D

Which hypervisor malicious attackers would prefer to attack? A Type 1 B Type 4 C Type 3 D Type 2

D

Which international standard guide provides procedures for incident investigation principles and processes? A ISO/IEC 27034-1:2011 B ISO/IEC 27037:2012 C ISO/IEC 27001:2013 D ISO/IEC 27043:2015

D

Which is NOT a benefit of PaaS? A Cost Effectiveness B Flexibility C Choice of Environments D High Cost

D

Which is a cloud service model category? A DBaaS B XaaS C BaaS D PaaS

D

Which is not necessarily related directly privacy? A Safe Harbor B HIPPA C GLBA D SOX

D

Which is the correct order of the Cloud Secure Data Lifecycle? A Create, Use, Store, Share, Archive, Destroy B Create, Store, Share, Use, Archive, Destroy C Create, Share, Store, Use, Archive, Destroy D Create, Store, Use, Share, Archive, Destroy

D

Which jurisdictional data protection includes dealing with the international transfer of data? A Financial modernization B Secure choice authorization (SCA) C Sarbanes-Oxley act (SOX) D Privacy regulation

D

Which jurisdictional data protection safeguards protected health information (PHI)? A Directive 95/46/EC B Safe harbor regime C Personal Data Protection Act of 2000 D Health Insurance Portability and Accountability Act (HIPAA)

D

Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it? A SOC 1 Type 1 B SOC 3 C SOC 1 Type 2 D SOC 2 Type 2

D

Which kind of SSAE audit reviews controls dealing with the organization's controls for assuring the confidentiality, integrity, and availability of data? A SOC 3 B SOC 4 C SOC 1 D SOC 2

D

Which kind of hypervisor would malicious actors prefer to attack, ostensibly because it offers a greater attack surface? A Cat IV B Converged C Bare metal D Type II

D

Which method should the cloud consumer use to secure the management plane of the cloud service provider? A Network access control list B Disablement of management plane C Agent-based security tooling D Credential management

D

Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model? A Sandbox encryption B Polymorphic encryption C Client-side encryption D Whole-instance encryption

D

Which of the following Acts consists of the given sections? -The financial privacy -The safeguards rule -The pretexting provisions A SCA B SOX C HIPAA D GLBA

D

Which of the following best describes SAST? A A set of technologies that analyze application bit code, and binaries for coding and design problems that would indicate a security problem or vulnerability B A set of technologies that analyze application source code, and bit code for coding and design problems that would indicate a security problem or vulnerability C A set of technologies that analyze application source code for coding and design problems that would indicate a security problem or vulnerability D A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability

D

Which of the following best describes data masking? A Data masking is used in place of production data. B Data masking is used in place of encryption for better performance. C Data masking is used to hide PII. D Data masking is used to create a similar, inauthentic dataset used for training and software testing.

D

Which of the following capabilities to IRM (Information Rights Management) solution confirms the content delivery and offers proof of compliance with an organization's information security policy? A Automatic expiration B Dynamic policy control C Persistent protection D Continuous audit trail

D

Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider? A Redundant uplink grafts B The physical layout of the datacenter C Background checks for the provider's personnel D Use of subcontractors

D

Which of the following components is not associated with encryption deployments? A Encryption engine B The data C Encryption keys D Encryption algorithm

D

Which of the following data formats does SOAP (Simple object access protocol) support? A JSON (JavaScript Object Notation) B YAML (Yet Another Multicolumn Layout) C HTML (Hypertext Markup Language) D XML (eXtensible Markup Language)

D

Which of the following does a virtualization vendor use to allow host clusters to scale and manage computing resources without service disruption? A Resource scheduling B Resource optimization C Resource sharing D Distributed resource scheduling

D

Which of the following evaluates the risks and merits of various types of test scenarios? A Test scenario B Test plan C Comprehensive test scenario D Management

D

Which of the following guidelines covers eDiscovery? A ISO/IEC 27001 B ISO/IEC 27010 C ISO/IEC 27001 2013 D ISO/IEC 27050

D

Which of the following is a compute parameter of a cloud server? A Number of hypervisor B Amount of ROM C Number of host D Number of CPU

D

Which of the following is a technique used to attenuate risks to the cloud environment, resulting in loss or theft of a device used for remote access? A Dual control B Muddling C Safe harbor D Remote kill switch

D

Which of the following is a third-party entity that selects the best provider for each customer and monitors the services? A Cloud service developer B Cloud service business manager C Cloud service provider D Cloud service broker

D

Which of the following is an application virtualization? A Oracle virtual box B Parallel workstation C VMware workstation D Microsoft App-V

D

Which of the following is an ongoing process and implemented throughout the system life cycle to keep track of identified risks? A Risk assessment B Framing risk C Risk control D Risk monitoring

D

Which of the following is considered a physical control? A Doors B Ceilings C Carpets D Fences

D

Which of the following is not a feature of DAST? A Testing in runtime B User teams performing executable testing C "Black-box" testing D Binary inspection

D

Which of the following is not an example of a highly regulated environment? A Financial services B Healthcare C Public companies D Wholesale or distribution

D

Which of the following is not an example of an essential internal stakeholder? A IT director B CFO C HR director D IT analyst

D

Which of the following is not associated with security? A Integrity B Availability C Confidentiality D Quality

D

Which of the following is not one of the SDLC phases? A Design B Test C Define D Reject

D

Which of the following is not one of the three types of training? A Initial B Recurring C Refresher D Integral

D

Which of the following is part of the STRIDE model? A Redundancy B Resiliency C Rijndael D Repudiation

D

Which of the following is the best example of a key component of regulated PII? A Items that should be implemented B PCI DSS C Audit rights of subcontractors D Mandatory breach reporting

D

Which of the following is tier IV for data center design according to "Data Center Site Infrastructure Tier Standard: Topology"? A Concurrently maintainable site infrastructure B Redundant site infrastructure capacity components C Basic data center site infrastructure D Fault-tolerant site infrastructure

D

Which of the following laws relieves a victim suffering of a wrongful act of others and seeks to clear the compromised or diminished legal rights? A State B Privacy C Criminal D Tort

D

Which of the following logs is used for event investigation and documentation in a SaaS environment? A DNS server B Virtual machine manager C API access D Webserver

D

Which of the following open web application security threats occurs when a suspicious data in an application is sent to the web browser without proper validation? A Security Misconfiguration B Cross-Site Request Forgery C Injection D Cross-Site Scripting

D

Which of the following operation managements ensures the protection of the integrity of the live environment and presents the correct components to the customers? A Information security management B Problem management C Availability management D Release and deployment management

D

Which of the following phases of audit planning assures that operational and business changes internally have been captured as part of the audit plan? A Defining audit objective B Refining the audit process C Conducting audit D Defining audit scope

D

Which of the following protocols provides authentication for client/server application using secret-key cryptography? A Challenge handshake authentication protocol B Internet key exchange C Secure remote password D Kerberos

D

Which of the following publishes the most commonly used standards for data center tiers and topologies? A IDCA B BICSI C NFPA D Uptime Institute

D

Which of the following reports is no longer used? A SOC 3 B SOC 1 C SSAE 16 D SAS 70

D

Which of the following represents the amount of information that can be recovered and restored in the event of a disaster? A RTA (Recovery Time Actual) B RCO (Recovery Consistency Objective) C RTO (Recovery Time Objective) D RPO (Recovery Point Objective)

D

Which of the following services are accessible within SaaS cloud service model? A Virtualization B Networking C Middleware D Access control

D

Which of the following should be carried out first when seeking to perform a gap analysis? A Conduct information gathering. B Define scope and objectives. C Identify potential risks. D Obtain management support.

D

Which of the following testing is referred to as white-box testing and is used to determine the coding errors? A DAST (Dynamic application security testing) B RASP (Runtime application self-protection) C Penetration testing D SAST (Static application security testing)

D

Which of the following threats is a form of cache poisoning in which forged data is placed in the cache of the name server? A Data modification B Footprinting C Redirection D Spoofing

D

Which of the following types of storage do cloud infrastructure services use? A Structured B Unstructured C Content and file D Volume

D

Which penalty is imposed for privacy violations under the general data protection regulation (GDPR)? A Penalty up to 2% of gross income B Penalty up to 10 million Euros C Penalty up to 5% of gross income D Penalty up to 20 million Euros

D

Which phase of the software development life cycle includes writing application code? A Defining B Designing C Implementing D Developing

D

Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files? A Relational database B Block C Distributed D Object

D

Which process is conducted to ensure that policies are understood in the context of the risks introduced into an organization? A Risk retention B Risk avoidance C Risk mitigation D Risk analysis

D

Which program addresses that the U.S. does not have a regulatory framework in place that provides sufficient protection for personal data transferred from the EEA (European Economic Area)? A HIPAA B GLBA C Directive 95/46 EC D Safe Harbor

D

Which risk is controlled by implementing a private cloud? A Eavesdropping B Unauthorized access C Denial-of-service (DoS) D Physical security

D

Which security control does the software as a service (SaaS) model require as a shared responsibility of all parties involved? A Platform B Infrastructure C Data D Application

D

Which security strategy is associated with data rights management solutions? A Unrestricted replication B Limited documents type support C Static policy control D Continuous auditing

D

Which standard addresses practices related to acquisition of forensic artifacts and can be directly applied to a cloud environment? A NIST SP 500-291 B ISO/IEC 27001 C NIST SP 800-145 D ISO/IEC 27050-1

D

Which standard outlines domains which establish frameworks for risk assessment? A ISO\IEC 27018:2005 B ISO\IEC 27001:2005 C ISO\IEC 27001:2011 D ISO\IEC 27001:2013

D

Which standard outlines the steps to create an ISMS? A ISO\IEC 27018:2005 B ISO\IEC 27001:2005 C ISO\IEC 27001:2011 D ISO\IEC 27001:2013

D

Which technology allows a user to operate encrypted data without the need of decrypting it? A Data Anonymization B Bit Splitting C Secret Sharing Made Short D Homomorphic Encryption

D

Which technology an administrator to remotely manage a fleet of servers? A KVM switch B VPN concentrator C Bastion host D Management plane

D

Which technology makes the network control programmable and dynamically adjusts the flow of traffic when the pattern of network consumption changes? A Application-defined networking B Network function virtualization C Hardware-defined networking D Software-defined networking

D

Which term describes the action of confirming identity access to an information system? A Coordination B Concept C Access D Authentication

D

Which type of control should be used to implement custom controls that safeguard data? A Public and internal sharing B Options for access C Management plane D Application level

D

Which virtualization risk occurs when an OS on a VM outbursts to access a hypervisor? A Provider lock-in B Provider exit C Sprawl D Guest breakout

D

Who among the following is responsible for supervision, secure data storage, transport, and implementation of business rules? A Data stewards B Data controller C Data processor D Data custodians

D

Who among the following is responsible to validate that all the relevant laws and statutes pertaining to their investigation are documented before starting the investigation? A CSP B CSB C Cloud consumer D CCSP

D

Who bears the ultimate responsibility for creating and controlling data? A The Data Custodian B System Administrator C CSP D The Data Owner

D

You are a service provider who provides cloud-services and resources to a person using and subscribing them. There is an official commitment (i.e., service-level agreement) between the service provider and the user. Who verifies this official commitment? A Cloud computing reseller B Cloud backup service provider C Cloud customer D Cloud service auditor

D

What are the U.S. Commerce Department controls on technology exports known as? A EAL B DRM C ITAR D EAR

D - Export Administration Regulations

What are the U.S. State Department controls on technology exports known as? A EAR B EAL C DRM D ITAR

D - International Traffic in Arms Regulations

This is the amount of services that is required to be restored to meet the requirements of a BCDR plan: A RTO B RTL C RPO D RSL

D - Recovery Service Level

Which of the following is considered as white-box testing and analyzes application source code, byte code, and binaries for coding and design conditions that are revealing security vulnerabilities? A Penetration testing B RASP C DAST D SAST

D - SAST (static application security testing)

This plugin parses HTTP traffic and applies a set of rules before sending it to the application server. A WPA B WAP C WAS D WAF

D - WAF (Web Application Firewall)

Refers to the responsibility of the data owner which takes place in the Create phase and is assigned according to an overall organizational motif based on a specific characteristic of the given dataset.

Data classification

Describes the ease of moving information from one cloud provider to another or away from the cloud provider and back to a legacy enterprise environment.

Data portability

A legal activity that might result in a host machine being confiscated or inspected by law enforcement or plaintiffs' attorneys.

Data seizure

Provides some sort of structure for stored data; it is backend storage in the datacenter, accessed by users utilizing online apps.

Database

A database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs.

Database Activity Monitoring (DAM)

In essence, a managed database service.

Database as a Service (DBaaS)

Refers to a kind of data analysis which is an outgrowth of the possibilities offered by the regular use of the cloud, also known as "big data."

Datamining

Entails multiple differing security controls protecting the same assets with a variety of technological levels.

Defense in depth

Using strong magnets for scrambling data on magnetic media such as hard drive and tapes. Involves applying strong magnetic fields to the hardware and media where the data resides, effectively making them blank.

Degaussing

Isolates network elements such as email servers that, because they can be accessed from trustless networks, are exposed to external attacks.

Demilitarized Zone (DMZ)

Refers to any type of attack that could cause the application to be unavailable.

Denial of service

External attacker: Includes hardened devices, hypervisors, and virtual machines, with thorough configuration and change management protocols Social engineering: Uses training and incentive programs to identify personnel who resist the attempts and bring them to the attention of the security office Regulatory violation: Implements DRM solutions, hires knowledgeable, trained personnel with skillsets, and uses encryption, obfuscation, and masking Natural disaster: Ensures multiple redundancies for all systems and services for the datacenter Contractual failure: Considers full offsite backups, secured and kept by a customer, to protect against vendor lock-in/lock-out

Countermeasure methods that can be adopted to address each of the threats for each of the cloud models

Consider the following example: "An artist gives an art gallery permission to represent the art of some other artist but he is not allowed to reproduce his work." Which law is applied in the given example that restricts the artist? A Tort law B The doctrine of the proper law C Criminal law D Copyright and piracy law

D

Countermeasures for protecting cloud operations against internal threats include all of the following except: A Mandatory vacation B Separation of duties C Least privilege D Conflict of interest

D

Cryptographic keys should be secured ______________. A In vaults B By armed guards C With two-person integrity D To a level at least as high as the data they can decrypt

D

DLP to protect Data at Rest is installed: A Near the Network Perimeter B On the users' device C In the Application D On the system holding the data

D

DRM tools use a variety of methods for enforcement of intellectual property rights. These include all the following, except: A Media-present checks B Support-based licensing C Local agent enforcement D Dip switch validity

D

Devices in the cloud datacenter should be secure against attack. All the following are means of hardening devices, except: A Using a strong password policy B Removing default passwords C Strictly limiting physical access D Removing all admin accounts

D

For what purpose is a compensating control used in a cloud environment? A Providing extensive background checks and screening of initial controls B Allowing update of initial components without failure C Making initial controls resistant against any type of failure D Creating an additional layer of monitoring the initial control

D

For which of the following cloud environments is the client-side key management approach used? A XaaS B DaaS C PaaS D SaaS

D

How many phases are there in the data lifecycle? A 7 B 4 C 5 D 6

D

In SOC 2 Auditing, how many categories make up the security principle? A 1 B 3 C 5 D 7

D

In a cloud environment, encryption should be used for all the following, except: A Long-term storage of data B Near-term storage of virtualized images C Secure sessions/VPN D Profile formatting

D

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties? A Security control matrix B HIPAA C Statutes D The contract

D

In all cloud models, the customer will be given access and ability to modify which of the following? A Security controls B User permissions C OS D Data

D

In which cloud service model is the customer required to maintain and update only the applications? A SaaS B CaaS C IaaS D PaaS

D

In which of the following cloud deployment models does platform security come under enterprise responsibility? A PaaS B SaaS C NaaS D IaaS

D

In which situation could cloud clients find it impossible to recover or access their own data if their cloud provider goes bankrupt? A Vendor lock-in B Multitenant C Multicloud D Vendor lock-out

D

In which type of cloud-specific risk can a malicious user affect the entire cloud infrastructure? A Guest breakout B Law enforcement C Loss of governance D Management plane breach

D

Multifactor authentication requires two of the following except: A Something you know B Something you are C Something you have D Something you do

D

SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP? A Works over numerous protocols B Standards-based C Reliant on XML D Extremely fast

D

The ________________ is a term used to describe the processes associated with determining what legal jurisdiction will hear a dispute when one occurs. An example would be when multiple jurisdictions are involved and courts must decide where a case must be heard and decided.

Doctrine of the Proper Law

Reflects all the modifications to the environment in the asset inventory.

Documentation

Describes the organization's responses during the test and performs some minimal actions.

Dry run

The process of testing an application or software product in an operating state.

Dynamic Application Security Testing (DAST)

___________________ is considered a black-box test since the code is not revealed and the test must look for problems and vulnerabilities while the application is running. It is most effective when used against standard HTTP and other HTML web application interfaces.

Dynamic application security testing (DAST)

Kim works as a project manager in ABC Inc. His organization requires an application to launch its products. For this, Kim performs the following activities: -Discusses business requirements in terms of confidentiality, integrity, and availability -Determines, creates, and identifies information to transmit or store -Determines privacy requirements Which of the following phases of SDLC includes the activities performed by Kim? A Developing B Testing C Defining D Designing E Planning and requirements analysis

E

The "Data Center Site Infrastructure Tier Standard: Topology" document describes a four-tiered architecture for enterprises to rate their data center designs. What are the names of the four tiers?

Fault-Tolerant Site Infrastructure Redundant Site Infrastructure Capacity Components Basic Data Center Site Infrastructure Concurrently Maintainable Site Infrastructure

Sets up a baseline for the default Information Protection Policy. Adds an extra layer of access controls on top of the data object. Protects sensitive organization content.

Features of IRM

A National Institute of Standards and Technology (NIST) publication written to accredit and distinguish secure and well-architected cryptographic modules produced by private-sector vendors who seek to or are in the process of having their solutions and services certified for use in U.S. government departments and regulated industries that collect, store, transfer, or share data that is deemed to be sensitive but not classified as top secret.

Federal Information Processing Standard (FIPS) 140-2

Governs the country against kidnapping or bank robbery and the criminal would be subject to prosecution or punishment

Federal law

Governs the country against kidnapping or bank robbery and the criminal would be subject to prosecution or punishment.

Federal law

An arrangement that can be made among multiple enterprises allowing subscribers to use the same identification data to obtain access to the networks of all enterprises in the group.

Federated Identity Management (FIM)

A system that allows a single user authentication process across multiple information technology (IT) systems or even organizations. SSO is a subset of federated identity management (FIM), as it relates only to authentication and technical interoperability.

Federated Single Sign-On (SSO)

An association of organizations that facilitate the exchange of information and access to resources.

Federation

A tool which can be either hardware or software, or a combination of both, used to limit communications based on some criteria.

Firewall

This act allows banks to merge with and own insurance companies and keeps customer account information private and secure. With that customers are allowed to opt-out of any information-sharing arrangements the bank or insurer might engage in.

Graham-Leach-Bliley Act (GLBA) of 1999 backed by FDIC

An improperly designed or poorly configured hypervisor might allow for a user to leave the confines of their own virtualized instance.

Guest escape

Deployed on the local system

HIDS and HIPS

Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider (CSP) for processing without the requirement to decipher the data first.

Homomorphic Encryption

A developing technology that is intended to allow for processing of encrypted material without decrypting it first.

Homomorphic encryption

A tool used to detect, identify, isolate, and analyze attacks by attracting attackers.

Honeypot

Integrated arrangement of two or more cloud servers

Hybrid Cloud

A combination of public cloud storage and private cloud storage in which some critical data resides in the enterprise's private cloud whereas other data is stored and accessible from a public cloud storage provider.

Hybrid Cloud Storage

The possibility that processing performed on one virtualized instance may be detected by other instances on the same host.

Information bleed

An issue in which the customer's software may not function properly with each new adjustment in the environment if the OS is updated by the provider.

Interoperability issue

Takes defensive action when suspicious activity is recognized (such as closing ports and services), in addition to sending alerts.

Intrusion Prevention System (IPS)

Cooling Power Distribution Outside Power Supply Inside Power Supply

Items that should be redundant in a data center

The geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled.

Jurisdiction

Describes those items that will be the first things that let you know something is inappropriate.

Key risk indicator

Which of the following are the challenges associated with key management?

Key storage Access to the keys Backup and replication

Allows greater flexibility and each node of the cluster is independent of others

Loosely coupled cluster

Causes a wide variety of problems, including data loss, loss of control of devices, interruption of operations, and so forth.

Malware

According to whose perspective, auditability provides processes to review, assess, and report user and systems activities?

Management Stakeholder

The plane that controls the entire infrastructure. Because parts of it are exposed to customers independent of the network location, it is a prime resource to protect.

Management Plane

Used to collect all matching data elements for a certain purpose.

Metadata-based Discovery

Encryption Overwriting

Methods for the safe disposal of electronic records in Cloud Environments

The concept of sharing resources with other cloud customers simultaneously.

Multitenancy

Multiple customers using the same public cloud.

Multitenant

An approach to using many low-cost drives as a group to improve performance. Also provides a degree of redundancy that makes the chance of data loss remote.

Redundant Array of Independent Disks (RAID)

Ensures organizations are in compliance with the framework for which they're responsible

Regulator

These systems are controlled and maintained at the customer's site

Remote KMS Client-Side KMS

A policy that contains a description of how the data is actually archived, that is, what type of media it is stored on.

Retention format

Defines how long the data should be kept by an organization and is often expressed in a number of years.

Retention period

Determines if the risks are minimal and the reward is substantial before choosing to take the risks

Risk Acceptance

Refers to the level, amount, or type of risk that the organization finds acceptable.

Risk appetite

Defines as a response to the cost-benefit analysis when posed with a specific risk

Risk avoidance

Defines as a response to the cost-benefit analysis when posed with a specific risk.

Risk avoidance

Reduces risk to an acceptable level through the use of controls and countermeasures

Risk mitigation

Individuals in an organization who together determine the organization's overall risk profile.

Risk owner and player

Includes a survey of the various operations in which an organization is engaged in and public perception of the organization.

Risk profile

_________________ is the amount of risk that the leadership and stakeholders of an organization are willing to accept. It varies based on asset value and the requirements of a particular asset.

Risk tolerance

A way to handle risk associated with an activity without accepting all the risks.

Risk transference

Handles risk associated with an activity without accepting all risks

Risk transference

A __________ is a group of devices connected to the network that provide storage space to users. Typically, the storage apportioned to the user is mounted to that user's machine, like an empty drive. They mostly use iSCSI or Fibre Channel protocols.

SAN

An audit engagement consisting of an examination of organizational financial reporting controls. For a cloud customer trying to determine the suitability of a cloud provider, it is useless, because it doesn't tell us anything about data protection, configuration resiliency, or any other element the customer needs to know.

SOC 1

Audits the financial reporting instruments of a corporation and consists of two subclasses

SOC 1

Which type of audit report requires the details of the tests performed by the service auditor and is conducted according to the SSAE 16 (Statement on Standards for Attestation Engagement)?

SOC 1 & SOC 2

A type of report which is intended to report audits of controls on an organization's security, availability, processing integrity, and privacy.

SOC 2

________ reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy. This is the report of most use to cloud customers (to determine the suitability of cloud providers) and IT security practitioners.

SOC 2

Contains no actual data about the security controls of the audit target and is also known as the "seal of approval".

SOC 3

The ________ report, on the other hand, is purely for public consumption and serves only as a seal of approval of sorts for public display without sharing any specific information regarding audit activity, control effectiveness, findings, and so on.

SOC 3

Which Threat Model provides a standardized way of describing threats by their attributes?

STRIDE

Which two are threat models?

STRIDE DREAD

Derived from an acronym for the following six threat categories: spoofing identity, tampering with data, repudiation, information disclosure, denial of service (DoS), and elevation of privilege.

STRIDE Threat Model

S (Spoofing): Any impersonation such as IP or user spoofing T (Tampering): Attacks that make unauthorized modifications to actual data, affecting the integrity of information or communications. R (Repudiation): When the inability to deny one's action has been compromised I (Information Disclosure): Data leakage or an outright breach D (Denial of Service): Any attack that results in loss of availability to authorized entities. E (Escalation of Privilege): The ability to elevate a user account privilege above the authorized level

STRIDE acronym

-Includes everything listed in the previous two models, with the addition of software programs. -The cloud vendor is responsible for administering, patching, and updating this software as well -Some examples include: Google Docs, Microsoft's Office 365, QuickBooks Online, and Customer Relationship Manager (CRM) software

SaaS

The cloud provider maintains infrastructure's physical security and the cloud customer is responsible for access and administration.

SaaS

The provider is responsible for system maintenance and the customer supplies and processes data to and in the system.

SaaS

This act increases transparency into publicly traded corporations' financial activities and includes provisions for securing data.

Sarbanes-Oxley Act (SOX) of 2002 backed by SEC

The organization's computing needs won't remain static: there will be new (and hopefully more) users, customers, and data as the organization continually matures.

Scalability

A formal agreement between two or more organizations: one that provides a service and the other that is the recipient of the service. It may be a legal contract with incentives and penalties.

Service-Level Agreement (SLA)

A technique which uses different entries from within the same data set to represent the data.

Shuffling

Behooves the cloud provider to ensure that all communication lines are replicated on opposite sides of each building

Power line redundancy

Behooves the cloud provider to ensure that all communication lines are replicated on opposite sides of each building.

Power line redundancy

BC/DR backup plan in which the customer decides when normal operations will cease and the backup will be utilized as the operational network.

Private architecture, cloud service as backup:

A private cloud configuration is a legacy configuration of a datacenter, often with distributed computing and BYOD capabilities.

Private cloud

An internal network with remote access capabilities Threats: Malware, man-in-the-middle attacks, and social engineering

Private cloud

_______________ is a protocol specification providing for the exchange of structured information or data in web services. It also works over other protocols such as SMTP, FTP, and HTTP. Standards-based Reliant on XML Highly intolerant of errors Slower Built-in error handling

Simple Object Access Protocol (SOAP)

Usage and administration of cloud services ought to be transparent to cloud customers and users; from their perspective, a digital data service is paid for and can be used, with very little additional input other than what is necessary to perform their duties.

Simplicity

___________________ is a full application and distributed model that's managed and hosted by the provider. Consumers access it with a web browser, mobile app, or a lightweight client app. Includes everything listed in the previous Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) models, with the addition of software programs.

Software as a Service (SaaS)

A broad and developing concept addressing the management of the various network components. The objective is to provide a control plane to manage network traffic on a more abstract level than through direct management of network components.

Software-Defined Networking (SDN)

A _________ is a network file server with a drive or group of drives, portions of which are assigned to users on that network. The user will see a NAS as a file server and can share files to it. NAS commonly uses TCP/IP.

NAS

Often used in authorization with mobile apps, the _________ framework provides third-party applications limited access to HTTP services.

OAuth

Allows a significant level of description, including the marking, labels, classification and categorization; it also enhances the opportunity for indexing capabilities.

Object-based storage

Ensure knowledge transfer. Manage stakeholders. Ensure the integrity of release packages.

Objectives of release and deployment management

Leverages the Internet and cloud computing to create an attractive offsite storage solution with little hardware requirements for any business of any size.

Online Backup

A form of cloud storage that applies to storing an individual's data in the cloud and providing the individual with access to the data from anywhere.

Personal Cloud Storage

Any information relating to an identified or identifiable data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.

Personal Data

The ______________________ conforms to the EU Data Directive and Privacy Regulation. It provides guidelines which describe how businesses should manage the personal data in a commercial activity.

Personal Information Protection and Electronic Documents Act (PIPEDA)

The cloud provider is responsible for installing, maintaining, and administering the OS(s).

PaaS boundaries

Information that can be traced back to an individual user, such as name, postal address, or email address. Personal user preferences tracked by a website via a cookie are also considered personally identifiable when linked to other PII you provide online.

Personally Identifiable Information (PII)

Provides increased level of robustness among personnel resources who administer and support the IT components

Personnel redundancy

Provides increased level of robustness among personnel resources who administer and support the IT components.

Personnel redundancy

A malicious or negligent insider who can cause significant negative impact, as they have physical access to the resources.

Personnel threat

Includes whether the information will be shared with any other entity.

Purpose

____________________ abstracts and provides development or application platforms, such as databases, application platforms (e.g. a place to run Python, PHP, or other code), file storage and collaboration, or even proprietary application processing (such as machine learning, big data processing, or direct API access to features of a full SaaS application). The key differentiator is that, with PaaS, you don't manage the underlying servers, networks, or other infrastructure. It contains everything included in IaaS, with the addition of OSs. This model is especially useful for software development operations (DevOps).

Platform as a Service (PaaS)

Provide a voice and expression to the strategic goals and objectives of management.

Policies

Serves as the enforcement arm of authentication and authorization and is established based on business needs and senior management decisions.

Policy management

BC/DR Concept: The goal for recovery of operational capability after an interruption in service, measured in time.

RTO (Recovery Time Objective)

Engaging with the users and IT personnel who will be impacted. Extending risk management and enterprise risk management. Objectively selecting the appropriate service and provider.

Stakeholder identification challenges

Includes day-to-day basis laws such as speed limits, state tax laws, the criminal code, and so on, which are enacted by a state legislature as opposed to those enacted at the national or federal level.

State law

Includes speed limits laws, tax laws, and the criminal code laws

State law

Items of the evidence must be labeled with signatures and descriptions. Records the signatures of people performing the transportation of items. Records actions, process, test, and handling of an item with date and time.

Statements are true of chain of evidence

SAST testing is useful in finding such security problems as cross-site scripting (XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions, and backdoors. This type of test usually delivers more results and more accuracy than its counterpart dynamic application security testing (DAST).

Static Application Security Testing (SAST)

____________________ testing is useful in finding such security problems as cross-site scripting (XSS) errors, SQL injection vulnerabilities, buffer overflows, unhandled error conditions, and backdoors. This type of test usually delivers more results and more accuracy than its counterpart dynamic application security testing (DAST).

Static application security testing (SAST)

A methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities. Allows them to plan a roadmap to meet the security needs of their business.

TCI Reference Architecture

___________________ is the practice of viewing the application from the perspective of a potential attacker. Realistically, it involves more than just causing a breach or gaining access (the "penetration")

Threat modeling

To ensure that the service quality and availability are maintained. To minimize the adverse impact on business operations. To restore normal service operation as quickly as possible.

Three purposes of incident management

When using a PaaS solution, what is the capability provided to the customer?

To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.

Tokenization

Compensates victims for injuries suffered by the culpable action or inaction of others. It justifies legal rights and interests that have been compromised, diminished, or emasculated. Discourages injurious, careless, and risky behavior in the future.

Tort Law

Refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed by others.

Tort law

_________________ refers to the body of rights, obligations, and remedies that set out reliefs for persons who have been harmed by others and seeks to provide for the compensation of victims that suffered at the hand of others by shifting their costs to the person who caused them.

Tort law

Protects the esteem and goodwill that an organization has built among the marketplace, especially in public perception.

Trademark

Encrypts only a part of a hard drive instead of the entire disk.

Volume encryption

Allocates a storage space within the cloud and this storage space is represented as an attached drive to the user's virtual machine.

Volume storage

-All guest accounts are removed -No default passwords remain -Systems are patched, maintained, and updated according to vendor guidance -All unused ports are closed -Physical access is severely limited and controlled

Ways for securing devices in the datacenter

Third-party e-discovery Hosted e-discovery SaaS-based e-discovery

Ways to conduct e-discovery investigations in cloud environments

Removing unnecessary services and libraries Closing unused ports Installing antimalware agents Limiting administrator access Ensuring event logging is enabled

Ways to harden Operating Systems

An appliance, server plug-in, or filter that applies a set of rules to a hypertext transfer protocol (HTTP) conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injections.

Web Application Firewall (WAF)

KPIs Business Processes Events

What business QoS focuses on measuring

The____________ is a general-purpose map of the network and systems, based on the required functionality as well as security

baseline

The ___________ describes in detail exactly what both parties' responsibilities are, what services are being contracted, and what provisions are in place for the safety, security, integrity, and availability of those same services.

contract

The ______________ is any organization or person who manipulates, stores, or moves the data on behalf of the data owner.

data custodian

To create an accurate frame of reference, a ____________ is conducted, which is a lightweight audit where generally findings of weaknesses or vulnerabilities, but the purpose is to identify those weaknesses so they can be remediated prior to any further actual audit work.

gap analysis

Ensuring the use of data and information complies with organizational policies, standards, and strategy — including regulatory, contractual, and business objectives.

information/data governance

Cloud computing magnifies the likelihood and impact of two existing risks: __________ and ____________.

internal personnel; remote access

Automations can be used to monitor the baselines and remediation of servers. A True B False

A

Data labels could include all the following, except: A Date data was created B Data owner C Data value D Date of scheduled destruction

C

A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm. Who is the CSP legally required to notify? A Information commissioner B Australian privacy foundation C Asian-Pacific privacy control board D Cloud Security Alliance

A

A portable storage is vulnerable to which threat? A Accidental loss B Cross-site scripting C Distributed denial-of-service D Denial-of-service

A

A system capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network is known as: A HIDS B SIDS C IPSec D NIDS

A

According to GDPR Policy, breaches must be reported within 72 hours of the company becoming aware of the incident. A True B False

A

Adhering to ASHRAE standards for humidity can reduce the possibility of ________. A Static discharge B Breach C Inversion D Theft

A

All of the following are components of DLP except: A Labeling B Monitoring C Enforcement D Discovery and Classification

A

All of the following are part of a Federated Identity System except: A Relaying Party B User C Identity Provider D Relying Party

A

All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except: A Use DRM and DLP solutions widely throughout the cloud operation B Avoid proprietary data formats C Ensure favorable contract terms to support portability D Ensure there are no physical limitations to moving

A

All of the following should be included in the audit scope definition except: A Audit Duplication B Audit Steps C Change Controls D Communications

A

All the following are data analytics modes, except: A Refractory iterations B Real-time analytics C Datamining D Agile business intelligence

A

An insecure API could potentially put entire data sets at risk for loss or exposure. A True B False

A

Attackers prefer Type 2 hypervisors because of the larger surface area. A True B False

A

Multi-tenant setup shared between organizations that belong to a specific group

Community Cloud

In a community cloud configuration, resources are shared and dispersed among an affinity group.

Community cloud

The opposite of avoidance; the risk falls within the organization's risk appetite, so the organization continues operations without any additional efforts regarding the risk.

Acceptance

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.

Anonymization

A form of virtual desktop infrastructure (VDI) that a third party outsources and handles.

Desktop as a Service (DaaS)

XaaS refers to the growing diversity of services available over the Internet via cloud computing as opposed to being provided locally, or on-premises.

Anything as a Service (XaaS)

An open source cloud computing and infrastructure as a service (IaaS) platform developed to help IaaS make creating, deploying, and managing cloud services easier by providing a complete stack of features and components for cloud environments.

Apache CloudStack

A subset of the organizational normative framework (ONF) that contains only the information required for a specific business application to reach the targeted level of trust.

Application Normative Framework (ANF)

A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool.

Application Programming Interfaces (APIs)

Software technology that encapsulates application software from the underlying operating system (OS) on which it is executed.

Application Virtualization

A user decides they need extra time to work on a project. They install a modem in their system to dial in and work from home. This is an example of what kind of threat? A Account hijacker B Insider C Modem D Advanced Persistent Threats

B

The granting of right of access to a user, program, or process.

Authorization

Eliminating the risk that is simply too high and cannot be compensated for with adequate control mechanism--a risk that exceeds the organization's appetite.

Avoidance

A CSP provides services in European Union (EU) countries that are subject to the network information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided. Who is the CSP required to notify under the NIS directive? A Data protection regulator B Competent authorities C Personal Information Protection Commission D Provider's services suppliers

B

A UPS should have enough power to last how long? A One day B Long enough for graceful shutdown C 12 hours D 10 minutes

B

A WAF typically parses which type of traffic? A XML B HTTP C REST D SOAP

B

A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident. Which action facilitates this type of communication? A Incorporating checks on API calls B Using existing open standards C Identifying key risk indicators (KRIs) D Performing a vulnerability assessment

B

A company has recently defined classification levels for its data. During which phase of the cloud data life cycle should this definition occur? A Use B Create C Share D Archive

B

A data center should always be geographically located in the same place as their headquarters for quick and easy access. A True B False

B

A honeypot should contain _________ data. A Sensitive B Useless C Production D Raw

B

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following? A Strict adherence to applicable regulations B Joint operating agreements C Generators D UPS

B

_______ drive security decisions. A Public opinion B Business requirements C Surveys D Customer service responses

B

What is a cloud storage architecture that manages the data in caches of copied content close to locations of high demand? A Object-based storage B CDN C Database D File-based storage

B - Cloud Data Network

Which of the following is a specification constructed for making the management of applications easy in terms of a PaaS (Platform as a Service) system? A Vertical cloud computing B CAMP C Cloud provisioning D Cloud server hosting

B - Cloud application management for platforms

A Type 1 Hypervisor resides on the Host Device i.e. VM Workstation. A True B False

B - False. A Type 1 Hypervisor typically resides on the Server side, i.e. ESX.

Which of the following allows for agentless retrieval of the guest OS state, and is used for malware analysis, memory forensics, and process monitoring? A Firewall B VMI C SIEM D Honeypot

B - VMI (Virtual Machine Introspection)

A firewall can use all of the following techniques for controlling traffic except: A Behavior analysis B Rule sets C Randomization D Content filtering

C

A generator transfer switch should bring backup power online within what time frame? A 10 seconds B Before the recovery point objective is reached C Before the UPS duration is exceeded D Three days

C

All of the following methods can be used to attenuate the harm caused by escalation of privilege except: A Extensive access control and authentication tools and techniques B The use of automated analysis tools such as SIM, SIEM, and SEM solutions C Periodic and effective use of cryptographic sanitization tools D Analysis and review of all log data by trained, skilled personnel on a frequent basis

C

All policies within the organization should include a section that includes all of the following, except: A Policy review B Policy enforcement C Policy adjudication D Policy maintenance

C

An attacker establishes themselves on a system in such a way to enable the stealing of data over time. What kind of attack is this? A Data Breach B Malicious Insider C Advanced Persistent Threats D Account Hijacking

C

Best practices for key management include all of the following, except: A Maintain key security B Pass keys out of band C Ensure multifactor authentication D Have key recovery processes

C

Countermeasures for protecting cloud operations against internal threats include all of the following except: A Extensive and comprehensive training programs, including initial, recurring, and refresher sessions B Aggressive background checks C Hardened perimeter devices D Skills and knowledge testing

C

Helps to review and analyze change and exception requests.

CMB meeting

Which of the following cloud deployment models may exist on or off premises?

Community Private Hybrid

Biometric data Telephone or Internet data Sensitive data

Categories of the personal data that can be processed

1 The identity of persons who handle evidence between the time of commission of the alleged offense and the ultimate disposition of the case. It is the responsibility of each transferee to ensure that the items are accounted for during the time they are in his possession, that they are properly protected, and that there is a record of the names of the persons from whom he received the items and to whom he delivered those items, together with the time and date of such receipt and delivery. 2 The control over evidence. Lack of control over evidence can lead to its being discredited completely. Chain of custody depends on being able to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence so that it cannot in any way be changed and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.

Chain of Custody

Refers to a documentation that records all evidences need to be tracked and monitored from the time they are recognized as evidence and acquired for that purpose.

Chain of custody

The Brewer-Nash model, also known as the _____________________, seeks to ensure that mask the nature and details of a customer's business from the administrators. This 1989 document distinguishes access and permissions of administrators based on policy.

Chinese Wall model

Deals with personal and community-based law such as marriage and divorce as opposed to a military law

Civil law

Which components must the CCSP review to ensure that the distributed IT model does not leave a negative impact on organizations?

Clear communications Coordination and management of activities Governance of processes and activities Security reporting

A third-party entity offering independent identity and access management (IAM) services to CSPs and cloud customers, often as an intermediary.

Cloud Access Security Broker (CASB)

Offers independent identity and access management (IAM) services to CSPs and cloud customers

Cloud Access Security Broker (CASB)

This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party).

Cloud Administrator

Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet.

Cloud App (Cloud Application)

Typically responsible for adapting, porting, or deploying an application to a target cloud environment.

Cloud Application Architect

A specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms.

Cloud Application Management for Platforms (CAMP)

Assessing Risk Monitoring Risk Responding to Risk Framing Risk

Components of the risk-management process

The compute parameters of a cloud server are the number of central processing units (CPUs) and the amount of random access memory (RAM).

Compute

___________ abstracts the running of code (including operating systems) from the underlying hardware and most commonly refers to virtual machines.

Compute virtualization

Because PaaS implementations are so often used for software development, what is one of the vulnerabilities that should always be kept in mind? A DoS/DDoS B Malware C Loss/theft of portable devices D Backdoors

D

__________ usually concerns modifications to a known set of parameters regarding each element of the network, including what settings each has, how the controls are implemented, and so forth.

Configuration management

Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions.

Control

A service where data is replicated across the global Internet. A form of data caching, usually near geophysical locations of high use demand, for copies of data commonly requested by users.

Content Delivery Network (CDN)

Acts as a form of data caching, usually near geophysical locations of high use demand, improves bandwidth and provides quality

Content Delivery Network (CDN)

Used to locate and identify specific kinds of data by delving into the datasets.

Content-based Discovery

What is the difference between contractual and regulated PII?

Contractual PII Exposure can lead to specified penalties or breach of contract. Regulated PII Exposure can lead to fines and criminal charges.

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except: A Obfuscation B Masking C Anonymization D Data discovery

D

All of the following regions have at least one country with an overarching, federal privacy law protecting personal data of its citizens, except: A South America B Europe C Asia D The United States

D

All of these are features of cloud computing except: A Rapid scaling B On-demand self-service C Broad network access D Reversed charging configuration

D

Among the following, whose responsibility is to organize the deployment and designing of an application in the cloud environment? A Cloud service manager B Cloud developer C Cloud operator D Cloud architect

D

An architect needs to constrain problems to a level that can be controlled when the problem exceeds the capabilities of disaster recovery (DR) controls. Which aspect of the plan will provide this guarantee? A Ensuring data backups B Evaluating portability alternatives C Managing plane controls D Handling provider outages

D

Benefits for addressing BC/DR offered by cloud operations include all of the following except: A Distributed, remote processing, and storage of data B Fast replication C Regular backups offered by cloud providers D Metered service

D

Involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes

Criminal law

Involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes.

Criminal law

Denotes those aspects of the organization without which the organization could not operate or exist. These could include tangible assets, intangible assets, specific business processes, data pathways, or even key personnel.

Criticality

An organization will conduct a risk assessment to evaluate which of the following? A Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the total risk B Threats to its assets, vulnerabilities not present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk C Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on another organization, and the residual risk D Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk when appropriate controls are properly applied to lessen the vulnerability

D

As part of ITIL, what kind of ticket is created to make a change? A RFCM B CM C RCM D RFC

D

The process of deliberately destroying the encryption keys that were used to encrypt the data originally. Involves encrypting the data with a strong encryption engine, and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys.

Crypto-Shredding

A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken? A The tokenization server returns the token to the application. B The tokenization server generates the token. C The application collects a token. D The application stores the token.

D

A data custodian is responsible for which of the following? A Data context B Data content C Logging access and alerts D The safe custody, transport, storage of the data, and implementation of business rules

D

A poorly negotiated cloud service contract could result in all the following detrimental effects except: A Unfavorable terms B Lack of necessary services C Vendor lock-in D Malware

D

A standard base of technologies and policies across different organizations is called: A Regulations B Standards C Forests D Federation

D

APIs are defined as which of the following? A A set of routines and tools for building software applications to access web-based software applications B A set of protocols, and tools for building software applications to access a web-based software application or tool C A set of standards for building software applications to access a web-based software application or tool D A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool

D

Creates new data feeds from sets of data already existing within the environment.

Data analytics Discovery

A powerful tool to regularly review, inventory, and inspect usage and condition of the information that an organization owns.

Data audit

What input entities does the secondary set include for data classification with regard to P&DP?

Data breach constraints Data retention constraints Data location allowed

Manipulates, stores, or moves the data, and serves as a cloud provider.

Data Custodian

Auditing and preventing unauthorized data exfiltration.

Data Loss Prevention (DLP)

A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.

Data Masking

Collects or creates the data, and possesses the rights and the responsibilities of the data.

Data Owner

Removes or reduces the authority and execution of security controls in the environment.

Deployment model

Focuses on security and encryption to prevent unauthorized copying, thus limiting distribution to only those who pay.

Digital Rights Management (DRM)

A standard and model developed in Europe, which is responsible for producing cloud computing benefits, risks, and recommendations for information security

ENISA (European Union Agency for Network and Information Security)

Entails a procedure that involves multiple people, each with access to only a portion of the key.

Key recovery

This is the flexibility of allocating resources as needed for immediate usage, instead of purchasing resources according to other variables.

Elasticity

____________ refers to the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes. Determining which data in a set is pertinent can be difficult. Regardless of whether it is databases, records, email, or just simple files.

Electronic discovery (eDiscovery)

Which of the following statements are true of software-defined networking?

Enables a user to execute the control plane software on general-purpose hardware Allows for network control to become directly programmable and distinct from forwarding Provides a clearly defined and separate network control plane to manage network traffic

An overt secret writing technique that uses a bidirectional algorithm in which humanly readable information (referred to as plaintext) is converted into humanly unintelligible information (referred to as ciphertext). Offers a degree of assurance that nobody without authorization will be able to access your data in a meaningful way.

Encryption

A special mathematical code that allows encryption hardware and software to encode and then decipher an encrypted message.

Encryption Key

Software that a business uses to assist in solving problems.

Enterprise Application

-Security Governance, Risk and Compliance (GRC) and data security comes under enterprise responsibility. -Physical security and infrastructure security comes under cloud provider responsibility.

Enterprise Responsibility Vs Cloud Provider Responsibility

The set of processes and structures to systematically manage all risks to the enterprise.

Enterprise Risk Management

Refers to the ability of any user to gain permissions above their authorized level.

Escalation of privilege

Broad network access. On-demand self-service.

Essential characteristics of cloud computing

An open source cloud computing and infrastructure as a service (IaaS) platform for enabling AWS-compatible private and hybrid clouds.

Eucalyptus

A standard and model developed in Europe, which is responsible for producing cloud computing benefits, risks, and recommendations for information security.

European Union Agency for Network and Information Security (ENISA)

STRIDE DREAD

Examples of threat modeling

A type of risk that includes malware, hacking, DoS/DDoS, man-in-the-middle attacks, and so on.

External threat

This act prevents academic institutions from sharing student data with anyone other than parents of students.

Family Educational Rights and Privacy Act (FERPA) of 1974 backed by Department of Education

ENISA (European Network and Information Security Agency) NIST (National Institute of Standards and Technology) ISO 31000:2009

Frameworks that are associated with risk

This act protects patient records and data, known as electronically protected health information (ePHI).

Health Insurance Portability and Accountability Act (HIPAA) of 1996 backed by DHHS

A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protection of log files, and more.

Hardware Security Module (HSM)

An international standard that focuses on designing, implementing, and reviewing risk management processes and practices

ISO 31000:2009

____________ specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

ISO/IEC 27001

Represents an overview of application security. It introduces definitions, concepts, principles, and processes involved in application security.

ISO/IEC 27034-1

Business Context Regulatory Context Technical Context Specifications Roles, Responsibilities, and Qualifications Processes Application Security Control (ASC) Library

ISO/IEC 27034-1 standard categories

Guide for collecting, identifying, and preserving electronic evidence

ISO/IEC 27037:2012

Guide for incident investigations

ISO/IEC 27041:2015

Guide for digital evidence analysis

ISO/IEC 27042: 2015

Incident investigation principles and processes

ISO/IEC 27043:2015

Overview and principles for eDiscovery

ISO/IEC 27050-1:2016

-Allows the customer to install all software, including operating systems (OSs) on hardware housed and connected by the cloud vendor.

IaaS

The cloud provider is responsible for physical security of the facility and systems.

IaaS

The provider is responsible for connectivity and power and the customer is in charge for installation of software.

IaaS

The cloud provider creates and administers the hardware assets on which the customer's programs and data will ride.

IaaS boundaries

Responsible for (a) providing identifiers for users looking to interact with a system, (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider. This can be achieved via an authentication module that verifies a security token that can be accepted as an alternative to repeatedly and explicitly authenticating a user within a security realm.

Identity Provider

The security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

Identity and Access Management (IAM)

The directory services for the administration of user accounts and their associated attributes.

Identity repositories

A model that provides a complete infrastructure (servers and internetworking devices) and allows companies to install software on provisioned servers and control the configurations of all devices. Allows the customer to install all software, including operating systems (OSs) on hardware housed and connected by the cloud vendor.

Infrastructure as a Service (IaaS)

Allows an individual to correct any of their own information if it is inaccurate.

Integrity

The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.

Key Management

Used when the discovery effort is considered in response to a mandate with a specific purpose

Label-based Discovery

The practice of having multiple overlapping means of securing the environment with a variety of methods.

Layered defenses

BC/DR Concept: How long it would take for an interruption in service to kill an organization, measured in time. For instance, if a company would fail because it had to halt operations for a week.

MAD (Maximum Allowable Downtime)

A weak form of confidentiality assurance that replaces the original information with asterisks or Xs. A technique that hides the data with useless characters, e.g., showing only the last four digits of a social security number.

Masking

The measure of the average time between failures of a specific component or part of a system.

Mean time between failure (MTBF)

The measure of the average time it should take to repair a failed component or part of a system.

Mean time to repair (MTTR)

______________________ meters what is provided, to ensure that consumers only use what they are allotted, and, if necessary, to charge them for it. This is where the term utility computing comes from, since computing resources can now be consumed like water and electricity, with the client only paying for what they use.

Measured service

A process of taking steps to decrease the likelihood or the impact of the risk--this can take the form of controls/countermeasures and is usually where security practitioners are involved.

Mitigation

A form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.

Mobile Cloud Storage

A method of computer access control that a user can pass by successfully presenting authentication factors from two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification).

Multifactor Authentication

A guide for implementing the risk management framework, which is a methodology for handling all organizational risk in a comprehensive manner

NIST SP 800-37

A guide for implementing the risk management framework, which is a methodology for handling all organizational risks in a comprehensive manner.

NIST SP 800-37

______________ talks about personally identifiable information (PII) as a name, date of birth, and Social Security number. HIPAA calls this type of data "electronic protected health information" (ePHI), and it also includes any patient information, including medical records, and facial photos. GLBA includes customer account information such as account numbers and balances.

NIST Special Publication (SP) 800-122

A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.

National Institute of Standards and Technology (NIST) SP 800-53

Helps to check not only the hardware and the software but the distribution facets such as SDN control planes.

Network monitoring

The assurance that a specific author actually did create and send a specific item to a specific recipient and that it was successfully received. With assurance of nonrepudiation, the sender of the message cannot later credibly deny having sent the message, nor can the recipient credibly claim not to have received it.

Nonrepudiation

Informs an individual that personal information about them is being gathered or created.

Notice

Used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters.

OS logging

The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable.

Obfuscation

Additional metadata, such as content type, redundancy required, and creation date, that is stored for a file. These objects are accessible through application programming interfaces (APIs) and potentially through a web user interface (UI). Stores all data in a filesystem and also gives access to the customers to the parts of the hierarchy to which they are assigned.

Object Storage

Stores all the data on file system and also gives access to the customers to the parts of hierarchy to which they are assigned

Object storage

This is an interoperable authentication protocol based on the OAuth 2 specification. It allows developers to authenticate their users across websites and applications without having to manage usernames and passwords.

OpenID Connect

A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization.

Organizational Normative Framework (ONF)

Used by organizations to enable their information technology (IT) infrastructures to become more capable of quickly adapting to continually evolving business needs and requirements.

Private Cloud Project

-Contains everything included in IaaS, with the addition of OSs. -The vendor is responsible for patching, administering, and updating the OS as necessary, and the customer can install any software they deem useful. -This model is especially useful for software development operations (DevOps) -Some examples include systems already loaded with a hardened operating system such as Windows Server or Linux.

PaaS

The cloud provider maintains physical security control of the facility and the cloud customer provides all other security.

PaaS

The provider is responsible for updates and administration of the OS and the customer monitors and reviews software events.

PaaS

A form of cloud storage in which the enterprise data and cloud storage resources reside within the enterprise's data center and behind the firewall.

Private Cloud Storage

Owned by a single organization and is implemented on a cloud-based secure environment protected by a firewall

Private Cloud

Delivers cloud services over a network that is open for free usage

Public Cloud

A form of cloud storage in which the enterprise and storage service provider are separate and the data is stored outside the enterprise's data center.

Public Cloud Storage

Includes a company that relies on a third-party for services Threats: Rogue administrator, escalation of privilege, and contractual failure

Public cloud

The capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, synchronous optical networking (SONET), and Internet protocol (IP)-routed networks that may use any or all of these underlying technologies.

Quality of Service (QoS)

BC/DR Concept: The goal of limiting the loss of data from an unplanned event. Confusingly, this is often measured in time. For instance, if an organization is doing full backups every day and is affected by some sort of disaster, that organization's BC/DR plan might include a goal of resuming critical operations at an alternate operating site with the last full backup, and the time needed would be 24hrs

RPO (Recovery Point Objective)

A technique which allows the replacement of the data with random characters, leaving the other traits intact such as length of the string and character set.

Randomization

Complexity of fixes Project delays

Reasons Security Scanning should be performed throughout the development process

A data structure or collection of information that must be retained by an organization for legal, regulatory, or business reasons.

Record

A method for analyzing risk in software systems.

Security Information and Event Management (SIEM)

A solicitation, often made through a bidding process by a company, looking to secure goods or services from an external vendor.

Request for Proposal

Allows data to be recovered in a more efficient manner because if one of the drives fails, the missing data can be filled in by the other drives

Resiliency

Programs and instances run by the customer that will operate on the same devices used by other customers, sometimes simultaneously.

Resource sharing

The _______ is the list of defined, specific, numerical metrics that will be used to determine whether the provider is sufficiently meeting the contract terms during each period of performance.

SLA

Which contractual components include a clear understanding of the permissible forms of data processing, transmission, and storage, along with any limitations or nonpermitted uses?

Scope of processing Use of subcontractors

Which of the following are contractual components that the CCSP should review and understand fully when contracting with a CSP?

Scope of processing Use of subcontractors

Refers to including only departments or business units impacted by any cloud engagement.

Scoping

__________refers to include only departments or business units impacted by any cloud engagement.

Scoping

Reduces the likelihood of data leaking between computers that are connected through the KVM.

Secure data port

Encrypts data transmission between servers

Secure sockets layer

A framework to enable cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.

Security Alliance's Cloud Controls Matrix

A version of the SAML standard for exchanging authentication and authorization data between security domains.

Security Assertion Markup Language (SAML)

Entails multiple differing security controls protecting the same assets with a variety of technological levels

Security redundancy

The Cloud Security Alliance ______________ program is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative. (Provides an independent level of program assurance for cloud consumers and offers a central repository for providers to publicly release these documents.

Security, Trust, and Assurance Registry (STAR)

Helps the customer to seek financial restitution for damages caused to them, that occurred because of negligence or malfeasance on the part of the provider.

Shared policy

In a federated system, which two components serve as its core?

The IdP (Identifying Party) and The Relying Party

What are the virtualization components governed by the management plane?

Storage Network Compute

The collection of multiple distributed and connected resources responsible for storing and managing data online in the cloud.

Storage Cloud

Reduces the likelihood of unauthorized users gaining access and restricts authorized users to permitted activities.

Strong authentication

Data storage types that PaaS utilizes

Structured and Unstructured

Describes how the participants would perform their tasks in a given BC/DR scenario.

Tabletop testing

Level One: Self-Assessment: Requires the release and publication of due diligence assessments against the CSA's Consensus Assessment Initiative Questionnaire and/or Cloud Matrix (CCM) Level Two: CSA STAR Attestation: Requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM and ISO 27001:2013 or an AICPA SOC 2 Level Three: CSA STAR Continuous Monitoring: Requires the release and publication of results related to the security properties of monitoring based on the CloudTrust Protocol

The 3 Levels of CSA Security, Trust, and Assurance Registry (STAR)

This act grants copyright provisions to protect owned data in an Internet-enabled world and enables copyright holders to require any site on the Internet to remove content that may belong to the copyright holder.

The Digital Millennium Copyright Act (DMCA) of 1998 enacted by Bill Clinton

This act often referred to as the Wiretap Act, prohibits the intentional actual or attempted interception, use, disclosure, or "procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication."

The Electronic Communication Privacy Act (ECPA) of 1986 backed by US Congress

Title II of the Electronic Communications Privacy Act of 1986, this act restricts the government from forcing ISPs to disclose customer data the ISP might possess.

The Stored Communications Act (SCA) of 1986 backed by US Congress

While STRIDE is widely used in the software development community, other models exist as well. ______________ (and its associated tool) is an open source alternative offered by Octotrike and cited by OWASP

The Trike model

A cloud provider who manages the administration of a user's system and who is not under the user's control.

Third-party admin

The organization pays someone else to accept the risk, at a lower cost than the potential impact that would result from the risk being realized; this is usually in the form of INSURANCE.

Transferance

A risk management strategy that involves the contractual shifting of a risk from one organization to another.

Transference

Ensures the privacy of communication between applications.

Transport Layer Security (TLS)

Hypervisor _________ also called bare-metal or hardware hypervisor, resides directly on the host machine, often as bootable software.

Type 1

Hypervisor _________ is a software hypervisor, and it runs on top of the OS that runs on a host device.

Type 2

____________ are applied to existing systems and components, whereas upgrades are the replacement of older elements for new ones.

Updates

______________ is an advisory organization for matters related to IT service.

Uptime Institute

Highlights where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or nontechnical constraints. Occurs in a situation where a customer may be unable to leave, migrate, or transfer to an alternate provider due to technical or non-technical constraints.

Vendor Lock-In

_________________ can be caused when the cloud provider goes out of business, is acquired by another interest, or ceases operation for any reason. In these circumstances, the concern is whether the customer can still readily access and recover their data.

Vendor lock-out

The optimization of cloud computing and cloud services for a particular vertical (such as a specific industry) or specific-use application.

Vertical Cloud Computing

A VMI helps to mitigate risk and ensure that a virtual machine's (VM's) security baseline is not modified over time. It provides an agentless method to examine all aspects of a VM from its physical location and its network settings to the installed operating systems (OSs), patches, applications, and services being used.

Virtual Machine Introspection (VMI)

Creates a secure tunnel across untrusted networks that can aid in obviating man-in-the-middle attacks such as eavesdropping.

Virtual private network

A process of creating a virtual version of something, including virtual computer hardware platforms, operating systems, storage devices, and computer network resources.

Virtualization

Which of the following technologies does cloud computing use through a management interface?

Virtualization Automation Federated identity management

Enable cloud computing to become a real and scalable service offering due to the savings, sharing, and allocation of resources across multiple tenants and environments.

Virtualization Technologies

This uses the term realms in explaining its capabilities to allow organizations to trust each other's identity information across organizations.

WS-Federation

Encrypts all of the system's data at rest in one instance

Whole-instance encryption

In the _______________of the Cloud SDLC, we are focused on identifying the business needs of the application, such as accounting, database, or customer relationship management.

definition phase

In the ____________ of the Cloud SDLC, we begin to develop user stories (what the user will want to accomplish and how to go about it), what the interface will look like, and whether it will require the use or development of any APIs.

design phase

The _______________ of the Cloud SDLC is where the code is written. The code takes into account the previously established definition and design parameters.

development phase

e-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence. Refers to the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes.

e-Discovery

To avoid lock-in, the organization has to think in terms of _____________ when considering migration. We use the term to describe the level of ease or difficulty when transferring data out of a provider's datacenter.

portability


Ensembles d'études connexes

Chapter Ten Economic Development and Change p.314-329

View Set

Identifying lines and themes Romantic poetry

View Set

CST4401 - Java All Quiz Questions

View Set

Care of Nasogastric (Decompression) Tubes

View Set