Practice Exam #1
The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, who initiates the protocol? A. The server B. The client C. The certifying authority D. The Internet service provider (ISP)
104. B. In a typical TLS handshake, the client sends the message (called ClientHello) that initiates the negotiation of the session. All the other options are incorrect.
When a program's source code is open to review by the public, what is that software called? A. Freeware B. Malware C. Open source D. Shareware
109. C. Open source software includes programs where customers (or even the public) can view the software's source code. Freeware and shareware are licensing arrangements and ways of distributing intellectual property. Options A and D are incorrect. Malware is harmful software designed for attack purposes; option B is incorrect.
You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This conflict will most likely have to be resolved with what legal method? A. Breach of contract lawsuit B. Criminal prosecution C. Civil suit D. Military tribunal
120. C. Intellectual property disputes are usually settled in civil court, as a conflict among private parties. Because there was no agreement between your company and the competitor in question, there is no contract, so no breach of contract dispute is pertinent. Option A is incorrect. Although statutes concerning intellectual property protections exist, they are usually in the form of torts (that is, laws that define how civil actions can pursue restitution for private harm). This is not the government prosecuting someone in order to protect the public; criminal proceedings are rare when it comes to enforcing intellectual property rights. Option B is incorrect. The military does not often get involved in intellectual property disputes and most often uses the civil courts when it does. Option D is incorrect.
Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization? A. Premature return to normal operations B. Event anticipation information C. Assigning roles for BC/DR activities D. Preparing the continuity-of-operations plan
A. A hasty return to normal operations can put operations and personnel at risk if whatever caused the contingency situation has not yet been fully resolved. All the other options are common aspects of BC/DR preparation and do not typically pose a threat to the organization.
You are the security manager for a research and development firm. Your company does contract work for a number of highly sensitive industries, including aerospace and pharmaceuticals. Your company's senior management is considering cloud migration and wants an option that is highly secure but still offers some of the flexibility and reduced overhead of the cloud. Which of the following deployment models do you recommend? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
A. A private cloud is the best option for work in highly regulated industries or industries that involve very sensitive assets. The other options simply are not as preferable as option A for this question.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources. If you don't use cross-certification, what other model can you implement for this purpose? A. Third-party identity broker B. Cloud reseller C. Intractable nuanced variance D. Mandatory access control (MAC)
A. A third-party identity broker can serve the purpose of checking and approving all participants to the federation so that the participants don't have to perform that task. A cloud reseller is an entity that sells cloud services without maintaining its own data centers. Option C is gibberish. MAC is used to define access relationships between subjects and objects.
Because of the nature of the cloud, all access is remote access. One of the preferred technologies employed for secure remote access is ______. A. VPN B. HTML C. DEED D. DNS
A. A virtual private network (VPN) creates a trusted path across an untrusted (often public) network (such as the Internet). It is highly recommended for cloud operations. Hypertext Markup Language (HTML) is used for displaying web pages; it is not inherently secure. Option B is incorrect. DEED is an invented term with no meaning in this context. Option C is incorrect. Domain Name System (DNS) is for resolving IP addresses to URLs; it has no inherent security benefits. Option D is incorrect.
Migrating to a cloud environment will reduce an organization's dependence on ______. A. Capital expenditures for IT B. Operational expenditures for IT C. Data-driven workflows D. Customer satisfaction
A. As a cloud customer, the organization is not responsible for making up-front infrastructure purchases, which are capital expenditures. Cloud customers do, however, make continual operational expenditures for IT resources, in the form of their payments to cloud providers. Option B is incorrect. Modern business is driven by data as much as any other input, regardless of sector or industry; this does not change whether the organization operates in the cloud or in the traditional IT environment. Option C is incorrect. The cloud does not obviate the need to satisfy customers. Option D is incorrect.
Which of the following aspects of cloud computing can enhance the customer's business continuity and disaster recovery (BC/DR) efforts? A. Geographical separation of data centers B. Hypervisor security C. Pooled resources D. Multitenancy
A. Because cloud data is typically spread across more than one data center and these data centers can be geographically separated, a single natural disaster event may be less likely to reduce access to the data. All the other options are common aspects of cloud computing but don't particularly serve BC/DR purposes.
You are the security manager for a small European appliance rental company. The senior management of your company is considering cloud migration for the production environment, which handles marketing, billing, and logistics. Which cloud deployment model should you be most likely to recommend? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
A. Because of European personal data privacy laws, it is extremely important for your company to be sure that the data does not leave the borders of a country approved to handle such data. A private cloud model is the best means for your company to be sure that the data is processed in a data center residing in a particular geophysical location. The other options simply are not as preferable as A for this question.
ISO 31000 is most similar to which of the following regulations, standards, guidelines, and frameworks? A. NIST 800-37 B. COBIT C. ITIL D. GDPR
A. Both ISO 31000 and National Institute of Standards and Technology (NIST) 800-37 are risk management frameworks. Control Objectives for Information and Related Technology (COBIT) is ISACA's framework for managing IT and IT controls, largely from a process and governance perspective. Though it includes elements of risk management, NIST 800-37 is still closer in nature to ISO 31000, so option A is preferable to B. ITIL (Information Technology Infrastructure Library) is a framework mostly focused on service delivery as opposed to risk management; option C is incorrect. The General Data Protection Regulation (GDPR) is a European Union law regarding privacy information, not risk management; option D is incorrect.
Domain Name System Security Extensions (DNSSEC) provides all of the following except ______. A. Payload encryption B. Origin authority C. Data integrity D. Authenticated denial of existence
A. DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer (the other options). This does not include payload encryption—confidentiality is not an aspect of DNSSEC.
DevOps is a form of software development that typically joins the software development team with ______. A. The production team B. The marketing team C. The security office D. Management
A. In DevOps, the programmers continually work in close conjunction with the production team to ensure that the project will meet their needs. All the other options are simply incorrect.
The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what form of cryptography is used for the session key? A. Symmetric key B. Asymmetric key pairs C. Hashing D. One asymmetric key pair
A. In TLS, the parties will establish a shared secret, or symmetric key, for the duration of the session. All the other options are incorrect because they are not the form of cryptography used for the session key in a TLS session.
In container virtualization, unlike standard virtualization, what is not included? A. Hardware emulation B. OS replication C. A single kernel D. The possibility for multiple containers
A. In containerization, the underlying hardware is not emulated; the container(s) run on the same underlying kernel, sharing the majority of the base OS. All the other options are aspects of containerization.
In what cloud computing service model is the customer responsible for installing and maintaining the operating system? A. IaaS B. PaaS C. SaaS D. QaaS
A. In the infrastructure as a service (IaaS) model, the customer is responsible for everything up from the hardware layer. In platform as a service (PaaS) and software as a service (SaaS), this will be performed by the provider; options B and C are incorrect. QaaS is an invented term and not meaningful; option D is wrong.
In order to ensure proper ______ in a secure cloud network environment, consider the use of Domain Name System Security Extensions (DNSSEC), Internet Protocol Security (IPSec), and Transport Layer Security (TLS). A. Isolation B. Motif C. Multitenancy D. Signal modulation
A. Isolation in the cloud is imperative, largely because of multitenancy (not to support it, as option C implies). In order to do this, the use of technologies like those listed in the question is warranted. Options B and D have no meaning in this context and are therefore incorrect.
Representational state transfer (REST) outputs often take the form of ______. A. JavaScript Object Notation (JSON) B. Certificates C. Database entries D. WS-Policy
A. JSON outputs are common for REST applications. All the other options are incorrect because they are not the form of output one would expect from REST.
Which of the following countries has a national privacy law that conforms to European Union (EU) legislation? A. Japan B. Alaska C. Belize D. Madagascar
A. Japan's privacy law is sufficient to meet EU legislative requirements. Alaska is not a country—it is a state. Option B is wrong. Neither Belize nor Madagascar has privacy laws sufficient to meet EU requirements; options C and D are incorrect.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources. If you are in the United States, one of the standards you should adhere to is ______. A. NIST 800-53 B. Payment Card Industry (PCI) C. ISO 27014 D. European Union Agency for Network and Information Security (ENISA)
A. NIST Special Publication 800-53 pertains to U.S. federal information systems, guiding the selection of controls according to the Risk Management Framework. PCI is a contractual standard for commercial entities that take credit card payments, not applicable to the government. ENISA publishes a European standard, which is also not applicable to the United States. ISO is not required for government systems in the United States.
Which of the following aspects of cloud computing can enhance the customer's business continuity and disaster recovery (BC/DR) efforts? A. On-demand self-service B. Pooled resources C. Virtualization D. The control plane
A. On-demand self-service allows the cloud customer to provision those production resources during a contingency without any delay in ordering or allocating those resources. All the other options are common aspects of cloud computing but don't particularly serve BC/DR purposes.
In regard to most privacy guidance, the data subject is ______. A. The individual described by the privacy data B. The entity that collects or creates the privacy data C. The entity that uses privacy data on behalf of the controller D. The entity that regulates privacy data
A. Option A is the definition of the data subject. All the other options define other privacy-related roles.
You are the security manager for a data analysis company. Your senior management is considering a cloud migration in order to use the greater capabilities of a cloud provider to perform calculations and computations. Your company wants to ensure that neither the contractual nor the technical setup of the cloud service will affect your data sets in any way so that you are not locked in to a single provider. Which of the following criteria will probably be most crucial for your choice of cloud providers? A. Portability B. Interoperability C. Resiliency D. Governance
A. Portability is the term used to describe the ease with which a customer can move from one cloud provider to another; the higher the portability, the less chance for vendor lock-in. Interoperability describes how systems work together (or don't); because the question did not mention the use of your own company's systems, interoperability does not seem to be a major concern in this case. Option B is incorrect. Resiliency is how well an environment can withstand duress. While this is of obvious importance to all organizations in the cloud, it is usually seen as a defense against availability concerns, while the question has more to do with portability; option A is still preferable to option C. Nothing in the question suggests a need for the company to retain some form of governance; option D is incorrect.
Which of the following aspects of cloud computing can enhance the customer's business continuity and disaster recovery (BC/DR) efforts? A. Rapid elasticity B. Online collaboration C. Support of common regulatory frameworks D. Attention to customer service
A. Rapid elasticity allows the cloud customer to scale cloud operations as necessary, including during contingency operations; this is extremely useful for BC/DR activities. All the other options are common aspects of cloud computing but don't particularly serve BC/DR purposes.
You are the security policy lead for your organization, which is considering migrating from your on-premises, legacy environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which tool, also available from the CSA, can be used in conjunction with the CCM to aid you in selecting/applying the proper controls to meet your organization's regulatory needs? A. The Consensus Assessments Initiative Questionnaire (CAIQ) B. The Open Web Application Security Project (OWASP) Top Ten C. The Critical Security Controls (CSC) list D. NIST FIPS 140-2
A. The CAIQ is a self-administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls. The OWASP Top Ten is used to indicate trends in poor design of web applications. The CSC may be a useful tool for choosing and implementing appropriate controls, but it comes from the Center for Internet Security (CIS), not the CSA. The FIPS 140-2 lists only approved cryptographic tools and is published by NIST.
You are the security policy lead for your organization, which is considering migrating from your on-premises, legacy environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which of the following benefits will the CSA CCM offer your organization? A. Simplifying regulatory compliance B. Collecting multiple data streams from your log files C. Ensuring that the baseline configuration is applied to all systems D. Enforcing contract terms between your organization and the cloud provider
A. The CSA CCM will aid you in selecting and implementing appropriate controls for various regulatory frameworks. The CCM does not aid in collecting log files; that is the function of a security information and event management (SIEM), search engine marketing (SEM), or security information management (SIM) tool. The CCM will not help ensure that the baseline is applied to systems; automated configuration tools are available for that purpose (although this answer might be interpreted as desirable; the CCM will help you select appropriate controls for your baseline, but it won't check to see if those are applied). Contract terms are not enforced by the CCM; the service-level agreement (SLA) should be the mechanism for that task.
Fiber-optic lines are considered part of Layer ______ of the Open Systems Interconnection (OSI) model. A. 1 B. 3 C. 5 D. 7
A. The lines themselves are physical, which puts them at Layer 1. All the other options are simply incorrect.
Firewalls, DLP (data loss prevention or data leak protection) and digital rights management (DRM) solutions, and security information and event management (SIEM) products are all examples of ______ controls. A. Technical B. Administrative C. Physical D. Competing
A. These are technical controls, automated systems that perform security functions. An argument could be made that there is an administrative component to these controls as well: the firewall rules, the DLP data discovery strategy, etc.—these are expressed in the form of a list or set of criteria, which might be viewed as an administrative control. However, the system itself (which is what the question asked) is still a technical control. Option A is preferable to option B. Because these devices/systems do not deter physical intrusion, but rather logical intrusion, they are not considered physical controls. Option C is incorrect. "Competing" is not a control type; option D is incorrect.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. You are fairly certain the complaint is not applicable, and that the material in question does not belong to anyone else. What should you do in order to comply with the law? A. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded. B. Leave the material up, do an investigation, and post the results of the investigation alongside the material itself once the investigation is complete. C. Ignore the complaint. D. Leave the material up until such time as the complainant delivers an enforceable governmental request, such as a warrant or subpoena.
A. This is the correct process, according to the law. The rest are not proper procedures for complying with the law and are therefore incorrect and inadvisable.
Which of the following items, included in the contract between a cloud customer and cloud provider, can best aid in reducing vendor lock-in? A. Data format type and structure B. Availability C. Storage space D. List of available OSs
A. When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform-agnostic data set is more portable and less subject to vendor lock-in. Availability may be an aspect of portability; the ease and speed at which the customer can access their own data can influence how readily the data might be moved to another provider. However, this is less influential than the format and structure of the data; option A is preferable to option B. Storage space has little to do with vendor lock-in; option C is incorrect. A list of OSs the provider offers might be influential for the customer's decision of which provider to select, but it is not typically a constraining factor that would restrict portability. Option D is incorrect.
What is the most important factor when considering the lowest temperature setting within a data center? A. System performance B. Health and human safety C. Risk of fire D. Regulatory issues
B. Bare skin sticks to cold metal. Most modern systems don't suffer performance degradation at the lower ends of the temperature spectrum; it's the higher temperatures that are of concern for that aspect of the data center. Option B is preferable to option A. Similarly, high temperature invokes a greater risk of fire, not low temperature, and this environmental aspect is perhaps the factor least impacting risk of fire anyway. Option C is incorrect. Any regulatory issues stemming from a workplace that is too cold correlates directly with risks to health and human safety, so option B is still preferable to option D.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective exchanges music files in two forms: images of written sheet music, and electronic copies of recordings. Both of these are protected by what intellectual property legal construct? A. Trademark B. Copyright C. Patent D. Trade secret
B. A copyright protects expressions of ideas, usually creative expression. Music, whether written or recorded, falls into this category. Trademarks are for data that is associated with a brand of a company. Patents are usually for processes or inventions. Trade secrets are business elements kept from public disclosure—music would not usually fit into this category as its value is derived from its distribution in the marketplace.
You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You suggest that a(n) ______ service model will best meet this requirement. A. IaaS B. PaaS C. SaaS D. TaaS
B. A platform as a service (PaaS) environment will likely provide the best option for testing the game; the provider will offer various OS platforms for the game to run on, giving your company the opportunity to reach as many customers (using various platforms) as possible, raising your potential for market penetration. Although infrastructure as a service (IaaS) is not a terrible option and would give your team additional control of the entire test, it would also require the team to duplicate many different platforms and OSs, requiring a much greater level of effort and additional expertise at what would likely be a much greater cost. Option B is preferable to option A. A software as a service (SaaS) model will not allow your team to install and run the game; option C is incorrect. TaaS is a made-up term with no meaning in this context, making option D incorrect.
Which of the following common aspects of cloud computing can aid in audit efforts? A. Scalability B. Virtualization C. Multitenancy D. Metered self-service
B. A ubiquitous baseline configuration used in a virtualized environment can serve as an artifact for auditors and enhance the audit process. The other options are common facets of cloud computing but do not typically serve the purpose of auditing.
During maintenance mode for a given node in a virtualized environment, which of the following conditions is not accurate? A. Generation of new instances is prevented. B. Admin access is prevented. C. Alerting mechanisms are suspended. D. Events are logged.
B. Administrators will access devices during maintenance mode; blocking admin access would be contrary to the entire point of the activity. All other options are conditions that are true during maintenance mode.
Which of the following is a true statement about the virtualization management toolset? A. It can be regarded as something public facing. B. It must be on a distinct, isolated management network (virtual local area network [VLAN]). C. It connects physically to the specific storage area allocated to a given customer. D. The responsibility for securely installing and updating it falls on the customer.
B. All management functions should take place on a highly secure, isolated network. The toolset may be available via remote access but is not in any way to be considered public-facing; option A is incorrect. Resource pooling contradicts direct connections to any particular storage mechanism; option C is incorrect. Usually, virtualization management will be a responsibility of the provider because it is a crucial element for all customers; option D is incorrect.
What is the importance of adhering to vendor guidance in configuration settings? A. Conforming with federal law B. Demonstrating due diligence C. Staying one step ahead of aggressors D. Maintaining customer satisfaction
B. Applying vendor configurations is an excellent method for demonstrating due diligence in IT security efforts. Always remember that proper documentation of the action is also necessary. Federal law rarely dictates application of vendor guidance, or any other specific security method for individual platforms; option A is incorrect. Aggressors will almost always be on the offensive and adapt attack methodology faster than our industry creates defenses; even vendor guidance is usually reactive. Option C is incorrect. Customers rarely have any idea of (or reason to know) configuration settings; option D is incorrect.
Which of the following is not a reason for conducting audits? A. Regulatory compliance B. Enhanced user experience C. Determination of service quality D. Security assurance
B. Audits don't really provide any perceptible effect on user experience. All the other options are good reasons for performing audits.
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except ______. A. Removing all nonessential programs from the baseline image B. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems C. Including the baseline image in the asset inventory and configuration management database D. Configuring the host OS according to the baseline requirements
B. Baseline systems need current patches/configuration updates in order to be used to replicate production systems. All the other options are actual baselining functions.
The cloud provider should be required to make proof of vulnerability scans available to all of the following except ______. A. Regulators B. The public C. Auditors D. The cloud customer
B. The public does not have a need to know regarding proof of vulnerability scans. All the other options are legitimate recipients of proof of vulnerability scans.
You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes. Which of the following traits of cloud functionality is probably the most crucial in terms of deciding which cloud provider you will choose? A. Portability B. Interoperability C. Resiliency D. Governance
B. Because you will be creating proprietary software, you will probably be most concerned with how it will function across many platforms, in a virtualized environment, and in an environment that you do not own or operate. Interoperability describes how well a system relates to other systems. Portability is always a concern for cloud customers, as it is an indication of how likely the customer is to be subject to the risk of vendor lock-in. However, because you are using your own proprietary software and not that of another company, this is not a major issue in this case. Option A is incorrect. Resiliency is how well an environment can withstand duress. Although this is of obvious importance to all organizations, it is usually seen as a defense against availability concerns; the question has more to do with interoperability, and thus option B is still preferable to option C. Nothing in the question suggests a need for the company to retain some form of governance; option D is incorrect.
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline, except ______. A. Auditing the baseline to ensure that all configuration items have been included and applied correctly B. Imposing the baseline throughout the environment C. Capturing an image of the baseline system for future reference, versioning, and rollback purposes D. Documenting all baseline configuration elements and versioning data
B. Before applying the baseline to the environment, it is important to determine if there are any offices/systems that will require exceptions; not all baselines meet all business needs. All the other options are actual baselining functions.
Which of the following countries has a national privacy law that conforms to European Union (EU) legislation? A. The United States B. Australia C. Jamaica D. Honduras
B. Both Australia and New Zealand have privacy laws that conform to EU privacy legislation. All the other options are examples of countries that do not.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. Upon investigation, you determine that the material in question is the sheet music for a concerto written in 1872. What should you do in order to comply with the law? A. Contact the current owners of the copyright in order to get proper permissions to host and exchange the data. B. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit. C. Apply for a new copyright based on the new usage of the material. D. Offer to pay the complainant for the usage of the material.
B. Copyrights expire after a certain duration and then fall into the public domain, where they can be used by anyone for any purpose. This material certainly exceeds the time of any copyright protection. All other options are invalid.
Which common security tool can aid in the overall business continuity and disaster recovery (BC/DR) process? A. Honeypots B. Data loss prevention or data leak protection (DLP) C. Security information and event management (SIEM) D. Firewalls
B. DLP solutions typically have the capability to aid in asset valuation and location, both important facets of the BC/DR process. All the other options are common security tools but don't really serve to enhance BC/DR efforts.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. It is absolutely crucial to include as part of this process. A. Managerial oversight B. Signed nondisclosure agreements C. Health benefits D. The programming team
B. Having the test participants provide signed nondisclosure agreements is an absolutely essential part of this process; they will be exposed to proprietary material and need to be held accountable for any disclosures they might make. Managerial oversight is not at all necessary at this level of development and would actually be a form of micromanagement; option A is incorrect. Health benefits are in no way appropriate for temporary, unpaid testers; option C is only a distractor. Programmers should be prevented from participating in testing as they have inherent bias and may unduly influence the results; option D is wrong.
Which of the following is not a typical mechanism used by intrusion detection system (IDS) and intrusion prevention system (IPS) solutions to detect threats? A. Signature-based detection B. User input C. Statistical-based detection D. Heuristic detection
B. IDS/IPS solutions do not elicit user input. All the other options are mechanisms used by IDS/IPS solutions to detect threats.
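To make the three detection mechanisms named in the answer concrete, here is an added example (not part of the original exam material) that runs each of them over a handful of constructed access-log lines: a signature match against a known pattern, a statistical outlier test on per-source request volume, and a heuristic rule on repeated access failures. The log format, thresholds and IP addresses are all constructed for the illustration.

```python
"""Signature-based, statistical and heuristic detection over constructed log lines."""
import re
import statistics
from collections import Counter

# Constructed sample access-log lines (not from the original page).
# Simplified format: source_ip method path status
SAMPLE_LOGS = [
    "10.0.0.1 GET /index.html 200",
    "10.0.0.1 GET /about.html 200",
    "10.0.0.1 GET /contact.html 200",
    "10.0.0.2 GET /files?name=report.pdf 200",
    "10.0.0.2 GET /files?name=../../config.yml 403",  # matches the traversal signature
    "10.0.0.4 GET /login 200",
    "10.0.0.4 POST /login 401",
    "10.0.0.4 POST /login 401",
    "10.0.0.4 POST /login 401",                       # repeated failures: heuristic rule
] + [f"10.0.0.3 GET /page{i}.html 200" for i in range(12)]  # burst: statistical outlier


def parse(line):
    """Split one constructed log line into its four fields."""
    src, method, path, status = line.split(" ", 3)
    return {"src": src, "method": method, "path": path, "status": status}


# 1. Signature-based: match request content against known-bad patterns.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
}


def signature_detect(lines):
    alerts = []
    for rec in map(parse, lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


# 2. Statistical-based: flag sources whose request volume deviates from the
#    population of sources by more than z_threshold standard deviations.
def statistical_detect(lines, z_threshold=1.5):
    counts = Counter(parse(line)["src"] for line in lines)
    values = list(counts.values())
    mean = statistics.mean(values)
    sd = statistics.pstdev(values)
    if sd == 0:  # every source behaves identically; nothing stands out
        return []
    return [(src, "request-volume-outlier")
            for src, n in counts.items() if (n - mean) / sd > z_threshold]


# 3. Heuristic: an expert-written rule about behaviour, here "three or more
#    denied responses from one source".
def heuristic_detect(lines, max_failures=3):
    failures = Counter()
    for rec in map(parse, lines):
        if rec["status"] in ("401", "403"):
            failures[rec["src"]] += 1
    return [(src, "repeated-access-failures")
            for src, n in failures.items() if n >= max_failures]


def run_all(lines):
    """Run every mechanism and return the alerts keyed by mechanism name."""
    return {
        "signature": signature_detect(lines),
        "statistical": statistical_detect(lines),
        "heuristic": heuristic_detect(lines),
    }


if __name__ == "__main__":
    for mechanism, alerts in run_all(SAMPLE_LOGS).items():
        print(f"{mechanism:12s} {alerts}")
```

None of the three mechanisms asks the user for anything at detection time, which is the point of the question: they consume telemetry (here, log lines) and apply a pattern, a baseline, or a rule to it.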
There are two general types of smoke detectors. Which type uses a small portion of radioactive material? A. Photoelectric B. Ionization C. Electron pulse D. Integral field
B. Ionization detectors usually use a small amount of americium in the detection chamber. Photoelectric detectors use a light source instead. Option A is incorrect. Options C and D are incorrect because they are meaningless in this context.
You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a. A. Functional requirement B. Nonfunctional requirement C. Regulatory issue D. Third-party function
B. It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering: you are delivering entertainment, which is the primary goal; security is therefore a nonfunctional requirement. If you were creating security products, security would be a functional requirement; games are not security products. A game with security flaws is still a game and fulfills the purpose. Option A is therefore incorrect (although hotly debated among IT security personnel—remember, the game can exist without a security department, but the security department couldn't exist without games). Thus far, regulations have not imposed particular security conditions on delivered products by statute. This does not obviate all liability from shipping defective products, of course; the need for due care and due diligence remains. However, this is a much lower threshold than direct statutory guidance, which exists in fields other than software development (to date). Option C is incorrect. Outsourcing may or may not be used when performing software security reviews; there is not enough information in the question to determine which method your company uses, so option D is too specific for the vague data provided.
You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This intellectual property is likely protected as a. A. Copyright B. Trademark C. Patent D. Trade secret
B. Logos and other identifying material are subject to trademark protections. The other options are also ways to protect intellectual property, but they are not usually associated with logos.
Multifactor authentication typically includes two or more of all the following elements except. A. What you know B. Who you know C. What you are D. What you have
B. Multifactor authentication doesn't typically utilize associative identification. All the other options are typical aspects used in multifactor authentication.
In regard to most privacy guidance, the data controller is. A. The individual described by the privacy data B. The entity that collects or creates the privacy data C. The entity that uses privacy data on behalf of the controller D. The entity that regulates privacy data
B. Option B is the definition of the data controller. All the other options define other privacy-related roles.
You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes. Which cloud service model is most likely to suit your needs? A. IaaS B. PaaS C. SaaS D. LaaS
B. Platform as a service (PaaS) allows a software development team to test their product across multiple OSs and hosting platforms, without the need for the customer to manage each one. Although infrastructure as a service (IaaS) could offer similar cross-platform benefits, it would require additional effort and expertise on the part of the customer, which would not be nearly as appealing and efficient. Option A is incorrect. Software as a service (SaaS) does not allow the customer to install software and would be useless for this purpose, making option C incorrect. LaaS is not a cloud service model and has no meaning in this context. Option D is incorrect.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources. In order to pass the user IDs and authenticating credentials of each user among the organizations, what protocol/language/motif will you most likely utilize? A. Representational State Transfer (REST) B. Security Assertion Markup Language (SAML) C. Simple Object Access Protocol (SOAP) D. Hypertext Markup Language (HTML)
B. SAML 2.0 is currently the standard used to pass security assertions across the Internet. REST and SOAP are ways of presenting data and executing operations on the Internet, and HTML is a way of displaying web pages.
"Sensitive data exposure" is often included on the list of the Open Web Application Security Project (OWASP) Top Ten web application vulnerabilities. In addition to programming discipline and technological controls, what other approach is important for reducing this risk? A. Physical access control to the facility B. User training C. Crafting sophisticated policies D. Redundant backup power
B. Sensitive data is often exposed inadvertently because of user error or lack of knowledge about the material. User training can offset a significant portion of this risk by informing users about the value of data assets and the proper use of controls and behaviors. Physical access control is important, but less for controlling exposure and more for preventing theft. Option B is preferable to A in this context. Policies are crucial but don't actually offset the risk; they are the underlying structure for creating programs and methods for dealing with the risk. Option B is preferable to C in this case. Backup power has nothing to do with data exposure, therefore option D is incorrect.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of. A. Static testing B. Dynamic testing C. Code review D. Open source review
B. Testing the product in a runtime context is dynamic testing. Because this is being done in runtime, it is neither code review nor static testing; options A and C are incorrect. Using a small pool of specified individuals is not truly open source, which would involve releasing the game to the public. Option D is incorrect.
You are the security policy lead for your organization, which is considering migrating from your on-premises, legacy environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. What is probably the best benefit offered by the CCM? A. The low cost of the tool B. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort C. Simplicity of control selection from the list of approved choices D. Ease of implementation by choosing controls from the list of qualified vendors
B. The CCM allows you to note where specific controls (some of which you might already have in place) will address requirements listed in multiple regulatory and contractual standards, laws, and guides. Option A is a misnomer because the CCM is free of charge. Options C and D are incorrect because the CCM does not list either specific controls or vendors.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources. If you are in Canada, one of the standards you will have to adhere to is. A. FIPS 140-2 B. PIPEDA C. HIPAA D. EFTA
B. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing protection of personal information. The Federal Information Processing Standard (FIPS) 140-2 standard certifies cryptologic components for use by American federal government entities. The Health Information Portability and Accountability Act (HIPAA) is an American law regulating patient information for medical providers. The European Free Trade Association (EFTA) is not a standard; it is a group of European countries.
Which of the following is probably least suited for inclusion in the service-level agreement (SLA) between a cloud customer and cloud provider? A. Bandwidth B. Jurisdiction C. Storage space D. Availability
B. The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, numeric metrics. Jurisdiction is usually dictated by location instead, which should be included in the contract but is probably not useful to include in the SLA. All the other options are excellent examples of items that can and should be included in the SLA.
Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the service-level agreement (SLA)? A. Regulatory oversight B. Financial penalties C. Performance details D. Desire to maintain customer satisfaction
B. The contract usually stipulates what kind of financial penalties are imposed when the provider fails to meet the SLAs (for instance, waiver for payment of a given service term). This is a huge motivating element for the provider. Regulatory oversight usually affects the customer, not the provider; option A is incorrect. The performance details are often included in the SLA but aren't the motivating factor; option C is incorrect. In a perfect world, option D would be the correct answer; B is a better answer to this question, however.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective wants to create a single sign-on experience for all members of the collective, where assurance and trust in the various members are created by having each member review all the others' policies, governance, procedures, and controls before allowing them to participate. This is an example of what kind of arrangement? A. SAML B. Cross-certification federation C. Third-party certification federation D. JSON
B. The cross-certification model of federated identity requires all participants to review and confirm all the others. SAML is the format most often used for identity assertions in a federated environment. JSON is a communications format for exchanging objects online.
What functional process can aid business continuity and disaster recovery (BC/DR) efforts? A. The software development lifecycle (SDLC) B. Data classification C. Honeypots D. Identity management
B. The data classification process is the organization's formal means of determining value of its assets; this is extremely important to BC/DR efforts in that it can be useful in determining the critical path to be maintained during contingency events. The SDLC is a system development/acquisition tool; it doesn't particularly assist in BC/DR efforts. Option A is incorrect. Honeypots are a threat intelligence tool; they don't serve any useful BC/DR purpose. Option C is incorrect. Identity management is a part of the entitlement process but does not add any value to BC/DR efforts; option D is incorrect.
In most privacy-regulation situations, which entity is most responsible for deciding how a particular privacy-related data set will be used or processed? A. The data subject B. The data controller C. The data steward D. The data custodian
B. The data controller makes the determination of purpose and scope of privacy-related data sets. The other options are the names of other privacy-related roles.
You run an online club for antique piano enthusiasts. In order to better share photo files and other data online, you want to establish a cloud-based environment where all your members can connect their own devices and files to each other, at their discretion. You do not want to centralize payment for such services as Internet service provider (ISP) connectivity, and you want to leave that up to the members. Which cloud deployment model would best suit your needs? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
B. This is an optimum situation for the use of a community cloud model. The other options are not as preferable as B for this question.
Storage controllers will typically be involved with each of the following storage protocols except. A. Internet Small Computer Systems Interface (iSCSI) B. RAID C. Fibre Channel D. Fibre Channel over Ethernet
B. This question might be susceptible to overthinking because it is simplistically straightforward: RAID is not a protocol—it's a configuration mechanism. All the other options are storage protocols that will involve storage controllers.
Bob is designing a data center to support his organization, a financial services firm. Which of the following actions would best enhance Bob's efforts to create redundancy and resiliency in the data center? A. Ensure that all entrances are secured with biometric-based locks. B. Purchase uninterruptible power supplies (UPSs) from different vendors. C. Include financial background checks in all personnel reviews for administrators. D. Make sure all raised floors have at least 24 inches of clearance.
B. Using different vendors for multiple systems of the same type adds not only redundancy but also resiliency; if one product has an inherent manufacturing flaw, the other should not, if it comes from a different producer. The other suggestions are all suitable but do not offer redundancy or resiliency.
Which of the following does not typically represent a means for enhanced authentication? A. Challenge questions B. Variable keystrokes C. Out-of-band identity confirmation D. Dynamic end-user knowledge
B. Variables, in general, aren't useful for authentication; authentication requires a match against a template or a known quantity. All the other options are typical methods for enhancing authentication.
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which facet of cloud computing is most important for making this possible? A. Broad network access B. Rapid elasticity C. Metered service D. Resource pooling
B. While all aspects of cloud computing are necessary to provide a true cloud service, this type of business flexibility is possible because of rapid (close to instant) elasticity, the means to scale your usage up and down as needed. All the other options are facets of cloud computing but are not as pertinent to the question.
You are the IT director for a small contracting firm. Your company is considering migrating to a cloud production environment. Which service model would best fit your needs if you wanted an option that reduced the chance of vendor lock-in but also did not require the highest degree of administration by your own personnel? A. IaaS B. PaaS C. SaaS D. TanstaafL
B. With platform as a service (PaaS), the cloud provider will administer both the hardware and the OS, but you will be in charge of managing the applications and data. There is less likelihood of vendor lock-in with PaaS than software as a service (SaaS), because your data will not be put into a proprietary format (option B is preferable to option C). With infrastructure as a service (IaaS), your company will still retain a great deal of the administrative responsibility, so PaaS is a better option; option B is preferable to A. Option D has no applicability in this context and is incorrect.
Why is Simple Object Access Protocol (SOAP) used for accessing web services instead of the Distributed Component Object Model (DCOM) and the Common Object Request Broker Architecture (CORBA)? A. SOAP provides a much more lightweight solution. B. SOAP replaces binary messaging with XML. C. SOAP is much more secure. D. SOAP is newer.
B. XML works better over the Internet than the binary messaging of the older technologies. SOAP is not particularly lightweight; in fact, it is kind of cumbersome. Option A is not true. SOAP is not especially more secure than DCOM or CORBA; option C is incorrect. SOAP is newer than the other technologies; however, that is not the reason it is preferable in a web context. Option B is still preferable to D.
You are the IT director for a small engineering services company. During the last year, one of your managing partners left the firm, and you lost several large customers, creating a cash flow problem. The remaining partners are looking to use a cloud environment as a means of drastically and quickly cutting costs, migrating away from the expense of operating an internal network. Which cloud deployment model would you suggest to best meet their needs? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
C. A public cloud will be the easiest, least expensive option and probably offer the simplest transition. The other options are not as preferable as C for this question.
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except. A. Updating the OS baseline image according to a scheduled interval to include any necessary security patches and configuration modifications B. Starting with a clean installation (hardware or virtual) of the desired OS C. Including only the default account credentials and nothing customized D. Halting or removing all unnecessary services
C. Default credentials are the bane of security, everywhere. This is definitely the correct answer because it should not be part of the baseline build. All the other options are actual baselining functions.
You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following methods could be used to determine if your ownership rights were violated? A. Physical surveillance of their property and personnel B. Communications tapping of their offices C. Code signing D. Subverting insiders
C. Digitally signing software code is an excellent method for determining original ownership and has proven effective in major intellectual property rights disputes. All the other options represent solutions that not only probably lack efficacy but are also often illegal.
Which of the following is not typically used as an information source for business continuity and disaster recovery (BC/DR) event anticipation? A. Open source news B. Business threat intelligence C. Egress monitoring solutions D. Weather monitoring agencies
C. Egress-monitoring solutions do not typically predict contingency-level events and are not useful for the purpose. All the other options represent information sources that can aid in predicting BC/DR events.
You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following legal methods are you likely able to exercise to defend your rights? A. Criminal prosecution B. Public hearings C. Civil court D. Arrest and detention
C. Enforcement of copyright is usually a tortious civil action, as a conflict between private parties. Only crimes involve arrest, detention, and prosecution; most copyright cases such as this would not be tried as a crime, and the government would not be involved (other than in the form of the judge/court). Options A and D are incorrect. Public hearings are not used to gain restitution for harmful acts; option B is incorrect.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Trying to replicate this phenomenon in a testbed environment with internal testing mechanisms is called. A. Source code review B. Deep testing C. Fuzz testing D. White-box testing
C. Fuzz testing is the term used to describe the use of known bad or randomized inputs to determine what unintended results may occur. Source code review, just like it sounds, is a review of the actual program code; option A is incorrect. Deep testing is a made-up term; option B is incorrect. White-box testing is a term used to describe a form of code review; option D is incorrect.
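To show what "known bad or randomized inputs" looks like in practice, here is an added example (not part of the original exam material) of a minimal fuzz harness in Python. The target, `parse_score`, is a constructed parser whose documented contract is to raise `ValueError` on malformed input; the harness feeds it a corpus of known-bad strings plus seeded random mutations of a valid seed and records any exception type the contract does not allow, which is exactly the "unintended result" the answer describes. `parse_score_fixed` is the hardened version, and the same harness is used to confirm that the unintended behaviour is gone. All names, inputs and the bugs themselves are constructed for the illustration.

```python
"""A small fuzz harness against a constructed parser and its hardened version."""
import random
import string

# Constructed target: contract is "name:score" -> (name, score, percent),
# raising ValueError for anything malformed. Two planted defects violate that.
def parse_score(line):
    parts = line.split(":")
    name = parts[0]
    score = int(parts[1])          # planted bug: IndexError when ':' is missing
    if not name:
        raise ValueError("empty name")
    percent = 100 // score         # planted bug: ZeroDivisionError when score is 0
    return name, score, percent


# Hardened version: every malformed input is rejected with the documented error.
def parse_score_fixed(line):
    parts = line.split(":")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("expected exactly one ':' and a non-empty name")
    try:
        score = int(parts[1])
    except ValueError:
        raise ValueError("score must be an integer") from None
    if not 1 <= score <= 100:
        raise ValueError("score must be between 1 and 100")
    return parts[0], score, 100 // score


# Known-bad corpus (constructed): empty, boundary and oversized cases.
KNOWN_BAD = ["", ":", "alice", "alice:", ":42", "alice:0", "alice:-1",
             "a" * 10000, "alice:4\x002", "alice:42:7"]

ALPHABET = string.ascii_letters + string.digits + ":;,-= \t"


def mutate(seed, rng):
    """Apply one to three random edits (insert/delete/replace/truncate) to seed."""
    s = list(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("insert", "delete", "replace", "truncate"))
        if op == "insert":
            s.insert(rng.randint(0, len(s)), rng.choice(ALPHABET))
        elif op == "delete" and s:
            del s[rng.randrange(len(s))]
        elif op == "replace" and s:
            s[rng.randrange(len(s))] = rng.choice(ALPHABET)
        elif op == "truncate":
            s = s[:rng.randint(0, len(s))]
    return "".join(s)


def fuzz(target, seed="alice:42", iterations=500, rng_seed=1):
    """Return {exception_name: first_input_that_triggered_it} for any exception
    the target's contract does not permit. ValueError is the documented error,
    so it is not a finding; anything else is an unintended result."""
    rng = random.Random(rng_seed)          # seeded so runs are reproducible
    corpus = list(KNOWN_BAD) + [mutate(seed, rng) for _ in range(iterations)]
    findings = {}
    for candidate in corpus:
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:            # noqa: BLE001 - the point is to catch everything
            findings.setdefault(type(exc).__name__, candidate)
    return findings


if __name__ == "__main__":
    print("original:", fuzz(parse_score))
    print("fixed:   ", fuzz(parse_score_fixed))
```

The harness deliberately treats any exception outside the documented contract as a finding rather than only crashes, because in a real program an unexpected `IndexError` or `ZeroDivisionError` surfacing to the caller is the kind of behaviour the programmers never anticipated.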
Bob is designing a data center to support his organization, a financial services firm. Bob's data center will have to be approved by regulators using a framework under which law? A. Health Industry Portability and Accountability Act (HIPPA) B. Payment Card Industry (PCI) C. Gramm-Leach-Bliley Act (GLBA) D. Sarbanes-Oxley Act (SOX)
C. GLBA mandates requirements for securing personal account information in the financial and insurance industries; Bob's company provides financial services, so he will definitely have to comply with GLBA. If Bob's company is publicly traded, he may have to comply with SOX, but we don't know enough about Bob's company from the question to choose that answer. HIPAA is a requirement only for medical providers and their business associates. PCI is not a law.
An application programming interface (API) gateway can typically offer all of the following capabilities except. A. Rate limiting B. Access control C. Hardware confirmation D. Logging
C. Hardware confirmation is a meaningless term in this respect. All the other options represent common capabilities of API gateways.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the participants in the collective using a third-party certification model, who would be the federated service provider(s) in that structure? A. The third party B. A cloud access security broker (CASB) C. The various members of the collective D. The cloud provider
C. In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers. In a third-party certification model, the third party is the identity provider; this is often a CASB. The cloud provider is neither a federated identity provider nor a federated service provider, unless the cloud provider is specifically chosen as the third party providing this function; in this question, option C is more general and requires no assumptions, so it is the correct choice.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources. You want to connect your organization to 13 other organizations. You consider using the cross-certification model but then decide against it. What is the most likely reason for declining that option? A. It is impossible to trust more than two organizations. B. If you work for the government, the maximum parties allowed to share data is five. C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task. D. Data shared among that many entities loses its inherent value.
C. In the cross-certification model, every participating organization has to review and approve every other organization; this does not scale well, and once the number of organizations gets fairly substantial, it becomes unwieldy. Option A is incorrect because it is possible to trust more than two organizations. Option B is not true. There is no law/rule that limits the government to sharing data to five or less parties. Option D is incorrect. Sharing data does not automatically affect the value of the data.
How are virtual machines (VMs) moved from active hosts when the host is being put into maintenance mode? A. As a snapshotted image file B. In encrypted form C. As a live instance D. Via portable media
C. Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another and how VMs are moved prior to maintenance on a physical device. VMs are moved as image snapshots when they are transitioned from production to storage; option A is incorrect. During live migration, the VM moves in unencrypted form. Option B is incorrect. Live migration goes over the network; portable media is not necessary. Option D is incorrect.
You are the security manager for an online marketing company. Your company has recently migrated to a cloud production environment and has deployed a number of new cloud-based protection mechanisms offered by both third parties and the cloud provider, including data loss prevention or data leak protection (DLP) and security information and event management (SIEM) solutions. After one week of operation, your security team reports an inordinate amount of time responding to potential incidents that have turned out to only be false-positive reports. Management is concerned that the cloud migration was a bad idea and that it is too costly in terms of misspent security efforts. What do you recommend? A. Change the control set so that you use only security products not offered by the cloud provider. B. Change the control set so that you use only security products offered by the cloud provider. C. Wait three weeks before making a final decision. D. Move back to an on-premises environment as soon as possible to avoid additional wasted funds and effort.
C. Many security solutions, particularly DLP and similar tools, require a "learning curve" as they become accustomed to new data sets/configurations in order to discriminate between false positives and actual data loss. One week is not enough time to get an accurate determination of the efficacy of these products, and waiting to gather more data over time is a good idea. The origin of the products probably does not matter in any significant way; options A and B are incorrect. Hastily migrating out of the current cloud environment (whether to another cloud provider or back on-premises) is reactionary and could prove expensive. Option D is incorrect.
Which of the following is not an essential element defining cloud computing? A. Broad network access B. Metered service C. Off-site storage D. On-demand self-service
C. Off-site storage is not intrinsic to the definition of cloud computing; all the other options are.
You are the security policy lead for your organization, which is considering migrating from your on-premises, legacy environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which of the following regulatory frameworks is not covered by the CCM? A. ISACA's Control Objectives for Information and Related Technologies (COBIT) B. Canada's PIPEDA privacy law C. The ALL-TRUST framework from the environmental industry D. The US Federal Risk and Authorization Management Program (FedRAMP)
C. Option C is a nonsense term made up as a distractor. All the other frameworks are addressed in the CCM.
In regard to most privacy guidance, the data processor is. A. The individual described by the privacy data B. The entity that collects or creates the privacy data C. The entity that uses privacy data on behalf of the controller D. The entity that regulates privacy data
C. Option C is the definition of the data processor. All the other options define other privacy-related roles.
How does representational state transfer (REST) make web service requests? A. XML B. SAML C. URIs D. TLS
C. REST calls web resources by using uniform resource identifiers (URIs). Extensible Markup Language (XML) may be used for REST, but it is not a requirement as it is in Simple Object Access Protocol (SOAP). Option A is incorrect. Security Assertion Markup Language (SAML) is a form of XML used in passing identity assertions; option B is incorrect. Transport Layer Security (TLS) is a secure virtual private network (VPN) mechanism, not an element of SOAP. Option D is incorrect.
You are the IT security manager for a video game software development company. Which type of intellectual property protection will your company likely rely upon for legally enforcing your rights? A. Trademark B. Patent C. Copyright D. Trade secret
C. Software is protected by copyright. All the other options are forms of intellectual property protections but not applicable to software for the most part (trademarked names and characters may be important, but not as important as the copyright).
The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what is the usual means for establishing trust between the parties? A. Out-of-band authentication B. Multifactor authentication C. Public-key infrastructure (PKI) certificates D. Preexisting knowledge of each other
C. TLS usually relies on PKI certificates authenticated and issued by a trusted third party. All the other options are incorrect because they are not the usual means of establishing trust between the parties in a typical TLS session.
The Agile Manifesto for software development focuses largely on. A. Secure build B. Thorough documentation C. Working prototypes D. Proper planning
C. The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs. The Manifesto refutes all other elements of programming that slow down this effort, including documentation, planning, processes, and specific tools.
Which of the following entities publishes a cloud-centric set of risk-benefit recommendations that includes a "Top 8" list of security risks an organization might face during a cloud migration, based on likelihood and impact? A. National Institute of Standards and Technology (NIST) B. International Organization for Standardization (ISO) C. European Union Agency for Network and Information Security (ENISA) D. Payment Card Industry (PCI)
C. The ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security is the publication. All the other options are standards bodies but do not have a publication that matches the description in the question as well.
Which of the following contract terms most incentivizes the cloud customer to meet the requirements listed in the contract? A. Financial penalties B. Regulatory oversight C. Suspension of service D. Media attention
C. The cloud provider is usually allowed to suspend service to the customer if the customer fails to meet the contract requirements (specifically, not paying for the service in accordance with the contract terms). This can be fatal to a customer's operations and is a great motivation to make timely payments. Option A is incorrect because the cloud provider would be the entity that would face financial penalties for not fulfilling the SLA. Options B and D are incorrect because regulatory oversight and media attention cannot be controlled by the contract between cloud provider and customer.
Full isolation of user activity, processes, and virtual network segments in a cloud environment is incredibly important because of risks due to . A. Distributed denial of service (DDoS) B. Unencrypted packets C. Multitenancy D. Insider threat
C. The fact that many various customers (including some that may be competitive with, or even hostile to, each other) will be utilizing the cloud environment concurrently means that isolating each is of the utmost importance in the cloud environment. DDoS is an availability threat, not something to do with confidentiality, so isolation does not serve much purpose in reducing it. Option A is incorrect. Unencrypted message traffic is not the prevailing, general reason for the need for isolation; it might be one specific, particular aspect of a confidentiality concern, but option C is preferable to B. Insider threat is not countered by isolation in the same way that isolation protects against threats due to multitenancy; option C is preferable to D.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. To optimize this situation, the test will need to involve. A. Management oversight B. A database administrator C. A trained moderator D. Members of the security team
C. The moderator will serve to guide the experience in an objective, dispassionate manner, without influencing the test, as well as to help document the outcomes. Having managers in attendance would present a form of unnecessary micromanagement; option A is wrong. There is no need for a database administrator (DBA) to be involved in the test; option B is wrong. The security team should use the data gathered from the test, but they don't need to be present for the testing; option D is incorrect.
Which of the following is not a common identity federation standard? A. WS-Federation B. OpenID C. OISame D. Security Assertion Markup Language (SAML)
C. This is a nonsense term, with no meaning in this context. All the other options are actual common identity federation standards.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Results gathered from this activity are. A. Useless B. Harmful C. Desirable D. Illegal
C. This is a very pragmatic and helpful means of gathering inputs that are unpredictable and difficult to simulate and that mimic conditions under which the software will operate. All the other options are incorrect.
You are the IT security manager for a video game software development company. Which of the following is most likely to be your primary concern on a daily basis? A. Health and human safety B. Security flaws in your products C. Security flaws in your organization D. Regulatory compliance
C. This is not an easy question and requires some concerted thought. The most grave concern to your company is the loss of proprietary information—that is, your games, which are your property and means of profit. Security flaws in your organization could lead to a total loss of your property, which could end your business. This is one of the very few questions where "health and human safety" is not the correct answer to a security issue; there just isn't much danger involved in either producing or consuming video games (aside from dated, anecdotal reports of seizures resulting from flashing images, which lacked scientific substantiation). Though this will be something you must consider (such as workplace violence issues), it will not be a daily activity. Option A is incorrect. Security flaws in your products will most likely not be critical or of grave impact; people who hack your game after shipping may be able to include additional functionality or violate some elements of copy protection, but this is not as threatening as pre-release exposure of the material. Option B is incorrect. Current laws do not dictate much in the way of either content or functionality for software (other than very specific industries, such as health care or financial services); option D is incorrect.
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources. What is the term for this kind of arrangement? A. Public-key infrastructure (PKI) B. Portability C. Federation D. Repudiation
C. This is the definition of federation. PKI is used to establish trust between parties across an untrusted medium, portability is the characteristic describing the likelihood of being able to move data away from one cloud provider to another, and repudiation is when a party to a transaction can deny having taken part in that transaction.
Bob is designing a data center to support his organization, a financial services firm. What Uptime Institute tier rating should Bob try to attain in order to meet his company's needs without adding extraneous costs? A. 1 B. 2 C. 3 D. 4
C. Tier 3 should probably suffice for Bob's purposes, providing sufficient redundancy and resiliency. Tier 4 probably offers more than what Bob needs; it will cost considerably more than a Tier 3 implementation and is most likely only necessary for organizations providing health and human safety services (hospitals and trauma centers, for instance). Tiers 1 and 2 are probably not sufficient and might only be considered for non-constant situations, such as archiving and backup.
You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You remind them that it is absolutely crucial that they perform before including any sample player or billing data. A. Vulnerability scans B. Intrusion detection C. Masking D. Malware scans
C. To attenuate the risks of inadvertent disclosure inherent in untested software, it is essential to obfuscate any raw production data (such as potential personally identifiable information [PII]) before including it in any test environment. The other options represent activity that is obviously beneficial but secondary to the importance of masking production data. Think of it this way: even if there is a vulnerability, breach, or malware in the test environment, if raw data is included something of value is lost; if dummy or masked data is the only content included, nothing of value is lost.
You are the security manager for a small retailer engaged in e-commerce. A large part of your sales is transacted through the use of credit and debit cards. You have determined that the costs of maintaining an encrypted storage capability in order to meet compliance requirements are prohibitive. What other technology can you use instead to meet those regulatory needs? A. Obfuscation B. Masking C. Tokenization D. Hashing
C. Tokenization is an approved alternative to encryption for complying with Payment Card Industry (PCI) requirements. Obfuscation and masking don't really serve the purpose because they obscure data, making it unreadable; storing payment information that is unreadable does not aid in the efficiency of future transactions. Moreover, neither technique meets PCI requirements. Options A and B are incorrect. Hashing does not serve the purpose because it is a one-way conversion of data; there is no way to retrieve payment information for future transactions once it has been hashed. Option D is incorrect.
You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. What will most likely affect the determination of who has ownership of the logo? A. Whoever first used the logo B. The jurisdiction where both businesses are using the logo simultaneously C. Whoever first applied for legal protection of the logo D. Whichever entity has the most customers who recognize the logo
C. Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body. In the case of conflicting usage (or infringement), courts will take many criteria into account, including which party has first claim on the trademark (that is, who used it the longest), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth. But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question. All the other options may be factors the court takes into account when making its decision, but option C is the best answer.
When you're using a storage protocol that involves a storage controller, it is very important that the controller be configured in accordance with. A. Internal guidance B. Industry standards C. Vendor guidance D. Regulatory dictates
C. While it is important to follow internal policy, industry standards, and regulations when they are applicable, vendor guidance will most often offer the most detailed, specific settings for the particular product in question; the other forms of guidance do not usually specify individual products/versions. This does not mean using the default configuration; the vendor will continue to publish suggestions and recommendations for optimizing performance and security of the product after it goes into distribution in order to meet evolving needs and threats.
Which Statement on Standards for Attestation Engagements (SSAE) 18 audit report is simply an attestation of audit results? A. Service Organization Control (SOC) 1 B. SOC 2, Type 1 C. SOC 2, Type 2 D. SOC 3
D. This is the definition of a SOC 3. All the other options are SSAE 18 reports but not the correct answer.
Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization? A. Threat intelligence gathering B. Preplacement of response assets C. Budgeting for disaster D. Full testing of the plan
D. A full test of the BC/DR plan can result in an actual disaster because it may involve interruption of service; the simulation can become the reality. All the other options are common aspects of BC/DR preparation and do not typically pose a threat to the organization.
Which of the following aspects of cloud computing can enhance the customer's business continuity and disaster recovery (BC/DR) efforts? A. Multitenancy B. Pooled resources C. Virtualization D. Remote access
D. Because the cloud environment can be accessed from any location (assuming good connectivity), the cloud customer is not required to maintain an expensive operational facility, either for primary or backup purposes. All the other options are common aspects of cloud computing, but don't particularly serve BC/DR purposes.
When you're deploying a honeypot/honeynet, it is best to fill it with data. A. Masked B. Raw C. Encrypted D. Useless
D. Because the honeypot/honeynet is meant to be observed, production data in any form should not be included. All the other options are insufficient for the question; D is, by far, the best answer.
You are the privacy data officer for a large hospital and trauma center. You are called on to give your opinion of the hospital's plans to migrate all IT functions to a cloud service. Which of the following Uptime Institute tier-level ratings would you insist be included for any data center offered by potential providers? A. 1 B. 2 C. 3 D. 4
D. Because the nature of a life-support effort requires absolute availability, nothing less than a Tier 4 data center will serve your purposes. All the other options are incorrect.
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration and will return to operating fully on-premises after the period of increased activity. This is an example of. A. Cloud framing B. Cloud enhancement C. Cloud fragility D. Cloud bursting
D. Cloud bursting is the industry term usually associated with this type of practice. All the other options are not terms with any particular meaning in this context.
Cloud customers in a public cloud managed services environment can install all the following types of firewalls except. A. Provider operated B. Host-based C. Third party D. Hardware
D. Cloud customers, with rare exception, will not be allowed to add hardware to the cloud data center. All the other options are various types of firewalls that a customer could implement in a cloud managed services environment.
Which of the following dictates the requirements for U.S. federal agencies operating in a cloud environment? A. ISO 27002 B. NIST SP 800-37 C. ENISA D. FedRAMP
D. Federal Risk and Authorization Management Program (FedRAMP) is the U.S. program for federal entities operating in the cloud. The International Organization for Standardization (ISO) is an international standards body and does not dictate American government practices. Option A is incorrect. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 is the Risk Management Framework (RMF) not specifically related to the cloud; option D is preferable to option B. The European Union Agency for Network and Information Security (ENISA) is a European Union standards body and does not dictate American government practices. Option C is incorrect.
Which of the following is not an essential element defining cloud computing? A. Rapid elasticity B. Pooled resources C. On-demand self-service D. Immediate customer support
D. Immediate customer support may be an option offered by some cloud providers, but it is not a defining characteristic of the industry. All the other options are.
You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Of the parties listed, who should most be excluded from the test? A. Management B. Security personnel C. Billing department representatives D. The game developers
D. It is absolutely essential that the developers are not present during the actual testing as they are likely to influence the test unduly, purposefully or otherwise. The other parties don't need to participate in the testing process but are not as undesirable as the developers; all the other options are incorrect.
It is probably fair to assume that software as a service (SaaS) functions take place at Layer of the OSI model. A. 1 B. 3 C. 5 D. 7
D. Layer 7 is the application's entry point to networking. All the other options are simply incorrect.
Which of the following is n ot typically a phase in the software development lifecycle (SDLC)? A. Define B. Test C. Develop D. Sanitization
D. Secure sanitization is not included in all (or even many) SDLC models. The other options are typical SDLC steps.
In a cloud context, who determines the risk appetite of your organization? A. The cloud provider B. Your Internet service provider (ISP) C. Federal regulators D. Senior management
D. Senior management is always responsible for determining the risk appetite of any organization, regardless of where and how it operates. Neither the cloud provider, nor the ISP, nor federal regulators determine the risk appetite of your organization. Options A, B, and C are incorrect.
Which of the following is a tool that can be used to perform security control audits? A. Federal Information Processing Standard (FIPS) 140-2 B. General Data Protection Regulation (GDPR) C. ISO 27001 D. Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
D. The Cloud Controls Matrix is an excellent tool for determining completeness and possible replication of security controls. FIPS 140-2 is a list of cryptographic system products approved for use by U.S. federal customers; option A is incorrect. The GDPR is a European Union law regarding privacy; ostensibly, an audit could be performed to ensure that an organization is meeting the law's requirements, but the law itself is not a tool for the purpose. Option B is incorrect. ISO 27001 details the information security management system an organization can adopt; it is not specifically a tool for reviewing cloud security controls. Option C is not correct.
Which standards body depends heavily on contributions and input from its open membership base? A. National Institute of Standards and Technology (NIST) B. International Organization for Standardization (ISO) C. Internet Corporation for Assigned Names and Numbers (ICANN) D. Cloud Security Alliance (CSA)
D. The Cloud Security Alliance is a volunteer organization that includes members from various industries and sectors and is focused on cloud computing. It relies largely on member participation for developing standards. All the other options are standards bodies that involve a specific board or other centralized authority for publishing requirements.
You are the compliance officer for a medical device manufacturing firm. Your company maintains a cloud-based list of patients currently fitted with your devices for long-term care and quality assurance purposes. The list is maintained in a database that cross-references details about the hardware and some billing data. In this situation, who is likely to be considered the data custodian, under many privacy regulations and laws? A. You (the compliance officer) B. The cloud provider's network security team C. Your company D. The database administrator
D. The custodian is usually that specific entity in charge of maintaining and securing the privacy-related data on a daily basis, as an element of the data's use. The compliance officer might be considered a representative of the data controller (your company), or perhaps the data steward, depending on how much actual responsibility and interaction with the data you have on a regular basis. Option A is not as accurate as option D. The cloud provider (and anyone working for the provider) would be considered the data processor under most privacy regulations; option B is incorrect. Your company is the data controller, the legal entity ultimately responsible for the data. Option C is incorrect.
In most privacy-regulation situations, which entity is most responsible for the day-to-day maintenance and security of a privacy-related data set? A. The data subject B. The data controller C. The data steward D. The data custodian
D. The data custodian is usually tasked with securing and maintaining the privacy data on a regular basis, on behalf and under the guidance of the controller and steward. The other options are the names of other privacy-related roles.
You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective is set up in such a way that the members own various pieces of the network themselves, pool resources and data, and communicate and share files via the Internet. This is an example of what cloud model? A. Hydrogenous B. Private C. Public D. Community
D. This is a community cloud, because various parties own different elements of it for a common purpose. A private cloud would typically be owned by a single entity, hosted at a cloud provider data center. A public cloud would be open to anyone and everyone. Hydrogenous is a word that does not have relevant meaning in this context.
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which deployment model best describes this type of arrangement? A. Private cloud B. Community cloud C. Public cloud D. Hybrid cloud
D. This is an excellent description of the hybrid model, where the customer owns elements of the infrastructure (the on-premises traditional environment) and the cloud provider owns other elements (the cloud environment used for the temporary additional demand). All the other options are cloud deployment models but do not suit this particular case.
Which Statement on Standards for Attestation Engagements (SSAE) 18 report is purposefully designed for public release (for instance, to be posted on a company's website)? A. Service Organization Control (SOC) 1 B. SOC 2, Type 1 C. SOC 2, Type 2 D. SOC 3
D. This is the purpose of the SOC 3 report. All the other options are SSAE 18 reports but not the correct answer.
Which of the following mechanisms cannot be used by a data loss prevention or data leak protection (DLP) solution to sort data? A. Labels B. Metadata C. Content strings D. Inverse signifiers
D. This term has no meaning in this context and is only a distractor. All the other mechanisms can be (and are) used by DLP solutions to sort data.
Bob is designing a data center to support his organization, a financial services firm. How long should the uninterruptible power supply (UPS) provide power to the systems in the data center? A. 12 hours B. An hour C. 10 minutes D. Long
D. Traditionally, it would be optimum if the UPS lasted as long as necessary until the generator is able to resume providing the electrical load that was previously handled by utility power. However, the absolute baseline for battery power is just long enough for all systems to complete their transactions without losing data. The other options are incorrect, because they use finite, specific durations; there is no single value that is optimum for all organizations.
Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contract) for ending the contract at any point prior to the scheduled date. This is best described as an example of. A. Favorable contract terms B. Strong negotiation C. Infrastructure as a service (IaaS) D. Vendor lock-in
D. Vendor lock-in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer. These contract terms can be described as favorable only from the provider's perspective; option D is preferable to option A for describing this situation. There was no description of negotiation included in the question; option B is incorrect. IaaS is a service model and doesn't really apply to anything in this context; option C is incorrect.