Cloud - CCSP Flashcards
Your organization has just been served with an eDiscovery order. Because the organization has moved to a cloud environment, what is the biggest challenge when it comes to full compliance with an eDiscovery order?
Data Discovery.
Data discovery in a cloud environment encounters significant challenges due to the distributed nature of cloud computing. A primary concern of eDiscovery is determining all of the applicable data and locating it for collection and preservation.
Your organization is considering a move to a cloud environment and is looking for certifications or audit reports from cloud providers to ensure adequate security controls and processes. Which of the following is NOT a security certification or audit report that would be pertinent? A. FedRAMP B. PCI DSS C. FIPS 140-2 D. SOC Type 1
C. FIPS 140-2 is a security standard from the U.S. federal government that pertains to the accreditation of cryptographic modules. While it is important to security processes and controls, it is not a certification or audit report that is responsive to overall security controls, policies, or operations.
You are developing a new process for data discovery for your organization and are charged with ensuring that all applicable data is included. Which of the following is not one of the three methods of data discovery? A. Metadata B. Content Analysis C. Labels D. Classification
D. Classification is the overall process of using certain attributes about data and then applying appropriate security controls to that data. Classification is applied after data discovery has been completed, and it pertains only to the application of security controls, not the actual process of discovering or determining data.
Management has requested that security testing be done against their live cloud-based applications, with the testers not having internal knowledge of the system. Not attempting to actually breach systems or inject data is also a top requirement. Which of the following would be the appropriate approach to take? A. Static application security testing B. Penetration testing C. Runtime application self-protection D. Dynamic application security testing
D. Dynamic application security testing is done against a system or application in its actual runtime state, and where the testers do not have specific knowledge about the configurations or technologies employed on it.
Which Cloud Category would allow for the LEAST amount of customization by the cloud customer?
SaaS. The entire system and application is under the control of the cloud provider, so the cloud customer will only have minimal options for customization, which typically is limited to branding or the selection of default options or settings.
Which phase of the risk management process involves an organization deciding how to mitigate risk that is discovered during the course of an audit? A. Assessing B. Framing C. Responding D. Monitoring
C. Responding
This is the stage of the risk management process where an organization will determine, based on the exact nature of the risk finding, as well as the potential costs and efforts involved with mitigation, which is the appropriate direction to take.
You have decided to use SOAP as the protocol for exchanging information between services for your application. Which of the following is the only data format that can be used with SOAP?
C. The SOAP protocol only uses XML as a data format for exchanging information.
A cloud provider is looking to provide a higher level of assurance to current and potential cloud customers about the design and effectiveness of their security controls. Which of the following audit reports would the cloud provider choose as the most appropriate to accomplish this goal?
A. SAS-70
B. SOC 1
C. SOC 2
D. SOC 3
SOC 3
These reports are done to test controls in place within an organization for financial or other systems.
At which stage of the software development lifecycle is the most appropriate place to begin the involvement of security? A. Requirements gathering B. Design C. Testing D. Development
A. Security should be involved at all times in the SDLC process.
Which is not one of the main considerations with data archiving? A. Format B. Regulatory requirements C. Testing D. Encryption
D. Encryption
Although encryption will be used in many archiving solutions and implementations, it is not always a requirement and will be largely subjective, based on the type of data and the archiving method chosen.
While an audit is being conducted, which of the following could cause management and the auditors to change the original plan in order to continue with the audit? A. Cost overruns B. Impact on systems C. Regulatory changes D. Software version changes
B. Impact on systems.
Which of the following threat models has elevation of privileges as one of its key components and concerns?
- DREAD
- STRIDE
- HIPAA
- SOX
B. STRIDE
The E in the STRIDE threat model stands for elevation of privilege. Elevation of privilege is a threat to apps and systems that use a common login method and then display specific functions or data to users based on their role, with admin users having the same initial interface as regular users.
Type of risk assessment based on documentation review and making informed judgement calls about risk from operational procedures and system designs.
Qualitative - based on documentation and other data about systems and applications that are not easily converted into numerical values for comparison.
With a SOC 2 auditing report, which of the following principles must always be included? A. Security B. Processing integrity C. Privacy D. Availability
A. The SOC 2 auditing reports are built on a set of five principles: security, processing integrity, privacy, availability, and confidentiality.
What is used to isolate test systems from a production system in a cloud environment for testing or development purposes?
Sandboxing