D320 - Managing Cloud Security


A cloud customer wants to store application programming interface (API) tokens for their applications so they can be accessed from anywhere. Which cloud provider service should the customer use? A) Secrets management B) Multifactor authentication C) Single sign-on D) Federated identity

A

A company configures a backup solution that will automatically sync the data between the services of multiple cloud service providers to prevent data redundancy. One concern is that the different service offerings may not have the same level of data protection and may not allow direct syncing between the providers. Which architectural concept addresses this concern? A) Interoperability B) Availability C) Resiliency D) Scalability

A

A company plans to deploy a new application. Before the deployment, the company hires an IT security consultant to perform a zero-knowledge test to access the application as an external hacker would. Which testing technique applies to the work the consultant is performing? A) Black box B) White box C) Abuse case D) Static application

A

After an internal audit, an organization determined that its cloud deployment may be vulnerable to threats from external attackers. What should the organization implement to mitigate this risk? A) Hardened virtual machines with strong access controls B) Mandatory vacation and job rotation for employees C) Real-time video surveillance monitoring of physical access to devices D) USB-blocking software to prevent unauthorized devices from being used

A

An organization believes that a man-in-the-middle attack is possible but unlikely to occur. However, if a successful attack occurs, the consequences will be serious. The cost estimate for reducing the risk of such an attack is much more than the organization wishes to pay. Which factor will determine whether the organization decides to pay the amount to mitigate the risk of an attack? A) Risk appetite B) Risk management C) Inherent risk D) Residual risk

A

An organization exclusively uses Microsoft software and prefers to use tools that run natively on Windows whenever possible. Which tool should this organization use to provide remote access to machines over an encrypted channel? A) Remote Desktop Protocol (RDP) B) Secure Shell (SSH) C) Virtual clients D) Secure terminal access

A

An organization identified the need to improve the resiliency of a critical IT service to ensure access for its customers. Which information technology service management (ITSM) process should be implemented to ensure the organization meets this goal? A) Availability management B) Capacity management C) Incident management D) Security management

A

An organization lost connectivity to one of its data centers because of a power outage. What is used to measure the return to operational capability after the loss of connectivity? A) Recovery time objective (RTO) B) Maximum tolerable downtime (MTD) C) Recovery point objective (RPO) D) Annualized loss expectancy (ALE)

A

An organization needs to quickly identify the document owner in a shared network folder. Which technique should the organization use to meet this goal? A) Labeling B) Classification C) Mapping D) Categorization

A

An organization opens an office with a reception area. Visitors are required to sign in at the reception and collect a visitor's badge, which turns from white to red after eight hours. Which security concept is the organization employing? A) Controlled entry point B) Monitoring systems C) Vehicular approach controls D) Fire systems

A

An organization plans to introduce a new data standard and wants to ensure that system inventory data will be efficiently discovered and processed. Which type of data should the organization use to meet this goal? A) Structured B) Semi-structured C) Annotated D) Mapped

A

An organization started the transition to using a public cloud service for a customer-facing application. The organization's security team has concerns about the application programming interface (API) tokens being lost or exposed to malicious actors. Which service do cloud providers offer that the organization should leverage to administer its API tokens? A) Secrets management B) Output encoding C) Gateway D) Sandbox

A

An organization with a single headquarters building in New York City wants to secure its cloud infrastructure so that only users at its offices can administer its cloud resources. Which architectural concept should the organization implement? A) Geofencing B) Two-factor authentication C) Data loss prevention D) Antivirus software

A

Angela wants to provide users with access rights to files based on their roles. What capability of an IRM system most directly supports this requirement? A. Provisioning B. DRM C. CRM D. Data labeling

A

Asha wants to document the path that data takes from creation to storage in her institution's database. As part of that effort, she creates a data flow diagram. Which of the following is not a common element of a data flow diagram? A. Credentials used for each service listed B. Hostnames and IP addresses or address blocks for each system involved C. Ports and protocols used for data transfer D. Security controls used at each point in the diagram

A

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the annualized rate of occurrence (ARO)? A. 0.05 B. 0.20 C. 2.00 D. 5.00

A

Benefits for addressing BC/DR offered by cloud operations include all of the following except: A. One-time pads B. Distributed, remote processing and storage of data C. Fast replication D. Regular backups offered by cloud providers

A

Chris is considering whether his organization should build a data center or buy a preexisting data center. His organization needs a large amount of space and uses a significant amount of power. Which of the following is a common reason to build a new data center rather than pay for data center space in a scenario like the one Chris is facing? A. Cost B. Resilience C. Efficiency D. Flexibility

A

Cloud vendors are held to contractual obligations with specified metrics by: A. Service-level agreements (SLAs) B. Regulations C. Law D. Discipline

A

Daniel wants to provide SSH access to hosts in a protected subnet in his cloud-hosted data center environment. He deploys a system dedicated for this type of access with rules allowing lower security zones to connect through the system to higher security devices in the subnet. What type of device has Daniel deployed? A. A bastion host B. A security gateway C. A VPC span D. A span port

A

Data discovery can be described as which of the following? A) A business intelligence operation and a user-driven process to look for patterns or specific attributes within data B) The method of using masking, obfuscation, or anonymization to protect sensitive data C) A set of controls and practices put in place to ensure that data is only accessible to those authorized to access it D) The practice of safeguarding encryption keys

A

Deviations from security baselines should be investigated and: A. Documented B. Enforced C. Revealed D. Encouraged

A

From a security perspective, what advantage does a network-based IDS have over a host-based IDS? A) Separately maintained from the host B) Removed from patching cycles C) System load D) Dedicated appliance

A

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is Grace using in this situation? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

A

Gwen is developing a new security policy for her organization. Which one of the following statements does not reflect best practices for policy development? A. All stakeholders should agree with the proposed policy. B. The policy should follow normal corporate policy approval processes. C. Policies should match the "tone at the top" from senior business leaders. D. Cybersecurity managers are typically responsible for communicating and implementing approved security policies.

A

Helen wants to apply rules to traffic in her cloud-hosted environment. What cloud tool allows rules permitting traffic to pass or be blocked to be set based on information like the destination or source host or IP address, port, and protocol? A. Security groups B. Stateless IDS C. VPC boundaries D. Stateful IPS

A

If a cloud customer wants to build their own computing environment using storage, networking, and compute resources offered by a cloud provider, which cloud service category would probably be best? A. IaaS B. PaaS C. SaaS D. FaaS

A

If an organization owns all of the hardware and infrastructure of a cloud data center that is used only by members of that organization, which cloud deployment model would this be? A. Private B. Public C. Hybrid D. Motive

A

If you're using iSCSI in a cloud environment, what must come from an external protocol or application? A) Encryption B) Kerberos support C) Authentication D) CHAP support

A

In a federated environment, who is the relying party, and what do they do? A) The relying party is the service provider and they would consume the tokens generated by the identity provider. B) The relying party is the service provider and they would consume the tokens generated by the customer. C) The relying party is the customer and they would consume the tokens generated by the identity provider. D) The relying party is the identity provider and they would consume the tokens generated by the service provider.

A

In which step of the SDLC are the possible user operations defined? A) Design B) Testing C) Defining D) Development

A

Jason wants to add traffic flow control and access control to his organization's APIs. What security tool can he use to add this additional security layer most effectively? A. An API gateway B. An IPS C. An API firewall D. An IDS

A

Jim's organization wants to ensure that it has the right information available in case of an attack against its web server. Which of the following data elements is not commonly used and thus shouldn't be expected to be logged? A. The version of the executable run B. The service name C. The source IP address of the traffic D. The destination IP address of the traffic

A

Lin wants to conduct nonfunctional testing of her organization's new application. Which of the following items is not tested by nonfunctional testing? A. User acceptance B. Stability C. Performance D. Quality

A

Maria's organization wants to ensure that logins by most malicious actors would be prohibited if a system administrator's credentials were compromised. What technology is commonly used to check for potential malicious logins from international attacks? A. Geofencing B. IPOrigin C. Multifactor D. Biometric authentication

A

Megan wants to improve the controls provided by her organization's data loss prevention (DLP) tool. What additional tool can be combined with her DLP to most effectively enhance data controls? A. IRM B. SIEM C. Kerberos D. Hypervisors

A

Naomi wants to provide secure SSH connectivity to systems in a protected VLAN. Which of the following describes the best security method for doing so? A. Use SSH to a jumpbox, require multifactor authentication, and use SSH certificates. B. Use SSH directly to the host, require multifactor authentication, and use SSH certificates. C. Use SSH directly to the host, require multifactor authentication, and do not allow SSH certificates. D. Use SSH to a jumpbox, do not require multifactor authentication, and use SSH certificates.

A

Nina replaces all but the last four digits of credit card numbers stored in a database with asterisks. What data obfuscation technique has she used? A. Masking B. Randomization C. Tokenization D. Anonymization

A

One of the requirements from management for an application you are developing in-house is that any feature changes and bug fixes need to be developed and deployed quickly. Which model of software development would you pick to meet this requirement? A) Agile B) Waterfall C) Regressive D) Iterative

A

Over time, what is a primary concern for data archiving? A) Recoverability B) Format of archives C) Regulatory changes D) Size of archives

A

Software composition analysis tools are used to help protect against which of the following OWASP Top-10 Cloud Native Application Security issues? A. CI/CD pipeline and software supply chain flaws B. Injection flaws C. Improper asset management D. Insecure orchestration configurations

A

Susan's organization is a cloud service provider that runs its hypervisor directly on the underlying hardware for its systems. What type of hypervisor is Susan running? A. Type 1 B. Type 2 C. Type 3 D. Type 4

A

The CMB should include representations from all of the following offices except: A. Regulators B. IT department C. Security office D. Management

A

The baseline should cover which of the following? A. As many systems throughout the organization as possible B. Data breach alerting and reporting C. A process for version control D. All regulatory compliance requirements

A

The broad use of many small instances to allow applications to increase or decrease performance as needed is part of what cloud application development pitfall? A. Scalability B. Interoperability C. Portability D. API security

A

The cloud customer will have the most control of their data and systems and the cloud provider will have the least amount of responsibility in which cloud computing arrangement? A. IaaS B. PaaS C. SaaS D. Community cloud

A

The organization that Jules works for wants to ensure that a loss of chilled water does not cause an outage for her data center. What option should Jules ensure is in place in case of a failure of the chilled water system? A. The ability to switch to utility water B. A complete fire suppression system C. The ability to switch to external temperature air D. A complete generator system to provide backup power to the chiller

A

The service at a cloud provider has been interrupted. Which group should this cloud provider contact with information about the expected window for which the services will be down as per a contractual agreement? A) Customers B) Regulators C) Executives D) Employees

A

Users are reporting issues when accessing data in the cloud. When you research the issue, you notice that there are an unusually high number of dropped packets. Which component is most likely causing this problem? A) Network B) Memory C) CPU D) Disk

A

What changes are necessary to application code in order to implement DNSSEC? A) No changes are needed. B) Implementing certificate validations. C) Adding encryption modules. D) Additional DNS lookups.

A

What concept does the "T" represent in the STRIDE threat model? A) Tampering with data B) TLS C) Transport D) Testing

A

What does GAPP stand for? A) Generally Accepted Privacy Principles B) General Activities for Personal Privacy C) Generally Accepted Personal Privacy D) Generally Accepted Privacy Policies

A

What does dynamic application security testing not entail? A) Knowledge of the system B) Discovery C) Scanning D) Probing

A

What does the REST API support that SOAP does not support? A) Caching B) Redundancy C) Acceleration D) Encryption

A

What does the REST API use to protect data transmissions? A) TLS B) VPN C) NetBIOS D) Encapsulation

A

What does the acronym "SOC" refer to with audit reports? A) Service Organization Control B) Service Origin Confidentiality C) System Organization Confidentiality D) System Organization Control

A

What expectation of data custodians is made much more challenging by a cloud implementation, especially with PaaS or SaaS? A) Knowledge of systems B) Access to data C) Encryption requirements D) Data classification

A

What is a serious complication an organization faces from the perspective of compliance with international operations? A) Multiple jurisdictions B) Different certifications C) Different capabilities D) Different operational procedures

A

What is essential to change immediately upon the installation of new software components? A) Default credentials B) Certificates C) Open ports D) Firewalls

A

What is one of the reasons a baseline might be changed? A. Numerous change requests B. Power fluctuation C. To reduce redundancy D. Natural disaster

A

What is the biggest benefit to leasing space in a data center versus building or maintaining your own? A) Costs B) Certification C) Regulation D) Control

A

What is the first stage of the cloud data lifecycle where security controls can be implemented? A) Store B) Share C) Use D) Create

A

What is the minimum regularity for testing a BCDR plan to meet best practices? A) Once a year B) Every six months C) Once a month D) When the budget allows it

A

What is the primary reason that makes resolving jurisdictional conflicts complicated? A) Lack of international authority B) Language barriers C) Differing technology standards D) Costs

A

What must SOAP rely on for security? A) Encryption B) Tokenization C) TLS D) SSL

A

What phase of the cloud data lifecycle involves data labeling? A. Create B. Store C. Use D. Archive

A

What strategy involves hiding data in a data set to prevent someone from identifying specific individuals based on other data fields present? A) Anonymization B) Masking C) Tokenization D) Obfuscation

A

What type of PII is controlled based on laws and carries legal penalties for noncompliance with requirements? A) Regulated B) Jurisdictional C) Specific D) Contractual

A

What type of data does data rights management (DRM) protect? A) Consumer media B) PII C) Financial D) Healthcare

A

What type of masking strategy involves replacing data on a system while it passes between the data and application layers? A) Dynamic B) Replication C) Duplication D) Static

A

What type of security threat is DNSSEC designed to prevent? A) Spoofing B) Snooping C) Account hijacking D) Injection

A

When establishing a baseline, what should you do immediately after a fresh operating system install? A) Remove unnecessary software. B) Create documentation. C) Apply configurations. D) Apply patching.

A

When is a virtual machine susceptible to attacks but a physical server in the same state would not be? A) When it is powered off B) When it is behind a WAF C) When it is not patched D) When it is behind an IPS

A

When limits are allowed to change based on current conditions within the cloud environment, they do not actually change but just temporarily adapt. What is this process called? A) Borrowing B) Flexing C) Adapting D) Loaning

A

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is: A. Legal liability can't be transferred to the cloud provider. B. Many states have data breach notification laws. C. Breaches can cause the loss of proprietary data. D. Breaches can cause the loss of intellectual property.

A

When using transparent encryption of a database, where does the encryption engine reside? A) Within the database application itself B) At the application using the database C) On the instances attached to the volume D) In a key management system

A

Which ITIL component is focused on reacting to disruptions to production services and ensuring they are restored as quickly as possible to their normal state? A) Incident management B) Information security management C) Problem management D) Availability management

A

Which United States law is focused on data related to health records and privacy? A) HIPAA B) SOX C) Safe Harbor D) GLBA

A

Which approach to media sanitization involves the zeroing of data on a system to ensure that it cannot be put back together or recovered later? A) Overwriting B) Encryption C) Nullification D) Cryptographic erasure

A

Which aspect of archiving must be tested regularly for the duration of retention requirements? A) Recoverability B) Auditability C) Availability D) Portability

A

Which aspect of cloud computing would make the use of a cloud the most attractive as a BCDR solution? A) Measured service B) Resource pooling C) Portability D) Interoperability

A

Which assurance standard uses protection profiles? A) Common Criteria B) Cloud Certification Schemes List (CCSL) C) CSA Security, Trust, and Assurance Registry (STAR) D) None of these options

A

Which cloud computing characteristic allows customers to manage their utilization by only paying for the resources used? A) Metered service B) Broad network access C) Rapid elasticity D) On-demand self-service

A

Which cloud service model entails patching responsibility for the cloud customer? A) IaaS B) PaaS C) DaaS D) SaaS

A

Which cloud vulnerability occurs when an application allows untrusted data to be sent to a web browser without proper validation or escaping? A) XSS (Cross-site scripting) B) DoS (Denial of Service) C) CSRF (Cross-site request forgery) D) SQL injection

A

Which component provides improved availability and path redundancy? A) Network interface card (NIC) teaming B) Virtual local area network (VLAN) C) Network access control list (NACL) D) Network security group (NSG)

A

Which concept denotes an advantage of virtualized environments that enable them to achieve high availability? A) Hardware abstraction B) Containerization C) Maintenance mode D) Alerting

A

Which concept pertains to the official record of evidence and data, from its conception through destruction, and what is needed for official legal proceedings? A) Chain of custody B) Authentication C) Custodial records D) Nonrepudiation

A

Which concept refers to multiple teams and roles within an organization that perform testing on code from end to end to ensure that the code meets all standards and requirements? A) Quality assurance B) Identity assurance C) Full tests D) Tabletop tests

A

Which crucial aspect of cloud computing can be most threatened by insecure APIs? A) Automation B) Redundancy C) Resource pooling D) Elasticity

A

Which data formats are most commonly used with the REST API? A) XML and JSON B) SAML and HTML C) JSON and SAML D) XML and SAML

A

Which document provides a contract for a vendor's work for an organization over an extended period and usually includes security requirements? A) Master service agreement (MSA) B) Service level agreement (SLA) C) Nondisclosure agreement (NDA) D) Business partnership agreement (BPA)

A

Which entity requires all collection and storing of data on its citizens to be done on hardware that resides within its borders? A) Russia B) Germany C) United States D) France

A

Which form of BC/DR testing has the least impact on operations? A. Tabletop B. Dry run C. Full test D. Structured test

A

Which international standard is specifically for privacy involving cloud computing? A) ISO/IEC 27018 B) ISO/IEC 31000 C) ISO/IEC 27001 D) ISO/IEC 18779

A

Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority? A) United States B) European Union C) Russia D) Germany

A

Which of the cloud cross-cutting aspects relates to the ability to easily move services and applications between different cloud providers? A) Portability B) Reversibility C) Interoperability D) Availability

A

Which of the cloud cross-cutting aspects relates to the requirements placed on the cloud provider by the cloud customer for minimum performance standards and requirements that must be met? A) SLAs B) Regulatory requirements C) Auditability D) Governance

A

Which of the cloud deployment models offers the easiest initial setup and access for the cloud customer? A) Public B) Community C) Hybrid D) Private

A

Which of the following APIs are most commonly used within a cloud environment? A) SOAP and REST B) REST and XML C) XML and SAML D) REST and SAML

A

Which of the following attempts to establish an international standard for eDiscovery processes and best practices? A) ISO/IEC 27050 B) ISO/IEC 27001 C) ISO/IEC 31000 D) ISO/IEC 19888

A

Which of the following blockchain types requires permission to join but can be open and utilized by a group of different organizations working together? A) Consortium B) Private C) Public D) Permissioned

A

Which of the following can be useful for protecting cloud customers from a denial-of-service (DoS) attack against another customer hosted in the same cloud? A) Reservations B) Shares C) Measured service D) Limits

A

Which of the following can help to protect against a loss of power from the service provider? A) Power provider redundancy B) Power line redundancy C) Server redundancy D) Application redundancy

A

Which of the following could be used as a second component for multifactor authentication if a user also has an RSA token? A) Retinal scan B) Access card C) RFID D) USB thumb drive

A

Which of the following data storage types are associated or used with Platform as a Service (PaaS)? A) Databases and Big Data B) Software as a Service (SaaS) application C) Tabular D) Raw and block

A

Which of the following free tools from VMware can be used for patch management on both hosts and virtual machines? A) vSphere Update Manager B) vSphere Patch Update utility C) vSphere Patch Manager D) vSphere Update Service

A

Which of the following hypervisor types is most likely to be seen in a cloud provider's data center? A. Type 1 B. Type 2 C. Type 3 D. Type 4

A

Which of the following is a challenge that is most often overlooked when formulating a BCDR plan? A) Restoration of services B) Capacity at BCDR site C) Availability of staff D) Change management processes

A

Which of the following is a commonly used tool for maintaining system configurations? A) Puppet B) Maestro C) Conductor D) Orchestrator

A

Which of the following is a technique used to attenuate risks to the cloud environment, resulting in loss or theft of a device used for remote access? A. Remote kill switch B. Dual control C. Muddling D. Safe harbor

A

Which of the following is a threat model? A) STRIDE B) CSRF C) XSS D) CMDB

A

Which of the following is an example of a direct identifier? A) Name B) Race C) Religion D) Location

A

Which of the following is considered an internal redundancy for a data center? A) Power distribution units B) Power substations C) Network circuits D) Generators

A

Which of the following is not a common data right controlled by an IRM system? A. Copyright B. Creating C. Editing D. Viewing

A

Which of the following is not a common threat to cloud applications that should be considered during threat modeling? A. Firmware vulnerabilities B. Broken authentication C. Sensitive data exposure D. Using components with known vulnerabilities

A

Which of the following is not a criterion for data within the scope of eDiscovery? A) Archive B) Possession C) Control D) Custody

A

Which of the following is not an application or utility to apply and enforce baselines on a system? A) GitHub B) Chef C) Puppet D) Active Directory

A

Which of the following is not one of five principles of SOC Type 2 audits? A) Financial B) Processing integrity C) Privacy D) Security

A

Which of the following is not one of the three methods of data discovery? A) Heuristics B) Metadata C) Labels D) Content analysis

A

Which of the following is the maximum amount of time you can continue without a resource? A) MTD B) RTO C) RPO D) ALE

A

Which of the following is the most important requirement and guidance for testing during an audit? A) Regulations B) Shareholders C) Management D) Stakeholders

A

Which of the following lists the correct six components of the STRIDE threat model? A) Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege B) Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Social Engineering Elasticity C) Spoofing, Tampering, Repudiation, Information Disclosure, Distributed Denial of Service, and Elevation of Privilege D) Spoofing, Tampering, Nonrepudiation, Information Disclosure, Denial of Service, and Elevation of Privilege

A

Which of the following provides both guidance and inspiration to support business goals while managing and mitigating the risks associated with the adoption of cloud computing technology? A) CSA B) IANA C) IEEE D) OWASP

A

Which of the following represents a control on the maximum amount of resources a single customer, virtual machine, or application can consume within a cloud environment? A) Limit B) Share C) Provision D) Reservation

A

Which of the following roles involves the connection and integration of existing systems and services to a cloud environment? A) Cloud service integrator B) Cloud service business manager C) Cloud service administrator D) Cloud service user

A

Which of the following roles is responsible for obtaining new customers and securing contracts and agreements? A) Cloud service broker B) Cloud auditor C) Cloud service developer D) Inter-cloud provider

A

Which of the following roles is responsible for peering with other cloud services and providers? A) Inter-cloud provider B) Cloud service broker C) Cloud service developer D) Cloud auditor

A

Which of the following roles is responsible for preparing systems for the cloud, administering and monitoring services, and managing inventory and assets? A) Cloud service operations manager B) Cloud service deployment manager C) Cloud service manager D) Cloud service business manager

A

Which of the following security measures done at the network layer in a traditional data center are also applicable to a cloud environment? A) Trust zones B) Dedicated switches C) Redundant network circuits D) Direct connections

A

Which of the following security technologies is commonly used to give administrators access into trust zones within an environment? A) VPN B) HTTPS C) WAF D) IPSec

A

Which of the following service capabilities gives the cloud customer the most control over resources and configurations? A) Infrastructure B) Desktop C) Platform D) Software

A

Which of the following shows the correct order for the steps in BCDR planning? A) Define scope, gather requirements, assess risk, implement B) Gather requirements, define scope, assess risk, implement C) Define scope, gather requirements, implement, assess risk D) Gather requirements, define scope, implement, assess risk

A

Which of the following storage types is most closely associated with a traditional file system and tree structure? A) Volume B) Unstructured C) Structured D) Object

A

Which of the following threat types can occur when encryption is not properly applied or insecure transport mechanisms are used? A) Sensitive data exposure B) Insecure direct object references C) Unvalidated redirects and forwards D) Security misconfiguration

A

Which of the following threat types involves an application developer leaving references to internal information and configurations in code that is exposed to the client? A) Insecure direct object references B) Sensitive data exposure C) Security misconfiguration D) Unvalidated redirects and forwards

A

Which of the following threat types involves an application that does not validate privileges for portions of itself after the initial checks? A) Identification and authentication failures B) Cross-site request forgery C) Software and data integrity failures D) Injection

A

Which of the following threat types involves the sending of commands or arbitrary data through an application's input fields in an attempt to execute them as part of normal processing? A) Injection B) Cross-site scripting C) Cross-site request forgery D) Missing function-level access control

A

Which of the following threat types involves the sending of invalid and manipulated requests through a user's client to execute commands on an application under the user's own credentials? A) Cross-site request forgery B) Injection C) Cross-site scripting D) Missing function-level access control

A

Which of the following threat types involves the sending of untrusted data to a user's browser to be executed with their own credentials and access? A) Cross-site scripting B) Injection C) Cross-site request forgery D) Missing function-level access control

A

Which of the following would be a reason to undertake a BCDR test? A) Functional change of the application B) Change in staff C) Change in regulations D) User interface overhaul of the application

A

Which of the following would not be a potential impact of changing the location of services during a BCDR incident? A) Authentication methods B) Administrative access C) Regulations D) Network latency

A

Which of the following would not be covered by a reservation in a cloud environment? A) Auto-scaling B) Performing normal business operations C) Operating applications D) Starting virtual machines

A

Which one of the following emerging technologies, if fully implemented, would jeopardize the security of current encryption technology? A. Quantum computing B. Blockchain C. Internet of Things D. Confidential computing

A

Which operating requirement does a cloud provider encounter? A) Secure logical framework B) Vendor management C) Cloud security D) Client's data security

A

Which purpose does an intrusion prevention system (IPS) serve when compared to an intrusion detection system (IDS)? A) An IPS detects and stops malicious traffic, while an IDS detects and alerts about malicious traffic. B) An IPS detects and alerts about malicious traffic, while an IDS detects and stops malicious traffic. C) An IDS tells an IPS what malicious traffic it detects, and then the IPS blocks that traffic. D) An IPS tells an IDS what malicious traffic it detects, and then the IDS blocks that traffic.

A

Which regulatory system pertains to the protection of healthcare data? A) HIPAA B) HITECH C) HAS D) HFCA

A

Which security concept does encryption apply to? A) Confidentiality B) Integrity C) Availability D) Compliance

A

Which software type allows multiple operating systems to run on the same physical server in a virtualized environment? A) Hypervisor B) Container C) Quantum computing D) Blockchain technology

A

Which state of data involves data that is stored on a file system or storage device? A) Data at rest B) Data in transit C) Data in use D) Data in storage

A

Which statute addresses security and privacy matters in the U.S. financial industry? A. GLBA B. FERPA C. SOX D. HIPAA

A

Which step in the cloud secure data lifecycle comes immediately after Create? A) Store B) Secure C) Share D) Use

A

Which technology can be used for large deployments within a cloud to substantially decrease the costs of validation of deployments? A) Containers B) MDM C) Blockchain D) IoT

A

Which type of common threat involves an organization not taking proper precautions or planning to mitigate threats to its system or applications? A) Insufficient due diligence B) Insider threat C) Account hijacking D) System vulnerability

A

Which type of controls are the SOC Type 1 reports specifically focused on? A) Financial B) PII C) Privacy D) Integrity

A

Which type of security testing could also be used to verify some aspects of software licensing compliance? A) SCA (Software Composition Analysis) B) Abuse case testing C) RASP D) DAST

A

Which type of testing uses the same strategies and toolsets that hackers would use? A) Penetration B) Dynamic C) Malicious D) Static

A

Which value refers to the amount of data an organization would need to recover in the event of a BCDR situation in order to reach an acceptable level of operations? A) RPO B) RSL C) SRE D) RTO

A

Which web application firewall (WAF) feature protects the application servers behind it from systems sending requests? A) Reverse proxy B) User-based filters C) Content-based filters D) Reverse IP lookup

A

With a federated identity system, where would a user perform their authentication when requesting services or application access? A) Their home organization B) Cloud provider C) Third-party authentication system D) The application

A

With an application hosted in a cloud environment, who could be the recipient of an eDiscovery order? A) Both the cloud provider and cloud customer B) The cloud provider C) The cloud customer D) Users

A

You are an administrator for a cloud service provider (CSP). During negotiations with a new client, the client mentions several concerns regarding virtualization. The client is particularly concerned that attackers might be able to alter the logic of a secure kernel-based virtual machine (KVM). Which KVM feature will prevent this from happening? A) fixed firmware B) housing intrusion detection C) isolated data channels D) safe buffer design

A

You are concerned that an attacker might be able to use a guest virtual machine to gain access to the underlying hypervisor. What term describes this threat? A. VM escape B. SQL injection C. Man-in-the-middle D. VM sprawl

A

You recently worked with a third-party vendor to help you implement a SaaS offering provided by a different company. Which one of the following cloud service roles is not represented here? A. Regulator B. Customer C. Provider D. Partner

A

You work for a cloud service provider (CSP) as a design architect. You are working with other employees on the logical and physical design of a new data center. Which of the following statements is TRUE regarding the logical design? A) Cloud multitenancy requires a logical design that partitions and segregates client and customer data. B) The logical design of any virtualization technology should only incorporate a Type I hypervisor that meets the system requirements. C) The cloud management plane needs to be physically isolated, although logical isolation may offer a more secure solution. D) Logical design for data separation only needs to be incorporated at the management and control plane levels.

A

Your company wants to deploy several virtual machines using resources provided by your cloud service provider (CSP). As part of this deployment, you need to install and configure the virtualization management tools on your network. Which of the following statements is FALSE about installing these tools? A) Access to the virtualization management tools should be rule-based. B) Audit and log all access to the virtualization management tools. C) Only a secure kernel-based virtual machine (KVM) should be used to access the hosts. D) Virtualization management should take place on an isolated management network.

A

_____________________ focuses on security and encryption to prevent unauthorized copying and limitations on distribution to only those who pay. A) Digital rights management (DRM) B) Enterprise digital rights management C) Bit splitting D) Degaussing

A

A data center engineer is tasked with the destruction of data on solid-state drives (SSDs). The engineer must ensure that the data is not able to be retrieved. Which data destruction action should the engineer take to meet this goal? A) Overwriting B) Crypto-shredding C) Wiping D) Degaussing

B

A poorly negotiated cloud service contract could result in all the following detrimental effects except: A. Vendor lock-in B. Malware C. Unfavorable terms D. Lack of necessary services

B

A project manager is working on a new software project for a customer. The project manager works closely with the customer to get input on the desired features and ranks them based on how critical they are for the project. Which phase of the software development life cycle (SDLC) is the project manager working on? A) Planning B) Requirements definition C) Development D) Ongoing operations

B

A small organization adopts a strategy to ensure that the cryptographic keys it uses in its cloud environment are securely stored and handled. Which third-party service should the organization leverage for key administration in the given scenario? A) Hardware security module (HSM) B) Cloud access security broker (CASB) C) Identity provider (IdP) D) Security information and event management (SIEM)

B

According to the Cloud Certification Schemes Metaframework (CCSM), which of the following does NOT fulfill the risk management objective? A) Certified Cloud Service - TUV Rhineland B) ISO/IEC 27001 Certification C) CSA Attestation OCF Level 2 D) EuroCloud Self-Assessment

B

Adhering to ASHRAE standards for humidity can reduce the possibility of: A. Breach B. Static discharge C. Theft D. Inversion

B

All of the following are techniques to enhance the portability of cloud data in order to minimize the potential of vendor lock-in except: A. Avoiding proprietary data formats B. Using IRM and DTP solutions widely throughout the cloud operation C. Ensuring there are no physical limitations to moving D. Ensuring favorable contract terms to support portability

B

All of these are characteristics of cloud computing except: A. Broad network access B. Diminished elasticity C. Rapid scaling D. On-demand self-service

B

All of these are reasons an organization may want to consider cloud migration except: A. Reduced personnel costs B. Elimination of risks C. Reduced operational expenses D. Increased efficiency

B

An organization deploying a greenfield cloud-based system wants to validate users' identities and access before they are allowed to interact with data. Which scheme should the organization leverage to ensure that users are properly validated? A) Security groups B) Zero trust C) Bastion hosts D) Traffic inspection

B

An organization has devised a new use for the personal data that it stores about its customers. What should the organization do in this situation according to the Generally Accepted Privacy Principles (GAPP)? A) Notify users once the updated data processing is in place B) Obtain additional consent before using personal data in a different way C) Take no further action as the users have already consented to data processing D) Remove the data processing clause from its policy to avoid a conflict

B

An organization is taking part in a disaster recovery (DR) exercise that simulates a natural disaster. The key players are performing minimal actions that test the call tree to ensure that all the contact information is up to date. Which type of testing is the organization performing? A) Full B) Dry run C) Split D) Abuse case

B

An organization needs to store passwords in a database securely. The data should not be available to system administrators. Which technique should the organization use? A) Encryption B) Hashing C) Encoding D) Masking

B

An organization wants to gather and interpret logs from its cloud environment. Which system should the organization use for this task? A) Simple Network Management Protocol (SNMP) B) Security Information and Event Management (SIEM) C) Business Process Management (BPM) D) Distributed System Management (DSM)

B

An organization with a Security Information and Event Management (SIEM) system wants to minimize errors or missed issues due to human log analysis. Which SIEM policy should the organization use in this case? A) Automated analysis of metadata B) Automated analysis of data sets C) Manually generated analysis of data sets D) Manually generated analysis of metadata

B

As applications mature and new features are added, which concept refers to the process of ensuring new event types are discovered and collected, based on the changes in the application? A) Augmentation B) Continuous optimization C) Continuous review D) Continuous compliance

B

As part of your cloud deployment, you decide to encrypt data in transit. Which threat will this protect against? A) escalation of privilege B) man-in-the-middle C) social engineering D) loss or theft of device

B

As part of your company's cloud deployment, the cloud service provider (CSP) implements virtual machines on a Type I hypervisor. Which of the following statements is NOT true about this virtualization deployment? A) The hypervisor works directly on the host's hardware. B) The hypervisor is dependent on the host OS for its operation. C) The hypervisor is known as a bare metal or embedded hypervisor. D) The hypervisor's main task is sharing and managing hardware resources.

B

Asha is configuring a virtualized environment and wants to back up a virtualized server, including its memory state. What type of backup should she perform? A. A full backup B. A snapshot C. An incremental backup D. A differential backup

B

At which OSI layer does IPSec operate? A) Presentation B) Network C) Application D) Transport

B

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the annualized loss expectancy (ALE)? A. $5,000 B. $25,000 C. $100,000 D. $500,000

B

Ben wants to implement tokenization for his organization's data. What will he need to be able to implement it? A. Authentication factors B. Databases C. Encryption keys D. Personnel

B

Canh has been working with the Disaster Recovery (DR) planning team to build a plan that will have the cloud environment failing to another provider in the event of a disaster. They have been able to establish the needs of the plan and the configurations to enable a failover if the primary cloud provider has a massive failure. The plan should not be considered valid until which of the following has been completed? A) Reports B) Testing C) Nothing extra D) Revisions

B

Charles wants to detect abnormal traffic in his organization's cloud environment. The vendor who provides his SIEM tool has advanced analytical tools that baseline normal traffic and then analyze logs and traffic to identify potential attacks based on learning models. Which of the following options best describes this type of technology? A. Behavior-based analysis B. Artificial intelligence C. Rules-based analysis D. Pattern matching

B

Countermeasures for protecting cloud operations against external attackers include all of the following except: A. Continual monitoring for anomalous activity B. Detailed and extensive background checks C. Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines D. Regular and detailed configuration/change management activities

B

Countermeasures for protecting cloud operations against internal threats include all of the following except: A. Aggressive background checks B. Hardened perimeter devices C. Skills and knowledge testing D. Extensive and comprehensive training programs, including initial, recurring, and refresher sessions

B

Dimitri cashed a paycheck at County Bank three months ago, but he doesn't have an account there and hasn't been back since. Under GLBA, County Bank should consider Dimitri as which of the following? A. Customer B. Consumer C. Visitor D. No relationship with the bank

B

Felix is planning for his organization's third-party audit process after recently switching to a cloud SaaS provider. What information will Felix most likely be unable to provide? A. Access logs B. Operating system logs C. Activity logs D. User and account privilege information

B

Felix wants to monitor data transfers between two systems inside of his IaaS cloud-hosted data center. Which of the following audit mechanisms is unlikely to be available to him that is commonly available in on-premises environments? A. Log review B. Packet capture C. Data flow diagrams D. Log correlation

B

From a legal perspective, what is the most important first step after an eDiscovery order has been received by the cloud provider? A) Virtual image snapshots B) Notification C) Key identification D) Data collection

B

From a security perspective, which of the following is a major concern when evaluating possible BCDR solutions? A) Access provisioning B) Auditing C) Jurisdiction D) Authorization

B

Geoff's organization has designed its application to rely on Docker. What type of application virtualization model has Geoff's organization adopted? A. Sandboxing B. Containers C. Microservices D. Multitenancy

B

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would Grace's approach use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

B

Hashing can be applied to virtually any type of data or object. Which of the following is an essential facet of hashing? A) Encrypted B) Fixed size C) Reversibility D) Multivalued

B

Heikka has deployed a web application firewall and is preparing to write policies to analyze traffic. Which of the following is not a typical filtering capability for WAFs? A. Users B. Privileged database use C. Session information D. Application-specific context

B

How often should the CMB meet? A. Whenever regulations dictate B. Often enough to address organizational needs and reduce frustration with delay C. Every week D. Annually

B

In a federated identity arrangement, which organization authorizes users to perform actions on systems or services? A. The identity provider B. The service provider C. The token provider D. All of the above

B

In addition to battery backup, a UPS can offer which capability? A. Communication redundancy B. Line conditioning C. Breach alert D. Confidentiality

B

In which of the following risk management responses does the organization do nothing? A) avoidance B) acceptance C) mitigation D) transfer

B

In which step of the SDLC are the business requirements of the software determined? A) Testing B) Defining C) Design D) Development

B

Isaac wants to describe common information rights management (IRM) functions to his team. Which of the following is not a common IRM function? A. Persistency B. Crypto-shredding C. Automatic expiration D. Dynamic policy control

B

Isabella is a cloud data architect who has been working with application developers. They are building a machine learning tool for their business. There is a great deal of concern about protecting some of the information, because if there is a breach, the implications are wide-ranging: the customers could lose confidence in their business, and the regulatory fines are quite high. So, they are interested in a technology that will allow the data to be used in machine learning, possibly through mathematical operations and Boolean logic, without revealing the actual values. What technology do they need? A) Tokenization B) Fully Homomorphic Encryption C) Public key cryptography D) Symmetric encryption

B

Jaime wants to set up a tool that will allow him to capture and analyze attacker behavior, including command-line activity and uploaded toolkits targeted at systems in his environment. What type of tool should he deploy? A. A dark web B. A honeypot C. A network IPS D. A network IDS

B

Joe is authoring a document that explains to system administrators one way in which they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing? A. Policy B. Guideline C. Procedure D. Standard

B

Maintenance mode requires all of these actions except: A. Remove all active production instances B. Initiate enhanced security controls C. Prevent new logins D. Ensure logging continues

B

MediRecs Co. provides secure server space to help healthcare providers store medical records. MediRecs would be best described under HIPAA as which of the following? A. Service provider B. Business associate C. Covered partner D. Covered entity

B

Meena is conducting data discovery with data encoded in JSON. What type of data is she working with? A. Structured B. Semi-structured C. Super-structured D. Unstructured

B

Megan has downloaded a container from a public repository. What should her next step be to use the container? A. Run the container using her containerization service. B. Scan the container for malicious software. C. Validate the container by decrypting it. D. Check the container into her organization's container repository.

B

Mei wants to conduct data discovery activities in her organization. Which of the following types of data discovery is best suited for identifying all photos that were taken using a specific model of camera based on the original files generated by the camera? A. Label-based B. Metadata-based C. Extension-based D. Content-based

B

Melissa knows that many data destruction options are not available for data kept in the cloud due to how the services are architected using shared hardware and services. Which of the following is the best option for her organization to select for cloud-hosted data that must be disposed of in a secure manner? A. Melting B. Crypto-shredding C. Zeroization D. Overwriting

B

Naomi has implemented a data archiving process as part of her organization's cloud design. What important part of her archiving plan should she prioritize to ensure its long-term success? A. Data classification B. Periodic testing C. Data mapping D. Hashing

B

Naomi is working on a list that will include data obfuscation options for her organization. Which of the following is not a type of data obfuscation technique? A. Tokenization B. Data hiding C. Anonymization D. Masking

B

OWASP identifies cloud native application security risks. Which of the following should Jean identify as the most critical issue to address to ensure the security of her organization's SSH keys? A. Injection flaws B. Insecure secrets storage C. Using components with known vulnerabilities D. Ineffective logging and monitoring

B

Olivia wants to ensure that her new data center cannot lose its internet connectivity due to a single event that damages the fiber optic cable run to her internet service providers. What term describes the solution Olivia is looking for? A. Linear continuity B. Multivendor pathway connectivity C. Separation of networks D. Redundant fiber assessment

B

Samuel wants to check what country a file was accessed from. What information can he use to make a guess as accurate as possible, given information typically available in log entries? A. The username B. The source IP address of the request C. The destination IP address of the request D. The hostname

B

Sarah is continuing her data labeling efforts and has received suggestions for appropriate data labels for data that will be used in multiple countries in which her company operates as part of ongoing security and data lifecycle efforts. Which of the following is not a label that would help with that usage? A. Source B. Language C. Handling restrictions D. Jurisdiction

B

Selah wants to assess her organization's application security using the Application Security Verification Standard, and wants to perform a penetration test as the validation method for security. What ASVS level does she want to use? A. Level 0 B. Level 1 C. Level 2 D. Level 3

B

Selah's cloud environment analyzes traffic patterns and load and adjusts the number of systems in a web server pool to meet the current and expected future load as needed. Which of the following terms best describes what her organization is doing? A. Distributed resource scheduling B. Dynamic optimization C. Maintenance mode D. High availability

B

The CIO of Gurvinder's company wants him to have its audit company perform an audit of its cloud infrastructure provider. Why are cloud infrastructure vendors unlikely to allow audits of their systems and infrastructure by customer-sponsored third parties? A. They do not want to have problems with their service identified. B. Audits may disrupt their other customers or lead to risks of data exposure for those customers. C. It is required for compliance with industry standard best practices. D. It would have to be reported as a potential data breach.

B

The Department of Justice (DOJ) assesses options for a new cloud-hosted collaboration solution. What should it use to ensure that the vendors are compliant with the governmental regulations for data management in the United States? A) Business partnership agreement (BPA) B) Federal Risk and Authorization Management Program (FedRAMP) C) European Union Agency for Network and Information Security (ENISA) D) Nondisclosure agreement (NDA)

B

The General Data Protection Regulation (GDPR) provides data subjects with various rights related to privacy. What do organizations need to do in order to acquire and use personal information under GDPR? A) Give the data subject notice of the data use B) Have the data subject opt in for the data use C) Allow the data subject to opt out of the data use D) Get the data subject to sign an agreement for the data use

B

The WS-Security standards are built around all of the following standards except which one? A) SOAP B) SAML C) XML D) WSDL

B

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as: A. Private B. Public C. Hybrid D. Latent

B

The generally accepted definition of cloud computing includes all of the following characteristics except: A. On-demand self-service B. Negating the need for backups C. Resource pooling D. Measured or metered service

B

Ting sets a system up in her Amazon VPC that exists in a low-security, public internet-facing zone and also has an interface connected to a high-security subnet that is used to house application servers so that she can administer those systems. What type of security solution has she configured? A. A firewall hopper B. A bastion host C. A bridge D. A bailey system

B

Unlike SOC Type 1 reports, which are based on a specific point in time, SOC Type 2 reports are done over a period of time. What is the minimum span of time for a SOC Type 2 report? A) Six months B) One week C) One year D) One month

B

Valerie has deployed an IDS to help protect her cloud-based systems. Which of the following actions isn't an option that she can use the IDS for if it detects an attack? A. Log the attack B. Block the attack C. Send a notification about the attack D. Display information about the attack on a dashboard

B

Valerie wants to be able to refer to data contained in a database without having the actual values in use. What obfuscation technique should she select? A. Masking B. Tokenization C. Anonymization D. Randomization

B

Valerie's organization uses a security baseline as part of its systems configuration process. Which of the following is not a typical part of a baselining process? A. Limiting administrator access B. Removing anti-malware agents C. Closing unused ports D. Removing unnecessary services and libraries

B

We use which of the following to determine the critical paths, processes, and assets of an organization? A. Business requirements B. Business impact analysis (BIA) C. Risk Management Framework (RMF) D. Confidentiality, integrity, availability (CIA) triad

B

What are the two protocols TLS uses? A) Record and transmit B) Handshake and record C) Transport and initiate D) Handshake and transport

B

What concept does the "A" represent in the DREAD model? A) Authorization B) Affected users C) Affinity D) Authentication

B

What concept does the "D" represent in the STRIDE threat model? A) Data loss B) Denial of service C) Data breach D) Distributed

B

What concept does the T represent in the STRIDE threat model? A) Insider threat B) Information disclosure C) Integrity D) IT security

B

What controls the formatting and security settings of a volume storage system within a cloud environment? A) Hypervisor B) Operating system of the host C) SAN host controller D) Management plane

B

What does SDN stand for within a cloud environment? A) Software-dependent networking B) Software-defined networking C) Software-dynamic networking D) System-dynamic nodes

B

What does the management plane typically utilize to perform administrative functions on the hypervisors to which it has access? A) XML B) APIs C) Scripts D) RDP

B

What is a company that purchases hosting services from a cloud server hosting or cloud computing provider who then resells to its own customers? A) Cloud broker B) Cloud computing reseller C) Cloud proxy D) VAR

B

What is a device called that can safely store and manage encryption keys and is used in servers, data transmission, and log files? A) Private key B) Hardware security module (HSM) C) Public key D) Trusted Operating System Module (TOS)

B

What is a major challenge with forensic data collection within a cloud environment? A) Format of data B) Ownership of data C) Classification of data D) Size of data

B

What is a potential cloud-specific concern in emergent business impact analysis (BIA)? A) Infrastructure failure B) New dependencies C) Swapping D) Natural disaster

B

What is a set of technologies designed to analyze application source code and binaries for coding and design conditions that are indicative of security vulnerabilities? A) Dynamic application security testing B) Static application security testing (SAST) C) Secure coding D) Open web application security project (OWASP)

B

What is a special mathematical code that allows encryption hardware/software to encode and then decipher an encrypted message called? A) Public key infrastructure (PKI) B) Encryption key C) Public key D) Masking

B

What is a type of assessment called that employs a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels? A) Quantitative assessment B) Qualitative assessment C) Hybrid assessment D) SOC 2

B

What is a type of cloud infrastructure that is provisioned for open use by the general public and is owned, managed, and operated by a business, academic, or government organization and exists on the premises of the cloud provider called? A) Private cloud B) Public cloud C) Hybrid cloud D) Personal cloud

B

What is an audit standard for service organizations? A) SOC 1 B) SSAE18 C) GAAP D) SOC 2

B

What is one of the primary considerations in addressing the physical safety needs of a facility? A) Providing transportation access B) Designing for protection C) Providing shelter D) Providing emotional safety

B

What is the benefit of virtualization management tools with respect to the management plane? A) They provide insights into current bandwidth needs and traffic types. B) They allow more effective handling of resource demands. C) They protect cloud resources and data from threats and vulnerabilities. D) They enable the backup of data and applications.

B

What is the correct order of the phases of the data lifecycle? A. Create, Store, Use, Archive, Share, Destroy B. Create, Store, Use, Share, Archive, Destroy C. Create, Use, Store, Share, Archive, Destroy D. Create, Archive, Store, Share, Use, Destroy

B

What is the hypervisor malicious attackers would prefer to attack? A. Type 1 B. Type 2 C. Type 3 D. Type 4

B

What is the name of the process of automatically provisioning, configuring, and managing virtual machines and other resources in a virtualized environment? A) Continuous deployment B) Orchestration C) Programmability D) Continuous integration

B

What is the purpose of egress monitoring tools? A) They are used to convert a given set of data or information into a different value. B) They are used to prevent data from going outside the control of an organization. C) They are used to create data during the Create phase of the cloud data life cycle. D) They are used to remove data during the Destroy phase of the cloud data life cycle.

B

What is the term used for software technology that encapsulates application software from the underlying operating system on which it is executed? A) Hypervisor B) Application virtualization C) VMWare D) Software as a Service (SaaS)

B

What is the term used to describe loss of access to data because the cloud provider has ceased operation? A. Closing B. Vendor lock-out C. Vendor lock-in D. Masking

B

What is used for local, physical access to hardware within a data center? A) VPN B) KVM C) SSH D) RDP

B

What is used to allow additional functionality such as improved networking or video output for a guest operating system by connecting to an underlying host's hardware? A) Application toolsets B) Virtualization toolsets C) Memory controllers D) Flash controllers

B

What must be secured on physical hardware to prevent unauthorized access to systems? A) RDP B) BIOS C) SSH D) ALOM

B

What network provisioning protocol is essential for automation and orchestration within a cloud environment? A) DDoS B) DHCP C) DNS D) DNSSEC

B

What standard governs SOC audits that occur within the United States? A. SSAE 16 B. SSAE 18 C. ISAE 3402 D. ISAE 3602

B

What type of PII is regulated based on the type of application or per the conditions of the specific hosting agreement? A) Specific B) Contractual C) Regulated D) Jurisdictional

B

What type of host is exposed to the public Internet for a specific reason and hardened to perform only that function for authorized users? A) Honeypot B) Bastion C) Proxy D) WAF

B

What type of segregation and separation of resources is needed within a cloud environment for multitenancy purposes versus a traditional data center model? A) Physical B) Logical C) Virtual D) Security

B

What type of solutions enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup? A) Online backups B) Cloud backup solutions C) Removable hard drives D) Masking

B

What type of technology/system is typically used for log aggregation and storage at an enterprise level? A) SIM B) SIEM C) LSS D) SEM

B

When a conflict of laws occurs, what determines the jurisdiction in which the dispute will be heard? A) Tort law B) Doctrine of Proper Law C) Common law D) Criminal law

B

When deciding whether to apply specific updates, it is best to follow ____________ in order to demonstrate due care. A. Regulations B. Vendor guidance C. Internal policy D. Competitors' actions

B

When designing privacy controls, an organization should be informed by the results of what type of analysis? A. Impact analysis B. Gap analysis C. Business analysis D. Authorization analysis

B

Where would a DLP solution be implemented within an environment to monitor data in transit? A) Client B) Network perimeter C) Virtual machine D) Firewalls

B

Which European Union directive pertains to personal data privacy and an individual's control over their personal data? A) 2000/1/EC B) 95/46/EC C) 2013/27001/EC D) 99/9/EC

B

Which ITIL component is focused on ensuring that services are configured and monitored for confidentiality, integrity, and availability? A) Problem management B) Information security management C) Incident management D) Availability management

B

Which ITIL component is focused on ensuring that services are properly provisioned and secured to meet requirements? A) Information security management B) Availability management C) Problem management D) Incident management

B

Which ITIL component is focused on maintaining detailed information about all components and services within an organization? A) Release management B) Configuration management C) Deployment management D) Change management

B

Which United States law is focused on PII as it relates to the financial industry? A) Safe Harbor B) GLBA C) SOX D) HIPAA

B

Which aspect of access control involves ensuring users are assigned to the correct roles and levels of access within a system once they have successfully proven their identity to the system? A) Authentication B) Authorization C) Account provisioning D) Privileged access

B

Which aspect of access control involves the verification of the identity of a user to establish their credentials within the system? A) Privileged access B) Account provisioning C) Authorization D) Authentication

B

Which aspect of access control involves users having administrative access to a system, or higher levels of access and permissions than normal users would have? A) Account provisioning B) Privileged access C) Authentication D) Authorization

B

Which aspect of cloud computing makes data classification even more vital than in a traditional data center? A) Interoperability B) Multitenancy C) Portability D) Virtualization

B

Which aspect of cloud computing will be most negatively impacted by vendor lock-in? A) Elasticity B) Portability C) Interoperability D) Reversibility

B

Which audit type has been largely replaced by newer approaches since 2011? A) SOC Type 1 B) SAS-70 C) SOC Type 2 D) SSAE-16

B

Which business continuity/disaster recovery (BC/DR) term refers to a secure container that contains all the necessary documentation and resources needed to conduct a proper BC/DR response action? A) Configuration management B) Toolkit C) Process automation D) Standard

B

Which certification and standard is published by the United States federal government and pertains to information security requirements for federal agencies and government contractors? A) ISO/IEC 27001 B) NIST SP 800-53 C) FIPS 140-2 D) PCI DSS

B

Which certification and standard is published by the credit card industry and specifies IT security controls and practices for any vendors that accept their cards? A) ISO/IEC 27001 B) PCI DSS C) FIPS 140-2 D) NIST SP 800-53

B

Which certification is a general information security standard that is used internationally and is considered the "gold standard" for information and data security? A) PCI DSS B) ISO/IEC 27001 C) NIST SP 800-53 D) FIPS 140-2

B

Which characteristic of automated patching makes it attractive? A. Cost B. Speed C. Noise reduction D. Capability to recognize problems quickly

B

Which concept refers to the programmatic handling of resource allocation and configuration within a cloud environment? A) Automation B) Orchestration C) Allocation D) Provisioning

B

Which data classification process ensures that data that is considered sensitive in one environment is likewise treated as sensitive in another environment? A) labeling B) mapping C) cross-referencing D) classification

B

Which data format is the SAML standard based on? A) HTML B) XML C) JSON D) OAuth

B

Which exception falls under the "fair use" category of copyright-protected materials? A) Noncommercial repurposing B) Critique C) Minor modification D) Commercial research

B

Which format is the most commonly used standard for exchanging information within a federated identity system? A) XML B) SAML C) HTML D) JSON

B

Which of the cloud cross-cutting aspects relates to the assigning of jobs, tasks, and roles, as well as to ensuring they are successful and properly performed? A) Regulatory requirements B) Governance C) Auditability D) Service level agreements

B

Which of the cloud cross-cutting aspects relates to the oversight of processes and systems as well as to ensuring their compliance with specific policies and regulations? A) Regulatory requirements B) Auditability C) Governance D) Service level agreements

B

Which of the cloud deployment models requires the cloud customer to be part of a specific group or organization in order to host cloud services within it? A) Hybrid B) Community C) Public D) Private

B

Which of the following ISO standards would apply to analyzing digital evidence in a cloud environment? A) ISO/IEC 27041 B) ISO/IEC 27042 C) ISO/IEC 27037 D) ISO/IEC 27043

B

Which of the following are the storage types associated with IaaS? A) Object and target B) Volume and object C) Volume and container D) Volume and label

B

Which of the following concepts involves the ability to detect problems and automatically switch to redundant systems based on the nature of the problem? A) Orchestration B) Fault tolerance C) High availability D) Elasticity

B

Which of the following concepts refers to a cloud customer paying only for the resources and offerings they use within a cloud environment and only for the duration in which they consume them? A) Metered service B) Measured service C) Billable service D) Consumable service

B

Which of the following describes a SYN flood attack? A) Rapid transmission of Internet Relay Chat (IRC) messages B) Creating a high number of partially open TCP connections C) Disabling the Domain Name Service (DNS) server D) Excessive list linking of users and files

B

Which of the following does not fall under the "IT" aspect of quality of service (QoS)? A) Services B) Key performance indicators (KPIs) C) Applications D) Security

B

Which of the following does not relate to the hiding of sensitive data from data sets? A) Obfuscation B) Federation C) Masking D) Anonymization

B

Which of the following features is a main benefit of PaaS over IaaS? A) Physical security requirements B) Auto-scaling C) High availability D) Location independence

B

Which of the following is NOT a phase of the cloud secure data life cycle? A) Create B) Discover C) Use D) Store

B

Which of the following is an example of an indirect identifier? A) National ID number B) Location C) Date of birth D) Name

B

Which of the following is considered an external redundancy for a data center? A) Power feeds to racks B) Generators C) Power distribution units D) Storage systems

B

Which of the following is in use when one system is configured to always boot up prior to another system? A) piping B) orchestration C) sinkholing D) encoding

B

Which of the following is not a common cloud service model? A. Software as a service (SaaS) B. Programming as a service (PaaS) C. Infrastructure as a service (IaaS) D. Platform as a service (PaaS)

B

Which of the following is not a common method of data discovery? A. Content-based B. User-based C. Label-based D. Metadata-based

B

Which of the following is not a common type of facility-based tenant partitioning? A. Separate racks B. Separate facilities C. Separate cages D. Separate bays

B

Which of the following is not a focus or consideration of an internal audit? A) Operational efficiency B) Certification C) Costs D) Design

B

Which of the following is not a type of artificial intelligence as it pertains to cloud-computing? A) Humanized B) Regression-adaptive C) Human-inspired D) Analytical

B

Which of the following is not an example of "something the user has" for a multifactor authentication system? A) USB drive B) Fingerprint C) Access card D) RSA token

B

Which of the following is not one of the components of multifactor authentication? A) Something the user knows B) Something the user sends C) Something the user is D) Something the user has

B

Which of the following is not one of the five key principles of the ISO/IEC 27018 standards on privacy with cloud computing? A) Control B) Internal audit C) Consent D) Transparency

B

Which of the following is not one of the specialized compliance requirements for highly regulated industries? A) HIPAA B) GAPP C) FedRAMP D) PCI DSS

B

Which of the following is not something that an HIDS (Host-based Intrusion Detection System) will monitor? A) Network traffic B) User logins C) Critical system files D) Configurations

B

Which of the following is the optimal humidity level for a data center, per the guidelines established by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE)? A) 20-40 percent relative humidity B) 40-60 percent relative humidity C) 50-75 percent relative humidity D) 30-50 percent relative humidity

B

Which of the following may unilaterally deem a cloud hosting model inappropriate for a system or application? A) Virtualization B) Regulation C) Multitenancy D) Certification

B

Which of the following pertains to fire safety standards within data centers and their enormous electrical consumption? A) BICSI B) NFPA C) IDCA D) Uptime Institute

B

Which of the following provides guidelines that can be used to assess the security of an organization that handles credit card data? A) Common Criteria B) PCI-DSS C) ISO/IEC 27017 D) FIPS 140-2

B

Which of the following regulatory systems contains provisions that require a minimum length of time that financial records must be retained? A) PCI DSS B) SOX C) FedRAMP D) HIPAA

B

Which of the following represents a minimum guaranteed resource within a cloud environment for the cloud customer? A) Limit B) Reservation C) Provision D) Share

B

Which of the following represents a prioritization of applications or cloud customers for the allocation of additional requested resources when there is a limitation on available resources? A) Provision B) Share C) Reservation D) Limit

B

Which of the following represents the correct set of four cloud deployment models? A) Public, Private, Joint and Community B) Public, Private, Hybrid, and Community C) Public, Internet, Hybrid, and Community D) External, Private, Hybrid, and Community

B

Which of the following roles involves overseeing billing, purchasing, and requesting audit reports for an organization within a cloud environment? A) Cloud service integrator B) Cloud service business manager C) Cloud service administrator D) Cloud service user

B

Which of the following roles involves the provisioning and delivery of cloud services? A) Cloud service deployment manager B) Cloud service manager C) Cloud service operations manager D) Cloud service business manager

B

Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes? A) Cloud service operations manager B) Cloud service deployment manager C) Cloud service manager D) Cloud service business manager

B

Which of the following service capabilities gives the cloud customer the least amount of control over configurations and deployments? A) Platform B) Software C) Infrastructure D) Desktop

B

Which of the following statements accurately describes VLANs? A) They are restricted to the same racks and data centers. B) They are not restricted to the same data centers or the same racks. C) They are not restricted to the same racks but restricted to the same switches. D) They are not restricted to the same racks but restricted to the same data centers.

B

Which of the following threat types can occur when baselines are not appropriately applied or unauthorized changes are made? A) Sensitive data exposure B) Security misconfiguration C) Insecure direct object references D) Unvalidated redirects and forwards

B

Which of the following would be the BEST way to mitigate the risk of cryptographic failures on web applications? A) Establish and use a library of secure design patterns or paved road B) Ensure up-to-date and strong standard algorithms, protocols, and keys C) User-supplied data is not validated, filtered, or sanitized by the application D) Sanitize and validate all client-supplied input data

B

Which of the following would include the Social Security number and name of an individual? A) trade secrets B) PII C) PHI D) proprietary data

B

Which of the following would make it more likely for a cloud provider to be unwilling to satisfy specific certification requirements? A) Virtualization B) Multitenancy C) Resource pooling D) Regulation

B

Which of the following would not be a reason to activate a BCDR strategy? A) Utility disruptions B) Staffing loss C) Terrorism attack D) Natural disaster

B

Which one of the following options is no longer valid for protecting the transfer of personal information between the European Union and other nations? A. Adequacy decisions B. EU/US Privacy Shield C. Binding Corporate Rules D. Standard Contractual Clauses

B

Which one of the following would not normally be found in an organization's information security policy? A. Statement of the importance of cybersecurity B. Requirement to use AES-256 encryption C. Delegation of authority D. Designation of responsible executive

B

Which phase of the cloud data life cycle requires adherence to export and import restrictions, including Export Administration Regulations (EAR) and the Wassenaar Arrangement? A) Create B) Share C) Use D) Destroy

B

Which process describes the tracking and monitoring of evidence, including who had access and what controls were used, from the time it is classified and gathered for evidential purposes until the time it is delivered to a court or law enforcement officials? A) Audit B) Chain of custody C) Electronic discovery D) Forensic imaging

B

Which process serves to prove the identity and credentials of a user requesting access to an application or data? A) Identification B) Authentication C) Authorization D) Repudiation

B

Which risk management strategy involves continuing business operations as normal after being made aware of an enterprise risk? A) Transference B) Acceptance C) Avoidance D) Mitigation

B

Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it? A) Availability B) Confidentiality C) Integrity D) Nonrepudiation

B

Which security concept is focused on the trustworthiness of data? A) Confidentiality B) Integrity C) Availability D) Nonrepudiation

B

Which serverless technology allows users to upload code and data sets and have operations and processing automatically performed in a fully managed environment? A) Data warehousing B) Data flows C) Data pipelines D) Data dispersion

B

Which storage type of PaaS would be used for website files or multimedia objects? A) Object B) Unstructured C) Volume D) Structured

B

Which technique is used to obscure data in the cloud? A) Shuffling B) Anonymization C) Disassembling D) Expunging

B

Which technology is not commonly used for security with data in transit? A) VPN B) DNSSEC C) IPSec D) HTTPS

B

Which technology is used to prevent cross-site request forgery (CSRF) attacks? A) Encoding B) Tokens C) Multifactor authentication (MFA) D) Identity-based encryption (IBE)

B

Which term relates to the application of scientific methods and practices to digital evidence? A) Methodical B) Forensics C) Measured D) Theoretical

B

Which type of analysis compares a control analysis against a baseline standard? A) Privacy impact analysis B) Gap analysis C) Risk analysis D) Business impact analysis

B

Which type of cloud model typically presents the most challenges to a cloud provider during the Destroy phase of the cloud data lifecycle? A) PaaS B) SaaS C) DaaS D) IaaS

B

Which type of common threat involves data being exposed to a party that is not authorized to have it? A) Data loss B) Data breach C) Account hijacking D) Insider threat

B

Which type of hypervisor runs directly on the underlying hardware and is coupled tightly with it? A) Bare-metal hypervisor B) Type 1 hypervisor C) Type 2 hypervisor D) Hardware hypervisor

B

Which type of key management service involves a system that is provided by the cloud provider but hosted and maintained by the cloud customer? A) External key management service B) Client-side key management service C) Remote key management service D) Customer key management service

B

Which type of key management service involves storing and maintaining keys by the customer at their own location? A) Client-side key management service B) Remote key management service C) External key management service D) Customer key management service

B

Which type of management focuses on arranging all the elements needed to deploy new software, including QA testing and staging, before the software enters active maintenance? A) Availability management (AM) B) Release management (RM) C) Incident management (IM) D) Problem management (PM)

B

Why does a Type 2 hypervisor typically offer less security control than a Type 1 hypervisor? A) A Type 2 hypervisor allows users to directly perform some functions with their own access. B) A Type 2 hypervisor runs on top of another operating system and is dependent on the security of the OS for its own security. C) A Type 2 hypervisor is open source, so attackers can more easily find exploitable vulnerabilities with that access. D) A Type 2 hypervisor is always exposed to the public Internet for federated identity access.

B

With a cloud environment, who is responsible for the collection of data pursuant to an eDiscovery order? A) The cloud provider B) Both the cloud provider and cloud customer C) The cloud customer D) The application owner

B

With an IaaS implementation, which logs will be available directly to the cloud customer without needing the cloud provider to supply them? A) DNS B) Operating system C) Network perimeter D) Hypervisor

B

Yarif's organization wants to process sensitive information in a cloud environment. The organization is concerned about data throughout its lifecycle. What protection should it select for its compute elements if security is a priority and cost is less important? A. Memory encryption B. Dedicated hardware instances C. Shared hardware instances D. Avoiding installing virtualization tools

B

You are considering working with a cloud provider and would like to review the results of an audit that contains detailed information on security controls. The provider requires that you sign an NDA before reviewing the material. What category of report are you likely reviewing? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4

B

You have been asked to ensure that data that is stored in your company's cloud is encrypted during transmission. Which of the following should you deploy? A) BitLocker B) IPSec C) EFS D) database encryption

B

Your organization has decided to replace its current magnetic tape media backup policy with a DVD media backup policy. Which phase of the cloud data lifecycle is this MOST LIKELY to affect? A) Use B) Archive C) Share D) Create

B

Your organization needs to conform to the highest levels of FIPS-140 cryptographic standards in order to meet contractual obligations. Your manager has tasked you with investigating options to meet this requirement. Which technology are you most likely to recommend? A) DRS B) HSM C) Bastion host D) KVM

B

A European Union (EU) citizen contacts a company doing business in the EU, claiming that its data processing activities are out of compliance with the General Data Protection Regulation (GDPR). The citizen demands that the company stops processing their personal data. What must the company do if it wishes to continue processing this personal data? A) File an appeal with the Court of Justice of the European Union (CJEU) within 60 days and continue processing the data B) Demonstrate that this data processing is a necessary business requirement C) Demonstrate that this data processing is authorized under approved standards D) File an appeal with the Court of Justice of the European Union (CJEU) within 60 days and stop processing the data

C

A U.S. federal government agency is negotiating with a cloud service provider for the use of IaaS services. What program should the vendor be certified under before entering into this agreement? A. FIPS 140-2 B. Common Criteria C. FedRAMP D. ISO 27001

C

A cloud service provider (CSP) is deploying a new cloud data center. As part of this deployment, new hardware has been purchased for the physical infrastructure for the data center. You are concerned about the secure configuration of hardware, particularly that the new hardware will not be updated properly. Which of the following is MOST likely to be overlooked as part of this secure configuration? A) operating system updates B) driver updates C) firmware updates D) application updates

C

A company is looking to ensure that the names of individuals in its data in the cloud are not revealed in the event of a data breach, as the data is sensitive and classified. Which data masking technique should the company use to prevent attackers from identifying individuals in the event of a data breach? A) Crypto-shredding B) Degaussing C) Anonymization D) Randomization

C

A generator transfer switch should bring backup power online within what time frame? A. 10 seconds B. Before the recovery point objective is reached C. Before the UPS duration is exceeded D. Three days

C

A group of colleges decided to pool their resources to create a community cloud. Which risk is associated with this type of cloud deployment? A) Proprietary data formats preventing data conversion B) A lack of compliance with relevant regulations C) Shared access and control mechanisms between members D) Decreased visibility of cloud performance and resource usage

C

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following? A. UPS B. Generators C. Joint operating agreements D. Strict adherence to applicable regulations

C

A manager is made aware of a customer complaint about how an application developed by the company collects personal and environmental information from the devices it is installed on. Which document should the manager refer to in order to determine if the company has properly disclosed information about what data it collects from this application's users? A) Retention policy B) Breach notification C) Privacy notice D) Denial of service

C

After a cloud migration, the BIA should be updated to include a review of the new risks and impacts associated with cloud operations; this review should include an analysis of the possibility of vendor lock-in/lock-out. Analysis of this risk may not have to be performed as a new effort because a lot of the material that would be included is already available from which of the following? A. NIST B. The cloud provider C. The cost-benefit analysis the organization conducted when deciding on cloud migration D. Open-source providers

C

After a severe storm, the local power grid used by an organization's primary European data center was damaged and could no longer provide the necessary power to keep the services running. Management has established that this event does not meet the definition of a disaster but is a business continuity impacting event since a failover site can temporarily bear the load. What should the organization leverage to return operations to the data center? A) Uninterruptible power supply (UPS) B) Redundant array of independent disks (RAID) C) Generators D) Archives

C

All of the following are cloud computing risks in a multitenant environment except: A. Risk of loss/disclosure due to legal seizures B. Information bleed C. DDoS D. Escalation of privilege

C

All of the following methods can be used to attenuate the harm caused by escalation of privilege except: A. Extensive access control and authentication tools and techniques B. Analysis and review of all log data by trained, skilled personnel on a frequent basis C. Periodic and effective use of cryptographic sanitization tools D. The use of automated analysis tools such as SIM, SIEM, and SEM solutions

C

Amanda downloads VeraCrypt, a free, open-source disk encryption software package. When she downloads the software, she sees the following information on the downloads page: Linux: - Generic Installers: veracrypt-1.25.9-setup.tar.bz2 (41.5 MB) (PGP Signature) - Linux Legacy installer for 32-bit CPU with no SSE2: veracrypt-1.25.9-x86-legacy-setup.tar.bz2 (13.8 MB) (PGP Signature) - Debian/Ubuntu packages: - Debian 11: - GUI: veracrypt-1.25.9-Debian-11-amd64.deb (PGP Signature) - Console: veracrypt-console-1.25.9-Debian-11-amd64.deb (PGP Signature) What will she need to validate the signature and ensure that the software is legitimate? A. VeraCrypt's private key B. Her private key C. VeraCrypt's public key D. Her public key

C

Amanda has been told that the organization she is joining uses a sandbox as part of its CI/CD pipeline. With what SDLC phase is the sandbox most likely associated? A. The design phase B. The coding phase C. The testing phase D. The operations phase

C

Amanda has joined a new company, and part of her orientation notes that staff use virtual clients to access secure data used by the company as part of their data center operations. What type of solution should Amanda expect to use? A. Virtual clients hosted on her laptop B. A cloud-based server environment C. Virtual clients hosted in the cloud or on servers D. A third-party managed data center

C

An organization implemented an information rights management (IRM) solution to prevent critical data from being copied without permission and a cloud backup solution to ensure that the critical data is protected from storage failures. Which IRM challenge will the organization need to address? A) Jurisdictional conflicts B) Agent conflicts C) Replication restrictions D) Execution restrictions

C

An organization is planning to store its production data in a public cloud service. While researching the service, the organization discovers that its data will be stored in a proprietary data format that cannot be read by other cloud services. Which cloud risk does this represent? A) Regulatory failure B) Inadvertent disclosure C) Vendor lock-in D) Data seizure

C

An organization wants to include a second factor of authentication in its authentication, authorization, and accounting scheme for its cloud environment. It wants to ensure that the additional authentication mechanism will not be compromised if an employee's laptop or smartphone is compromised. Which type of authentication token will meet the organization's requirements? A) Text messages with one-time passwords B) Applications such as password managers C) Hardware such as key fob devices D) Caller ID authentication

C

An organization's engineers recently attended a training session designed to raise awareness of the dangers of using insecure direct object identifiers to view another user's account information. Which Open Web Application Security Project (OWASP) Top 10 vulnerability category did their training cover? A) Vulnerable and outdated components B) Identification and authentication failures C) Broken access control D) Security logging failures

C

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the asset value (AV)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the single loss expectancy (SLE)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C

Because PaaS implementations are so often used for software development, what is one of the vulnerabilities that should always be kept in mind? A. Malware B. Loss/theft of portable devices C. Backdoors D. DoS/DDoS

C

Charles is working with internal auditors to review his organization's cloud infrastructure. Which of the following is not a common goal of internal audits? A. Testing operational integrity B. Improving practices C. Providing attestation of compliance to a standard to a third party D. Validating practices against an industry standard

C

Chris is using a third-party vulnerability scanning application in his cloud-hosted environment. Which of the following issues is he unlikely to be able to detect with a vulnerability scanner? A. Malware B. Defined vulnerabilities C. Zero-day exploits D. Programming flaws

C

Countermeasures for protecting cloud operations against internal threats at the provider's data center include all of the following except: A. Separation of duties B. Least privilege C. Conflict of interest D. Mandatory vacation

C

Countermeasures for protecting cloud operations against internal threats include all of the following except: A. Active physical surveillance and monitoring B. Active electronic surveillance and monitoring C. Redundant ISPs D. Masking and obfuscation of data for all personnel without need to know for raw data

C

DLP technologies are increasingly being offered as services by vendors and public cloud providers. Which type of cloud service category would a DLP solution be a part of? A) IDaaS B) DBaaS C) SECaaS D) DaaS

C

Frank's organization wants to institute a 24/7 monitoring and response capability focused on security. What type of operations capability will Frank establish? A. A SIEM B. A NOC C. A SOC D. An IDS

C

From a storage perspective, what is the partition allocated to a virtual machine for volume storage referred to as? A) LAN B) HDD C) LUN (Logical Unit Number) D) Partition

C

Geeta wants to connect to a Windows server using a full graphical user interface. What secure connection option should she use? A. Telnet B. SSH C. RDP D. Screen

C

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

C

Greg has implemented logging for his company's worldwide web services implementation running in Azure. What concern should Greg address when he enables logging of all web requests? A. Data lifecycle planning B. Secrets management C. Log volume D. Geolocation of log events

C

Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use? A. BPA B. MOU C. MSA D. SLA

C

How is an object stored within an object storage system? A) Tree structure B) Database C) Key value D) LDAP

C

How many additional DNS queries are needed when DNSSEC integrity checks are added? A) One B) Two C) Zero D) Three

C

Jason wants to properly describe the type of data his organization is using. He knows that the data is stored in a MySQL database. What type of data is Jason's organization storing? A. Unstructured data B. Tabular data C. Structured data D. Warehoused data

C

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done? A. Removed the threat B. Reduced the threat C. Removed the vulnerability D. Reduced the vulnerability

C

Jim's organization uses the Waterfall SDLC model. What occurs after testing and debugging has been finished in the Waterfall model? A. Quality assurance testing B. Interactive software testing C. Operational activities D. Business rule validation

C

Kara is the chief privacy officer of an organization that maintains a database of customer information for marketing purposes. What term best describes the role of Kara's organization with respect to that database? A. Data subject B. Data custodian C. Data controller D. Data processor

C

Katie is assessing her organization's privacy practices and determines that the organization previously collected customer addresses for the purpose of shipping goods and is now using those addresses to mail promotional materials. If this possibility was not previously disclosed, what privacy principle is the organization most likely violating? A. Quality B. Management C. Notice D. Security

C

Liam wants to store the private keys used to generate certificates for his organization. What security level should he apply to those keys? A. The highest level of security possible. B. The same or lower than the data the certificates protect. C. The same or greater than the data that the certificates protect. D. Private keys can be shared without issues.

C

Mark has set up a series of tasks that make up a workflow to ensure that his cloud-hosted web application environment scales, updates, and maintains itself. What cloud management plane feature is he leveraging? A. Maintenance B. Scheduling C. Orchestration D. Virtualization

C

Megan is documenting roles as part of the implementation of her organization's data classification policy. Her organization uses a software as a service tool to accept applications from customers. What term best describes the SaaS vendor? A. A data custodian B. A data owner C. A data processor D. A data steward

C

Michelle wants to securely store her organization's secrets using a cloud service. What tool should she select? A. TPM as a service B. GPG as a service C. HSM as a service D. SSD as a service

C

Mike's organization has determined that it wants to use interactive application security testing (IAST) as part of its SDLC. In which stage in a typical SDLC is IAST typically performed? A. Design B. Code C. Test D. Maintain

C

Murali is using the Process for Attack Simulation and Threat Analysis (PASTA) framework as part of his organization's security processes. He has just completed Stage 3, factoring applications and identifying application controls. What will he do next in Stage 4? A. He will analyze and model attacks. B. He will define business objectives. C. He will perform threat analysis based on threat intelligence. D. He will run vulnerability scans.

C

Naomi's organization has adopted the CIS security controls for Windows. What type of solution have they adopted? A. A SOC template B. An ISO standard C. A security baseline D. A NIST standard

C

Nina's company has stored unstructured data in an S3 bucket in AWS. She wants to perform data discovery on the data, but the discovery tool that she has requires the data to be local. What concern should Nina express about retrieving large volumes of data from a cloud service? A. Performance may be low. B. Data ingress costs may be high. C. Data egress costs may be high. D. The data will need to be structured before discovery can run.

C

Other than cost savings realized due to measured service, what is another facet of cloud computing that will typically save substantial costs in time and money for an organization in the event of a disaster? A) Resource pooling B) Portability C) Broad network access D) Interoperability

C

Rhonda is outlining the threats to her cloud storage environment. Which of the following is not a common threat to cloud storage? A. Credential theft or compromise B. Infection with malware or ransomware C. Privilege reuse D. Human error

C

Richard would like to use an industry standard reference for designing his organization's privacy controls. Which one of the following ISO standards is best suited for this purpose? A. ISO 27001 B. ISO 27002 C. ISO 27701 D. ISO 27702

C

Sara is planning to implement data labeling for her organization. Which of the following is not a data label field that she should consider? A. Date data was created B. Data owner C. Data value D. Date of scheduled destruction

C

Selah wants to securely store her organization's encryption keys. What solution should she ask her cloud service provider about? A. A PKI B. A DLP C. A cloud HSM D. A CRL

C

Sensitivity, jurisdiction, and criticality might all be considered for what cloud data security activity? A. Crypto-shredding B. Data flow diagramming C. Classification D. Tokenization

C

Stacey wants to detect attacks against her hosted systems and would like to be able to analyze the techniques and tools used in those attacks. What security tool could she use to accomplish both of these goals? A. A network security group B. A firewall C. A honeypot D. A beartrap

C

Stanislaw wants to use log information to create accountability for data events. Which of the following data elements would be most useful for his purpose? A. Time stamps B. Host IP addresses C. User IDs D. Certificate IDs

C

Susan wants to ensure that files containing credit card numbers are not stored in her organization's cloud-based file storage. If she deploys a DLP system, what method should she use to identify files with credit card numbers to have the best chance of finding them, even if she may encounter some false positives? A. Manually tag files with credit card numbers at creation. B. Require users to save files containing credit card numbers with specific file-naming conventions. C. Scan for credit card numbers based on a pattern match or algorithm. D. Tag files with credit card numbers at destruction.

C

Susan wants to monitor privileged use in her database system as part of an effort to detect attacks using behavioral analysis. What tool should she recommend to her database team? A. A CASB B. A WAF C. A DAM D. A SDLC

C

Tej wants to conduct data discovery across his organization's databases; however, he knows that data is stored in multiple countries. What concern should he raise before the discovery process is conducted? A. Structured data is harder to conduct discovery on. B. The discovery process may create a denial of service condition on the database servers. C. Jurisdiction and local laws may impact the ability to perform discovery. D. Unstructured data is harder to conduct discovery on.

C

The BC/DR kit should include all of the following except: A. Flashlight B. Documentation equipment C. Fuel for the backup generators D. Annotated asset inventory

C

The SOC Type 2 reports are divided into five principles. Which of the five principles must also be included when auditing any of the other four principles? A) Availability B) Confidentiality C) Security D) Privacy

C

The right to be forgotten refers to which of the following? A. The right to no longer pay taxes B. Erasing criminal history C. The right to have all of a data subject's data erased D. Masking

C

The risk that a customer might not be able to switch cloud providers at a later date is known as: A. Vendor closure B. Vendor lock-out C. Vendor lock-in D. Vendor synchronization

C

The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions that exist: A) Between the WAP gateway and the wireless endpoint device B) Between the web server and the WAP gateway C) From the web server to the wireless endpoint device D) Between the wireless device and the base station

C

Under SOC Type 2 audits, the security principle contains seven separate categories. Which of the following is not one of the seven categories? A) Change management B) Communications C) Incident management D) System operations

C

Wei's organization uses Lambda functions as part of a serverless application inside of its Amazon-hosted environment. What storage type should Wei consider the storage associated with the instances to be? A. Long-term B. Medium term C. Ephemeral D. Instantaneous

C

What best describes the Cloud Security Alliance Cloud Controls Matrix? A) A set of regulatory requirements for cloud service providers B) A set of software development life cycle requirements for cloud service providers C) A security controls framework that provides mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks, such as International Organization for Standardization (ISO) 27001/27002, ISACA's Control Objectives for Information and Related Technologies (COBIT), and the Payment Card Industry (PCI) Data Security Standard (DSS) D) An inventory of cloud service security controls that are arranged into separate security domains

C

What concept does the "R" represent in the DREAD model? A) Residual B) Risk C) Reproducibility D) Repudiation

C

What does a cloud system use from a technical perspective to make decisions on the allocation of resources with shares? A) Cost of the resources B) Size of the customer C) Prioritization weighting D) Owner of the cloud provider

C

What does a single sign-on system pass between services to validate authentication? A) Tickets B) Certificates C) Tokens D) Keys

C

What is a type of computing comparable to grid computing that relies on sharing computing resources rather than having local servers or personal devices to handle applications? A) Server hosting B) Legacy computing C) Cloud computing D) Intranet

C

What is the biggest negative to leasing space in a data center versus building or maintaining your own? A) Certification B) Regulation C) Control D) Costs

C

What is the concept of isolating an application from the underlying operating system for testing purposes? A) Sandboxing B) Abstracting C) Application virtualization D) Hosting

C

What is the concept of segregating information or processes, within the same system or application, for security reasons? A) Cellblocking B) Fencing C) Sandboxing D) Pooling

C

What is the official term for the process of determining audit results that deviate from intended configurations and policies? A) Audit deficiency B) Findings C) Gap analysis D) Noncompliance

C

What is the only data format permitted with the SOAP API? A) HTML B) XSML C) XML D) SAML

C

What is the purpose of implementing rate limiting in application programming interface (API) security? A) To reduce API response time B) To block unauthorized API access C) To prevent API overuse D) To increase API usage

C

What is the root cause of a problem known as? A) Event B) Incident C) Known error D) Change E) Workaround

C

What is the security training delivery category? A) Peer review sessions B) Onboarding C) Recurring training D) Job rotation

C

What is the term for the assurance that a specific author actually created and sent a specific item to a specific recipient, and that the message was successfully received? A) Public key infrastructure (PKI) B) Data loss prevention (DLP) C) Nonrepudiation D) Bit splitting

C

What process is used within a clustered system to provide high availability and load balancing? A) Dynamic optimization B) Dynamic clustering C) Dynamic resource scheduling D) Dynamic balancing

C

What provides the information to an application to make decisions about the authorization level appropriate when granting access? A) Federation B) User C) Identity provider D) Relying party

C

What source contains much of the administrative law created by the U.S. government? A. U.S. Code B. Bill of Rights C. Code of Federal Regulations D. U.S. Constitution

C

What strategy involves replacing sensitive data with opaque values, usually with a means of mapping it back to the original value? A) Masking B) Obfuscation C) Tokenization D) Anonymization

C

What type of common vulnerability can occur when an application accepts objects from untrusted sources via APIs and can result in the modification of application logic? A) XML external entities B) Security misconfiguration C) Insecure deserialization D) Insufficient monitoring

C

What types of security incidents is a security operations center typically responsible for monitoring and taking action against? A) Technical and physical B) Organizational and physical C) Technical and organizational D) Technical and managerial

C

When a cloud customer uploads personally identifiable information (PII) to a cloud provider, who is ultimately responsible for the security of that PII? A. Cloud provider B. Regulators C. Cloud customer D. The individuals who are the subjects of the PII

C

When can risk be fully mitigated? A) When using a private cloud B) With risk avoidance C) Never D) With risk transference

C

When constructing cloud data centers, it is necessary to control the temperature within the data center. Given the size of some data centers, it would be wise to manage the heating and air conditioning as efficiently as possible. If the data center is constructed with rows of equipment that have servers facing each other and then the backs of servers facing each other, the area that needs to be cooled is less than if all servers are oriented facing the same direction in the data center (e.g., facing north). If the data center is constructed with cold air aisles, where does the cold air flow into the servers? A) Hot air aisles have the hot air coming out the back of the server racks B) Hot air aisles have the hot air coming out the front of the server racks C) Cold air aisles have the cold air coming into the front of the server racks D) Cold air aisles have the cold air coming into the back of the server racks

C

When two virtual machines are hosted on the same hypervisor, what must network traffic pass through in order to get from one virtual machine to the other? A) IPS B) Firewall C) They can directly communicate. D) IDS

C

Where is an XML firewall most commonly deployed in the environment? A) Between the presentation and application layers B) Between the IPS and firewall C) Between the firewall and application server D) Between the application and data layers

C

Where would a DLP solution be implemented within an environment to monitor data in use? A) Firewalls B) Network perimeter C) Client D) Virtual machine

C

Which ITIL component is focused on ensuring that changes made to a production environment are properly executed and validated? A) Configuration management B) Release management C) Deployment management D) Change management

C

Which ITIL component is focused on proactively putting processes in place to prevent disruptions from ever happening? A) Incident management B) Information security management C) Problem management D) Availability management

C

Which act expanded upon the privacy and reporting requirements that were originally outlined in HIPAA? A) PCI DSS B) SOX C) HITECH D) GDPR

C

Which approach is typically the most efficient method to use for data discovery? A) Labels B) ACLs C) Metadata D) Content analysis

C

Which approach to data removal involves the destruction of keys rather than the actual deletion of data? A) Encryption B) Nullification C) Cryptographic erasure D) Overwriting

C

Which aspect of security is DNSSEC designed to ensure? A) Confidentiality B) Authentication C) Integrity D) Availability

C

Which certification pertains to the accreditation of cryptographic modules? A) PCI DSS B) NIST SP 800-53 C) FIPS 140-2 D) ISO/IEC 27001

C

Which characteristic of liquid propane increases its desirability as a fuel for backup generators? A. Burn rate B. Price C. Does not spoil D. Flavor

C

Which cloud consideration refers to the ability of the infrastructure to withstand disruptive events? A) Governance B) Availability C) Resiliency D) Maintenance

C

Which cloud deployment model allows customers to take advantage of service and price differences from two or more cloud vendors? A) Public cloud B) Hybrid cloud C) Multi-cloud D) Private cloud

C

Which concept focuses on balancing virtual machines across clusters to ensure reliable and consistent performance? A) Ephemeral computing B) Distinct physical paths C) Distributed resource scheduling D) High availability

C

Which data point that auditors always desire is very difficult to provide within a cloud environment? A) Baselines B) Access policy C) Systems architecture D) Privacy statement

C

Which entity is involved in cloud service arrangements? A) Vendors B) Consultants C) Regulators D) Investors

C

Which form of BC/DR testing has the most impact on operations? A. Tabletop B. Dry run C. Full test D. Structured walk-through

C

Which is the appropriate phase of the cloud data lifecycle for determining the data's classification? A) Use B) Share C) Create D) Store

C

Which kind of data should be encrypted? A) Globally shared data B) Frequently repurposed data C) Data at rest D) Encrypted data

C

Which of the cloud cross-cutting aspects relates to the ability to reuse or move components of an application or service? A) Reversibility B) Availability C) Interoperability D) Portability

C

Which of the cloud cross-cutting aspects relates to the requirements placed on a system or application by law, policy, or requirements from standards? A) Service level agreements B) Auditability C) Regulatory requirements D) Governance

C

Which of the cloud deployment models involves spanning multiple cloud environments or a mix of cloud hosting models? A) Private B) Community C) Hybrid D) Public

C

Which of the following actions will not make data part of the Create phase of the cloud data lifecycle? A) Importing data B) Modifying data C) Modifying metadata D) Constructing new data

C

Which of the following are the storage types associated with PaaS? A) Volume and object B) Database and file system C) Structured and unstructured D) Structured and freeform

C

Which of the following defines what systems and applications are included with an audit? A) Purpose B) Limitations C) Scope D) Audience

C

Which of the following free tools from Microsoft can be used for patch management on Windows systems? A) Windows Service Manager B) Windows Patch Update Service C) Windows Server Update Service D) Windows patch management tool

C

Which of the following is _not_ a function performed by the handshake protocol of TLS? A) Negotiation of connection B) Key exchange C) Encryption D) Establish session ID

C

Which of the following is a federal law enacted in the United States to control the way that financial institutions deal with private information of individuals? A) Payment Card Industry (PCI) B) International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) C) Gramm-Leach-Bliley Act (GLBA) D) Consumer Protection Act

C

Which of the following is a restriction that can be enforced by information rights management (IRM) that is not possible for traditional file system controls? A) Delete B) Modify C) Print D) Read

C

Which of the following is always safe to use in the disposal of electronic records within a cloud environment? A) Physical destruction B) Overwriting C) Encryption D) Degaussing

C

Which of the following is an open source federated identity system commonly used in academic institutions? A) OpenID B) Chef C) Shibboleth D) Puppet

C

Which of the following is not a factor in a firewall configuration? A) Protocol B) Port C) Encryption D) Source IP

C

Which of the following is not a function performed by the record protocol of TLS? A) Compression B) Authentication C) Acceleration D) Encryption

C

Which of the following is not one of the domains within the ISO/IEC 27001:2013 standards? A) Cryptography B) Personnel C) Integrity D) Compliance

C

Which of the following is not one of the four official steps of an audit plan? A) Lessons learned B) Define objectives C) Billing and compensation D) Define scope

C

Which of the following is not one of the official risk rating categories? A) Low B) Critical C) Catastrophic D) Minimal

C

Which of the following is not part of a retention policy? A) Format B) Accessibility C) Costs D) Duration

C

Which of the following is not something that is maintained with chain of custody records? A) Locations B) Formats C) Copyrights D) Access

C

Which of the following is the optimal humidity level for a data center, per the guidelines established by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE)? A) 30-50 percent relative humidity B) 50-75 percent relative humidity C) 40-60 percent relative humidity D) 20-40 percent relative humidity

C

Which of the following is the optimal temperature for a data center, per the guidelines established by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE)? A) 44.6 - 60.8°F (7 - 16°C) B) 69.8 - 86.0°F (21 - 30°C) C) 64.4 - 80.6°F (18 - 27°C) D) 51.8 - 66.2°F (11 - 19°C)

C

Which of the following is the sole responsibility of the cloud provider, regardless of which cloud model is used? A) Data B) Infrastructure C) Physical environment D) Platform

C

Which of the following processes is used to exchange evidence during a trial in court where the information sought is in electronic format? A) Legal hold B) Identification C) eDiscovery D) Collection

C

Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies? A) BICSI B) IDCA C) Uptime Institute D) NFPA

C

Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies? A) IDCA B) NFPA C) Uptime Institute D) BICSI

C

Which of the following represents the legislation enacted to protect shareholders and the public from enterprise accounting errors and fraudulent practices? A) Payment Card Industry (PCI) B) Gramm-Leach-Bliley Act (GLBA) C) Sarbanes-Oxley Act (SOX) D) Health Insurance Portability and Accountability Act (HIPAA)

C

Which of the following service capabilities gives the cloud customer an established and maintained framework to deploy code and applications? A) Infrastructure B) Desktop C) Platform D) Software

C

Which of the following terms best describes a distributed model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources? A) Infrastructure as a Service (IaaS) B) Public cloud C) Software as a Service (SaaS) D) Private cloud

C

Which of the following will have the biggest impact on the availability of logs within a cloud environment? A) Cloud deployment model B) Cloud service category C) Cloud service model D) Cloud cross-cutting aspect

C

Which of the following would not be an appropriate limitation to be included as an audit restriction? A) Types of invasive testing B) Names of auditors C) Length of audit report D) Devices of auditors

C

Which one of the following elements is not always required for the creation of a legal contract? A. An offer B. Acceptance of an offer C. Written agreement D. Consideration

C

Which one of the following is not a law that would concern cloud security professionals? A. GLBA B. HIPAA C. PCI DSS D. SOX

C

Which one of the following items is not normally included in a request for an exception to security policy? A. Description of a compensating control B. Description of the risks associated with the exception C. Proposed revision to the security policy D. Business justification for the exception

C

Which one of the following organizations is least likely to be subject to the requirements of HIPAA? A. Health insurance company B. Hospital C. Medical device manufacturer D. Health information clearinghouse

C

Which process is used to prevent the aggregation of indirect identifiers from directly identifying an individual? A) Masking B) Obfuscation C) Anonymization D) Tokenization

C

Which protocol does the REST API depend on? A) SAML B) XML C) HTTP

C

Which safety control acts as a virtual firewall in cloud environments? A) Traffic inspection B) Zero trust C) Network security group D) Geofencing

C

Which security concept would business continuity and disaster recovery fall under? A) Fault tolerance B) Integrity C) Availability D) Confidentiality

C

Which security paradigm requires users to be continually validated for authorization while they are using an application or service? A) Multifactor authentication B) Geofencing C) Zero trust network D) Least privilege

C

Which storage architecture contains nodes that are logically connected rather than physically connected? A) Tightly coupled clusters B) Data dispersion C) Loosely coupled clusters D) Archival storage

C

Which technology allows cryptographic secrets to be held in a secure way so that they can be recovered by parties who have authorization? A) Revocation B) Key distribution C) Key escrow D) Lifetime

C

Which term is used for when the possession of evidence is logged? A) Parol evidence B) Legal hold C) Chain of custody D) Lawful intercept

C

Which tool can reduce confusion and misunderstanding during a BC/DR response? A. Flashlight B. Controls matrix C. Checklist D. Call tree

C

Which type of common threat involves leveraging access to an environment to snoop on other systems within it? A) System vulnerability B) Insider threat C) Account hijacking D) Insufficient due diligence

C

Which type of common threat involves trusted and approved users of a system leveraging their legitimate access for unauthorized purposes? A) Account hijacking B) Insufficient due diligence C) Insider threat D) Data breach

C

Which type(s) of storage are most likely to be used in IaaS cloud deployments? A) Structured and unstructured storage B) Content delivery network (CDN) C) Volume and object storage D) Ephemeral storage

C

Which value refers to the amount of time it takes to recover operations in a BCDR situation to meet management's objectives? A) RSL B) RPO C) RTO D) SRE

C

Which value refers to the percentage of production-level restoration needed to meet BCDR objectives? A) RTO B) SRE C) RSL (Recovery Service Level) D) RPO

C

Why does a Type 1 hypervisor typically offer tighter security controls than a Type 2 hypervisor? A) A Type 1 hypervisor performs hardware-level encryption for tighter security and efficiency. B) A Type 1 hypervisor only hosts virtual machines with the same operating systems as the hypervisor. C) A Type 1 hypervisor is tied directly to the bare metal and only runs with code necessary to perform its specific mission. D) A Type 1 hypervisor also controls patching of its hosted virtual machines to ensure they are always secure.

C

With software-defined networking, what aspect of networking is abstracted from the forwarding of traffic? A) Routing B) Session C) Filtering D) Firewalling

C

Yarif's organization uses a secrets management tool to handle its secrets lifecycle. Yarif wants to explain a typical secret's lifecycle to one of his staff. What order is typical for a secret? A. Creation, revocation, rotation, expiration B. Expiration, creation, rotation, revocation C. Creation, rotation, revocation, expiration D. Creation, rotation, expiration, revocation

C

Yasine's organization wants to enable systems to use data controlled by an IRM. What method is most commonly used to identify systems while allowing them to have their trust revoked if needed? A. LEAP authentication B. Multifactor authentication C. Certificate-based authentication and authorization D. TACACS

C

Yasmine's organization has identified data masking as a key security control. Which of the following functions will it provide? A. Secure remote access B. Enforcing least privilege C. Testing data in sandboxed environments D. Authentication of privileged users

C

You are an employee of a cloud service provider (CSP). The CSP is designing a new data center, and you must provide the guidelines for cable management in the under-floor areas. Which of the following statements are FALSE? 1) Cable congestion in the raised floor can reduce the total airflow. 2) The cable management strategy should maximize airflow obstructions caused by cabling. 3) The raised floor will provide a cold air feed and a place to run wiring. 4) The company should install a raised floor with a minimum height of 24 inches. 5) The company should install a raised floor with a minimum height of 30 inches. A) 1, 2 B) 2, 3 C) 2, 5 D) 3, 4

C

You are considering purchasing an e-commerce system where the cloud provider runs a hosted application on their own servers. What cloud service category is the provider offering? A. IaaS B. PaaS C. SaaS D. FaaS

C

You are currently working to ensure that the data retention policies for your company's cloud deployment are correct. Which phase of the cloud data life cycle will these policies affect? A) Create B) Store C) Archive D) Destroy

C

You are designing the encryption system to use for your cloud solution. What type of cryptography would be appropriate when most of the access to the cloud will be from smartphones and tablets? A) AES B) DES C) ECC (Elliptical curve cryptography) D) Triple DES

C

You have recently been hired by a company with a SaaS cloud that was launched earlier this year. You discover that the appropriate risk assessment was not performed prior to the deployment. As a result, a number of issues have been encountered since the cloud deployment that could have been mitigated. What is the threat that has occurred in this scenario? A) Shared technology issues B) Denial of service C) Insufficient due diligence D) APTs

C

You need to design an auditing plan for your company's PaaS cloud deployment. Which of the following are NOT logging recommendations by the Open Web Application Security Project (OWASP)? A) authentication successes and failures B) authorization failures C) packet captures D) validation errors

C

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk? A. Reduced the magnitude B. Eliminated the vulnerability C. Reduced the probability D. Eliminated the threat

C

Your company deploys a SaaS solution with a large cloud service provider (CSP). Six months into the deployment, the CSP experienced a system-wide issue that affected all customers, resulting in prolonged downtime during prime business hours. Now management wants to deploy a business continuity plan that would ensure that service will be restored within 30 minutes of downtime while minimizing resource costs. Which of the following BC/DR solutions would be best in this scenario? A) on-premises cloud deployment; CSP BC/DR B) CSP cloud deployment; on-premises BC/DR C) CSP cloud deployment; alternative provider BC/DR D) CSP cloud deployment; primary provider BC/DR

C

Your company runs a media distribution site that offers users rich video content and audio files. It is used by a large international audience, and you want the delivery of your content to have the lowest possible latency for the customers. Which technology would you look to employ to solve this problem? A) Broad network access B) Resource pooling C) Edge computing D) Ephemeral computing

C

Your organization is in an industry that follows the recommendations of PCI-DSS. What type of data does this cover? A) driving records B) banking records C) credit card data D) medical records

C

_______________ drive security decisions. A. Customer service responses B. Surveys C. Business requirements D. Public opinion

C

Hrant wants to ensure that traffic inside of his organization's Azure Virtual Network (VNet), Azure's basic building block for customer IaaS instances, is secure. What should he do to protect it? A. VNet traffic is already secure; he does not need to do anything. B. Set up VPN tunnels between each system. C. Set up and use a bastion host for all secure traffic. D. Use end-to-end encryption for all communications.

D

A UPS should have enough power to last how long? A. 12 hours B. 10 minutes C. One day D. Long enough for graceful shutdown

D

A bad actor working for an enemy state has created malware that has the purpose of stealing data from the other country regarding their military and its products and capabilities. The bad actor has planted malware on the enemy's systems and has left it, undetected, for eight months. What is the name of this type of attack? A) Human error B) Malicious insider C) Insecure Application Programming Interface (API) D) Advanced persistent threat (APT)

D

A cloud service provider (CSP) needs to provide an audit report in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). Which of the following reports should be completed? A) SOC 2 Type 1 B) SOC 3 C) SOC 2 Type 2 D) SOC 1

D

A company is looking at different types of cloud storage options. One of the threats to cloud storage that the company foresees is the possibility of losing forensic artifacts in the event of an incident response investigation. Which type of cloud storage has the highest risk of losing forensic artifacts in the event of an incident response investigation? A) File-based B) Long-term C) Block D) Ephemeral

D

A security analyst is tasked with collecting evidence related to a data breach involving monetary theft. Which action should the security analyst take when accessing the breached system? A) Create an unencrypted backup of all data B) Create an encrypted backup of all data C) Detail and replicate all activities taken D) Document and record all activities taken

D

A data and media sanitization clause is being included as part of the service level agreement (SLA) with your company's cloud service provider. Which sanitization method is the preferred method of sanitization? A) overwriting B) degaussing C) cryptographic erasure D) physical destruction

D

Alaina wants to ensure that her system instances for a web application hosted in her cloud data center have proper security for data at rest. What solution should she select to help ensure this? A. Disk or volume hashing B. Use only ephemeral disks or volumes C. Use read-only disks or volumes D. Disk or volume encryption

D

All policies within the organization should include a section that includes all of the following except: A. Policy maintenance B. Policy monitoring C. Policy enforcement D. Policy transference

D

An analyst needs to scan hosts for misconfigurations and known security threats that could lead to a security incident. Which type of scanner will allow the analyst to check for these types of issues? A) Protocol B) Address C) Port D) Vulnerability

D

An engineer entered a data center and noticed that the humidity level was 20 percent relative humidity. What risk could this pose to systems? A) Systems may overheat and burn internal components B) There is no risk because 20% relative humidity is the ideal humidity level C) Condensation may form, causing water damage D) Electrostatic discharge causing damage to the equipment

D

An online store has declared a disaster situation because of a large storm in the area of its primary cloud data center location. The emergency plan has allowed the store to remain online and accept payments, but it has fallen out of compliance with its Payment Card Industry Data Security Standard (PCI DSS) practices. Which party should the store keep apprised of ongoing developments and the potential solutions being considered? A) Customers B) Developers C) Consumers D) Regulators

D

An organization wants to ensure that untested software updates provided by a third-party vendor are not run in its mission-critical environment. What should the organization use in this scenario? A) Automatic updates B) Update notifications C) Update documentation D) Manual updates

D

An organization's engineers recently attended a training session that raised their awareness of the dangers of using weak algorithms or protocols for data security. Which Open Web Application Security Project (OWASP) Top 10 vulnerability category did their training cover? A) Insecure design B) Hashing C) Sandboxing D) Cryptographic failures

D

At which stage of the BCDR plan creation phase should security be included in discussions? A) Gather requirements B) Assess risk C) Define scope D) Analyze

D

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. Aziz is assessing the risk of a denial-of-service attack against the database where the attacker would destroy the data contained within the database. He expects that it would cost approximately $500,000 to reconstruct the database from existing records. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the exposure factor (EF)? A. 5 percent B. 20 percent C. 50 percent D. 100 percent

D

Best practices for key management include all of the following except: A. Having key recovery processes B. Maintaining key security C. Passing keys out of band D. Ensuring multifactor authentication

D

Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk? A. Inherent risk B. Control risk C. Risk appetite D. Residual risk

D

Charles wants to ensure that files in his cloud file system have not been changed. What technique can he use to compare files to determine if changes have been made? A. Obfuscation B. Masking C. Tokenization D. Hashing

D

Chinelo has been working with the legal department to ensure that they are in compliance with appropriate laws. The business that he works for is a financial services company. As they are located in the US, which law must they be in compliance with? A) Federal Information Management Act (FISMA) B) Service Organization Control (SOC) 1® Type II C) Basel III D) Sarbanes Oxley (SOX)

D

Countermeasures for protecting cloud operations against internal threats at the provider's data center include all of the following except: A. Broad contractual protections to make sure the provider is ensuring an extreme level of trust in its own personnel B. Financial penalties for the cloud provider in the event of negligence or malice on the part of its own personnel C. DLP solutions D. Scalability

D

Dana wants to ensure the availability of her guest operating systems. Which of the following techniques is not a common technique to help improve the availability of guest operating systems? A. Clustering of VM hosts B. Storage clustering C. Distributed resource scheduling D. Enabling a load balancer

D

During a negligence lawsuit, the court determined that the respondent was not at fault because the plaintiff did not present evidence that they suffered some form of harm. What element of negligence was missing from this case? A. Duty of care B. Breach of duty C. Causation D. Damages

D

During an investigation, government agents asked a security professional to collect the records stored in a database and present them to the court. Which process should the security professional use to identify and obtain that information? A) Electronic communication B) Error correcting code (ECC) memory C) Cyclic redundancy check (CRC) D) Electronic discovery

D

Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except: A. The cloud provider's suppliers B. The cloud provider's vendors C. The cloud provider's utilities D. The cloud provider's resellers

D

For performance purposes, OS monitoring should include all of the following except: A. Disk space B. Disk I/O usage C. CPU usage D. Print spooling

D

From a security perspective, what must be defined for an audit before any testing or collection is performed? A) Audience for reports B) Reports C) Debriefing schedule D) Classification

D

From the perspective of compliance, what is the most important consideration when it comes to data center location? A) Utility access B) Natural disasters C) Personnel access D) Jurisdiction

D

Gary wants to drain currently running virtual machines from a VM server host so that he can replace failing hardware in the system. What should he enable to allow this to occur? A. Distributed resource scheduling B. Dynamic optimization C. Storage clustering D. Maintenance mode

D

Generator fuel storage for a cloud data center should last for how long, at a minimum? A. 10 minutes B. Three days C. Indefinitely D. 12 hours

D

Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

D

Grazing is working with the cloud security architect on the design of the encryption that will be used to protect the data that they need to store within the public cloud. The corporation formerly made the decision to store their data within the public cloud because it is much cheaper than building the physical Storage Area Networks (SAN) they would need within their own datacenter. Of the following, which is the MOST important to consider when planning encryption? A) Encryption algorithms B) Data format requirements C) Regulatory requirements D) Key storage location

D

Henry knows that multifactor authentication consists of at least two items and that they have to be of different types. Which of the following is a valid multifactor authentication option? A. A complex password and a secret code B. Complex passwords and an HSM C. A hardware token and a magnetic strip card D. A password and an application generated PIN on a smartphone

D

Hu has placed copies of his data in multiple data centers. What data resiliency technique has he employed? A. Mirroring B. RAID C. Data cloning D. Data dispersion

D

If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad? A. Integrity B. Authentication C. Confidentiality D. Availability

D

Jack wants to design a redundant power system for his data center. Which of the following is not a common element in a fully redundant power system? A. Power from two or more utility providers B. UPS devices in each rack C. Multiple generators D. Solar power arrays

D

Jaime has been informed of legal action against his company and must now ensure that data relevant to the case is kept. What term describes this? A. Legal retention B. Legal archiving C. Court hold D. Legal hold

D

Jason wants to validate that the open-source software package he has downloaded matches the official release. What technique is commonly used to validate packages? A. Encryption B. Rainbow tables C. Decryption D. Hashing

D

Jim wants to harden his virtualization environment. Which of the following is not a common hypervisor hardening technique? A. Restricting the use of superuser accounts B. Requiring multifactor authentication C. Logging and alerting on improper usage D. Enabling secure boot for guest systems

D

Joanna's team of developers is reviewing source code to identify potential issues. What type of testing is Joanna's team conducting? A. Dynamic B. Interactive C. Black box D. Static

D

Lisa's organization installs virtualization tools on each virtual machine it sets up. Which of the following is not a common function of virtualization tools? A. Access to sound and video cards B. Mapping storage C. Improved networking D. Control of the underlying host operating system

D

Management has requested that you confirm with your company's CSP the failover capability of the cloud deployment used. Which of the following best provides this information? A) Relevant VM images are copied to the CSP's backup facility. B) Backup functions provide snapshot functionality to ensure that data can be restored. C) Alternate CSP locations are deployed to ensure that CSP functionality can continue in the event of a natural disaster. D) Cluster managers are deployed to ensure that the resources share the load.

D

Management is concerned that virtualization hosts could be compromised by attackers. You have been asked to implement a measure that will reduce the attack surface of the hypervisor. What is the BEST solution? A) Implement a Type II hypervisor. B) Isolate each virtual machine. C) Isolate each host. D) Implement a Type 1 hypervisor.

D

OpenID is an authentication protocol based on which specifications? A) XML B) WS-Federation C) SAML D) OAuth

D

Pete wants to configure network security defenses for his cloud-hosted instances. What cloud security tool is best compared to a firewall? A. Cloud watchers B. Cloud IDS C. Cloud IPS D. Network security groups

D

State data breach notification laws may require organizations to notify which of the following parties? A. Consumers impacted by the breach B. State regulatory authorities C. National credit reporting agencies D. All of the above

D

The European Union passed the first major regulation declaring data privacy to be a human right. In what year did it go into effect? A) 2000 B) 2010 C) 1990 D) 1995

D

The accounting department in your organization is considering using a new cloud service provider. As you investigate the provider, you discover that one of their major investors withdrew their support and will not be providing future funding. What major concern should you raise? A. Vendor lock-in B. Vendor suitability C. Vendor security D. Vendor viability

D

The auditor that Ian's company works with has inquired about whether his organization uses a software composition analysis tool as part of its risk management efforts. What capability is the auditor asking Ian about? A. The ability to identify the language in which source code is written B. The ability to identify software version numbers in a codebase C. The ability to identify the language in which compiled code is written D. The ability to identify open-source software in a codebase

D

The cloud deployment model that features joint ownership of assets among an affinity group is known as: A. Private B. Public C. Hybrid D. Community

D

The goals of SIEM solution implementations include all of the following except: A. Centralization of log streams B. Trend analysis C. Dashboarding D. Performance enhancement

D

The various models generally available for cloud BC/DR activities include all of the following except: A. Private architecture, cloud backup B. Cloud provider, backup from same provider C. Cloud provider, backup from another cloud provider D. Cloud provider, backup from private provider

D

What are the four approaches to responding to risk? A) Accept, deny, mitigate, revise B) Accept, dismiss, transfer, mitigate C) Accept, deny, transfer, mitigate D) Accept, avoid, transfer, mitigate

D

What are the two types of physical storage systems typically used in a cloud environment? A) SAN and SDD B) RAID and SCSI C) iSCSI and SDD D) RAID and SAN

D

What category of law best describes the HIPAA Privacy Rule? A. Constitutional law B. Common law C. Legislative law D. Administrative law

D

What does static application security testing offer as a tool to testers? A) Production system scanning B) Live testing C) Injection attempts D) Source code access

D

What feature of a SIEM solution can simplify an organization's strategy for log retention compliance? A) Dashboards B) Reporting C) Alerting D) Aggregation

D

What feature of a SIEM solution enables the discovery of similar events throughout the enterprise? A) Reporting B) Dashboards C) Alerting D) Correlation

D

What is a potential problem with using object storage versus volume storage within IaaS in regard to availability? A) Object storage is dependent on access control from the host server. B) Object storage may have availability issues. C) Object storage is only optimized for small files. D) Object storage is its own system, and data consistency depends on replication.

D

What is a standard configuration and policy set that is applied to systems and virtual machines called? A) Standardization B) Hardening C) Redline D) Baseline

D

What is an often-overlooked concept that is essential to protecting the confidentiality of data? A) Strong passwords B) Security controls C) Policies D) Training

D

What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function? A) Disable B) Stop C) Monitor D) Remove

D

What is the best source for information about securing a physical asset's BIOS? A) Regulations B) Manual pages C) Security policies D) Vendor documentation

D

What is the biggest challenge to data discovery in a cloud environment? A) Ownership B) Format C) Multitenancy D) Location

D

What is the biggest concern with hosting a key management system outside of the cloud environment? A) Integrity B) Portability C) Confidentiality D) Availability

D

What is the correct term for the process of deliberately destroying the encryption keys used to encrypt data? A) Poor key management B) Public key infrastructure (PKI) C) Obfuscation D) Crypto shredding

D

What is the data encapsulation used with SOAP referred to as? A) Payload B) Object C) Packet D) Envelope

D

What is the primary coverage area in ISO/IEC 28000:2007? A) security techniques for PII in public clouds B) information security management systems C) risk management D) security management systems for the supply chain

D

What is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security? A) Randomization B) Elasticity C) Obfuscation D) Tokenization

D

What is the term we use to describe the general ease and efficiency of moving data from one cloud provider to another cloud provider or down from the cloud? A. Mobility B. Elasticity C. Obfuscation D. Portability

D

What process is used within a cloud environment to maintain resource balancing and ensure that resources are available where and when needed? A) Dynamic balancing B) Dynamic clustering C) Dynamic resource scheduling D) Dynamic optimization

D

What type of masking strategy involves making a separate and distinct copy of data with masking in place? A) Dynamic B) Replication C) Duplication D) Static

D

What type of network model combines the storage and IP-based traffic into a single virtualized design? A) Combined B) Concurrent C) Cooperative D) Converged

D

When an organization is considering using multiple cloud providers for BCDR, which of the following concepts is the most important? A) Elasticity B) Reversibility C) Interoperability D) Portability

D

When an organization uses a cloud provider for BCDR, where services are only enabled if needed in the event of an incident, which would be the most important consideration while bringing up services? A) Measured service B) Broad network access C) Resource pooling D) Rapid elasticity

D

When long-term storage is used to save costs, which of the following is the most important consideration in the selection of an appropriate storage tier? A) Volume size B) Backups C) Redundancy D) Access time

D

When packet capture is being performed in a cloud environment, what is the main challenge facing the cloud customer? A) Data dispersion B) Virtualization C) Geolocation D) Network device access

D

When using an Infrastructure as a Service (IaaS) solution, what is the key benefit for the customer? A) Scalability B) Metered service C) Energy and cooling efficiencies D) Transfer of ownership cost

D

Which ITIL component is focused on structured and methodical modifications to systems or applications? A) Deployment management B) Configuration management C) Release management D) Change management

D

Which U.S. federal law has a significant impact on cloud computing? A) Americans with Disabilities Act (ADA) B) Consumer Protection Act (CPA) C) Freedom of Information Act (FOIA) D) Sarbanes-Oxley Act (SOX)

D

Which United States law is focused on accounting and financial practices of organizations? A) Safe Harbor B) HIPAA C) GLBA D) SOX

D

Which amendment to the U.S. Constitution explicitly grants individuals the right to privacy? A. First Amendment B. Fourth Amendment C. Fifth Amendment D. None of the above

D

Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance? A) Resource pooling B) Dynamic optimization C) Multitenancy D) Virtualization

D

Which attribute of data poses the biggest challenge for data discovery? A) Labels B) Format C) Volume D) Quality

D

Which certification or assessment does NOT include risk management or cloud data security? A) CSA Attestation OCF Level 2 B) EuroCloud Self-Assessment C) Certified Cloud Service - TUV Rhineland D) ISO/IEC 27001

D

Which concept BEST describes the capability for a cloud environment to automatically scale a system or application based on its current resource demands? A) Resource pooling B) On-demand self-service C) Measured service D) Rapid elasticity

D

Which concept refers to the ability to confirm the origin or authenticity of data? A) Validation B) Authentication C) Repudiation D) Nonrepudiation

D

Which design pillar represents the ability of a workload to execute its intended function accurately and consistently when it is expected to? A) Security B) Operational excellence C) Cost optimization D) Reliability

D

Which document specifies the service guarantees a vendor will provide and the remedies available if the vendor fails to adhere to them? A) Master service agreement (MSA) B) Nondisclosure agreement (NDA) C) Business partnership agreement (BPA) D) Service level agreement (SLA)

D

Which emerging type of encryption aims to allow the manipulation of data without the need to unencrypt it first? A) Dynamic B) Elliptic curve C) Transparent D) Homomorphic

D

Which kind of analysis identifies and reports on risks affecting availability, integrity, and confidentiality (AIC) of key information assets? A) Network analysis B) Predictive analysis C) Market analysis D) Gap analysis

D

Which legal requirement mandates companies in the United States to provide federal officials with data even if the data is not stored in the United States and disclosure of the data is illegal under the laws where it is stored? A) The Sarbanes-Oxley (SOX) Act B) The General Data Protection Regulation (GDPR) C) The Gramm-Leach-Bliley Act (GLBA) D) The Clarifying Lawful Overseas Use of Data (CLOUD) Act

D

Which networking concept in a cloud environment allows for network segregation and isolation of IP spaces? A) LAN B) PLAN C) WAN D) VLAN

D

Which of the cloud cross-cutting aspects relates to the ability for a cloud customer to easily remove their applications and data from a cloud environment? A) Availability B) Portability C) Interoperability D) Reversibility

D

Which of the cloud deployment models is used by popular services such as iCloud, Dropbox, and OneDrive? A) Private B) Hybrid C) Community D) Public

D

Which of the cloud deployment models offers the most control and input to the cloud customer as to how the overall cloud environment is implemented and configured? A) Hybrid B) Public C) Community D) Private

D

Which of the following approaches would not be considered sufficient to meet the requirements of secure data destruction within a cloud environment? A) Overwriting B) Zeroing C) Cryptographic erasure D) Deletion

D

Which of the following can be used to separate VMs in the cloud at both Layer 2 and Layer 3? A) VPNs B) blacklists C) subnets D) VLANs

D

Which of the following cloud aspects complicates eDiscovery? A) Measured service B) Resource pooling C) On-demand self-service D) Multitenancy

D

Which of the following concepts is a primary determinant in regard to the storage costs incurred by a cloud customer? A) Data replication B) Data preservation C) Data distribution D) Data dispersion

D

Which of the following is NOT a characteristic of the log collection process? A) sufficient experience and training requirements B) often not a priority C) mundane and repetitive D) difficult process, easy analysis

D

Which of the following is a widely used tool for code development, branching, and collaboration? A) Maestro B) Orchestrator C) Conductor D) GitHub

D

Which of the following is an example of a form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere? A) Raw storage B) Flash storage C) Obfuscation archiving D) Mobile cloud storage

D

Which of the following is least likely to be deployed in a multi-tenant architecture? A) public cloud B) community cloud C) semi-private cloud D) private cloud

D

Which of the following is not a component covered by the GDPR? A) Disclosure B) Requested removal of data C) Notification for data breaches D) Location of data

D

Which of the following is not a component of the STRIDE model? A. Spoofing B. Repudiation C. Information disclosure D. Exploitation

D

Which of the following is not a domain of the Cloud Controls Matrix (CCM)? A) Data center security B) Human resources C) Mobile security D) Budgetary and cost controls

D

Which of the following is not a function performed by an SIEM solution? A) Reporting B) Alerting C) Searching D) Tracking

D

Which of the following is not a key area for performance monitoring as far as an SLA is concerned? A) CPU B) Network C) Memory D) Users

D

Which of the following is not a potential consequence an organization may face under state law following a breach? A. An obligation to provide free credit monitoring to affected consumers B. Enforcement actions, including penalties, from state attorneys general C. Civil actions brought by consumers under a private right of action D. Criminal prosecution of company employees who allowed the breach to occur

D

Which of the following is not a regulatory system from the United States federal government? A) HIPAA B) FISMA C) SOX D) PCI DSS

D

Which of the following is not a unit that is used to define a limit with a cloud environment? A) Customer B) Application C) Virtual machine D) Hypervisor

D

Which of the following is not one of the three components of a federated identity system transaction? A) User B) Relying party C) Identity provider D) Proxy relay

D

Which of the following is the biggest concern or challenge with using encryption? A) Efficiency B) Protocol standards C) Cipher strength D) Dependence on keys

D

Which of the following is the optimal temperature for a data center, per the guidelines established by the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)? A) 51.8 - 66.2°F (11 - 19°C) B) 44.6 - 60.8°F (7 - 16°C) C) 68.8 - 86.0°F (21 - 30°C) D) 64.4 - 80.6°F (18 - 27°C)

D

Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used? A) Application B) Infrastructure C) Platform D) Data

D

Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used? A) Application B) Platform C) Infrastructure D) Governance

D

Which of the following pertains to a macro-level approach to data center design rather than the traditional tiered approach? A) BICSI B) Uptime Institute C) NFPA D) IDCA (International Data Center Authority)

D

Which of the following pertains to fire safety standards within data centers and their enormous electrical consumption? A) IDCA B) BICSI C) Uptime Institute D) NFPA

D

Which of the following roles involves testing, monitoring, and securing cloud services for an organization? A) Cloud service business manager B) Cloud service user C) Cloud service integrator D) Cloud service administrator

D

Which of the following roles is responsible for overseeing customer relationships and the processing of financial transactions? A) Cloud service deployment manager B) Cloud service operations manager C) Cloud service manager D) Cloud service business manager

D

Which of the following roles is responsible for the creation of cloud components and the testing and validation of services? A) Cloud service broker B) Cloud auditor C) Inter-cloud provider D) Cloud service developer

D

Which of the following service categories entails the least amount of support needed on the part of the cloud customer? A) PaaS B) DaaS C) IaaS D) SaaS

D

Which of the following should not be part of the requirement analysis phase of the software development lifecycle? A) Software platform B) Functionality C) Programming languages D) Security requirements

D

Which of the following standards primarily pertains to cabling designs and setups in a data center? A) NFPA B) Uptime Institute C) IDCA D) BICSI (Building Industry Consulting Service International)

D

Which of the following steps in the data discovery process will help to ensure that the cloud security controls that are implemented comply with data privacy acts and cover their tenets? A) selecting controls B) classifying discovered data C) implementing data discovery D) mapping controls

D

Which of the following storage types is most closely associated with a database-type storage implementation? A) Unstructured B) Volume C) Object D) Structured

D

Which of the following technologies is used to monitor network traffic and block any potential threats or attacks that match defined signatures and policies? A) WAF B) Firewall C) IDS D) IPS

D

Which of the following technologies is used to monitor network traffic and notify if any potential threats or attacks are noticed? A) IPS B) WAF C) Firewall D) IDS

D
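The two questions above draw the line between an IDS (passive: it sees traffic, raises an alert, and the packet still reaches its destination) and an IPS (inline: a signature match drops the packet before it is forwarded). The following added example, which is not part of the study set, makes that difference concrete with a tiny signature engine run over a few constructed HTTP request lines; the signatures, IDs and sample addresses are all illustrative.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sid: int              # illustrative signature id (not from any real ruleset)
    name: str
    pattern: re.Pattern


# Constructed signatures for the demo; real IDS/IPS rulesets are far larger and more precise.
SIGNATURES = [
    Signature(1001, "SQL tautology in parameter", re.compile(r"(?i)('|%27)\s*or\s+1\s*=\s*1")),
    Signature(1002, "Directory traversal", re.compile(r"\.\./\.\./")),
    Signature(1003, "Shell command injection", re.compile(r";\s*(cat|wget|curl)\s")),
]

# Constructed sample traffic; src addresses are from documentation ranges.
SAMPLE_TRAFFIC = [
    {"src": "203.0.113.5", "payload": "GET /search?q=laptops HTTP/1.1"},
    {"src": "203.0.113.9", "payload": "GET /item?id=1' OR 1=1-- HTTP/1.1"},
    {"src": "198.51.100.7", "payload": "GET /static/../../etc/passwd HTTP/1.1"},
    {"src": "203.0.113.5", "payload": "POST /login HTTP/1.1"},
]


@dataclass
class InspectionResult:
    forwarded: list = field(default_factory=list)   # packets that reached the destination
    alerts: list = field(default_factory=list)      # (sid, name, src) tuples raised


def inspect(packets, mode):
    """Run every packet through the signature set.

    mode="ids": detection only; every packet is forwarded, matches only produce alerts.
    mode="ips": inline prevention; a matching packet is alerted on AND dropped.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    result = InspectionResult()
    for pkt in packets:
        hit = next((s for s in SIGNATURES if s.pattern.search(pkt["payload"])), None)
        if hit is not None:
            result.alerts.append((hit.sid, hit.name, pkt["src"]))
            if mode == "ips":
                continue          # dropped inline: never appended to forwarded
        result.forwarded.append(pkt)
    return result


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        r = inspect(SAMPLE_TRAFFIC, mode)
        print(f"{mode.upper()}: forwarded {len(r.forwarded)}/{len(SAMPLE_TRAFFIC)}, alerts {len(r.alerts)}")
```

The same signatures and the same alerts come out of both modes; only the forwarded set differs. That is also the operational trade-off: a false positive on an IDS costs an analyst some time, while the same false positive on an IPS drops legitimate traffic.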

Which of the following tests of the BCP provides the highest level of simulation, including notification and resource mobilization? A) tabletop exercise B) walk-through drill C) functional drill D) full-interruption test

D

Which of the following types of applications is likely to work with application virtualization? A) Applications that require access to system drivers B) Antivirus software C) Applications that require shared memory D) 32-bit applications

D

Which of the following would not be considered part of resource pooling with an Infrastructure as a Service implementation? A) Memory B) Storage C) CPU D) Application

D

Which of the following would not be included in the criteria for audit deliverables? A) Structure B) Audience C) Format D) Length

D

Which one of the following documents must normally be approved by the CEO or a similarly high-level executive? A. Standard B. Procedure C. Guideline D. Policy

D

Which one of the following is the most important security consideration when selecting a new computer facility? A) Local law enforcement response times B) Location adjacent to competitor's facilities C) Aircraft flight paths D) Utility infrastructure

D

Which part of a network should a security information and event management (SIEM) suite use to ensure network devices in a software-defined network are properly forwarding traffic? A) Data plane B) Debug log C) Error log D) Control plane

D

Which phase of software design includes gathering customer input to determine a system's desired functionality? A) Ongoing operations B) Decommissioning C) Planning D) Requirements definition

D

Which protocol allows a system to use block-level storage as if it was a SAN, but over TCP network traffic instead? A) TLS B) SCSI C) SATA D) iSCSI

D

Which publication from the United States National Institute of Standards and Technology pertains to defining cloud concepts and definitions for the various core components of cloud computing? A) SP 800-40 B) SP 800-53 C) SP 800-153 D) SP 800-145

D

Which risk management strategy involves changing business practices to eliminate the potential of an enterprise risk? A) Acceptance B) Transference C) Mitigation D) Avoidance

D

Which scheme would provide protection if an entire physical solid-state drive was lost or stolen? A) File-level encryption B) Transport Layer Security (TLS) C) Secure Sockets Layer (SSL) D) Full-disk encryption

D

Which security concept, if implemented correctly, will protect the data on a system, even if a malicious actor gains access to the actual system? A) Firewalls B) Access control C) Sandboxing D) Encryption

D

Which software development methodology is sequential, with each phase followed by the next phase and with no overlap between the phases? A) Scrum B) Lean C) Agile D) Waterfall

D

Which technique involves replacing values within a specific data field to protect sensitive data? A) Anonymization B) Tokenization C) Obfuscation D) Masking

D
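The four options in the question above are easy to confuse because they all replace a value in a field; they differ in whether the original can be recovered and by whom. The following added example (not part of the study set) shows masking, tokenization and a keyed-hash pseudonym side by side on one constructed record. The record, the vault class and the key are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; field names are assumed for the demo.
RECORD = {"name": "Ada Example", "card": "4111111111111111", "zip": "90210"}
PSEUDONYM_KEY = b"demo-keyed-hash-secret"   # assumption: a real deployment keeps this in secrets management


def mask(value, keep_last=4, fill="X"):
    """Masking: overwrite characters in place, keeping length/format and the trailing digits.
    Not reversible; suited to display and test data."""
    if len(value) <= keep_last:
        return fill * len(value)
    return fill * (len(value) - keep_last) + value[-keep_last:]


class TokenVault:
    """Tokenization: swap the real value for a random surrogate and keep the mapping in a vault.
    Reversible, but only by a system that can read the vault."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value in self._by_value:          # same input always gets the same token
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]


def pseudonymize(value, key):
    """Keyed hash: a consistent surrogate without a stored mapping. Records stay linkable by
    the surrogate, so this is pseudonymization rather than full anonymization."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def protect_record(record, vault, key):
    """Apply one technique per field so the differences are visible in the output."""
    return {
        "name": pseudonymize(record["name"], key),
        "card_token": vault.tokenize(record["card"]),   # reversible via the vault
        "card_display": mask(record["card"]),           # not reversible
        "zip": record["zip"][:3] + "XX",                 # generalisation (coarser, not reversible)
    }


if __name__ == "__main__":
    v = TokenVault()
    print(protect_record(RECORD, v, PSEUDONYM_KEY))
```

Masking changes only the visible field and keeps nothing to recover from, which is why it is the answer for "replacing values within a specific data field"; tokenization moves the sensitivity into the vault instead of removing it.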

Which technology can be useful during the Share phase of the cloud data lifecycle to continue to protect data as it leaves the original system and security controls? A) WAF B) IPS C) IDS D) DLP

D

Which technology is used to protect the confidentiality of data from on-path attacks? A) Bring your own device (BYOD) B) Data loss prevention (DLP) C) Information Rights Management (IRM) D) Transport Layer Security (TLS)

D

Which term defines how easy it is to move and reuse application components, regardless of the provider, platform, OS, infrastructure, location, storage, format of data, or APIs? A) Portability B) Availability C) Security D) Interoperability

D

Which tier of service is provided by a data center that is designed to have independent and physically isolated systems, multiple distribution paths, and fault tolerance for components? A) Tier 1 B) Tier 2 C) Tier 3 D) Tier 4

D

Which type of audit report do many cloud providers use to instill confidence in current and potential customers concerning their policies, practices, and procedures? A) SOC 1 B) SOX C) SAS-70 D) SOC 2

D

Which type of audit report is considered a "restricted use" report for its intended audience? A) SAS-70 B) SSAE-18 C) SOC Type 2 D) SOC Type 1

D

Which type of audit reports are intended for broad or public release? A) SOC Type 1 B) SOC Type 2 C) SAS-70 D) SOC Type 3

D

Which type of communication channel should be established between parties in a supply chain to be used in a disaster situation? A) Back B) Landline C) Satellite D) Secondary

D

Which type of statement issued by an auditor indicates that an organization did not disclose enough information to perform a fair audit? A) Income B) Adverse opinion C) Compliance D) Scope limitation

D

Who would be responsible for implementing IPSec to secure communications for an application? A) Developers B) Cloud customer C) Auditors D) Systems staff

D

Why is the striping method of storing data used in most redundant array of independent disks (RAID) configurations? A) It prevents outages and attacks from occurring in a cloud environment. B) It prevents data from being recovered once it is destroyed using crypto-shredding. C) It allows data to be safely distributed and stored in a common centralized location. D) It allows efficient data recovery as even if one drive fails, other drives fill in the missing data.

D

With a SaaS implementation, which types of logs are typically available directly to the cloud customer? A) Patching B) Change management C) Security D) Billing

D

Within a federated identity system, to whom does the identity provider send information after a successful authentication? A) Service originator B) Service relay C) Relaying party D) Relying party

D
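Two of the cards above describe the three parties in a federated identity transaction (user, identity provider, relying party) and the direction of the final message: the identity provider authenticates the user and sends an assertion to the relying party, which decides to trust it. The following added example, not taken from the study set or any real IdP product, sketches that exchange in Python. It uses an HMAC shared secret in place of the public-key signature a real SAML or OIDC provider would use, and the user store, issuer URL and audience are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a demo shared secret. Real IdPs sign with a private key and RPs verify with the public key.
IDP_SIGNING_KEY = b"idp-demo-signing-key-not-for-production"
IDP_ISSUER = "https://idp.example"            # illustrative issuer
USERS = {"alice": "correct horse battery staple"}   # constructed IdP credential store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_authenticate(username, password, audience, key=IDP_SIGNING_KEY, now=None, ttl=300):
    """Identity provider side: check the user's credentials, then issue an assertion that is
    signed and addressed to exactly one relying party (the audience). Returns None on failure."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def rp_verify(assertion, expected_audience, key=IDP_SIGNING_KEY, now=None):
    """Relying party side: accept the subject only if the signature is valid, the assertion was
    issued for this RP, and it has not expired. Returns the subject or None."""
    try:
        body, sig = assertion.split(".")
    except ValueError:
        return None
    expected_sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):
        return None                       # tampered or signed by someone else
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None                       # assertion meant for a different RP or issuer
    if claims.get("exp", 0) < now:
        return None                       # replay of an old assertion
    return claims["sub"]


if __name__ == "__main__":
    a = idp_authenticate("alice", "correct horse battery staple", "https://app.example")
    print("RP accepted subject:", rp_verify(a, "https://app.example"))
```

The audience check is the part most often skipped in home-grown integrations: without it, an assertion issued for one relying party can be replayed at another one that trusts the same identity provider.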

Within an Infrastructure as a Service model, which of the following would not be a measured service? A) Memory B) Storage C) CPU D) Number of users

D

You are working on a governance project designed to make sure the different cloud services used in your organization work well together. What goal are you attempting to achieve? A. Performance B. Resiliency C. Reversibility D. Interoperability

D

You have recently been hired by your company as a system administrator. As part of your job duties, you are responsible for managing the resources deployed in the cloud. You are currently reviewing the SLA with your CSP. You want to determine the level of risk that is acceptable in this deployment. Which SLA element should you research? A) risk profile B) risk mitigation C) risk framework D) risk appetite

D

You are hired by a CSP as a security administrator. The main data center and all backup facilities are located in countries that are members of the European Union (EU). When the CSP started, it only accepted clients within the EU. In Q1 2018, management decided to allow international customers. Customers within which country are MOST likely to cause problems based on that country's data privacy laws? A) Argentina B) United Kingdom C) Australia D) Switzerland E) United States

E
