Domain 5: Cloud Security Operations Flashcards by Unknown Unknown

What term is used to describe agreements between IT service providers and customers that describe service-level targets and responsibilities of the customer and provider?

A. OLA
B. SAC
C. SLA
D. SLR

Answer: C. SLA

A service-level agreement (SLA) defines service-level targets and the responsibilities of the IT service provider and customer. An OLA (operational level agreement) is an internal agreement between the IT service provider and another part of the same organization and
supports the service provider’s delivery of the service. Service acceptance criteria (SAC) are the criteria used to determine whether a service meets its quality and functionality goals.
Finally, a service-level requirement (SLR) defines the requirements of a service from the customer’s perspective.

How well did you know this?

Not at all

Perfectly

Sally is building her organization’s communication plans and knows that customers are an important group to include in the plan. What key function does proactive customer communication help with?

A. Notification of breaches
B. Regulatory compliance
C. Managing expectations
D. Problem management

Answer: C. Managing expectations

Proactive customer communications are key to managing expectations. Reactive communications are often used for data breach notification, regulatory compliance, and problem management.

How well did you know this?

Not at all

Perfectly

Juanita has discovered unexpected programs running on her freshly installed Linux system that was built using her cloud provider’s custom Linux distribution, but that did not allow connections from the internet yet. What is the most likely reason for this?

A. Juanita inadvertently installed additional tools during the installation process.
B. The version of Linux automatically downloads helper agents when installed.
C. Cloud vendors often install helper utilities in their own distributions.
D. Attackers have installed applications.

Answer: C. Cloud vendors often install helper utilities in their own distributions.

Juanita knows that the major cloud vendors provide their own customized versions of Linux that often include additional agents and tools to help them work better with the provider’s infrastructure. She should verify that this is the case, but it is the most likely scenario for a freshly built system as described.

How well did you know this?

Not at all

Perfectly

Ben wants to manage operating system and application patches for thousands of machines hosted in an infrastructure as a service vendor’s cloud. What should he do?

A. Use the cloud vendor’s native patch management tools.
B. Use the operating system vendor’s patch management tools.
C. Use manual update processes.
D. Write custom scripts to manage updates.

Answer: A. Use the cloud vendor’s native patch management tools.

When managing systems at scale in the cloud, Ben knows that the best option is often to use the cloud IaaS vendor’s tools, particularly because they are typically designed to handle both operating systems that may have special features to work in the vendor’s environment and applications.

How well did you know this?

Not at all

Perfectly

Jason’s organization is required to provide information about its cloud operating environment, including yearly audit information to regulators in his industry. What is he most likely to be able to provide to the regulators when they ask for a security audit of his hosted
environment?

A. A recent audit conducted by staff from Jason’s organization
B. A recent audit conducted by a third-party auditor hired by Jason’s organization
C. Direct audit permissions for the regulators to audit the cloud provider
D. A copy of the cloud provider’s third-party audit results

Answer: D. A copy of the cloud provider’s third-party audit results

Jason knows that cloud service providers typically do not allow direct or third-party audits of their systems and services, but that they do provide audit results to customers.

How well did you know this?

Not at all

Perfectly

Tracy has set up a cloud hardware security module (HSM) service for her organization in her cloud-hosted environment. What activity is she preparing for?

A. Securely storing and managing secrets
B. Ensuring end-to-end encryption between cloud and on-site systems
C. Managing the security of the underlying hardware in the environment
D. Detecting attacks against hosted systems

Answer: A. Securely storing and managing secrets

A cloud hardware security module (HSM) is used to create, store, and manage secrets.

How well did you know this?

Not at all

Perfectly

Charles wants to be able to create new servers as needed for his environment, using variables and configuration files to configure the systems to meet changing needs. What type of solution should he implement to help with this type of orchestration?

A. A CI/CD pipeline
B. Infrastructure as code
C. A check-in/checkout design
D. An application interface

Answer: B. Infrastructure as code

Charles knows that his situation calls for an infrastructure as code (IaaC) design, which uses code and configuration files or variables to allow rapid deployment using scripts and automated tools. A CI/CD pipeline will often leverage infrastructure as code and automation tools, but it doesn’t directly meet this need. APIs (application programming interfaces)
are used to access data from services, and check- in/checkout design was made up for this question.

How well did you know this?

Not at all

Perfectly

James wants to establish key performance indicators for his service continuity management practice based on ITIL. Which of the following is a useful KPI for service continuity management?

A. The number of business processes with continuity agreements
B. The number of vulnerabilities found in installed software per period of time
C. The number of patches installed per period of time
D. The number of natural disasters in the local area in a year

Answer: A. The number of business processes with continuity agreements

From a service continuity management perspective, the number of business processes with continuity agreements is the only relevant answer from this list. Understanding the number of business practices that have continuity planning in place and assessing which gaps in coverage are critical is a common practice to improve service continuity.

How well did you know this?

Not at all

Perfectly

Zoe wants to speed up her traditional release management process. What modern approach is best suited to an ITIL v4–based rapid-release-oriented organization?

A. Waterfall
B. Agile/DevOps
C. Spiral
D. RAD

Answer: B. Agile/DevOps

Agile and DevOps are well-suited to rapid release cycles, with continuous integration and continuous delivery processes. Waterfall and spiral both tend to take longer periods of time for each release, and RAD is not as widely adopted and not as release focused.

How well did you know this?

Not at all

Perfectly

ITIL v4 includes a seven-step continual improvement model. What item occurs at the end of the process before it starts again?

A. Determining the vision
B. Assessing results
C. Taking action
D. Determining the goal

Answer: B. Assessing results

Assessing results occurs at the end of the seven-step process, helping provide feedback into the next cycle’s vision determination phase.

How well did you know this?

Not at all

Perfectly

Tim puts a server in his virtualization environment into maintenance mode. Which of the following events will occur?

A. Migrates the running virtual machines to other hardware
B. Pauses all running VMs immediately
C. Sends a notification to users, then pauses running VMs
D. Marks the machine as unavailable for new VMs

Answer: A. Migrates the running virtual machines to other hardware

Maintenance mode migrates virtual machines to other hosts or waits until they are powered down to allow for hardware or other maintenance. Tim knows that he’ll need to ensure all VMs are migrated or shut down, and that he can then perform maintenance.

How well did you know this?

Not at all

Perfectly

Kathleen wants to centralize her log capture and analysis capabilities and use automated tools to help her identify likely security issues. What type of tool should she look for?

A. SIEM
B. IPS
C. CASB
D. MITRE

Answer: A. SIEM

Kathleen should look for a security information and event management (SIEM) tool. They’re used to centralized log collection, analysis, and detection capabilities and often have automated methods of finding issues and alerting on them. An IPS (intrusion prevention system) is used to detect and stop attacks, a CASB (cloud application security broker) is used to control and manage access to cloud services, and MITRE is a U.S. government–funded research organization with a heavy focus on security work.

How well did you know this?

Not at all

Perfectly

Elaine wants to ensure that traffic is encrypted in transit. What technology is commonly used to secure data in transit?

A. VLANs
B. TLS
C. DNSSEC
D. DHCP

Answer: B. TLS

TLS (Transport Layer Security) is an encryption protocol used to secure data in transit. VLANs are used to logically separate network segments, DNSSEC is intended to provide security to domain name system requests, and DHCP provides IP addresses and other network configuration information to systems automatically.

How well did you know this?

Not at all

Perfectly

Ujama wants to protect systems in his environment from being accessed via SSH. What should he do if he needs to leave the service available for local connections?

A. Block inbound connections to TCP port 3389 on his firewall.
B. Block outbound connections to TCP port 3389 on his firewall.
C. Block inbound connections to TCP port 22 on his firewall.
D. Block outbound connections to TCP port 22 on his firewall.

Answer: C. Block inbound connections to TCP port 22 on his firewall.

Blocking inbound connections to port 22, the default SSH port will stop attackers and third parties from outside of the network from accessing SSH as long as it hasn’t been changed to another port. TCP3389 is associated with RDP.

How well did you know this?

Not at all

Perfectly

Ron wants to use a central system to store information about system and software configurations and their relationships. What tool is often used for this to support standards-based configuration management practices like those found in ITIL v4?

A. CRM
B. CMDB
C. Configuration item
D. Change catalog

Answer: B. CMDB

A configuration management database (CMDB) is frequently used in mature standards-based configuration management environments where it stores both configuration management and information about relationships between configuration items (CIs). CRMs are customer relationship management tools and aren’t part of the CCSP exam. A change catalog was made up for this question.

How well did you know this?

Not at all

Perfectly

Maria’s manager is concerned about patching for the underlying cloud environment that her platform as a service (PaaS) vendor provides. What should Maria tell her manager?

A. Maria’s organization is responsible for patching and needs to set up a regular patch cycle.
B. The vendor is responsible for patching, and there is no patching that needs to be done by customers in a PaaS environment.
C. Negotiations need to be done with the vendor to determine which organization is responsible for patch management.
D. The contract will determine which organization is responsible for patch management.

Answer: B. The vendor is responsible for patching, and there is no patching that needs to be done by customers in a PaaS environment.

Maria knows that PaaS environments are patched by the vendor and that she does not need to perform patching of the software or cloud service. She may, however, have to decide when to adopt patches or versions— although she won’t be able to delay adopting new versions forever!

How well did you know this?

Not at all

Perfectly

ITIL v4 describes three subprocesses related to availability management. What are these three subprocesses?

A. Designing services for availability, disaster recovery testing, and determining availability targets
B. Availability management, availability metrics, and availability improvement
C. Designing services for availability, availability testing, availability monitoring, and reporting.
D. Availability planning, availability improvement, availability validation

Answer: C. Designing services for availability, availability testing, and availability monitoring and reporting.

The ITIL subprocesses for availability management are designing services for availability, availability testing, and availability monitoring and reporting. Even if you’re not familiar with ITIL, thinking about a standards-based approach to availability might help you design, testing, and monitoring are all logical steps in a process like this.

How well did you know this?

Not at all

Perfectly

Naomi’s organization has recently experienced a data breach. Which of the following parties is least likely to require notification based on existing contracts or regulations?

A. Customers
B. Vendors
C. Regulators
D. Partners

Answer: B. Vendors

Vendors are the least likely to have contractual or regulatory requirements that mean that they must be notified. Vendors often have to tell their customers about breaches, but customers typically do not need to tell their vendors!

How well did you know this?

Not at all

Perfectly

Megan is starting her organization’s change management practices. She has conducted an asset inventory. What step is typically next in a change management process?

A. Creating a baseline
B. Deploying new assets
C. Establishing a CMB
D. Documenting deviations from the baseline

Answer: A. Creating a baseline

Megan’s next step once she has an inventory is to create a baseline. With that in hand she can establish a CMB, deploy new assets configured to meet the baseline, and document deviations that the CMB approves if needed.

How well did you know this?

Not at all

Perfectly

Dan wants to use clipboard-based drag and drop between his virtualized desktops in a Type 2 hypervisor environment. Which of the following steps is most likely to allow him to access additional features that require virtualization environment integration to work?

A. Building the virtual machines as containers
B. Installing guest operating system virtualization tools
C. Installing virtualization environment orchestration tools
D. Building the containers as virtual machines

Answer: B. Installing guest operating system virtualization tools

Guest operating system virtualization tools add additional functionality like use of GPUs, shared clipboards, and drag and drop between guest operating systems, shared folders, and similar features that require additional integration between the guest OS and the underlying
hypervisor and hardware.

How well did you know this?

Not at all

Perfectly

Geoff knows that ITIL v4 focuses on four information security management practices. Which of these processes could involve an SOC 2 Type 2 audit?

A. Design of security controls
B. Security testing
C. Management of security incidents
D. Security review

Answer: D. Security review.

The security review objective focuses on whether security practices and procedures align to risk tolerance for the organization and includes verification and testing like an SOC 2 Type 2 audit does. Design, testing, and management of incidents involve the topics they describe.

How well did you know this?

Not at all

Perfectly

Eleanor wants to build her organization’s change management processes. What is the typical first step for change management efforts?

A. Policy creation
B. Baselining
C. Documentation creation
D. Vulnerability scanning

Answer: B. Baselining

Configuration management typically starts with baselining. While policies and documentation are important, creating a baseline allows organizations to understand what they have and what state it is in, a critical part of the change management practice.

How well did you know this?

Not at all

Perfectly

Theresa is building an automated CI/CD pipeline. She wants to ensure that code that passes through the pipeline is secure before it moves from staging to production. What is her best option if she wants to test the running application?

A. Manual static code review
B. Automated code review
C. Using a web application firewall
D. Using an IPS

Answer: B. Automated code review

Ensuring that the code itself is secure in an automated process requires a tool that can be run as part of the process. That means that the only option from the list that is viable is an automated review of code. Manual static code review isn’t a good fit for a CI/CD pipeline in
most cases due to speed requirements. WAFs and IPSs can help protect the application, but again, they don’t test the code or make the application itself more secure.

How well did you know this?

Not at all

Perfectly

The Cloud Security Alliance’s Cloud Incident Response (CIR) framework documents typical breakdowns for customer versus cloud provider responsibilities in incident response, including pointing to cloud providers as being responsible for almost all risks in an SaaS
environment. In an IaaS environment, who is responsible for network risks?

A. The customer
B. Both the customer and the service provider
C. The service provider
D. Third-party incident responders

Answer: B. Both the customer and the service provider

Since IaaS provides the customer with access to and control over some of the network, they must take responsibility for network-based risks. The IaaS provider provides services and infrastructure, and thus must take responsibility for some of the network-based risks as well. Third-party incident responders do not play a role in risk responsibility in this model.

How well did you know this?

Not at all

Perfectly

Juanita is responsible for a web application that is split between an on-site application environment and a cloud-hosted database. Juanita knows the application performs thousands of small database queries for some transactions. What performance monitoring option is most important to her application’s performance? A. The network routes between the datacenters B. Network throughput between the two datacenters C. The bandwidth between the two datacenters D. Network response time (latency) between the datacenters

**Answer: D. Network response time (latency) between the datacenters** Network latency is the critical factor when transaction volume is key. Bandwidth is less critical for small transactions, even when there are thousands of them. Routes may influence all of these options, but aren’t as critical as the impact they have on the traffic

Kolin needs to collect forensic data from an Azure-hosted VM. What should he do to validate his forensic data after capturing disk snapshots for the VM’s OS and data disks? A. Compare the hashes of the VM’s OS and data disks and the snapshots of each. B. Make two copies of the snapshots and compare hashes between the snapshot hashes. C. Export the VM as a hash, then validate the hash. D. Export the VM as a disk image and compare the disk image’s digital signature to the original.

**Answer: A. Compare the hashes of the VM’s OS and data disks and the snapshots of each.** **Azure’s best practices suggest creating disk snapshots for both the VM’s operating system(OS) and data disks, safely storing the snapshots, then comparing hashes between the images and the originals.** Comparing the hashes of a snapshot to a copy won’t validate it against the original, VMs can’t be exported as hashes, and disk images aren’t signed in a way that makes sense for this type of forensic use. If you’d like to read the full practice document for more detail, you can find it at https://docs.microsoft.com/en- us/azure/architecture/example-scenario/forensics.

Ilya wants to use an ITIL v4–based practice for capacity and performance management. Which of the following is not a typical subprocess for capacity and performance management under ITIL? A. Customer KPI oversight B. Service capacity management C. Component capacity management D. Capacity management reporting

**Answer: A. Customer KPI oversight** Businesses typically don’t manage customer capacity. Instead, they would assess their own capacity, known as business capacity management.

Nick’s organization has experienced a data breach of their cloud-hosted environment. Which of the following is most likely to need to be communicated with based on regulations? A. Vendors B. Customers C. Partners D. Law enforcement

**Answer: B. Customers** Data breach regulations typically focus on customer notification. Nick should work with legal counsel to ensure that his organization is compliant with any notification requirements for his industry and location.

Valerie has created disk images of virtual machines running in her cloud environment. What key digital forensic requirement should she ensure is handled properly if she believes that the information will be used for a legal case in the future? A. Legal hold B. Chain of custody C. Seizure requirements D. Disposal requirements

**Answer: B. Chain of custody** **Valerie should carefully document the chain of custody for the disk images so that they can be considered valid for potential legal action.** Legal hold is the process for preserving data for legal action, not for documenting actions taken with disk images and other forensic artifacts. Seizure is a type of acquisition but isn’t mentioned here, and disposal would occur after the potential legal case.

Asha wants to take advantage of her cloud provider’s ability to schedule instances to match her business practices. What practice will help her handle a large number of instances with different scheduling requirements? A. Using a third-party scheduler B. Enabling auto-scheduling C. Tagging D. Disabling unused instances

**Answer: C. Tagging** **Tagging is a critical part of instance scheduling, but even more so for large numbers of instances.** It allows schedules to be easily applied to all instances with the proper tags. Since Asha wants to use her cloud provider’s scheduling, a third party does not meet her requirements. Auto-scheduling was made up for this question, and disabling unused instances helps with spend, but doesn’t help more than tagging would for scheduling.

Which of the following is not an aspect of host hardening? A. Removing all unnecessary software and services B. Patching and updating as needed C. Adding new hardware to provide increased performance D. Installing a host-based firewall and an intrusion detection system (IDS)

**Answer: C. Adding new hardware to provide increased performance** **Adding new hardware to increase performance is not an element of hardening.** Hardening is the process of provisioning a specific element (in this case, a host) against attack. Audits don’t protect against attacks; they only detect and direct responses to attacks.

Isabella has been asked to review her organization’s patch management scheme. The current process focuses on manual patch installation on a weekly window. Isabella is interested in moving to an automated patch deployment process on a more frequent basis. What risk is most commonly associated with automated patching systems? A. The potential to disrupt systems due to a patching issue or bad patch. B. The inability to report on patches that fail installation. C. The inability to report on patches that are not installed. D. The potential to increase patching speed and accuracy.

**Answer: A. The potential to disrupt systems due to a patching issue or bad patch.** Automated patching systems can cause disruptions if a bad patch is released or if there is an installation problem that is not detected. That means that a human is often in the loop for patching, or that patches are installed in nonproduction environments first where they can be validated prior to further installations. **Automated systems typically can report on patches that fail installation and on systems that do not have patches in place, and it is a desirable feature to speed patching and patch accuracy via automation.**

To enhance virtual environment isolation and security, a best practice is to ___________________. A. Ensure that all virtual switches are not connected to the physical network B. Ensure that management systems are connected to a different physical network than the production systems C. Never connect a virtual switch to a physical host D. Connect physical devices only with virtual switches

**Answer: B. Ensure that management systems are connected to a different physical network than the production systems** The management systems control the entirety of the virtual environment, and are therefore extremely valuable and need to be protected accordingly. When possible, isolating those management systems, both physically and virtually, is optimum.

Deployment management is a component of which service management practice in ITIL v4? A. Problem management B. Release management C. Change management D. IT asset management

**Answer: B. Release management** ITIL v4 categorizes deployment management as part of release management.

Carlos wants to monitor CPU load, temperature, and voltages for his virtual machine. What should Carlos do to achieve this? A. Carlos cannot track temperature and voltages for his virtual system, but he can track load using the underlying hardware. B. Carlos cannot track load, but he can track temperature and voltages for his virtual system and should use the underlying hardware for the VM. C. Carlos cannot track temperature and voltages for a virtual CPU, but he can track load via the operating system. D. Carlos cannot track load and voltages, but he can install a thermal sensor to track his virtual machine’s temperature.

**Answer: C. Carlos cannot track temperature and voltages for a virtual CPU, but he can track load via the operating system.** Carlos knows that virtual machines use virtualized processors and that temperature and voltages can’t be tracked for virtual CPUs. He can track load, and most operating systems have a built-in method for doing so. If voltages and temperature are an ongoing concern, he will need to monitor them at the underlying operating system, hardware, or hypervisor level.

Megan is responsible for ensuring that her organization’s continual service improvement efforts are meeting their goals. What formal role does Megan hold under ITIL? A. CSI manager B. Process architect C. Process owner D. Customer

**Answer: D. Customer** Megan is a process owner and is responsible for the fit-to-purpose for the continual service improvement effort. Continual service improvement managers (CSI managers) improve ITSM processes and services. Process architects ensure that processes work together and support each other effectively, and customers consume or purchase services.

Felicia wants to apply rules to her Amazon AWS VPC to limit the IPs that can contact her servers. What feature should she use to do this? A. Honeypots B. IDS C. IPS D. Network security groups

**Answer: D. Network security groups** Felicia wants to perform firewall-like rules-based filtering, which is a function of network security groups. Honeypots are used to capture and observe attacker behaviors, and IDSs and IPSs are used to detect and, in the case of IPSs, potentially prevent attacks based on behaviors and signatures.

Designing system redundancy into a cloud datacenter allows all the following capabilities except ___________________. A. Incorporating additional hardware into the production environment to support increased redundancy B. Preventing any chance of service interruption C. Load-sharing/balancing D. Planned, controlled failover during contingency operations

**Answer: B. Preventing any chance of service interruption** Risk can’t be entirely prevented, but it can be drastically reduced. **Hardware redundancy, local sharing and balancing, and failure mode design are all common practices when designing redundancy into cloud datacenters.**

Raj is required to provide proof of PCI compliance to his acquiring bank. What should he ask for from his cloud service provider? A. An attestation of compliance B. An SOC 1 Type 1 audit C. An SOC 2 Type 2 audit D. To allow him to conduct a PCI audit of the vendor

**Answer: A. An attestation of compliance** **Cloud providers who are PCI-compliant will typically provide an attestation of compliance upon request. This type of documentation is important for regulators as part of compliance validation.** SOC audits don’t specifically test PCI compliance, and most vendors will not allow customers to conduct PCI assessments of their underlying infrastructure.

Naomi wants to conduct a vulnerability scan of her cloud environment. What requirement is she likely to need to meet with her cloud service vendor for an IaaS environment? A. She can only scan her own internal systems. B. She will have to use the service provider’s scanning tools. C. She can only scan her own external systems. D. She will need to schedule a time and date for the scans.

**Answer: A. She can only scan her own internal systems.** IaaS vendors typically allow customers to scan their own internal systems, but may recommend that certain types of instances with lower resources are not scanned to avoid disruption. While vendors may provide scanning tools, they typically don’t require customers to use them in an IaaS environment. Since external scans can inadvertently impact other customers, external scanning is typically prohibited or limited, and scheduling a time and date may be required for more advanced or specialized testing.

Naomi has completed her vulnerability scan and wants to remediate the systems she has discovered vulnerabilities on. What is a typical patching process for IaaS-hosted systems when concerns exist about the potential impact of patching? A. Use a script to patch each system. B. Stand up new, patched instances, then replace the unpatched systems using load balancers. C. Create new instances with the patches installed, shut down the existing instances, and assign new IP addresses for the new systems. D. Manually patch each system.

**Answer: B. Stand up new, patched instances, then replace the unpatched systems using load balancers.** **Using load balancing to drain load from existing systems and then replacing them with new, patched instances is a common best practice for cloud-hosted service environment patching.** Manual and scripted patching can cause outages, as could re-IPing as systems are swapped over.

When putting a system into maintenance mode, it’s important to do all of the following except ___________________. A. Transfer any live virtual guests off the host B. Turn off logging C. Lock out the system from accepting any new connections D. Notify customers if there are any interruptions

**Answer: B. Turn off logging** Disabling logging would prevent administrators from diagnosing problems. Transferring users, preventing new connections, and notifying customers are all common practices when entering maintenance mode.

The operating system that Jack wants to install in his cloud environment requires a cryptographic store as part of the boot process to ensure that the hardware has been validated. Which of the following tools will allow him to meet this requirement? A. Hardware HSM B. Cloud TPM C. Virtual TPM D. Cloud HSM

**Answer: **

Yarif runs an operating system and then uses a hypervisor running on that operating system to run virtual machines. What type of hypervisor is he running? A. A classic hypervisor B. Type 1 C. An advanced hypervisor D. Type 2

**Answer: **

What key function is described by ITIL’s incident management practice? A. Engaging third-party responders based on best practices. B. Managing problem escalations. C. Restoring a service as soon as possible after an incident. D. Identifying incidents to allow response.

**Answer: **

Lucca has experienced an event that interrupts normal service in his organization. How would ITIL classify this? A. As an incident B. As an SLA violation C. As a problem D. As an MSA violation

**Answer: **

What description best explains the relationship between problems and incidents? A. Every problem is the result of an incident, but not all incidents are problems. B. Problems and incidents are distinct and unrelated. C. Problems are handled by support desks, and incidents are handled by security professionals. D. Every incident is the result of a problem, but not all problems are incidents.

**Answer: **

Olivia wants to establish key performance indicators compatible with ITIL for her availability management practice. Which of the following is not a useful availability KPI? A. Availability of the service relative to SLAs for the service B. The number of service interruptions C. The duration of the service interruptions D. The number of individuals impacted by service interruptions

**Answer: **

What underlies the information security management according to ITIL v4? A. Event filtering and correlation rules B. Security advisories C. Information security policies D. Security alerts

**Answer: **

Emily is in charge of her organization’s deployment management as part of a CI/CD pipeline. What process typically needs to occur for a deployment to occur? A. A change request must be approved. B. The change advisory board must review the change. C. Automated testing and validation must be completed successfully. D. The next version must enter the pipeline.

**Answer: **

Chris wants to capture forensic data in his cloud environment. What type of capture meth odology is most likely to be used for virtual machines in a cloud infrastructure as a service environment? A. Forensic image acquisition using a tool like DD B. Use of the provider’s snapshot tool C. Forensic image acquisition using a tool like DBAN D. Use of the provider’s file copy utilities

**Answer: **

Tools like Terraform, CloudFormation, Ansible, Chef, and Puppet are often associated with what type of strategy? A. Incident response B. Agile SDLC C. Infrastructure as code D. Legal hold

**Answer: **

Alaina wants to align her organization’s service-level management to an ISO standard. Which ISO standard describes service management? A. ISO 20000- 1 B. ISO 27001 C. ITIL v4 D. COBIT

**Answer: **

Rene is an SOC manager and wants to centralize incident and log information. What type of tool should she acquire and implement? A. NOC B. SIEM C. IPS D. DLP

**Answer: **

Amanda wants to use logging from her IaaS cloud environment to determine if an external user is accessing one of her servers. What type of logging should she enable in her cloud provider’s environment to do so? A. System logging B. Performance logging C. Flow logging D. Storage bucket logging

**Answer: **

What risk does an IPS pose that an IDS does not? A. An IPS cannot use signature-based detection. B. An IPS can block legitimate traffic. C. An IPS cannot use behavior-based detection. D. An IPS can fail open, while an IDS cannot.

**Answer: **

Amanda wants to use her SIEM to detect attacks based on network traffic and behavior baselines that adapt to changes over time using learning techniques. What feature is she most likely to use for this purpose? A. AI B. Log correlation C. Threat intelligence D. Reporting

**Answer: **

Kathleen knows that her cloud provider makes a DHCP service available to systems in their IaaS environment. What does she know that her systems will receive from the DHCP server? A. A default gateway, subnet mask, DNS server, and IP address B. A default route, a subnet mask, an IP address, and a MAC address C. An IP address and a MAC address D. An IP address, a subnet mask, a DNS server, and firewall rule definitions for the local network

**Answer: **

Ben wants to secure his virtualization environment. Which of the following is not a common security practice used to help protect virtualization infrastructure and systems? A. Enable secure boot. B. Disable cut and paste between the VM and console. C. Remove unnecessary hardware. D. Use the virtual machine console whenever possible.

**Answer: **

Chelsea wants to prevent network-based attacks against her cloud-hosted system. Which of the following is not an appropriate solution to stop attacks? A. Honeypots B. Firewalls C. Security groups D. Intrusion prevention systems

**Answer: **

Methods for achieving high-availability cloud environments include all of the following except A. Using instances running on alternate CPU architectures B. Multiple system vendors for the same services C. Explicitly documented business continuity and disaster recovery (BC/DR) functions in the service-level agreement (SLA) or contract D. Failover capability back to the customer’s on-premises environment

**Answer: **

Susan’s website is unable to be loaded by her customers due to a system outage. What ITIL practice should Susan invest in to ensure that this does not happen again? A. Availability management B. Deployment management C. Change management D. Capacity management

**Answer: **

Li’s organization uses a software as a service(SaaS) tool for their productivity work. After a recent compromise of user credentials, Li wants to perform digital forensics. What types of information can Li obtain for forensic analysis in an SaaS environment? A. Logs B. Disk images C. VM snapshots D. Network packet capture data

**Answer: **

What ISO/IEC 20000-1 capacity management subprocess is most closely aligned with SLAs with customers? A. Business capacity management B. Service capacity management C. Contract capacity management D. Component capacity management

**Answer: **

Derek wants to set up a 24×7 team to monitor for and respond to security incidents. What should he implement? A. SIEM B. NAS C. SCCM D. SOC

**Answer: **

Hui’s organization uses a tool to automate the configuration, deployment, and coordination of hundreds of small IaaS instances that make up her organization’s application stack. What term best describes this type of tool? A. Scheduling B. Maintenance mode C. Orchestration D. Abstraction

**Answer: **

Megan’s organization uses a tool that captures a system and network behavioral baseline, then monitors for changes from that baseline that may indicate compromises. The tool uses the data it captures to update its model and to become more accurate in its detections. What type of tool is Megan using? A. IPS B. Artificial intelligence C. Log analysis D. Forensic data capture

**Answer: **

Jim has deployed a system that appears to be a vulnerable host on a network. The system is instrumented to capture attacker commands and tools. What type of network security control has Jim deployed? A. A honeypot B. A darknet C. A honeynet D. A bastion host

**Answer: **

Olivia has identified data that she wants to capture as part of a digital forensics effort. What step typically comes after forensic artifacts are identified? A. Analysis B. Documentation C. Presentation D. Preservation

**Answer: **

Mike’s organization is considering adopting an infrastructure as code (IaC) strategy. What should Mike identify as a potential risk in an IaC environment? A. IaC decreases consistency. B. IaC is not easily updated. C. IaC decreases speed. D. IaC can cause errors to spread quickly.

**Answer: **

Keith is preparing to implement a storage cluster for his organization. Which of the following is not a benefit that he can expect to come from using storage clusters? A. Lower cost B. Higher performance C. Greater availability D. Increased capacity

**Answer: **

Lisa wants to maintain a configuration model for her organization that contains all of the information that the organization needs about their CIs(configuration items). What ITIL process should she follow? A. Configuration control B. Configuration identification C. Configuration verification D. Configuration audit

**Answer: **

Dan is considering what key data he should gather about systems in his IaaS environment. He is moving from a traditional on-site datacenter and has the following list of monitoring items he currently tracks. Which of the following will he still be able to track in an IaaS platform? A. CPU utilization B. Fan speed C. System temperature D. CPU voltage

**Answer: **

What term is used to describe a component or service that needs to be managed as part of configuration management efforts in an organization? A. Configuration model B. Configuration record C. Configuration item D. Service asset

**Answer: **

Henry knows that his IaaS provider bills are based on usage for his instances. Which of the following is not usually a billable item for IaaS providers for their typical instances? A. Compute usage B. Network bandwidth usage C. Storage usage D. Latency

**Answer: **

Charles wants to obtain forensic artifacts for his IaaS cloud-hosted systems. Which of the following is not an artifact typically captured for IaaS cloud-hosted systems? A. The hypervisor’s memory state B. Disk volumes C. The instance’s memory state D. Logs from the cloud environment

**Answer: **

Selah wants to conduct a vulnerability scan of her SaaS provider’s service as part of her ongoing security operations responsibility. What should she do? A. Contact the provider and ask about appropriate scan windows. B. Request vulnerability scan data from the vendor. C. Scan the provider on a regular basis whenever she wants to. D. Consider asking the SaaS provider about their own patching and scanning practices.

**Answer: **

Which of the following has the highest impact in determining whether the business continuity and disaster recovery (BC/DR) effort has a chance of being successful? A. Perform an integrity check on archived data to ensure that the backup process is not corrupting the data. B. Encrypt all archived data to ensure that it can’t be exposed while at rest in the long term. C. Periodically restore from backups. D. Train all personnel on BC/DR actions they should take to preserve health and human safety.

**Answer: **

Chris wants to use an ISO standard for collecting, preserving, and identifying electronic evidence. What ISO standard should he select? A. ISO/IEC 27001:2012 B. ISO/IEC 27037:2012 C. ISO/IEC 9000:2016 D. ISO/IEC 27002:2022

**Answer: **

Melissa is responsible for establishing an SOC in her organization. Which of the following services is not a typical SOC offering? A. Vulnerability management B. Threat management C. Incident response D. eDiscovery

**Answer: **

Ryan wants to perform a backup of his GitHub-hosted code repository. What option should he choose to ensure that he has a backup he controls? A. Use GitHub’s built-in backup capability. B. Use the API to clone the repository. C. Use GitHub’s snapshot tool to clone the repository to another repo. D. Use a third-party GitHub repository copy.

**Answer: **

ISO/IEC 20000- 1 includes three subprocesses for capacity management. Which of the following lists matches those three subprocesses? A. Business capacity management, service capacity management, component capacity management B. Staffing capacity management, service capacity management, component capacity management C. Business capacity management, service capacity management, organizational capacity management D. Staffing capacity management, business capacity management, and component capacity management

**Answer: **

Maria is planning her organization’s ISO/IEC 20000-1–based release management plan. Which of the following elements is not typically part of an RDM plan? A. Risk assessment B. Build planning C. Testing D. Decommissioning

**Answer: **

Hannah wants to align her information security management program to ISO/IEC 20000- 1. According to the standard, what must be done with an information security policy? A. Establish, approve, and communicate an information security policy. B. Create and regularly update an information security policy. C. Adopt an ISO/IEC standard template-based information security policy. D. Undergo a third-party review of the organization’s security policy.

**Answer: **

Mike’s VMWare cluster moves virtual machines from heavily loaded hosts to hosts with lower loads. What technology is Mike using? A. Automatic instance management B. Distributed resource scheduling C. Round-robin load balancing D. Instance segregation

**Answer: **

Which of the following is not commonly measured as part of a disk’s hardware monitoring? A. Powered-on time B. Drive temperature C. Drive health D. Used capacity

**Answer: **

ITIL v4 defines four subprocesses for service-level management. Which of the following is not one of the four subprocesses? A. Maintenance of the service-level management framework B. Identification of service requirements C. Pricing structures and penalties D. Service-level monitoring and reporting

**Answer: **

Michelle wants to run an application from low-trust devices. What type of cloud-based solution could help her run the application in a secure way? A. Use a local virtual machine. B. Use a bastion host. C. Use a jumpbox. D. Use a virtual client.

**Answer: **

Because most cloud environments rely heavily on virtualization, it is important to lock down or harden the virtualization software or any software involved in virtualization. Which of the following is not an element of hardening software? A. Removing unused services and libraries B. Maintaining a strict license catalog C. Patching and updating as necessary D. Removing default accounts

**Answer: **

What key document in business continuity management practices ensures that organizations can return to a known, consistent state as well as to a working state? A. The business continuity strategy B. The recovery plan C. The IT service continuity report D. The disaster recovery invocation guideline

**Answer: **

Jason’s company operates their small business in a cloud-hosted environment. After a recent breach, Jason wants to conduct forensics. What should Jason do to ensure his organization conducts proper forensic capture in a cloud environment if he is not a forensic practitioner? A. Follow ISO standards to identify and preserve the data. B. Engage third-party forensic professionals. C. Follow his cloud provider’s best practices to identify and preserve the data. D. Request that his cloud provider perform the forensic efforts.

**Answer: **

Which of the following factors would probably most affect the design of a cloud datacenter? A. Geographic location B. Proximity to population centers C. Cost D. Security requirements

**Answer: **

Rick is creating a policy defining his organization’s change management process. Which of the following is not a common change management policy element? A. Defining the composition of the change management board B. The change management process itself C. A requirement to prevent deviation from the baselines established in the policy D. Enforcement measures

**Answer: **

Which of the following cloud datacenter functions do not have to be performed on isolated networks? A. Customer access provision B. Management system control interface C. Storage controller access D. Customer production activities

**Answer: **

When cloud computing professionals use the phrase ping, power, pipe, which of the following characteristics is not being described? A. Logical connectivity B. Human interaction C. Electricity D. Facility space

**Answer: **

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own datacenter located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which tier of the Uptime Institute rating system should you be looking for, if minimizing cost is your ultimate goal? A. 1 B. 3 C. 4 D. 8

**Answer: **

Isaac is the IT manager for a small surgical center. His organization is reviewing upgrade options for its current, on-premises datacenter. The organization wants to increase its disaster recovery and business continuity capabilities without making significant investments in staffing or technology. Which of the following options should Isaac recommend? A. Building a completely new datacenter B. Adding additional DR/BC capabilities to the existing datacenter C. Moving to a cloud-hosted datacenter D. Staying with the current datacenter

**Answer: **

What does chain- of- custody documentation and tracking help with? A. Nonrepudiation B. Plausible deniability C. Data tampering by investigators D. Engaging with law enforcement

**Answer: **

Ben wants to provide logical separation between the two network segments. What technology is often used to define networks for this purpose? A. DHCP B. VLANs C. VPNs D. STP

**Answer: **

When designing a cloud datacenter, which of the following aspects is not necessary to ensure continuity of operations during contingency operations? A. Access to clean water B. Broadband data connection C. Extended battery backup D. Physical access to the datacenter

**Answer: **