Ultimate Cloud Security Quiz

Collection of 1000+ questions for cloud security certification.

CCSP - Certified Cloud Security Professional

---
primaryColor: steelblue
secondaryColor: yellow
textColor: black
locale: en
---

#### The management plane is used to administer a cloud environment and perform administrative tasks across a variety of systems, but most specifically it's used with the hypervisors. What does the management plane typically leverage for this orchestration?

- [x] APIs
- [ ] Scripts
- [ ] TLS
- [ ] XML

> Explanation: The management plane uses APIs to execute remote calls across the cloud environment to various management systems, especially hypervisors. This allows a centralized administrative interface, often a web portal, to orchestrate tasks throughout an enterprise. Scripts may be utilized to execute API calls, but they are not used directly to interact with systems. XML is used for data encoding and transmission, but not for executing remote calls. TLS is used to encrypt communications and may be used with API calls, but it is not the actual process for executing commands.

#### When dealing with PII, which category pertains to those requirements that can carry legal sanctions or penalties for failure to adequately safeguard the data and address compliance requirements?

- [ ] Contractual
- [ ] Jurisdictional
- [x] Regulated
- [ ] Legal

> Explanation: Regulated PII pertains to data that is outlined in law and regulations. Violations of the requirements for the protection of regulated PII can carry legal sanctions or penalties. Contractual PII involves required data protection that is determined by the actual service contract between the cloud provider and cloud customer, rather than outlined by law. Violations of the provisions of contractual PII carry potential financial or contractual implications, but not legal sanctions. Legal and jurisdictional are similar terms to regulated, but neither is the official term used.
#### Although the United States does not have a single, comprehensive privacy and regulatory framework, a number of specific regulations pertain to types of data or populations. Which of the following is NOT a regulatory system from the United States federal government?

- [ ] HIPAA
- [ ] SOX
- [ ] FISMA
- [x] PCI DSS

> Explanation: The Payment Card Industry Data Security Standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry standard maintained by the payment card brands, not a governmental regulation. The Sarbanes-Oxley Act (SOX) was passed in 2002 and pertains to financial records and reporting, as well as transparency requirements for shareholders and other stakeholders. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and pertains to data privacy and security for medical records. FISMA refers to the Federal Information Security Management Act of 2002 and pertains to the protection of all US federal government IT systems, with the exception of national security systems.

#### The president of your company has tasked you with implementing cloud services as the most efficient way of obtaining a robust disaster recovery configuration for your production services. Which of the cloud deployment models would you MOST likely be exploring?

- [x] Hybrid
- [ ] Private
- [ ] Community
- [ ] Public

> Explanation: A hybrid cloud model spans two or more different hosting configurations or cloud providers. This would enable an organization to continue using its current hosting configuration while adding cloud services to provide disaster recovery capabilities. The other cloud deployment models (public, private, and community) would not, on their own, describe a configuration in which cloud services are leveraged for disaster recovery rather than for production service hosting.
#### If you are running an application that has strict legal requirements that the data cannot reside on systems that contain other applications or systems, which aspect of cloud computing would be prohibitive in this case?

- [x] Multitenancy
- [ ] Broad network access
- [ ] Portability
- [ ] Elasticity

> Explanation: Multitenancy is the aspect of cloud computing that involves having multiple customers and applications running within the same system and sharing the same resources. Although considerable mechanisms are in place to ensure isolation and separation, the data and applications are ultimately using shared resources. Broad network access refers to the ability to access cloud services from any location or client. Portability refers to the ability to easily move cloud services between different cloud providers, whereas elasticity refers to the capability of a cloud environment to add or remove resources, as needed, to meet current demand.

#### The REST API is a widely used standard for communications of web-based services between clients and the servers hosting them. Which protocol does the REST API depend on?

- [x] HTTP
- [ ] SSH
- [ ] SAML
- [ ] XML

> Explanation: Representational State Transfer (REST) is a software architectural style that defines the components, connectors, and data conduits for many web applications used on the Internet. It uses and relies on the HTTP protocol and supports a variety of data formats. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data; neither is a transport protocol. Secure Shell (SSH) is a secure method for allowing remote login to systems over a network.

#### Which of the following actions will NOT make data part of the create phase of the cloud data lifecycle?

- [ ] Modify data
- [x] Modify metadata
- [ ] New data
- [ ] Import data

> Explanation: Modifying the metadata does not change the actual data. Although this initial phase is called "create," it can also refer to modification. In essence, any time data is considered "new," it is in the create phase. This can come from data that is newly created, data that is imported into a system and is new to that system, or data that is already present and is modified into a new form or value.

#### Most APIs will support a variety of different data formats or structures. However, the SOAP API will only support which one of the following data formats?

- [x] XML
- [ ] XSLT
- [ ] JSON
- [ ] SAML

> Explanation: The Simple Object Access Protocol (SOAP) only supports the Extensible Markup Language (XML) data format. Although the other options are all data formats or data structures, they are not supported by SOAP.

#### Which cloud storage type is typically used to house virtual machine images that are used throughout the environment?

- [ ] Structured
- [ ] Unstructured
- [ ] Volume
- [x] Object

> Explanation: Object storage is typically used to house virtual machine images because it is independent from other systems and is focused solely on storage. It is also the most appropriate for handling large individual files. Volume storage, because it is allocated to a specific host, would not be appropriate for storing virtual images that must be available throughout the environment. Structured and unstructured are storage types specific to PaaS and would not be used for storing items used throughout a cloud environment.

#### With an API, various features and optimizations are highly desirable to scalability, reliability, and security. What does the REST API support that the SOAP API does NOT support?

- [ ] Acceleration
- [x] Caching
- [ ] Redundancy
- [ ] Encryption

> Explanation: The Simple Object Access Protocol (SOAP) does not support caching, whereas the Representational State Transfer (REST) API does.
> The other options are all capabilities that are either not supported by SOAP or not supported by any API on its own and must be provided by external mechanisms.

#### Although much of the attention given to data security is focused on keeping data private and only accessible by authorized individuals, of equal importance is the trustworthiness of the data. Which concept encapsulates this?

- [ ] Validity
- [x] Integrity
- [ ] Accessibility
- [ ] Confidentiality

> Explanation: Integrity refers to the trustworthiness of data and whether its format and values are true and have not been corrupted or otherwise altered through unauthorized means. Confidentiality refers to keeping data from being accessed or viewed by unauthorized parties. Accessibility means that data is available and ready when needed by a user or service. Validity can mean a variety of things that are somewhat similar to integrity, but it's not the most appropriate answer in this case.

#### Three central concepts define what type of data and information an organization is responsible for pertaining to eDiscovery. Which of the following are the three components that comprise required disclosure?

- [ ] Possession, ownership, control
- [ ] Ownership, use, creation
- [ ] Control, custody, use
- [x] Possession, custody, control

> Explanation: Data that falls under the purview of an eDiscovery request is that which is in the possession, custody, or control of the organization. Although this is an easy concept in a traditional data center, it can be difficult to distinguish who actually possesses and controls the data in a cloud environment due to multitenancy and resource pooling. Although the other options provide similar-sounding terms, they are ultimately incorrect.

#### Which of the following threat types involves the sending of commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing?

- [ ] Cross-site scripting
- [ ] Missing function-level access control
- [x] Injection
- [ ] Cross-site request forgery

> Explanation: An injection attack is where a malicious actor will send commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it could potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attacker forces an authenticated user's browser to send forged requests to an application under that user's own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without it going through validation processes.

#### With a cloud service category where the cloud customer is responsible for deploying all services, systems, and components needed for their applications, which of the following storage types are MOST likely to be available to them?

- [ ] Structured and hierarchical
- [x] Volume and object
- [ ] Volume and database
- [ ] Structured and unstructured

> Explanation: The question is describing the Infrastructure as a Service (IaaS) cloud offering, and as such, the volume and object storage types will be available to the customer. Structured and unstructured are storage types associated with PaaS, and although the other answers present similar-sounding storage types, they are a mix of real and fake names.

#### Which of the following roles would be responsible for managing memberships in federations and the use and integration of federated services?
- [x] Inter-cloud provider
- [ ] Cloud service business manager
- [ ] Cloud service administrator
- [ ] Cloud service integrator

> Explanation: The inter-cloud provider is responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services. A cloud service administrator is responsible for testing, monitoring, and securing cloud services, as well as providing usage reporting and dealing with service problems. The cloud service integrator is responsible for connecting existing systems and services with a cloud. The cloud service business manager is responsible for overseeing the billing, auditing, and purchasing of cloud services.

#### Which data state would be most likely to use TLS as a protection mechanism?

- [ ] Data in use
- [ ] Data at rest
- [ ] Archived
- [x] Data in transit

> Explanation: TLS would be used with data in transit, when packets are exchanged between clients or services and sent across a network. Data in use has already been protected by a technology such as TLS while crossing the network and then relies on other controls, such as access controls and digital signatures, for protection while it is being processed. The data-at-rest state primarily uses encryption of stored file objects. Archived data would be protected in the same way as data at rest.

#### You are working for a cloud service provider and receive an eDiscovery order pertaining to one of your customers. Which of the following would be the most appropriate action to take first?

- [ ] Take a snapshot of the virtual machines
- [ ] Escrow the encryption keys
- [ ] Copy the data
- [x] Notify the customer

> Explanation: When a cloud service provider receives an eDiscovery order pertaining to one of their customers, the first action they must take is to notify the customer (unless the order itself legally bars such notification). This allows the customer to be aware of what was received, as well as to conduct a review to determine if any challenges are necessary or warranted. Taking snapshots of virtual machines, copying data, and escrowing encryption keys are all processes involved in the actual collection of data and should not be performed until the customer has been notified of the request.

#### If a cloud computing customer wishes to guarantee that a minimum level of resources will always be available, which of the following sets of services would comprise the reservation?

- [ ] Memory and networking
- [ ] CPU and software
- [ ] CPU and storage
- [x] CPU and memory

> Explanation: A reservation guarantees to a cloud customer that they will have access to a minimum level of resources to run their systems, which helps mitigate against DoS attacks or other tenants' systems that consume high levels of resources. A reservation pertains to memory and CPU resources. Under the concept of a reservation, memory and CPU are the guaranteed resources; storage and networking are not included, even though they are core components of cloud computing. Software would be out of scope for a guarantee and doesn't really pertain to the concept.

#### Which of the following threat types can occur when baselines are not appropriately applied or when unauthorized changes are made?

- [x] Security misconfiguration
- [ ] Insecure direct object references
- [ ] Unvalidated redirects and forwards
- [ ] Sensitive data exposure

> Explanation: Security misconfigurations occur when applications and systems are not properly configured or maintained in a secure manner. This can be due to a shortcoming in security baselines or configurations, unauthorized changes to system configurations, or a failure to patch and upgrade systems as the vendor releases security patches.
> Insecure direct object references occur when an application exposes a reference to an internal implementation object (such as a file name, a database key, or an internal system) without checking that the requester is authorized for that object, so an attacker can manipulate the reference to reach other objects or learn more about the infrastructure. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, allowing spoofing for malware or phishing attacks. Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data.

#### Which of the following is considered an internal redundancy for a data center?

- [ ] Power feeds
- [x] Chillers
- [ ] Network circuits
- [ ] Generators

> Explanation: Chillers and cooling systems are internal to a data center and its operations, and as such they are considered an internal redundancy. Power feeds, network circuits, and generators are all external to a data center and provide utility services to it, which makes them an external redundancy.

#### Which of the following threat types involves the sending of invalid and manipulated requests through a user's client to execute commands on the application under their own credentials?

- [ ] Injection
- [x] Cross-site request forgery
- [ ] Missing function-level access control
- [ ] Cross-site scripting

> Explanation: A cross-site request forgery (CSRF) attack forces a client that a user has used to authenticate to an application to send forged requests under the user's own credentials, executing commands and requests that the application believes are coming from a trusted client and user. Although this type of attack cannot be used to steal data directly, because the attacker has no way to see the results of the commands, it does open other ways to compromise an application. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without it going through validation processes.

#### With finite resources available within a cloud, even the largest cloud providers will at times need to determine which customers will receive additional resources first. What is the term associated with this determination?

- [ ] Weighting
- [ ] Prioritization
- [x] Shares
- [ ] Scoring

> Explanation: Shares are used within a cloud environment to prioritize resource allocation when customer requests exceed the available resources. Cloud providers utilize shares by assigning a priority score to each customer and allocating resources to those with the highest scores first. Scoring is a component of shares that determines the actual order in which to allocate resources. Neither weighting nor prioritization is the correct term in this case.

#### In order to comply with regulatory requirements, which of the following secure erasure methods would be available to a cloud customer using volume storage within the IaaS service model?
- [ ] Demagnetizing
- [ ] Shredding
- [ ] Degaussing
- [x] Cryptographic erasure

> Explanation: Cryptographic erasure is a secure method to destroy data by destroying the keys that were used to encrypt it. It is the one method on this list that a customer can carry out for volume storage on IaaS, and it is also extremely quick. It only works, however, if the volume was encrypted from the moment it was first written and the customer controls (or can irrevocably destroy) the key; any backup, escrow, or snapshot copy of the key would leave the data recoverable. Shredding, degaussing, and demagnetizing are all physically destructive methods that would not be permitted within a cloud environment using shared resources.

#### Where is a DLP solution generally installed when utilized for monitoring data in use?

- [ ] Application server
- [ ] Database server
- [ ] Network perimeter
- [x] User's client

> Explanation: To monitor data in use, the DLP solution's optimal location would be on the user's client or workstation, where the data would be used or processed, and where it would be most vulnerable to access or exposure. The network perimeter is most appropriate for data in transit, and an application server would serve as a middle stage between data at rest and data in use, but it is a less correct answer than a user's client. A database server would be an example of a location appropriate for monitoring data at rest.

#### Which of the following aspects of cloud computing would make it more likely that a cloud provider would be unwilling to satisfy specific certification requirements?

- [ ] Regulation
- [x] Multitenancy
- [ ] Virtualization
- [ ] Resource pooling

> Explanation: With cloud providers hosting a number of different customers, it would be impractical for them to pursue additional certifications based on the needs of a specific customer. Cloud environments are built to a common denominator to serve the greatest number of customers. Especially within a public cloud model, it is not possible or practical for a cloud provider to alter its services for specific customer demands. Resource pooling and virtualization within a cloud environment would be the same for all customers and would not impact the certifications that a cloud provider might be willing to pursue. Regulations form the basis for many certifications and would be a reason for a cloud provider to pursue specific certifications to meet customer requirements, not a reason to refuse them.

#### Which phase of the cloud data lifecycle would be the MOST appropriate for the use of DLP technologies to protect the data?

- [ ] Use
- [ ] Store
- [x] Share
- [ ] Create

> Explanation: During the share phase, data leaves the application and the organization's direct security controls to be consumed by other users, systems, or services, which is exactly the movement that DLP technologies are designed to monitor and control. The create phase is where data is created, imported, or modified and where its classification is assigned; with any change in the content or value of data, the classification may also change and must be reevaluated, but that is a classification activity rather than the point at which leakage is prevented.

#### If a key feature of cloud computing that your organization desires is the ability to scale and expand without limit or concern about available resources, which cloud deployment model would you MOST likely be considering?

- [x] Public
- [ ] Hybrid
- [ ] Private
- [ ] Community

> Explanation: Public clouds, such as AWS and Azure, are massive systems run by major corporations, and they account for a significant share of Internet traffic and services. They are always expanding, offer enormous resources to customers, and are the least likely to run into resource constraints compared to the other deployment models. Private clouds would likely have the resources available for specific uses and could not be assumed to

#### What is a serious complication an organization faces from the compliance perspective with international operations?
- [x] Multiple jurisdictions
- [ ] Different certifications
- [ ] Different operational procedures
- [ ] Different capabilities

> Explanation: When operating within a global framework, a security professional runs into a multitude of jurisdictions and requirements, which often may not be clearly applicable or may be in contention with each other. These requirements can involve the location of the users and the type of data they enter into systems, the laws governing the organization that owns the application and any regulatory requirements it may have, and finally the laws and regulations of the jurisdiction housing the IT resources and where the data is actually stored, which may itself span multiple jurisdictions. Different certifications would not come into play as a challenge because the major IT and data center certifications are international and would apply to any cloud provider. Different capabilities and different operational procedures would be mitigated by the organization's selection of a cloud provider and would not be a challenge if an appropriate provider was chosen, regardless of location.

#### ISO/IEC has established international standards for many aspects of computing and any processes or procedures related to information technology. Which ISO/IEC standard has been established to provide a framework for handling eDiscovery processes?

- [ ] ISO/IEC 27001
- [ ] ISO/IEC 27002
- [ ] ISO/IEC 27040
- [x] ISO/IEC 27050

> Explanation: ISO/IEC 27050 strives to establish an internationally accepted standard for eDiscovery processes and best practices. It encompasses all steps of the eDiscovery process, including the identification, preservation, collection, processing, review, analysis, and final production of the requested data. ISO/IEC 27001 is the general specification for an information security management system. ISO/IEC 27002 gives best practice recommendations for information security controls. ISO/IEC 27040 is focused on the security of storage systems.

#### If a company needed to guarantee through contract and SLAs that a cloud provider would always have available sufficient resources to start their services and provide a certain level of provisioning, what would the contract need to refer to?

- [ ] Limit
- [x] Reservation
- [ ] Assurance
- [ ] Guarantee

> Explanation: A reservation guarantees to a cloud customer that they will have access to a minimum level of resources to run their systems, which helps mitigate against DoS attacks or systems that consume high levels of resources. A limit refers to the enforcement of a maximum level of resources that can be consumed by or allocated to a cloud customer, service, or system. Both guarantee and assurance are terms that sound similar to reservation, but they are not the correct choices.

#### Many aspects and features of cloud computing can make eDiscovery compliance more difficult or costly. Which aspect of cloud computing would be the MOST complicating factor?

- [ ] Measured service
- [ ] Broad network access
- [x] Multitenancy
- [ ] Portability

> Explanation: With multitenancy, multiple customers share the same physical hardware and systems. With the nature of a cloud environment and how it writes data across diverse systems that are shared by others, the process of eDiscovery becomes much more complicated. Administrators cannot pull physical drives or easily isolate which data to capture. They not only have to focus on which data they need to collect, while ensuring they find all of it, but they also have to make sure that other customers' data is not accidentally collected and exposed along with it. Measured service is the aspect of a cloud where customers only pay for the services they are actually using, and for the duration of their use. Portability refers to the ease with which an application or service can be moved among different cloud providers.
> Broad network access refers to the nature of cloud services being accessed via the public Internet, either with or without secure tunneling technologies. None of these concepts would pertain to eDiscovery.

#### A crucial decision any company must make is in regard to where it hosts the data systems it depends on. A debate exists as to whether it's best to lease space in a data center or build your own data center, and now with cloud computing, whether to purchase resources within a cloud. What is the biggest advantage to leasing space in a data center versus procuring cloud services?

- [ ] Regulations
- [x] Control
- [ ] Security
- [ ] Costs

> Explanation: When leasing space in a data center versus utilizing cloud services, a customer has much greater control over its systems and services, from both the hardware/software perspective and the operational management perspective. Costs, regulations, and security are all prime considerations regardless of the hosting type selected. Although regulations will be the same in either hosting solution, in most instances costs and security will be greater concerns with leased space.

#### Which of the following systems is used to employ a variety of different techniques to discover and alert on threats and potential threats to systems and networks?

- [x] IDS
- [ ] IPS
- [ ] Firewall
- [ ] WAF

> Explanation: An intrusion detection system (IDS) is implemented to watch network traffic and operations, using predefined criteria or signatures, and alert administrators if anything suspect is found. An intrusion prevention system (IPS) is similar to an IDS but actually takes action against suspect traffic, whereas an IDS just alerts when it finds anything suspect. A traditional firewall works at the network level and only takes into account IP addresses, ports, and protocols; it does not inspect the traffic for patterns or content. A web application firewall (WAF) works at the application layer and provides additional security via proxying, filtering service requests, or blocking based on additional factors such as the client and the content of the requests.

#### Which of the following is not a risk management framework?

- [ ] COBIT
- [x] Hex GBL
- [ ] ISO 31000:2009
- [ ] NIST SP 800-37

> Explanation: Hex GBL is a reference to a computer part in Terry Pratchett's fictional Discworld universe. The other three are genuine frameworks: COBIT for IT governance and management, ISO 31000:2009 (since revised as ISO 31000:2018) for risk management principles and guidelines, and NIST SP 800-37, the Risk Management Framework for information systems.

#### In order to ensure ongoing compliance with regulatory requirements, which phase of the cloud data lifecycle must be tested regularly?

- [x] Archive
- [ ] Share
- [ ] Store
- [ ] Destroy

> Explanation: In order to ensure compliance with regulations, it is important for an organization to regularly test the restorability of archived data. As technologies change and older systems are deprecated, the risk rises that an organization will lose the ability to restore data from the format in which it is stored. With the destroy, store, and share phases, the currently used technologies will be sufficient for an organization's needs on an ongoing basis, so the risk that is elevated with archived data is not present.

#### Which of the following threat types involves leveraging a user's browser to send untrusted data to be executed with legitimate access via the user's valid credentials?

- [ ] Injection
- [ ] Missing function-level access control
- [x] Cross-site scripting
- [ ] Cross-site request forgery

> Explanation: Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user's browser without it going through any validation or sanitization processes, or where the output is not properly escaped before the browser processes it.
The code is then executed on the user's browser with their own access and permissions, allowing the attacker to redirect the user's web traffic, steal data from their session, or potentially access information on the user's own computer that their browser has the ability to access. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site request forgery occurs when an attack forces an authenticated user to send forged requests to an application running under their own access and credentials. #### Digital investigations have adopted many of the same methodologies and protocols as other types of criminal or scientific inquiries. What term pertains to the application of scientific norms and protocols to digital investigations? - [ ] Scientific - [ ] Investigative - [ ] Methodological - [x] Forensics > Explanation: Forensics refers to the application of scientific methods and protocols to the investigation of crimes. Although forensics has traditionally been applied to well-known criminal proceedings and investigations, the term equally applies to digital investigations and methods. Although the other answers provide similar-sounding terms and ideas, none is the appropriate answer in this case. #### Within a federated identity system, which entity accepts tokens from the identity provider? - [ ] Assertion manager - [ ] Servicing party - [ ] Proxy party - [x] Relying party > Explanation: The relying party is attached to the application or service that a user is trying to access, and it accepts authentication tokens from the user's own identity provider in order to facilitate authentication and access. 
The other terms provided are all associated with federated systems, but none is the correct choice in this case. #### Different types of audits are intended for different audiences, such as internal, external, regulatory, and so on. Which of the following audits are considered "restricted use" versus being for a more broad audience? - [ ] SOC Type 2 - [x] SOC Type 1 - [ ] SOC Type 3 - [ ] SAS-70 > Explanation: SOC Type 1 reports are intended for restricted use, only to be seen by the actual service organization, its current clients, or its auditors. These reports are not intended for wider or public distribution. SAS-70 audit reports have been deprecated and are no longer in use. SOC Type 2 reports expand upon SOC Type 1 reports by covering controls over a period of time; note that under AICPA guidance SOC 2 reports are also restricted-use documents, and it is the SOC 3 report that is written for general (public) distribution. #### Although host-based and network-based IDSs perform similar functions and have similar capabilities, which of the following is an advantage of a network-based IDS over a host-based IDS, assuming all capabilities are equal? - [x] Segregated from host systems - [ ] Network access - [ ] Scalability - [ ] External to system patching > Explanation: A network-based IDS has the advantage of being segregated from host systems, and as such, it would not be open to compromise in the same manner a host-based system would be. Although a network-based IDS would be external to system patching, this is not the best answer here because it is a minor concern compared to segregation from a possibly compromised host. Scalability is also not the best answer because, although a network-based IDS does remove processing from the host system, that is not a primary security concern. Network access is not a consideration because both a host-based IDS and a network-based IDS would have access to network resources. #### DNSSEC was designed to add a layer of security to the DNS protocol. Which type of attack was the DNSSEC extension designed to mitigate?
- [ ] Account hijacking - [ ] Snooping - [x] Spoofing - [ ] Data exposure > Explanation: DNSSEC is an extension to the regular DNS protocol that utilizes digital signing of DNS query results, which can be verified to come from an authoritative source. This verification mitigates the ability for a rogue DNS server to be used to spoof query results and to direct users to malicious sites. DNSSEC provides for the verification of the integrity of DNS responses. It does not provide any protection from snooping or data exposure, because responses are signed but not encrypted. Although it may help lessen account hijacking by preventing users from being directed to rogue sites, it cannot by itself eliminate the possibility. #### Which aspect of cloud computing pertains to cloud customers only paying for the resources and services they actually use? - [ ] Metered service - [ ] Measured billing - [ ] Metered billing - [x] Measured service > Explanation: Measured service is the aspect of cloud computing that pertains to cloud services and resources being billed in a metered way, based only on the cloud customer's level of consumption and duration of use. Although they sound similar to the correct answer, none of the other choices is the actual cloud terminology. #### Many of the traditional concepts of systems and services for a traditional data center also apply to the cloud. Both are built around key computing concepts. Which of the following comprise the two facets of computing? - [ ] CPU and software - [ ] CPU and storage - [x] CPU and memory - [ ] Memory and networking > Explanation: The CPU and memory resources of an environment together comprise its "computing" resources. Cloud environments, especially public clouds, are enormous pools of resources for computing and are typically divided among a large number of customers with constantly changing needs and demands. Although storage and networking are core components of a cloud environment, they do not comprise its computing core.
Software, much like within a traditional data center, is highly subjective based on the application, system, service, or cloud computing model used; however, it is not one of the core cloud components. #### With a cloud service category where the cloud customer is provided a full application framework into which to deploy their code and services, which storage types are MOST likely to be available to them? - [x] Structured and unstructured - [ ] Structured and hierarchical - [ ] Volume and database - [ ] Volume and object > Explanation: The question is describing the Platform as a Service (PaaS) cloud offering, and as such, structured and unstructured storage types will be available to the customer. Volume and object are storage types associated with IaaS, and although the other answers present similar-sounding storage types, they are a mix of real and fake names. #### Firewalls are used to provide network security throughout an enterprise and to control what information can be accessed--and to a certain extent, through what means. Which of the following is NOT something that firewalls are concerned with? - [ ] IP address - [x] Encryption - [ ] Port - [ ] Protocol > Explanation: Firewalls work at the network level and control traffic based on the source, destination, protocol, and ports. Whether or not the traffic is encrypted is not a factor with firewalls and their decisions about routing traffic. Firewalls work primarily with IP addresses, ports, and protocols. #### Within an IaaS implementation, which of the following would NOT be a metric used to quantify service charges for the cloud customer? - [ ] Memory - [x] Number of users - [ ] Storage - [ ] CPU > Explanation: Within IaaS, where the cloud customer is responsible for everything beyond the physical network, the number of users on a system would not be a factor in billing or service charges. The core cloud services for IaaS are based on the memory, storage, and CPU requirements of the cloud customer. 
Because the cloud customer with IaaS is responsible for its own images and deployments, these components comprise the basis of its cloud provisioning and measured-services billing. #### Many different common threats exist against web-exposed services and applications. One attack involves attempting to leverage input fields to execute queries in a nested fashion that is unintended by the developers. What type of attack is this? - [x] Injection - [ ] Missing function-level access control - [ ] Cross-site scripting - [ ] Cross-site request forgery > Explanation: An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. This can trick an application into exposing data that is not intended or authorized to be exposed, or it can potentially allow an attacker to gain insight into configurations or security controls. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site request forgery occurs when an attacker forces an authenticated user to send forged requests to an application running under their own access and credentials. Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes. #### For service provisioning and support, what is the ideal amount of interaction between a cloud customer and cloud provider? - [ ] Half - [ ] Full - [x] Minimal - [ ] Depends on the contract > Explanation: The goal with any cloud-hosting setup is for the cloud customer to be able to perform most or all of its functions for service provisioning and configuration without any need for support from or interaction with the cloud provider beyond the automated tools provided.
To fulfill the tenets of on-demand self-service, required interaction with the cloud provider--whether half time, full time, or a commensurate amount of time based on the contract--would be in opposition to a cloud's intended use. As such, these answers are incorrect. #### What does a cloud customer purchase or obtain from a cloud provider? - [x] Services - [ ] Hosting - [ ] Servers - [ ] Customers > Explanation: No matter what form they come in, "services" are obtained or purchased by a cloud customer from a cloud service provider. Services can come in many forms--virtual machines, network configurations, hosting setups, and software access, just to name a few. Hosting and servers--or, with a cloud, more appropriately virtual machines--are just two examples of "services" that a customer would purchase from a cloud provider. "Customers" would never be a service that's purchased. #### Which phase of the cloud data lifecycle represents the first instance where security controls can be implemented? - [ ] Use - [ ] Share - [x] Store - [ ] Create > Explanation: The store phase occurs immediately after the create phase, and as data is committed to storage structures, the first opportunity for security controls to be implemented is realized. During the create phase, the data is not yet part of a system where security controls can be applied, and although the use and share phases also entail the application of security controls, they are not the first phase where the process occurs. #### You were recently hired as a project manager at a major university to implement cloud services for the academic and administrative systems. Because the load and demand for services at a university are very cyclical in nature, commensurate with the academic calendar, which of the following aspects of cloud computing would NOT be a primary benefit to you?
- [ ] Measured service - [x] Broad network access - [ ] Resource pooling - [ ] On-demand self-service > Explanation: Broad network access to cloud services, although it is an integral aspect of cloud computing, would not be a specific benefit to an organization with cyclical business needs. The other options would allow for lower costs during periods of low usage as well as provide the ability to expand services quickly and easily when needed for peak periods. Measured service allows a cloud customer to pay only for the resources it uses at the time, and resource pooling allows a cloud customer to access resources as needed. On-demand self-service enables the cloud customer to change its provisioned resources on its own, without the need to interact with staff from the cloud provider. #### Which cloud deployment model is MOST likely to offer free or very cheap services to users? - [ ] Hybrid - [ ] Community - [x] Public - [ ] Private > Explanation: Public clouds offer services to anyone, regardless of affiliation, and are the most likely to offer free services to users. Examples of public clouds with free services include iCloud, Dropbox, and OneDrive. Private cloud models are designed for specific customers and their needs, and would not offer services to the public at large, for free or otherwise. A community cloud is specific to a group of similar organizations and would not offer free or widely available public services. A hybrid cloud model would not fit the specifics of the question. #### Where is a DLP solution generally installed when utilized for monitoring data in transit? - [x] Network perimeter - [ ] Database server - [ ] Application server - [ ] Web server > Explanation: To monitor data in transit, a DLP solution would optimally be installed at the network perimeter, to ensure that data leaving the network through various protocols conforms to security controls and policies.
An application server or a web server would be more appropriate for monitoring data in use, and a database server would be an example of a location appropriate for monitoring data at rest. #### With IaaS, what is responsible for handling the security and control over the volume storage space? - [ ] Management plane - [x] Operating system - [ ] Application - [ ] Hypervisor > Explanation: Volume storage is allocated via a LUN to a system and then treated the same as any traditional storage. The operating system is responsible for formatting and securing volume storage as well as controlling all access to it. Applications, although they may use volume storage and have permissions to write to it, are not responsible for its formatting and security. Both a hypervisor and the management plane are outside of an individual system and are not responsible for managing the files and storage within that system. #### Configurations and policies for a system can come from a variety of sources and take a variety of formats. Which concept pertains to the application of a set of configurations and policies that is applied to all systems or a class of systems? - [ ] Hardening - [ ] Leveling - [x] Baselines - [ ] Standards > Explanation: Baselines are a set of configurations and policies applied to all new systems or services, and they serve as the basis for deploying any other services on top of them. Although standards often form the basis for baselines, "baselines" is the term for the applied set of configurations itself, and so is the correct answer here. Hardening is the process of securing a system, often through the application of baselines. Leveling is an extraneous but similar-sounding term to baselining. #### Which of the following tasks within a SaaS environment would NOT be something the cloud customer would be responsible for?
- [x] Authentication mechanism - [ ] Branding - [ ] Training - [ ] User access > Explanation: The authentication mechanisms and implementations are the responsibility of the cloud provider because they are core components of the application platform and service. Within a SaaS implementation, the cloud customer will provision user access, deploy branding to the application interface (typically), and provide or procure training for its users. #### An SLA contains the official requirements for contract performance and satisfaction between the cloud provider and cloud customer. Which of the following would NOT be a component with measurable metrics and requirements as part of an SLA? - [ ] Network - [x] Users - [ ] Memory - [ ] CPU > Explanation: Dealing with users or user access would not be an appropriate item for inclusion in an SLA specifically. However, user access and user experience would be covered indirectly through other metrics. Memory, CPU, and network resources are all typically included within an SLA for availability and response times when dealing with any incidents. #### Within a federated identity system, which of the following would you be MOST likely to use for sending information for consumption by a relying party? - [ ] XML - [ ] HTML - [ ] WS-Federation - [x] SAML > Explanation: The Security Assertion Markup Language (SAML) is the most widely used method for encoding and sending attributes and other information from an identity provider to a relying party. WS-Federation, which is used by Active Directory Federation Services (ADFS), is the second most used method for sending information to a relying party, but it is not a better choice than SAML. XML is similar to SAML in the way it encodes and labels data (SAML is itself an XML-based standard), but it does not by itself define the assertions and protocol bindings that SAML does. HTML is not used within federated systems at all. #### Which data state would be most likely to use digital signatures as a security protection mechanism?
- [x] Data in use - [ ] Data in transit - [ ] Archived - [ ] Data at rest > Explanation: During the data-in-use state, the information has already been accessed from storage and transmitted to the service, so reliance on a technology such as digital signatures is imperative to ensure security and complement the security methods used during previous states. Data in transit relies on technologies such as TLS to encrypt network transmission of packets for security. Data at rest primarily uses encryption for stored file objects. Archived data would be treated the same as data at rest. #### There is a large gap between the privacy laws of the United States and those of the European Union. Bridging this gap is necessary for American companies to do business with European companies and in European markets in many situations, as the American companies are required to comply with the stricter requirements. Which US program was designed to help companies overcome these differences? - [ ] SOX - [ ] HIPAA - [ ] GLBA - [x] Safe Harbor > Explanation: The Safe Harbor regulations were developed by the Department of Commerce and were meant to serve as a way to bridge the gap between the privacy regulations of the European Union and the United States. Due to the lack of adequate privacy laws and protection at the federal level in the US, European privacy regulations generally prohibit the exporting of PII from Europe to the United States. Participation in the Safe Harbor program was voluntary on the part of US organizations. These organizations had to conform to specific requirements and policies that mirror those from the EU, thus possibly fulfilling the EU requirements for data sharing and export. This way, American businesses could be allowed to serve customers in the EU. Note that the Safe Harbor framework was invalidated by the Court of Justice of the European Union in October 2015 and replaced by the EU-US Privacy Shield, which was itself invalidated in July 2020; the exam term remains Safe Harbor, but practitioners should check the currently valid transfer mechanism. The Health Insurance Portability and Accountability Act (HIPAA) pertains to the protection of patient medical records and privacy. The Gramm-Leach-Bliley Act (GLBA) focuses on the use of PII within financial institutions.
The Sarbanes-Oxley Act (SOX) regulates the financial and accounting practices used by organizations in order to protect shareholders from improper practices and errors. #### Audits are either done based on the status of a system or application at a specific time or done as a study over a period of time that takes into account changes and processes. Which of the following pairs matches an audit type that is done over time, along with the minimum span of time necessary for it? - [ ] SOC Type 2, one year - [ ] SOC Type 1, one year - [ ] SOC Type 2, one month - [x] SOC Type 2, six months > Explanation: SOC Type 2 audits are done over a period of time, with six months being the generally accepted minimum duration. SOC Type 1 audits are designed with a scope that's a static point in time, and the other durations provided for SOC Type 2 are incorrect. #### With software-defined networking (SDN), which two types of network operations are segregated to allow for granularity and delegation of administrative access and functions? - [x] Filtering and forwarding - [ ] Filtering and firewalling - [ ] Firewalling and forwarding - [ ] Forwarding and protocol > Explanation: With SDN, the filtering and forwarding capabilities and their administration are separated: the control plane, which decides how traffic is filtered and routed, is decoupled from the data plane, which performs the actual forwarding. This allows the cloud provider to build interfaces and management tools for administrative delegation of filtering configuration, without having to allow direct access to the underlying network equipment. Firewalling and protocols are both terms related to networks, but they are not the components SDN is concerned with. #### Along with humidity, temperature is crucial to a data center for optimal operations and protection of equipment. Which of the following is the optimal temperature range as set by ASHRAE?
- [ ] 69.8 to 86.0 degrees Fahrenheit (21 to 30 degrees Celsius) - [ ] 51.8 to 66.2 degrees Fahrenheit (11 to 19 degrees Celsius) - [x] 64.4 to 80.6 degrees Fahrenheit (18 to 27 degrees Celsius) - [ ] 44.6 to 60.8 degrees Fahrenheit (7 to 16 degrees Celsius) > Explanation: The American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE) recommends 64.4 to 80.6 degrees Fahrenheit (or 18 to 27 degrees Celsius) as the optimal temperature range for data centers. None of the other options is the recommendation from ASHRAE. #### Which of the following statements best describes a Type 1 hypervisor? - [ ] The hypervisor software runs within an operating system tied to the hardware. - [ ] The hypervisor software runs as a client on a server and needs an external service to administer it. - [ ] The hypervisor software runs on top of an application layer. - [x] The hypervisor software runs directly on "bare metal" without an intermediary. > Explanation: With a Type 1 hypervisor, the hypervisor software runs directly on top of the bare-metal system, without any intermediary layer or hosting operating system. None of the other statements describes a Type 1 hypervisor. #### Which cloud storage type resembles a virtual hard drive and can be utilized in the same manner and with the same type of features and capabilities? - [x] Volume - [ ] Unstructured - [ ] Structured - [ ] Object > Explanation: Volume storage is allocated and mounted as a virtual hard drive within IaaS implementations, and it can be maintained and used the same way a traditional file system can. Object storage uses a flat structure on remote services that is accessed via opaque descriptors, structured storage resembles database storage, and unstructured storage is used to hold auxiliary files in conjunction with applications hosted within a PaaS implementation.
#### Which aspect of SaaS will alleviate much of the time and energy organizations spend on compliance (specifically baselines)? - [ ] Maintenance - [ ] Licensing - [x] Standardization - [ ] Development > Explanation: With the entire software platform being controlled by the cloud provider, the standardization of configurations and versioning is done automatically for the cloud customer. This alleviates the customer's need to track upgrades and releases for its own systems and development; instead, the onus is on the cloud provider. Although licensing is the responsibility of the cloud customer within SaaS, it does not have an impact on compliance requirements. Within SaaS, development and maintenance of the system are solely the responsibility of the cloud provider. #### Many tools and technologies are available for securing or monitoring data in transit within a data center, whether it is a traditional data center or a cloud. Which of the following is NOT a technology for securing data in transit? - [ ] VPN - [ ] TLS - [x] DNSSEC - [ ] HTTPS > Explanation: DNSSEC is an extension of the normal DNS protocol that enables a system to verify the integrity of a DNS query resolution by having the authoritative source sign it and by verifying the signing chain. It is not used for securing data transmissions or exchanges. HTTPS is the most common method for securing web service and data calls within a cloud, and TLS is the current standard for encrypting HTTPS traffic. VPNs are widely used for securing data transmissions and service access. #### With a federated identity system, where would a user perform their authentication when requesting services or application access?
- [ ] Cloud provider - [ ] The application - [x] Their home organization - [ ] Third-party authentication system > Explanation: With a federated identity system, a user will perform authentication with their home organization, and the application will accept the authentication tokens and user information from the identity provider in order to grant access. The purpose of a federated system is to allow users to authenticate from their home organization. Therefore, using the application or a third-party authentication system would be contrary to the purpose of a federated system because it necessitates the creation of additional accounts. The use of a cloud provider would not be relevant to the operations of a federated system. #### Where is an XML firewall most commonly and effectively deployed in the environment? - [ ] Between the application and data layers - [ ] Between the presentation and application layers - [ ] Between the IPS and firewall - [x] Between the firewall and application server > Explanation: An XML firewall is most commonly deployed in line between the firewall and application server to validate XML code before it reaches the application. An XML firewall is intended to validate XML before it reaches the application. Placing the XML firewall between the presentation and application layers, between the firewall and IPS, or between the application and data layers would not serve the intended purpose. #### Modern web service systems are designed for high availability and resiliency. Which concept pertains to the ability to detect problems within a system, environment, or application and programmatically invoke redundant systems or processes for mitigation? - [ ] Elasticity - [ ] Redundancy - [x] Fault tolerance - [ ] Automation > Explanation: Fault tolerance allows a system to continue functioning, even with degraded performance, if portions of it fail or degrade, without the entire system or service being taken down. 
It can detect problems within a service and invoke compensating systems or functions to keep functionality going. Although redundancy is similar to fault tolerance, it is more focused on having additional copies of systems available, either active or passive, that can take up services if one system goes down. Elasticity pertains to the ability of a system to resize to meet demands, but it is not focused on system failures. Automation, and its role in maintaining large systems with minimal intervention, is not directly related to fault tolerance. #### On large distributed systems with pooled resources, cloud computing relies on extensive orchestration to maintain the environment and the constant provisioning of resources. Which of the following is crucial to the orchestration and automation of networking resources within a cloud? - [ ] DNSSEC - [ ] DNS - [ ] DCOM - [x] DHCP > Explanation: The Dynamic Host Configuration Protocol (DHCP) automatically configures network settings for a host so that these settings do not need to be configured on the host statically. Given the rapid and programmatic provisioning of resources within a cloud environment, this capability is crucial to cloud operations. Both DNS and its security/integrity extension DNSSEC provide name resolution to IP addresses, but neither is used for the configuration of network settings on a host. DCOM refers to the Distributed Component Object Model, which was developed by Microsoft as a means to request services across a network, and is not used for network configuration at all. #### BCDR strategies do not typically involve the entire operations of an organization, but only those deemed critical to its business. Which concept pertains to the amount of services that need to be recovered to meet BCDR objectives? - [x] RSL - [ ] RTO - [ ] RPO - [ ] SRE > Explanation: The recovery service level (RSL) measures the percentage of operations that would be recovered during a BCDR situation.
The recovery point objective (RPO) sets and defines the amount of data an organization must have available or accessible to reach the determined level of operations necessary during a BCDR situation. The recovery time objective (RTO) measures the amount of time necessary to recover operations to meet the BCDR plan. SRE is provided as a distractor. #### During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis? - [ ] Contractual requirements - [ ] Regulations - [x] Vendor recommendations - [ ] Corporate policy > Explanation: Vendor recommendations would not be pertinent to the gap analysis after an audit. Although vendor recommendations will typically play a role in the development of corporate policies or contractual requirements, they are not themselves required controls. Regulations, corporate policy, and contractual requirements all determine the expected or mandated controls in place on a system. #### The GAPP framework was developed through a joint effort between the major Canadian and American professional accounting associations in order to assist their members with managing and preventing risks to the privacy of their data and customers. Which of the following is the meaning of GAPP? - [ ] General accounting personal privacy - [ ] Generally accepted privacy practices - [x] Generally accepted privacy principles - [ ] General accounting privacy policies > Explanation: GAPP stands for Generally Accepted Privacy Principles. It is a framework developed by a joint effort between the major Canadian and American professional accounting associations to assist their members with managing and preventing risks to the privacy of their data and customers. #### Which protocol operates at the network layer and provides for full point-to-point encryption of all communications and transmissions?
- [x] IPSec - [ ] VPN - [ ] SSL - [ ] TLS > Explanation: IPSec is a protocol suite for encrypting and authenticating packets during transmission between two parties and can involve any type of device, application, or service. The protocol performs both the authentication and the negotiation of security policies between the two parties at the start of the connection and then maintains these policies throughout the lifetime of the connection. TLS operates above the transport layer, not at the network layer, and is widely used to secure communications between two parties. SSL is similar to TLS but has been deprecated. Although a VPN allows a secure channel for communications into a private network from an outside location, it's a service built on protocols such as IPSec or TLS, not a protocol itself. #### When data discovery is undertaken, three main approaches or strategies are commonly used to determine a data set's type, format, and composition for the purposes of classification. Which of the following is NOT one of the three main approaches to data discovery? - [ ] Content analysis - [x] Hashing - [ ] Labels - [ ] Metadata > Explanation: Hashing involves taking a block of data and, through the use of a one-way operation, producing a fixed-size value that can be used for comparison with other data. It is used primarily for protecting data and allowing for rapid comparison when matching data values such as passwords. Labels involve looking for header information or other categorizations of data to determine its type and possible classifications. Metadata involves looking at information attributes of the data, such as creator, application, type, and so on, in determining classification. Content analysis involves examining the actual data itself for its composition and classification level. #### There are many situations when testing a BCDR plan is appropriate or mandated. Which of the following would not be a necessary time to test a BCDR plan?
- [ ] After software updates - [x] After regulatory changes - [ ] After major configuration changes - [ ] Annually > Explanation: Regulatory changes by themselves would not trigger a need for new testing of a BCDR plan. Any changes necessary for regulatory compliance would be accomplished through configuration changes or software updates, which in turn would then trigger the necessary new testing. Annual testing is crucial to any BCDR plan. Also, any time major configuration changes or software updates are done, the plan should be evaluated and tested to ensure it is still valid and complete. #### Key maintenance and security are paramount within a cloud environment due to the widespread use of encryption for both data and transmissions. Which of the following key-management systems would provide the most robust control over and ownership of the key-management processes for the cloud customer? - [x] Remote key management service - [ ] Local key management service - [ ] Client key management service - [ ] Internal key management service > Explanation: A remote key management system resides away from the cloud environment and is owned and controlled by the cloud customer. With the use of a remote service, the cloud customer can avoid being locked into a proprietary system from the cloud provider, but it must also ensure that the service is compatible with the services offered by the cloud provider. A local key management system resides on the actual servers using the keys, which does not provide optimal security or control over them. Both "internal key management service" and "client key management service" are provided as distractors. #### Security is a critical yet often overlooked consideration for BCDR planning. At which stage of the planning process should security be involved?
- [x] Scope definition - [ ] Requirements gathering - [ ] Analysis - [ ] Risk assessment > Explanation: Defining the scope of the plan is the very first step in the overall process. Security should be included from the very earliest stages and throughout the entire process. Bringing in security at a later stage can lead to additional costs and time delays to compensate for gaps in planning. Risk assessment, requirements gathering, and analysis are all later steps in the process, and adding in security at any of those points can potentially cause increased costs and time delays. #### Which type of testing uses the same strategies and toolsets that hackers would use? - [ ] Static - [ ] Malicious - [x] Penetration - [ ] Dynamic > Explanation: Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discovery potential vulnerabilities. Although the term malicious captures much of the intent of penetration testing from the perspective of an attacker, it is not the best answer. Static and dynamic are two types of system testing--where static is done offline and with knowledge of the system, and dynamic is done on a live system without any previous knowledge is associated--but neither describes the type of testing being asked for in the question. #### Which of the following statements about Type 1 hypervisors is true? - [ ] The hardware vendor and software vendor are different. - [ ] The hardware vendor and software vendor are the same - [x] The hardware vendor provides an open platform for software vendors. - [ ] The hardware vendor and software vendor should always be different for the sake of security. > Explanation: With a Type 1 hypervisor, the management software and hardware are tightly tied together and provided by the same vendor on a closed platform. This allows for optimal security, performance, and support. The other answers are all incorrect descriptions of a Type 1 hypervisor. 
#### Which format is the most commonly used standard for exchanging information within a federated identity system?
- [ ] XML
- [ ] HTML
- [x] SAML
- [ ] JSON

> Explanation: Security Assertion Markup Language (SAML) is the most common data format for information exchange within a federated identity system. It is used to transmit and exchange authentication and authorization data. XML is similar to SAML, but it's used for general-purpose data encoding and labeling and is not used for the exchange of authentication and authorization data in the way that SAML is for federated systems. JSON is used similarly to XML, as a text-based data exchange format that typically uses attribute-value pairings, but it's not used for authentication and authorization exchange. HTML is used only for encoding web pages for web browsers and is not used for data exchange, and certainly not in a federated system.

#### Which ITIL component is focused on anticipating predictable problems and ensuring that configurations and operations are in place to prevent these problems from ever occurring?
- [ ] Availability management
- [ ] Continuity management
- [ ] Configuration management
- [x] Problem management

> Explanation: Problem management is focused on identifying and mitigating known problems and deficiencies before they are able to occur, as well as on minimizing the impact of incidents that cannot be prevented. Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Configuration management tracks and maintains detailed information about all IT components within an organization.

#### Which of the following areas of responsibility would be shared between the cloud customer and cloud provider within the Software as a Service (SaaS) category?
- [ ] Data
- [ ] Governance
- [ ] Application
- [x] Physical

> Explanation: With SaaS, the application is a shared responsibility between the cloud provider and cloud customer. Although the cloud provider is responsible for deploying, maintaining, and securing the application, the cloud customer does carry some responsibility for the configuration of users and options. Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. With all cloud service categories, the data and governance are always the sole responsibility of the cloud customer.

#### When a system needs to be exposed to the public Internet, what type of secure system would be used to perform only the desired operations?
- [ ] Firewall
- [ ] Proxy
- [ ] Honeypot
- [x] Bastion

> Explanation: A bastion is a system that is exposed to the public Internet to perform a specific function, but it is highly restricted and secured to just that function. Any nonessential services and access are removed from the bastion so that security countermeasures and monitoring can be focused just on the bastion's specific duties. A honeypot is a system designed to look like a production system to entice attackers, but it does not contain any real data. It is used for learning about types of attacks and enabling countermeasures for them. A firewall is used within a network to limit access between IP addresses and ports. A proxy server provides additional security to and rulesets for network traffic that is allowed to pass through it to a service destination.
#### With the rapid emergence of cloud computing, very few regulations were in place that pertained to it specifically, and organizations often had to resort to using a collection of regulations that were not specific to cloud in order to drive audits and policies. Which standard from the ISO/IEC was designed specifically for cloud computing?
- [ ] ISO/IEC 27001
- [ ] ISO/IEC 19889
- [ ] ISO/IEC 27001:2015
- [x] ISO/IEC 27018

> Explanation: ISO/IEC 27018 was implemented to address the protection of personal and sensitive information within a cloud environment. ISO/IEC 27001 and its later 27001:2015 revision are both general-purpose data security standards. ISO/IEC 19889 is an erroneous answer.

#### Which of the following is NOT considered a type of data loss?
- [ ] Data corruption
- [x] Stolen by hackers
- [ ] Accidental deletion
- [ ] Lost or destroyed encryption keys

> Explanation: The exposure of data by hackers is considered a data breach. Data loss focuses on data availability rather than security. Data loss occurs when data becomes lost, unavailable, or destroyed when it should not have been.

#### Which of the following jurisdictions lacks a comprehensive national policy on data privacy and the protection of personally identifiable information (PII)?
- [ ] European Union
- [ ] Asia-Pacific Economic Cooperation
- [x] United States
- [ ] Russia

> Explanation: The United States has a myriad of regulations focused on specific types of data, such as healthcare and financial, but lacks an overall comprehensive privacy law on the national level. The European Union, the Asia-Pacific Economic Cooperation, and Russia all have national privacy protections and regulations for handling the PII data of their citizens.

#### Which component of ITIL involves planning for the restoration of services after an unexpected outage or incident?
- [x] Continuity management
- [ ] Problem management
- [ ] Configuration management
- [ ] Availability management

> Explanation: Continuity management (or business continuity management) is focused on planning for the successful restoration of systems or services after an unexpected outage, incident, or disaster. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Configuration management tracks and maintains detailed information about all IT components within an organization.

#### Which component of ITIL pertains to planning, coordinating, executing, and validating changes and rollouts to production environments?
- [x] Release management
- [ ] Availability management
- [ ] Problem management
- [ ] Change management

> Explanation: Release management involves planning, coordinating, executing, and validating changes and rollouts to the production environment. Change management is a higher-level component than release management and also involves stakeholder and management approval, rather than focusing specifically on the actual release itself. Availability management is focused on making sure system resources, processes, personnel, and toolsets are properly allocated and secured to meet SLA requirements. Problem management is focused on identifying and mitigating known problems and deficiencies before they occur.

#### What process entails taking sensitive data and removing the indirect identifiers from each data object so that the identification of a single entity would not be possible?
- [ ] Tokenization
- [ ] Encryption
- [x] Anonymization
- [ ] Masking

> Explanation: Anonymization is a type of masking, where indirect identifiers are removed from a data set to prevent the mapping back of data to an individual. Although masking refers to the overall approach of covering sensitive data, anonymization is the best answer here because it is more specific to exactly what is being asked. Tokenization involves the replacement of sensitive data with a key value that can be matched back to the real value. However, it is not focused on indirect identifiers or preventing the matching to an individual. Encryption refers to the overall process of protecting data via key pairs and protecting confidentiality.

#### Because cloud providers will not give detailed information out about their infrastructures and practices to the general public, they will often use established auditing reports to ensure public trust, where the reputation of the auditors serves for assurance. Which type of audit reports can be used for general public trust assurances?
- [ ] SOC 2
- [ ] SAS-70
- [x] SOC 3
- [ ] SOC 1

> Explanation: SOC Type 3 audit reports are very similar to SOC Type 2, with the exception that they are intended for general release and public audiences. SAS-70 audits have been deprecated. SOC Type 1 audit reports have a narrow scope and are intended for very limited release, whereas SOC Type 2 audit reports are intended for wider audiences but not general release.

#### Which of the following concepts is NOT one of the core components of an encryption system architecture?
- [ ] Software
- [x] Network
- [ ] Keys
- [ ] Data

> Explanation: The network utilized is not one of the key components of an encryption system architecture. In fact, a network is not even required for encryption systems or the processing and protection of data. The data, the software used for the encryption engine itself, and the keys used to implement the encryption are all core components of an encryption system architecture.

#### For optimal security, trust zones are used for network segmentation and isolation. They allow for the separation of various systems and tiers, each with its own security level. Which of the following is typically used to allow administrative personnel access to trust zones?
- [ ] IPSec
- [ ] SSH
- [x] VPN
- [ ] TLS

> Explanation: Virtual private networks (VPNs) are used to provide administrative personnel with secure communication channels through security systems and into trust zones. They allow staff who perform system administration tasks to have access to ports and systems that are not allowed from the public Internet. IPSec is an encryption protocol for point-to-point communications at the network level, and may be used within a trust zone but not to give access into a trust zone. TLS enables encryption of communications between systems and services and would likely be used to secure the VPN communications, but it does not represent the overall concept being asked for in the question. SSH allows for secure shell access to systems, but not for general access into trust zones.

#### Which of the following is NOT a major regulatory framework?
- [ ] PCI DSS
- [ ] HIPAA
- [ ] SOX
- [x] FIPS 140-2

> Explanation: FIPS 140-2 is a United States certification standard for cryptographic modules, and it provides guidance and requirements for their use based on the requirements of the data classification. However, these are not actual regulatory requirements. The Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS) are all major regulatory frameworks either by law or specific to an industry.

#### As part of the auditing process, getting a report on the deviations between intended configurations and actual policy is often crucial for an organization. What term pertains to the process of generating such a report?
- [ ] Deficiencies
- [ ] Findings
- [x] Gap analysis
- [ ] Errors

> Explanation: The gap analysis determines if there are any differences between the actual configurations in use on systems and the policies that govern what the configurations are expected or mandated to be. The other terms provided are all similar to the correct answer ("findings" in particular is often used to articulate deviations in configurations), but gap analysis is the official term used.

#### An audit scope statement defines the limits and outcomes from an audit. Which of the following would NOT be included as part of an audit scope statement?
- [ ] Reports
- [ ] Certification
- [x] Billing
- [ ] Exclusions

> Explanation: Billing for an audit, or other cost-related items, would not be part of an audit scope statement and would instead be handled prior to the actual audit as part of the contract between the organization and auditors. Reports, exclusions to the scope of the audit, and required certifications on behalf of the systems or auditors are all crucial elements of an audit scope statement.

#### What concept and operational process must be spelled out clearly, as far as roles and responsibilities go, between the cloud provider and cloud customer for the mitigation of any problems or security events?
- [x] Incident response
- [ ] Problem management
- [ ] Change management
- [ ] Conflict response

> Explanation: Incident response is the process through which security or operational issues are handled, including coordination with and communication to the appropriate stakeholders. None of the other terms provided is the correct response.

#### Your new CISO is placing increased importance and focus on regulatory compliance as your applications and systems move into cloud environments. Which of the following would NOT be a major focus of yours as you develop a project plan to focus on regulatory compliance?
- [ ] Data in transit
- [ ] Data in use
- [ ] Data at rest
- [x] Data custodian

> Explanation: The jurisdictions where data is being stored, processed, or consumed are the ones that dictate the regulatory frameworks and compliance requirements, regardless of who the data owner or custodian might be. The other concepts for protecting data would all play a prominent role in regulatory compliance with a move to the cloud environment. Each concept needs to be evaluated based on the new configurations as well as any potential changes in jurisdiction or requirements introduced with the move to a cloud.

AWS - Amazon Web Services