Certified Cloud Security Professional Study Guide Chapter 6 Review Questions (Ben Malisow) Flashcards
What is the cloud service model in which the customer is responsible for administration of the OS?
A. IaaS
B. PaaS
C. SaaS
D. QaaS
A. IaaS
Explanation:
In IaaS, the cloud provider only owns the hardware and supplies the utilities.
The customer is responsible for the OS, programs, and data.
In PaaS and SaaS, the provider also owns the OS. There is no QaaS.
To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except _______
A. Access to audit logs and performance data
B. SIM, SIEM, and SEM logs
C. DLP solution results
D. Security control administration
D. Security control administration
Explanation:
While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer
In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?
A. Statutes
B. The contract
C. Security control matrix
D. HIPAA
B. The contract
Explanation:
The contract between the provider and the customer enhances the customer's trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures).
Statutes, however, largely leave customers liable.
The security control matrix is a tool for ensuring compliance with regulations.
HIPAA is a statute.
Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?
A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3
D. SOC 3
Explanation:
The SOC 3 is the least detailed, so the provider is not concerned about revealing it.
The SOC 1 Types 1 and 2 are about financial reporting, and not relevant.
The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider
Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it without additional protections?
A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3
B. SOC 2 Type 2
Explanation:
The SOC 3 is the least detailed, so the provider is not concerned about revealing it.
The SOC 1 Types 1 and 2 are about financial reporting and not relevant.
The SOC 2 Type 2 is much more detailed and will most likely be held closely by the provider.
The auditor should not ________
A. Review documents
B. Physically visit the business location
C. Perform system scans
D. Deliver consulting services
D. Deliver consulting services
Explanation:
The auditor should be impartial to the success of the target organization; consulting creates a conflict of interest
Hardening the operating system refers to all of the following except ______
A. Limiting administrator access
B. Removing anti-malware agents
C. Closing unused ports
D. Removing unnecessary services and libraries
B. Removing anti-malware agents
Explanation:
Hardening the operating system means making it more secure.
Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure.
Removing anti-malware agents, however, would actually make the system less secure.
If anything, anti-malware agents should be added, not removed, as part of the hardening process.
The cloud customer's trust in the cloud provider can be enhanced by all of the following except ______
A. Audits
B. Shared administration
C. Real-time environmental controls
D. SLAs
C. Real-time environmental controls
Explanation:
Real-time environmental controls will not provide meaningful information and will not enhance trust.
All the others will and do.
User access to the cloud environment can be administered in all of the following ways except: _______
A. Customer directly administers access
B. Customer provides administration on behalf of the provider
C. Provider provides administration on behalf of the customer
D. Third party provides confirmation on behalf of the customer
B. Customer provides administration on behalf of the provider
Explanation:
The customer does not administer on behalf of the provider.
All the rest are possible options.
Which kind of SSAE audit reviews the organization's controls for assuring the confidentiality, integrity, and availability of data?
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
B. SOC 2
Explanation:
The SOC 2 deals with the CIA triad.
SOC 1 is for financial reporting.
SOC 3 is only an attestation by the auditor.
There is no SOC 4.
Which kind of SSAE report provides only an attestation by a certified auditor?
A. SOC 1
B. SOC 2
C. SOC 3
D. SOC 4
C. SOC 3
Explanation:
SOC 2 deals with the CIA triad.
SOC 1 is for financial reporting.
SOC 3 is only an attestation by the auditor.
There is no SOC 4.
Which of the following is a cloud provider likely to provide its customers in order to enhance the customer's trust in the provider?
A. Site visit access
B. Financial reports to shareholders
C. Audit and performance log data
D. Backend administrative access
C. Audit and performance log data
Explanation:
The provider may share audit and performance log data with the customer.
The provider will most likely not share A and D since they reveal too much information about the provider's security program.
B is already public information and does not enhance trust.
In all cloud models, the customer will be given access and ability to modify which of the following?
A. Data
B. Security controls
C. User Permissions
D. OS
A. Data
Explanation:
The customer always owns the data and will therefore always have access to it.
The customer will never have administrative access to the provider's security controls, regardless of the model.
The customer may or may not have administrative control over user permissions.
The customer only has administrative power over the OS in an IaaS model.
In all cloud models, security controls are driven by which of the following?
A. Virtualization Engine
B. Hypervisor
C. SLAs
D. Business Requirements
D. Business Requirements
Explanation:
Security is always contingent on business drivers and beholden to operational needs.
The virtualization engine does not dictate security controls, and the hypervisor may vary (depending on its type and implementation).
The SLAs do not drive security controls; they drive performance goals.
In all cloud models, the _______ will retain ultimate liability and responsibility for any data loss or disclosure
A. Vendor
B. Customer
C. State
D. Administrator
B. Customer
Explanation:
The customer currently always retains legal liability for data loss, even if the provider was negligent or malicious.