LearnZapp Practice 4 Flashcards
Access should be granted based on all of the following except _______
A. Policy
B. Business needs
C. Performance
D. Acceptable risk
C. Performance
Explanation:
Performance should not determine who gets access to which data
Which of the following methods of addressing risk is most associated with insurance?
A. Transference
B. Avoidance
C. Acceptance
D. Mitigation
A. Transference
Explanation:
Avoidance halts the business process, mitigation entails using controls to reduce risk, acceptance involves taking on the risk, and transference usually involves insurance
Which security technique is most preferable when creating a limited functionality for customer service personnel to review account data related to sales made to your clientele?
A. Anonymization
B. Masking
C. Encryption
D. Training
B. Masking
Explanation:
Masking allows customer service representatives to review clients' sales and account information without revealing the entirety of those records
In order for American companies to process personal data belonging to EU citizens, they must comply with the Privacy Shield program. The program is administered by the US Department of Transportation and the ____________
A. US State Department
B. Fish and Wildlife
C. Federal Trade Commission
D. Federal Communication Commission (FCC)
C. Federal Trade Commission
Explanation:
The FTC is the local US enforcement arm for most Privacy Shield activity
Which type of web application monitoring most closely measures actual activity?
A. Synthetic performance monitoring
B. Real user monitoring
C. SIEM
D. DAM
B. Real user monitoring
Explanation:
RUM harvests information from actual user activity, making it the most realistic depiction of user behavior
Which of the following is a risk posed by the use of virtualization?
A. Internal threats interrupting service through physical accidents
B. The ease of transporting stolen virtual images
C. Increased susceptibility of virtual systems to malware
D. Electromagnetic pulse
B. The ease of transporting stolen virtual images
Explanation:
Because virtual machines are stored as image files, an attacker able to access the stored files would have a
Your company operates in a highly cooperative market, with a high degree of information sharing between participants. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company's collaboration needs. Which deployment model would best suit the company's needs?
A. Public
B. Private
C. Community
D. Hybrid
C. Community
Explanation:
A community cloud entails all participants having some degree of ownership and responsibility for the cloud environment; this is the preferred model for cooperative ownership and collaboration among a group with a shared
An event is something that can be measured within the environment. An incident is a ___________ event
A. Deleterious
B. Negative
C. Unscheduled
D. Major
C. Unscheduled
Explanation:
All the activity in the environment can be considered events. Any event that was not planned or known is an incident. In the security industry, we often ascribe negative effects to the term incident, but incidents are not always malicious
Why is the deprovisioning element of the identification component of identity and access management so important?
A. Extra accounts cost so much extra money
B. Open but assigned accounts are vulnerabilities
C. User tracking is essential to performance
D. Encryption has to be maintained
B. Open but assigned accounts are vulnerabilities
Explanation:
Unused accounts that remain open can serve as attack vectors
According to the CSA, which of the following is not an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider?
A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment
B. Reviewing all contract elements to appropriately define each party's roles, responsibilities and requirements
C. Assessing the provider's financial standing and soundness
D. Vetting the cloud provider's administrators and personnel to ensure the same level of trust as the legacy environment
D. Vetting the cloud provider's administrators and personnel to ensure the same level of trust as the legacy environment
Explanation:
The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control
A host-based firewall in a virtualized cloud environment might have aspects of all the following types of controls except ________
A. Administrative
B. Deterrent
C. Corrective
D. Preventive
B. Deterrent
Explanation:
A firewall uses aspects of administrative controls. The firewall policy is a set of rules that dictate the type of traffic and source/destination of that traffic
What is an important term in the field of data forensics that refers to maintaining control of evidence?
A. eDiscovery
B. Probable cause
C. Chain of custody
D. The Doctrine of Property
C. Chain of custody
Explanation:
Chain of custody refers to documenting control of evidence from the time it is collected until it is presented to the court
Which of the following factors would probably most affect the design of a cloud data center?
A. Geographic location
B. Functional purpose
C. Cost
D. Aesthetic intent
A. Geographic location
Explanation:
APIs are defined as which of the following?
A. A set of protocols, and tools for building software applications to access a web based software application or tool
B. A set of standards for building software applications to access a web based software application or tool
C. A set of routines, standards, protocols and tools for building software applications to access a web based software application or tool
D. A set of routines and tools for building software applications to access web based software applications
C. A set of routines, standards, protocols and tools for building software applications to access a web based software application or tool
Explanation:
Dynamic software security testing should include _________
A. Source code review
B. User training
C. Pentest
D. Known bad data
D. Known bad data
Explanation:
Also known as fuzz testing, dynamic methods should include known bad inputs in order to determine how the program will handle the wrong data
Which of the following best describes data masking?
A. A method where the last few numbers in a dataset are not obscured. These are often used for authentication
B. A method for creating similar but inauthentic datasets used for software testing and user training
C. A method used to protect prying eyes from data such as social security numbers and credit card data
D. Data masking involves stripping out all similar digits in a string of numbers so as to obscure the original number
B. A method for creating similar but inauthentic datasets used for software testing and user training
Explanation:
Where should multiple egress points be included?
A. At the power distribution substation
B. Within the data center
C. In every building on the campus
D. In the security operations center
C. In every building on the campus
Explanation:
Health and human safety is a paramount goal of security
Which of the following best represents the REST approach to APIs?
A. Built on protocol standards
B. Lightweight and scalable
C. Relies heavily on XML
D. Only supports XML output
B. Lightweight and scalable
Explanation:
The EU, with its implementation of privacy directives and regulations, treats individual privacy as _______
A. A passing fad
B. A human right
C. A legal obligation
D. A business expense
B. A human right
Explanation:
What artifact - which should already exist within the organization - can be used to determine the critical assets necessary to protect in the BCDR activity?
A. Quantitative risk analysis
B. Qualitative risk analysis
C. Business impact analysis
D. Risk appetite
C. Business impact analysis
Explanation:
The BIA is designed for this purpose: to determine the critical path of assets/resources/data within the organization
Which of the following is not a risk management framework?
A. NIST SP 800-37
B. ENISA
C. KRI
D. ISO 31000-2009
C. KRI
Explanation:
Key risk indicators are useful but they are not a framework
Which of the following is not a factor an organization might use in the cost benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected
D. Branding associated with which cloud provider might be selected
Explanation:
The brand associated with the cloud provider should not influence the cost-benefit analysis
Which of the following best describes the Organizational Normative Framework?
A. A container for components of an application's security, best practices, catalogued and leveraged by the organization
B. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization
C. A set of application security and best practices catalogued and leveraged by the organization
D. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization
B. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization
Explanation:
Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?
A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 1 Type 2
D. SOC 3
D. SOC 3
Explanation:
The SOC 3 is the least detailed, so the provider is not concerned about revealing it