NOT Priority

Question 1

Domains of ISO 27001

Answer 1

Information security policies 
Organization of information security 
Human resource security 
Asset management 
Access control 
Cryptography 
Physical and environmental security 
Operations security 
Communications security 
System acquisition, development, and maintenance 
Supplier relationships 
Information security incident management
Information security aspects of business continuity management 
Compliance

Question 2

NIST Control Families

Answer 2

AC: Access Control
AT: Awareness and Training 
AU: Audit and Accountability 
CA: Security Assessment and Authorization 
CM: Configuration Management 
CP: Contingency Planning 
IA: Identification and Authentication 
IR: Incident Response 
MA: Maintenance 
MP: Media Protection 
PE: Physical and Environmental Protection 
PL: Planning 
PS: Personnel Security 
RA: Risk Assessment 
SA: System and Services Acquisition
SC: System and Communications Protection 
SI: System and Information Integrity 
PM: Program Management

Question 3

List primary set of regulations, standards and guidelines that impact cloud computing

Answer 3

ISO/IEC 27001 
ISO/IEC 27002 
ISO/IEC 27017 
SOC 1, SOC 2, and SOC 3 
PCI DSS 
HIPAA 
NIST SP 800-53 and FedRAMP
NIST 800-145
ISO 17789
ISO 17788

Question 4

TCI Reference Model

Answer 4

Trusted Cloud Initiative (TCI) Reference Model

The TCI reference model is a guide for cloud providers, allowing them to create a holistic architecture (including the physical facility of the data center, the logical layout of the network, and the processes necessary to utilize both) that cloud customers can purchase and use with comfort and confidence.

Question 5

EU Privacy - Collection Limitation Principle

Answer 5

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and where appropriate with the knowledge or consent of the data subject

Question 6

EU Privacy - Data Quality Principle

Answer 6

Personal data should be relevant to the purposes for which they are to be used and to the extent necessary for those purposes should be accurate complete and kept up to date

Question 7

EU Privacy Principle - Purpose Specification

Answer 7

The purposes for which personal data are collected should be specified no later than at he time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of the change purpose

Question 8

EU Privacy Principle - Use Limitation Principle

Answer 8

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except:

a. with the consent of the data subject
b. by the authority of the law

Question 9

EU Privacy Principle - Security Safeguard Principle

Answer 9

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

Question 10

EU Privacy Principle - Open Principle

Answer 10

The should be a general policy of openness about developments, practices, and policies with respect to personal data

Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their user, as well as the identity and usual residence of the data controller

Question 11

EU Privacy Principle - Individual Participation Principle

Answer 11

Individuals should have the right to:

a. obtain from the data controller or otherwise confirmation of whether or not the data controller has data relating to them
b. to have communicated to them, data relating to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in the form that is readily intelligible to them
c. to be given reasons if a request made under subparagraph a and b is denied and to be able to challenge such denial and
d. to challenge data relating to them and, if the challenge is successful to have the data erased, rectified, completed or amended

Question 12

EU Privacy Principle - Accountable Principle

Answer 12

A data controller should be accountable for complying with measures which give effect to the principles stated above

Question 13

EU Privacy Principle - The Right to be Forgotten/Erased

Answer 13

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of a number of conditions applies

Undue delay is considered about a month

Reasonable steps must be taken to verify the person requesting erasure is the actual data subject

Question 14

Privacy Maturity Model (PMM)

Answer 14

A maturity model for demonstrating an organizations capability maturity around protecting PII, created by AICPA and CICA - American and Canadian CPA standards organizations, based on Capability Maturity Model standard (SSE-CMM) by Canegie-Mellon University Software Engineering Institute (SEI)

Question 15

HIPAA

Answer 15

The handling and protection of PHI is governed by the Health Insurance Portability and Accountability Act

HIPAA controls who can access PHI and under what circumstances they can do so. HIPAA also regulates things like data retention, archiving, and other physical and technical safeguards

Question 16

Cardholder data

Answer 16

Cardholder data is a specific subset of PII that is related to holders of credit or debit cards. This data includes information such as the primary account number (PAN), security codes, expiration dates, and any other information that can be used to identify a particular individual cardholder.

Question 17

Describe US Data Jurisdiction Requirements

Answer 17

strong protections for intellectual property

industry-specific legislation (GLBA for banking/insurance, HIPAA for medical care, and so forth) or with contractual obligations (PCI).

Many strong, granular data breach notification

Question 18

Describe Europe Data Jurisdiction Requirements

Answer 18

Europe provides good intellectual property protections. It has massive, exhaustive, comprehensive personal privacy protections, including the EU General Data Protection Regulation.

Question 19

Describe Asia Data Jurisdiction Requirements

Answer 19

disparate levels of intellectual property protection.
Act on the Protection of Personal Information, Japan adheres to the EU model, and Singapore does the same.

all IT traffic and communications in China must be accessible by the Chinese government.

Question 20

Describe South/Central America Data Jurisdiction Requirements

Answer 20

various intellectual property mechanisms.

Argentina, which with its Personal Data Protection Act is in direct correlation with the EU legislation

Question 21

Describe Australia/New Zealand Data Jurisdiction Requirements

Answer 21

strong intellectual property protections and very strong privacy protections, with the Australian Privacy Act mapping directly to the EU statutes.

Question 22

Cloud Security Alliance 2019 “Egregious Eleven” Threats?

Answer 22

Data breaches
Misconfiguration and inadequate change control
Lack of cloud security architecture and strategy
Insufficient identity, credential, access, and key management
Account hijacking
Insider threat
Insecure interfaces and APIs
Weak control plane
Metastructure and applistructure failures
Limited cloud usage visibility
Abuse and nefarious use of cloud services

Question 23

What should be known in order to decide how to handle risk within an organization?

What are these steps also applied to?

Answer 23

An inventory of all assets (Inventory Assets)
A valuation of each asset (Valuation Assets)
A determination of critical paths, process and assets of which without the organization could not operate (Determination of Criticality))
A clear understanding of risk appetite

BIA

Question 24

What should you expect about Cloud Provider services with respect to Single Points of Failure (SPOF)?

Answer 24

In a cloud environment, customers should expect that the provider has no SPOFs within their facilities and architecture; part of the benefit of moving to the cloud is the ability of cloud providers to offer a robust and resilient service that is not susceptible to failures due to SPOFs.

Question 25

Are all SPOFs critical assets of an organization?

Answer 25

No.

Question 26

How should cloud resources be treated that is comparable to traditional IT environments/architecture?

Answer 26

It is best to treat all resources in a cloud environment as if they are in the DMZ and harden them accordingly.

Question 27

The cloud provider should ensure that all devices in the data center are secured such what conditions are met?

Answer 27

All devices should be hardened:

All guest accounts are removed
All unused ports are closed.
No default passwords remain.
Strong password policies are in effect.
Any admin accounts are significantly secured and logged. All unnecessary services are disabled.
Physical access is severely limited and controlled.
Systems are patched, maintained, and updated according to vendor guidance and industry best practices.

Question 28

What risks should cloud customers focus on?

Answer 28

Customers must bear in mind the risks related to the way they access the cloud, which often takes the form of a bring your own device (BYOD) environment and always involves remote access.

Question 29

What can be done by the CSP or customer to prevent data breaches?

Answer 29

1. Understand CSPs shared responsibility model to protect data
2. Intrusion detection and incident response management
3. CSPs should be transparent about what they do to prevent data breaches and wha the customer must do
4. Prevent misconfiguration and inadequate change control

Question 30

Examples of misconfiguration

Answer 30

Default credentials and settings
excessive permissions
lack of basic security hygiene

Question 31

What should you consider when mitigating threats to IAM and key management?

Answer 31

Use strong passwords and multifactor authentication to protect access to sensitive data.

Understand your cloud provider’s IAM services and examine the tradeoffs between on-prem and cloud-native IAM solutions. Along these lines, you should understand your CSP’s ability to support federated identity and what that means for your organization.

Practice least privilege and allow only the minimal amount of access for cloud users.

Remove unused credentials to minimize exposure through unnecessary accounts.

Develop a robust key management plan that includes key rotation (automatic, where feasible)

Question 32

What can be used to combat/mitigate limited cloud usage visibility?

Answer 32

Cloud Access Security Brokers (CASBs) can play a role in controlling which applications are in use and analyzing the activities within a cloud environment.

Web Application Firewalls (WAFs) are also helpful in providing awareness of connections to cloud services, including analysis of activities and identification of malicious trends.

training and awareness programs that inform employees on how to properly use authorized cloud resources.

Question 33

Cloud based disaster recovery (DR) and business continuity (BC) planning considerations?

Answer 33

Understand how the shared responsibility model applies to BCP/DR.

Understand any supply chain risks that exist (for example, vendor or third-party factors that may impact your ability to conduct BCP/DR activities).

Consider the need to keep backups offsite or with another CSP.

Ensure that SLAs cover all aspects of BCP/DR that concern your organization, including RPOs, RTOs, points of contact, roles and responsibilities, and so on.

SLAs should clearly describe requirements for redundancy and failover, as well as address mitigating single points of failure in the cloud environment.

Question 34

What are considerations in a typical cost benefit analysis of migrating to the cloud?

Answer 34

1. Demand Trends - Steady vs. cyclical demand
2. Staffing - CapEx vs OpEx
3. Loosing or decreasing ownership and control
4. Organizational focus

Question 35

Privacy Shared Concerns in the cloud?

Answer 35

A major challenge for cloud environments

There are currently no international directive, laws or regulations, each country or group of countries might have their own specific directives or no directives at all

Question 36

IaaS Security Considerations/Concerns?

Answer 36

1. Colocation and multitenancy - assume your systems and data are collocated with other tenants and protect them accordingly
2. VM attacks - CSP is responsible for preventing, detecting, and responding to malicious activity between VMs
3. Hypervisor Attacks - exposes host and all VMs and their hosted apps - VM escape
4. Network Security - virtual networks, less physical endpoints, single point access - limited NICs to all VMs
5. Denial of Service attacks
6. Loss of control - lack of control over where VM are located or what data is running on them

Question 37

PaaS Security Considerations?

Answer 37

1. Resource Isolation - if a customer is able to break out of isolation, other customers can be negatively impacted; CSP should NOT give shell access to CSC on host VM
2. User Permissions - each tenant/service must be allowed to manage user level permissions
3. User access management - balance quick provisioning vs proper and secure authentication and authorization; ensure good administration e.g. provisioning and deprovisioning; good intel - monitor, report based on policy, audit, analyze
4. Malware, backdoors, and other malicious threats - Autoscaling can grow impacts and damages of malware

Question 38

SaaS Security Considerations?

Answer 38

1. Data comingling - multi tenancy means application vulnerabilities (e.g. XSS, SQL injection, etc.) can expose potentially all customers data; ensure SaaS has Data Segregation
2. Data access policies - customer should compare SaaS solution vs org data access policies to ensure org data is protected in SaaS solution; ensure access is monitored, logged and reviewed
3. Web Application security - SaaS is exposed to the internet so vulnerable to attack

Question 39

Why does cloud make compliance with laws more complex?

Answer 39

Cloud provider, a 3rd party processor is introduced in the cloud
Questions arise around jurisdiction, where does the data physically reside because that impacts the laws the customer must follow

Question 40

What can CSPs and customers do to mitigate the threat of Unauthorized access or usage?

Answer 40

CSP
Require multiple parties to approve access to customer data, where possible
Mechanism to detect access to customer data and processes to validate access was legitimate

Customers
Use Hardware Security Modules, where possible

Question 41

DLP considerations in cloud

Answer 41

1. Highly distributed and replicated cloud data
2. Performance will be negatively impacted
3. DLP implementation in the cloud are expensive because of the pay for what you use model

Question 42

Data Controls

Answer 42

how to PROTECT/RESTRICT access to Actors by Function, if not authorized, to uphold confidentiality

e.g. use DRM/IRM to protect enterprise date when used or shared

Question 43

IRM Tool Traits

Answer 43

IRM uses data tags/labels or metadata

Rudimentary Reference Checks

Online Reference Checks

Local Agent Checks

Presence of Licensed Media

Support-Based Licensing

Question 44

Rudimentary Reference Checks of IRM tool

Answer 44

The content itself can automatically check for proper usage or ownership. e.g. authz granted for book tests based on contents of book

Question 45

Online Reference Checks

Answer 45

requires user to enter product key that is checked against online database to unlock the product

Question 46

Local Agent Checks

Answer 46

user installs reference tool that checks the protected content against the user’s license

Question 47

Presence of Licensed Media

Answer 47

Some IRM tools require the presence of licensed media, such as disks, in the system while the content is being used. The IRM engine is on the media, often installed with some cryptographic engine that identifies the unique disk and the licensed content and allowing usage based on that relationship.

Question 48

Support-Based Licensing

Answer 48

IRM implementations predicated on the need of continual support for content; this is particularly true of production software. Licensed software might be allowed ready access to updates and patches, while the vendor could prevent unlicensed versions from getting this type of support.

Question 49

Data Processing

Answer 49

Processing is anything that can be done to data: copying it, printing it, destroying it, utilizing it.

Question 50

Cloud secure data lifecycle

Answer 50

1. Create. Data is either generated from scratch or existing data is modified/updated.
2. Store. Data is saved into a storage system or repository.
3. Use. Data is processed by a user or application.
4. Share. Data is made accessible by other users or systems.
5. Archive. Data is transferred from readily accessible storage to a more long-term, static storage state.
6. Destroy. Data is deleted and removed from storage, making it permanently inaccessible and unusable.

Question 51

CSP responsibilities in SaaS?

Answer 51

1. Data segmentation using encryption and other tech

2. Conducting vulnerability scans and pen testing to identify and fix findings before exploited

Question 52

CSA Enterprise Architecture - Description

Answer 52

Cloud Security Alliance Enterprise Architecture is both a methodology and a set of tools that enable security architects, EAs, and risk management professionals to leverage a common set of solutions to fulfill their common needs to be able to assess where their internal IT and cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of the business.

Question 53

CSA Enterprise Architecture - Components

Answer 53

Business Operations Support Services (BOSS)
Information Technology Operation and Support (ITOS)
Services (Presentation, Application, Information, and Infrastructure)
Security and Risk Management

Question 54

What type of disasters should you be concerned with as a security professional?

Answer 54

Malicious cyber attacks
Accidental disruptions
Natural disasters
Major system failures

Question 55

Incident Response Lifecycle

Answer 55

steps taken before, during and after an incident

Question 56

Tenant

Answer 56

One or more cloud service users sharing access to a set of cloud resources

Question 57

Sub-roles of the cloud service provider per ISO 17789?

Answer 57

Operations Manager
Deployment Manager
Cloud Service Manager
Business Manager
Customer Support
Intercloud Provider
Security & Risk Manager
Network Provider

Question 58

Regulators

Answer 58

The entities that ensure organizations are in compliance with the regulatory framework for which they’re responsible. These can be government agencies, certification bodies, or parties to a contract.

For example the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and auditors commissioned to review compliance with contracted or asserted standards (such as PCI DSS and ISO)

Question 59

Cloud service operations manager?

Standard role is defined in?

Answer 59

Oversees and manages the operation and performance of cloud services provided to customers.

Prepares system, monitors services, provide audit data

1SO17789 CSP Role

Question 60

Technical account manager

Answer 60

Provides account support and high-level technical guidance to cloud customers.

Question 61

Deployment manager?

Standard role is defined in?

Answer 61

Define environment and processes
Define and gather metrics
Define deployment steps

ISO 17789

Question 62

Cloud Service Manager?

Standard role is defined in?

Answer 62

Provide service
Deploy and provision service
Service Level Management

ISO 17789

Question 63

Business Manager?

Standard role is defined in?

Answer 63

Manage business plan, customer relations and financial processing

ISO 17789

Question 64

Customer Support?

Standard role is defined in?

Answer 64

Handles customer requests

ISO 17789

Question 65

Intercloud Provider?

Standard role is defined in?

Answer 65

Manage peer cloud services, perform peering, federation, intermediation, aggregation and arbitrage

ISO 17789

Question 66

Security & Risk Manager?

Standard role is defined in?

Answer 66

Manage security and risk
Design/Implement service continuity
Ensure compliance

ISO 17789

Question 67

Network Manager?

Standard role is defined in?

Answer 67

Provide Network connectivity
Deliver network services and network management services

ISO 17789

Question 68

List subroles of Cloud Service Customer (CSC) of ISO 17789

Answer 68

Cloud Service User
Cloud Service Administrator
Cloud Service Business Manager
Cloud Service Integrator

Question 69

Cloud Service Admin?

Standard and Type of subrole?

Answer 69

Monitor service,
Administer security, billing and usage

1SO17789 CSC Role

Question 70

Cloud Service Business Manager

Standard and Type of subrole?

Answer 70

Purchase Service
Request audit reports

1SO17789 CSC Role

Question 71

Cloud Service Integrator?

Standard and Type of subrole?

Answer 71

Connect systems to the cloud

1SO17789 CSC Role

Question 72

List subroles of Cloud Service Partner (CSN) of ISO 17789

Answer 72

Cloud Service Developer
Cloud Auditor
Cloud Service Broker/Cloud Access Security Broker

Question 73

Cloud Service Developer

Standard and Type of subrole?

Answer 73

Design, create, maintain service components
Compose and test services

1SO17789 CSN Role

Question 74

Cloud Service Backup Provider

Is this role part of a security standard? If so which one?

Answer 74

a 3rd party that manages cloud-based back up responsibilities

1SO17789 Role

Question 75

Cloud Computing Adoption Lifecycle

Answer 75

Cloud Proof of Concept
Cloud Strategy and Roadmap Adoption
Cloud Modeling and Architecture Adoption
Cloud Implementation Planning
Cloud Implementation
Cloud Expansion
Cloud Integration and Interoperability
Cloud Collaboration
Cloud Steady State

Question 76

What guidelines should be considered when implementing a cloud solution for the enterprise

Answer 76

1. Involve all stakeholders in the process of aligning the business and legal requirements
2. Establish common objectives for supporting and achieving cloud management practices
3. Monitor, review, and update document cloud management policies and procedures