Question 1

ALE : Annualized Loss Expectancy

Accepted Answer

ALE = SLE ARO Formula for estimation of the cost of an accepted risk in a given year -- i.e. if the accepted vulnerability is exploited by an attacker, ALE is the dollar cost estimate for the loss. The ALE equals the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). The SLE = asset value exposure factor Exposure factor describes the loss that will happen to the asset as a result of the attack (expressed as percentage value lost) -- e.g. if an assets will be wholly lost in an attack, the exposure factor is 100%... if 30% will be lost, the exposure factor is 30%, etc.

Question 2

API : Application Programming Interface

Accepted Answer

A set of functions, routines, tools, or protocols for building applications. APIs are leveraged by developers to save time and increase availability as the API offers a set of working programatic methods to build connectivity without bespoke coding. At issue for the Cloud Security Professional is that APIs are functional only and cannot be assumed to represent good security practices.

Question 3

ARO : Annualized Rate of Occurrence

Accepted Answer

An estimated number of times a threat will be successfully exploited within a year -- e.g. if two laptops are stolen each month then the ARO is 2 12 = 24 times per year. ARO is an element of the ALE calculation: ALE = SLE ARO

Question 4

auditability

Accepted Answer

The ability to properly capture, analyze, and report on any and all events that happen within a system or application, such as data access and modification, user actions and processes, controls and compliance, and regulatory and contractual compliance.

Question 5

authentication

Accepted Answer

The process of comparing credentials presented by a user, application, or service to a set of known stored values that have been previously issued or verified by the authentication system. e.g. A user is given an email address and password when provisioned to the system; later the user provides that verified and valid email address and password to the system for matching -- if these credentials match and are still valid, the user is granted access to the system.

Question 6

authorization

Accepted Answer

The process of granting or denying privileges to a system, network, or application after successful authentication has been preformed; these privileges (such as read, write, execute) are based on an approved set of constrained features enforced by a policy / rule set.

Question 7

backdoor

Accepted Answer

Backdoors can be created by developers or hackers: A backdoor is a method of accessing a system that bypasses the normal (official) authentication and authorization processes. Backdoors can be unauthorized methods that are discovered by malicious actors to get into a system, or they can be methods that are purposefully employed by developers or support staff to access systems for maintenance or other support activities.

Question 8

baseline

Accepted Answer

A baseline is a constrained configuration standard or a state in time "snap shot" for a known good system state. Baselines are often employed in change management to establish a "gold image" as in the baseline configuration of a workstation, or, as a fall back option as in "we will patch the system and fail-back to the baseline if patching causes availability issues."

Question 9

big data

Accepted Answer

Refers to the collection, processing, and analysis of data sets that are so large that traditional data processing and analysis tools are inadequate to properly handle them. The concept of 'big data' is often applied outside of this formal definition to reference predictive analysis and user analytics of data sets.

Question 10

BYOD : Bring Your Own Device

Accepted Answer

The practice of allowing employees of an organization to use their personally owned computers, phones, tablets, or other electronic resources to access the computing resources of the firm, rather than using IT provided and supported devices.

Question 11

business continuity

Accepted Answer

The capability of an organization to continue the operation of systems or applications at a predetermined level after an incident or disruption of service. Business continuity encompasses the full range of possible service disruptions and how a company can minimize, mitigate, and respond to them and keep business operations running, available, and secure. i.e. BC is a daily, operational, discipline.

Question 12

BIA : Business Impact Analysis

Accepted Answer

A structured methodology to identify and evaluate the possible risks and threats that operations or services could be impacted by, as well as the possible or likely extent of impact and disruption.

Question 13

chain of custody

Accepted Answer

The formal documentation showing the chronological control and disposition of physical or electronic evidence. This documentation includes creation, all changes of possession, and final disposition. Note that any evidence with probative value may be offered to the court -- i.e. chain of custody is not required for evidence to be admissible.

Question 14

CAB : Change Advisory Board

Accepted Answer

A group that assists the change team and change management process by evaluating, prioritizing, and approving change requests.

Question 15

change manager

Accepted Answer

An individual who ensures that the change management process is properly executed; this person also directly handles low-level tasks related to the change process.

Question 16

cloud application

Accepted Answer

An application that is never installed on a local server or desktop but is instead accessed via a network or the Internet. A cloud application merges the functionality of a local application with the accessibility of a web-based application.

Question 17

CAMP : Cloud Application Management for Platforms

Accepted Answer

Within PaaS implementation, CAMP serves as the framework and specification for managing platform services, encompassing a RESTful protocol for managing services, the model for describing and documenting the components that comprise that platform, and the language describing the overall platform, and its components and services, as well as metadata about it.

Question 18

cloud auditor

Accepted Answer

An auditor that is specifically responsible for conducting audits of cloud systems and cloud applications. The cloud auditor is responsible for assessing the effectiveness of the cloud service and identifying control deficiencies between the cloud customer and the cloud provider, as well as the cloud broker if one is used.

Question 19

cloud backup

Accepted Answer

The process of using a cloud-based backup system, with files and data being sent over the network to a public or private cloud provider for backup, rather than running traditional backup systems within a data center.

Question 20

cloud backup service provider

Accepted Answer

A public or private cloud service's organization that offers backup services to either the public or organizational clients either on a free basis or using various costing models based on either the amount of data or the number of systems.

Question 21

cloud backup solutions

Accepted Answer

Services that run within a public or private cloud offering backup solutions -- either through client-based software that does automatic or scheduled backups or through manual backups initiated by a user or system.

Question 22

cloud computing

Accepted Answer

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Five (5) essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service Three (3) service models: IaaS, PaaS, and SaaS Four (4) deployment models: community cloud, hybrid cloud, private cloud, and public cloud

Question 23

cloud computing reseller

Accepted Answer

An organization that sells and offers cloud services, and possibly cloud support services, to various organizations and works as a middleman between the cloud customer and cloud provider.

Question 24

CCM : Cloud Control Matrix

Accepted Answer

A formally published guide by the Cloud Security Alliance (CSA) that enables cloud customers to evaluate a prospective cloud provider in regard to its security posture. The CCM can also be used by cloud providers to structure its security program and services.

Question 25

cloud customer

Accepted Answer

An organization or individual that utilizes and consumes resources and services from a cloud provider. This can be in the form of free public services and systems or private and fee-based applications or solutions.

Question 26

cloud data portability

Accepted Answer

The ability to move data between cloud providers.

Question 27

cloud database

Accepted Answer

A database that is installed in a cloud environment and accessed via the network or the Internet by a user or application. Because the database is being installed in a cloud environment instead of a typical server environment, elasticity, scalability, and high availability can be achieved and maximized.

Question 28

cloud deployment model

Accepted Answer

The cloud deployment models are public, private, hybrid, and community; these describe how the cloud service is delivered through a set of particular configurations and virtual resources.

Question 29

cloud enablement

Accepted Answer

The creation of a public cloud environment through the offering of services or infrastructure.

Question 30

cloud management

Accepted Answer

The oversight and operations management of a cloud environment by the cloud service provider, whether it is a public or private cloud environment.

Question 31

cloud migration

Accepted Answer

The process of moving services, systems, applications, or data from a traditional data-center hosting model into a cloud environment.

Question 32

cloud OS

Accepted Answer

Typically used to denote an operating system (OS) in a Platform as a Service (PaaS) implementation and to signify that the implementation is within a cloud environment.

Question 33

cloud provider

Accepted Answer

A service provider that makes storage or software applications available via the Internet or private networks to customers. Since they are offered as a service, the platform and underlying software, as well as operations and security systems, are maintained by the provider and abstracted from the customer.

Question 34

cloud provisioning

Accepted Answer

The process of allocating cloud resources from the cloud provider to the cloud customers based on specific requests and requirements of the customers as far as the number of virtual machines and their specific computing resources.

Question 35

CSA : Cloud Security Alliance

Accepted Answer

The most prominent and well-known organization to raise awareness of best practices for security within a cloud environment.

Question 36

cloud server hosting

Accepted Answer

The hosting and location of servers within a virtualized cloud environment, rather than the virtual or physical hosting that's done in a traditional data center.

Question 37

cloud service

Accepted Answer

Capabilities offered via a cloud provider and accessible via a client.

Question 38

cloud service broker

Accepted Answer

A partner that serves an an intermediary between a cloud service customer and cloud service provider.

Question 39

cloud service category

Accepted Answer

A group of cloud services that have a common set of features or qualities.

Question 40

cloud service partner

Accepted Answer

One that holds a relationship with either a cloud service provider or a cloud service customer to assist with cloud services and their delivery.

Question 41

cloud service user

Accepted Answer

One that interacts with and consumes services offered by a cloud service provider.

Question 42

cloud testing

Accepted Answer

The testing of systems, services, or applications by leveraging cloud platforms and resources to simulate the size and scale of real-world traffic and users.

Question 43

Common Criteria

Accepted Answer

A set of international guidelines and specifications for the evaluation of IT security resources to ensure those resources meet an agreed-upon set of security standards. The Common Criteria for Information Technology Security Evaluation is formalized as an international standard in ISO/IEC 15408.

Question 44

community cloud

Accepted Answer

A cloud infrastructure provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (for example, mission, security requirements, policy, or compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of these, and it may exist on or off premises.

Question 45

configuration management

Accepted Answer

Establishing a controlled means of consistency throughout a system's lifecycle, based on its requirements and technical specifications to properly ensure configuration controls, performance standards, and design requirements.

Question 46

container

Accepted Answer

A software package that contains all of the code, configurations, and libraries needed for an application to operate, packaged inside a single unit.

Question 47

XSS : cross-site scripting

Accepted Answer

A web application vulnerability that allows an attacker to inject client-side scripts into web pages that are then viewed and executed by other users. The goal of XSS from an attacker's perspective is to bypass the security controls of an application, such as an access control with a same-origin policy.

Question 48

DAR : Data at Rest

Accepted Answer

Data that resides on a system in persistent storage, such as disks, tapes, databases, or any other type of storage device.

Question 49

data dispersion

Accepted Answer

The feature of cloud storage where data is spread across data centers or wide geographic areas for redundancy and speed. The degree of dispersion is typically based on the needs of the application and the level of service procured by the cloud customer.

Question 50

DIT : Data in Transit

Accepted Answer

Data that flows over a networked connection -- either through public unsecured networks or internal protected corporate networks.

Question 51

DIU : Data in Use

Accepted Answer

Data within a system or application that is currently being processed or is in use -- either through the computing resources or residing in memory.

Question 52

DLP : Data Loss Prevention

Accepted Answer

An overall strategy and process for ensuring that users cannot send sensitive or protected information outside of networks or systems that are secured and protected. This can be related to the intentional attempt by users to transfer such information, but it also applies to preventing the accidental sending or leaking of data.

Question 53

data portability

Accepted Answer

The ability to easily move data from one system to another without having to re-enter it.

Question 54

DoS : Denial-of-Service attack

Accepted Answer

An attempt to make computing resources or a network unavailable to its intended users by denying legitimate traffic access totally or by degrading performance to unacceptable levels.

Question 55

direct identifiers

Accepted Answer

Information that specifically applies to a unique individual, such as name, address, phone number, e-mail address, or unique identifying numbers or codes.

Question 56

DRS : Distributed Resource Scheduler

Accepted Answer

A utility from VMware that balances computing demands and available resources within the virtualized environment.

Question 57

DAST : Dynamic Application Security Testing

Accepted Answer

The testing of an application while it is in an operational state with currently running systems, applications, and networks.

Question 58

DO : Dynamic Optimization

Accepted Answer

The process of moving and reallocating virtual machines and resources within a cluster environment to maintain optimal performance with balanced and distributed resource utilization.

Question 59

eDiscovery

Accepted Answer

The process of discovering and securing electronic data for use in criminal or civil legal cases.

Question 60

encryption

Accepted Answer

The process of encoding and securing data so that only authorized parties in possession of the correct information, credentials, or keys can access it.

Question 61

enterprise application

Accepted Answer

An application that runs on a large and distributed scale and is deemed mission critical to a company or an organization.

Question 62

enterprise cloud backup

Accepted Answer

A cloud-based backup and recovery service similar to those offered for personal use but scaled and focused on large-scale and organizational-level services.

Brainscape's Knowledge GenomeTM

CCSP Vocabulary Flashcards

Brainscape's Knowledge Genome^TM