Flash Cards
1
Q
Who determines under what circumstances a private cloud meets the policies and needs of an organization’s strategic goals and contractual requirements (from a technical perspective)?
A
Cloud architect
2
Q
This open source IaaS platform was developed to assist IaaS cloud providers in creating, deploying, and managing services through a single “stack” of features for the cloud environment.
A
Apache CloudStack
3
Q
This term refers to the increasing diversity of cloud services available today as opposed to those same services being provided locally or on premise.
A
Anything-as-a-Service
4
Q
This form of cloud storage involves the enterprise and storage service being separate, with data stored outside the confines of the enterprise environment.
A
Public cloud storage
5
Q
This term refers to the idea of leveraging cloud computing as a way of creating offsite storage with little or no hardware requirements for the enterprise.
A
Online backup
6
Q
The purpose of this document is to ensure appropriate security requirements and controls are applied to all U.S. federal government information and information management systems.
A
NIST 800-53
7
Q
This form of cloud storage applies to storing mobile device data in the cloud while providing access to the stored data from anywhere.
A
Mobile cloud storage
8
Q
This type of cloud storage involves using both public cloud and enterprise private cloud storage.
A
Hybrid cloud storage
9
Q
This term describes software applications that help the business in solving enterprise problems.
A
Enterprise application
10
Q
This term refers to an open source platform for cloud computing and IaaS in a private cloud environment.
A
Eucalyptus
11
Q
This term refers to the accreditation used to distinguish between secure and well-established crypto modules produced in the private sector. It stands as a certification for those producers who need them to be used in regulated industries that typically collect, store, transfer, and share data that is deemed to be sensitive in nature but not classified.
A
FIPS 140-2
12
Q
What is the term used when a virtual desktop infrastructure is outsourced to a third party?
A
Desktop as a Service
13
Q
This term refers to the ability of individuals to store their data over the Internet using a storage service provider as opposed to the data being stored locally on a disk or tape backup.
A
Cloud backup solutions
14
Q
This term describes a kind of computing model that relies on sharing compute resources in a remote location as opposed to the use of local servers or personal devices to handle computing processes.
A
Cloud computing
15
Q
What is an organization that buys hosting services with the intent of reselling them to its own customers?
A
Cloud computing reseller
16
Q
The testing of load and performance capabilities on the services and applications provided by cloud computing providers is designed to ensure optimal performance and scalability under varying conditions. What is it called?
A
Cloud testing
17
Q
One type of hosting occurs when hosting services are made available on demand. As opposed to a single physical or virtual server, cloud services are set up to utilize multiple connected servers that are part of the cloud infrastructure.
A
Cloud server hosting
18
Q
This type of database is accessible from the cloud provider on demand over the Internet to the user/customer.
A
Cloud database
19
Q
This specification is engineered to ease the management of multiple applications, which include packaging and delivery across public and private cloud platforms.
A
Cloud Application Management for Platforms (CAMP)
20
Q
This term refers to the processes involved with making available cloud providers, clients, and applications, resulting in the creation of a public cloud computing environment.
A
Cloud enablement
21
Q
The term, often used in place of Platform as a Service (PaaS), describes an association with cloud computing.
A
Cloud OS
22
Q
What is the processes involved in the transitioning of a part or all of a company’s data, applications, and services from a traditional on-premises enterprise environment to one in the cloud where information can be accessed from anywhere, anytime?
A
Cloud migration
23
Q
The service provider that offers storage, computing, and/or software applications that are available across the Internet from anywhere, anytime.
A
Cloud provider
24
Q
The ability for a consumer or user to be able to move their associated applications and/or data between competing cloud providers or between public and private clouds.
A
Cloud portability
25
Selecting which applications and services that will reside in the public cloud, and which will not, is the first stage in the process resulting in the deployment of a company’s cloud strategy. What is it known as?
Cloud provisioning
26
The person who adapts, ports, and deploys applications to a target environment.
Cloud application architect
27
The process of utilizing cloud management tools to ensure that cloud computing services are working properly through the use of software and technologies designed for operation and monitoring of cloud applications, data, and services.
Cloud management
28
A shortened phrase used to describe applications accessed via the cloud. These applications are never installed locally and are always accessed over the Internet.
Cloud apps
29
A type of storage whereby an organization’s data is stored in and accessible from any location of distributed and connected components of cloud computing.
Cloud storage
30
This person is responsible for all for the implementation, monitoring, and maintenance of the cloud environment either within the organization or on behalf of an organization as a vendor.
Cloud administrator
31
These individuals are tasked with development for the cloud infrastructure. Their development efforts may include client tools, solutions engagements, and system components.
Cloud developer
32
A third party who manages and distributes remote, cloud-based data backup services, and solutions from a central datacenter location.
Cloud backup service provider
33
Software that is hosted in the cloud on remote servers and performs accounting functions.
Cloud computing accounting software
34
One type of cloud storage wherein cloud and enterprise storage both reside inside the enterprise behind the firewall.
Private cloud storage
35
This enables the IT infrastructure to become more adaptive to changing business needs and requirements.
Cloud data architecture
36
This service offers customers the ability to rent hardware, OS, storage, and network capacity over the Internet from a cloud service provider.
Infrastructure as a Service
37
This form of cloud storage involves storing an individual’s data in the cloud, allowing that person access from anywhere, anytime
Personal cloud storage
38
A collection of distributed and connected resources used for storing and managing data online in the cloud.
Storage cloud
39
This model hosts software by a cloud vendor or service provider and is available to customers over network resources.
Software as a Service
40
These technologies describe what enables cloud computing to be a real and highly scalable service offering due to decreased costs and resource sharing across multiple tenants and environments.
Virtualization technologies
41
These cloud computing and services are designed for a particular vertical industry such as banking, healthcare, or some other specific-use application.
Vertical cloud computing
42
This term describes what happens when a customer is unable to leave, migrate, or transfer to an alternate cloud provider due to technical or nontechnical constraints.
Vendor lock-in
43
A model for examining the nature and severity of threats whose name is derived from and based on the following six categories: Spoofing identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
STRIDE threat model
44
This term refers to a type of testing environment where untested code changes and experimentation from the production can occur safely in isolation. It is usually used in the context of software development, including web development and revision control.
Sandbox
45
When testing an application or software product in an operating state, we use this.
Dynamic application security testing (DAST)
46
This method of computer access control uses authentication factors from at least two of three categories of knowledge factors; what the user knows, what the user has, and/or what the user is.
Multifactor authentication
47
This term is used in describing capabilities of a network to differentiate and provide differing qualities of service to various types of network traffic over different communication technologies such as ATM, Ethernet, and IP routed networks.
Quality of service (QoS)
48
The encapsulation of application software from the underlying operating system on which it is executed
Virtualization encapsulation
49
This security discipline is about enabling the right individual’s access to the right resources at the right time for the right reasons.
Identity access management (IAM)
50
This standard is designed for the exchange of authentication and authorization data between security domains.
Security Assertion Markup Language (SAML)
51
Routines, standards, protocols, and tools for connecting software applications to web-based services, applications, or tools.
Application programming interface (API)
52
This term identifies an arrangement among multiple enterprises that allows subscribers or users to use the same identification data or credentials, and to obtain access to the networks and all associated resources of the enterprises participating in the arrangement.
Federated identity management
53
This type of filter, appliance, or server plug-in is used to apply a set of rules to HTTP conversations in real time as a way of protecting from common attacks such as cross-site scripting or SQL injection.
A web application firewall (WAF)
54
This standard, which introduces definitions, concepts, principles, and processes involved in application security, provides an overview of application security.
ISO/IEC 27034-1
55
This involves making a structurally similar yet inauthentic copy of an organization’s data that is then used strictly for purposes of software testing and user training
Data masking
56
This subset of an ONF contains only information necessary for reaching a targeted level of trust for a specific business application.
Application Normative Framework (ANF)
57
This is a set of technologies aimed at analyzing source code, byte code, and binaries for coding and design conditions that show indications of security vulnerabilities.
Static application security testing (SAST)
58
A security technology used for the monitoring and analysis of database activity. It operates independently of the database management system (DBMS) and is independent of any native DBMS-resident auditing or native logs such as trace or transaction logs.
Database activity monitoring (DAM)
59
When the number of users connected to a system or systems exceeds the number that can be fully supported simultaneously.
Oversubscription
60
Using two or more storage servers in tandem in order to increase performance, capacity, and/or reliability. This technique also distributes the workloads and ensures access to all files from all servers at all times regardless of physical location of data.
Storage clusters
61
The framework of items that contains all of the components of application security best practices that are catalogued and leveraged by the enterprise.
Organizational Normative Framework (ONF)
62
This type of cloud offering is provisioned for open use by the public. It can be owned, managed, or operated by any combination such as a business, academic institution, or government organization and exists on the premises of the cloud provider.
Public cloud
63
One phase of the SDLC where all functional features of the system used in development are described independently of any computer platform.
Logical design
64
This international standard was developed to develop and maintain an information systems management system (ISMS), which is composed of interrelated elements that organizations use to manage information security risks and to support the CIA triad.
ISO/IEC 27001:2013
65
These are often used as decoys and consist of a computer, data, or a network site that appear to be part of a legitimate network but are in fact bogus. They are isolated and monitored for activity in the hopes of discovering information about possible malicious attacks or attackers.
Honeypots
66
The use of many smaller disks, as opposed to a single large one, that when configured allows the drives to be placed in a group, thereby increasing performance and redundancy and reducing the chances of data loss.
Redundant array of inexpensive disks (RAID)
67
These devices are used to securely store and manage encryption keys. The keys can be used for such purposes as securing data transmissions and protecting log files.
Hardware Security Module (HSM)
68
This configuration is used to isolate network components, such as web servers, that are accessible by untrusted networks and therefore external attacks.
Demilitarized zone (DMZ)
69
A set of processes and structures used to effectively manage all risks to an enterprise.
Enterprise risk management
70
This type of storage is broken down into objects, which include additional metadata (content type, redundancy required, creation dates, etc.) They are accessed through APIs and often a web interface.
Object storage
71
This term describes the relationship between shareholders and stakeholders versus senior management of the corporation.
Corporate governance
72
This controls the entire infrastructure. As such, part of it will be exposed to customers independent of their location, thus making it a highly valued asset to be protected.
Management plane
73
This term describes the granting the right of access to a program, process, or user.
Authorization
74
This term describes the process or act of verification of eligibility of a station, originator, or individual to access specific categories of information. It is also designed to protect against fraudulent transmissions by establishing validity of the transmission or its originator.
Authentication
75
Still a developing concept, this partly addresses the management of network components, the objective of which is to provide a control plane that can manage network traffic via an abstraction layer as opposed to direct device management.
Software defined networking (SDN)
76
This service replicates data across the global Internet.
Content delivery network (CDN)
77
This framework is designed to enable cooperation between cloud consumers and provider in demonstrating appropriate risk management.
Security Alliance’s Cloud Control Matrix (CCM)
78
A managed database service, usually stored and operated in the cloud.
Database as a Service
79
This methodology and toolset allow security professionals to leverage a common set of solutions to fulfill common needs in assessing the status of both their internal IT and cloud provider’s security capabilities and to create a roadmap to meet those needs.
TCI Reference Architecture
80
This type of risk assessment uses a set of methods, principles, and rules based on the use of numbers. It also supports cost–benefit analyses of alternative risk responses.
Quantitative risk assessment
81
This monitors inbound and outbound data packets from the device on which it is installed and alerts users or admins only if suspicious activity is detected.
Host intrusion-detection systems (HIDS)
82
This particular cloud infrastructure is composed of two or more distinct and different cloud infrastructures (private, community, or public) and still remains a unique entity while bound together by standardized or proprietary technologies that enables data and application portability (e.g., cloud bursting, for load balancing between clouds).
Hybrid cloud
83
The database used for mapping DNS domain names to various types of data such as IP addresses. This hierarchical database permits us to use human-readable or “friendly” names, such as www.isc2.org, to locate computers and resources associated with that name without having to know the IP address associated with the object.
Domain Name System (DNS)
84
A newer, more secure form of the original, that involves a suite of extensions to add security to the DNS protocol that enables DNS responses to be validated. Specifically, it provides for origin authority, data integrity in responses, and authenticated denial of existence.
Domain Name System Security Extensions (DNSSEC)
85
This type of cloud infrastructure is provisioned for use by a single entity (organization, corporation, etc.) consisting of many consumers. It can be owned, operated, and/or managed by the organization itself, a third party, or some combination of the two and may exist either on or off premises.
Private cloud
86
This type of cloud infrastructure is designed for use by a specific community of organizations with shared concerns (e.g., mission, security requirements, policy, and/or compliance considerations).
Community cloud
87
This type of networking model for cloud deployments is designed with standard perimeter protection mechanisms, with the underlying storage and IP networks converged to maximize benefits for the cloud workload.
Converged networking model
88
This term is often referred to as a device but is actually a method of analyzing risk in software systems. It involves a centralized collection and monitoring of security- and event-related logs from in-scope systems. It then provides for the correlation of different events and early detection of attacks.
Security information and event management (SIEM)
89
This type of assessment typically employs methods, principles, or rules for assessing risk based on non-numerical values such as high, medium, and low.
Qualitative assessment
90
This protocol allows separate channels to carry presentation data, serial device communication, licensing, and highly encrypted data (keyboard and mouse activity).
Remote Desktop Protocol (RDP)
91
This networking model uses a layered approach with physical switches at the top layer and logical separation occurring at the hypervisor level.
Traditional networking model
92
This term describes datacenter networks, logically divided into smaller, isolated networks that share the physical networking gear but operate separately without visibility into other logical networks.
Multitenancy
93
This determines in which legal jurisdiction a dispute will be heard when a conflict of law occurs.
Doctrine of the Proper Law
94
This particular SOC report on controls at service organizations is relevant to the user entities’ internal controls over financial reporting.
Service Organizations Controls 1 (SOC 1)
95
This law was passed as a means to protect shareholders as well as the general public from accounting errors and fraudulent practices.
Sarbanes-Oxley Act (SOX)
96
The process of identifying, collecting, documenting, structuring, and communicating information from various sources in order to enable educated and swift decision making to occur.
Information gathering
97
This banking law was enacted as a way of controlling the ways that financial institutions safeguard the private information of individuals with whom they conduct business.
Gramm-Leach-Bliley Act (GLBA)
98
The rules, statues, and body of law that define conduct that is prohibited by the government and are designed to protect the safety and well-being of the public.
Criminal law
99
This term refers to processes involved where electronic data is sought, located, secured, and searched for with the intent of using it as evidence in criminal or civil proceedings.
eDiscovery
100
This international law introduces significant changes for data processor and controllers, including the concept of consent, transfers abroad, the right to be forgotten, establishment of the role of “data protection officer” access requests, home state regulation, and increased sanctions.
EU General Data Protection (EGDP) Regulation 2012
101
This law from 1986 was created as part of the Electronic Communications Privacy Act and provides for privacy protection of certain types of electronic communication and computing services from unauthorized access or interception.
Stored Communication Act
102
This body of rights, obligations, and remedies describes the remedies and reliefs for anyone suffering harm as a result of the wrongful act or acts of another.
Tort law
103
This report on Controls at a Service Organization are focused on the security, availability, processing integrity, confidentiality, and privacy of the organization and its controls.
Service Organization Controls 2 (SOC 2)
104
This 1988 act relates to the regulation with respect to the handling of personal information about individuals, including the collection, use, storage, and disclosure of personal information, and access to and the ability to correct misinformation.
Australian Privacy Act 1988
105
In 1996 this healthcare law was passed that provided national standards for electronic healthcare transactions, and national identifiers for providers, health plans, and employers
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
106
This process is a way of deliberately destroying the encryption keys used to originally encrypt data.
Crypto-shredding
107
This technique involves the splitting up and storing of encrypted information across different cloud storage services. It is virtually impossible to reconstruct without the proper keys.
Bit splitting
108
This important activity determines the impact of losing support of any particular resource to an organization, helps establish the escalation of that loss over time, identifies the minimum resources needed to recover the support or asset, and prioritizes the recovery processes and supporting systems.
Business impact analysis (BIA)
109
This term refers to the security and encryption designed to prevent unauthorized copying and limitation of distribution to those who have purchased the rights.
Digital Rights Management (DRM)
110
This activity is designed to prevent unauthorized data exfiltration.
Data loss prevention
111
These mechanisms act to restrict a list of possible actions down to allowed or permitted actions.
Control
112
This special mathematical code allows encryption hardware and/or software to encrypt and decipher encrypted messages.
Encryption key
113
The overt or secret writing technique using a bidirectional mathematical algorithm that transforms plain text into unintelligible cipher text.
Encryption
114
This method of erasure uses strong magnets for scrambling data on magnetic media such as hard drives and tape so that data is not recoverable.
Degaussing
115
This special type of encryption or encryption technique allows encrypted data to be processed without first decrypting. It is extremely slow due to the intense mathematical calculations and as a result is not practical at this time.
Homomorphic encryption
116
This cloud model provides a complete infrastructure and allows companies to install software on provisioned servers and control the configuration of all devices.
Infrastructure as a Service (IaaS)
117
This activity revolves around the generation, storage, distribution, deletion, archiving, and application of keys in accordance with security policies.
Key management
