CCSP Domain 1: Cloud Concepts, Architecture Mike Chappel 3rdEdition Flashcards

Question 1

Q

Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthews company. What cloud deployment model is being used?

A. Hybrid cloud
B. Public Cloud
C. Private cloud
D. Community Cloud

Answer

A

B. Public Cloud

Explanation:
The key to answering this questions is recognizing that the multi tenancy model involves many different customers accessing cloud resources hosted on shared hardware. That makes this a public cloud deployment, regardless of the fact that access to a particular server instance is limited to Matthews company. In a private cloud deployment, only Matthews company would have access to any resources hosted on the same physical hardware. This is not multi tenancy. There is no indication that Matthews organization is combining resources of public and private cloud computing, which would be a hybrid cloud, or that the resource use is limited to members of a particular group which would be a community cloud

Question 2

Q

Zeke is responsible for sanitizing a set of SSDs removed from servers in his organizations datacenter. The drives will be reused on a different project. Which of the following sanitization techniques would be most effective?

A. Cryptographic erasure
B. Physical destruction
C. Degaussing
D. Overwriting

Answer

A

A. Cryptographic erasure

Explanation:
A cryptographic erasure is a strong sanitization technique that involves encrypting the data with a strong encryption engine and then taking the keys generated in that process, encrypting them with a different encryption encryption engine, and destroying the resulting keys of the second round of encryption. This technique is effective on both magnetic and SSDs. Degaussing and overwriting are not effective on SSDs. Physical destruction would effectively sanitize the media but would prevent Zeke from reusing the drives

Question 3

Q

Tina would like to use technology that will allow her to bundle up workloads and easily move them between different operating systems. What technology would best meet this need?

A. Virtual machines
B. Serverless computing
C. Hypervisors
D. Containers

Answer

A

A. Virtual machines

Explanation:
Containers do not provide easy portability because they are dependent upon the host OS. Hypervisors are used to host virtual machines on a device, so that is another incorrect answer. Serverless computing is a PaaS model that allows customers to run their own code on the providers platform without provisioning servers, so that is also incorrect. Virtual machines are self contained and have their own internal OS, so it is possible to move them between different host OS

Question 4

Q

Under the cloud reference architecture, which one of the following activities is not generally part of the responsibilities of the customer?

A. Monitor services
B. Prepare systems
C. Perform business administration
D. Handle problem reports

Answer

A

B. Prepare systems

Explanation:
Under the cloud reference architecture, the activities of customers are to use cloud service, perform service trials, monitor services, administer service security, provide billing and usage reports, handle problem reports, administer tenancies, perform business administration, select and purchase service, and request audit reports. Preparing systems is one of the responsibilities of cloud service providers

Question 5

Q

Seth is helping his organization move their web server cluster to a cloud provider. The goal of this move is to provide the cluster with the ability to grow and shrink based on changing demand. What characteristic of cloud computing is Seth hoping to achieve?

A. Scalability
B. On Demand Self Service
C. Elasticity
D. Broad network access

Answer

A

C. Elasticity

Explanation:
The reality is that Seth will likely achieve all of these goals, but the most relevant one is elasticity. Elasticity refers to the ability of a system to dynamically grow and shrink based on the current level of demand. Scalability refers to the ability of a system to grow as demand increases but does not require the ability to shrink.

Question 6

Q

Sherry is deploying a zero trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?

A. User Identity
B. IP Address
C. Geolocation
D. Nature of requested access

Answer

A

B. IP Address

Explanation:
The defining characteristic of zero trust network architecture is that trust decisions are not based on network location, such as IP address. It is appropriate to use other characteristics such as a users identity, the nature of the requested access, and the users geographic (not network) location

Question 7

Q

Which one of the following hypervisor models is the most resistant to attack?

A. Type 1
B. Type 2
C. Type 3
D. Type 4

Answer

A

A. Type 1

Explanation:
If a cloud provider is able to choose between types of hypervisors, the bare metal (Type 1) hypervisor is preferable to the hypervisor that runs off the OS (type 2) because it will offer less attack surface. Type 3 and 4 hypervisors do not exists

Question 8

Q

Joe is using a virtual server instance running on a public cloud provider and would like to restrict the ports on that server accessible from the internet. What security control would best allow him to meet this need?

A. Geofencing
B. Traffic inspection
C. Network firewall
D. NSGs

Answer

A

D. NSGs

Explanation:
NSGs provide functionality equivalent to network firewalls for cloud hosted server instances. They allow the restriction of traffic that may reach a server instance. Joe would not be able to modify the network firewall rules because those are only available to the cloud provider.
Geofencing would restrict the geographic locations from which users may access the servers, which is not Joes requirement.
Traffic inspection may be used to examine the traffic reaching the instance but is not normally used to create port based restrictions

Question 9

Q

Which of the following cybersecurity threats is least likely to directly affect an object storage service?

A. Disk failure
B. User error
C. Ransomware
D. Virus

Answer

A

D. Virus

Explanation:
Object storage services are susceptible to disk failures and user error that may unintentionally destroy or modify data. They are also vulnerable to ransomware attacks that infect systems with access to the object store and then encrypt data stored on the service. They are unlikely to be affected by traditional viruses because they do not have a runtime environment

Question 10

Q

Vince would like to be immediately alerted whenever a user with access to a sensitive cloud service leaves a defined physical area. What type of security control should he implement?

A. Intrusion prevention system
B. Geofencing
C. Firewall Rule
D. Geotagging

Answer

A

B. Geofencing

Explanation:
Geofencing may be used to trigger actions, such as an alert, when a user or device leaves a defined geographic area. Firewalls and intrusion prevention systems may incorporate geographic information into their decision making processes but would not provide the immediate notification that Vince desires. Geotagging simply annotates log records or other data with the geographic location of the user performing an action but does not directly provide alerting based on geographic location

Question 11

Q

Which of the following characteristics is not a component of the standard definition of cloud computing?

A. Broad network access
B. Rapid provisioning
C. Multitenancy
D. On Demand Self Service

Answer

A

C. Multitenancy

Explanation:
Cloud computing is a model for enabling ubiquitous, convenient on demand network access to a shared pool of configurable computing resources (ie networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition does not include multitenancy, which is a characteristic of public cloud computing but not all cloud computing models

Question 12

Q

Which one of the following sources providers a set of vendor neutral design patterns for cloud security?

A. Cloud Security Alliance
B. AWS
C. Microsoft
D. ICS^2

Answer

A

A. Cloud Security Alliance

Explanation:
CSA provides an enterprise architecture reference guide that offers vendor netural design patterns for cloud security. AWS and Microsoft do provide cloud patterns but they are specific to the service offerings of those vendors.

Question 13

Q

Lori is using an API to access sensitive information stored in a cloud service. What cloud secure data lifecycle activity is Lori engage in?

A. Store
B. Use
C. Destroy
D. Create

Answer

A

B. Use

Explanation:
The use of an API is an example of accessing data programmatically during the Use phase of the lifecycle. If Lori were simply placing data into a cloud service or maintaining data there, that would be an example of the Store phase. Lori is not creating or destroying data; she is simply using the data that is already stored in the cloud service

Question 14

Q

Helen would like to provision a disk volume in the cloud that is mountable from a server. What cloud capability does she want?

A. Virtualized server
B. Object storage
C. Network capacity
D. Block storage

Answer

A

D. Block storage

Explanation:
This is an example of block storage, storage that is available as disk volumes. Object storage maintains files in buckets. Virtualized servers are compute capabilities, not storage capabilities. Network capacity is used to connect servers to each other and the internet and is not used for the storage of data

Question 15

Q

Ben is using the sudo command to carry out operations on a Linux server. What type of access is he using?

A. Service access
B. Unauthorized access
C. User access
D. Privileged Access

Answer

A

D. Privileged Access

Explanation:
The sudo command allows a normal user account to execute administrative commands and is an example of privileged access, not standard user access. There is no indication in the scenario that Ben lacks proper authorization for this access. Service access is the access to resources by system services, rather than individual people

Question 16

Q

Which one of the cryptographic goals protects against the risks posed when a device is lost or stolen?

A. Nonrepudiation
B. Authentication
C. Integrity
D. Confidentiality

Answer

A

D. Confidentiality

Explanation:
The greatest risk when a device is lost or stolen is that sensitive data contained on the device will fall into the wrong hands. Confidentiality protects against the risk. Nonrepudiation is when the recipient of a message can prove the originators identity to a third party. Authentication is a means of proving ones identity. Integrity demonstrates that information has not been modified since transmission

Question 17

Q

What type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?

A. Quantitative
B. Qualitative
C. Annualized Loss Expectancy
D. Single Loss Expectancy

Answer

A

B. Qualitative

Explanation:
Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale and reputation. Quantitative tools, such as the computation of annualized loss expectancies and single loss expectancies, are only appropriate for easily quantifiable risks

Question 18

Q

Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

A. It has been functionally
B. It has been structurally tested
C. It has been formally verified, designed and tested
D. It has been semi formally designed and tested

Answer

A

B. It has been structurally tested

Explanation:
EAL2 assurance applies when the system been structurally tested. It is the second to lowest level of assurance under the Common Criteria

Question 19

Q

Jake would like to use a third party platform to automatically move workloads between cloud service providers. What type of tool would best meet this need?

A. Cloud access service
B. Database
C. Virtualization
D. Orchestration

Answer

A

D. Orchestration

Explanation:
Orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers. Virtualization platforms allow a cloud provider to host virtual server instance, but they do not provide the ability to migrate workloads between different providers. Databases are a cloud service offering that allows for the organized storage of relational data. Cloud access service brokers (CASBs) allow for the consistent enforcement of security policies across cloud providers

Question 20

Q

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his action?

A. HIPAA
B. PCI DSS
C. SOX
D. GLBA

Answer

A

B. PCI DSS

Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing and transmission of credit card information. HIPAA governs protected health information. The SOX Act regulates the funancial reporting of publicy traded corporations. The Gramm-Leach Billey Act (GLBA) protects personal financial information

Question 21

Q

What type of effort attempts to bring all of an organizations cloud activities under more centralized control?

A. Cloud access service broker
B. Cloud orchestration
C. Cloud governance
D. Cloud migration

Answer

A

C. Cloud governance

Explanation:
Cloud governane programs try to bring all of an organizations cloud activities under more centralized control. They server as a screening body helping to ensure that cloud services user by the organization meet technical, function and security requirements. They also provide a centralized point of monitoring for duplicative services, preventing different business units from spending money on similar services, preventing different business units from spending money on similar services when consolidation would reduce both costs and the complexity of the operating environment. Cloud orchestration tools are designed to manage workloads and seamlessly shift them between cloud service providers.

Question 22

Q

Chris is designing a cryptographic system for use within his company. The company has 1000 employees, and they plan to use an asymmetric encryption system. They would like the system to be set up so that any pair of arbitrary users may communication privately. How many total keys will they need?

A. 500
B. 1000
C. 2000
D. 4950

Answer

A

C. 2000

Explanation:
A symmetric cryptosystems use a pair of keys for each user. In this case, with 1000 users, the system will require 2000 keys

Question 23

Q

Erin is concerned about the risk that a cloud provider user by her organization will fail, so she is creating a strategy that will combine resources from multiple public cloud providers. What term best describes this strategy?

A. Community Cloud
B. Multicloud
C. Private Cloud
D. Hybrid cloud

Answer

A

B. Multicloud

Explanation:
The use of multiple public cloud providers to achieve diversity is known as a multicloud strategy. That is the scenario that Eric is creating. Community clouds are shared cloud resources open to members of an affinity group. Private cloud resources are limited to the use of a single organization. Hybrid

Question 24

Q

Which one of the following would normally be considered an application capability of a cloud service provider?

A. Network capacity
B. Hosted email
C. Block storage
D. Serverless computing

Answer

A

B. Hosted email

Explanation:
Email is an application level service that is offered by cloud providers as a SaaS capability. Block storage and network capacity are IaaS offerings and are infrastructure capabilities. Serverless computing is a PaaS offering and is a platform capability

Question 25

Q

What activity are cloud providers able to engage in because not all users will access the full capacitry of their service offering simultaneously?

A. Oversubscription
B. Overprovisioning
C. Underprovisioning
D. Undersubscription

Answer

A

A. Oversubscription

Explanation:
Oversubscrpition means that cloud providers can sell customers a total capacity that exceed the actual physical capacity of their infrastructure, because in the big picture, customers will never use all of that capacity simultaneously. Undersubscription would be when a cloud provider does not sell all of their available capacity and this would not require that users not access services simultaneously. Overprovisioning occurs when a customer (not a service provider) purchases more capacity than they need. Similarly, underprovisioning occurs when a customer does not purchase enough capacity to meet their needs

Question 26

Q

Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own datancenter but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?

A. Public cloud
B. Dedicated cloud
C. Private cloud
D. Hybrid cloud

Answer

A

D. Hybrid cloud

Explanation:
The scenario describes a mix of public cloud and private cloud services. This is an example of a hybrid cloud environment

Question 27

Q

In an IaaS environment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service?

A. Customers security team
B. Customers storage team
C. Customers vendor management team
D. Vendor

Answer

A

D. Vendor

Explanation:
In an IaaS environment, security duties follow a shared responsibility model. Since the vendor is responsible for managing the storage hardware, the vendor would retain responsibility for destroying or wiping drives as they are taken out of service. However, it is still the customers responsibility to validate that the vendors sanitization procedures meet their requirements prior to utilizing the vendors storage services

Question 28

Q

Lucca is reviewing his organizations disaster recovery process data and notes that the MTD for the business’s main website is two hours. What does he know about the RTO for the site when he does testing and validation?

A. It needs to be less than two hours
B. It needs to be at least two hours
C. The MTD is too short and needs to be longer
D. The RTO is too short and needs to be longer

Answer

A

A. It needs to be less than two hours

Explanation:
When Lucca reviews the recovery time objective (RTO) data, he needs to ensure that the organization can recover from an outage in less than two hours based on the maximum tolerable downtime (MTD) of two hours

Question 29

Q

Alice and Bob woud like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

When Bob receives an encrypted message from Alien, what key does he use to decrypt the plaintext messages contents?

A. Alice’s public key
B. Alice’s private key
C. Bob’s public key
D. Bobs private key

Answer

A

D. Bobs private key

Explanation:
The recipient of a message that was encrypted using asymmetric cryptography always decrypts that message using their own private key. The sender of the message previously encrypted it using the recipients public key. The senders public and private keys are not used in this process

Question 30

Q

Jen works for an organization that assist other companies in moving their operations from on premises datacenters to the cloud. Jen’s company does not operate their own cloud services but assists in the use of services offered by other organizations. What term best describes the role of Jen’s company?

A. Cloud service customer
B. Cloud service partner
C. Cloud service provider
D. Cloud Service broker

Answer

A

B. Cloud service partner

Explanation:
Jens organization is a cloud service partner - an organization that helps cloud service customers use the services offered by cloud service providers. In this case, Jebs clients are cloud service customers and they are moving to services offered by cloud service providers. Cloud service brokers and cloud service providers who offer a managed identity and access management service to cloud customers that integrates security requirements across cloud services

Question 31

Q

Carla is selecting a hardware security module (HSM) for use by her organization. She is employed by an agency of the US federal government and must ensure that the technology she chooses meets applicable federal standards for cryptographic systems. What publication would best help her determine these requirements?

A. NIST 800-53
B. NIST 800-171
C. Common Criteria
D. FIPS 140-2

Answer

A

D. FIPS 140-2

Explanation:
NIST 800-53 provides general cybersecurity standards for federal agencies, whereas NIST 800-171 applies specifically to the use of controlled unclassified information (CUI). The Common Criteria (CC) provide a certification process for hardware and software products. However, the most relevant standard are FIPS 140-2, the security requirements for cryptographic modules. THis guidance is specific to the cryptographic requirements of systems such as HSMs and would have the most directly relevant guidance

Question 32

Q

Ryan is reviewing the design of a new service that will use several offerings from a cloud service provider. The design depends on some unique features offered only by that provider. What should concern Ryan the most about the fact that these service features are not available from other providers?

A. Vendor lock-in
B. Interoperability
C. Auditability
D. Confidentiality

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 7). Wiley. Kindle Edition.

Answer

A

A. Vendor lock-in

Explanation:
The grestest risk in the situation is that the service offering will depend on features provided only by a single vendor, preventing Ryans organization from moving to a different vendor and locking them into their current provider. Interoperability is the concern that services should be able to integrate and work well together. There is no indication that interoperability is at risk in this scenario. There is also no inidcation that the use of this vendor creates any special auditability or confidentiality concerns

Question 33

Q

Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

A. It has been functionally tested.
B.It has been methodically tested and checked.
C. It has been methodically designed, tested, and reviewed.
D . It has been formally verified, designed, and tested.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

D . It has been formally verified, designed, and tested.

Explanation:
EAL7 is the highest level of assurance under the Common Criteria. It applies when a system has been formally verified, designed and tested

Question 34

Q

Which one of the following technologies provides the capability of creating a distributed, immutable ledger?

A. Quantum computing
B. Blockchain
C. Edge computing
D. Confidential computing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

B. Blockchain

Explanation:
The blockchain is technology that uses cryptography to create a distributed immutable ledger. It is the technical foundation behind cryptocurrency and many other applications

Question 35

Q

Which one of the following systems assurance processes provides an independent third-party evaluation of a system’s controls that may be trusted by many different organizations?

A. Planning
B. Definition
C. Verification
D. Accreditation

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

C. Verification

Explanation:
The veridication process is similar to the certification process in that it validates controls. Verification may go a step further by involving a third party testing service and compiling results that may be trusted by many different organizations.

Accreditation is the act of management formally accepting an evaluating system, not evaluating the system itself.

Question 36

Q

Which one of the following would be considered an example of infrastructure as a service cloud computing?

A. Payroll system managed by a vendor and delivered over the web
B. Application platform managed by a vendor that runs customer code
C. Servers provisioned by customers on a vendor-managed virtualization platform
D. Web-based email service provided by a vendor

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

C. Servers provisioned by customers on a vendor-managed virtualization platform

Explanation:
One of the core capabilities of IaaS is providing servers on a vendor managed virtualization platform.

Question 37

Q

Which of the following is not a factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

D. Branding associated with which cloud provider might be selected

Explanation:
The brnad associated with the cloud provider should not influence the cost benefit analysis; the cloud providers brand ( and even which cloud provider an organizes uses) will most likely not even be known to the consumers who have a business relationship with the organization

Question 38

Q

Barry has a temporary need for massive computing power and is planning to use virtual server instances from a cloud provider for a short period of time. What term best describes the characteristic of Barry’s workload?

A. Quantum computing
B. Confidential computing
C. Ephemeral computing
D. Parallel computing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 8). Wiley. Kindle Edition.

Answer

A

C. Ephemeral computing

Explanation:
Ephemeral computing means that you can create computing resources, such as servers and storage spaces, to solve a particular problem then get rid of them as soon you no longer need them.

Question 39

Q

You are reviewing a service-level agreement (SLA) and find a provision that guarantees 99.99% uptime for a service you plan to use. What term best describes this type of provision?

A. Availability
B. Security
C. Privacy
D. Resiliency

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

A. Availability

Explanation:
This type of provision is best described as an availability commitment because the service provider is guaranteeing that the service will be available 99.9% of the time. It could also be described as a security provision because availability is a subset of security, but availability is the better answer in this case.

Question 40

Q

Carlton is selecting a cloud environment for an application run by his organization. He needs an environment where he will have the most control over the application’s performance. What service category would be best suited for his needs?

A. SaaS
B. FaaS
C. IaaS
D. PaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

C. IaaS

Explanation:
Users have the most control over environment hosted on an IaaS platform because they are able to manually adjust the resources assigned to the application

Question 41

Q

Gavin is looking for guidance on how his organization should approach the evaluation of cloud service providers. What ISO document can help him with this work?

A. ISO 27001
B. ISO 27701
C. ISO 27017
D. ISO 17789

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

C. ISO 27017

Explanation:
ISO 27017 provides guidance on the security controls that should be implemented by cloud service providers and would be useful to Gavin in evaluating such as a provider. ISO 27001 is general description of controls appropriate for a cybersecurity program

ISO 27701 provides control guidance for privacy programs

ISO 17789 providers provides a cloud reference architecture and does not offer specific security guidance

Question 42

Q

Ed has a question about the applicability of PCI DSS requirements to his organization’s credit card processing environment. What organization is the regulator in this case?

A. SEC
B. FDA
C. FTC
D. PCI SSC

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

D. PCI SSC

Explanation:
PCI DSS is overseen by the PCI SSC. This is not a responsibility of any other the others listed.

Question 43

Q

Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What cloud service category includes this service?

A. SaaS
B. PaaS
C. IaaS
D. CaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

B. PaaS

Explanation:
Cloud computing systems where the customer only provides application code for execution on a vendor supplied computing platform are examples of PaaS computing

Question 44

Q

Gordon is developing a business continuity plan for a manufacturing company’s IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?

A. Purchasing earthquake insurance
B. Relocating the datacenter to a safer area
C. Documenting the decision-making process
D. Reengineering the facility to withstand the shock of an earthquake

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 9). Wiley. Kindle Edition.

Answer

A

C. Documenting the decision-making process

Explanation:
In a risk acceptance strategy, the organization chooses to take no action other than documenting the risk.

Question 45

Q

Matthew is a data scientist looking to apply machine learning and artificial intelligence techniques in his organization. He is developing an application that will analyze a potential customer and develop an estimate of how likely it is that they will make a purchase. What type of analytic technique is he using?

A. Optimal analytics
B. Descriptive analytics
C. Prescriptive analytics
D. Predictive analytics

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

D. Predictive analytics

Explanation:
Predictive analytics seek to use our existing data to predict future events. In this case, Matthew is seeking to predict the likelihood that a customer will place an order, so he is performing predictive analytics.

Question 46

Q

Which one of the following statements correctly describes resource pooling?

A. Resource pooling allows customers to add computing resources as needed. B. Resource pooling allows the cloud provider to achieve economies of scale.
C. Resource pooling allows customers to remove computing resources as needed.
D. Resource pooling allows customers to provision resources without service provider interaction.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

B. Resource pooling allows the cloud provider to achieve economies of scale.

Explanation:
Resource pooling is the characteristics that allows the cloud provider to meet various demands from customers while remaining financially viable.
The cloud provider can make capital investments that greatly exceed what any single customer could provide on their own and apportion these resources as needed so that the resources are not underutilized or overtaxed

Question 47

Q

The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?

A. I
B. II
C. III
D. IV

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

A. I

Explanation:
The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I.

Question 48

Q

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

A. Service-level agreement (SLA)
B. Operational-level agreement (OLA)
C. Memorandum of understanding (MOU)
D. Statement of work (SOW)

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 10). Wiley. Kindle Edition.

Answer

A

A. Service-level agreement (SLA)

Explanation:
The SLA is between a service provider and the customer and documents in a formal manner expectations for availability, performance and other parameters

Question 49

Q

Bianca is preparing for her organization’s move to a cloud computing environment. She is concerned that issues may arise during the change and would like to ensure that they can revert back to their on-premises environment in the case of a problem. What consideration is Bianca concerned about?

A. Reversibility
B. Portability
C. Regulatory
D. Resiliency

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

A. Reversibility

Explanation:
Biancas concern in this situation is reversibility - the ability to back out the change if it does not go well.

Question 50

Q

Which one of the following organizations is not known for producing cloud security guidance?

A. SANS Institute
B. FBI
C. Cloud Security Alliance
D. Microsoft

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

B. FBI

Explanation:
The FBI does not produce cloud security guidance documents.

Question 51

Q

Vince is using a new cloud service provider and is charged for each CPU that he uses, every bit of data transferred over the network, and every GB of disk space allocated. What characteristic of cloud services does this describe?

A. Elasticity
B. On-demand self service
C. Scalability
D. Measured service

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

D. Measured service

Explanation:
Measured service means that almost everything you do in the cloud is metered. Cloud providers measure the number of seconds you use a virtual server, the mount of disk space you consumer, the number of function calls you make and many other measures

Question 52

Q

Who is responsible for performing scheduled maintenance of server operating systems in a PaaS environment?

A. The customer.
B. Both the customer and the service provider.
C. No operating system maintenance is necessary in a PaaS environment.
D. The service provider.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

D. The service provider.

Explanation:
OS do not exist in PaaS environments where they are maintained by the service provider. The customer has no access to or ability to maintain the OS in a PaaS environment

Question 53

Q

When considering a move from a traditional on-premises environment to the cloud, organizations often calculate a return on investment. Which one of the following factors should you expect to contribute the most to this calculation?

A. Utility costs
B. Licensing fees
C. Security expenses
D. Executive compensation

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 11). Wiley. Kindle Edition.

Answer

A

A. Utility costs

Explanation:
Organizations moving from an on premises datacenter to the cloud should expect to see a reduction in utiliter expenses due to the reduction in on site equipment

Question 54

Q

Devon is using an IaaS environment and would like to provision storage that will be used as a disk attached to a server instance. What type of storage should he use?

A. Archival storage
B. Block storage
C. Object storage
D. Database storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

B. Block storage

Explanation:
Block storage is used to provide disk volumes and is the appropriate choice in this situation. Object storage is used to store individual files but cannot be mounted as a disk.

Question 55

Q

During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?

A. Remove the key from the bucket.
B. Notify all customers that their data may have been exposed.
C. Request a new certificate using a new key.
D. Nothing, because the private key should be accessible for validation.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

C. Request a new certificate using a new key.

Explanation:
The first thing Casey should do is notify her management, but after that, replacing the cert and using proper key management practices with the new vert key should be at the top of their list

Question 56

Q

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?

A. Tabletop exercise
B. Parallel test
C. Full interruption test
D, Checklist review

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

D, Checklist review

Explanation:
The checklist review is the least disruptive type of DR test. During a checklist review, team members each review the contents of the DR checklists on their own and suggest any necessary changes

Question 57

Q

Mark is considering replacing his organization’s customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor, and Mark’s company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

A. IaaS
B. CaaS
C. PaaS
D. SaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

D. SaaS

Explanation:
In a SaaS Solution, the vendor manages both the physical infrastructure and the complete application stack, providing the customer with access to a fully managed application

Question 58

Q

Ben has been tasked with identifying security controls for systems covered by his organization’s information classification system. Why might Ben choose to use a security baseline?

A. They apply in all circumstances, allowing consistent security controls.
B. They are approved by industry standards bodies, preventing liability.
C. They provide a good starting point that can be tailored to organizational needs.
D. They ensure that systems are always in a secure state.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 12). Wiley. Kindle Edition.

Answer

A

C. They provide a good starting point that can be tailored to organizational needs.

Explanation:
Security baselines provide a starting point to scope and tailor security controls to your organizations needs.

Question 59

Q

What approach to technology management integrates the three components of technology management shown in this illustration?

A. Agile
B. Lean
C. DevOps
D. ITIL

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

Answer

A

C. DevOps

Explanation:
The DevOps approach to technology management seeks to integrate software development, operations, and quality assurance in a seamless approach that builds collaboration between the three disciplines

Question 60

Q

Stacey is configuring a PaaS service for use in her organization. She would like to get SSH access to the servers that will be executing her code and contacts the vendor to request this access. What response should she expect?

A. Immediate approval of the request.
B. Immediate denial of the request.
C. The vendor will likely request more information before granting the request. D. The vendor will likely ask for executive-level approval of the request.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

Answer

A

B. Immediate denial of the request.

Explanation:
The vendor will immediately deny this request because customers should not have access to underlying infrastructure in a PaaS environment

Question 61

Q

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?

A. Impact
B. RPO
C. MTO
D. Likelihood

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 13). Wiley. Kindle Edition.

Answer

A

D. Likelihood

Explanation:
Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.

Question 62

Q

Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs?

A. OpenID Connect
B. SAML
C. RADIUS
D. Kerberos

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

Answer

A

A. OpenID Connect

Explanation:
OpenID conect is an authentication layer that works with OAuth 2.0 as its underlying authorization framework. It has been widely adopted by cloud service providers and is widely supported.
SAML, RADIUS, and Kerberos are alternative authentication technologies but do not have the same level of seamless integration with OAuth

Question 63

Q

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?

A. Compliance with all laws and regulations
B. Handling information in the same manner the organization would
C. Elimination of all identified security risks
D. Compliance with the vendor’s own policies

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

Answer

A

B. Handling information in the same manner the organization would

Explanation:
The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendors security controls meet the organizations standards.

Question 64

Q

Fran’s company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran’s company considering?

A. SaaS
B. IaaS
C. CaaS
D. PaaS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 14). Wiley. Kindle Edition.

Answer

A

A. SaaS

Explanation:
This is an example of a vendor offering a fully functional application as a webservice service. Therefore, it fits under the definition of SaaS

Answer 65

A

B. Edge computing

Explanation:
In this case, most cloud service models would require transmitting most information back to the cloud. The edge computing service model would be far more appropriate, as it places computing power at the sensor, minimizing the data that must be sent back to the cloud over limited network connectivity

Answer 66

A

C. SAML

Explanation:
SAML is the best choice for providing authenitcation and authorization information, particularly for browser SSO. HTML is used for webpages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup

Answer 67

A

A. Maintaining the hypervisor

Explanation:
In an IaaS server environment, the customer retain responsibility for most server security operations under the shared responsibility model however the vendor would be responsible for all security mechanisms at the hypervisor layer and below

Answer 68

A

C. SaaS

Explanation:
This is an example of providing a fully developed and hosted application to a customer, so it is an example of SaaS computing

Answer 69

A

C. Agile

Explanation:
The DevOps and DevSecOps philosophies are closely linked to the Agile method of software development. The waterfall, modified waterfall and spiral models are more traditional approaches that are not commonly used with DevOps and DevSecOps

Answer 70

A

C. CASB

Explanation:
CASBs are designed to enforce security policies consistently across cloud services and would best meet these needs

Answer 71

A

C. Patching operating systems

Explanation:
In IaaS, the vendor is responsible for hardware and network relates responsibilities.

Answer 72

A

A. Public cloud

Explanation:
In the public cloud computing model, the vendor builds a single platform that is shared among many different customers. This is also known as the multitenancy model

Answer 73

A

C. A cloud IaaS vendor

Explanation:
A cloud IaaS vendor will allow Kristen to set up infrastructure as quickly as she can deploy and pay for it

Answer 74

A

B. IaaS networking is not configurable.

Explanation:
IaaS network is generally configurable by the end customer through the use of network security groups, bandwidth provisioning and similar mechanisms

Answer 75

A

D. Vendor

Explanation:
In a serverless computing model, the vendor does not expose details of the OS to its customers

Answer 76

A

C. ISO 27001

Explanation:
ISO 27001 is an international standard for the creation of an information security management system

Answer 77

A

A. Interoperability

Explanation:
This is the definition of cloud migration interoperability challenges
Portability is the measure of how difficult it might be to move the organizations systems/data from a given cloud host to another cloud host

Answer 78

A

D. Portability

Explanation:
Mike concern’s in this situation is portability - the capability to move workloads easily between environments.

Answer 79

A

C. Services that are elastic are also scalable.

Explanation:
Elasticity refers to the ability of a system to dynamically grow and shrink based on the current level of demand. Scalability refers to the ability of a system to grow as demand increases but does not require the ability to shrink. Services that are elastic must also be scalable, but services that are not scalable are not necessarily elastic

Answer 80

A

D. Reduced overhead of administering the operating system (OS) in the cloud environment

Explanation:
In an IaaS configuration, the customer still has to maintain the OS, so option D is the only answer that is not a direct benefit for the cloud customer

Answer 81

A

B. It would cause additional processing overhead and time delay.

Explanation:
Encryption consumes processing power and time; as with all security controls, additional security means measurably less operational capability - there is always a trade off between security and productivity

Answer 82

A

A. Privacy data security policy; auditing the controls dictated by the privacy data security policy

Explanation:
Due care is the minimal level of effort necessary to perform your duty to others; in cloud security; that is often the care that the customer is required to demonstrate in order to protect the data on its own

Answer 83

A

A. TEE

Explanation:
Confidential computing protects data in use by using a trusted execution environment (TEE).

Answer 84

A

C. Common Criteria

Explanation:
The Common Criteria provide a general certification process for computing hardware that might be used in government applications. FIPS 140-2 provides similar guidance but is specific to cryptographic modules and is not used for generalized hardware. NIST 800-53 provides security control guidance but is not a certification process. FedRAMP provides a certification process for cloud computing services but not for hardware

Answer 85

A

B. Distinguished name (DN)

Explanation:
The distinguished name is is the nomenclature for all entries in an LDAP environment

Answer 86

A

C. Databases

Explanation:
Databases are used to store information that is collected into related tables. Storage could also be used for this purpose, but it does not provide the table structure of a database, so it would not be the best solution

Answer 87

A

B. Confidential computing

Explanation:
Confidential computing is an emerging technology designed to support the protection of data that is actively stored in memory

Answer 88

A

D. Your organization

Explanation:
The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider might be liable for financial costs related to these responsibilities, but those damages can only be recovered long after the notifications have been made by the cloud customer

Answer 89

A

D. Infrastructure as a service (IaaS), private

Explanation:
An IaaS service model allows an organization to retain the most control of their IT assets in the cloud; the cloud customer is responsible for the OS, the applications and the data in the cloud. The private cloud model allows the organization to retain the greatest degree of governance control in the cloud

Answer 90

A

D. The long-term support and patching model for the IoT devices may create security and operational risk for the organization.

Explanation:
Henry’s biggest concern should be the long term security and supportability of the IoT devices. As these devices are increasingly embedded in buildings and infrastructure, it is important to understand the support model and the security model. Both the lack of separate administrative access and the lack of strong encryption can be addressed by placing the IoT devices on a dedicated subnet or network that prevents other users from accessing the devices directly.

Answer 91

A

B. Private cloud

Explanation:
In the private cloud computing model, the cloud computing environment is dedicated to a single organization and does not followed the shared tenancy model

Answer 92

A

A. Hypervisor

Explanation:
Hypervisors enforce isolation between virtual machines and are therefore most susceptible to escape attacks

Answer 93

A

A. Traffic inspection

Explanation:
Traffic inspection technology would allow Steve to examine the content of encrypted HTTPS traffic and detect sensitive information. Port blocking may be used to stop HTTPS traffic entirely, but that would not detect a security violation. Patching and geofencing technologies would play no roles in this scenario

Answer 94

A

B. Cloud site

Explanation:
Hot sites, cold sites and warm sites all require a significant investment in physical facilities. Hot sites and warm sites also require investments in hardware and/or software. Using the cloud provides a way to minimize costs by configuring but not activating resources until they are actually needed.

Answer 95

A

A. Authentication

Explanation:
Authentication is verifying that the user is who they claim to be and assigning them an identity assetion (usually a user ID) based on that identity

Answer 96

A

A. SaaS

Explanation:
SaaS models place the primary burden of security (and other administration) on the service provider

Answer 97

A

A. 1

Explanation:
In a symmetric encryption algorithm, all data is encrypted and decrypted with the same shared secret key. This key is the only key required for the communication

Answer 98

A

C. CA’s public key

Explanation:
When an individual receives a copy of a digital certificate, the person verifies the authenticity of that certificate by using the CA’s public key to validate the digital signature contained on the cert

Answer 99

A

C. Quantum computing

Explanation:
Quantum computing uses advanced particle physics to perform computing tasks in a revolutionary manner that might render modern encryption algorithms insecure

Answer 100

A

C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.

Explanation:
Technically, BC efforts are meant to ensure that critical business functions can continue during a disuprtive event, and DR efforts are supposed to support the return of normal operations. However, in practice, the efforts often coincide, use the same plans/personnel and have many of the same procedures