Certified Cloud Security Professional Study Guide Chapter 11 Review Questions (Ben Masilow) Flashcards

1
Q

What is the lowest level of the CSA Star program?

A. Continuous Monitoring
B. Self-Assessment
C. Hybridization
D. Attestation

A

B. Self-Assessment

Explanation:
The lowest level is Level 1, which is self-assessment.
Level 2 is an external third-party attestation, and Level 3 is a continuous-monitoring program.
Hybridization does not exist as part of the CSA STAR program.

2
Q

Which of the following is a valid risk management metric?

A. CSA
B. KRI
C. SLA
D. SOC

A

B. KRI

Explanation:
KRI stands for key risk indicator.
KRIs help the organization identify and recognize changes to risk.

3
Q

Which of the following frameworks focuses specifically on the design, implementation, and oversight of risk management?

A. ISO 31000:2018
B. HIPAA
C. ISO 27017
D. NIST 800-92

A

A. ISO 31000:2018

Explanation:
ISO 31000:2018 specifically focuses on design, implementation, and management.
HIPAA refers to health care regulations, NIST 800-92 is about log management, and ISO 27017 is about cloud-specific security controls.

4
Q

Which of the following identifies the top eight security risks based on likelihood and impact?

A. NIST 800-53
B. ISO 27000
C. ENISA
D. COBIT

A

C. ENISA

Explanation:
ENISA specifically identifies the top eight security risks based on likelihood and impact.

5
Q

The CSA STAR Program consists of three levels.

Which of the following is not one of the CSA STAR levels?

A. Self-assessment
B. Third party assessment-based certification
C. SOC 2 Audit Certification
D. Continuous monitoring-based certification

A

C. SOC 2 Audit Certification

Explanation:
The SOC 2 report is not a part of the CSA STAR program.
It is a totally different audit reporting standard, developed by the AICPA.

6
Q

Which ISO standard refers to addressing security risks in a supply chain?

A. ISO 27001
B. ISO/IEC 28000:2007
C. ISO 9000
D. ISO 31000:2018

A

B. ISO/IEC 28000:2007

Explanation:
ISO/IEC 28000:2007 specifically applies to security controls in supply chains.
The others address other matters.

7
Q

Which of the following is not a risk management framework?

A. NIST SP 800-37
B. ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
C. Key Risk Indicators (KRI)
D. ISO 31000:2018

A

C. Key Risk Indicators (KRI)

Explanation:
Key risk indicators are useful, but they are not a framework.
ISO 31000:2018 is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices.
NIST SP 800-37 is the Guide for Implementing the Risk Management Framework (RMF), a methodology for handling all organizational risk in a holistic, comprehensive, and continual manner.
The European Union Agency for Network and Information Security (ENISA) Cloud Computing: Benefits, Risks, and Recommendations for Information Security identifies the top eight cloud security risks.

8
Q

What is an impossible level of risk?

A. Condition Alpha
B. Maximum
C. Reduced
D. Zero

A

D. Zero

Explanation:
There is no such thing as zero risk.
All the other answers are distractors.

9
Q

Which of the following is not a part of ENISA’s top eight security risks of cloud computing?

A. Vendor lock-in
B. Isolation failure
C. Insecure or incomplete data deletion
D. Availability

A

D. Availability

Explanation:
ENISA’s top eight security risks of cloud computing do not include availability, even though it is certainly a risk that could be realized.

10
Q

Which of the following is a risk management option that halts a business function?

A. Mitigation
B. Acceptance
C. Transference
D. Avoidance

A

D. Avoidance

Explanation:
Avoidance halts the business process, mitigation entails using controls to reduce risk, acceptance involves taking on the risk, and transference usually involves insurance.

11
Q

Which of the following best describes a cloud carrier?

A. A person or entity responsible for making a cloud service available to consumers
B. The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers
C. The person or entity responsible for keeping cloud services running for customers
D. The person or entity responsible for transporting data across the Internet

A

B. The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers

Explanation:
A cloud carrier is the intermediary who provides connectivity and transport of cloud services between cloud providers and cloud customers.

12
Q

Which of the following methods of addressing risk is most associated with insurance?

A. Transference
B. Avoidance
C. Acceptance
D. Mitigation

A

A. Transference

Explanation:
Transference usually involves insurance.
Avoidance halts the business process, acceptance involves taking on the risk, and mitigation entails using controls to reduce risk.

13
Q

Which of the following components is part of what a CCSP should review when looking at contracting with a cloud service provider?

A. The physical layout of the data center
B. Background checks for the provider's personnel
C. Use of subcontractors
D. Redundant uplink grafts

A

C. Use of subcontractors

Explanation:
The use of subcontractors can add risk to the supply chain and should be considered; determining how much you can trust the provider's management of their vendors and suppliers (including subcontractors) is not important.
Conversely, the customer is not likely to be allowed to review the physical design of the data center (or, indeed, even know the exact location of the data center) or the personnel security specifics for the provider's staff.
"Redundant uplink grafts" is a nonsense term used as a distractor.

14
Q

The difference between KPIs and KRIs is which of the following?

A. KPIs no longer exist, having been replaced by KRIs
B. KRIs no longer exist, having been replaced by KPIs
C. KRIs are forward looking, while KPIs are backward looking
D. There is no difference between KPIs and KRIs

A

C. KRIs are forward looking, while KPIs are backward looking

Explanation:
Key risk indicators (KRIs) try to predict future risk, while key performance indicators (KPIs) examine events that have already happened.
The other answers are just distractors.

15
Q

Which of the following is not a way to manage risk?

A. Enveloping
B. Mitigating
C. Accepting
D. Transferring

A

A. Enveloping

Explanation:
Enveloping is a nonsense term, unrelated to risk management.
The rest are valid ways to manage risk.

16
Q

Which of the following is not a risk management framework?

A. Hex GBL
B. COBIT
C. NIST SP 800-37
D. ISO 31000:2019

A

A. Hex GBL

Explanation:
Hex GBL is a reference to a computer part in Terry Pratchett's fictional Discworld universe.
The rest are risk management frameworks.

17
Q

Which of the following is not appropriate to include in an SLA?

A. The number of user accounts allowed during a specified period
B. Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status
C. The amount of data allowed to be transmitted and received between the cloud provider and customer
D. The availability requirements for a given period

A

B. Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status

Explanation:
Roles and responsibilities should be included in the contract, not the SLA; a good method to determine whether something might belong in the SLA at all is figuring out whether a numerical value is associated with it. In this case, the element involves names and offices (roles), not numerical values, so it's immediately recognizable as something that isn't appropriate for the SLA.
Options A, C, and D are explicitly defined by exact numbers that describe recurring events/circumstances and are just the sort of elements that belong in the SLA.

18
Q

What is the Cloud Security Alliance Cloud Controls Matrix (CCM)?

A. An inventory of cloud service security controls that are arranged into separate security domains
B. An inventory of cloud services security controls that are arranged into a hierarchy of security domains
C. A set of regulatory requirements for cloud service providers
D. A set of software development lifecycle requirements for cloud service providers

A

A. An inventory of cloud service security controls that are arranged into separate security domains

Explanation:
The CSA CCM is an inventory of cloud service security controls that are arranged into separate security domains, not a hierarchy.

19
Q

Which of the following is not one of the types of controls?

A. Transitional
B. Administrative
C. Technical
D. Physical

A

A. Transitional

Explanation:
Transitional is not a term we associate with types of controls; the rest are.

20
Q

Which of the following is not an example of an essential internal stakeholder?

A. IT Analyst
B. IT Director
C. CFO
D. HR Director

A

A. IT Analyst

Explanation:
An IT analyst is generally not in a high enough position to be able to provide quality information to other stakeholders.
However, the IT director would be in such a position, as would the others.