Chapter 7 All in One Flashcards
Which of the following regulations specifies the length that financial records must be kept?
A. HIPAA
B. EU
C. SOX
D. Safe Harbor
Carter, Daniel. CCSP Certified Cloud Security Professional All-in-One Exam Guide, Third Edition (p. 318). McGraw Hill LLC. Kindle Edition.
C. SOX
Explanation:
SOX specifies how long financial records must be kept and preserved, as well as many other regulations for transparency and confidentiality protection. The EU and HIPAA guidelines are for European Union privacy protections and healthcare data protection, respectively. The Safe Harbor program is not a series of regulations, but rather a voluntary program to bridge the gap between privacy rules and the laws of the United States and Europe.
Which type of audit report would be suited for the general public to review to ensure confidence in a system or application?
A. SAS 70
B. SOC 1
C. SOC 2
D. SOC 3
D. SOC 3
Explanation:
D. SOC 3 audit reports are meant for general consumption and are to be shared with a wider and open audience. The other types of audit reports listed—SAS 70, SOC 1, and SOC 2—are all restricted-use audit reports that are only used internally, with current customers, or with regulators.
Which of the following would not be part of an audit scope statement?
A. Deliverables
B. Cost
C. Certifications
D. Exclusions
B. Cost
Explanation:
B. Cost would not be part of an audit scope statement. The audit scope statement covers the breadth and depth of the audit as well as the timing and tool sets used to conduct it. Cost is not part of the audit scope at this level, nor is it part of the planning and discussion between management and the auditors. The deliverables, exclusions, and certifications covered or required are all part of the audit scope statement.
Which of the following would be appropriate to include in an audit restriction?
A. Time when scans can be run
B. Type of device the auditors use
C. Length of audit report
D. Training of auditors
A. Time when scans can be run
Explanation:
Specifying the time when scans can be run would be appropriate for an audit restriction, so as to ensure they do not impact production operations or users. The type of devices the auditors use, the length of the final report and deliverables, and the particular training of the auditors would not be part of audit restrictions.
What is the correct sequence for audit planning?
A. Define objectives, define scope, conduct audit, lessons learned
B. Define scope, conduct audit, prepare report, remediate findings
C. Conduct audit, prepare report, remediate findings, verify remediation
D. Define objectives, conduct audit, prepare report, management approval
A. Define objectives, define scope, conduct audit, lessons learned
Explanation:
Define objectives, define scope, conduct audit, and lessons learned is the correct sequence for audit planning. The other options have either incorrect choices, choices that are really subsections of the real sections, or incorrect ordering.
Which of the following is not a domain of ISO/IEC 27001:2018?
A. Personnel
B. Systems
C. Network
D. E-mail
D. E-mail
Explanation:
E-mail is not a domain covered under ISO/IEC 27001:2013. The other options—personnel, systems, and network—are all separate and distinct domains under the standard.
Which of the following is not a specialized regulatory requirement for data?
A. HIPAA
B. FIPS 140-2
C. PCI
D. FedRAMP
B. FIPS 140-2
Explanation:
FIPS 140-2 is a certification and accreditation program for cryptographic modules, not a specialized regulatory requirement for data. HIPAA for healthcare records and systems, PCI for credit cards and financial systems, and FedRAMP for United States federal government cloud systems are all specialized regulatory requirements.
Which of the following is the best definition of “risk profile”?
A. An organization’s willingness to take risk
B. A publication with statistics on risks taken by an organization
C. A measure of risks and possibility of successful exploit
D. An audit report on an organization’s risk culture
A. An organization’s willingness to take risk
Explanation:
The “risk profile” is an organization’s willingness to take risks and how it evaluates and weighs those risks. The other choices are all incorrect with regard to what a risk profile is.
Which of the following is responsible for data content and business rules within an organization?
A. Data custodian
B. Data steward
C. Database administrator
D. Data curator
B. Data steward
Explanation:
The data steward is responsible for overseeing data content, ensuring that applicable policies are applied to access controls, and ensuring that appropriate approvals have been obtained before access is granted. Data custodian is another term for the data owner. Although the data custodian (owner) has overall responsibility for data and its protection within a system or application, the data steward is the one who handles the actual operations processes of granting access and ensuring policies are followed. The database administrator role is a technical position that does the actual administration of a database but is not responsible for setting policy or granting access to data. Data curator is an extraneous answer.
When can risk be fully mitigated?
A. After a SOC 2 audit
B. When in compliance with SOX
C. When using a private cloud
D. Never
D. Never
Explanation:
D. Risk can never be fully mitigated within any system or application. Risk can be lowered and largely mitigated, but it can never be fully mitigated, as any system with users and access will always have some degree of possible successful exploit.
Which of the following shows the correct names and order of risk ratings?
A. Minimal, Low, Moderate, High, Critical
B. Low, Moderate, High, Critical, Catastrophic
C. Mitigated, Low, Moderate, High, Critical
D. Low, Medium, Moderate, High, Critical
A. Minimal, Low, Moderate, High, Critical
Explanation:
Minimal, Low, Moderate, High, and Critical are the correct names and order of risk ratings for a system or application, based on the classification of the data and the specific threats and vulnerabilities that apply to it. The other answers are either out of order or contain invalid names for risk ratings.
Which of the following is not one of the major risk frameworks?
A. NIST
B. ENISA
C. GAPP
D. ISO/IEC 31000:2018
C. GAPP
Explanation:
The Generally Accepted Privacy Principles (GAPP) is not a major framework for risk to a system or application but is instead focused on principles of privacy risks. NIST, ENISA, and ISO/IEC 31000:2018 are all specifically focused on systems, threats, and risks facing them directly.
What does ENISA stand for?
A. European National Information Systems Administration
B. European Network and Information Security Agency
C. European Network Intrusion Security Aggregation
D. European Network and Information Secrecy Administration
B. European Network and Information Security Agency
Explanation:
ENISA stands for European Network and Information Security Agency.
Where do Russian data privacy laws allow for data on Russian citizens to reside?
A. Anywhere that conforms to Russian security policies
B. Russian or EU hosting facilities
C. Any country that was part of the Soviet Union
D. Russian data centers
D. Russian data centers
Explanation:
D. Russian law requires data on Russian citizens to be kept in Russian data centers only, based on Russian Law 526-FZ, which became effective September 1, 2015. It requires specifically that any collection, storing, or processing of personal information or data on Russian citizens must be done on systems that are physically located within the political borders of the Russian Federation.
In a cloud environment, who is responsible for collecting data in response to an eDiscovery order?
A. The cloud customer
B. The cloud provider
C. The data owner
D. The cloud customer and cloud provider
D. The cloud customer and cloud provider
Explanation: