Cloud Controls Matrix (CCM) Flashcards

1
Q

If you wanted to determine whether a certain cloud environment satisfied data backup and recovery requirements, which Domain of the CCM should you refer to?
A. Governance and Risk Management
B. Human Resources Security
C. Mobile Security
D. Business Continuity Management and Operational Resilience

A

Answer: D
The BCR Domain in the CCM includes data backup and recovery controls. See BCR-01 in the CCM.

2
Q

Which Domain of the CCM might be used to determine if a cloud environment is in compliance with ITIL Service Management requirements?
A. Application and Interface Security
B. Change Control and Configuration Management
C. Datacenter Security
D. Threat and Vulnerability Management

A

Answer: B
The CCC Domain addresses elements of the ITIL Service Management requirements. See CCC-02 and CCC-03 in the CCM.

3
Q

Which Domain of the CCM is used to demonstrate the commitment of senior leadership to an information security program?
A. Audit Assurance and Compliance
B. Change Control and Configuration Management
C. Governance and Risk Management
D. Infrastructure and Virtualization

A

Answer: C
GRM-05 in the CCM specifically addresses senior management’s commitment to the information security program.

4
Q

Which Domain of the CCM addresses the roles of employees and contractors in the cloud environment?
A. Datacenter Security
B. Human Resources Security
C. Interoperability and Portability
D. Supply Chain Management, Transparency, and Accountability

A

Answer: B
HRS-07 in the CCM specifically addresses the roles and responsibilities of employees, contractors, and third parties.

5
Q

Which Domain of the CCM addresses the concept of least privilege?
A. Application and Interface Security
B. Audit Assurance and Compliance
C. Identity and Access Management
D. Mobile Security

A

Answer: C
IAM-02, IAM-06, IAM-08, and IAM-10 in the CCM specifically address the concept of least privilege. Least privilege is also mentioned in the Infrastructure and Virtualization Domain, but this was not one of the options listed.

6
Q

Which control listed in the CCM prohibits the use of non-approved applications in the cloud environment?
A. MOS-03
B. STA-02
C. TVM-03
D. WPA2

A

Answer: A
MOS-03 requires the cloud environment to be governed by a policy limiting the use of non-approved applications or applications from untrusted sources.
WPA2 is not a control in the CCM; it is a wireless security standard.

7
Q

Which control listed in the CCM recommends using file integrity monitoring when creating an operating system baseline?
A. GRM-10
B. HRS-03
C. IAM-02
D. IVS-07

A

Answer: D

8
Q

Which control listed in the CCM discusses policies for encryption key generation?
A. EKM-01
B. EKM-02
C. EKM-03
D. EKM-04

A

Answer: B
Policies addressing encryption key generation are mentioned in EKM-02.

9
Q

Which type of cloud architecture is control HRS-02 applied to? [select all that apply]
A. Physical
B. Network
C. Compute
D. Storage
E. Application
F. Data

A

Answer: F

10
Q

Which type of cloud architecture is control IAM-11 applied to? [select all that apply]
A. Physical
B. Network
C. Compute
D. Storage
E. Application
F. Data

A

Answer: A, B, C, D, E, F
IAM-11 applies to all architectures.

11
Q

Which type of cloud architecture is control IVS-07 applied to? [select all that apply]
A. Physical
B. Network
C. Compute
D. Storage
E. Application
F. Data

A

Answer: C
IVS-07 applies to the Compute architecture.

12
Q

According to the CCM, which type of cloud service model requires a mechanism to monitor and quantify the types, volumes, and costs of information security incidents?
A. IaaS
B. PaaS
C. SaaS
D. All of the above
E. None of the above

A

Answer: D
SEF-05 applies to all types of cloud service models.

13
Q

According to the CCM, which cloud service model requires that the provider ensure the integrity of all virtual machine images at all times?
A. IaaS
B. PaaS
C. SaaS
D. All of the above
E. None of the above

A

Answer: A
IVS-02 applies to the IaaS model.

14
Q

According to the CCM, which entity is responsible for ensuring that security vulnerability assessment tools are “virtualization aware”?
A. the cloud provider
B. the cloud customer
C. the regulator
D. the taxpayer

A

Answer: A
IVS-05 is the responsibility of the provider. Regulators and taxpayers are generally outside the scope of cloud security responsibility.

15
Q

According to the CCM, which entity is responsible for ensuring the operating system baseline template of a virtualized machine is hardened appropriately?
A. the cloud provider
B. the cloud customer
C. neither the provider nor the customer
D. both the provider and the customer

A

Answer: D
IVS-07 is the responsibility of both the cloud provider and the customer.

16
Q

You are the security officer for a medical college in the United States. Which of the following standards/laws/frameworks from the CCM should most likely apply to your cloud environment? [select all that apply]
A. PIPEDA
B. COPPA
C. FERPA
D. HIPAA
E. GDPR
F. ENISA IAF

A

Answer: C, D
FERPA is a US federal law that applies to academic providers. HIPAA is a US federal law that applies to medical providers.
PIPEDA is a Canadian law. COPPA is a US law that only applies to minors. GDPR is a European law. ENISA is a European standards body.

17
Q

You are the security officer for a retailer in Germany. Which of the following standards/laws/frameworks from the CCM should most likely apply to your cloud environment? [select all that apply]
A. NERC CIP
B. NIST SP 800-53
C. BSI
D. GDPR
E. PCI DSS

A

Answer: C, D, E
BSI is a German privacy law. GDPR is a European privacy law. PCI DSS is a contractual standard for processing payment card information.
NERC CIP is a US law for electrical power providers. NIST SP 800-53 is applicable to US federal government agencies.

18
Q

You are the security officer for a Japanese automotive manufacturer. Which of the following standards/laws/frameworks from the CCM should most likely apply to your cloud environment? [select all that apply]
A. COBIT
B. ISO 27001
C. FERPA
D. HIPAA
E. GDPR

A

Answer: A, B
COBIT and ISO are both international standards, often used in industrial settings.
FERPA and HIPAA are both only applicable to US entities in specific sectors. GDPR is a European privacy law.

19
Q

You are the security officer for a charity in Ottawa. Which of the following standards/laws/frameworks from the CCM should most likely apply to your cloud environment? [select all that apply]
A. HIPAA
B. ITAR
C. PIPEDA
D. NZISM
E. NERC CIP

A

Answer: C
PIPEDA is a Canadian privacy law.
HIPAA, ITAR, and NERC CIP are only applicable to US entities. NZISM is only applicable to entities in New Zealand.