Chapter 7 Practice Exam 1 (Ben Malisow) Flashcards

1
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. What is the term for this kind of arrangement?

A. Public-key infrastructure (PKI)
B. Portability
C. Federation
D. Repudiation

A

C. Federation

Explanation:
This is the definition of federation.
PKI is used to establish trust between parties across an untrusted medium; portability is the characteristic describing the likelihood of being able to move data away from one cloud provider to another; and repudiation is when a party to a transaction can deny having taken part in that transaction.

2
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. You want to connect your organization to 13 other organizations. You consider using the cross-certification model but then decide against it. What is the most likely reason for declining that option?

A. It is impossible to trust more than two organizations.
B. If you work for the government, the maximum parties allowed to share data is five.
C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.
D. Data shared among that many entities loses its inherent value.

A

C. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.

Explanation:
In the cross-certification model, every participating organization has to review and approve every other organization; this does not scale well, and once the number of organizations gets fairly substantial, it becomes unwieldy.

Option A is incorrect because it is possible to trust more than two organizations.

Option B is not true.
There is no law/rule that limits the government to sharing data with five or fewer parties.

Option D is incorrect.
Sharing data does not automatically affect the value of the data.

3
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. In order to pass the user IDs and authenticating credentials of each user among the organizations, what protocol, language, or technique will you most likely utilize?

A. Representational State Transfer (REST)
B. Security Assertion Markup Language (SAML)
C. Simple Object Access Protocol (SOAP)
D. Hypertext Markup Language (HTML)

A

B. Security Assertion Markup Language (SAML)

Explanation:
SAML 2.0 is currently the standard used to pass security assertions across the Internet.
REST and SOAP are ways of presenting data and executing operations on the Internet, and HTML is a way of displaying web pages.

4
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you don’t use cross-certification, what other model can you implement for this purpose?

A. Third-party identity broker
B. Cloud reseller
C. Intractable nuanced variance
D. Mandatory access control (MAC)

A

A. Third-party identity broker

Explanation:
A third-party identity broker can serve the purpose of checking and approving all participants in the federation so that the participants don't have to perform that task.
A cloud reseller is an entity that sells cloud services without maintaining its own data center.
Option C is gibberish.
MAC is used to define access relations between subjects and objects.

5
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you are in the United States, one of the standards you should adhere to is _______________.

A. National Institute of Standards and Technology (NIST) 800-53
B. Payment Card Industry (PCI)
C. ISO 27014
D. European Union Agency for Network and Information Security (ENISA)

A

A. National Institute of Standards and Technology (NIST) 800-53

Explanation:
NIST Special Publication 800-53 pertains to US federal information systems, guiding the selection of controls according to the Risk Management Framework.
PCI is a contractual standard for commercial entities that take credit card payments, not applicable to the government.
ENISA publishes a European standard, which is also not applicable to the United States.
ISO is not required for government systems in the US.

6
Q

You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources. If you are in Canada, one of the standards you will have to adhere to is _______________.

A. FIPS 140-2
B. PIPEDA
C. HIPAA
D. EFTA

A

B. PIPEDA

Explanation:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing protection of personal information.
The Federal Information Processing Standard (FIPS) 140-2 standard certifies cryptologic components for use by American federal government entities.
The Health Information Portability and Accountability Act (HIPAA) is an American law regulating patient information for medical providers.
The European Free Trade Association (EFTA) is not a standard; it is a group of European countries.

7
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which of the following benefits will the CSA CCM offer your organization?

A. Simplifying regulatory compliance
B. Collecting multiple data streams from your log files
C. Ensuring that the baseline configuration is applied to all systems
D. Enforcing contract terms between your organization and the cloud provider

A

A. Simplifying regulatory compliance

Explanation:
The CSA CCM will aid you in selecting and implementing appropriate controls for various regulatory frameworks.
The CCM does not aid in collecting log files; that is the function of a security information and event management (SIEM), search engine marketing (SEM), or security information management (SIM) tool.
The CCM will not help ensure that the baseline is applied to systems; automated configuration tools are available for that purpose. (Although this might be interpreted as desirable, the CCM will help you select appropriate controls for your baseline, but it won't check to see whether those are applied.)
Contract terms are not enforced by the CCM; the service-level agreement (SLA) should be the mechanism for that task.

8
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.
Which of the following regulatory frameworks is not covered by the CCM?

A. ISACA’s Control Objectives for Information and Related Technologies (COBIT)
B. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) privacy law
C. The ALL-TRUST framework from the environmental industry
D. The U.S. Federal Risk and Authorization Management Program (FedRAMP)

A

C. The ALL-TRUST framework from the environmental industry

Explanation:
Option C is a nonsense term made up as a distractor.
All the other frameworks are addressed in the CCM.

9
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. Which tool, also available from the CSA, can be used in conjunction with the CCM to aid you in selecting and applying the proper controls to meet your organization’s regulatory needs?

A. The Consensus Assessments Initiative Questionnaire (CAIQ)
B. The Open Web Application Security Project (OWASP) Top Ten
C. The Critical Security Controls (CSC) list
D. National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2

A

A. The Consensus Assessments Initiative Questionnaire (CAIQ)

Explanation:
The CAIQ is a self-administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls.
The OWASP Top Ten is used to indicate trends in poor design of web applications.
The CSC may be a useful tool for choosing and implementing appropriate controls, but it comes from the Center for Internet Security (CIS), not the CSA.
The FIPS 140-2 lists only approved cryptographic tools and is published by NIST.

10
Q

You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. What is probably the best benefit offered by the CCM?

A. The low cost of the tool
B. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort
C. Simplicity of control selection from the list of approved choices
D. Ease of implementation by choosing controls from the list of qualified vendors

A

B. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort

Explanation:
The CCM allows you to note where specific controls (some of which you might already have in place) will address requirements listed in multiple regulatory and contractual standards, laws, and guides.
Option A is a misnomer because the CCM is free of charge.
Options C and D are incorrect because the CCM does not list either specific controls or vendors.

11
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective is set up in such a way that the members own various pieces of the network themselves, pool resources and data, and communicate and share files via the Internet. This is an example of what cloud model?

A. Hydrogenous
B. Private
C. Public
D. Community

A

D. Community

Explanation:
This is a community cloud, because various parties own different elements of it for a common purpose.
A private cloud would typically be owned by a single entity, hosted at a cloud provider data center.
A public cloud would be open to anyone and everyone.
Hydrogenous is a word that does not have relevant meaning in this context.

12
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective wants to create a single sign-on experience for all members of the collective, where assurance and trust in the various members are created by having each member review all the others’ policies, governance, procedures, and controls before allowing them to participate. This is an example of what kind of arrangement?

A. Security Assertion Markup Language (SAML)
B. Cross-certification federation
C. Third-party certification federation
D. JavaScript Object Notation (JSON)

A

B. Cross-certification federation

Explanation:
The cross-certification model of federated identity requires all participants to review and confirm all the others.
SAML is the format most used for identity assertions in a federated environment.
JSON is a communications format for exchanging objects online.

13
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective exchanges music files in two forms: images of written sheet music and electronic copies of recordings. Both of these are protected by what intellectual property legal construct?

A. Trademark
B. Copyright
C. Patent
D. Trade Secret

A

B. Copyright

Explanation:
A copyright protects expressions of ideas, usually creative expression.
Music, whether written or recorded, falls into this category.
Trademarks are for data that is associated with a brand of a company.
Patents are usually for processes or inventions.
Trade secrets are business elements kept from public disclosure; music would not usually fit into this category, as its value is derived from its distribution in the marketplace.

14
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the participants in the collective using a third-party certification model, who would be the federated service provider(s) in that structure?

A. The third party
B. A cloud access security broker (CASB)
C. The various members of the collective
D. The cloud provider

A

C. The various members of the collective

Explanation:
In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers.
In a third-party certification model, the third party is the identity provider; this is often a CASB.
The cloud provider is neither a federated identity provider nor a federated service provider, unless the cloud provider is specifically chosen as the third party providing this function; in this question, option C is more general and requires no assumptions, so it is the correct choice.

15
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. You are fairly certain the complaint is not applicable and that the material in question does not belong to anyone else. What should you do in order to comply with the law?

A. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded.
B. Leave the material up, do an investigation, and post the results of the investigation alongside the material itself once the investigation is complete.
C. Ignore the complaint.
D. Leave the material up until such time as the complainant delivers an enforceable governmental request, such as a warrant or subpoena.

A

A. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded.

Explanation:
This is the correct process, according to the law.
The rest are not proper procedures for complying with the law and are therefore incorrect and inadvisable.

16
Q

You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. Upon investigation, you determine that the material in question is the sheet music for a concerto written in 1872. What should you do in order to comply with the law?

A. Contact the current owners of the copyright in order to get proper permissions to host and exchange the data.
B. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit.
C. Apply for a new copyright based on the new usage of the material.
D. Offer to pay the complainant for the usage of the material.

A

B. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit.

Explanation:
Copyrights expire after a certain duration and then fall into the public domain, where they can be used by anyone for any purpose.
This material certainly exceeds the time of any copyright protection.
All other options are invalid.

17
Q

Bob is designing a data center to support his organization, a financial services firm. What Uptime Institute tier rating should Bob try to attain in order to meet his company’s needs without adding extraneous costs?

A. 1
B. 2
C. 3
D. 4

A

C. 3

Explanation:
Tier 3 should probably suffice for Bob's purposes, providing sufficient redundancy and resiliency.
Tier 4 probably offers more than what Bob needs; it will cost considerably more than a Tier 3 implementation and is most likely only necessary for organizations providing health and human services (hospitals and trauma centers, for instance).
Tiers 1 and 2 are probably not sufficient and might only be considered for non-constant situations, such as archiving and backup.

18
Q

Bob is designing a data center to support his organization, a financial services firm. Bob’s data center will have to be approved by regulators using a framework under which law?

A. Health Industry Portability and Accountability Act (HIPAA)
B. Payment Card Industry (PCI)
C. Gramm–Leach–Bliley Act (GLBA)
D. Sarbanes–Oxley Act (SOX)

A

C. Gramm–Leach–Bliley Act (GLBA)

Explanation:
GLBA mandates requirements for securing personal account information in the financial and insurance industries; Bob's company provides financial services, so he will definitely need to comply with GLBA.
If Bob's company is publicly traded, he may have to comply with SOX, but we do not know enough about Bob's company from the question to choose that answer.
HIPAA is a requirement for only medical providers and their business associates.
PCI is not law.

19
Q

Bob is designing a data center to support his organization, a financial services firm. Which of the following actions would best enhance Bob’s efforts to create redundancy and resiliency in the data center?

A. Ensure that all entrances are secured with biometric-based locks.
B. Purchase uninterruptible power supplies (UPSs) from different vendors.
C. Include financial background checks in all personnel reviews for administrators.
D. Make sure all raised floors have at least 24 inches of clearance.

A

B. Purchase uninterruptible power supplies (UPSs) from different vendors.

Explanation:
Using different vendors for multiple systems of the same type adds not only redundancy but also resiliency; if one product has an inherent manufacturing flaw, the other should not, if it comes from a different producer.
The other suggestions are all suitable but do not offer redundancy or resiliency.

20
Q

Bob is designing a data center to support his organization, a financial services firm. How long should the uninterruptible power supply (UPS) provide power to the systems in the data center?

A. 12 hours
B. An hour
C. 10 minutes
D. Long enough to perform graceful shutdown of the data center systems

A

D. Long enough to perform graceful shutdown of the data center systems

Explanation:
Traditionally, it would be optimum if the UPS lasted as long as necessary until the generator is able to resume providing the electrical load that was previously handled by utility power.
However, the absolute baseline for battery power is just long enough for all systems to complete their transactions without losing data.

The other options are incorrect, because they use finite, specific durations; there is no single value that is optimum for all organizations.

21
Q

You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a _______________.

A. Functional requirement
B. Nonfunctional requirement
C. Regulatory issue
D. Third-party function

A

B. Nonfunctional requirement

Explanation:
It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering; you are delivering entertainment, which is the primary goal. Security is therefore a nonfunctional requirement.

If you were creating security products, security would be a functional requirement; games are not security products.
A game with security flaws is still a game and fulfills the purpose.
Option A is therefore incorrect (although this is hotly debated among IT security personnel; remember, the game can exist without a security department, but the security department couldn’t exist without games).
Thus far, regulations have not imposed particular security conditions on delivered products by statute.
This does not obviate all liability from shipping defective products, of course; the need for due care and due diligence remains.
However, this is a much lower threshold than direct statutory guidance, which exists in fields other than software development (to date).
Option C is incorrect.

Outsourcing may or may not be used when performing software security reviews; there is not enough information in the question to determine which method your company uses, so option D is too specific for the vague data provided.

22
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of _______________.

A. Static testing
B. Dynamic testing
C. Code review
D. Open source review

A

B. Dynamic testing

Explanation:
Testing the product in a runtime context is dynamic testing.
Because this is being done at runtime, it is neither code review nor static testing; options A and C are incorrect.

Using a small pool of specified individuals is not truly open source, which would involve releasing the game to the public.

Option D is incorrect.

23
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. To optimize this situation, the test will need to involve _______________.

A. Management oversight
B. A database administrator
C. A trained moderator
D. Members of the security team

A

C. A trained moderator

Explanation:
The moderator will serve to guide the experience in an objective, dispassionate manner, without influencing the test, as well as help document the outcomes.

Having managers in attendance would present a form of unnecessary micromanagement; option A is wrong.

There is no need for a database administrator (DBA) to be involved in the test; option B is wrong.

The security team should use the data gathered from the test, but they do not need to be present for the testing; option D is incorrect.

24
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Of the parties listed, who should most be excluded from the test?

A. Management
B. Security personnel
C. Billing department representatives
D. The game developers

A

D. The game developers

Explanation:
It is absolutely essential that the developers are not present during the actual testing, as they are likely to influence the test unduly, purposefully or otherwise.

The other parties do not need to participate in the testing process but are not as undesirable as the developers; all the other options are incorrect.

25
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. It is absolutely crucial to include _______________ as part of this process.

A. Managerial oversight
B. Signed nondisclosure agreements
C. Health benefits
D. The programming team

A

B. Signed nondisclosure agreements

Explanation:
Having the test participants provide signed nondisclosure agreements is an absolutely essential part of this process; they will be exposed to proprietary material and need to be held accountable for any disclosures they might make.

Managerial oversight is not at all necessary at this level of development and would actually be a form of micromanagement; option A is incorrect.

Health benefits are in no way appropriate for temporary, unpaid testers; option C is only a distractor.

Programmers should be prevented from participating in testing, as they have inherent bias and may unduly influence the results.

26
Q

You are the IT security manager for a video game software development company. Which of the following is most likely to be your primary concern on a daily basis?

A. Health and human safety
B. Security flaws in your products
C. Security flaws in your organization
D. Regulatory compliance

A

C. Security flaws in your organization

Explanation:
The most grave concern to your company is the loss of proprietary information, that is, your games, which are your property and means of profit.

Security flaws in your organization could lead to a total loss of your property, which could end your business.

This is one of the very few questions where health and human safety is not the correct answer to a security issue; there just isn't much danger involved in either producing or consuming video games (aside from dated, anecdotal reports of seizures resulting from flashing images, which lacked scientific substantiation).
Though this will be something you must consider (such as workplace violence issues), it will not be a daily activity.

Security flaws in your products will most likely not be critical or of grave impact; people who hack your game after shipping may be able to include additional functionality or violate some elements of copy protection, but this is not as threatening as pre-release exposure of the material.

Current laws do not dictate much in the way of either content or functionality for software (other than in very specific industries, such as health care or financial services).

27
Q

You are the IT security manager for a video game software development company. Which type of intellectual property protection will your company likely rely upon for legally enforcing your rights?

A. Trademark
B. Patent
C. Copyright
D. Trade secret

A

C. Copyright

Explanation:
Software is protected by copyright.
All the other options are forms of intellectual property protection but not applicable to software for the most part (trademarked names and characters may be important, but not as important as the copyright).

28
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Results gathered from this activity are _______________.

A. Useless
B. Harmful
C. Desirable
D. Illegal

A

C. Desirable

Explanation:
This is a very pragmatic and helpful means of gathering inputs that are unpredictable and difficult to simulate and that mimic conditions under which the software will operate.

All the other options are incorrect.

29
Q

You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Trying to replicate this phenomenon in a testbed environment with internal testing mechanisms is called _______________.

A. Source code review
B. Deep testing
C. Fuzz testing
D. White-box testing

A

C. Fuzz testing

Explanation:
Fuzz testing is the term used to describe the use of known bad or randomized inputs to determine what unintended results may occur

Source code review, just like it sounds, is a review of the actual program code; option A is incorrect

Deep testing is a made-up term; option B is incorrect

White-box testing is a term used to describe a form of code review; option D is incorrect

30
Q

You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following methods could be used to determine if your ownership rights were violated?

A. Physical surveillance of their property and personnel
B. Communications tapping of their offices
C. Code signing
D. Subverting insiders

A

C. Code signing

Explanation:
Digitally signing software code is an excellent method for determining original ownership and has proven effective in major intellectual property rights disputes

All the other options represent solutions that not only lack efficacy but are also often illegal

31
Q

You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following legal methods are you likely able to exercise to defend your rights?

A. Criminal prosecution
B. Public hearings
C. Civil court
D. Arrest and detention

A

C. Civil court

Explanation:
Enforcement of copyright is usually a tortious civil action, as a conflict between private parties

Only crimes involve arrest, detention and prosecution; most copyright cases such as this would not be tried as a crime, and the government would not be involved (other than in the form of the judge/court)

Options A and D are incorrect

Public hearings are not used to gain restitution for harmful acts; option B is incorrect

32
Q

You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You suggest that a(n) _______________ service model will best meet this requirement.

A. IaaS
B. PaaS
C. SaaS
D. TaaS

A

B. PaaS

Explanation:
A platform as a service (PaaS) environment will likely provide the best option for testing the game; the provider will offer various OS platforms for the game to run on, giving your company the opportunity to reach as many customers (using various platforms) as possible, raising your potential for market penetration

Although infrastructure as a service (IaaS) is not a terrible option and would give your team additional control of the entire test, it would also require the team to duplicate many platforms and OSs, requiring a much greater level of effort and additional expertise at what would likely be a much greater cost
Option B is preferable to option A

A software as a service (SaaS) model will not allow your team to install and run the game; option C is incorrect

33
Q

You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You remind them that it is absolutely crucial that they perform _______________ before including any sample player or billing data.

A. Vulnerability scans
B. Intrusion detection
C. Masking
D. Malware scans

A

C. Masking

Explanation:
To attenuate the risks of inadvertent disclosure inherent in untested software, it is essential to obfuscate any raw production data (such as potential personally identifiable information (PII)) before including it in any test environment

The other options represent activity that is obviously beneficial but secondary to the importance of masking production data.

Think of it this way: even if there is a vulnerability, breach, or malware in the test environment, if raw data is included something of value is lost; if dummy or masked data is the only content included, nothing of value is lost.

34
Q

Which of the following is not an essential element defining cloud computing?

A. Broad network access
B. Metered service
C. Off-site storage
D. On-demand self-service

A

C. Off-site storage

Explanation:
Off-site storage is not intrinsic to the definition of cloud computing; all the other options are.

35
Q

Which of the following is not an essential element defining cloud computing?

A. Rapid elasticity
B. Pooled resources
C. On-demand self-service
D. Immediate customer support

A

D. Immediate customer support

Explanation:
Immediate customer support may be an option offered by some cloud providers, but it is not a defining characteristic of the industry.
All the other options are.

36
Q

In what cloud computing service model is the customer responsible for installing and maintaining the operating system?

A. IaaS
B. PaaS
C. SaaS
D. QaaS

A

A. IaaS

Explanation:
In the infrastructure as a service (IaaS) model, the customer is responsible for everything up from the hardware layer

In platform as a service (PaaS) and software as a service (SaaS), this will be performed by the provider; options B and C are incorrect

QaaS is an invented term and not meaningful; option D is wrong

37
Q

Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contract) for ending the contract at any point prior to the scheduled date. This is best described as an example of _______________.

A. Favorable contract terms
B. Strong negotiation
C. Infrastructure as a service (IaaS)
D. Vendor lock-in

A

D. Vendor lock-in

Explanation:
Vendor lock-in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer.

These contract terms can be described as favorable only from the provider's perspective; option D is preferable to option A for describing this situation

There was no description of negotiation included in the question; option B is incorrect

IaaS is a service model and doesn't really apply to anything in this context; option C is incorrect

38
Q

There are two general types of smoke detectors. Which type uses a small portion of radioactive material?

A. Photoelectric
B. Ionization
C. Electron pulse
D. Integral field

A

B. Ionization

Explanation:
Ionization detectors usually use a small amount of americium in the detection chamber

Photoelectric detectors use a light source instead. Option A is incorrect

Options C and D are incorrect because they are meaningless in this context

39
Q

You are the privacy data officer for a large hospital and trauma center. You are called on to give your opinion of the hospital’s plans to migrate all IT functions to a cloud service. Which of the following Uptime Institute tier-level ratings would you insist be included for any data center offered by potential providers?

A. 1
B. 2
C. 3
D. 4

A

D. 4

Explanation:
Because the nature of a life-support effort requires absolute availability, nothing less than a Tier 4 data center will serve your purposes.
All the other options are incorrect

40
Q

What is the most important factor when considering the lowest temperature setting within a data center?

A. System performance
B. Health and human safety
C. Risk of fire
D. Regulatory issues

A

B. Health and human safety

Explanation:
Bare skin sticks to cold metal

Most modern systems don't suffer performance degradation at the lower end of the temperature spectrum; it's the higher temperatures that are of concern for that aspect of the data center.

Option B is preferable to Option A

Similarly, high temperature invokes a greater risk of fire, not low temperature, and this environmental aspect is perhaps the factor least impacting risk of fire anyway. Option C is incorrect

Any regulatory issues stemming from a workplace that is too cold correlate directly with risks to health and human safety, so option B is still preferable to option D.

41
Q

Storage controllers will typically be involved with each of the following storage protocols except _______________.

A. Internet Small Computer Systems Interface (iSCSI)
B. RAID
C. Fibre Channel
D. Fibre Channel over Ethernet

A

B. RAID

Explanation:
This question might be susceptible to overthinking because it is simplistically straightforward: RAID is not a protocol - it's a configuration mechanism

All the other options are storage protocols that will involve storage controllers

42
Q

When you’re using a storage protocol that involves a storage controller, it is very important that the controller be configured in accordance with _______________.

A. Internal guidance
B. Industry standards
C. Vendor guidance
D. Regulatory dictates

A

C. Vendor guidance

Explanation:
While it is important to follow internal policy, industry standards and regulations when they are applicable, vendor guidance will most often offer the most detailed, specific settings for the particular product in question; the other forms of guidance do not usually specify individual products/versions.
This does not mean using the default configuration; the vendor will continue to publish suggestions and recommendations for optimizing performance and security of the product after it goes into distribution in order to meet evolving needs and threats

43
Q

What is the importance of adhering to vendor guidance in configuration settings?

A. Conforming with federal law
B. Demonstrating due diligence
C. Staying one step ahead of aggressors
D. Maintaining customer satisfaction

A

C. Staying one step ahead of aggressors

Explanation:
Applying vendor configurations is an excellent method for demonstrating due diligence in IT security efforts.

Always remember that proper documentation of the action is also necessary

Federal law rarely dictates application of vendor guidance, or any other specific security method for individual platforms; option A is incorrect

Aggressors will almost always be on the offensive and adapt attack methodology faster than our industry creates defenses; even vendor guidance is usually repetitive.
Option C is incorrect.

Customers rarely have any idea of (or reason to know) configuration settings; option D is incorrect

44
Q

Which of the following is a true statement about the virtualization management toolset?

A. It can be regarded as something public facing.
B. It must be on a distinct, isolated management network (virtual local area network [VLAN]).
C. It connects physically to the specific storage area allocated to a given customer.
D. The responsibility for securely installing and updating it falls on the customer.

A

B. It must be on a distinct, isolated management network (virtual local area network [VLAN]).

Explanation:
All management functions should take place on a highly secure, isolated network.

The toolset may be available via remote access but is not in any way to be considered public facing; option A is incorrect.

Resource pooling contradicts direct connections to any particular storage mechanism; option C is incorrect.

Usually virtualization management will be a responsibility of the provider because it is a crucial element for all customers; option D is incorrect

45
Q

In order to ensure proper _______________ in a secure cloud network environment, consider the use of Domain Name System Security Extensions (DNSSEC), Internet Protocol Security (IPSec), and Transport Layer Security (TLS).

A. Isolation
B. Motif
C. Multitenancy
D. Signal modulation

A

A. Isolation

Explanation:
Isolation in the cloud is imperative, largely because of multitenancy (not to support it, as option C implies)

In order to do this, the use of technologies like those listed in the question is warranted

Options B and D have no meaning in this context and are therefore incorrect.

46
Q

Domain Name System Security Extensions (DNSSEC) provides all of the following except _______________.

A. Payload encryption
B. Origin authority
C. Data integrity
D. Authenticated denial of existence

A

A. Payload encryption

Explanation:
DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer (the other options)
This does not include payload encryption - confidentiality is not an aspect of DNSSEC

47
Q

All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________.

A. Updating the OS baseline image according to a scheduled interval to include any necessary security patches and configuration modifications
B. Starting with a clean installation (hardware or virtual) of the desired OS
C. Including only the default account credentials and nothing customized
D. Halting or removing all unnecessary services

A

C. Including only the default account credentials and nothing customized

Explanation:
Default credentials are the bane of security, everywhere.
This is definitely the correct answer because it should not be part of the baseline build.

All the other options are actual baselining functions.

48
Q

All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________.

A. Removing all nonessential programs from the baseline image
B. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems
C. Including the baseline image in the asset inventory and configuration management database
D. Configuring the host OS according to the baseline requirements

A

B. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems

Explanation:
Baseline systems need current patches/configuration updates in order to be used to replicate production systems

All the other options are actual baselining functions

49
Q

All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline, except _______________.

A. Auditing the baseline to ensure that all configuration items have been included and applied correctly
B. Imposing the baseline throughout the environment
C. Capturing an image of the baseline system for future reference, versioning, and rollback purposes
D. Documenting all baseline configuration elements and versioning data

A

B. Imposing the baseline throughout the environment

Explanation:
Before applying the baseline to the environment, it is important to determine if there are any offices/systems that will require exceptions; not all baselines meet all business needs.

All the other options are actual baselining functions

50
Q

You are the IT director for a small contracting firm. Your company is considering migrating to a cloud production environment. Which service model would best fit your needs if you wanted an option that reduced the chance of vendor lock-in but also did not require the highest degree of administration by your own personnel?

A. IaaS
B. PaaS
C. SaaS
D. TanstaafL

A

B. PaaS

Explanation:
With a platform as a service (PaaS), the cloud provider will administer both the hardware and the OS, but you will be in charge of managing the applications and data.

There is less likelihood of vendor lock-in with PaaS than software as a service (SaaS), because your data will not be put into any proprietary format (option B is preferable to option C)

With infrastructure as a service (IaaS), your company will still retain a great deal of the administrative responsibility, so PaaS is a better option; option B is preferable to A

Option D has no applicability in this context and is incorrect.

51
Q

You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration and will return to operating fully on-premises after the period of increased activity. This is an example of _______________.

A. Cloud framing
B. Cloud enhancement
C. Cloud fragility
D. Cloud bursting

A

D. Cloud bursting

Explanation:
Cloud bursting is the industry term usually associated with this type of practice

All the other options are not terms with any particular meaning in this context

52
Q

You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which facet of cloud computing is most important for making this possible?

A. Broad network access
B. Rapid elasticity
C. Metered service
D. Resource pooling

A

B. Rapid elasticity

Explanation:
While all aspects of cloud computing are necessary to provide a true cloud service, this type of business flexibility is possible because of rapid (close to instant) elasticity, the means to scale your usage up and down as needed

All the other options are facets of cloud computing but are not as pertinent to the question

53
Q

You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which deployment model best describes this type of arrangement?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid cloud

A

D. Hybrid cloud

Explanation:
This is an excellent description of the hybrid model, where the customer owns elements of the infrastructure (the on-premises traditional environment) and the cloud provider owns other elements (the cloud environment used for the temporary additional demand)

All the other options are cloud deployment models but do not suit this particular case

54
Q

You are the security manager for a research and development firm. Your company does contract work for a number of highly sensitive industries, including aerospace and pharmaceuticals. Your company’s senior management is considering cloud migration and wants an option that is highly secure but still offers some of the flexibility and reduced overhead of the cloud. Which of the following deployment models do you recommend?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid cloud

A

A. Private cloud

Explanation:
A private cloud is the best option for work in highly regulated industries or industries that involve sensitive assets

The other options are simply not as preferable as option A for this question

55
Q

You are the IT director for a small engineering services company. During the last year, one of your managing partners left the firm, and you lost several large customers, creating a cash flow problem. The remaining partners are looking to use a cloud environment as a means of drastically and quickly cutting costs, migrating away from the expense of operating an internal network.
Which cloud deployment model would you suggest to best meet their needs?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid cloud

A

C. Public cloud

Explanation:
A public cloud will be the easiest, least expensive option and probably offer the simplest transition

The other options are not as preferable as C for this question

56
Q

You run an online club for antique piano enthusiasts. In order to better share photo files and other data online, you want to establish a cloud-based environment where all your members can connect their own devices and files to each other, at their discretion. You do not want to centralize payment for such services as Internet service provider (ISP) connectivity, and you want to leave that up to the members. Which cloud deployment model would best suit your needs?

A. Private cloud
B. Community cloud
C. Public cloud
D. Hybrid Cloud

A

B. Community cloud

Explanation:
This is an optimum situation for the use of a community cloud model

The other options are not as preferable as B for this question

57
Q

Full isolation of user activity, processes, and virtual network segments in a cloud environment is incredibly important because of risks due to _______________.

A. Distributed denial of service (DDoS)
B. Unencrypted packets
C. Multitenancy
D. Insider threat

A

C. Multitenancy

Explanation:
The fact that many various customers (including some that may be competitive with, or even hostile to, each other) will be utilizing the cloud environment concurrently means that isolating each is of the utmost importance in the cloud environment

DDoS is an availability threat, not something to do with confidentiality, so isolation does not serve much purpose in reducing it. Option A is incorrect

58
Q

You are the security manager for a small European appliance rental company. The senior management of your company is considering cloud migration for the production environment, which handles marketing, billing, and logistics. Which cloud deployment model should you be most likely to recommend?

A. Private cloud
B. Community cloud
C. Public Cloud
D. Hybrid Cloud

A

A. Private cloud

Explanation:
Because of European personal data privacy laws, it is extremely important for your company to be sure that the data does not leave the borders of a country approved to handle such data.

A private cloud model is the best means for your company to be sure that the data is processed in a data center residing in a particular geophysical location

The other options simply are not as preferable as A for this question

59
Q

You are the security manager for a data analysis company. Your senior management is considering a cloud migration in order to use the greater capabilities of a cloud provider to perform calculations and computations. Your company wants to ensure that neither the contractual nor the technical setup of the cloud service will affect your data sets in any way so that you are not locked in to a single provider. Which of the following criteria will probably be most crucial for your choice of cloud providers?

A. Portability
B. Interoperability
C. Resiliency
D. Governance

A

A. Portability

Explanation:
Portability is the term used to describe the ease with which a customer can move from one cloud provider to another; the higher the portability, the less chance for vendor lock-in

Interoperability describes how systems work together (or don't); because the question did not mention the use of your own company's systems, interoperability does not seem to be a major concern in this case

60
Q

Migrating to a cloud environment will reduce an organization’s dependence on _______________.

A. Capital expenditures for IT
B. Operational expenditures for IT
C. Data-driven workflows
D. Customer satisfaction

A

A. Capital expenditures for IT

Explanation:
As a cloud customer, the organization is not responsible for making up-front infrastructure purchases, which are capital expenditures

Cloud customers do, however, make continual operational expenditures for IT resources. Modern business is driven by data as much as by any other input, regardless of sector or industry; this does not change whether the organization operates in the cloud or in the traditional IT environment

The cloud does not obviate the need to satisfy customers.

61
Q

Firewalls, DLP (data loss prevention or data leak protection) and digital rights management (DRM) solutions, and security information and event management (SIEM) products are all examples of _______________ controls.

A. Technical
B. Administrative
C. Physical
D. Competing

A

A. Technical

Explanation:
These are technical controls: automated systems that perform security functions.

An argument could be made that there is an administrative component to these controls as well: the firewall rules, the DLP data discovery strategy, etc. - these are expressed in the form of a list or set of criteria, which might be viewed as an administrative control.
However, the system itself (which is what the question asked about) is still a technical control

62
Q

Fiber-optic lines are considered part of Layer _______________ of the Open Systems Interconnection (OSI) model.

A. 1
B. 3
C. 5
D. 7

A

A. 1

Explanation:
The lines themselves are physical, which puts them at Layer 1

All the other options are simply incorrect

63
Q

It is probably fair to assume that software as a service (SaaS) functions take place at Layer _______________ of the OSI model.

A. 1
B. 3
C. 5
D. 7

A

D. 7

Explanation:
Layer 7 is the application's entry point to networking

All the other options are simply incorrect

64
Q

Because of the nature of the cloud, all access is remote access. One of the preferred technologies employed for secure remote access is _______________.

A. VPN
B. HTML
C. DEED
D. DNS

A

A. VPN

Explanation:
A virtual private network (VPN) creates a trusted path across an untrusted (often public) network (such as the Internet)

It is highly recommended for cloud operations.

65
Q

You are the security manager for a small retailer engaged in e-commerce. A large part of your sales is transacted through the use of credit and debit cards. You have determined that the costs of maintaining an encrypted storage capability in order to meet compliance requirements are prohibitive. What other technology can you use instead to meet those regulatory needs?

A. Obfuscation
B. Masking
C. Tokenization
D. Hashing

A

C. Tokenization

Explanation:
Tokenization is an approved alternative to encryption for complying with Payment Card Industry (PCI) requirements

Obfuscation and masking don't really serve the purpose because they obscure data, making it unreadable; storing payment information that is unreadable does not aid in the efficiency of future transactions.

Moreover, neither technique meets PCI requirements.

Hashing does not serve the purpose because it is a one-way conversion of data; there is no way to retrieve payment information for future transactions once it has been hashed.

66
Q

Which of the following mechanisms cannot be used by a data loss prevention or data leak protection (DLP) solution to sort data?

A. Labels
B. Metadata
C. Content strings
D. Inverse signifiers

A

D. Inverse signifiers

Explanation:
This term has no meaning in this context and is only a distractor

All the other mechanisms can be (and are) used by DLP solutions to sort data

67
Q

You are the security manager for an online marketing company. Your company has recently migrated to a cloud production environment and has deployed a number of new cloud-based protection mechanisms offered by both third parties and the cloud provider, including data loss prevention or data leak protection (DLP) and security information and event management (SIEM) solutions. After one week of operation, your security team reports an inordinate amount of time responding to potential incidents that have turned out to only be false-positive reports. Management is concerned that the cloud migration was a bad idea and that it is too costly in terms of misspent security efforts. What do you recommend?

A. Change the control set so that you use only security products not offered by the cloud provider.
B. Change the control set so that you use only security products offered by the cloud provider.
C. Wait three weeks before making a final decision.
D. Move back to an on-premises environment as soon as possible to avoid additional wasted funds and effort.

A

C. Wait three weeks before making a final decision.

Explanation:
Many security solutions, particularly DLP and similar tools, require a learning curve as they become accustomed to new sets/configurations in order to discriminate between false positives and actual data loss.
One week is not enough time to get an accurate determination of the efficacy of these products, and waiting to gather more data over time is a good idea.

68
Q

In a cloud context, who determines the risk appetite of your organization?

A. The cloud provider
B. Your Internet service provider (ISP)
C. Federal regulators
D. Senior management

A

D. Senior management

Explanation:
Senior management is always responsible for determining the risk appetite of any organization, regardless of where and how it operates

Neither the cloud provider, nor the ISP, nor federal regulators determine the risk appetite of your organization

69
Q

You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes.
Which of the following traits of cloud functionality is probably the most crucial in terms of deciding which cloud provider you will choose?

A. Portability
B. Interoperability
C. Resiliency
D. Governance

A

B. Interoperability

Explanation:
Because you will be creating proprietary software, you will probably be most concerned with how it will function across many platforms, in a virtualized environment, and in an environment that you do not own or operate.

Interoperability describes how well a system relates to other systems

70
Q

You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes. Which cloud service model is most likely to suit your needs?

A. IaaS
B. PaaS
C. SaaS
D. LaaS

A

B. PaaS

Explanation:
Platform as a service (PaaS) allows a software development team to test their product across multiple OSs and hosting platforms, without the need for the customer to manage each one.

Although infrastructure as a service (IaaS) could offer similar cross-platform benefits, it would require additional effort and expertise on the part of the customer, which would not be nearly as appealing and efficient.

71
Q

ISO 31000 is most similar to which of the following regulations, standards, guidelines, and frameworks?

A. NIST 800-37
B. COBIT
C. ITIL
D. GDPR

A

A. NIST 800-37

Explanation:
Both ISO 31000 and National Institute of Standards and Technology (NIST) 800-37 are risk management frameworks.

Control Objectives for Information and Related Technology (COBIT) is ISACA’s framework for managing IT and IT controls, largely from a process and governance perspective.
Though it includes elements of risk management, NIST 800-37 is still closer in nature to ISO 31000, so option A is preferable to B.

ITIL (Information Technology Infrastructure Library) is a framework mostly focused on service delivery as opposed to risk management; option C is incorrect.

The General Data Protection Regulation (GDPR) is a European Union Law regarding privacy information, not risk management

72
Q

Which of the following entities publishes a cloud-centric set of risk-benefit recommendations that includes a “Top 8” list of security risks an organization might face during a cloud migration, based on likelihood and impact?

A. National Institute of Standards and Technology (NIST)
B. International Organization for Standardization (ISO)
C. European Union Agency for Network and Information Security (ENISA)
D. Payment Card Industry (PCI)

A

C. European Union Agency for Network and Information Security (ENISA)

Explanation:
The ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security is the publication

All the other options are standards bodies but do not have a publication that matches the description in the question as well.

73
Q

Which standards body depends heavily on contributions and input from its open membership base?

A. National Institute of Standards and Technology (NIST)
B. International Organization for Standardization (ISO)
C. Internet Corporation for Assigned Names and Numbers (ICANN)
D. Cloud Security Alliance (CSA)

A

D. Cloud Security Alliance (CSA)

Explanation:
The Cloud Security Alliance is a volunteer organization that includes members from various industries and sectors and is focused on cloud computing.

It relies largely on member participation for developing standards.

All the other options are standards bodies that involve a specific board or other centralized authority for publishing requirements.

74
Q

In regard to most privacy guidance, the data subject is _______________.

A. The individual described by the privacy data
B. The entity that collects or creates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data

A

A. The individual described by the privacy data

Explanation:
Option A is the definition of the data subject.
All the other options define other privacy-related roles

75
Q

In regard to most privacy guidance, the data controller is _______________.

A. The individual described by the privacy data
B. The entity that collects or creates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data

A

B. The entity that collects or creates the privacy data

Explanation:
Option B is the definition of the data controller.

All the other options define other privacy related roles.

76
Q

In regard to most privacy guidance, the data processor is _______________.

A. The individual described by the privacy data
B. The entity that collects or creates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data

A

C. The entity that uses privacy data on behalf of the controller

Explanation:
Option C is the definition of the data processor

All the other options define other privacy-related roles

77
Q

In most privacy-regulation situations, which entity is most responsible for deciding how a particular privacy-related data set will be used or processed?

A. The data subject
B. The data controller
C. The data steward
D. The data custodian

A

B. The data controller

Explanation:
The data controller makes the determination of purpose and scope of privacy related data sets.

The other options are the names of other privacy-related roles

78
Q

In most privacy-regulation situations, which entity is most responsible for the day-to-day maintenance and security of a privacy-related data set?

A. The data subject
B. The data controller
C. The data steward
D. The data custodian

A

D. The data custodian

Explanation:
The data custodian is usually tasked with securing and maintaining the privacy data on a regular basis, on behalf and under the guidance of the controller and steward

The other options are the names of other privacy-related roles

79
Q

You are the compliance officer for a medical device manufacturing firm. Your company maintains a cloud-based list of patients currently fitted with your devices for long-term care and quality assurance purposes. The list is maintained in a database that cross-references details about the hardware and some billing data. In this situation, who is likely to be considered the data custodian, under many privacy regulations and laws?

A. You (the compliance officer)
B. The cloud provider’s network security team
C. Your company
D. The database administrator

A

D. The database administrator

Explanation:
The custodian is usually the specific entity in charge of maintaining and securing the privacy-related data on a daily basis, as an element of the data's use.

The compliance officer might be considered a representative of the data controller (your company), or perhaps the data steward, depending on how much actual responsibility and interaction with the data you have on a regular basis.

The cloud provider (and anyone working for the provider) would be considered the data processor under most privacy regulations

Your company is the data controller, the legal entity ultimately responsible for the data

80
Q

Which of the following is probably least suited for inclusion in the service-level agreement (SLA) between a cloud customer and cloud provider?

A. Bandwidth
B. Jurisdiction
C. Storage space
D. Availability

A

B. Jurisdiction

Explanation:
The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, numeric metrics

Jurisdiction is usually dictated by location instead, which should be included in the contract but is probably not useful to include in the SLA.

All the other options are excellent examples of items that can and should be included in the SLA.

81
Q

Which of the following items, included in the contract between a cloud customer and cloud provider, can best aid in reducing vendor lock-in?

A. Data format type and structure
B. Availability
C. Storage space
D. List of available OSs

A

A. Data format type and structure

Explanation:
When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform-agnostic data set is more portable and less subject to vendor lock-in

Availability may be an aspect of portability; the ease and speed at which the customer can access their own data can influence how readily the data might be moved to another provider.
However, this is less influential than the format and structure of the data; option A is preferable to option B

Storage space has little to do with vendor lock-in.

A list of OSs the provider offers might influence the customer's decision of which provider to select, but it is not typically a constraining factor that would restrict portability.

82
Q

Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the service-level agreement (SLA)?

A. Regulatory oversight
B. Financial penalties
C. Performance details
D. Desire to maintain customer satisfaction

A

B. Financial penalties

Explanation:
The contract usually stipulates what kind of financial penalties are imposed when the provider fails to meet the SLAs

This is a huge motivating element for the provider

Regulatory oversight usually affects the customer, not the provider.

The performance details are often included in the SLA but aren't the motivating factor.

In a perfect world, option D would be the correct answer; B is a better answer, though.

83
Q

Which of the following contract terms most incentivizes the cloud customer to meet the requirements listed in the contract?

A. Financial penalties
B. Regulatory oversight
C. Suspension of service
D. Media attention

A

C. Suspension of service

Explanation:
The cloud provider is usually allowed to suspend service to the customer if the customer fails to meet the contract requirements (specifically, not paying for the service in accordance with the contract terms)
This can be fatal to a customer's operations and is a great motivation to make timely payments.

84
Q

Which of the following is not a reason for conducting audits?

A. Regulatory compliance
B. Enhanced user experience
C. Determination of service quality
D. Security assurance

A

B. Enhanced user experience

Explanation:
Audits don't really provide any perceptible effect on user experience.

All the other options are good reasons for performing audits

85
Q

Which of the following is a tool that can be used to perform security control audits?

A. Federal Information Processing Standard (FIPS) 140-2
B. General Data Protection Regulation (GDPR)
C. ISO 27001
D. Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

A

D. Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

Explanation:
The Cloud Controls Matrix is an excellent tool for determining completeness and possible replication of security controls

FIPS 140-2 is a list of cryptographic system products approved for use by US federal customers.

86
Q

Which of the following dictates the requirements for U.S. federal agencies operating in a cloud environment?

A. ISO 27002
B. NIST SP 800-37
C. ENISA
D. FedRAMP

A

D. FedRAMP

Explanation:
The Federal Risk and Authorization Management Program (FedRAMP) is the US program for federal entities operating in the cloud.

87
Q

Which of the following common aspects of cloud computing can aid in audit efforts?

A. Scalability
B. Virtualization
C. Multitenancy
D. Metered Self-Service

A

B. Virtualization

Explanation:
A ubiquitous baseline configuration used in a virtualized environment can serve as an artifact for auditors and enhance the audit process.

The other options are common facets of cloud computing but do not typically serve the purpose of auditing

88
Q

Which of the following does not typically represent a means for enhanced authentication?

A. Challenge questions
B. Variable keystrokes
C. Out-of-band identity confirmation
D. Dynamic end-user knowledge

A

B. Variable keystrokes

Explanation:
Variables, in general, aren't useful for authentication; authentication requires a match against a template or a known quantity.

89
Q

Which of the following is not a common identity federation standard?

A. WS-Federation
B. OpenID
C. OISame
D. Security Assertion Markup Language (SAML)

A

C. OISame

Explanation:
This is a nonsense term, with no meaning in this context.

All the other options are actual common identity federation standards

90
Q

Multifactor authentication typically includes two or more of all the following elements except _______________.

A. What you know
B. Who you know
C. What you are
D. What you have

A

B. Who you know

Explanation:
Multifactor authentication doesn't typically utilize associative identification.

91
Q

Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

A. Multitenancy
B. Pooled resources
C. Virtualization
D. Remote access

A

D. Remote access

Explanation:
Because the cloud environment can be accessed from any location (assuming good connectivity), the cloud customer is not required to maintain an expensive operational facility, either for primary or backup purposes.

All the other options are common aspects of cloud computing but don't particularly serve BC/DR purposes.

92
Q

Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

A. Rapid elasticity
B. Online collaboration
C. Support of common regulatory frameworks
D. Attention to customer service

A

A. Rapid elasticity

Explanation:
Rapid elasticity allows the cloud customer to scale cloud operations as necessary, including during contingency operations; this is extremely useful for BC/DR activities

All the other options are common aspects of cloud computing but don't particularly serve BC/DR purposes.

93
Q

Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

A. On-demand self-service
B. Pooled resources
C. Virtualization
D. The control plane

A

A. On-demand self-service

Explanation:
On-demand self-service allows the cloud customer to provision production resources during a contingency without any delay in ordering or allocating those resources.

All the other options are common aspects of cloud computing but don't particularly serve BC/DR purposes.

94
Q

What functional process can aid business continuity and disaster recovery (BC/DR) efforts?

A. The software development lifecycle (SDLC)
B. Data classification
C. Honeypots
D. Identity management

A

B. Data classification

Explanation:
The data classification process is the organization's formal means of determining the value of its assets; this is extremely important to BC/DR efforts in that it can be useful in determining the critical path to be maintained during contingency events.

The SDLC is a system development/acquisition tool; it doesn't particularly assist in BC/DR efforts.

Honeypots are a threat intelligence tool; they don't serve any useful BC/DR purpose.

Identity management is a part of the entitlement process but does not add any value to BC/DR efforts.

95
Q

Which common security tool can aid in the overall business continuity and disaster recovery (BC/DR) process?

A. Honeypots
B. Data loss prevention or data leak protection (DLP)
C. Security information and event management (SIEM)
D. Firewalls

A

B. Data loss prevention or data leak protection (DLP)

Explanation:
DLP solutions typically have the capability to aid in asset valuation and location, both important facets of the BC/DR process.

All the other options are common security tools but don't really serve to enhance BC/DR efforts.

96
Q

Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

A. Geographical separation of data centers
B. Hypervisor security
C. Pooled resources
D. Multitenancy

A

A. Geographical separation of data centers

Explanation:
Because cloud data is typically spread across more than one data center and these data centers can be geographically separated, a single natural disaster event may be less likely to reduce access to the data

All the other options are common aspects of cloud computing but don't particularly serve BC/DR purposes.

97
Q

Which of the following is not typically used as an information source for business continuity and disaster recovery (BC/DR) event anticipation?

A. Open source news
B. Business threat intelligence
C. Egress monitoring solutions
D. Weather monitoring agencies

A

C. Egress monitoring solutions

Explanation:
Egress-monitoring solutions do not typically predict contingency-level events and are not useful for the purpose

98
Q

Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization?

A. Premature return to normal operations
B. Event anticipation information
C. Assigning roles for BC/DR activities
D. Preparing the continuity-of-operations plan

A

A. Premature return to normal operations

Explanation:
A hasty return to normal operations can put operations and personnel at risk if whatever caused the contingency situation has not yet been fully resolved

99
Q

Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization?

A. Threat intelligence gathering
B. Preplacement of response assets
C. Budgeting for disaster
D. Full testing of the plan

A

D. Full testing of the plan

Explanation:
A full test of the BC/DR plan can result in an actual disaster because it may involve interruption of service; the simulation can become the reality

100
Q

In container virtualization, unlike standard virtualization, what is not included?

A. Hardware emulation
B. OS replication
C. A single kernel
D. The possibility for multiple containers

A

A. Hardware emulation

Explanation:
In containerization, the underlying hardware is not emulated; the containers run on the same underlying kernel, sharing the majority of the base OS.

101
Q

Which of the following is not typically a phase in the software development lifecycle (SDLC)?

A. Define
B. Test
C. Develop
D. Sanitization

A

D. Sanitization

Explanation:
Secure sanitization is not included in all (or even many) SDLC models.

The other options are typically SDLC steps

102
Q

An application programming interface (API) gateway can typically offer all of the following capabilities except _______________.

A. Rate limiting
B. Access control
C. Hardware confirmation
D. Logging

A

C. Hardware confirmation

Explanation:
Hardware confirmation is a meaningless term in this respect.

All the other options represent common capabilities of API gateways

103
Q

Cloud customers in a public cloud managed services environment can install all the following types of firewalls except _______________.

A. Provider operated
B. Host-based
C. Third party
D. Hardware

A

D. Hardware

Explanation:
Cloud customers, with rare exceptions, will not be allowed to add hardware to the cloud data center.

All the other options are various types of firewalls that a customer could implement in a cloud managed services environment.

104
Q

The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, who initiates the protocol?

A. The server
B. The client
C. The certifying authority
D. The Internet service provider (ISP)

A

B. The client

Explanation:
In a typical TLS handshake, the client sends the message (called ClientHello) that initiates the negotiation of the session

105
Q

The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what is the usual means for establishing trust between the parties?

A. Out-of-band authentication
B. Multifactor authentication
C. Public-key infrastructure (PKI) certificates
D. Preexisting knowledge of each other

A

C. Public-key infrastructure (PKI) certificates

Explanation:
TLS usually relies on PKI certificates authenticated and issued by a third party.

106
Q

The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what form of cryptography is used for the session key?

A. Symmetric key
B. Asymmetric key pairs
C. Hashing
D. One asymmetric key pair

A

A. Symmetric key

Explanation:
In TLS, the parties will establish a shared secret, or symmetric key, for the duration of the session.

All the other options are incorrect because they are not the form of cryptography used for the session keys in a TLS session

107
Q

DevOps is a form of software development that typically joins the software development team with _______________.

A. The production team
B. The marketing team
C. The security office
D. Management

A

A. The production team

Explanation:
In DevOps, the programmers continually work in close conjunction with the production team to ensure that the project will meet their needs.

108
Q

The Agile Manifesto for software development focuses largely on _______________.

A. Secure build
B. Thorough documentation
C. Working prototypes
D. Proper planning

A

C. Working prototypes

Explanation:
The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs.
The Manifesto refutes all other elements of programming that slow down this effort, including documentation, planning, process and specific tools

109
Q

When a program’s source code is open to review by the public, what is that software called?

A. Freeware
B. Malware
C. Open source
D. Shareware

A

C. Open source

Explanation:
Open source software includes programs where customers (or even the public) can view the softwares source code.
Freeware and shareware are licensing arrangements and ways of distributing intellectual property.

Malware is harmful software designed for attack purposes.

110
Q

Why is Simple Object Access Protocol (SOAP) used for accessing web services instead of the Distributed Component Object Model (DCOM) and the Common Object Request Broker Architecture (CORBA)?

A. SOAP provides a much more lightweight solution.
B. SOAP replaces binary messaging with XML.
C. SOAP is much more secure.
D. SOAP is newer.

A

B. SOAP replaces binary messaging with XML.

Explanation:
XML works better over the Internet than the binary messaging of the older technologies.

SOAP is not particularly lightweight; in fact, it is kind of cumbersome.

SOAP is not especially more secure than DCOM or CORBA.

SOAP is newer than the other technologies; however, that is not the reason it is preferable in a web context.

111
Q

How does representational state transfer (REST) make web service requests?

A. XML
B. SAML
C. URIs
D. TLS

A

C. URIs

Explanation:
REST calls web resources by using uniform resource identifiers (URIs)

112
Q

Representational state transfer (REST) outputs often take the form of _______________.

A. JavaScript Object Notation (JSON)
B. Certificates
C. Database entries
D. WS-Policy

A

A. JavaScript Object Notation (JSON)

Explanation:
JSON outputs are common for REST applications.

All the other options are incorrect because they are not the form of output one would expect from REST.

113
Q

“Sensitive data exposure” is often included on the list of the Open Web Application Security Project (OWASP) Top Ten web application vulnerabilities. In addition to programming discipline and technological controls, what other approach is important for reducing this risk?

A. Physical access control to the facility
B. User training
C. Crafting sophisticated policies
D. Redundant backup power

A

B. User training

Explanation:
Sensitive data is often exposed inadvertently because of user error or lack of knowledge about the material.
User training can offset a significant portion of this risk by informing users about the value of data assets and the proper use of controls and behaviors.

Physical access control is important, but less for controlling exposure and more for preventing theft.
Option B is preferable to A in this context.

Policies are crucial but don't actually offset the risk; they are the underlying structure for creating programs and methods for dealing with the risk.

114
Q

During maintenance mode for a given node in a virtualized environment, which of the following conditions is not accurate?

A. Generation of new instances is prevented.
B. Admin access is prevented.
C. Alerting mechanisms are suspended.
D. Events are logged.

A

B. Admin access is prevented.

Explanation:
Administrators will access devices during maintenance mode; blocking admin access would be contrary to the entire point of the activity.
All the other options are conditions that are true during maintenance mode.

115
Q

How are virtual machines (VMs) moved from active hosts when the host is being put into maintenance mode?

A. As a snapshotted image file
B. In encrypted form
C. As a live instance
D. Via portable media

A

C. As a live instance

Explanation:
Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another and how VMs are moved prior to maintenance on a physical device.
VMs are moved as image snapshots when they are transitioned from production to storage; option A is incorrect.

During live migration, the VM moves in unencrypted form.

116
Q

Which of the following is not a typical mechanism used by intrusion detection system (IDS) and intrusion prevention system (IPS) solutions to detect threats?

A. Signature-based detection
B. User input
C. Statistical-based detection
D. Heuristic detection

A

B. User input

Explanation:
IDS/IPS solutions do not elicit user input

All the other options are mechanisms used by IDS/IPS solutions to detect threats

117
Q

When you’re deploying a honeypot/honeynet, it is best to fill it with _______________ data.

A. Masked
B. Raw
C. Encrypted
D. Useless

A

D. Useless

Explanation:
Because the honeypot/honeynet is meant to be observed, production data in any form should not be included

All the other options are insufficient for the question

118
Q

The cloud provider should be required to make proof of vulnerability scans available to all of the following except _______________.

A. Regulators
B. The public
C. Auditors
D. The cloud customer

A

B. The public

Explanation:
The public does not have a need to know regarding proof of vulnerability scans.
All the other options are legitimate recipients of proof of vulnerability scans.

119
Q

You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing.
The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This intellectual property is likely protected as a _______________.

A. Copyright
B. Trademark
C. Patent
D. Trade secret

A

B. Trademark

Explanation:
Logos and other identifying material are subject to trademark protections.
The other options are also ways to protect intellectual property, but they are not usually associated with logos.

120
Q

You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This conflict will most likely have to be resolved with what legal method?

A. Breach of contract lawsuit
B. Criminal prosecution
C. Civil suit
D. Military tribunal

A

C. Civil suit

Explanation:
Intellectual property disputes are usually settled in civil court, as a conflict among private parties

Because there was no agreement between your company and the competitor in question, there is no contract, so no breach of contract dispute is pertinent.

Although statutes concerning intellectual property protections exist, they are usually in the form of torts (that is, laws that define how civil actions can pursue restitution for private harm).
This is not the government prosecuting someone in order to protect the public; criminal proceedings are rare when it comes to enforcing intellectual property rights.

The military does not often get involved in intellectual property disputes and most often uses the civil courts when it does.

121
Q

You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing. The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. What will most likely affect the determination of who has ownership of the logo?

A. Whoever first used the logo
B. The jurisdiction where both businesses are using the logo simultaneously
C. Whoever first applied for legal protection of the logo
D. Whichever entity has the most customers who recognize the logo

A

C. Whoever first applied for legal protection of the logo

Explanation:
Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body.
In the case of conflicting usage (or infringement), courts will take many criteria into account, including which party has first claim on the trademark (that is, who used it the longest), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth.
But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question.

All the other options may be factors the court takes into account when making its decision, but option C is the best answer.

122
Q

Which Statement on Standards for Attestation Engagements (SSAE) 18 audit report is simply an attestation of audit results?

A. Service Organization Control (SOC) 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

A

D. SOC 3

Explanation:
This is the definition of a SOC 3

All the other options are SSAE 18 reports but not the correct answer.

123
Q

Which Statement on Standards for Attestation Engagements (SSAE) 18 report is purposefully designed for public release (for instance, to be posted on a company’s website)?

A. Service Organization Control (SOC) 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

A

D. SOC 3

Explanation:
This is the purpose of the SOC 3 report.

All the other options are SSAE 18 reports but not the correct answer

124
Q

Which of the following countries has a national privacy law that conforms to European Union (EU) legislation?

A. The United States
B. Australia
C. Jamaica
D. Honduras

A

B. Australia

Explanation:
Both Australia and New Zealand have privacy laws that conform to EU privacy legislation

All the other options are examples of countries that do not.

125
Q

Which of the following countries has a national privacy law that conforms to European Union (EU) legislation?

A. Japan
B. Alaska
C. Belize
D. Madagascar

A

A. Japan

Explanation:
Japan's privacy law is sufficient to meet EU legislative requirements.

Alaska is not a country - it is a state.