CCSP Domain 1: Cloud Concepts, Architecture (Mike Chapple, 3rd Edition) Flashcards

1
Q

Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthew's company. What cloud deployment model is being used?

A. Hybrid cloud
B. Public Cloud
C. Private cloud
D. Community Cloud

A

B. Public Cloud

Explanation:
The key to answering this question is recognizing that the multitenancy model involves many different customers accessing cloud resources hosted on shared hardware. That makes this a public cloud deployment, regardless of the fact that access to a particular server instance is limited to Matthew's company. In a private cloud deployment, only Matthew's company would have access to any resources hosted on the same physical hardware. This is not multitenancy. There is no indication that Matthew's organization is combining resources of public and private cloud computing, which would be a hybrid cloud, or that the resource use is limited to members of a particular group, which would be a community cloud.

2
Q

Zeke is responsible for sanitizing a set of SSDs removed from servers in his organization's datacenter. The drives will be reused on a different project. Which of the following sanitization techniques would be most effective?

A. Cryptographic erasure
B. Physical destruction
C. Degaussing
D. Overwriting

A

A. Cryptographic erasure

Explanation:
A cryptographic erasure is a strong sanitization technique that involves encrypting the data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the resulting keys of the second round of encryption. This technique is effective on both magnetic drives and SSDs. Degaussing and overwriting are not effective on SSDs. Physical destruction would effectively sanitize the media but would prevent Zeke from reusing the drives.

3
Q

Tina would like to use technology that will allow her to bundle up workloads and easily move them between different operating systems. What technology would best meet this need?

A. Virtual machines
B. Serverless computing
C. Hypervisors
D. Containers

A

A. Virtual machines

Explanation:
Containers do not provide easy portability because they are dependent upon the host OS. Hypervisors are used to host virtual machines on a device, so that is another incorrect answer. Serverless computing is a PaaS model that allows customers to run their own code on the provider's platform without provisioning servers, so that is also incorrect. Virtual machines are self-contained and have their own internal OS, so it is possible to move them between different host OSs.

4
Q

Under the cloud reference architecture, which one of the following activities is not generally part of the responsibilities of the customer?

A. Monitor services
B. Prepare systems
C. Perform business administration
D. Handle problem reports

A

B. Prepare systems

Explanation:
Under the cloud reference architecture, the activities of customers are to use cloud services, perform service trials, monitor services, administer service security, provide billing and usage reports, handle problem reports, administer tenancies, perform business administration, select and purchase services, and request audit reports. Preparing systems is one of the responsibilities of cloud service providers.

5
Q

Seth is helping his organization move their web server cluster to a cloud provider. The goal of this move is to provide the cluster with the ability to grow and shrink based on changing demand. What characteristic of cloud computing is Seth hoping to achieve?

A. Scalability
B. On Demand Self Service
C. Elasticity
D. Broad network access

A

C. Elasticity

Explanation:
The reality is that Seth will likely achieve all of these goals, but the most relevant one is elasticity. Elasticity refers to the ability of a system to dynamically grow and shrink based on the current level of demand. Scalability refers to the ability of a system to grow as demand increases but does not require the ability to shrink.

6
Q

Sherry is deploying a zero trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?

A. User Identity
B. IP Address
C. Geolocation
D. Nature of requested access

A

B. IP Address

Explanation:
The defining characteristic of zero trust network architecture is that trust decisions are not based on network location, such as IP address. It is appropriate to use other characteristics such as a user's identity, the nature of the requested access, and the user's geographic (not network) location.

7
Q

Which one of the following hypervisor models is the most resistant to attack?

A. Type 1
B. Type 2
C. Type 3
D. Type 4

A

A. Type 1

Explanation:
If a cloud provider is able to choose between types of hypervisors, the bare-metal (Type 1) hypervisor is preferable to the hypervisor that runs on top of the OS (Type 2) because it offers less attack surface. Type 3 and Type 4 hypervisors do not exist.

8
Q

Joe is using a virtual server instance running on a public cloud provider and would like to restrict the ports on that server accessible from the internet. What security control would best allow him to meet this need?

A. Geofencing
B. Traffic inspection
C. Network firewall
D. NSGs

A

D. NSGs

Explanation:
NSGs provide functionality equivalent to network firewalls for cloud-hosted server instances. They allow the restriction of traffic that may reach a server instance. Joe would not be able to modify the network firewall rules because those are only available to the cloud provider.
Geofencing would restrict the geographic locations from which users may access the servers, which is not Joe's requirement.
Traffic inspection may be used to examine the traffic reaching the instance but is not normally used to create port-based restrictions.

9
Q

Which of the following cybersecurity threats is least likely to directly affect an object storage service?

A. Disk failure
B. User error
C. Ransomware
D. Virus

A

D. Virus

Explanation:
Object storage services are susceptible to disk failures and user error that may unintentionally destroy or modify data. They are also vulnerable to ransomware attacks that infect systems with access to the object store and then encrypt data stored on the service. They are unlikely to be affected by traditional viruses because they do not have a runtime environment.

10
Q

Vince would like to be immediately alerted whenever a user with access to a sensitive cloud service leaves a defined physical area. What type of security control should he implement?

A. Intrusion prevention system
B. Geofencing
C. Firewall Rule
D. Geotagging

A

B. Geofencing

Explanation:
Geofencing may be used to trigger actions, such as an alert, when a user or device leaves a defined geographic area. Firewalls and intrusion prevention systems may incorporate geographic information into their decision-making processes but would not provide the immediate notification that Vince desires. Geotagging simply annotates log records or other data with the geographic location of the user performing an action but does not directly provide alerting based on geographic location.

11
Q

Which of the following characteristics is not a component of the standard definition of cloud computing?

A. Broad network access
B. Rapid provisioning
C. Multitenancy
D. On Demand Self Service

A

C. Multitenancy

Explanation:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition does not include multitenancy, which is a characteristic of public cloud computing but not of all cloud computing models.

12
Q

Which one of the following sources provides a set of vendor-neutral design patterns for cloud security?

A. Cloud Security Alliance
B. AWS
C. Microsoft
D. (ISC)2

A

A. Cloud Security Alliance

Explanation:
CSA provides an enterprise architecture reference guide that offers vendor-neutral design patterns for cloud security. AWS and Microsoft do provide cloud patterns, but they are specific to the service offerings of those vendors.

13
Q

Lori is using an API to access sensitive information stored in a cloud service. What cloud secure data lifecycle activity is Lori engaged in?

A. Store
B. Use
C. Destroy
D. Create

A

B. Use

Explanation:
The use of an API is an example of accessing data programmatically during the Use phase of the lifecycle. If Lori were simply placing data into a cloud service or maintaining data there, that would be an example of the Store phase. Lori is not creating or destroying data; she is simply using the data that is already stored in the cloud service.

14
Q

Helen would like to provision a disk volume in the cloud that is mountable from a server. What cloud capability does she want?

A. Virtualized server
B. Object storage
C. Network capacity
D. Block storage

A

D. Block storage

Explanation:
This is an example of block storage, storage that is available as disk volumes. Object storage maintains files in buckets. Virtualized servers are compute capabilities, not storage capabilities. Network capacity is used to connect servers to each other and to the internet and is not used for the storage of data.

15
Q

Ben is using the sudo command to carry out operations on a Linux server. What type of access is he using?

A. Service access
B. Unauthorized access
C. User access
D. Privileged Access

A

D. Privileged Access

Explanation:
The sudo command allows a normal user account to execute administrative commands and is an example of privileged access, not standard user access. There is no indication in the scenario that Ben lacks proper authorization for this access. Service access is the access to resources by system services, rather than by individual people.

16
Q

Which one of the cryptographic goals protects against the risks posed when a device is lost or stolen?

A. Nonrepudiation
B. Authentication
C. Integrity
D. Confidentiality

A

D. Confidentiality

Explanation:
The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against this risk. Nonrepudiation is when the recipient of a message can prove the originator's identity to a third party. Authentication is a means of proving one's identity. Integrity demonstrates that information has not been modified since transmission.

17
Q

What type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?

A. Quantitative
B. Qualitative
C. Annualized Loss Expectancy
D. Single Loss Expectancy

A

B. Qualitative

Explanation:
Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale and reputation. Quantitative tools, such as the computation of annualized loss expectancies and single loss expectancies, are only appropriate for easily quantifiable risks.

18
Q

Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

A. It has been functionally tested
B. It has been structurally tested
C. It has been formally verified, designed and tested
D. It has been semi formally designed and tested

A

B. It has been structurally tested

Explanation:
EAL2 assurance applies when the system has been structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.

19
Q

Jake would like to use a third party platform to automatically move workloads between cloud service providers. What type of tool would best meet this need?

A. Cloud access service
B. Database
C. Virtualization
D. Orchestration

A

D. Orchestration

Explanation:
Orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers. Virtualization platforms allow a cloud provider to host virtual server instances, but they do not provide the ability to migrate workloads between different providers. Databases are a cloud service offering that allows for the organized storage of relational data. Cloud access service brokers (CASBs) allow for the consistent enforcement of security policies across cloud providers.

20
Q

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his action?

A. HIPAA
B. PCI DSS
C. SOX
D. GLBA

A

B. PCI DSS

Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing and transmission of credit card information. HIPAA governs protected health information. The SOX Act regulates the financial reporting of publicly traded corporations. The Gramm-Leach-Bliley Act (GLBA) protects personal financial information.

20
Q

What type of effort attempts to bring all of an organization's cloud activities under more centralized control?

A. Cloud access service broker
B. Cloud orchestration
C. Cloud governance
D. Cloud migration

A

C. Cloud governance

Explanation:
Cloud governance programs try to bring all of an organization's cloud activities under more centralized control. They serve as a screening body, helping to ensure that cloud services used by the organization meet technical, functional and security requirements. They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment. Cloud orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers.

21
Q

Chris is designing a cryptographic system for use within his company. The company has 1000 employees, and they plan to use an asymmetric encryption system. They would like the system to be set up so that any pair of arbitrary users may communicate privately. How many total keys will they need?

A. 500
B. 1000
C. 2000
D. 4950

A

C. 2000

Explanation:
Asymmetric cryptosystems use a pair of keys for each user. In this case, with 1000 users, the system will require 2000 keys.

22
Q

Erin is concerned about the risk that a cloud provider used by her organization will fail, so she is creating a strategy that will combine resources from multiple public cloud providers. What term best describes this strategy?

A. Community Cloud
B. Multicloud
C. Private Cloud
D. Hybrid cloud

A

B. Multicloud

Explanation:
The use of multiple public cloud providers to achieve diversity is known as a multicloud strategy. That is the scenario that Erin is creating. Community clouds are shared cloud resources open to members of an affinity group. Private cloud resources are limited to the use of a single organization. Hybrid

23
Q

Which one of the following would normally be considered an application capability of a cloud service provider?

A. Network capacity
B. Hosted email
C. Block storage
D. Serverless computing

A

B. Hosted email

Explanation:
Email is an application-level service that is offered by cloud providers as a SaaS capability. Block storage and network capacity are IaaS offerings and are infrastructure capabilities. Serverless computing is a PaaS offering and is a platform capability.

24
Q

What activity are cloud providers able to engage in because not all users will access the full capacity of their service offering simultaneously?

A. Oversubscription
B. Overprovisioning
C. Underprovisioning
D. Undersubscription

A

A. Oversubscription

Explanation:
Oversubscription means that cloud providers can sell customers a total capacity that exceeds the actual physical capacity of their infrastructure, because in the big picture, customers will never use all of that capacity simultaneously. Undersubscription would be when a cloud provider does not sell all of their available capacity, and this would not require that users not access services simultaneously. Overprovisioning occurs when a customer (not a service provider) purchases more capacity than they need. Similarly, underprovisioning occurs when a customer does not purchase enough capacity to meet their needs.

25
Q

Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own datacenter but also leverages an IaaS provider for hosting its web services and a SaaS email system. What term best describes the type of cloud environment this organization uses?

A. Public cloud
B. Dedicated cloud
C. Private cloud
D. Hybrid cloud

A

D. Hybrid cloud

Explanation:
The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment.

26
Q

In an IaaS environment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service?

A. Customer's security team
B. Customer's storage team
C. Customer's vendor management team
D. Vendor

A

D. Vendor

Explanation:
In an IaaS environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customer's responsibility to validate that the vendor's sanitization procedures meet their requirements prior to utilizing the vendor's storage services.

27
Q

Lucca is reviewing his organization's disaster recovery process data and notes that the MTD for the business's main website is two hours. What does he know about the RTO for the site when he does testing and validation?

A. It needs to be less than two hours
B. It needs to be at least two hours
C. The MTD is too short and needs to be longer
D. The RTO is too short and needs to be longer

A

A. It needs to be less than two hours

Explanation:
When Lucca reviews the recovery time objective (RTO) data, he needs to ensure that the organization can recover from an outage in less than two hours, based on the maximum tolerable downtime (MTD) of two hours.

28
Q

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

When Bob receives an encrypted message from Alice, what key does he use to decrypt the plaintext message's contents?

A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bob's private key

A

D. Bob's private key

Explanation:
The recipient of a message that was encrypted using asymmetric cryptography always decrypts that message using their own private key. The sender of the message previously encrypted it using the recipient's public key. The sender's public and private keys are not used in this process.

29
Q

Jen works for an organization that assists other companies in moving their operations from on-premises datacenters to the cloud. Jen's company does not operate its own cloud services but assists in the use of services offered by other organizations. What term best describes the role of Jen's company?

A. Cloud service customer
B. Cloud service partner
C. Cloud service provider
D. Cloud Service broker

A

B. Cloud service partner

Explanation:
Jen's organization is a cloud service partner, an organization that helps cloud service customers use the services offered by cloud service providers. In this case, Jen's clients are cloud service customers, and they are moving to services offered by cloud service providers. Cloud service brokers are cloud service providers who offer a managed identity and access management service to cloud customers that integrates security requirements across cloud services.

30
Q

Carla is selecting a hardware security module (HSM) for use by her organization. She is employed by an agency of the US federal government and must ensure that the technology she chooses meets applicable federal standards for cryptographic systems. What publication would best help her determine these requirements?

A. NIST 800-53
B. NIST 800-171
C. Common Criteria
D. FIPS 140-2

A

D. FIPS 140-2

Explanation:
NIST 800-53 provides general cybersecurity standards for federal agencies, whereas NIST 800-171 applies specifically to the use of controlled unclassified information (CUI). The Common Criteria (CC) provide a certification process for hardware and software products. However, the most relevant standard is FIPS 140-2, the security requirements for cryptographic modules. This guidance is specific to the cryptographic requirements of systems such as HSMs and would have the most directly relevant guidance.

31
Q

Ryan is reviewing the design of a new service that will use several offerings from a cloud service provider. The design depends on some unique features offered only by that provider. What should concern Ryan the most about the fact that these service features are not available from other providers?

A. Vendor lock-in
B. Interoperability
C. Auditability
D. Confidentiality

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 7). Wiley. Kindle Edition.

A

A. Vendor lock-in

Explanation:
The greatest risk in this situation is that the service offering will depend on features provided only by a single vendor, preventing Ryan's organization from moving to a different vendor and locking them into their current provider. Interoperability is the concern that services should be able to integrate and work well together. There is no indication that interoperability is at risk in this scenario. There is also no indication that the use of this vendor creates any special auditability or confidentiality concerns.

32
Q

Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

A. It has been functionally tested.
B. It has been methodically tested and checked.
C. It has been methodically designed, tested, and reviewed.
D. It has been formally verified, designed, and tested.

A

D. It has been formally verified, designed, and tested.

Explanation:
EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed and tested.

33
Q

Which one of the following technologies provides the capability of creating a distributed, immutable ledger?

A. Quantum computing
B. Blockchain
C. Edge computing
D. Confidential computing

A

B. Blockchain

Explanation:
The blockchain is a technology that uses cryptography to create a distributed, immutable ledger. It is the technical foundation behind cryptocurrency and many other applications.

34
Q

Which one of the following systems assurance processes provides an independent third-party evaluation of a system’s controls that may be trusted by many different organizations?

A. Planning
B. Definition
C. Verification
D. Accreditation

A

C. Verification

Explanation:
The verification process is similar to the certification process in that it validates controls. Verification may go a step further by involving a third-party testing service and compiling results that may be trusted by many different organizations.

Accreditation is the act of management formally accepting an evaluated system, not evaluating the system itself.

35
Q

Which one of the following would be considered an example of infrastructure as a service cloud computing?

A. Payroll system managed by a vendor and delivered over the web
B. Application platform managed by a vendor that runs customer code
C. Servers provisioned by customers on a vendor-managed virtualization platform
D. Web-based email service provided by a vendor

A

C. Servers provisioned by customers on a vendor-managed virtualization platform

Explanation:
One of the core capabilities of IaaS is providing servers on a vendor-managed virtualization platform.

36
Q

Which of the following is not a factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected

A

D. Branding associated with which cloud provider might be selected

Explanation:
The brand associated with the cloud provider should not influence the cost-benefit analysis; the cloud provider's brand (and even which cloud provider an organization uses) will most likely not even be known to the consumers who have a business relationship with the organization.

37
Q

Barry has a temporary need for massive computing power and is planning to use virtual server instances from a cloud provider for a short period of time. What term best describes the characteristic of Barry’s workload?

A. Quantum computing
B. Confidential computing
C. Ephemeral computing
D. Parallel computing

A

C. Ephemeral computing

Explanation:
Ephemeral computing means that you can create computing resources, such as servers and storage spaces, to solve a particular problem and then get rid of them as soon as you no longer need them.

38
Q

You are reviewing a service-level agreement (SLA) and find a provision that guarantees 99.99% uptime for a service you plan to use. What term best describes this type of provision?

A. Availability
B. Security
C. Privacy
D. Resiliency

A

A. Availability

Explanation:
This type of provision is best described as an availability commitment because the service provider is guaranteeing that the service will be available 99.9% of the time. It could also be described as a security provision because availability is a subset of security, but availability is the better answer in this case.

39
Q

Carlton is selecting a cloud environment for an application run by his organization. He needs an environment where he will have the most control over the application’s performance. What service category would be best suited for his needs?

A. SaaS
B. FaaS
C. IaaS
D. PaaS

A

C. IaaS

Explanation:
Users have the most control over environments hosted on an IaaS platform because they are able to manually adjust the resources assigned to the application.

40
Q

Gavin is looking for guidance on how his organization should approach the evaluation of cloud service providers. What ISO document can help him with this work?

A. ISO 27001
B. ISO 27701
C. ISO 27017
D. ISO 17789

A

C. ISO 27017

Explanation:
ISO 27017 provides guidance on the security controls that should be implemented by cloud service providers and would be useful to Gavin in evaluating such a provider. ISO 27001 is a general description of controls appropriate for a cybersecurity program.

ISO 27701 provides control guidance for privacy programs.

ISO 17789 provides a cloud reference architecture and does not offer specific security guidance.

41
Q

Ed has a question about the applicability of PCI DSS requirements to his organization’s credit card processing environment. What organization is the regulator in this case?

A. SEC
B. FDA
C. FTC
D. PCI SSC

A

D. PCI SSC

Explanation:
PCI DSS is overseen by the PCI SSC. This is not a responsibility of any of the others listed.

42
Q

Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What cloud service category includes this service?

A. SaaS
B. PaaS
C. IaaS
D. CaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

A

B. PaaS

Explanation:
Cloud computing systems where the customer only provides application code for execution on a vendor-supplied computing platform are examples of PaaS computing.

43
Q

Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?

A. Purchasing earthquake insurance
B. Relocating the datacenter to a safer area
C. Documenting the decision-making process
D. Reengineering the facility to withstand the shock of an earthquake

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

A

C. Documenting the decision-making process

Explanation:
In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk.

44
Q

Matthew is a data scientist looking to apply machine learning and artificial intelligence techniques in his organization. He is developing an application that will analyze a potential customer and develop an estimate of how likely it is that they will make a purchase. What type of analytic technique is he using?

A. Optimal analytics
B. Descriptive analytics
C. Prescriptive analytics
D. Predictive analytics

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

A

D. Predictive analytics

Explanation:
Predictive analytics seek to use our existing data to predict future events. In this case, Matthew is seeking to predict the likelihood that a customer will place an order, so he is performing predictive analytics.

45
Q

Which one of the following statements correctly describes resource pooling?

A. Resource pooling allows customers to add computing resources as needed.
B. Resource pooling allows the cloud provider to achieve economies of scale.
C. Resource pooling allows customers to remove computing resources as needed.
D. Resource pooling allows customers to provision resources without service provider interaction.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

A

B. Resource pooling allows the cloud provider to achieve economies of scale.

Explanation:
Resource pooling is the characteristic that allows the cloud provider to meet various demands from customers while remaining financially viable.
The cloud provider can make capital investments that greatly exceed what any single customer could provide on their own and apportion these resources as needed so that the resources are neither underutilized nor overtaxed.

46
Q

The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?

A. I
B. II
C. III
D. IV

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

A

A. I

Explanation:
The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I.

47
Q

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

A. Service-level agreement (SLA)
B. Operational-level agreement (OLA)
C. Memorandum of understanding (MOU)
D. Statement of work (SOW)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

A

A. Service-level agreement (SLA)

Explanation:
The SLA is between a service provider and the customer and documents in a formal manner expectations for availability, performance and other parameters

48
Q

Bianca is preparing for her organization’s move to a cloud computing environment. She is concerned that issues may arise during the change and would like to ensure that they can revert back to their on-premises environment in the case of a problem. What consideration is Bianca concerned about?

A. Reversibility
B. Portability
C. Regulatory
D. Resiliency

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

A

A. Reversibility

Explanation:
Bianca's concern in this situation is reversibility - the ability to back out the change if it does not go well.

49
Q

Which one of the following organizations is not known for producing cloud security guidance?

A. SANS Institute
B. FBI
C. Cloud Security Alliance
D. Microsoft

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

A

B. FBI

Explanation:
The FBI does not produce cloud security guidance documents.

50
Q

Vince is using a new cloud service provider and is charged for each CPU that he uses, every bit of data transferred over the network, and every GB of disk space allocated. What characteristic of cloud services does this describe?

A. Elasticity
B. On-demand self service
C. Scalability
D. Measured service

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

A

D. Measured service

Explanation:
Measured service means that almost everything you do in the cloud is metered. Cloud providers measure the number of seconds you use a virtual server, the amount of disk space you consume, the number of function calls you make, and many other measures.

51
Q

Who is responsible for performing scheduled maintenance of server operating systems in a PaaS environment?

A. The customer.
B. Both the customer and the service provider.
C. No operating system maintenance is necessary in a PaaS environment.
D. The service provider.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

A

D. The service provider.

Explanation:
Operating systems do exist in PaaS environments, but they are maintained by the service provider. The customer has no access to or ability to maintain the OS in a PaaS environment.

52
Q

When considering a move from a traditional on-premises environment to the cloud, organizations often calculate a return on investment. Which one of the following factors should you expect to contribute the most to this calculation?

A. Utility costs
B. Licensing fees
C. Security expenses
D. Executive compensation

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

A

A. Utility costs

Explanation:
Organizations moving from an on-premises datacenter to the cloud should expect to see a reduction in utility expenses due to the reduction in on-site equipment.

53
Q

Devon is using an IaaS environment and would like to provision storage that will be used as a disk attached to a server instance. What type of storage should he use?

A. Archival storage
B. Block storage
C. Object storage
D. Database storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

A

B. Block storage

Explanation:
Block storage is used to provide disk volumes and is the appropriate choice in this situation. Object storage is used to store individual files but cannot be mounted as a disk.

54
Q

During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?

A. Remove the key from the bucket.
B. Notify all customers that their data may have been exposed.
C. Request a new certificate using a new key.
D. Nothing, because the private key should be accessible for validation.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

A

C. Request a new certificate using a new key.

Explanation:
The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new key should be at the top of their list.

55
Q

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?

A. Tabletop exercise
B. Parallel test
C. Full interruption test
D. Checklist review

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

A

D. Checklist review

Explanation:
The checklist review is the least disruptive type of DR test. During a checklist review, team members each review the contents of the DR checklists on their own and suggest any necessary changes.

56
Q

Mark is considering replacing his organization’s customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor, and Mark’s company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

A. IaaS
B. CaaS
C. PaaS
D. SaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

A

D. SaaS

Explanation:
In a SaaS solution, the vendor manages both the physical infrastructure and the complete application stack, providing the customer with access to a fully managed application.

57
Q

Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?

A. They apply in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

A

C. They provide a good starting point that can be tailored to organizational needs.

Explanation:
Security baselines provide a starting point to scope and tailor security controls to your organization's needs.

58
Q

What approach to technology management integrates the three components of technology management shown in this illustration?

A. Agile
B. Lean
C. DevOps
D. ITIL

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

A

C. DevOps

Explanation:
The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a seamless approach that builds collaboration between the three disciplines.

59
Q

Stacey is configuring a PaaS service for use in her organization. She would like to get SSH access to the servers that will be executing her code and contacts the vendor to request this access. What response should she expect?

A. Immediate approval of the request.
B. Immediate denial of the request.
C. The vendor will likely request more information before granting the request.
D. The vendor will likely ask for executive-level approval of the request.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

A

B. Immediate denial of the request.

Explanation:
The vendor will immediately deny this request because customers should not have access to the underlying infrastructure in a PaaS environment.

60
Q

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?

A. Impact
B. RPO
C. MTO
D. Likelihood

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

A

D. Likelihood

Explanation:
Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.

61
Q

Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs?

A. OpenID Connect
B. SAML
C. RADIUS
D. Kerberos

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

A

A. OpenID Connect

Explanation:
OpenID Connect is an authentication layer that works with OAuth 2.0 as its underlying authorization framework. It has been widely adopted by cloud service providers and is widely supported.
SAML, RADIUS, and Kerberos are alternative authentication technologies but do not have the same level of seamless integration with OAuth.

62
Q

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?

A. Compliance with all laws and regulations
B. Handling information in the same manner the organization would
C. Elimination of all identified security risks
D. Compliance with the vendor’s own policies

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

A

B. Handling information in the same manner the organization would

Explanation:
The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor's security controls meet the organization's standards.

63
Q

Fran’s company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran’s company considering?

A. SaaS
B. IaaS
C. CaaS
D. PaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

A

A. SaaS

Explanation:
This is an example of a vendor offering a fully functional application as a web service. Therefore, it fits under the definition of SaaS.

64
Q

Carl is deploying a set of video sensors that will be placed in remote locations as part of a research project. Due to connectivity limitations, he would like to perform as much image processing and computation as possible on the device itself before sending results back to the cloud for further analysis. What computing model would best meet his needs?

A. Serverless computing
B. Edge computing
C. IaaS computing
D. SaaS computing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

A

B. Edge computing

Explanation:
In this case, most cloud service models would require transmitting most information back to the cloud. The edge computing service model would be far more appropriate, as it places computing power at the sensor, minimizing the data that must be sent back to the cloud over limited network connectivity.

65
Q

Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?

A. HTML
B. XACML
C. SAML
D. SPML

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

A

C. SAML

Explanation:
SAML is the best choice for providing authentication and authorization information, particularly for browser SSO. HTML is used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.

66
Q

Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario?

A. Maintaining the hypervisor
B. Managing operating system security settings
C. Maintaining the host firewall
D. Configuring server access control

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 15). Wiley. Kindle Edition.

A

A. Maintaining the hypervisor

Explanation:
In an IaaS server environment, the customer retains responsibility for most server security operations under the shared responsibility model; however, the vendor is responsible for all security mechanisms at the hypervisor layer and below.

67
Q

Nuno’s company is outsourcing its email system to a cloud service provider who will provide web-based email access to employees of Nuno’s company. What cloud service category is being used?

A. PaaS
B. IaaS
C. SaaS
D. FaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 15). Wiley. Kindle Edition.

A

C. SaaS

Explanation:
This is an example of providing a fully developed and hosted application to a customer, so it is an example of SaaS computing.

68
Q

What software development methodology is most closely linked to the DevSecOps approach?

A. Waterfall
B. Spiral
C. Agile
D. Modified waterfall

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 15). Wiley. Kindle Edition.

A

C. Agile

Explanation:
The DevOps and DevSecOps philosophies are closely linked to the Agile method of software development. The waterfall, modified waterfall, and spiral models are more traditional approaches that are not commonly used with DevOps and DevSecOps.

69
Q

Bailey is concerned that users around her organization are using a variety of cloud services and would like to enforce security policies consistently across those services. What security control would be best suited for her needs?

A. DRM
B. IPS
C. CASB
D. DLP

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 15). Wiley. Kindle Edition.

A

C. CASB

Explanation:
CASBs are designed to enforce security policies consistently across cloud services and would best meet these needs.

70
Q

Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger’s firm?

A. Configuring accessible network ports
B. Applying hypervisor updates
C. Patching operating systems
D. Wiping drives prior to disposal

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 15). Wiley. Kindle Edition.

A

C. Patching operating systems

Explanation:
In IaaS, the vendor is responsible for hardware- and network-related responsibilities, while the customer remains responsible for the operating system, including patching it.

71
Q

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other’s identity?

A. Public cloud
B. Private cloud
C. Community cloud
D. Shared cloud

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 16). Wiley. Kindle Edition.

A

A. Public cloud

Explanation:
In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the multitenancy model.

72
Q

Kristen wants to use multiple processing sites for her data, but does not want to pay for a full datacenter. Which of the following options would you recommend as her best option if she wants to be able to quickly migrate portions of her custom application environment to the facilities in multiple countries without having to wait to ship or acquire hardware?

A. A cloud PaaS vendor
B. A hosted datacenter provider
C. A cloud IaaS vendor
D. A datacenter vendor that provides rack, power, and remote hands services

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 16). Wiley. Kindle Edition.

A

C. A cloud IaaS vendor

Explanation:
A cloud IaaS vendor will allow Kristen to set up infrastructure as quickly as she can deploy and pay for it.

73
Q

Which one of the following statements about cloud networking is not correct?

A. Security groups are the equivalent of network firewall rules.
B. IaaS networking is not configurable.
C. PaaS and SaaS networking are managed by the cloud service provider.
D. Customers may connect to cloud service provider networks using a VPN.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 16). Wiley. Kindle Edition.

A

B. IaaS networking is not configurable.

Explanation:
IaaS networking is generally configurable by the end customer through the use of network security groups, bandwidth provisioning, and similar mechanisms.

74
Q

Darcy’s organization is deploying serverless computing technology to better meet the needs of developers and users. In a serverless model, who is normally responsible for configuring operating system security controls?

A. Software developer
B. Cybersecurity professional
C. Cloud architect
D. Vendor

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 16). Wiley. Kindle Edition.

A

D. Vendor

Explanation:
In a serverless computing model, the vendor does not expose details of the OS to its customers.

75
Q

What is the international standard that provides guidance for the creation of an organizational information security management system (ISMS)?

A. NIST SP 800-53
B. PCI DSS
C. ISO 27001
D. NIST SP 800-37

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 16). Wiley. Kindle Edition.

A

C. ISO 27001

Explanation:
ISO 27001 is an international standard for the creation of an information security management system.

76
Q

You are the security subject matter expert (SME) for an organization considering a transition from a traditional IT enterprise environment into a hosted cloud provider’s datacenter. One of the challenges you’re facing is whether your current applications in the on-premises environment will function properly with the provider’s hosted systems and tools. This is a(n) ________________ issue.

A. Interoperability
B. Portability
C. Stability
D. Security

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 17). Wiley. Kindle Edition.

A

A. Interoperability

Explanation:
This is the definition of cloud migration interoperability challenges.
Portability is the measure of how difficult it might be to move the organization's systems/data from a given cloud host to another cloud host.

77
Q

Mike is conducting a business impact assessment of his organization’s potential move to the cloud. He is concerned about the ability to shift workloads between cloud vendors as needs change. What term best describes Mike’s concern?

A. Resiliency
B. Regulatory
C. Reversibility
D. Portability

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 17). Wiley. Kindle Edition.

A

D. Portability

Explanation:
Mike's concern in this situation is portability - the capability to move workloads easily between environments.

78
Q

Which one of the following statements is correct?

A. Services that are scalable are also elastic.
B. There is no relationship between elasticity and scalability.
C. Services that are elastic are also scalable.
D. Services that are either elastic or scalable are both elastic and scalable.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 17). Wiley. Kindle Edition.

A

C. Services that are elastic are also scalable.

Explanation:
Elasticity refers to the ability of a system to dynamically grow and shrink based on the current level of demand. Scalability refers to the ability of a system to grow as demand increases but does not require the ability to shrink. Services that are elastic must also be scalable, but services that are scalable are not necessarily elastic.

79
Q

From a customer perspective, all of the following are benefits of infrastructure as a service (IaaS) cloud services except ____________.

A. Reduced cost of ownership
B. Reduced energy costs
C. Metered usage
D. Reduced overhead of administering the operating system (OS) in the cloud environment

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 17). Wiley. Kindle Edition.

A

D. Reduced overhead of administering the operating system (OS) in the cloud environment

Explanation:
In an IaaS configuration, the customer still has to maintain the OS, so option D is the only answer that is not a direct benefit for the cloud customer.

80
Q

Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, piece of data, and transaction that takes place on the cloud, why might that not be the optimum choice for an organization?

A. Key length variances don’t provide any actual additional security.
B. It would cause additional processing overhead and time delay.
C. It might result in vendor lockout.
D. The data subjects might be upset by this.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 17). Wiley. Kindle Edition.

A

B. It would cause additional processing overhead and time delay.

Explanation:
Encryption consumes processing power and time; as with all security controls, additional security means measurably less operational capability - there is always a trade-off between security and productivity.

81
Q

__________ is an example of due care, and ___________ is an example of due diligence.

A. Privacy data security policy; auditing the controls dictated by the privacy data security policy
B. The European Union General Data Protection Regulation (GDPR); the Gramm–Leach–Bliley Act (GLBA)
C. Locks on doors; turnstiles
D. Perimeter defenses; internal defenses

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 17-18). Wiley. Kindle Edition.

A

A. Privacy data security policy; auditing the controls dictated by the privacy data security policy

Explanation:
Due care is the minimal level of effort necessary to perform your duty to others; in cloud security, that is often the level of care the customer is required to demonstrate in order to protect its own data.

82
Q

Which one of the following is a critical component for confidential computing environments?

A. TEE
B. TPM
C. HSM
D. PKI

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 18). Wiley. Kindle Edition.

A

A. TEE

Explanation:
Confidential computing protects data in use by using a trusted execution environment (TEE).

83
Q

Which one of the following programs provides a general certification process for computing hardware that might be used in a government environment?

A. FedRAMP
B. NIST 800-53
C. Common Criteria
D. FIPS 140-2

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 18). Wiley. Kindle Edition.

A

C. Common Criteria

Explanation:
The Common Criteria provide a general certification process for computing hardware that might be used in government applications. FIPS 140-2 provides similar guidance but is specific to cryptographic modules and is not used for generalized hardware. NIST 800-53 provides security control guidance but is not a certification process. FedRAMP provides a certification process for cloud computing services but not for hardware.

84
Q

In a Lightweight Directory Access Protocol (LDAP) environment, each entry in a directory server is identified by a ______________.

A. Domain name (DN)
B. Distinguished name (DN)
C. Directory name (DN)
D. Default name (DN)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 18). Wiley. Kindle Edition.

A

B. Distinguished name (DN)

Explanation:
The distinguished name is the nomenclature for all entries in an LDAP environment.

85
Q

Which one of the following cloud building block technologies is best suited for storing data that is structured into related tables?

A. Storage
B. Networking
C. Databases
D. Virtualization

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 18). Wiley. Kindle Edition.

A

C. Databases

Explanation:
Databases are used to store information that is collected into related tables. Storage could also be used for this purpose, but it does not provide the table structure of a database, so it would not be the best solution.

86
Q

You are concerned about protecting sensitive data while it is stored in memory on a server. What emerging technology is designed to assist with this work?

A. Quantum computing
B. Confidential computing
C. Edge computing
D. Fog computing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 18). Wiley. Kindle Edition.

A

B. Confidential computing

Explanation:
Confidential computing is an emerging technology designed to support the protection of data that is actively stored in memory.

87
Q

Your organization has migrated into a platform as a service (PaaS) configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notifications in accordance with all applicable laws?

A. The network admin responsible
B. The cloud provider
C. The regulators overseeing your deployment
D. Your organization

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 19). Wiley. Kindle Edition.

A

D. Your organization

Explanation:
The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider might be liable for financial costs related to these responsibilities, but those damages can only be recovered long after the notifications have been made by the cloud customer.

88
Q

If an organization wants to retain the most control of their assets in the cloud, which service and deployment model combination should they choose?

A. Platform as a service (PaaS), community
B. Infrastructure as a service (IaaS), hybrid
C. Software as a service (SaaS), public
D. Infrastructure as a service (IaaS), private

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 19). Wiley. Kindle Edition.

A

D. Infrastructure as a service (IaaS), private

Explanation:
An IaaS service model allows an organization to retain the most control of their IT assets in the cloud; the cloud customer is responsible for the OS, the applications, and the data in the cloud. The private cloud model allows the organization to retain the greatest degree of governance control in the cloud.

89
Q

Henry’s company has deployed an extensive IoT infrastructure for building monitoring that includes environmental controls, occupancy sensors, and a variety of other sensors and controllers that help manage the building. Which of the following security concerns should Henry report as the most critical in his analysis of the IoT deployment?

A. There is a lack of local storage space for security logs, which is common to IoT devices.
B. The IoT devices may not have a separate administrative interface, allowing anybody on the same network to attempt to log in to them and making brute-force attacks possible.
C. The IoT devices may not support strong encryption for communications, exposing the log and sensor data to interception on the network.
D. The long-term support and patching model for the IoT devices may create security and operational risk for the organization.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 19). Wiley. Kindle Edition.

A

D. The long-term support and patching model for the IoT devices may create security and operational risk for the organization.

Explanation:
Henry’s biggest concern should be the long-term security and supportability of the IoT devices. As these devices are increasingly embedded in buildings and infrastructure, it is important to understand the support model and the security model. Both the lack of separate administrative access and the lack of strong encryption can be addressed by placing the IoT devices on a dedicated subnet or network that prevents other users from accessing the devices directly.

90
Q

In what cloud computing model does the customer build a cloud computing environment in their own datacenter or build an environment in another datacenter that is for the customer’s exclusive use?

A. Public cloud
B. Private cloud
C. Hybrid cloud
D. Shared cloud

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 19). Wiley. Kindle Edition.

A

B. Private cloud

Explanation:
In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not follow the shared tenancy model.

91
Q

What cloud computing component is most susceptible to an escape attack?

A. Hypervisor
B. Hardware security module
C. Trusted platform module
D. Database

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 19). Wiley. Kindle Edition.

A

A. Hypervisor

Explanation:
Hypervisors enforce isolation between virtual machines and are therefore most susceptible to escape attacks.

92
Q

Steve is concerned that users of his organization’s cloud environment may be sending sensitive information over HTTPS connections. What technology would best help him detect this activity?

A. Traffic inspection
B. Port blocking
C. Patching
D. Geofencing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 20). Wiley. Kindle Edition.

A

A. Traffic inspection

Explanation:
Traffic inspection technology would allow Steve to examine the content of encrypted HTTPS traffic and detect sensitive information. Port blocking may be used to stop HTTPS traffic entirely, but that would not detect a security violation. Patching and geofencing technologies would play no role in this scenario.

93
Q

Which one of the following disaster recovery approaches is generally the most cost-effective for an organization?

A. Hot site
B. Cloud site
C. Cold site
D. Warm site

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 20). Wiley. Kindle Edition.

A

B. Cloud site

Explanation:
Hot sites, cold sites and warm sites all require a significant investment in physical facilities. Hot sites and warm sites also require investments in hardware and/or software. Using the cloud provides a way to minimize costs by configuring but not activating resources until they are actually needed.

94
Q

An essential element of access management, ____________ is the practice of confirming that an individual is who they claim to be.

A. Authentication
B. Authorization
C. Nonrepudiation
D. Regression

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 20). Wiley. Kindle Edition.

A

A. Authentication

Explanation:
Authentication is verifying that the user is who they claim to be and assigning them an identity assertion (usually a user ID) based on that identity.

95
Q

Which one of the following cloud service categories places the most security responsibility with the cloud service provider?

A. SaaS
B. PaaS
C. FaaS
D. IaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 20). Wiley. Kindle Edition.

A

A. SaaS

Explanation:
SaaS models place the primary burden of security (and other administration) on the service provider.

96
Q

Alice and Bob are using a symmetric encryption algorithm to exchange sensitive information. How many total encryption keys are necessary for this communication?

A. 1
B. 2
C. 3
D. 4

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 20). Wiley. Kindle Edition.

A

A. 1

Explanation:
In a symmetric encryption algorithm, all data is encrypted and decrypted with the same shared secret key. This key is the only key required for the communication.

97
Q

Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority. When Mike receives Renee’s digital certificate, what key does he use to verify the authenticity of the certificate?

A. Renee’s public key
B. Renee’s private key
C. CA’s public key
D. CA’s private key

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 20-21). Wiley. Kindle Edition.

A

C. CA’s public key

Explanation:
When an individual receives a copy of a digital certificate, the person verifies the authenticity of that certificate by using the CA’s public key to validate the digital signature contained on the certificate.

98
Q

What computing technology, if fully developed, has the potential to undermine the security of modern encryption algorithms?

A. Confidential computing
B. Ephemeral computing
C. Quantum computing
D. Parallel computing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 21). Wiley. Kindle Edition.

A

C. Quantum computing

Explanation:
Quantum computing uses advanced particle physics to perform computing tasks in a revolutionary manner that might render modern encryption algorithms insecure.

99
Q

What is usually considered the difference between business continuity (BC) efforts and disaster recovery (DR) efforts?

A. BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO).
B. BC is for events caused by humans (like arson or theft), whereas DR is for natural disasters.
C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.
D. BC involves protecting human assets (personnel, staff, users), whereas DR is about protecting property (assets, data).

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 21). Wiley. Kindle Edition.

A

C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.

Explanation:
Technically, BC efforts are meant to ensure that critical business functions can continue during a disruptive event, and DR efforts are supposed to support the return to normal operations. However, in practice, the efforts often coincide, use the same plans/personnel, and have many of the same procedures.