Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CCSP 2023 > LeanZapp Practice 3 > Flashcards

LeanZapp Practice 3 Flashcards

1
Q

What should data archiving and retention policies include?

A. Names of personnel allowed to receive backup media, if third party off site archiving services are used
B. Explicit statement of data format and types of storage media
C. A list of personnel whose data will be archived on a regular basis
D. Which ISP should be used for backup procedures

A

B. Explicit statement of data format and types of storage media

Explanation:
It is important to indicate the data format and media type for long term storage in order to ensure restoration capability; outdated or obsolete data formats and media may not be useful for restoration of data to the operational environment several years after it has been stored

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on premises environment into the cloud. Which cloud service model should she most likely consider for her company’s purposes?

A. PaaS
B. SaaS
B. BaaS
D. IaaS

A

A. PaaS

Explanation:
PaaS will allow her developers to create and design their software on a variety of OSs, increasing the breath of the market she can sell to. Also, she can use geographically dispersed programmers increasing the breadth of the market she can sell to

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What the the optimal number of entrances to the cloud data center campus?

A. One
B. Two
C. three
D. Four

A

A. One

Explanation:
Controlling access is optimized by minimizing access

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which of the following is considered a technological control?

A. Firewall software
B. Fireproof safe
C. Fire extinguisher
D. Firing personal

A

A. Firewall software

Explanation:
A firewall is a technological control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following is not an essential element defining cloud computing?

A. Broad network access
B. Metered service
C. Offsite storage
D. On demand self service

A

C. Offsite storage

Explanation:
Offsite storage is not intrinsic of the definition of cloud computing; all the other options are

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The architecture of the World Wide Web, as it works today is _________

A. JSON
B. DoS
C. REST
D. XML

A

C. REST

Explanation:
The web is mainly HTTP, which is a RESTful protocol

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

In the cloud, the data processor is usually _______

A. The party that assigns access rights
B. The cloud customer
C. The cloud provider
D. The cloud access security broker

A

C. The cloud provider

Explanation:
In legal terms, when data processor is defined, it refers to anyone who stores, handles, moves or manipulates data on behalf of the data owner or controll. In the cloud computing realm, this is the cloud provider

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

When building a new data center within an urban environment, which of the following is probably the most restrictive aspect?

A. The size of the plot
B. Utility availability
C. Staffing
D. Municipal codes

A

D. Municipal codes

Explanation:
In any large metro area, government restrictions on development and construction can severely limit how you use your property; this can be significant limiting factor in building a data center

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

DLP solutions can aid in deterring loss due to which of the following?

A. Malicious disclosure
B> Performance issues
C. Bad policy
D. Power failure

A

A. Malicious disclosure

Explanation:
DLP tools can identify outbound traffic that violates the organizations policies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Risk should always be considered from a business perspective. Risk is often balanced by corresponding _________

A. Profit
B. Performance
C. Cost
D. Opportunity

A

D. Opportunity

Explanation:
The only reason organizations accept any level of risk is because of the potential benefit by a risky activity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

____________ is an agentless means of ensuring a VMs security baseline does not change over time by examining such things as physical location and network settings

A. ECC
B. VMI
C. HIDS
D. NIDS

A

B. VMI

Explanation:
Virtual machine introspection is an agentless means of ensuring a VMs security baseline does not change over time by examining things such as physical address, network settings and installed OS. These ensure that the baseline has not been inadvertently or maliciously tampered with

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

In working with various networking technologies such as Frame Relay, ATM and Ethernet, the capability of the network to provide better service to select traffic is called:

A. QaS
B. ASP
C. OLA
D. QoS

A

D. QoS

Explanation:
Quality of service refers to the capability of a network to provide better service for certain traffic regardless of the network type or topology

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which of the following best describes the purpose of a DMZ?

A. Isolates public facing network elements that would otherwise be vulnerable to attack
B. Isolates email servers that are Internet facing and protects them from attacks
C. Provides network elements such as routers that are Internet facing to protect them from attack
D. Tracks incoming attack patterns

A

A. Isolates public facing network elements that would otherwise be vulnerable to attack

Explanation:
A DMZ isolates network elements that are public facing and would otherwise be vulnerable to attack

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the following best describes a qualitative risk assessment?

A. Typically employs a set of methods, principles or rules for assessing risk based on numerical categories
B. Typically employs a set of methods, principles or rules for assessing risk based on numbers
C. Typically employs a set of methods, principles or rules for assessing risk based on nonnumerical categories
D. Typically employs a set of methods, principles or rules for assessing risk based on threat categories

A

C. Typically employs a set of methods, principles or rules for assessing risk based on nonnumerical categories

Explanation:
As opposed to quantitative assessments, which use specific numerical values such as 1,2 and 3, qualitative assessments use nonnumerical categories that are relative in nature such as high medium or low

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

In regard to most privacy guidance, the data controller is _________

A. The individual described by the privacy data
B.The entity that collects or creates the privacy data
C. The entity that uses privacy data on behalf of the controller
D. The entity that regulates privacy data

A

B.The entity that collects or creates the privacy data

Explanation:
Option B is the definition of the data controller

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which of the following laws resulted from a lack of independence in audit practices?

A. HIPAA
B. GLBA
C. SOX
D. ISO 27064

A

C. SOX

Explanation:
SOX was passed primarily to address the issues if audit independence, poor board over sight, and transparency of findings

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

When designing a cloud data center, which of the following is not necessary to ensure continuity of operations during contingency operations?

A. Access to clean water
B. Broadband data connection
C. Extended battery backup
D. Physical access to the data center

A

C. Extended battery backup

Explanation:
Backup power does not have to be delivered by batteries; it can be fed to the data center through redundant utility lines or from a generator

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Availability refers to which of the following?

A. The amount of uptime in any given 30 day period
B. The amount of uptime specified in the SLA
C. Whether authorized users can access services and/or data
D. The amount of uptime promised by the cloud vendor

A

C. Whether authorized users can access services and/or data

Explanation:
Availability is one of the three legs of the CIA triad, this represents when services and/or data can be accessed in an authorized manner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the two general delivery modes for SaaS model?

A. Ranked and free
B. Hosted application management and software on demand
C. Intrinsic motivation complex and undulating perspective details
D. Framed and modular

A

B. Hosted application management and software on demand

Explanation:
In SaaS, the cloud provider might license and deliver commercially available software for the customer, via the cloud or provide the customer access to the providers proprietary software

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Which of the following aspects of cloud computing can enhance the customers business and continuity and disaster recovery efforts?

A. Ondemand self service
B. Pooled resources
C. Virtualization
D. The control plane

A

A. Ondemand self service

Explanation:
On demand self service allows the cloud customer to provisioned those production resources during a contingency without any delay in ordering or allocating those resources

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

To protect data on user devices in BYOD environment, the organization should consider requiring all of the following except:

A. DLP agents
B. Local encryption
C. MFA
D. Two person integrity

A

D. Two person integrity

Explanation:
Although all the other options are ways to harden a mobile device, two person integrity is a concept that has nothing to do with the topic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

During a cost benefit analysis, your company determines that it spends a disproportionate amount of money on software licensing and administration. Which cloud model may best help your company reduce these costs?

A. IaaS
B. PaaS
C. SaaS
D. Hybrid

A

C. SaaS

Explanation:
In SaaS model, the cloud provider is tasked with acquiring and managing the software licenses; the scale of a cloud providers operations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

According to CSA, an organization that operates in the cloud environment and suffers a data breach may be required to __________

A. Notify affected users
B. Reapply for cloud services
C. Scrub all affected physical memory
D. Change regulatory framework

A

A. Notify affected users

Explanation:
Data breach notification laws are plentiful; organizations operating in the cloud are almost sure to be subject to one or more such laws

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Which of the following attack vectors is new to the cloud environment and was not typically found in on premises, legacy environments?

A> DDoS
B. Guest Escape
C. Internal Threats
D. Inadvertent Disclosure

A

B. Guest Escape

Explanation:
Guest Escape is prevailing threat in a vritualized, multi tenant cloud environment and was not commonly found in traditional environments

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
____________ often uses access control and encryption to prevent unauthorized copying and limitation of distribution to only those who pay A. PCI B. IRM C.SDN D. Doctrine of the Proper Law
B. IRM Explanation: Information rights management is a means to prevent unauthorized copying and limitation of distribution to only those who pay for content
26
If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would be best? A. IaaS B. PaaS C. SaaS D. Hybrid
B. PaaS Explanation: PaaS allows the cloud customer to install any kind of software, includi9ng software to be tested, on an architecture that includes any desired OSs
27
Which of the following is an example of 2FA? A. Strong passwords B. Unique user ID and password C. Something you know D. User ID and physical characteristics
D. User ID and physical characteristics Explanation: Only option D involves two distinct factor
28
Which of the following is not an acceptable means of sanitizing hardware? A. Burning B. Deletion C. Industrial Shredding D. Drilling
B. Deletion Explanation: Hardware cannot be sanitizied by deleting data. Deleting, an an operation, does not erase the data; it simply removes the logical pointers to the data for processing purposes
29
Software developers should receive cloud specific training that highlights the challenges involved with having a production environment that operates in the cloud. One of these chalennges is __________ A. The massive additional hacking threat, especially from foreign sources B. The prevalent use of encryption in all data life cycle phases C. Drastic increase of risk due to DDoS attacks D. Additional regulatory mandates
B. The prevalent use of encryption in all data life cycle phases Explanation: Because cloud operations are so dependent on encryption protections in all data life cycle phases, developers will have to accomodate the additional overhead and interoperability encryption requires
30
WHich of the following SOC report subtypes spans a period of time? A. SOC 2 B. SOC 3 C. SOC 1 D. Type II
D. Type II Explanation: A SOC Type II report is designed around a period of time as opposed to a specific point in time
31
Which type of framework contains only the information required for a specific business application to reach a targeted level of trust? A. ONF B. ISMS C. RIsk assessment D. ANF
D. ANF Explanation: An ANF is a subset of an ONF that contains only the information required for a specific business application to reach the targeted level of trust. There is many to one relationship between the ANF and ONF
32
When putting a system into maintenance mode, its important to do all the following except: A, Transfer any live virtual guest off of the host B. Turn off logging B. Lockout the system from accepting new guests D. Notify customers if there are any interruptions
B. Turn off logging Explanation: Auditing is probably even more important during maintenance mode than normal operation because administrator activity is almost always involved
33
The TLS protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what form cryptography is used for the session key? A. Symmetric Key B. Asymmetric key C. Hashing D. One asymmetric pair
A. Symmetric Key Explanation: In TLS, the parties will establish a shared secret, symmetric key, for the duration of the session
34
Which of the following would make a good provision to include in the SLA between cloud customer and provider?\ A. Location of the data center B. Amount of data uploaded/downloaded during a pay period C. Type of personnel security controls for network admins D. Physical security barriers on the perimeter of the data center campus
B. Amount of data uploaded/downloaded during a pay period Explanation: Option B is the only element that lends itself well to a discrete, objective metric
35
Of the following control techniques/solutions, which can be combined to enhance the protections offered by each? A. Razor tape/background checks B. Least privilege/generators C. DLP/DRM D. Personnel badging/secure baselines
C. DLP/DRM Explanation: Theoretically, all combinations of security controls are preferable to any one security control used by itself.
36
The PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Merchants are assigned different tiers under PCI DSS based on: A. Availability B. Redundancy C. Location of their corporate headquarters D. Number of transactions per year
D. Number of transactions per year Explanation: The different merchant tiers are based on the number of transactions a specific merchant conducts annually. All the other options are incorrect
37
Why might an organization choose to comply with ISO 27001 standard? A. Price B. Ease of implementation C. International acceptance D. Speed
C. International acceptance Explanation: The ISO standards are almost universally accepted and recognized and they are even mandated for certain industries/locales
38
Which of the following is one of the benefits of a private cloud deployment? A. Less cost B. Higher performance C. Retaining control of governance D. Reduction in need for maintenance capability on the customer side
C. Retaining control of governance Explanation: With a private cloud deployment, the customer gets to dictate government requirements, which is a significant benefit for customers in highly regulated industries
39
The OWASP Top Ten often includes invalidated redirects and forwards. Which of the following is a good way to protect against the problem? A. Dont use redirects/forwards in your applications B. Refrain from storing credentials long term C. Implement SIEM/SIM D. Implement DRM solutions
A. Dont use redirects/forwards in your applications Explanation: Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid the problem altogether, and redirects/forwards are not necessary for efficient usage
40
Which of the following is not a component of the STRIDE model? A. Spoofing B.Repudiation C. Information Disclosure D. External pentest
D. External pentest Explanation:
41
From a security perspective, automation of configuration aids in ___________ A. Enhancing performance B. Reducing potential attack vectors C. Increasing ease of use of the systems D. Reducing the need for administrative personnel
B. Reducing potential attack vectors Explanation: A secure baseline configuration, applied and maintained automatically, ensures the optimum security footprints with the least attack surface All the other options are benefits of automatic configuration but are not specifically security enhancements
42
A DAM functions at layer _______ of the OSI model A. 1 B. 2 C. 5 D. 7
D. 7 Explanation: A DAM is a Layer 7 appliance
43
MTD/MAD is a measure of which of the following: A. A point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible B. The optimal time it takes to recovery a system after an outage C. A weak point in a specific program that makes it unrecoverable after an outage has occurred D. A point in time before an incident occurs
A. A point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible Explanation: The maximum tolerable downtime/maximum allowable downtime is a point in time after an outage has occurred and beyond which recovery becomes extremely difficult or impossible
44
TLS uses _________ to authenticate a connection and create a shared secret for the duration of the session A. SAML 2.0 B. X.509 certs C. 802.11x D. The Diffie Hellman Process
B. X.509 certs Explanation: TLS uses X.509 certs to establish a connection and create a symmetric key thats last for only one session. SAML is used for federation authentication/identification; option A is incorrect
45
Who should be involved in review and maintenance of user accounts/access? A. The user's manager B. The security manager C. The account department D. The incident response team
A. The user's manager Explanation: The best answer would be the data own, because the data owner should be the ultimate arbiter of who has what access to the data under the owners control.
46
A ______ specifies which users or system processes have access to a specific object such as an application or process in addition to what operations they can perform A. DNS B. SDN C. ACL D. SLA
C. ACL Explanation: An access control list specifies which users or system processes have access to an object
47
What is probably the single most important way of countering the highest number of items on the OWASP Top Ten? A. Social engineering training B. Disciplined coding practices and processes C. White box source code testing D. Physical controls at all locations at which the application is eventually used
B. Disciplined coding practices and processes Explanation:
48
Cloud providers will probably not allow ________ as part of a customers pen test A. Network mapping B. Vulnerability scanning C. Reconnaissance D. Social engineering
D. Social engineering Explanation: Performing live deception and trickery against employees of the cloud provider could be construed as unethical and possible illegal, especially without their knowledge and/or consent. Social engineering probably wont be involved in pentests run by customers
49
The TLS protocol creates a secure communications channel over public media (such as the Internet). IN a typical TLS session, who intiiates the protocol? A.The server B. The client C. The certifying authority D. The ISP
B. The client Explanation: In a typical TLS handshake, the client sends the message that initiates the negotiation of the session
50
Bit splitting also provides security against data breaches by _________ A. Removing all access to unauthorized parties B. Ensuring that an unauthorized user only gets a useless fragment of data C. Moving data cross jurisdictional boundaries D. Tracking all incoming access requests
B. Ensuring that an unauthorized user only gets a useless fragment of data Explanation: Bit splitting involves chopping data sets up into segments and storing those segments in multiple places/devices An attacker getting access to one segment wont be gaining anything of value because one segment of the data set would most likely make no sense out of context
51
How are virtual machines moved from active hsots when the host is being put into maintenance mode? A. As a snapshotted image file B. In encrypted form C. As a live instance D. Via portable media
C. As a live instance Explanation: Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another and how VMs are moved prior to maintenance on a physical device
52
The CSA CCM lists security controls from all the following frameworks except __________ A. ISACAs Control Objective for Information of Related Technology B. PCI DSS C. CMM D. ISO 27001
C. CMM Explanation: The CMM is not included in the CSA CCM and indeed is not even a security framework
53
DRM tools should enforce _________, which is interoperability with the organizations other access control activities A. Persistence B. Support for existing authentication security infrastructure C. Continuous audit trail D. Dynamic policy control
B. Support for existing authentication security infrastructure Explanation: The question describes support for authentication security infrastructure, one of the required traits for a DRM solution of any quality
54
An audit against the _________ will demonstrate that an organization has a holistic, comprehensive security program A. SAS 70 Standard B. SSAE 18 Standard C. SOC 2, Type 2 Report matrix D. ISO 27001 cert requirements
D. ISO 27001 cert requirements Explanation: The ISO 27001 cert is for the info security management system, the organizations entire
55
The term auditability means which of the following? A. A particular service or data that is covered under state or federal regulations B. Someone being in a state of readiness for auditing C. The state of data being covered by audit standards of the AICPA D. AICPA standard for SCO reports
B. Someone being in a state of readiness for auditing Explanation: Something is said to be auditable when it is in a state of readiness of auditing
56
You are the security manager for a company that is considering cloud migration to an IaaS environment. You are assisting your companys IT architects in constructing the environment. Which of the following options do you recommend? A. Unrestricted public access B. Use of a Type 1 Hypervisor C. Use of a Type 2 hypervisor D. Enhanced productivity without encryption
B. Use of a Type 1 Hypervisor Explanation: The Type 1 hypervisor is preferable, as it offers less attack surface
57
DRM solutions (sometimes referred to as infomration rights management or IRM) can be used to protext all sorts of sensitive data but are usually particularly designed to secure _________ A. PII B. Intellectual property C. Plans and policies D. Marketing material
B. Intellectual property Explanation: DRM is mainly designed to protect intellectual property. It can also sometimes be used for securing PII, but intellectual property is a better answer here.
58
What is the term used to describe the loss of access to data because the cloud provider has ceased operation? A. Closing B. Vendor lock out C. Vendor lock in D. Masking
B. Vendor lock out Explanation: Vendor lock in is the result of a lack of portability, for any number of reasons. Masking is a means to hide raw datasets from users who do not have need to know.
59
Which of the following risks is probably most significant when choosing to use one cloud provider for your operational environment and another for BCDR backup/archive? A. Physical intrusion B. Proprietary formats/lack of interoperability C. Vendor lock in/lock out D. Natural disasters
B. Proprietary formats/lack of interoperability Explanation: When using two different cloud providers, a cloud customer runs the risk that data/software formats used in the operational environment cant be readily adapted to the other providers service, thus causing delays during an actual failover
60
You are the security manager for an organization that uses the cloud for its production environment. According to your contract with the cloud provider, your organization is responsible for patching. A new patch is issued by one of your vendors. You decide not to apply it immediately for fear of interoperability problems. What additional risk are you accepting? A. The cloud provider will suspend your access for violating its terms of service B. The cloud provider may sue your organization for breach of contract C. Your organization is subject to the vulnerability the patch addresses D. Your end clients will no longer trust tour organization and this will hurt your revenue
C. Your organization is subject to the vulnerability the patch addresses Explanation: It is perfectly reasonable to not want to use the first version of a patch as there may be interoperability problems or even additional vulnerabilities contingent with its implementation. However, for as long as your environment remains unpatched, you are subject to attack through that new vulnerability
61
The OWASP Top Ten list sometimes includes missing function level access control. Which of these is a techqniue to reduce the potential for a missing function level access control? A. Set the default to deny all access to functions, and require authentication/authorization for each access request B. HTML escape all HTML attributes C. Restrict permissions based on an ACL D. Refrain from including direct access information in URLs
A. Set the default to deny all access to functions, and require authentication/authorization for each access request Explanation: Setting the default to denying access forces all resource requests to be verified, thus ensuring that no particular function may be ran without explicitly ensuring that it was called by an autyhorized user
62
0All of the following might be used as data discovery characteristics in a content analysis based data discovery effort except ___________ A. Keywords B. Pattern matching C. Frequency D. Inheritance
D. Inheritance Explanation: Inheritance has nothing to do with content analysis; it is usually referring to object oriented traits derived from originating objects
63
Industry best practices dictate that cloud customers do not ________ A. create their own IAM solutions B. Create contract language that favors them over the provider C. Retrain personnel for cloud operations D. Encrypt data before it reaches the cloud
A. create their own IAM solutions Explanation: According to ENISA, custom IAM builds can become weak if not properly implemented
64
According to OWASp recommendations, active software security testing should include all of the following except ______ A. Information gathering B. User surveys C. Configuration and deployment management testing D. Identity management testing
B. User surveys Explanation: User surveys are not an element of active security testing, although they might be used in acceptance testing. All of the other options are included in the guide to active security testing
65
If the cloud is used for BCDR purposes, the loss of __________ could gravely affect your organizations RTO A. Any cloud admin B. A specific VM C. Your policy and contract documentation D. ISP connectivity
D. ISP connectivity Explanation: Without ISP connectivity, nobody will be able to use the Internet and thus, the cloud. Ofcourse realistically, without internet connectivity, not much business will get done anyway
66
What do you need to do in order to fully ensure that a BCDR action will function during a contingency? A. Audit all performance functions B. Audit all security functions C. Perform a full scale test D. Mandate this capability in the contract
C. Perform a full scale test Explanation: Without a full test, you cant be sure the BCDR plan/process will work the way it is intended
67
You are the security manager for a small surgical center. Your organization is reviewing upgrade options for its current, on premises data center. In order to best meet your needs, which one of the following options would you recommend to senior management? A. Building a completely new data center B. Leasing a data center that is currently owned by another firm C. Renting private cloud space in a Tier 2 data center D. Staying with current data center
A. Building a completely new data center Explanation"
68
PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Approximately how many controls are listed in the PCI DSS? A. Around a dozen B. About 20 C. About 100 D. Over 200
D. Over 200 Explanation: The PCI DSS is extremely thorough and wide reaching
69
How often should the CMB meet? A. Whenever regulations dictate B. Often enough to address organizational needs and attenuate frustration with delay C. Every week D. Annually
B. Often enough to address organizational needs and attenuate frustration with delay Explanation: Frustrated employees and manages can increase risk to the organization by implementing their own, unapproved modifications to the environment.
70
Which of the following is an open source cloud based software project characterized by a toolset that includes components called Nova, Neutron, Heat, Ironic and Cinder? A. OWASP B. OAuth C. OpenStack D. Mozilla
C. OpenStack Explanation: OpenStack is an open source project for creating cloud environments regardless of hardware brand. OWASP is an open source web application development project and does not involve the use of any of the tools mentionedin the question
71
Your organization is migrating the production environment to an IaaS cloud implementation. Your users will need to be able to get access to their data and share data with other users in a defined way, according to a hierarchy. You should configure the cloud memory as _____________ A. Object storage B. Volume Storage C. Synthetic storage D. Databases
A. Object storage Explanation: Object storage is usually arranged in a file hierarchy. Volume storage has data with no defined structure
72
OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the __________ A. Volcanic principle B. Inherency principle C. Repo principle D. openness principle
D. openness principle Explanation: The openness principle requires any entity that gathers PII about a person to allow that person to access the information
73
In IaaS arrangement, all of the following are examples of object storage encryption except ___________ A. File level encryption B. DRM C. Application level encryption D. TLS
D. TLS Explanation: TLS is encryption used in a communication session, not a storage volume
74
Which of the following is not a method for enhancing data portability? A. Cryptoshredding B. Using standard data formats C. Avoiding proprietary services D. Favorable contract terms
A. Cryptoshredding Explanation: Cryptoshredding is for secure sanitization, not portability
75
All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _________ A. Updating the OS baseline image according to a scheduled interval to include any necessary security patches and configuration modifications B. Starting with a clean installation (hardware or virtual) of the desired OS C. Including only the default account credentials and nothing customized D. Halting or removing all unnecessary services
C. Including only the default account credentials and nothing customized Explanation: Default credentials are the bane of security everywhere, THis is definitely the correct answer because it should not be part of the baseline build
76
___________ is an example of due care and ____________ is an example of due diligence A. Privacy data security policy; auditing the controls dictated by the privacy data security policy B. GDPR; GLBA C. Locks on doors; turnstiles D. Perimeter defenses; internal defenses
A. Privacy data security policy; auditing the controls dictated by the privacy data security policy Explanation: Due care is the mininal level of effort necessary to perform your duty to others; in cloud security, that is often the care that the cloud customer is required to demonstrate in order to protect the data its owns`
77
What is the amount of fuel that should be on hand to power generators for backup datacenter power, in all tiers, according to the Uptime Institute? A. 1 B. 1,000 C. 12 hours D. As much as needed to ensure all systems may be gracefully shut down and data securely stored
C. 12 hours Explanation:
78
The application normative framework is best described as which of the following? A. A stand alone framework for storing security practices for the Organizational Normative Framework (ONF) B. A subset of the Organizational Normative Framework (ONF) C. A superset of the Organizational Normative Framework (ONF) D. The complete Organizational Normative Framework
B. A subset of the Organizational Normative Framework (ONF) Explanation: Remember there is a one to many ratio of ONF to application normative framework; each organization has one Organizational normative Framework and many ANFs
79
Task centric training is typically for __________ A. All personnel B. Specific personnel C. Management personnel D. HR personnel
B. Specific personnel Explanation: Training is usually a formal process involving detailed information. This is for those personnel who are involved with the specific topic or tasks for which the training is intended
80
WHich of the following is an example of useful and sufficient data masking of the string CCSP? A. XCSP B. PSCC C. TtLp D. 3X91
C. TtLp Explanation: This answer requires some thought about how the original data is displayed and its properties
81
The BCDR plan/policy should include all of the following except ________ A. Tasking for the office responsible for maintaining/enforcing the plan B. Contact information for essential entities, including BCDR personnel and emergency services agencies C. Copies of the laws/regulations/standards governing specific elements of the plan D. Checklists for BCDR personnel to follow
C. Copies of the laws/regulations/standards governing specific elements of the plan Explanation:
82
Which of the following best describes SAML? A. A standard for developing secure application management logistics B. A standard for exchanging authentication and authorization data between security domains C. A standard for exchanging usernames and passwords across devices D. A standard used for directory synchronization
B. A standard for exchanging authentication and authorization data between security domains Explanation:
83
Which common characteristic of the cloud data center also servers customer business continuity and disaster recovery needs? A. Multitenancy B. Virtualization C. Redundancy D. Software defined networking
C. Redundancy Explanation: The ubiquitous redundancy of systems and capabilities within most cloud data centers not only serves the provides requirements to meet customer service level agreements but also enhances the data centers resistance to disasters and interruptions
84
Storage controllers will be used in conjunction with all the following protocols except __________ A. HTTPS B. iSCSI C. Fibre Channel D. Fibre Channel over Ethernet
A. HTTPS Explanation: HTTPS is not a storage protocol
85
OWASP Top Ten list often includes using components with known vulnerabilities. Which of the following is a good way to protect against this problem? A> Using only components your organization has written B. Update to current versions of component libraries as soon as possible C. Never use anyone elses component library D. Apply patches to old component libraries
B. Update to current versions of component libraries as soon as possible Explanation:
86
________________ is the process of transitioning all or part of a companys data, applications and services from onsite premises behind the firewall to the cloud A. Forklifting B. Cloud portability C. Cloud enablement D. Cloud migration
D. Cloud migration Explanation: Cloud migration is the process of transitioning all or part of a companys data, applications, and services from onsite premises behind the firewall to the cloud. This enables information to be provided over the internet to an on demand basis
87
Which of the following is not an example of an essential internal stakeholder? A. IT analysts B. IT director C. CFO D. HR Director
A. IT analysts Explanation: An IT analyst is generally not high enough of a position to be able to provide quality information to other stakeholders. However, the IT director would be in such a position as would the others
88
The goals of DLP solution implementation include all of the following except: A. Policy enforcement B. Elasticity C. Data discovery D. Loss of mitigation
B. Elasticity Explanation: DLP does not have anynthing to do with elasticity, which is the capability of the environment to scale up or down according to demand
89
You are the security policy lead for your organization, which is considering migrating from your on premises, traditional IT environment into the cloud. You are reviewing the CSA CCM as a tool for your organization. Which tool, also available from the CSA, can be used in conjunction with the CCM to aid you in selectingn and applying the proper controls to meet your organizations regulatory needs? A. The CAIQ B. OWASP Top Ten C. CSC List D. NIST FIPS 140-2
A. The CAIQ Explanation: The CAIQ is a self administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls. The OWASP Top Ten is used to indicate trends in poor design of web applications
90
DLP solutions may use all of the following techniques to identify sensitive data except ____________ A. Pattern matching B. Inference C. Keyword identification D. Metadata tags
B. Inference Explanation: Inference is an attack technique that dervies sensitive material from an aggregation of innocuous data; DLP tools, thus far do not have this capability
91
When data labels are being used in an environment (for discovery and other purposes), when should the labels be applied? A. During the risk assessment B. As part of the BIA C. At collection/creation D .When the discovery tools are implemented
C. At collection/creation Explanation: For the most efficient classification/categorization process, and to streamline the application of proper controls, data labelling should be performed when the data is first being collected/created
92
Encryption is an essential tool for affording security to cloud based operations. While it is possible to encrypt every system, piece of data and transaction that takes place on the cloud, why might that not be the optimum choice for an organization? A. Key length variances dont provide any actual additional security B. It would cause additional processing overhead and time delay C. it might result in vendor lockout D. The data subjects might be upset by this
B. It would cause additional processing overhead and time delay Explanation: Encryption consumes processing power and time; as with all security controls, additional security means measurably less operational capability
93
Firewalls can detect attack traffic by using all these methods except _________ A. Known past behavior in the environment B. Identity of the malicious user C. Point of origination D. Signature matching
B. Identity of the malicious user Explanation: While it would be wonderful, for security purposes, to know the identify of attackers before or while they are making an attack, this is information the attack doesnt usually share
94
In a virtualized cloud environment, the management plane is usually responsible for provisioning virtual machine instances with all of the following resources except _________ A. CPU B. Memory C. User Interface D. Permanent Storage
C. User Interface Explanation: The user interface to the virtualized instance can be handled by a variety of mechanisms, but it is not the function of the management plane All the other options are resources provisioned to the virtual machines by the management plane
95
Which of the following is a possible negative aspect of bit spltting? A. It may require trust in additional third parties beyond the primary cloud service provider B. There may be cause for management concern that the technology will violate internal policy C. Users will have far greather difficulty understand the implementation D. Limited vendors make acquisition and support challenging
A. It may require trust in additional third parties beyond the primary cloud service provider
96
The OWASP Top Ten list often includes cross site request forgery. Which of the following is a good way to deter CSRF attacks? A. Have your website refuse all HTTP resource requests B. Ensure that all HTTP resource requests include a unique, unpredictable token C. Dont allow ecommerce on your website D. Process all user requests with only one brand of browser, and refuse all resource requests from other browsers
B. Ensure that all HTTP resource requests include a unique, unpredictable token Explanation: This is the option OWASP recommends as the very least form of protection.
97
What has enabled cloud computing to become a real and scalable service offering due primarily to savings, sharing capabilities and allocation of resources across multiple tenants and environments? A. Virtualization technologies B. Storage technologies C. International agreements D. Increases in computing power
A. Virtualization technologies Explanation: Virtualization technologies have been the driving force behind enabling cloud computing to become a real and scalable service due to the savings, sharing and allocation of resources across multiple tenants and environments
98
In designing a data center to meet their own needs and provide optimum revenue/profit, the cloud provide will most likely aim to enhance __________ A. Functionality B. Automation of services C. Aesthetic value D. Inherent value
B. Automation of services Explanation: All the options are correct except C. Option B is the most correct because it will lead to maximizing performance, value and profitability
99
Backdoors are sometimes left in software by developers _______ A. In lieu of other security controls B. As a means to counter DoS attacks C. In advetently or on purpose D. As a way to distract attackerts
C. In advetently or on purpose Explanation: BAckdoors that were used legit during the development process can sometimes be left in a production version of the delivered software accidentally, when developers forget to remove them
100
A cloud provider might only release SOC 2 Type 2 Reports to ____________ A. Regulators B. The public C. Potential customers D. Current customers
D. Current customers Explanation: Because of the sensitive nature of the material covered in the SOC 2 Type 2 report, a cloud provider might not be willing to share it with any entity that does not have a financial stake in the cloud service
101
Access to specific data should be granted by _____________ A. The data subjects B. The data owners C. The data processors D. The data regulators
B. The data owners Explanation: The data owner is most familiar with the risks and impacts associated with the data sets under their control. The data subject may grant permission for a data owner to have the subjects data but will not govern the granular assignment of access rights
102
Which of the following is considered an administrative control? A. Access control process B. Keystroke logging C. Door locks D. Biometric authentication
A. Access control process Explanation: A process is an administrative control; sometimes, the process includes elements of other types of controls, but the process itself is administrative
103
If bit splitting is used to store data across multiple jurisdiction, how may this enhance security? A. By making seize of data by law enforcement more difficult B. By hiding it from attackers in a specific jurisdiction C. By ensuring that users can only accidentally disclose data to one geographic area D. By restricting privilege user access
A. By making seize of data by law enforcement more difficult Explanation: When law enforcement entities wish to seize assets (including data), they must cooperate with other law enforcement agencies in other jurisdictions if the data is not contained fully within their own
104
Which of the following models offers the capability of using an application solution running on a vendors or cloud providers infrastructure? A. SaaS B. IaaS C. PaaS D. AaaS
A. SaaS Explanation: SaaS offers the user the capability of using the vendors or cloud providers application solution on their existing infrastructure
105
A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to use the web of trust model for federation, who is/are the service providers? A. Each organization B. A trusted third party C. The regulator overseeing their industry D. All of their patients
A. Each organization Explanation: In a web of trust model, each member organization usually supplies both the access/identification credentials and the resources that the users want to access, so the organizations are both the identity providers and service providers in a web of trust federation model
106
What is the federal agency that accepts applications for new patents? A. USDA B. USPTO C. OSHA D. SEC
B. USPTO Explanation: The US Patent and Trademark Office accepts, reviews and approves applications for new patents
107
When applying patches, it is necessary to do all of the following except ____________ A. Test the patch in a sandbox that simulates the production environment B. Put the patch through the formal change management process C. Be prepared to roll back to the last known good build D. Inform users of any impacts or interruptions
B. Put the patch through the formal change management process Explanation: In many cases, patches are released to deal with an imminent vulnerability/risk
108

CCSP 2023 (54 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions