CCSP
Which of the following is considered an administrative control?
Access control process
Which technology improves the ability of the transport layer security (TLS) to ensure privacy when communicating between applications?
Advanced application-specific integrated circuits (ASICs)
What is the relying party?
Any member of the federation that shares resources based on authenticated identities
Which of the following should be redundant in a data center?
Anything that the data center relies on should be redundant
Which data retention policy controls how long health insurance portability and accountability act (HIPAA) data can be archived?
Applicable regulations
Which security control does the software as a service (SaaS) model require as a shared responsibility of all parties involved?
Application
Which cloud computing technology unlocks business value through digital and physical access to maps?
Application Programming Interface
Which type of control should be used to implement custom controls that safeguard data?
Application level
Which message type is generated from software systems to troubleshoot and identify problems with running application codes?
Debug
The most secure method of data disposal:
Degaussing
In 1939, the American Institute of Certified Professional Accountants (AICPA) established a committee to develop accounting standards and reports for the private sector. This committee developed ______ for use by accounting professionals.
GAAP
A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm. Who is the CSP legally required to notify?
Information Commissioner
Among the following, which involves a top-down approach for addressing and managing risk in an organization during the audit process?
Information security management system
All of these are reasons because of which an organization may want to consider cloud migration, except: -Reduced personnel costs -Elimination of risks -Reduced operational expenses -Increased efficiency
Elimination of risks
When setting up resource sharing within a host cluster, which option would you choose to mediate resource contention?
Shares
Data Discovery Method: What is the *Content-based* method used for?
Used to locate and identify specific kinds of data by delving into the datasets
Data Discovery Method: What is the *Label-based* method used for?
Used when the discovery effort is considered in response to a mandate with a specific purpose
T/F. Applications with known vulnerabilities cannot be mitigated and should never be used
False
T/F. Encryption ensures integrity of Data.
False
T/F. RPO and RSL are used to establish when services and data are *completely* restored.
False
Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?
Format-preserving encryption
Which of the following things should an organization know to handle risks?
-A determination of critical path and process -An inventory of all assets -A valuation of each asset -A clear understanding of risk appetite
Which of the following are the features of IRM?
-Adds an extra layer of access controls on top of the data -Sets up a baseline for the default Information Protection Policy -Protects sensitive organization content
What metrics are examples of quality of service (QoS) issues?
-Availability -Outage duration -Capacity metrics -Performance metrics -Storage device metrics -Server capacity metrics -Instance startup time metric -Response time metric -Completion time metric -Mean time to switchover -Storage capability
The "Data Center Site Infrastructure Tier Standard: Topology" document describes a four-tiered architecture for enterprises to rate their data center designs. What are the names of the four tiers?
-Basic Data Center Site Infrastructure -Redundant Site Infrastructure Capacity Components -Fault-Tolerant Site Infrastructure -Concurrently Maintainable Site Infrastructure
Which of the following cloud deployment models may exist on or of premises?
-Community -Hybrid -Private
Which of the following cloud deployment models may exist on or off premises?
-Community -Hybrid -Private
Security Scanning should be performed throughout the development process vs waiting for the completed package because:
-Complexity of fixes -Project delays
What is the correct order of the Cloud Secure Data Lifecycle?
-Create -Store -Use -Share -Archive -Destroy
What are the steps in the BCDR continual process?
-Define Scope -Gather Requirements -Analyze -Assess Risk -Implement -Test -Report -Revise
Which of the following statements are true of the archive phase?
-It helps in planning security controls for the data -It helps in management of keys in cryptography
Which of the following are the key threats to data storage in cloud computing?
-Malware attack -Corruption of data -Data leakage and breaches -Unauthorized access
Which of the following are objectives of release and deployment management?
-Manage stakeholders -Ensure knowledge transfer -Ensure the integrity of release packages
Which of the following are the benefits provided by SaaS for the applications accessible by *clients* anywhere?
-Overall reduction of costs -Reduced support costs -Application and software licensing
Which of the following are the key regulations applicable to the CSP facility?
-PCI DSS -HIPAA
What are the phases of a software development lifecycle process model?
-Planning and requirements analysis -Defining -Designing -Developing -Testing -and Maintenance
What are the two main types of APIs used with cloud-based systems and applications?
-REST -SOAP
When using an IaaS solution, what are the key benefits provided to the customer?
-Reduced cost of ownership -Reduced energy and cooling costs -Metered and priced usage on the basis of units consumed
What are the four elements that a data retention policy should define?
-Retention periods -Data formats -Data security -Data retrieval procedures
IT QoS focuses on measuring which of the following?
-Security -Health -Services
What are the categories of personal data that can be processed?
-Sensitive data -Telephone or Internet data -Biometric data -Personal data -Categories of the processing to be performed
Which of the following are the approaches to data masking?
-Shuffle -Masking -Algorithm substitution -Random substitution -Deletion
In a federated system, which two components serve as its core?
-The Relying Party -The IdP
An organization will conduct a risk assessment to evaluate which of the following?
-Threats to its assets -Vulnerabilities present in the environment -The likelihood that a threat will be realized by taking advantage of an exposure -The impact that the exposure being realized will have on the organization -The residual risk when appropriate controls are properly applied to lessen the vulnerability
Which of the following are issues of Key Management?
-Trust -Availability -Integrity
Which contractual components include a clear understanding of the permissible forms of data processing, transmission, and storage, along with any limitations or nonpermitted uses?
-Use of subcontractors -Scope of processing
Which of the following are contractual components that the CCSP should review and understand fully when contracting with a CSP?
-Use of subcontractors -Scope of processing -Deletion of data -Appropriate or required data security controls -Locations of data -Return or restitution of data -Right to audit subcontractors
Object Storage is usually accessed through:
APIs
Which body establishes optimal temperature and humidity levels?
ASHRAE
In SOC 2 Auditing, how many categories make up the security principle?
7
A business is concerned about the usage of its third-party provided, leased cloud resources. Which audit process should be used to investigate this concern?
??
Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems?
Applying the steps of the software development lifecycle
Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data?
Archiving
Which of the following storage requires a greater amount of administration and entails the installation of an OS or other app to store, sort, and retrieve the data?
Block
Which data retention method is stored with a minimal amount of metadata storage with the content?
Block-based
When using a SaaS solution, who is responsible for application security?
Both CSP and the enterprise
Which model introduced the concept of allowing access controls to change dynamically based on a user's previous actions?
Brewer-Nash
Which problem is known as a common supply chain risk?
Data breaches
Which of the following is a specification constructed for making the management of applications easy in terms of a PaaS system?
CAMP
Which of the following gives an overview of various existing certification schemes?
CCSL
Which artifact may be required as a data source for a compliance audit in a cloud environment?
Change management details
Which process analyzes data for certain attributes and uses that that to determine the appropriate controls and policies to apply to it?
Classification
Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring?
Cloud Access Security Broker (CASB)
Mark, a security administrator, observes multiple service interruptions caused by a data center design. He decided to migrate the company away from its data center and successfully completed the migration of all data center servers and services to a cloud provider. He is still concerned with the availability requirements of critical applications. Which of the following should Mark implement next?
Cloud access security broker
Where should the location be for the final data backup repository in the event that the disaster recovery plan is enacted for the CSP of disaster recovery (DR) service?
Cloud platform
You are a service provider who provides cloud-services and resources to a person using and subscribing them. There is an official commitment (i.e., service-level agreement) between the service provider and the user. Who verifies this official commitment?
Cloud service auditor
Who among the following adds and extends values to the cloud-based services for customers?
Cloud services brokerage
A CSP provides services in European Union (EU) countries that are subject to the network information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided. Who is the CSP required to notify under the NIS directive?
Competent Authorities
What are the two biggest challenges associated with the use of IPSec in cloud computing environments?
Configuration management and Performance
Which aspect of business continuity planning considers the alternatives to be used when there is a complete loss of the provider?
Considering portability options
Which phase of the cloud data lifecycle allows both read and process functions to be performed?
Create
Which is the correct order of the Cloud Secure Data Lifecycle?
Create, Store, Use, Share, Archive, Destroy
Data Discovery Method: What is the *Data analytics* method used for?
Creates new data feeds from sets of data already existing within the environment
Which method should the cloud consumer use to secure the management plane of the cloud service provider?
Credential management
Which of the following vulnerabilities occurs when an application allows untrusted data to be sent to a web browser without proper validation or escaping?
Cross-site scripting
Which element is protected by an encryption system?
Data
This is a method of categorizing data by finding patterns and it relies on users to refine it:
Data Discovery
Which cloud threat is described in the statement below? "If a multitenant cloud service database is not properly designed, a flaw in one client's application can allow an attacker access not only to that client's data but to every other client's data as well."
Data breach
Which technology allows an organization to control access to sensitive documents stored in the cloud?
Digital Rights Management (DRM)
Which open web application security project (OWASP) Top 9 Coding Flaws leads to security issues?
Direct object reference
Which process analyzes data to look for certain attributes or patterns?
Discovery
What are the three components of DLP?
Discovery and Classification, Monitoring, and Enforcement
In which testing method does the entire organization take part in a scenario at a scheduled time, describe its responses during the test, and perform some minimal actions?
Dry run
Which approach is considered a black-box security testing method?
Dynamic application security testing
Management has requested that security testing be done against their live cloud-based applications, with the testers not having internal knowledge of the system. Not attempting to actually breach systems or inject data is also a top requirement. Which of the following would be the appropriate approach to take?
Dynamic application security testing (DAST)
Which of the following provides an organization with a static point of reference from which to begin work in defining its strategic goals and objectives regarding risk remediation and control implementation?
Gap analysis
From a cloud provider perspective, which of the following should a layered defense entail?
Governance mechanisms and enforcement
Which element is a cloud virtualization risk?
Guest isolation
Which environmental consideration should be addressed when planning the design of a data center?
Heating and Ventilation
What is a key capability of infrastructure as a service (IaaS)?
High reliability and resilience
Which standard addresses the privacy aspects of cloud computing for consumers?
ISO 27018:2014
Which international standard guide provides procedures for incident investigation principles and processes?
ISO 27043:2015
Which of the following standards sets out terms and definitions, principles, a framework, and a process for managing risk?
ISO 31000:2009
What is the first international set of privacy controls in the cloud?
ISO/IEC 27018
Which of the following guidelines covers eDiscovery?
ISO/IEC 27050
Which standard addresses practices related to the acquisition of forensic artifacts and can be directly applied to a cloud environment?
ISO/IEC 27050-1
Which standard outlines domains which establish frameworks for risk assessment?
ISO\IEC 27001:2013
Which is the internationally accepted standard for eDiscovery?
ISO\IEC 27050
In which of the following cloud deployment models does platform security come under enterprise responsibility?
IaaS
Which of the following is the result of the process flow that identifies issues and external variables?
Implement security policy
Which cloud model offers access to a pool of fundamental IT resources such as computing, networking, or storage?
Infrastructure
The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization. Which standard should be applied?
International Organization for Standardization (ISO) 27050-1
A KMS is?
Key Management Service
Rex has implemented asymmetric key cryptography for the emails of his company. He is concerned that users may lose their private keys and will not be able to decrypt their messages. Which of the following is the best solution to this problem?
Key escrow
Rex has implemented asymmetric key cryptography for the emails of his company. He is concerned that users may lose their private keys and will not be able to decrypt their messages. Which of the following is the *best* solution to this problem?
Key escrow
Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan?
Level of resiliency
What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks?
Management plane
Which component is among the highest risk component with respect to software vulnerabilities?
Management plane
Which disaster recovery plan metric indicates how long critical functions can be unavailable before the organization is irretrievably affected?
Max allowable downtime (MAD)
Which role acts as monitors of the response activity, provides scenario inputs to heighten realism, and documents performance and any plan shortcomings?
Moderator
Which of the following characteristics of cloud computing can affect the logical design of a data center?
Mulitenancy -Cloud management plane -Virtualization technology
Which countermeasure enhances redundancy for physical facilities hosting cloud equipment during the threat of a power outage?
Multiple and independent power circuits to all racks
Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties?
Native production
Which type of storage with IaaS will be maintained by the cloud provider and referenced with a key value?
Object
Which of the following should be carried out *first* when seeking to perform a gap analysis?
Obtain management support
DLP to protect Data at Rest is installed:
On the system holding the data
Which group is legally bound by the general data protection regulation (GDPR)?
Only corporations that process the data of EU citizens
Which federation standard allows developers to authenticate their users across websites and applications without having to manage usernames and passwords?
OpenID Connect
Which of the following is strongly encouraged for managing access of the directory administrators?
PIM (privileged identity management)
Which category does Auto-Scaling fall into?
PaaS
A security analyst is investigating an incident of access to a resource from an unauthorized location. Which data source should the security analyst used to investigate the incident?
Packet capture logs
Which of the following provides a voice and expression to the strategic goals and objectives of management?
Policy
This concept affords the right to look at things anonymously and to be "forgotten" by a system when you leave
Privacy
Which jurisdictional data protection includes dealing with the international transfer of data?
Privacy Regulation
Which cloud model allows the consumer to have sole responsibility for management and governance?
Private
Which cloud model provides data location assurance?
Private
Which description characterizes the application programming interface (API) format known as representation state transfer (REST)?
Provides a framework for developing scalable web applications
Which encryption technique connects the instance to the encryption instance that handles all crypto operations?
Proxy
How many categories does the security principle in SOC2 include?
Seven
Patrick, a cloud administrator, is looking at business requirements that specify the preceding backup data available at the discovery recovery site must not be more than 24 hours old. Which of the following metrics correctly relates to these requirements?
RPO
Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?
Reporting to the supervisory authority
Which design principle of secure cloud computing involves deploying cloud service provider resources to maximize availability in the event of a failure?
Resiliency
Which of the following cloud characteristics explains that a cloud provides services to serve multiple clients according to their priority?
Resource pooling
Which of the following is considered a "white box" test?
SAST
Max, a cloud administrator, needs to find a web service that will allow systems to communicate over FTP using an XML-based protocol. Which of the following communication methods will he use?
SOAP (Simple Object Access Protocol)
Which Cloud Model uses mainly databases to store data?
SaaS
Which of the following would be covered by an external audit and *not* by an internal audit?
Security controls
Which service model influences the logical design by using additional measures in the application to enhance security?
Software as a Service (SaaS)
What does the acronym STRIDE stand for?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege
Which security testing approach is used to review source code and binaries without executing the application?
Static application security testing
All of the following can result in vendor lock-in except: -Statutory compliance -Proprietary data formats -Insufficient bandwidth -Unfavorable contract
Statutory compliance
Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy (CSP)?
Technological controls
Which kind of Data obfuscation method replaces Data with random values that can be mapped to actual data?
Tokenization
A cloud administrator recommends using tokenization as an alternative to protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken?
The application stores the token
When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed?
The directive applies to data processed by automated means and data contained in paper files
Which factor exemplifies adequate cloud contract governance?
The frequency with which contracts are renewed
In the tokenization architecture, which step should be performed after the tokenization server generates the token and stores it in the token database?
The tokenization server returns the token to the application
Which consideration should be taken into account when reviewing a cloud service provider's risk of potential outage time?
The unique history of the provider
How do immutable workloads effect security overhead?
They reduce the management of the hosts
Which issue can be detected with static application security testing (SAST)?
Threading
Which UI standard Tier will work perfectly without any downtime of critical operations even after the loss of any single system, component, or distribution element?
Tier 4
Which kind of Data Obfuscation method replaces Data with random values that can be mapped to actual data?
Tokenization
Max is the co-founder of a manufacturing firm. Together with his partner, Joe, he has developed a special type of oil that will dramatically improve the manufacturing process. To keep the formula secret, Max and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property protection *best* suits their needs
Trade secret
T/F. Business impact analysis defines which of the assets provide the intrinsic value of an organization
True
T/F. SOX is not directly related to privacy or IT Security
True
Which SOC 2 report would be run to determine if security controls are suitable based on design and intent.
Type 1 Reports
Which penalty is imposed for privacy violations under the general data protection regulation (GDPR)?
Up to 20 Million Euros
Which of the following is the *replacement* of older elements for new ones?
Upgrade
Which of the following publishes the most commonly used standards for data center tiers and topologies?
Uptime Institute
Data Discovery Method: What is the *Metadata-based* method used for?
Used to collect all matching data elements for a certain purpose
A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident. Which action facilitates this type of communication?
Using existing open standards
Which data-at-rest encryption method encrypts all the data stored on the volume and all snapshots created from the volume?
Whole instance encryption
Which methodology could cloud data storage utilize to encrypt all data associated in an infrastructure as a service (IaaS) deployment model?
Whole-instance encryption