CCSP Domain 2: Architecture and Design

Question 1

An email is an example of what type of data?

A. Structured data
B. Semi-structured data
C. RFC-defined data
D. Unstructured data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 24). Wiley. Kindle Edition.

Answer 1

D. Unstructured data

Explanation:
Emails and other freeform text are examples of unstructured data. Structured data like the data found in databases is carefully defined, whereas semi structured data like XML or JSON applies structure without being tightly controlled. While email itself is defined by an RFC, the term RFC defined data is not used in this context

Question 2

Nick wants to ensure that data is properly handled once it is classified. He knows that data labeling is important to the process and will help his data loss prevention tool in its job of preventing data leakage and exposure. When should data be labeled in his data lifecycle?

A. Creation
B. Storage
C. Use
D. Destruction

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 24). Wiley. Kindle Edition.

Answer 2

A. Creation

Explanation:
Data labeling typically occurs during the Creation phase of the data lifecycle. Data labels may also be changed or added during use as data is modified.

Question 3

Jacinda is planning to deploy a data loss prevention (DLP) system in her cloud environment. Which of the following challenges is most likely to impact the ability of her DLP system to determine whether sensitive data is being transmitted outside of her organization?

A. Lack of data labeling
B. Use of encryption for data in transit
C. Improper data labeling
D. Use of encryption for data at rest

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 24). Wiley. Kindle Edition.

Answer 3

B. Use of encryption for data in transit

Explanation:
Jacinda is likely to face challenges using her DLP system due to the broad and consistent use of encryption for data in transit or data in motion in cloud environments. She will need to take particular care to design and architect her environment to allow the DLP system to have access to the traffic it needs.

Question 4

Susan wants to ensure that super user access in her cloud environment can be properly audited. Which of the following is not a common item required for auditing of privileged user access?

A. The remote IP address
B. The account used
C. The password used
D. The local IP address

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 24). Wiley. Kindle Edition.

Answer 4

C. The password used

Explanation:
Passwords are intentionally not captured or logged since creating an audit log that contains passwords would be a significant security issue.

Question 5

Ben’s organization uses the same data deletion procedure for their on-site systems and their third-party-provided, cloud-hosted systems. Ben believes there is a problem with the process currently in use, which involves performing a single-pass zero-wipe of the disks and volumes in use before they are reused. What problem with this approach should Ben highlight for the cloud environment?

A. Crypto-shredding is a secure option for third-party-hosted cloud platforms.
B. Zero-wiping alone is not sufficient, and random patterns should also be used.
C. Zero- wiping requires multiple passes to ensure that there will be no remnant data. D. Drives should be degaussed instead of wiped or crypto-shredded to ensure that data is fully destroyed at the physical level.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 24). Wiley. Kindle Edition.

Answer 5

A. Crypto-shredding is a secure option for third-party-hosted cloud platforms.

Explanation:
Cryptographic erasure, or cryptoshredding, is the only way to ensure that drives and volumes hosted by third parties are securely cleared. Zero wiping may result in remnant data, particularly where drives are dynamically allocated space in a hosted environment. Degaussaing or other physical destruction is typically not possible with third party hosted systems without a special contract and dedicated hardware

Question 6

Jason has been informed that his organization needs to place a legal hold on information related to pending litigation. What action should he take to place the hold? Restore the files from backups so that they match the dates for the hold request. Search for all files related to the litigation and provide them immediately to opposing counsel. Delete all the files named in the legal hold to limit the scope of litigation. Identify scope files and preserve them until they need to be produced.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 25). Wiley. Kindle Edition.

Answer 6

D. Drives should be degaussed instead of wiped or crypto-shredded to ensure that data is fully destroyed at the physical level.

Explanation:
Legal holds require organizations to identify and preserve data that meets the holds scope. Jason should identify the files and preserve them until they are required. Restoring files might erase important data, deleting files is completely contrary to the concept of the hold, and holds do not require immediate production - they are just what they sound like, a requirement to hold the data

Question 7

Murali is reviewing a customer’s file inside of his organization’s customer relationship management tool and sees the customer’s Social Security number listed as XXX-XX-8945. What data obfuscation technique has been used?

A. Anonymization
B. Masking
C. Randomization
D. Hashing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 25). Wiley. Kindle Edition.

Answer 7

B. Masking

Explanation:
Masking data involves replacing data with alternate characters like X or *. This is typically done via controls in the software or database itself, as the underlying data remains intact in the database. Anonymization or identification removes data that might allow individuals to be identified. Randomization or shuffling data moves it around, disassociating the data but leaving real data in place to be tested

Question 8

An XML file is considered what type of data?

A. Unstructured data
B. Restructured data
C. Semi-structured data
D. Structured data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 25). Wiley. Kindle Edition.

Answer 8

C. Semi-structured data

Explanation:
XML and JSON are both examples of semi structured data. Other examples CSV files, XML, NoSQL Databases and HTML files

Question 9

Lucca wants to implement logging in an infrastructure as a service cloud service provider’s environment for his Linux instances. He wants to capture events like creation and destruction of systems, as part of scaling requirements for performance. What logging tool or service should he use to have the most insight into these events?

A. Syslog from the Linux systems
B. The cloud service provider’s built-in logging function
C. Syslog-NG from the Linux systems
D. Logs from both the local event log and application log from the Linux systems

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 25). Wiley. Kindle Edition.

Answer 9

B. The cloud service provider’s built-in logging function

Explanation:
The providers own logging function is the best option as information about systems being created and destroyed wont exist on the local systems, and thus syslog, syslog-ng, and local logs wont work.

Question 10

Joanna’s company uses a load balancer to distribute traffic between multiple web servers. What data point is often lost when traffic passes through load balancers to local web servers in a cloud environment?

A. The source IP address
B. The destination port
C. The query string
D. The destination IP address

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 25). Wiley. Kindle Edition.

Answer 10

A. The source IP address

Explanation:
Original source IP addresses may not be visible in the local web server log. Fortunately, load balancer logs can be used if they are available.

Question 11

Isaac is using a hash function for both integrity checking and to allow address data to be referenced without the actual data being exposed. Which of the following attributes of the data will be not be lost when the data is hashed?

A. Its ability to be uniquely identified
B. The length of the data
C. The formatting of the data
D. The ability to sort the data based on street number

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 25-26). Wiley. Kindle Edition.

Answer 11

A. Its ability to be uniquely identified

Explanation:
Hashing converts variable length data to fixed length outputs, meaning that the length, formatting and the ability to perform operations on the data using strings or numbers will be list. Its ability to be uniquely identified wont be lost - Isaac just needs to know the hash of a given address to continue to reference that data element

Question 12

Amanda’s operating procedures for secure data storage require her to ensure that she is using data dispersion techniques. What does Amanda need to do to be compliant with this requirement?

A. Delete all data not in secure storage.
B. Store data in more than one location or service.
C. Avoid storing data in intact form, requiring data from more than one location to use a data set.
D. Geographically separate data by at least 15 miles to ensure that a single natural disaster cannot destroy it.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer 12

B. Store data in more than one location or service.

Explanation:
Data dispersion is the practice of ensuring that important data is stored in more than one location or service. It does not necessarily require specific distances or geographic limits, doesnt require deletion of data not in secure storage and doesnt require you to use multiple data sets to access data

Question 13

Lisa runs Windows instances in her cloud-hosted environment. Each Windows instance is created with a C: drive that houses the operating system and application files. What type of storage best describes the C: drive for these Windows instances?

A. Long-term storage
B. Ephemeral storage
C. Raw storage
D. Volume-based storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer 13

B. Ephemeral storage

Explanation:
Storage that is associated with an instance that will be destroyed when the instance is shut down is ephemeral storage.

Question 14

Steve is working to classify data based on his organization’s data classification policies. Which of the following is not a common type of classification?

A. Size of the data
B. Sensitivity of the data
C. Jurisdiction covering the data
D. Criticality of the data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer 14

A. Size of the data

Explanation:
The size of the data or files is not typically a data classification type or field. Sensitivity, jurisdiction and criticality are all commonly used to classify data

Question 15

Chris is reviewing his data lifecycle and wants to take actions in the data creation stage that can help his data loss prevention system be more effective. Which of the following actions should he take to improve the success rate of his DLP controls?

A. Data labeling
B. Data classification
C. Hashing
D. Geolocation tagging

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 26). Wiley. Kindle Edition.

Answer 15

A. Data labeling

Explanation:
Data labels can help DLP systems identify and manage data, so Chris should ensure that data is labeled as part of its creation process to help his DLP identify and protect it

Question 16

Gary is gathering data to support a legal case on behalf of his company. Why might he digitally sign files as they are collected and preserve them along with the data in a documented, validated way?

A. To allow for data dispersion
B. To ensure the files are not copied
C. To keep the files secure by encrypting them
D. To support nonrepudiation

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer 16

D. To support nonrepudiation

Explanation:
Chain of custody documentation, often including actions like hashing files to ensure they are not changed from their original form, is commonly done to support nonrepudiation

Question 17

Valerie is performing a risk assessment for her cloud environment and wants to identify risks to her organization’s ephemeral volume-based storage used for system drives in a scalable, virtual machine–based environment. Which of the following is not a threat to ephemeral storage?

A. Inadvertent exposure
B. Malicious access due to credential theft
C. Poor performance due to its ephemeral nature
D. Loss of forensic artifacts

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer 17

C. Poor performance due to its ephemeral nature

Explanation:
Ephemeral storage will have the performance of its overall storage type, so low performance isnt an expected issue. Inadvertent exposure, malicious access and loss of forensic artifacts are all concerns for ephemeral storage

Question 18

Which storage type is most likely to have remnant data issues in an environment in which the storage is reused for other customers after it is reallocated if it is not crypto-shredded when it is deallocated and instead is zero-wiped?

A. Ephemeral storage
B. Raw storage
C. Long-term storage
D. Magneto-optical storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer 18

B. Raw storage

Explanation:
Raw storage provides direct access to a disk, and without crypto shredding is likely to have remnant data on the disk after it is used.

Question 19

Kathleen wants to perform data discovery across a large data set and knows that some data types are more difficult to perform discovery on than others. Which of the following data types is the hardest to perform discovery actions on?

A. Unstructured data
B. Semi-structured data
C. Rigidly structured data
D. Structured data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer 19

A. Unstructured data

Explanation:
Unstructured data is the most difficult to perform discovery against because the data is unlabeled and requires discovery to be done using searches or other techniques that can handle arbitrary data.

Question 20

Isaac wants to filter events based on the country of origin for authentications. What log information should he use to perform a best-effort match for logins?

A. userID
B. IP address
C. Geolocation
D. MAC address

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 27). Wiley. Kindle Edition.

Answer 20

C. Geolocation

Explanation:
While it isnt always perfectly accurate, geolocation, data attempts to identify the location of a given IP address. Isaac can use that data to attempt to match authentication events to logins, although VPNs and other tools may obscure the actual login location for users

Question 21

Charleen wants to use a data obfuscation method that allows realistic data to be used without the data being actual data associated with specific users or individuals. What data obfucation method should she use?

A. Hashing
B. Shuffling
C. Randomization
D. Masking

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer 21

B. Shuffling

Explanation:
While there may be some concerns about read data being used, Charleens goal is to have actual data for testing, making shuffling her best option

Question 22

Michelle wants to track deletion of files in an object storage bucket. What potential issue should she be aware of if her organization makes heavy use of object-based storage for storage of ephemeral files?

A. The logging may not be accurate.
B. Logging may be automatically disabled if too many events occur.
C. Creation and deletion events cannot be logged in filesystems.
D. The high volume of logging may increase operational costs.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer 22

D. The high volume of logging may increase operational costs.

Explanation:
Michelle should be aware that logging deletion events, like any other high volume event, may incur additional costs for her organizations.

Question 23

Diana is outlining the labeling scheme her organization will use for their data. Which of the following is not a common data label?

A. Creation date
B. Data monetary value
C. Date of scheduled destruction
D. Confidentiality level

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer 23

B. Data monetary value

Explanation:
Data confidentiality level is often contained in a label, but the monetary value is not a common data label. Creation and scheduled destruction date are also common data labels

Question 24

Susan wants to be prepared for legal holds. What organizational policy often accounts for legal holds?

A. Data classification policy
B. Retention policy
C. Acceptable use policy
D. Data breach response policy

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer 24

B. Retention policy

Explanation:
Retention policies often include language that addresses legal holds because holds can impact retention practices and requirements. Data classification, acceptable use and data breach response policies typically do not include legal hold language

Question 25

Henry wants to follow the OWASP guidelines for key storage. Which of the following is not a best practice for key storage?

A. Keys must be stored in plaintext to allow for access.
B. Keys must be protected in both volatile and persistent memory.
C. Keys stored in databases should be encrypted using key encryption keys.
D. Keys should be protected in storage to ensure that they are not modified or changed inadvertently.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 28). Wiley. Kindle Edition.

Answer 25

A. Keys must be stored in plaintext to allow for access.

Explanation:
Keys should never be stored in plaintext format and should instead be stored in a secure manner - typically encrypted in a hardware security module or other key vault

Question 26

Marco wants to implement an information rights management tool. What phase of the data lifecycle relies heavily on IRM to ensure the organization retains control of its data?

A. Create
B. Store
C. Share
D. Destroy

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer 26

C. Share

Explanation:
While IRMs are useful through many of the phases of the cloud data lifecycle, Marco knows that sharing data is when an IRM is most heavily used to ensure that data is not inadvertently exposed or misused

Question 27

JSON is an example of what type of data?

A. Structured data
B. Semi-structured data
C. Unstructured data
D. Labeled data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer 27

B. Semi-structured data

Explanation:
JSON is an example of semi structure data. Other examples include CSV files, XML, NoSQL databses and HTML files

Question 28

Charleen wants to perform data discovery on her organization’s data, which is stored in archival storage hosted by her organization’s cloud service provider. What issue should she point out about this discovery plan?

A. It may be slow and costly due to how archival storage is designed and priced.
B. The data may not exist because it has been archived.
C. The discovery process cannot be run against archival storage because it is not online under normal circumstances.
D. The data will need to be decrypted before being scanned for discovery purposes.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer 28

A. It may be slow and costly due to how archival storage is designed and priced.

Explanation:
Cloud archival storage is typically designed primary as a storage location with infrequent and smaller scale access, not for large scale interactive access like a discovery process will use. It is likely to be a slow and potentially costly effort if the data is scanned while in the archival location

Question 29

Ujama’s manager has asked him to perform data mapping to prepare for his next task. What will Ujama be doing?

A. Adding data labels to unstructured data
B. Matching fields in one database to fields in another database
C. Identifying the storage locations for files of specific types on system drives
D. Building a file and folder structure for data storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer 29

B. Matching fields in one database to fields in another database

Explanation:
Data mapping is the process of matching fields in databases to allow them to be integrated or for purposes such as data migration

Question 30

Lin wants to ensure that her organization’s data labels remain with the data. How should she label her data to give it the best chance of retaining its labels?

A. Embed the labels in the filename.
B. Add the labels to the file’s content at the beginning of the file.
C. Add labels to the file metadata.
D. Add the labels to the file’s content at the end of the file.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer 30

C. Add labels to the file metadata.

Explanation:
Adding labels as part of the files metadata is a common practice and is less likely to be changed than including them in the file name

Question 31

Nina’s organization has lost the cryptographic keys associated with one of their cloud-based servers. What can Nina do to recover the data the keys were used to protect?

A. Generate new keys to recover the data.
B. Use the passphrase for the keys to recover the keys.
C. Reverse the hash that was used to encrypt the data.
D. The data is lost and Nina cannot recover it.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 29). Wiley. Kindle Edition.

Answer 31

D. The data is lost and Nina cannot recover it.

Explanation:
Key escrow and backup is incredibly important, and once a key is lost, it cannot be recovered and the data should be considered lost. Generating a new key will not decrypt the data, the passphrase isnt sufficient to recover keys and hashing is not a form of encryption and cannot be reversed

Question 32

Madani is planning to perform data discovery on various data sets and files his organization has. On which type of data will discovery be most easily performed?

A. Unstructured data
B. Semi-structured data
C. Encrypted data
D. Structured data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer 32

D. Structured data

Explanation:
Madani knows that structured data is well defined and organized and will be the easiest to perform discovery actions on

Question 33

Ashley tracks the handling of a forensic image, including recording who handles it, when it was collected and when each transfer occurs, and why the transfer occurred. What practice is Ashley performing?

A. Documenting chain of custody
B. Ensuring repudiation
C. A legal hold
D. Forensic accounting

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer 33

A. Documenting chain of custody

Explanation:
Ashley is documenting the chain of custody for the image to ensure it can be used in court.

Question 34

Which of the following is not a common goal of data classification policies?

A. Identifying classification levels
B. Assigning responsibilities
C. Defining roles
D. Mapping data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer 34

D. Mapping data

Explanation:
Data mapping is a term used to describe matching fields in databases to allow data migration or integration. Data classification policies do identify classification levels, assign responsibilities and define roles

Question 35

Hiroyuki wants to optimize his organization’s data labeling process. How and when should he implement data labeling to be most efficient and effective?

A. Manual labeling at the data creation stage
B. Automated labeling at the data creation stage
C. Automated labeling at the data use stage
D. Manual labeling at the data use stage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer 35

B. Automated labeling at the data creation stage

Explanation:
Labeling data at creation ensures that it can be properly handled through the rest of its lifecycle. Automated labeling is preferable where possible to avoid human error and to accommodate the volume of data that most organizations create

Question 36

Jen wants to ensure that keys used by individuals in her organization can be handled properly. Which of the following is not a best practice for handling long-term keys in use by humans?

A. Anonymize access using the key
B. Identify the key user
C. Identify when the key is used
D. Uniquely tag the keys

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer 36

A. Anonymize access using the key

Explanation:
Anonymizing access using a key removes the ability to provide accountability and works against organizational best practices. Identifying the key, the user and when and how it is used supports accountability for usage

Question 37

Danielle wants to ensure that the data stored in her cloud-hosted datacenter is properly destroyed when it is no longer needed. Which of the following options should she choose?

A. Physical destruction of the media
B. Crypto-shredding
C. Degaussing
D. Overwriting

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 30). Wiley. Kindle Edition.

Answer 37

B. Crypto-shredding

Explanation:
Cryptoshredding is the only viable option in environments controlled or managed by a third party organization in most circumstances. Physical destruction is not permitted or supported by third party provider, nor is degaussing, which will also not work on many modern drives

Question 38

Charles wants to use tokenization as a security practice for his organization’s data. What technical requirement will he have to meet to accomplish this?

A. He will need to encrypt his data.
B. He will need two distinct databases.
C. He will need to use a FIPS 140-2 capable cryptographic engine to create tokens.
D. He will need to deidentify the data.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer 38

B. He will need two distinct databases.

Explanation:
Tokenization relies on two distinct databases, one with actual data and one with tokenized data. Token servers then pull the data the token represents from the real data database when needed. This process does not require encryption, specify FIPS requirements or involve deidentification practices

Question 39

Once Charles has his two databases ready, what step comes next in the tokenization process?

A. Data discovery to identify sensitive data
B. Tokenization of the index values
C. Hashing each item in the database
D. Randomization of data in the database to prepare for tokenization

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer 39

A. Data discovery to identify sensitive data

Explanation:
With the source database ready and a tokenization database prepared to be populated, the next step is to identify which data should be tokenized. Not all data is sensitive and thus not all data needs to be tokenized. Once you know what data will be tokenized, you can tokenize it - sometimes by hashing the data. Randomization is not part of this process

Question 40

Jack wants to understand how data is used in his organization. What tool is often used to help IT professionals understand where and how data is used and moved through an organization?

A. Data classification
B. Data mapping
C. Dataflow diagrams
D. Data policies

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer 40

C. Dataflow diagrams

Explanation:
Dataflow diagrams are a critical part of organizational understanding of how data is created, moves and is used throughout an organization. They often include details like ports, protocols, data elements and classification and other details that can help you understand not only where data is but how it gets there and what data is in use

Question 41

Annie has a database with a field titled “chosen name” and she has another database with a field titled “name.” She knows that these fields are used for the same purpose in her organization and wants to use data from both databases. What process could she use to match these and other fields to allow her to do so more easily?

A. Data mapping
B. Column consolidation
C. Data labeling
D. Columnar aggregation

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer 41

A. Data mapping

Explanation:
Annie should map the data between the database fields and then use the mappings to help her sort and manage data as needed. Data labeling is used to tag data with important information like classification, creation date or time, or other elements. Column consolidation and columnar aggregation were made up

Question 42

Which of the following items is not commonly included in dataflow diagrams?

A. Data types or fields
B. Services
C. Systems
D. Data lifespan information

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer 42

D. Data lifespan information

Explanation:
Data lifespan is not a typical entry in a dataflow diagram, since they focus on flows, not policies. Data types, fields of names, services, systems, ports, protocols, and security details are all commonly included in dataflow diagrams

Question 43

Jim’s organization wants to implement cryptographic erasure as their primary means of destroying data when they are done with it. What first step is required to support this through the data’s lifecycle?

A. Hash all of the data at creation.
B. Zero-wipe drives before they are used to ensure no previous data is resident.
C. Encrypt the drive or volume at creation.
D. All of the above.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 31). Wiley. Kindle Edition.

Answer 43

C. Encrypt the drive or volume at creation.

Explanation:
Encrypting the drive or volume at creation ensures that any data written to the drive or volume through its lifespan will be encrypted and that destruction of the encryption key will result in secure destruction of the data

Question 44

Charles wants to store data in a relational database, which uses columns and tables that describe the data. Which of the following types of data cannot be easily stored in a relational database other than as a text blob?

A. Structured data
B. Semi-structured data
C. Unstructured data
D. All of the above

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer 44

C. Unstructured data

Explanation:
Unstructured data does not have the structure required to be easily stored in a database. Semi structured data and structured data is easier to store in a relational database since it has descriptors and elements that make it easier to map into fields

Question 45

Olivia wants to write a data retention policy for her organization. Which list best describes common components of a retention policy?

A. Retention periods, regulatory compliance requirements, data classification, data deletion and lifespan, and archiving and retrieval procedures
B. Retention periods, logging, data classification, data deletion processes, and compliance requirements
C. Data classification requirements, regulatory compliance requirements, data creation and tagging requirements, and data retrieval procedures
D. Regulatory and compliance requirements and mapping to retention periods for the organization, legal hold processes, and data deletion requirements

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer 45

A. Retention periods, regulatory compliance requirements, data classification, data deletion and lifespan, and archiving and retrieval procedures

Explanation:
Retention policies often include retention periods, regulatory and compliance requirements, data classification impacts on retention, how and when data should be deleted, and archiving and retrieval processes. In addition, Olivia may want to include monitoring, maintenance, and enforcement

Question 46

Hui wants to revoke a certificate issued by her information rights management (IRM) system. How can she verify that the certificate has been revoked?

A. Issue a new certificate using the same information as the original certificate.
B. Attempt to access the data using her own certificate.
C. Check the IRM’s certificate revocation list.
D. Delete the private keys for the original certificate.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer 46

C. Check the IRM’s certificate revocation list.

Explanation:
An IRM needs to maintain a certificate revocation list that allows users and applications to validate certificates, just like any other service that uses certificates. That means that Hui should be able to check to see if the revoked certificate is in the list to validate her actions. Issuing a new cert using the same info, accessing the data using her own cert, or deleting the private keys will not invalidate the existing certificate

Question 47

Frank’s organization is preparing to adopt an information rights management tool. What IRM capability focuses on providing rights to individuals based on their roles to ensure appropriate data access?

A. Tagging
B. Data labeling
C. Encryption
D. Provisioning

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer 47

D. Provisioning

Explanation:
The provisioning capability of IRM systems focuses on providing rights to individuals based on roles and job functions.

Question 48

Randy is following his organization’s data classification policy and tags data that was identified in the organization’s business impact analysis. What type of classification is Randy performing?

A. Criticality
B. Jurisdiction
C. Security
D. Sensitivity

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 32). Wiley. Kindle Edition.

Answer 48

A. Criticality

Explanation:
Business impact analysis helps to determine what data is needed to continue the operations of the business. This is an assessment of the criticality of the data and Randy knows that the data he flags may be necessary in the event of a disaster or other business continuity issue

Question 49

Susan is concerned that her organization doesn’t understand how a critical application works in their cloud environment. Recent issues indicate that her organization’s developers and cloud architects have different ideas about how systems and services work together. What should Susan prepare to help document and explain how systems and services work together?

A. Data classification
B. A business impact analysis
C. A dataflow diagram
D. Data mapping

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer 49

C. A dataflow diagram

Explanation:
Susan should prepare a dataflow diagram to share with her application developers and cloud architects to make sure that the application and service environment is correctly documented.

Question 50

Jane is considering data dispersion as a security and availability strategy for her organization. What risk should she highlight as the most significant potential problem if her organization does adopt a multivendor approach to dispersion?

A. Data dispersion makes it difficult to encrypt data.
B. Geographic dispersion may impact performance.
C. An outage at a provider may result in data not being available.
D. Most cloud vendors do not offer support for dispersion.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer 50

C. An outage at a provider may result in data not being available.

Explanation:
The most common risk, and thus the most impactful risk in this list, is the potential for a provider outage to result in the inability to access dispersed data

Question 51

Selah is implementing an information rights management system. What requirement will she encounter if she wants to control files on workstations and laptops?

A. The need to deploy a cloud-native server
B. The need to install an agent on endpoint devices
C. The need to deploy an on-site server
D. The need to install an agent on cloud-based systems

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer 51

B. The need to install an agent on endpoint devices

Explanation:
Installation of a local agent is typically required by IRM systems to ensure data is properly handled on endpoint systems. The questions doesnt specify the use of a server either in the cloud or locally, and the endpoints mentioned are are not cloud based

Question 52

Audio and video files are examples of what type of data?

A. Unstructured data
B. Sensitive data
C. Labeled data
D. Structured data

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer 52

A. Unstructured data

Explanation:
Unstructured data includes data like images, audio, video, word processing files and other data that does not have a formally defined structure like structured data does. There’s no information that indicates that this is sensitive information, and there isnt any mention of labeling in the question

Question 53

Wayne wants to perform data discovery on a very large data set stored in a cloud service using a tool that is hosted in a different cloud service, which will require copying the data to the cloud where the tool resides. What is the primary cost concern he should consider when evaluating an option like this?

A. The cost of the storage tier the data is currently in
B. Ingress and egress fees for moving the data between cloud services
C. The cost of logs generated by the discovery process in the cloud where it is hosted D. The cost of logs generated by the discovery process in the cloud where the data resides

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 33). Wiley. Kindle Edition.

Answer 53

B. Ingress and egress fees for moving the data between cloud services

Explanation:
Ingress and egress fees are often some of the highest expenses involved in this effort
Since the data is already contained in a storage tier, no new expenses should arise. Logs are text based and can be stored efficiently, so it is unlikely that log files will be a major cost driver

Question 54

Amanda’s organization uses a chain of custody process for forensic data and has captured a drive image from a compromised system hosted in their cloud environment. Amanda wants to analyze the drive without causing issues that might result in repudiation of the drive image or an issue with the chain of custody of the image. What actions should she take to analyze the drive?

A. Analyze the drive while connected to a forensic write-protect device.
B. Analyze the drive using only approved forensic software.
C. Make a copy of the original image, validate it, and then analyze the copy.
D. Log all actions taken on the original copy of the drive to maintain a chain of custody.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 33-34). Wiley. Kindle Edition.

Answer 54

C. Make a copy of the original image, validate it, and then analyze the copy.

Explanation:
Amanda knows that the original drive should be preserved, and actions should only be taken on a forensic copy. Working with the original, regardless of the process, is not a forensic best practice

Question 55

Which of the following is not a common information rights management tool control capability?

A. Preventing taking a screenshot or photo of the displayed text
B. Disabling copying of text
C. Preventing local copies from being saved
D. Disallowing printing

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer 55

A. Preventing taking a screenshot or photo of the displayed text

Explanation:
While IRM systems can control actions on the system, taking a photo (or even a screenshot) of displayed text is typically outside of their capabilities. Preventing copying, printing and making copies are all common IRM features

Question 56

Felix operates his organization’s cloud resources in multiple countries, including member states of the European Union. What is the most significant concern Felix should express about conducting data discovery across data sets contained in their cloud storage?

A. Costs may vary across difference regions, making it difficult to estimate the price for the discovery.
B. Regulatory requirements will vary across different locations and may make compliance difficult during discovery.
C. Structured data will be harder to process than unstructured data, making inter-region discovery challenging.
D. Encryption may not be allowed between regions, making the discovery less secure.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer 56

B. Regulatory requirements will vary across different locations and may make compliance difficult during discovery.

Explanation:
Regulatory compliance is important for organizations and Felix needs to point out that discovery across multiple countries and regions may involve a complex set of regulations to comply with. Costs may vary in different regions, but that is not the primary concern Felix needs to raise. There isnt any mention in the question of whether data is structured or not, and while encryption import and export may be covered by law, discovery can be conducted using local tools in each region if necessary

Question 57

Jason wants to lower the ongoing cost of using storage in his cloud infrastructure as a service environment for logs and other data that is infrequently accessed. What should he consider doing with the data?

A. Delete the data to save costs.
B. Archive the data to a lower cost storage tier.
C. Move the data to a third-party service provider to reduce costs.
D. Archive the data to a higher performance storage tier.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer 57

B. Archive the data to a lower cost storage tier.

Explanation:
Archiving data to a lower cost and typically lower performance storage tier is a common strategy for cloud data retention. Examples like Amazons Glacier allow for long term storage with infreqeunt or slow access and may come with additional costs for retrieval, but optimize costs when data is unlikely to be accessed. Deleting the data does not allow it to be used, moving to a third party service provider is more complex, and moving to a higher performance storage tier does not meet his cost needs

Question 58

Frank knows that his organization adds data labels for data during its creation. What additional phase of the cloud data lifecycle often includes data labels as data is combined or modified?

A. Store
B. Use
C. Sharing
D. Deletion

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 34). Wiley. Kindle Edition.

Answer 58

B. Use

Explanation:
The Use phase of the data lifecycle often includes modification of data and thus will require labels to change or be added

Question 59

Chris wants to send data from his web application to client systems securely. What encryption protocol should he use?

A. SSL
B. MD5
C. SHA-1
D. TLS

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer 59

D. TLS

Explanation:
TLS, or Transport Layer Security, is the encryption protocol of choice for web application traffic

Question 60

Kathleen’s organization uses a technique known as bit-splitting that breaks up encrypted information across multiple cloud services to make it more difficult to acquire and recover the data. What cloud data concept best describes activities like this?

A. Data dispersion
B. Data mapping
C. Business continuity
D. Dataflows

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer 60

A. Data dispersion

Explanation:
Data dispersion best fits this description, and bit splitting is a form of data dispersion, although it is one that is more frequently associated with malicious use to avoid forensic analysis and investigations

Question 61

Gurleen’s organization has preserved data due to a legal hold, but the data has hit the end of its retention timeframe due to statutory requirements. What should Gurleen do?

A. Contact the appropriate government agency about the statute to inquire about the legal hold.
B. Delete the data based on the statutory requirements.
C. Continue to preserve the data to meet the legal hold requirements.
D. Make a copy of the data for the legal hold and delete the original data.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer 61

C. Continue to preserve the data to meet the legal hold requirements.

Explanation:
Legal holds normally take precedence over other deletion requirements. While Gurleen should check with her organizations legal counsel, in general she should continue to preserve the data

Question 62

Quentin’s organization uses ephemeral storage that is attached to systems when they are instantiated in the organization’s cloud-hosted environment. What will happen when the instances are terminated?

A. The volume will be retained to be used with a future instance.
B. The volume will be wiped and reused for the next instance owned by Quentin’s organization that is instantiated.
C. The data will be moved to a long-term storage tier until it is manually deleted.
D. The storage will be wiped and reclaimed by the provider to be allocated elsewhere.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer 62

D. The storage will be wiped and reclaimed by the provider to be allocated elsewhere.

Explanation:
Ephemeral storage that is associated with instances in most cloud providers infrastructure is wiped and reclaimed for reallocation when instances are terminated. If the instance were merely shut down, the storage would be retained for when the system was reactivated

Question 63

Renee wants to set a retention period for log files in her data retention policy that minimizes the ongoing cost of retention. What retention period should she select for ephemeral logs that do not have a contractual or legal requirement for retention?

A. 45 days
B. 6 months
C. 3 years
D. 7 years

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 35). Wiley. Kindle Edition.

Answer 63

A. 45 days

Explanation:
Ephemeral data is often kept for shorter time periods like 45 days, a time period sufficient to allow investigations without building up large volumes of data that will not be used and which can be expensive to store. Longer term storage may be required by law or contracts or due to specific contractual requirements

Question 64

Brian has been tasked with performing a cryptographic erasure process on an encrypted drive. What steps does he need to take to ensure that the data is securely destroyed?

A. Destroy all copies of the encryption key.
B. Encrypt, then decrypt the drive.
C. Decrypt, then re-encrypt the drive with a new key.
D. Degauss the drive, then zero-wipe it.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 36). Wiley. Kindle Edition.

Answer 64

A. Destroy all copies of the encryption key.

Explanation:
While it may seem quite simple, securely erasing all copies of the encryption key is all that it takes to complete the destruction process for crypto shredding

Question 65

Lincoln wants to identify threats to the availability of data stored in a long-term storage service like Amazon’s Glacier. Which of the following threats should he identify as impacting availability?

A. Service outages
B. Credential theft
C. Improper permissions
D. Lack of encryption

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 36). Wiley. Kindle Edition.

Answer 65

A. Service outages

Explanation:
Service outages are the only direct threat to availability on this list

Question 66

Theresa wants to identify endpoint systems rather than users for her information rights management system. What is typically used to identify a system to an IRM?

A. A system name
B. An IP address
C. A user ID and password
D. A certificate

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 36). Wiley. Kindle Edition.

Answer 66

D. A certificate

Explanation:
Information rights management systems typically rely on certs to identify systems. They can be issued centrally and managed as well as used for digital signatures and encryption

Question 67

Derek’s organization uses a cryptographic one-way function applied to data in a database to allow it to be referenced without using the actual data. What anonymization technique are they using?

A. Anonymization
B. Masking
C. Hashing
D. Shuffling

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 36). Wiley. Kindle Edition.

Answer 67

C. Hashing

Explanations:
Dereks organization is using hashing, which uses a one way cryptographic function to replace data with values that can be referenced without exposing the actual data. Anonymization focuses on removing data that can be associated with specific users or individuals, masking uses alternate characters to conceal data and shuffling switches data around while retaining actual data for testing

Question 68

Henry stores his cloud environment’s log files in a filesystem designed for durability and performance for logs. What type of storage is he using?

A. Long-term storage
B. Ephemeral storage
C. Raw storage
D. Volume-based storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 36). Wiley. Kindle Edition.

Answer 68

A. Long-term storage

Explanation
Long term storage is storage that is intended to continue to exist and is often used for logs or data storage. Storage that is associated with an instance that will be destroyed when the instance is shut down is ephemeral storage. Raw storage is storage that you have direct access to like a hard drive or an SSD

Question 69

Alaina’s organization uses a secrets management service provided by their cloud service provider. Alaina knows that the secrets are critical to the operations of the service and wants to implement a “break-glass” emergency procedure in case the service is unavailable. Which of the following is not a common best practice for this type of secrets recovery capability?

A. Build an automated backup system for secrets.
B. Test the restore process for secrets regularly.
C. Use a second instance in the original provider’s cloud for the backup system.
D. Encrypt backups and place them on secure storage.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 36-37). Wiley. Kindle Edition.

Answer 69

C. Use a second instance in the original provider’s cloud for the backup system.

Explanation:
OWASPs Secrets Management Cheatsheet describes three main requirements for break glass secrets backup environments:
ensuring automated backups are in placed and executed regularly based on the number of secrets and their lifecycle, frequently testing the restore procedures, and encrypting backups and placing them on secure, monitored storage

Question 70

Alaina wants to implement secrets detection to help identify issues with secrets exposure. Which of the following techniques will most easily help her organization detect poor practices in internal test environments without undue risk?

A. Use a secrets manager for development, test, and production to keep secrets secure.
B. Use standard test secrets and search for them.
C. Use multiple detection utilities to reduce the chance of missing a secret.
D. Use high entropy secrets to limit the possibility of guessed secrets.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Answer 70

B. Use standard test secrets and search for them.

Explanation:
Using standard test secrets makes them easier to detect if they are in an exposed location. Since Alaina specifically has an internal test environment, this is the right location to use standard secrets

Question 71

Angie wants to move 100 terabytes of her organization’s data to archival class storage in her cloud provider’s environment. Which of the following decision points will be most impactful when deciding on cost of the new solution?

A. The amount of data to be archived
B. The type of data
C. The sensitivity of the data
D. Retrieval time

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Answer 71

D. Retrieval time

Explanation:
Retrieval time, the amount of time before data can be accessed, is a primary driver for the cost of archival storage in cloud environments

Question 72

What process is shown in the following figure?

A. Field hashing
B. Table matching
C. String comparison
D. Data mapping

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 37). Wiley. Kindle Edition.

Answer 72

D. Data mapping

Explanation:
The figure shows a data mapping process between two database tables matching names, phone numbers and email addresses. String comparisons compares two strings to determine if they are the same.

Question 73

Wei’s organization is implementing an information rights management system. What IRM process ensures that users receive the rights and privileges they need to access files protected by the IRM?

A. Tagging
B. Provisioning
C. Labeling
D. Data mapping

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 37-38). Wiley. Kindle Edition.

Answer 73

B. Provisioning

Explanation:
Provisioning for IRM systems gives users the rights and permissions that they need to access files they have rights to.

Question 74

Dana is preparing to move her organization’s data to cloud archival storage. Which of the following is the most important consideration related to performance for archival storage?

A. The cost of the storage
B. Data access patterns
C. The volume or amount of data
D. The amount of time the data will be stored for

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer 74

B. Data access patterns

Explanation:
Data access patterns are one of the most important things to understand before selecting archival storage. Archival storage classes and services often focus on inexpensive, low frequency, slow access, but other options can include more dynamic access capabilities

Question 75

What role defined by a data classification policy holds the overall responsibility for data and is typically a member of senior management?

A. The data custodian
B. The data owner
C. The data processor
D. The data user

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer 75

B. The data owner

Explanation:
Data owners are defined by data classification policies and hold overall responsibility for data that they own. Data custodians are responsible for the data, ensuring access control, proper storage and other operational controls.

Question 76

Elaine’s organization has suffered a data breach, and tokenized data has been exposed. What concern should Elaine express about the tokenized data?

A. It can be un-hashed to reveal the original data.
B. Tokenized data does not create a data breach concern.
C. Tokenized data is only a concern if the database it is matched with is also exposed. D. Tokenized data could be decrypted if the encryption key for the tokens was also stolen.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer 76

C. Tokenized data is only a concern if the database it is matched with is also exposed

Explanation:
Tokenized data is only a concern if the database with original data that it references is also exposed.

Question 77

Asha wants to be able to easily restore files in her cloud service environment if a change is accidentally made. What feature could she use to allow easy restoration?

A. Enable versioning.
B. Use a daily backup process.
C. Set up recurring snapshots.
D. Enable automatic archiving.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer 77

A. Enable versioning.

Explanation:
Versioning tools like those found in Amazons S3 environment allow you to revert to a previous version if an inadvertent change occurs, if data is corrupted, or if the file is deleted.

Question 78

Brian is reviewing his organization’s secrets management policies and practices. Which of the following is not a practice that they should use?

A. Reduce the number of people with administrative access to the secret store.
B. Regularly rotate secrets.
C. Maximize the rights of important secrets to reduce the total number of secrets required.
D. Enable logging and alerting on secrets access and usage.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 38). Wiley. Kindle Edition.

Answer 78

C. Maximize the rights of important secrets to reduce the total number of secrets required.

Explanation:
The concept of least privilege is used for secrets too, and maximizing it is a bad idea. Brian should instead seek to limit the rights a given secret provides to constrain the impact of a potential breach or misuse

Question 79

Chris wants to audit access to highly sensitive data stored in his cloud provider’s block storage service. What type of logging should he enable to monitor for use of privileged accounts to access specific buckets?

A. Enable authentication logging.
B. Enable access logging.
C. Enable bandwidth monitoring.
D. Enable timestamps.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer 79

B. Enable access logging.

Explanation:
Access logging will allow Chris to monitor for access to specific buckets by individuals, including privileged accounts

Question 80

Jaime is performing data discovery and wants to search for a specific term in the unstructured data she’s working with. What type of discovery is she performing?

A. Label-based discovery
B. Metadata-based discovery
C. Content-based discovery
D. Structure-based discovery

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer 80

C. Content-based discovery

Explanation:
Jamie is performing content based discovery by searching for specific terms in unstructured data. Label based discovery would rely on data labels

Question 81

Mike has become aware of a certificate’s private key that has been exposed as part of an incident. What should Mike do first to limit the potential impact of the exposure?

A. Immediately issue a new certificate and securely transmit it to the user.
B. Immediately revoke the certificate and add it to the certificate revocation list.
C. Search for all locations of the certificate to understand what impact its exposure may have.
D. Interview the user or owner to identify why the certificate was exposed.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer 81

B. Immediately revoke the certificate and add it to the certificate revocation list.

Explanation:
Mike should immediately revoke the cert so that any malicious use will be limited. He may then want to determine why the cert was exposed and issue a new cert to ensure that the user or owner can continue to perform their job

Question 82

Dan’s DLP deployment has been experiencing false positives when keying on pattern matching, resulting in extra work for his organization’s security team. What can he do to best improve the DLP’s performance if the DLP is currently relying on pattern matching as the primary means of identifying sensitive information?

A. Tag data with its sensitivity level.
B. Apply a data lifecycle and delete unneeded data to reduce the data being monitored.
C. Classify data based on a classification scheme.
D. Use regular expressions to improve the pattern matching algorithm’s success rate.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer 82

A. Tag data with its sensitivity level.

Explanation:
Tagging data will help the DLP manage it appropriately without having to rely on pattern matching. Reducing the overall amount of data may help, but Dans first priority should be using more effective methods.

Question 83

Olivia’s cloud environment uses ephemeral machines that are instantiated and shut down as utilization grows and shrinks. She is concerned about the ability to determine what system an event occurred on. What key data element should she ensure is recorded when each machine sends log data?

A. The system’s IP address
B. An administrative user associated with the system
C. A unique tag for each system instance
D. The system’s deletion time

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 39). Wiley. Kindle Edition.

Answer 83

C. A unique tag for each system instance

Explanation:
Tags are important tool when working with ephemeral systems. While IP addresses may be reused and admin accounts are likley to be the same across systems, tags can be unique, allows events to be tracked to an instance. The systems deletion time should be logged, as should the time it is instantiated, but this obviously wouldnt be in every log event created by the machine

Question 84

Valerie’s organization is legally allowed to dispose of specific operational data after 7 years and has an automated disposal process that removes the data based on lifecycle tags. Valerie has recently been informed that the data from one customer has been placed on a legal hold. What should she do?

A. Delete the data; the law allows disposal at 7 years, regardless of legal holds. B. Preserve the data requested until the legal hold is over.
C. Retain the full data set until the legal hold is over.
D. Make a copy of all of the data, move it to alternate storage, and delete the original to meet both legal requirements.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 39-40). Wiley. Kindle Edition.

Answer 84

B. Preserve the data requested until the legal hold is over.

Explanation:
Legal holds typically override other agreements and lifecycles. Valerie should preserve only the data requested or covered by legal hold, and she should continue with normal practices for the remaining data

Question 85

Heikki is preparing to deploy a data loss prevention system. He has prioritized, categorized, and labeled his data. What will he need to do to ensure that the system can help secure his organization’s data?

A. Establish DLP policies.
B. Perform data matching.
C. Define the data lifecycle.
D. Train users.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 40). Wiley. Kindle Edition.

Answer 85

A. Establish DLP policies.

Explanation:
Heikkis next step will be to set up policies that apply appropriate controls to the data that he has categorized and labeled. Once those policies are set, he can train users and run the DLP

Question 86

Kara is performing data discovery on a large number of pictures and uses the data embedded in the photos, including the time it was taken, the camera, and similar data. What type of discovery is she performing?

A. Metadata-based discovery
B. Content-based discovery
C. Tag-based discovery
D. Label-based discovery

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 40). Wiley. Kindle Edition.

Answer 86

A. Metadata-based discovery

Explanation:
Kara is performing metadata-based discovery using the metadata that already exists in most digital photos. Content based discovery might compare the photos looking for specific subjects and label or tag based discovery would leverage data labels

Question 87

Rick is informed that the development team for one of his organization’s applications is using tokenized data for customer information. What does Rick know based on this information?

A. The actual customer information is stored in the tokenized database.
B. The customer data is secure because tokens cannot be breached.
C. A breach of the token database would result in a customer data breach.
D. The tokenized data can be looked up against a database that contains customer data.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 40). Wiley. Kindle Edition.

Answer 87

D. The tokenized data can be looked up against a database that contains customer data.

Explanation:
Rick knows that tokenized data can be looked up against a database that contains the original customer data, allowing it to be accessed as needed. The actual customer data is stored in a separate database, meaning that a breach of the token database would not result in a customer data breach. The customer data is more secure but could still be breached if attackers leveraged the tokens and their lookup capability

Question 88

As part of an incident response process, Jack wants to validate the integrity of system instances running in his cloud environment. What can he do to quickly and efficiently check that the virtual machine images have not been modified?

A. Check the cloud provider’s logs for modifications to the machine.
B. Check hashes of machine instances against a hash of the original.
C. Check timestamps and dates for files on the machine against the original.
D. Rebuild the machine and manually compare it against the original.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 40). Wiley. Kindle Edition.

Answer 88

B. Check hashes of machine instances against a hash of the original.

Explanation:
Hashes can be used to validate whether an image has been modified, but it is important to note that a running machine will have a different hash than the original. Jack may need to check specific file hashes instead. Cloud provider logs may not show changes to an instance, timestamps are time consuming to check and may be notified when files are copied, and rebuilding the machine will typically result in differences

Question 89

Tara has backups for her cloud service stored in the long-term storage service her cloud service provider provides and in a separate third-party long-term backup environment. What concept has Tara implemented?

A. Deduplication
B. Dispersion
C. Protected supply chain
D. Lifecycle management

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 41). Wiley. Kindle Edition.

Answer 89

B. Dispersion

Explanation:
Dispersion is the concept of ensuring that data is in multiple locations so that a single failure, event or loss cannot result in the destruction or loss of the data. Deduplication involves removing duplicates from a data set; protected supply and lifecycle management are how data is managed throughout its life and doesnt specifically describe where data is stored for redundancy

Question 90

Christina’s organization operates branches in multiple countries but wants to archive its data in the organization’s primary cloud-hosting environment in North America. What is the most important concern she should raise about centralizing data in this scenario?

A. The need to ensure regulatory compliance
B. The potential for exposure as the data is moved
C. Transfer speeds from international locations
D. The fact that permissions may need to be remapped due to the move

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 41). Wiley. Kindle Edition.

Answer 90

A. The need to ensure regulatory compliance

Explanation:
When data is created and used in other countries, it may be subject to regulations specific to those countries. Christina should point out that regulatory compliance is critical and could prove complex in this scenario. Exposure issues should be accounted for through best practices like using encryption for all transfers. Transfer speeds for archival data are typically not as critical as for operational data and permissions should be set to be appropriate for the data regardless of location

Question 91

What cloud data lifecycle phase occurs at the question mark shown in the following figure?

A. Archive
B. Distribute
C. Encrypt
D. Use

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 41). Wiley. Kindle Edition.

Answer 91

D. Use

Explanation:
The Use stage occurs after Classification and before Transfer or Archiving

Question 92

Ben has used a hashing algorithm on a file. Which of the following is not something he will know about the output?

A. It will be of fixed length.
B. It will be nonreversible.
C. Identical files will generate identical output.
D. Two different files can be hashed to the same output.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 41). Wiley. Kindle Edition.

Answer 92

D. Two different files can be hashed to the same output.

Explanation:
Ben knows that hashes are a one way functions and cannot be reverse. They generate fixed length output from variable length input, and identical files will generate identical output. Two different files should never generate the same output

Question 93

Jacinda wants to implement an information rights management solution. What phase of the cloud data lifecycle will rely heavily on the IRM to ensure that privileges are appropriately managed?

A. Create
B. Store
C. Share
D. Destroy

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 42). Wiley. Kindle Edition.

Answer 93

C. Share

Explanation:
IRM can be particularly useful during the sharing stage of the cloud data lifecycle since information rights management tools can ensure privileges are access to data are appropriately managed as data moves around the organization and potentially leaves it

Question 94

What cloud data lifecycle stage occurs at the question mark shown in the following image?

A. Storage
B. Encryption
C. Labeling
D. Provisioning

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 42). Wiley. Kindle Edition.

Answer 94

A. Storage

Explanation:
Storage occurs after creation in the cloud data lifecycle. Labeling is typically done as part of the creation process. Proivisioning may be done at any time but is often associated with use. Encryption is not a stage in the cycle

Question 95

Naomi’s organization has removed addresses, names, and phone numbers from data sets while retaining customer information like orders and website activity. What data obfuscation technique has she used?

A. Anonymization
B. Hashing
C. Shuffling
D. Tokenization

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 42). Wiley. Kindle Edition.

Answer 95

A. Anonymization

Explanation:
Naomi has attempted to anonymize the data by removing personally identifiable data. Hashes use a one way cryptographic function to reference data without having the data itself exposed or in use.

Question 96

Melissa is designing her organization’s data retention policy. Which of the following is not a common component of a data retention policy?

A. Retention periods
B. Data value
C. Regulatory compliance
D. Data classification

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 42). Wiley. Kindle Edition.

Answer 96

B. Data value

Explanation:
Data value is typically not included in a data retention policy. Instead, retention periods, compliance requirements and data classification are included as well as lifecycle requirements and arching and retrieval procedures

Question 97

Gary’s cloud provider gives him direct access to actual drives in servers as part of his hosting plan. What type of storage is Gary using when he installs operating systems and applications on those drives?

A. Long-term storage
B. Ephemeral storage
C. Raw storage
D. Volume-based storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (pp. 42-43). Wiley. Kindle Edition.

Answer 97

C. Raw storage

Explanation:
Raw storage is storage that you have direct access to like a hard drive or an SSD that has access to the underlying device. Long term storage is storage that is intended to continue to exist and is often used for logs or data storage.

Question 98

Maria has implemented an information rights management tool for her cloud-hosted SharePoint site. What requirement will her organization’s SharePoint users need to meet to access controlled files?

A. They will need to access the files only via local fileshares.
B. They will need to use multifactor authentication for all file access.
C. They will need to open the files using tools that support IRM.
D. They will need to request access to each file before opening it.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 43). Wiley. Kindle Edition.

Answer 98

C. They will need to open the files using tools that support IRM.

Explanation:
IRM tools require that client devices and applications support IRM or that they access files via web applications that can provide IRM controls

Question 99

Angelo is implementing a data discovery process. Which of the following steps should he begin with to help speed up the discovery process?

A. Map data to compliance requirements.
B. Extract and catalog metadata.
C. Scan for sensitive data.
D. Classify data.

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 43). Wiley. Kindle Edition.

Answer 99

B. Extract and catalog metadata.

Explanation:
Using existing metadata will help Angelo with his data discovery process, so he should start with that. Once he has the metadata processed, he can use it to speed up other cataloging efforts like scanning for sensitive data, classifying data and mapping the data to compliance requirements

Question 100

Bob has contracted with his cloud service provider to allow his organization to directly access SSDs in his environment due to specialized requirements and to certify that the drives have been physically destroyed after they are removed from use by his organization. What type of storage is Bob using?

A. Long-term
B. Raw storage
C. Ephemeral storage
D. Block storage

Chapple, Mike; Seidl, David. (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests (p. 43). Wiley. Kindle Edition.

Answer 100

B. Raw storage

Explanation:
This is an example of raw storage, which directly presents underlying hardware to users