CCSK-Combined

Question 1

What are the five essential characteristics of cloud computing as defined by NIST?

Answer 1

Broad Network AccessRapid ElasticityMeasured ServiceOn-Demand Self ServiceResource Pooling

Question 2

The level of attention and scrutiny paid to enterprise risk assessments should be directly related to what?

Answer 2

The value at risk

Question 3

In the majority of data protection laws, when the data is transferred to a third party custodian, who is ultimately responsible for the security of the data?

Answer 3

The Data Controller

Question 4

What is the most important reason for knowing where the cloud service provider will host the data?

Answer 4

So that it can address the specific restrictions that foreign data protection laws may impose.

Question 5

What are the six phases of the data security lifecycle?

Answer 5

CreateStoreUseShareArchiveDestroy

Question 6

Why is the size of data sets a consideration in portability between cloud service providers?

Answer 6

The sheer size of data may cause an interruption of service during a transition, or a longer transition period than anticipated.

Question 7

What are the four D’s of perimeter security?

Answer 7

DeterDetectDelayDeny

Question 8

In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the customers?

Answer 8

In multiñtenant environments the operator or provider cannot normally accommodate visits by every customer to conduct an audit.

Question 9

What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents?

Answer 9

SaaS providers that generate extensive customerñspecific application logs and provide secure storage as well as analysis facilities will ease the IR burden on the customer.

Question 10

How should an SDLC be modified to address application security in a Cloud Computing environment?

Answer 10

Organizations must adopt best practices for development, either by having a good blend of processes, tools, and technologies of their own or adopting one of the maturity models.

Question 11

What is the most significant reason that customers are advised to maintain inñhouse key management?

Answer 11

To be able to prove that all data has been deleted from the public cloud environment when exiting that environment.

Question 12

What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity?

Answer 12

PII ñ Personal Identifiable InformationSPI ñ Sensitive Personal Information

Question 13

Why do blind spots occur in a virtualized environment, where networkñbased security controls may not be able to monitor certain types of traffic?

Answer 13

Virtual machines may communicate with each other over a hardware backplane, rather than a network.

Question 14

When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?

Answer 14

Agreement on the metrics defining the service level required to achieve regulatory objectives

Question 15

Economic Denial of Service (EDOS), refers to…

Answer 15

The destruction of economic resources; the worst case scenario would be bankruptcy of the customer or a serious economic impact

Question 16

How does SaaS alleviate much of the consumer’s direct operational responsibility?

Answer 16

The provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.

Question 17

In Europe, name the group that has enacted data protection laws and the principles on which they follow.

Answer 17

The European Economic Area (EEA) Member States follow principles set forth in the 1995 European Union (EU) Data Protective Directive and the 2002 ePrivacy Directive as amended in 2009.

Question 18

What is the minimum that U.S. state laws require when using a Cloud Service Provider?

Answer 18

Written contract with the service provider with reasonable security measures.

Question 19

What must be included between an organization and a Cloud Service Provider when the organization has contractual obligations to protect the personal information of their clients, contacts or employees, to ensure that the data are not used for secondary use and are not disclosed to third parties?

Answer 19

The organization must ensure contractually that it will have the continued ability to meet the promises and commitments that it made in its privacy notice(s) or other contracts.

Question 20

What is a clickñwrap agreement?

Answer 20

A nonñnegotiated contract

Question 21

How does an organization respond to the evolving nature of the cloud environment?

Answer 21

Periodic monitoring, testing, and evaluation of the services.

Question 22

What must a U.S. litigant provide during eñdiscovery?

Answer 22

All documents that pertain to the case whether favorable to its case or the other litigant’s case.

Question 23

What is ESI?

Answer 23

Electronically Stored Information

Question 24

What are four considerations for a cloud customer to understand in reference to regulatory compliance?

Answer 24

ñ Crossñborder or multiñjurisdictionñ Assignment of compliance responsibilities including the CSP’s providersñ CSP capability to show complianceñ Relationship between all parties including customer, CSP, auditors and CSP’s providers

Question 25

What role do audits perform in the cloud relationships?

Answer 25

Audits must be independently conducted and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.

Question 26

At what stage should compliance be addressed between an organization and CSP?

Answer 26

Requirements identification stage

Question 27

What is multiñtenancy?

Answer 27

Use of same resources or application by multiple customers that may belong to the same organization or a different organization.

Question 28

What does a cloud service model need to include for multiñtenancy consumers?

Answer 28

Policyñdriven enforcementSegmentationIsolationGovernanceService LevelsChargeback/billing models

Question 29

What services can be shared in multiñtenancy cloud service models?

Answer 29

InfrastructureDataMetadataServicesApplications

Question 30

What three cloud services make up the Cloud Reference Model?

Answer 30

Infrastructure as a Service (IaaS)Platform as a Service (PaaS)Software as a Service (SaaS)

Question 31

Define IaaS

Answer 31

IaaS delivers computer infrastructure as a service along with raw storage and networking.

Question 32

Define PaaS

Answer 32

PaaS delivers computing platform and solution stack as a service.

Question 33

Define SaaS

Answer 33

SaaS delivers software and its associated data hosted centrally typically in the cloud and are usually accessed by users via a web browser over the Internet.

Question 34

List the four dimensions in the Jericho Cloud Cube Model

Answer 34

ñ Internal (I) / External (E): Physical Locationñ Proprietary (P) / Open (O): State of Ownership ñ Perimeterised (Per) / Deñperimeterised (Dñp): Architectural mindsetñ Insourced / Outsourced: Who provides the cloud service

Question 35

List the four cloud deployment models

Answer 35

PublicPrivate ñ internal/externalHybridCommunity

Question 36

What is the key takeaway for security architecture?

Answer 36

The lower down the stack the CSP stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.

Question 37

What are the risks and pitfalls to consider in the Cloud Security Reference Model?

Answer 37

ñ How / where cloud service are deployedñ Manner in which cloud services are consumedñ Reñperimeterization of enterprise networksñ Types of assets, resources and information being managedñ Who manages them and howñ Which controls are selected and how they are integratedñ Compliance issues

Question 38

How do you determine the general security posture of a service and how it relates to an asset’s assurance and protection requirements?

Answer 38

ñ Classify a cloud service against the cloud architectural modelñ Map the security architecture and business, regulatory, and other compliance requirements as a gapñanalysis exercise

Question 39

What do cloud service brokers provide?

Answer 39

ñ Intermediationñ Monitoringñ Transformation/portabilityñ Governanceñ Provisioningñ Integration servicesñ Relationship negotiation between CSP and consumers

Question 40

What are included in a Service Level Agreement (SLA)?

Answer 40

ñ Service levelsñ Securityñ Governanceñ Complianceñ Liability expectations of the service and provider

Question 41

What are two types of Service Level Agreements (SLA)?

Answer 41

NegotiableNonñnegotiable

Question 42

Name the five basic principles followed in Corporate Governance.

Answer 42

ñ Auditing supply chainsñ Board and management structure and processñ Corporate responsibility and complianceñ Financial transparency and information disclosureñ Ownership structure and exercise of control rights

Question 43

Define Corporate Governance

Answer 43

The set of processes, technologies, customs, policies, laws and institutions affecting the way an enterprise is directed, administered or controlled.

Question 44

Define Information Risk Management

Answer 44

The process of identifying and understanding exposure to risk and the capability of managing it, aligned with the risk appetite and tolerance of the data owner.

Question 45

Define Enterprise Risk Management

Answer 45

The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.

Question 46

List four of the specific risks identified and analyzed by management in a cloud environment.

Answer 46

ñ Avoidance: exiting the activities giving rise to riskñ Reduction: taking action to reduce the likelihood or impact related to the riskñ Share or insure: transferring or sharing a portion of the risk to finance itñ Accept: no action is taken due to a cost/benefit decision

Question 47

What should be specifically targeted in the assessment of a CSP’s third party service providers?

Answer 47

ñ Incident managementñ Business continuityñ Disaster recovery policies, processes and proceduresñ Review of coñlocation and backñup facilities

Question 48

What is a CSP’s supply chain?

Answer 48

Their service provider relationships and dependencies

Question 49

How should the cost savings obtained by cloud computing services be utilized?

Answer 49

Reinvest into increased scrutiny of the security capabilities of the provider, application of security controls, and ongoing detailed assessments and audits to ensure requirements are continuously met.

Question 50

Define Public Cloud

Answer 50

The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Question 51

Define Private Cloud

Answer 51

The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located onñpremise or offñpremise.

Question 52

Define Community Cloud

Answer 52

The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy or compliance considerations). It may be managed by the organizations or by a third party and may be located onñpremise or offñpremise.

Question 53

Define Hybrid Cloud

Answer 53

The cloud infrastructure is a composition of two or more clouds (private, community of public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for loadñbalancing between clouds).

Question 54

Define Cloud Bursting

Answer 54

Where an enterprise shares the load with external cloud providers to meet peak demands

Question 55

In most jurisdictions in the U.S., what types of information are a party obligated to produce?

Answer 55

Documents and data within its possession, custody or control.

Question 56

What types of data hosted by a CSP could be outside the control of a client?

Answer 56

ñ Disaster recovery systemsñ Certain metadata created and maintained by the CSP to operate its environment

Question 57

What should a client account for during eñdiscovery?

Answer 57

Additional time and expense where a client may not have the ability or administrative rights to search or access all of the data hosted in the cloud.

Question 58

In the U.S. what is generally considered to be the obligation of a client who knows or reasonably should know is relevant to a pending or reasonably anticipated litigation or government investigation?

Answer 58

To undertake reasonable steps to prevent the destruction or modification of data or information in its possession, custody or control.

Question 59

Who is held liable for acts of a subcontractor?

Answer 59

Government agencies, such as the FTC or the state Attorney General, have consistently held organizations liable for the activities of their subcontractors.

Question 60

What does the GLBA and HIPAA require between an organization and their subcontractor?

Answer 60

The security and privacy rules require organizations to compel their subcontractors in written contracts to use reasonable security measures and comply with data privacy provisions.

Question 61

What two general categories do assets supported by the cloud fall into?

Answer 61

1. Data2. Applications/Functions/Process

Question 62

What is the first step in evaluating risk for the cloud?

Answer 62

Determine exactly what data or function is being considered for the cloud.

Question 63

What is the second step in evaluating risk for the cloud?

Answer 63

Determine how important the data or function is to the organization.

Question 64

For each asset, what three areas are assessed if all or part of the asset is handled in the cloud?

Answer 64

1. Confidentiality2. Integrity3. Availability requirements

Question 65

For each asset, what six areas are examined in how the organization would be harmed if all or part of the asset is handled in the cloud?

Answer 65

1. If the asset became widely public and widely distributed2. If an employee of the cloud provider accessed the asset3. If the process or function were manipulated by an outsider4. If the process or function failed to provide expected results5. If the information/data were unexpectedly changed6. If the asset were unavailable for a period of time

Question 66

What is the third step in evaluating risk for the cloud?

Answer 66

Determine which deployment models are best suited to the organization

Question 67

What is the fourth step in evaluating risk for the cloud?

Answer 67

Evaluate potential cloud service providers

Question 68

How do you prevent scope creep?

Answer 68

Determine potential uses of the data or function being considered for the cloud.

Question 69

Define cloud computing

Answer 69

A model for enabling ubiquitous, convenient, onñdemand network access to a shared pool of configurable computing resources.

Question 70

Define multiñtenancy in cloud service models

Answer 70

The need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies.

Question 71

Name two mechanisms to automate monitoring and testing of cloud supply chains.

Answer 71

ñ Cloud Auditñ Cloud Trust Protocol

Question 72

______ is the foundation of all cloud services as described in the Cloud Reference Model.

Answer 72

IaaS

Question 73

The Jericho Cloud Cube Model is based upon ____dimensions?

Answer 73

4

Question 74

The notion of how cloud services are ______ is often used interchangeably with where they are _______, which can lead to confusion.

Answer 74

Deployed, provided

Question 75

Amazon’s AWS EC2_______________ offering includes vendor responsibility for security up to the hypervisor.

Answer 75

Infrastructure as a service

Question 76

___________as a service provides a set of API’s, which allows management and other forms of interaction with the ______________ by consumers.

Answer 76

Infrastructure

Question 77

____ sits on top of _____ and adds an additional layer of integration with application development frameworks, middleware capabilities, and functions such as database, messaging, and queuing.

Answer 77

PaaS, IaaS

Question 78

Public or private clouds may be described as ____________, which may not be accurate in all situations.

Answer 78

External or internal

Question 79

The_________ and the erosion of trust boundaries already happening in the enterprise is amplified and accelerated by cloud computing.

Answer 79

Re-perimeterization

Question 80

A LAMP stack deployed on Amazon’s AWS EC2 would be classified as a public, off-premise, third-party managed _____ solution.

Answer 80

IaaS

Question 81

The Cloud Cube Model highlights the challenges of understanding and mapping cloud models to control frameworks and standards such as ____________

Answer 81

ISO/IEC 27002

Question 82

Security controls in cloud computing are ______________ security controls in any IT environment.

Answer 82

No different than

Question 83

An effective governance and enterprise risk management cloud computing program flows from well-developed information security governance processes as part of the organization’s overall corporate governance obligations to _______.

Answer 83

Due care

Question 84

For many cloud deployments, a major element of governance will be the agreement between__________________

Answer 84

Provider and customer.

Question 85

_______ is the set of processes, technologies, customs, policies, laws, and institutions affecting the way an enterprise is directed, administered or controlled.

Answer 85

Corporate governance

Question 86

Good governance is based on the acceptance of the rights of __________ as the true owners of the corporation, and the role of senior management as trustees.

Answer 86

Shareholders

Question 87

If that results in less confidence in a particular vendor, then further engagement with that vendor is_____

Answer 87

Less likely

Question 88

Stakeholders should carefully consider the _____________________that are appropriate and necessary for the company’s consistent performance and growth.

Answer 88

Monitoring mechanisms

Question 89

In a cloud environment, technologist selects a risk response strategy for specific risks identified and analyzed, which is typically_______.

Answer 89

Reduction

Question 90

Assessment of third party service providers should specifically target the provider’s ___________.

Answer 90

Incident management

Question 91

Reinvest the cost savings obtained by cloud computing services into __________________capabilities of the provider, application of security controls, and ongoing detailed assessments and audits to ensure requirements are continuously met.

Answer 91

Increased scrutiny of the security

Question 92

Each of these laws includes a security requirement and places on the __________ the burden of ensuring the protection and security of personal data wherever the data are located, and especially when transferring to a third party.

Answer 92

Data custodian

Question 93

PCI applies to credit card data anywhere in the world, including data processed by subcontractors has similar requirements to other regulatory bodies.

Answer 93

PCI

Question 94

When data is transferred to a cloud, the ultimate responsibility for protecting and securing the data typically remains with the ______________, even if in some circumstances, this responsibility may be shared with others.

Answer 94

Data owner

Question 95

Before entering into a cloud computing arrangement, the most important issue a company should evaluate is _____________associated with a proposed cloud computing transaction.

Answer 95

Compliance requirements

Question 96

Depending on the nature of the services, the contract may commonly be in the form of a _____________ agreement, which is never negotiated.

Answer 96

Click-wrap

Question 97

One of the particularities of the ________ judicial system - in great contrast to most other countries - is that a litigant must provide its adversary with ALL documents that pertain to the case.

Answer 97

American

Question 98

In certain litigations and investigations, the ___________ could itself be relevant to resolving the dispute in the litigation or investigation.

Answer 98

Cloud application

Question 99

_____________________ can require that large volumes of data be retained for extended periods.

Answer 99

Preservation

Question 100

________ of a cloud data source is generally difficult or impossible.

Answer 100

Bit-by-bit imaging

Question 101

All stakeholders expect organizations to proactively comply with regulatory guidelines and requirements across multiple _________.

Answer 101

Jurisdictions

Question 102

______ is focused on aligning with external requirements while _______ is focused on aligning with internal requirements.

Answer 102

Compliance, governance

Question 103

By leveraging cloud services, sub-scale organizations can achieve ___________of compliance as much larger and highly resources entities.

Answer 103

The same level

Question 104

The role of __________________ needs to be carefully considered, and responsibility for including them in governance, indirectly or directly, should be explicitly assigned within the customer organization.

Answer 104

External providers

Question 105

Audit must be____________________ and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards.

Answer 105

Independently conducted

Question 106

Particularly important to outsourcing and regulations is __________ requirements and obligations.

Answer 106

Chained

Question 107

Any information processed, transmitted, stored, or viewed that is identified as_______________ information faces a plethora of compliance regulation worldwide that may vary country or state.

Answer 107

Personal Identifiable Information

Question 108

____________ is a technique that is commonly used to improve data security, but without the use of encryption mechanisms.

Answer 108

Data Dispersion

Question 109

The Data Security Lifecycle in order is

Answer 109

Create, Store, Use, Share, Archive, Destroy

Question 110

Unlike with _________ the goal isn’t to label every piece of data in the organization, but rather to define high-level categories.

Answer 110

Data classification

Question 111

File Activity Monitoring provides similar protection to _________________.

Answer 111

Database Activity Monitoring

Question 112

In cloud deployments, and throughout the different service models, it’s important to protect data in transit. This includes:

Answer 112

Between cloud vendors

Question 113

________ mandates that those components should be replaceable by new or different components from different providers and continue to work, as should the exchange of data between systems.

Answer 113

Interoperability

Question 114

A lack of interoperability can lead to __________.

Answer 114

Lock-in

Question 115

Using open standards for Identity such as ________________ will help to ensure portability.

Answer 115

SAML

Question 116

Encryption keys should be escrowed _______________.

Answer 116

Locally

Question 117

_______________ may cause an interruption of service during a transition, or a longer transition period than anticipated.

Answer 117

The size of data

Question 118

A common scenario is “___________”, where an enterprise shares the load with external cloud providers to meet peak demands.

Answer 118

Cloud bursting

Question 119

The Four D’s of Perimeter Security consists of _____________.

Answer 119

Deter, Detect, Delay and Deny

Question 120

Segregation of duties originated in _________.

Answer 120

Accounting and financial management

Question 121

The data center should be equipped with specific environmental support equipment according to published internal standards such as:

Answer 121

Uninterruptible power supply

Question 122

The composition of the Emergency Response Team, Crisis Management Team and Incident response team should be reviewed in detail along with ________

Answer 122

Crisis communication procedure

Question 123

The Restoration plan should incorporate and quantify the _____

Answer 123

Recovery Point Objective

Question 124

Cloud providers should consider adopting as a security baseline the______________ requirements of any customer, such that systems, facilities, and procedures are at a system high level.

Answer 124

Most stringent

Question 125

Organizations building cloud data centers should incorporate management processes, practices, and software to understand and react to technology running _______.

Answer 125

Inside the data center

Question 126

Given the controls in the Cloud Control Matrix the data center being built or purchased must conform to _____.

Answer 126

Physical and asset security requirements

Question 127

Use _________ techniques to ensure availability, security, and asset delivery and management.

Answer 127

IT service management

Question 128

Cloud computing does not necessitate a new conceptual framework for Incident Response; rather it requires that the organization appropriately_________

Answer 128

Maps its extant IR

Question 129

________offered by cloud infrastructures, may dramatically complicate the IR process, especially the forensic activities carried out as part of the incident analysis.

Answer 129

Resource pooling

Question 130

In a ____ solution, response activities will likely reside almost entirely with the CSP, whereas in ____ a greater degree of responsibility and capability for detecting and responding to security incidents may reside with the customer.

Answer 130

SaaS, IaaS

Question 131

The most important part of preparing for an incident is ____ the plan.

Answer 131

Testing

Question 132

_____________ examines the code as it executes in a running cloud application.

Answer 132

Dynamic code analysis

Question 133

The type of cloud model has a huge impact on the penetration testing or in deciding if penetration test is possible. Generally,__are likely to permit penetration testing.

Answer 133

SaaS, PaaS

Question 134

Often user authentication and authorization is delegated to the customer’s user management system using a ______ standard.

Answer 134

Federation

Question 135

____________________ refers to establishing/asserting the identity to the application.

Answer 135

Authentication

Question 136

The user determines the access for their resources, and the service provider acts as ____________

Answer 136

Policy Enforcement Point

Question 137

For unstructured files that must be protected when stored or shared in the cloud use data-centric encryption you should ___

Answer 137

Apply protection directly to files

Question 138

_____ can be avenues for data leakage.

Answer 138

Log files and metadata

Question 139

When choosing encryption, Use open, validated formats and avoid__________________ wherever possible.

Answer 139

Proprietary encryption formats

Question 140

As the industry expands identity systems from single computers into global enterprises and then into cloud deployment models, the ability to identify all the entities involved in a transaction become significantly more difficult. This is a _

Answer 140

Scaling problem

Question 141

_____ is the interconnection of disparate Directories Services.

Answer 141

Federation

Question 142

The PDP and PEP will be part of an authorization eco-system that uses

Answer 142

XACML

Question 143

In most cloud based systems, the Authorization layer is likely to be a _______ or the point that evaluates and issues authorization decisions, and the Access Management layer, the____, the point that enforces the___’s decision.

Answer 143

PDP, PEP, PDP

Question 144

Implementers should, where possible, use federation based on open standards such as _________

Answer 144

SAML and Oauth

Question 145

The primary concerns for enterprises and virtualization users should be ____

Answer 145

The proper management of configuration and operations

Question 146

Virtual machines may communicate with each other over _______, rather than a network.

Answer 146

A hardware backplane

Question 147

Installing security software designed for physical servers onto a virtualized server can result in _____

Answer 147

Degradation in performance

Question 148

When a VM is moved from one physical server to another, enterprises need assurances that no bits are left behind on the disk that could be recovered by another user or when the disk is de-provisioned. _______are solutions to this problem.

Answer 148

Zeroing or encryption

Question 149

Implement data automated discovery and labeling solutions to augment the data classification and control between virtual machines and environments. This is better know as:

Answer 149

DLP

Question 150

Security in the cloud environment is often based on the concern that_____ security controls implemented means systems are not locked down as well as they are in traditional data centers.

Answer 150

Lack of visibility into

Question 151

Security as a Service providers recognize the _____ of the relationship and often go to extreme lengths to ensure that their environment is locked down as much as possible.

Answer 151

Fragility

Question 152

_______ presents concerns of data leakage between virtual instances.

Answer 152

Multi-tenancy

Question 153

Companies that employ third party security service providers gain a competitive edge over their peers due to ____

Answer 153

Early access to information

Question 154

Due to the ______________ delivered via the cloud, customers need only pay for the amount of security they require.

Answer 154

Elastic model of services

Question 155

Isolation Failure is due to

Answer 155

Shared resources

Question 156

An attacker uses a public channel to use up the customer’s metered resources from the cloud, this is a(n)

Answer 156

EDOS

Question 157

Licensing conditions, such as _______ may become unworkable in a cloud environment.

Answer 157

Per-seat agreements, and online licensing checks

Question 158

The ability of the cloud provider to dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc., to defend against:

Answer 158

DDOS

Question 159

The five key legal issues common across all scenarios according to ENISA are

Answer 159

Data protection, Confidentiality, Intellectual property, Professional negligence, Outsourcing services

Question 160

We do not recommend that the customer look to be able to restrict ________by the cloud provider.

Answer 160

The outsourcing of services