CCSP Chapter 11
a
A data custodian is responsible for which of the following? a. the safe custody, transport, storage of the data, and implementation of business rules b. logging and alerts c. data content d. data context
c
The CSA STAR program consists of three levels. Which of the following is not one of those levels? a. self-assessment b. third-party assessment-based certification c. SOC 2 audit certification d. continuous monitoring-based certification
a
What is the Cloud Security Alliance Cloud Controls Matrix (CCM)? a. an inventory of cloud services security controls that are arranged into separate security domains b. an inventory of cloud services security controls that are arranged into a hierarchy of security domains c. a set of regulatory requirements for cloud service providers d. a set of software development life cycle requirements for cloud service providers
b
Which ISO standard refers to addressing security risks in a supply chain? a. ISO 27001 b. ISO/IEC 28000:2007 c. ISO 18799 d. ISO 31000:2009
b
Which is the lowest level of the CSA STAR program? a. continuous monitoring b. self-assessment c. hybridization d. attestation
d
Which of the following best defines risk? a. threat coupled with breach b. vulnerability coupled with an attack c. threat coupled with a threat actor d. threat coupled with a vulnerability
b
Which of the following best describes a cloud carrier? a. person or entity responsible for making a cloud service available to consumers b. the intermediary who provides connectivity and transport of cloud services between cloud providers and cloud customers c. the person or entity responsible for keeping cloud services running for customers d. the person or entity responsible for transporting data across the internet
c
Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider? a. the physical layout of the datacenter b. background checks for the provider's personnel c. use of subcontractors d. redundant uplink grafts
a
Which of the following frameworks focuses specifically on design implementation and management? a. ISO 31000:2009 b. HIPAA c. ISO 27017 d. NIST 800-92
c
Which of the following frameworks identifies the top 8 security risks based on likelihood and impact? a. NIST 800-53 b. ISO 27000 c. ENISA d. COBIT
d
Which of the following is a risk management option that halts a business function? a. mitigation b. acceptance c. transference d. avoidance
b
Which of the following is a valid risk management metric? a. KPI b. KRI c. SLA d. SOC
d
Which of the following is not a part of the ENISA Top 8 Security Risks of cloud computing? a. vendor lock-in b. isolation failure c. insecure or incomplete data deletion d. availability
a
Which of the following is not a risk management framework? a. Hex GBL b. COBIT c. NIST SP 800-37 d. ISO 31000:2009
c
Which of the following is not a risk management framework? a. NIST SP 800-37 b. European Union Agency for Network and Information Security (ENISA) c. key risk indicators (KRI) d. ISO 31000:2009
a
Which of the following is not a way to manage risk? a. enveloping b. mitigating c. accepting d. transferring
a
Which of the following is not an example of an essential internal stakeholder? a. IT analyst b. IT director c. CFO d. HR director
b
Which of the following is not appropriate to include in an SLA? a. the number of user accounts allowed during a specified period b. which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status c. the amount of data to be transmitted and received between the cloud provider and customer d. the time allowed to migrate from normal operations to contingency operations
a
Which of the following is not one of the types of controls? a. transitional b. administrative c. technical d. physical
a
Which of the following methods of addressing risk is most associated with insurance? a. transference b. avoidance c. acceptance d. mitigation