CCSP CertLibrary 5
408 ( Topic 1) Which of the following are considered to be the building blocks of cloud computing? • A. CPU, RAM, storage, and networking • B. Data, CPU, RAM, and access control • C. Data, access control, virtualization, and services • D. Storage, networking, printing, and virtualization
A
457 ( Topic 1) The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement? • A. IaaS • B. SaaS • C. Community cloud • D. PaaS
A Explanation: IaaS entails the cloud customer installing and maintaining the OS, programs, and data; PaaS has the customer installing programs and data; in SaaS, the customer only uploads data. In a community cloud, data and device owners are distributed.
411 ( Topic 1) Which of the following are distinguishing characteristics of a managed service provider? • A. Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management. • B. Have some form of a help desk but no NOC. • C. Be able to remotely monitor and manage objects for the customer and reactively maintain these objects under management. • D. Have some form of a NOC but no help desk.
A Explanation: According to the MSP Alliance, typically MSPs have the following distinguishing characteristics: - Have some form of NOC service - Have some form of help desk service - Can remotely monitor and manage all or a majority of the objects for the customer - Can proactively maintain the objects under management for the customer - Can deliver these solutions with some form of predictable billing model, where the customer knows with great accuracy what her regular IT management expense will be
478 ( Topic 1) Which of the following best describes data masking? • A. A method for creating similar but inauthentic datasets used for software testing and user training. • B. A method used to protect prying eyes from data such as social security numbers and credit card data. • C. A method where the last few numbers in a dataset are not obscured. These are often used for authentication. • D. Data masking involves stripping out all digits in a string of numbers so as to obscure the original number.
A Explanation: All of these answers are actually correct, but A is the best answer, because it is the most general, includes the others, and is therefore the optimum choice. This is a good example of the type of question that can appear on the actual exam.
418 ( Topic 1) All policies within the organization should include a section that includes all of the following, except: • A. Policy adjudication • B. Policy maintenance • C. Policy review • D. Policy enforcement
A Explanation: All the elements except adjudication need to be addressed in each policy. Adjudication is not an element of policy.
421 ( Topic 1) Data labels could include all the following, except: • A. Multifactor authentication • B. Access restrictions • C. Confidentiality level • D. Distribution limitations
A Explanation: All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.
447 ( Topic 1) Data labels could include all the following, except: • A. Data value • B. Data of scheduled destruction • C. Date data was created • D. Data owner
A Explanation: All the others might be included in data labels, but we don"™t usually include data value, since it is prone to change frequently, and because it might not be information we want to disclose to anyone who does not have need to know.
403 ( Topic 1) What are SOC 1/SOC 2/SOC 3? • A. Audit reports • B. Risk management frameworks • C. Access controls • D. Software developments
A Explanation: An SOC 1 is a report on controls at a service organization that may be relevant to a user entity"™s internal control over financial reporting. An SOC 2 report is based on the existing SysTrust and WebTrust principles. The purpose of an SOC 2 report is to evaluate an organization"™s information systems relevant to security, availability, processing integrity, confidentiality, or privacy. An SOC 3 report is also based on the existing SysTrust and WebTrust principles, like a SOC 2 report. The difference is that the SOC 3 report does not detail the testing performed.
439 ( Topic 1) Cryptographic keys for encrypted data stored in the cloud should be ________________ . • A. Not stored with the cloud provider. • B. Generated with redundancy • C. At least 128 bits long • D. Split into groups
A Explanation: Cryptographic keys should not be stored along with the data they secure, regardless of key length. We don"™t split crypto keys or generate redundant keys (doing so would violate the principle of secrecy necessary for keys to serve their purpose).
414 ( Topic 1) DLP can be combined with what other security technology to enhance data controls? • A. DRM • B. Hypervisor • C. SIEM • D. Kerberos
A Explanation: DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.
423 ( Topic 1) The goals of DLP solution implementation include all of the following, except: • A. Elasticity • B. Policy enforcement • C. Data discovery • D. Loss of mitigation
A Explanation: DLP does not have anything to do with elasticity, which is the capability of the environment to scale up or down according to demand. All the rest are goals of DLP implementations.
417 ( Topic 1) DLP solutions can aid in deterring loss due to which of the following? • A. Inadvertent disclosure • B. Natural disaster • C. Randomization • D. Device failure
A Explanation: DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.
462 ( Topic 1) Because of multitenancy, specific risks in the public cloud that don"™t exist in the other cloud service models include all the following except: • A. DoS/DDoS • B. Information bleed • C. Risk of loss/disclosure due to legal seizures • D. Escalation of privilege
A Explanation: DoS/DDoS threats and risks are not unique to the public cloud model.
448 ( Topic 1) What are the U.S. Commerce Department controls on technology exports known as? • A. ITAR • B. DRM • C. EAR • D. EAL
A Explanation: EAR is a Commerce Department program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.
409 ( Topic 1) Which of the following is considered a physical control? • A. Fences • B. Ceilings • C. Carpets • D. Doors
A Explanation: Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control: the lock on the door would be a physical security control. Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.
485 ( Topic 1) What is one of the reasons a baseline might be changed? • A. Numerous change requests • B. To reduce redundancy • C. Natural disaster • D. Power fluctuation
A Explanation: If the CMB is receiving numerous change requests to the point where the amount of requests would drop by modifying the baseline, then that is a good reason to change the baseline. None of the other reasons should involve the baseline at all.
401 ( Topic 1) In which cloud service model is the customer required to maintain the OS? • A. Iaas • B. CaaS • C. PaaS • D. SaaS
A Explanation: In IaaS, the service is bare metal, and the customer has to install the OS and the software; the customer then is responsible for maintaining that OS. In the other models, the provider installs and maintains the OS.
479 ( Topic 1) Which of the following best describes a sandbox? • A. An isolated space where untested code and experimentation can safely occur separate from the production environment. • B. A space where you can safely execute malicious code to see what it does. • C. An isolated space where transactions are protected from malicious software • D. An isolated space where untested code and experimentation can safely occur within the production environment.
A Explanation: Options C and B are also correct, but A is more general and incorporates them both. D is incorrect, because sandboxing does not take place in the production environment.
468 ( Topic 1) As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphi, Congress passed legislation known as: • A. SOX • B. HIPAA • C. FERPA • D. GLBA
A Explanation: Sarbanes-Oxley was a direct response to corporate scandals. FERPA is related to education. GLBA is about the financial industry. HIPAA is about health care.
444 ( Topic 1) Cryptographic keys should be secured ________________ . • A. To a level at least as high as the data they can decrypt • B. In vaults • C. With two-person integrity • D. By armed guards
A Explanation: The physical security of crypto keys is of some concern, but guards or vaults are not always necessary. Two-person integrity might be a good practice for protecting keys. The best answer to this question is option A, because it is always true, whereas the remaining options depend on circumstances.
425 ( Topic 1) The most pragmatic option for data disposal in the cloud is which of the following? • A. Cryptoshredding • B. Overwriting • C. Cold fusion • D. Melting
A Explanation: We don"™t have physical ownership, control, or even access to the devices holding the data, so physical destruction, including melting, is not an option. Overwriting is a possibility, but it is complicated by the difficulty of locating all the sectors and storage areas that might have contained our data, and by the likelihood that constant backups in the cloud increase the chance we"™ll miss something as it"™s being overwritten. Cryptoshredding is the only reasonable alternative. Cold fusion is a red herring.
487 ( Topic 1) Database activity monitoring (DAM) can be: • A. Host-based or network-based • B. Server-based or client-based • C. Used in the place of encryption • D. Used in place of data masking
A Explanation: We don"™t use DAM in place of encryption or masking; DAM augments these options without replacing them. We don"™t usually think of the database interaction as client-server, so A is the best answer.
441 ( Topic 1) Best practices for key management include all of the following, except: • A. Ensure multifactor authentication • B. Pass keys out of band • C. Have key recovery processes • D. Maintain key security
A Explanation: We should do all of these except for requiring multifactor authentication, which is pointless in key management.
402 ( Topic 1) When using a PaaS solution, what is the capability provided to the customer? • A. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The provider does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. • B. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. • C. To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the consumer supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. • D. To deploy onto the cloud infrastructure provider-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
B Explanation: According to "The NIST Definition of Cloud Computing," in PaaS, "the capability provided to the consumer is to deploy onto the cloud infrastructure consumer- created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
471 ( Topic 1) Deviations from the baseline should be investigated and __________________. • A. Revealed • B. Documented • C. Encouraged • D. Enforced
B Explanation: All deviations from the baseline should be documented, including details of the investigation and outcome. We do not enforce or encourage deviations. Presumably, we would already be aware of the deviation, so "revealing" is not a reasonable answer.
434 ( Topic 1) When crafting plans and policies for data archiving, we should consider all of the following, except: • A. The backup process • B. Immediacy of the technology • C. Archive location • D. The format of the data
B Explanation: All of these things should be considered when creating data archival policies, except option D, which is a nonsense term.
477 ( Topic 1) APIs are defined as which of the following? • A. A set of protocols, and tools for building software applications to access a web-based software application or tool • B. A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool • C. A set of standards for building software applications to access a web-based software application or tool • D. A set of routines and tools for building software applications to access web-based software applications
B Explanation: All the answers are true, but B is the most complete.
449 ( Topic 1) All of these are methods of data discovery, except: • A. Label-based • B. User-based • C. Content-based • D. Metadata-based
B Explanation: All the others are valid methods of data discovery; user-based is a red herring with no meaning.
442 ( Topic 1) Data labels could include all the following, except: • A. Distribution limitations • B. Multifactor authentication • C. Confidentiality level • D. Access restrictions
B Explanation: All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.
458 ( Topic 1) Countermeasures for protecting cloud operations against external attackers include all of the following except: • A. Continual monitoring for anomalous activity. • B. Detailed and extensive background checks. • C. Regular and detailed configuration/change management activities • D. Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines.
B Explanation: Background checks are controls for attenuating potential threats from internal actors; external threats aren"™t likely to submit to background checks.
427 ( Topic 1) What is the intellectual property protection for the tangible expression of a creative idea? • A. Trade secret • B. Copyright • C. Trademark • D. Patent
B Explanation: Copyrights are protected tangible expressions of creative works. The other answers listed are answers to subsequent questions.
464 ( Topic 1) All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except: • A. Ensure there are no physical limitations to moving • B. Use DRM and DLP solutions widely throughout the cloud operation • C. Ensure favorable contract terms to support portability • D. Avoid proprietary data formats
B Explanation: DRM and DLP are used for increased authentication/access control and egress monitoring, respectively, and would actually decrease portability instead of enhancing it.
438 ( Topic 1) Data masking can be used to provide all of the following functionality, except: • A. Test data in sandboxed environments • B. Authentication of privileged users • C. Enforcing least privilege • D. Secure remote access
B Explanation: Data masking does not support authentication in any way. All the others are excellent use cases for data masking.
426 ( Topic 1) In the cloud motif, the data processor is usually: • A. The cloud customer • B. The cloud provider • C. The cloud access security broker • D. The party that assigns access rights
B Explanation: In legal terms, when "data processor" is defined, it refers to anyone who stores, handles, moves, or manipulates data on behalf of the data owner or controller. In the cloud computing realm, this is the cloud provider.
495 ( Topic 1) Which of the following is a valid risk management metric? • A. KPI • B. KRI • C. SOC • D. SLA
B Explanation: KRI stands for key risk indicator. KRIs are the red flags if you will in the world of risk management. When these change, they indicate something is amiss and should be looked at quickly to determine if the change is minor or indicative of something important.
405 ( Topic 1) In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type? • A. Physical • B. All of the above • C. technological • D. Administrative
B Explanation: Layered defense calls for a diverse approach to security.
483 ( Topic 1) Identity and access management (IAM) is a security discipline that ensures which of the following? • A. That all users are properly authorized • B. That the right individual gets access to the right resources at the right time for the right reasons. • C. That all users are properly authenticated • D. That unauthorized users will get access to the right resources at the right time for the right reasons
B Explanation: Options A and C are also correct, but included in B, making B the best choice. D is incorrect, because we don"™t want unauthorized users gaining access.
428 ( Topic 1) The goals of SIEM solution implementation include all of the following, except: • A. Dashboarding • B. Performance enhancement • C. Trend analysis • D. Centralization of log streams
B Explanation: SIEM does not intend to provide any enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead. All the rest are goals of SIEM implementations.
437 ( Topic 1) The goals of SIEM solution implementation include all of the following, except: • A. Dashboarding • B. Performance enhancement • C. Trend analysis • D. Centralization of log streams
B Explanation: SIEM does not intend to provide any enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead. All the rest are goals of SIEM implementations.
451 ( Topic 1) Which kind of SSAE audit reviews controls dealing with the organization"™s controls for assuring the confidentiality, integrity, and availability of data? • A. SOC 1 • B. SOC 2 • C. SOC 3 • D. SOC 4
B Explanation: SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.
469 ( Topic 1) In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider"™s performance and duties? • A. HIPAA • B. The contract • C. Statutes • D. Security control matrix
B Explanation: The contract between the provider and customer enhances the customer"™s trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures). Statutes, however, largely leave customers liable. The security control matrix is a tool for ensuring compliance with regulations. HIPAA is a statute.
492 ( Topic 1) A data custodian is responsible for which of the following? • A. Data context • B. Data content • C. The safe custody, transport, storage of the data, and implementation of business rules • D. Logging access and alerts
C Explanation: A data custodian is responsible for the safe custody, transport, and storage of data, and the implementation of business roles.
445 ( Topic 1) What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? • A. One-time pads • B. Link encryption • C. Homomorphic encryption • D. AES
C Explanation: AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.
432 ( Topic 1) All the following are data analytics modes, except: • A. Datamining • B. Agile business intelligence • C. Refractory iterations • D. Real-time analytics
C Explanation: All the others are data analytics methods, but "refractory iterations" is a nonsense term thrown in as a red herring.
412 ( Topic 1) To protect data on user devices in a BYOD environment, the organization should consider requiring all the following, except: • A. Multifactor authentication • B. DLP agents • C. Two-person integrity • D. Local encryption
C Explanation: Although all the other options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic, and, if implemented, would require everyone in your organization to walk around in pairs while using their mobile devices.
415 ( Topic 1) What is the intellectual property protection for a confidential recipe for muffins? • A. Patent • B. Trademark • C. Trade secret • D. Copyright
C Explanation: Confidential recipes unique to the organization are trade secrets. The other answers listed are answers to other questions.
436 ( Topic 1) DLP can be combined with what other security technology to enhance data controls? • A. SIEM • B. Hypervisors • C. DRM • D. Kerberos
C Explanation: DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.
435 ( Topic 1) DLP solutions can aid in deterring loss due to which of the following? • A. Device failure • B. Randomization • C. Inadvertent disclosure • D. Natural disaster
C Explanation: DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.
419 ( Topic 1) Proper implementation of DLP solutions for successful function requires which of the following? • A. Physical access limitations • B. USB connectivity • C. Accurate data categorization • D. Physical presence
C Explanation: DLP tools need to be aware of which information to monitor and which requires categorization (usually done upon data creation, by the data owners). DLPs can be implemented with or without physical access or presence. USB connectivity has nothing to do with DLP solutions.
430 ( Topic 1) All of the following are terms used to described the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except: • A. Tokenization • B. Masking • C. Data discovery • D. Obfuscation
C Explanation: Data discovery is a term used to describe the process of identifying information according to specific traits or categories. The rest are all methods for obscuring data.
429 ( Topic 1) Data masking can be used to provide all of the following functionality, except: • A. Secure remote access • B. test data in sandboxed environments • C. Authentication of privileged users • D. Enforcing least privilege
C Explanation: Data masking does not support authentication in any way. All the others are excellent use cases for data masking.
493 ( Topic 1) Which of the following is the least challenging with regard to eDiscovery in the cloud? • A. Identifying roles such as data owner, controller and processor • B. Decentralization of data storage • C. Forensic analysis • D. Complexities of International law
C Explanation: Forensic analysis is the least challenging of the answers provided as it refers to the analysis of data once it is obtained. The challenges revolve around obtaining the data for analysis due to the complexities of international law, the decentralization of data storage or difficulty knowing where to look, and identifying the data owner, controller, and processor.
460 ( Topic 1) Countermeasures for protecting cloud operations against internal threats include all of the following except: • A. Extensive and comprehensive training programs, including initial, recurring, and refresher sessions • B. Skills and knowledge testing • C. Hardened perimeter devices • D. Aggressive background checks
C Explanation: Hardened perimeter devices are more useful at attenuating the risk of external attack.
410 ( Topic 1) What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first? • A. Quantum-state • B. Polyinstantiation • C. Homomorphic • D. Gastronomic
C Explanation: Homomorphic encryption hopes to achieve that goal; the other options are terms that have almost nothing to do with encryption.
433 ( Topic 1) What are the U.S. State Department controls on technology exports known as? • A. DRM • B. ITAR • C. EAR • D. EAL
C Explanation: ITAR is a Department of State program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.
413 ( Topic 1) Tokenization requires two distinct _________________ . • A. Authentication factors • B. Personnel • C. Databases • D. Encryption
C Explanation: In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.
480 ( Topic 1) A localized incident or disaster can be addressed in a cost-effective manner by using which of the following? • A. UPS • B. Generators • C. Joint operating agreements • D. Strict adherence to applicable regulations
C Explanation: Joint operating agreements can provide nearby relocation sites so that a disruption limited to the organization"™s own facility and campus can be addressed at a different facility and campus. UPS and generators are not limited to serving needs for localized causes. Regulations do not promote cost savings and are not often the immediate concern during BC/DR activities.
400 ( Topic 1) What is a key capability or characteristic of PaaS? • A. Support for a homogenous environment • B. Support for a single programming language • C. Ability to reduce lock-in • D. Ability to manually scale
C Explanation: PaaS should have the following key capabilities and characteristics: - Support multiple languages and frameworks: PaaS should support multiple programming languages and frameworks, thus enabling the developers to code in whichever language they prefer or the design requirements specify. In recent times, significant strides and efforts have been taken to ensure that open source stacks are both supported and utilized, thus reducing "lock-in" or issues with interoperability when changing CSPs. - Multiple hosting environments: The ability to support a wide variety of underlying hosting environments for the platform is key to meeting customer requirements and demands. Whether public cloud, private cloud, local hypervisor, or bare metal, supporting multiple hosting environments allows the application developer or administrator to migrate the application when and as required. This can also be used as a form of contingency and continuity and to ensure the ongoing availability. - Flexibility: Traditionally, platform providers provided features and requirements that they felt suited the client requirements, along with what suited their service offering and positioned them as the provider of choice, with limited options for the customers to move easily. This has changed drastically, with extensibility and flexibility now afforded to meeting the needs and requirements of developer audiences. This has been heavily influenced by open source, which allows relevant plug-ins to be quickly and efficiently introduced into the platform. - Allow choice and reduce lock-in: PaaS learns from previous horror stories and restrictions, proprietary meant red tape, barriers, and restrictions on what developers could do when it came to migration or adding features and components to the platform. Although the requirement to code to specific APIs was made available by the providers, they could run their apps in various environments based on commonality and standard API structures, ensuring a level of consistency and quality for customers and users. - Ability to auto-scale: This enables the application to seamlessly scale up and down as required to accommodate the cyclical demands of users. The platform will allocate resources and assign these to the application as required. This serves as a key driver for any seasonal organizations that experience spikes and drops in usage.
424 ( Topic 1) What is the intellectual property protection for a useful manufacturing innovation? • A. Trademark • B. Copyright • C. patent • D. Trade secret
C Explanation: Patents protect processes (as well as inventions, new plantlife, and decorative patterns). The other answers listed are answers to other questions.
416 ( Topic 1) Every security program and process should have which of the following? • A. Severe penalties • B. Multifactor authentication • C. Foundational policy • D. Homomorphic encryption
C Explanation: Policy drives all programs and functions in the organization; the organization should not conduct any operations that don"™t have a policy governing them. Penalties may or may not be an element of policy, and severity depends on the topic. Multifactor authentication and homomorphic encryption are red herrings here.
465 ( Topic 1) Hardening the operating system refers to all of the following except: • A. Limiting administrator access • B. Closing unused ports • C. Removing antimalware agents • D. Removing unnecessary services and libraries
C Explanation: Removing antimalware agents. Hardening the operating system means making it more secure. Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure. But removing antimalware agents would actually make the system less secure. If anything, antimalware agents should be added, not removed.
494 ( Topic 1) What is the Cloud Security Alliance Cloud Controls Matrix (CCM)? • A. A set of software development life cycle requirements for cloud service providers • B. An inventory of cloud services security controls that are arranged into a hierarchy of security domains • C. An inventory of cloud service security controls that are arranged into separate security domains • D. A set of regulatory requirements for cloud service providers
C Explanation: The CSA CCM is an inventory of cloud service security controls that are arranged into separate security domains, not a hierarchy.
453 ( Topic 1) Which kind of SSAE audit report is most beneficial for a cloud customer, even though it"™s unlikely the cloud provider will share it? • A. SOC 3 • B. SOC 1 Type 2 • C. SOC 2 Type 2 • D. SOC 1 Type 1
C Explanation: The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.
466 ( Topic 1) Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider? • A. SOC 1 Type 1 • B. SOC 2 Type 2 • C. SOC 3 • D. SOC 1 Type 2
C Explanation: The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting, and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.
406 ( Topic 1) The BIA can be used to provide information about all the following, except: • A. BC/DR planning • B. Risk analysis • C. Secure acquisition • D. Selection of security controls
C Explanation: The business impact analysis gathers asset valuation information that is beneficial for risk analysis and selection of security controls (it helps avoid putting the ten- dollar lock on the five-dollar bicycle), and criticality information that helps in BC/DR planning by letting the organization understand which systems, data, and personnel are necessary to continuously maintain. However, it does not aid secure acquisition efforts, since the assets examined by the BIA have already been acquired.
461 ( Topic 1) Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except: • A. The cloud provider"™s utilities • B. The cloud provider"™s suppliers • C. The cloud provider"™s resellers • D. The cloud provider"™s vendors
C Explanation: The cloud provider"™s resellers are a marketing and sales mechanism, not an operational dependency that could affect the security of a cloud customer.
422 ( Topic 1) In the cloud motif, the data owner is usually: • A. The cloud provider • B. In another jurisdiction • C. The cloud customer • D. The cloud access security broker
C Explanation: The data owner is usually considered the cloud customer in a cloud configuration; the data in question is the customer"™s information, being processed in the cloud. The cloud provider is only leasing services and hardware to the customer. The cloud access security broker (CASB) only handles access control on behalf of the cloud customer, and is not in direct contact with the production data.
407 ( Topic 1) Which of the following are cloud computing roles? • A. Cloud service broker and user • B. Cloud customer and financial auditor • C. CSP and backup service provider • D. Cloud service auditor and object
C Explanation: The following groups form the key roles and functions associated with cloud computing. They do not constitute an exhaustive list but highlight the main roles and functions within cloud computing: - Cloud customer: An individual or entity that utilizes or subscribes to cloud based services or resources. - CSP: A company that provides cloud-based platform, infrastructure, application, or storage services to other organizations or individuals, usually for a fee; otherwise known to clients "as a service. - Cloud backup service provider: A third-party entity that manages and holds operational responsibilities for cloud-based data backup services and solutions to customers from a central data center. - CSB: Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple CSPs. It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services. The CSB can be utilized as a "middleman" to broker the best deal and customize services to the customer"™s requirements. May also resell cloud services. - Cloud service auditor: Third-party organization that verifies attainment of SLAs.
489 ( Topic 1) The baseline should cover which of the following? • A. Data breach alerting and reporting • B. All regulatory compliance requirements • C. As many systems throughout the organization as possible • D. A process for version control
C Explanation: The more systems that be included in the baseline, the more cost-effective and scalable the baseline is. The baseline does not deal with breaches or version control; those are the provinces of the security office and CMB, respectively. Regulatory compliance might (and usually will) go beyond the baseline and involve systems, processes, and personnel that are not subject to the baseline.
476 ( Topic 1) Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like: • A. Ransomware • B. Syn floods • C. XSS and SQL injection • D. Password cracking
C Explanation: WAFs detect how the application interacts with the environment, so they are optimal for detecting and refuting things like SQL injection and XSS. Password cracking, syn floods, and ransomware usually aren"™t taking place in the same way as injection and XSS, and they are better addressed with controls at the router and through the use of HIDS, NIDS, and antimalware tools.
488 ( Topic 1) The BC/DR kit should include all of the following except: • A. Annotated asset inventory • B. Flashlight • C. Hard drives • D. Documentation equipment
C Explanation: While hard drives may be useful in the kit (for instance, if they store BC/DR data such as inventory lists, baselines, and patches), they are not necessarily required. All the other items should be included.
484 ( Topic 1) Maintenance mode requires all of these actions except: • A. Remove all active production instances • B. Ensure logging continues • C. Initiate enhanced security controls • D. Prevent new logins
C Explanation: While the other answers are all steps in moving from normal operations to maintenance mode, we do not necessarily initiate any enhanced security controls.
452 ( Topic 1) To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except: • A. Access to audit logs and performance data • B. DLP solution results • C. Security control administration • D. SIM, SEIM. and SEM logs
C Explanation: While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer. Security controls are the sole province of the provider.
474 ( Topic 1) Which of the following best describes the purpose and scope of ISO/IEC 27034-1? • A. Describes international privacy standards for cloud computing • B. Serves as a newer replacement for NIST 800-52 r4 • C. Provides on overview of network and infrastructure security designed to secure cloud applications. • D. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security.
D
475 ( Topic 1) Which of the following best describes SAML? • A. A standard used for directory synchronization • B. A standard for developing secure application management logistics • C. A standard for exchanging usernames and passwords across devices. • D. A standards for exchanging authentication and authorization data between security domains.
D
481 ( Topic 1) In addition to battery backup, a UPS can offer which capability? • A. Breach alert • B. Confidentiality • C. Communication redundancy • D. Line conditioning
D Explanation: A UPS can provide line conditioning, adjusting power so that it is optimized for the devices it serves and smoothing any power fluctuations; it does not offer any of the other listed functions.
420 ( Topic 1) What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first? • A. AES • B. Link encryption • C. One-time pads • D. Homomorphic encryption
D Explanation: AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.
456 ( Topic 1) Countermeasures for protecting cloud operations against internal threats include all of the following except: • A. Mandatory vacation • B. Least privilege • C. Separation of duties • D. Conflict of interest
D Explanation: Conflict of interest is a threat, not a control.
431 ( Topic 1) DLP solutions can aid in deterring loss due to which of the following? • A. Power failure • B. Performance • C. Bad policy • D. Malicious disclosure
D Explanation: DLP tools can identify outbound traffic that violates the organization"™s policies. DLP will not protect against losses due to performance issues or power failures. The DLP solution must be configured according to the organization"™s policies, so bad policies will attenuate the effectiveness of DLP tools, not the other way around.
446 ( Topic 1) What are third-party providers of IAM functions for the cloud environment? • A. AESs • B. SIEMs • C. DLPs • D. CASBs
D Explanation: Data loss, leak prevention, and protection is a family of tools used to reduce the possibility of unauthorized disclosure of sensitive information. SIEMs are tools used to collate and manage log data. AES is an encryption standard.
455 ( Topic 1) What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud? • A. Obfuscation • B. Elasticity • C. Mobility • D. Portability
D Explanation: Elasticity is the name for the benefit of cloud computing where resources can be apportioned as necessary to meet customer demand. Obfuscation is a technique to hide full raw datasets, either from personnel who do not have need to know or for use in testing. Mobility is not a term pertinent to the CBK.
498 ( Topic 1) Which of the following is not a way to manage risk? • A. Transferring • B. Accepting • C. Mitigating • D. Enveloping
D Explanation: Enveloping is a nonsense term, unrelated to risk management. The rest are not.
463 ( Topic 1) What is the cloud service model in which the customer is responsible for administration of the OS? • A. QaaS • B. SaaS • C. PaaS • D. IaaS
D Explanation: In IaaS, the cloud provider only owns the hardware and supplies the utilities. The customer is responsible for the OS, programs, and data. In PaaS and SaaS, the provider also owns the OS. There is no QaaS. That is a red herring.
486 ( Topic 1) In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party? • A. The users of the various organizations within the federations within the federation/a CASB • B. Each member organization/a trusted third party • C. Each member organization/each member organization • D. A contracted third party/the various member organizations of the federation
D Explanation: In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust. This makes the third party the identifier (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are the relying parties (the resource providers that share resources based on approval from the third party).
440 ( Topic 1) Tokenization requires two distinct _________________ . • A. Personnel • B. Authentication factors • C. Encryption keys • D. Databases
D Explanation: In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.
496 ( Topic 1) Which of the following is the best example of a key component of regulated PII? • A. Audit rights of subcontractors • B. Items that should be implemented • C. PCI DSS • D. Mandatory breach reporting
D Explanation: Mandatory breach reporting is the best example of regulated PII components. The rest are generally considered components of contractual PII.
472 ( Topic 1) Which of the following best describes the Organizational Normative Framework (ONF)? • A. A set of application security, and best practices, catalogued and leveraged by the organization • B. A container for components of an application"™s security, best practices catalogued and leveraged by the organization • C. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization • D. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization.
D Explanation: Option B is incorrect, because it refers to a specific applications security elements, meaning it is about an ANF, not the ONF. C is true, but not as complete as D, making D the better choice. C suggests that the framework contains only "some" of the components, which is why B (which describes "all" components) is better
499 ( Topic 1) Which of the following terms is not associated with cloud forensics? • A. eDiscovery • B. Chain of custody • C. Analysis • D. Plausibility
D Explanation: Plausibility, here, is a distractor and not specifically relevant to cloud forensics.
482 ( Topic 1) For performance purposes, OS monitoring should include all of the following except: • A. Disk space • B. Disk I/O usage • C. CPU usage • D. Print spooling
D Explanation: Print spooling is not a metric for system performance; all the rest are.
470 ( Topic 1) The application normative framework is best described as which of the following? • A. A superset of the ONF • B. A stand-alone framework for storing security practices for the ONF • C. The complete ONF • D. A subnet of the ONF
D Explanation: Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization). Therefore, the ANF is a subset of the ONF.
454 ( Topic 1) When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is: • A. Many states have data breach notification laws. • B. Breaches can cause the loss of proprietary data. • C. Breaches can cause the loss of intellectual property. • D. Legal liability can"™t be transferred to the cloud provider.
D Explanation: State notification laws and the loss of proprietary data/intellectual property pre-existed the cloud; only the lack of ability to transfer liability is new.
491 ( Topic 1) Which of the following storage types is most closely associated with a database-type storage implementation? • A. Object • B. Unstructured • C. Volume • D. Structured
D Explanation: Structured storage involves organized and categorized data, which most closely resembles and operates like a database system would.
473 ( Topic 1) A UPS should have enough power to last how long? • A. One day • B. 12 hours • C. Long enough for graceful shutdown • D. 10 minutes
D Explanation: Team-building has nothing to do with SAST; all the rest of the answers are characteristics of SAST.
490 ( Topic 1) Which of the following roles is responsible for creating cloud components and the testing and validation of services? • A. Cloud auditor • B. Inter-cloud provider • C. Cloud service broker • D. Cloud service developer
D Explanation: The cloud service developer is responsible for developing and creating cloud components and services, as well as for testing and validating services.
459 ( Topic 1) User access to the cloud environment can be administered in all of the following ways except: • A. Provider provides administration on behalf the customer • B. Customer directly administers access • C. Third party provides administration on behalf of the customer • D. Customer provides administration on behalf of the provider
D Explanation: The customer does not administer on behalf of the provider. All the rest are possible options.
443 ( Topic 1) What is the correct order of the phases of the data life cycle? • A. Create, Use, Store, Share, Archive, Destroy • B. Create, Archive, Store, Share, Use, Destroy • C. Create, Store, Use, Archive, Share, Destroy • D. Create, Store, Use, Share, Archive, Destroy
D Explanation: The other options are the names of the phases, but out of proper order.
497 ( Topic 1) Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider? • A. Redundant uplink grafts • B. Background checks for the provider"™s personnel • C. The physical layout of the datacenter • D. Use of subcontractors
D Explanation: The use of subcontractors can add risk to the supply chain and should be considered; trusting the provider"™s management of their vendors and suppliers (including subcontractors) is important to trusting the provider. Conversely, the customer is not likely to be allowed to review the physical design of the datacenter (or, indeed, even know the exact location of the datacenter) or the personnel security specifics for the provider"™s staff. "Redundant uplink grafts" is a nonsense term used as a distractor.
450 ( Topic 1) The various models generally available for cloud BC/DR activities include all of the following except: • A. Private architecture, cloud backup • B. Cloud provider, backup from another cloud provider • C. Cloud provider, backup from same provider • D. Cloud provider, backup from private provider
D Explanation: This is not a normal configuration and would not likely provide genuine benefit.
467 ( Topic 1) The cloud customer"™s trust in the cloud provider can be enhanced by all of the following except: • A. SLAs • B. Shared administration • C. Audits • D. real-time video surveillance
D Explanation: Video surveillance will not provide meaningful information and will not enhance trust. All the others will do it.
404 ( Topic 1) Gathering business requirements can aid the organization in determining all of this information about organizational assets, except: • A. Full inventory • B. Criticality • C. Value • D. Usefulness
D Explanation: When we gather information about business requirements, we need to do a complete inventory, receive accurate valuation of assets (usually from the owners of those assets), and assess criticality; this collection of information does not tell us, objectively, how useful an asset is, however.