Pocket Prep 4 Flashcards
Which of the following ways is how a business addresses regulatory compliance challenges in the cloud?
A. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, containers
B. Security policies, golden images, Cloud Service Customer (CSC) defined service level agreements, contracts
C. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts
D. Security policies, annual audits, Cloud Service Provider (CSP) defined service level agreements, contracts
C. Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts
Explanation:
Correct answer: Security policies, annual audits, Cloud Service Customer (CSC) defined service level agreements, contracts
There are many things that a business should do to address regulatory compliance challenges in the cloud or simply secure the corporation’s information and information systems. It begins with having security policies. The process is first governance and board of directors oversight. Then risk management must be done to understand the threat environment more completely. Then we can create security policies.
One of the things the policies should specify is that audits should be performed. The customer might need to be audited by a third party if there is a legal compliance requirement. Otherwise, knowing that the CSP has been audited by a third party and what the results of that audit are would be beneficial to know (SOC reports and such). Depending on the customer and the provider, it is possible that the customer could be involved in the actual audit of the cloud service provider.
Side note: A third-party audit is an audit done by an external company such as Deloitte or PwC. It is called "third" because the first party is the CSC and the second party is the CSP; adding an external auditor brings the count to three. It is possible to go to a fourth party if the audit company hires contractors to do some of the work.
The CSC should define the Service Level Agreements (SLA) that they require. The CSP may need to help them work this out, but the customer should specify what they need.
The SLAs are part of the contracts that need to be established with the CSP.
What is not part of this is golden images or containers. The golden image is our stable virtual machine image that should be used to deploy a specific virtual machine. Containers are a contained environment that is portable to run specific code. Having golden images certainly can help with compliance, but it would not be in the same category as the rest of these options.
Reference:
(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 272.
The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 297-298.
An attacker deleting log files maps to which letter of the STRIDE acronym for cybersecurity threat modeling?
A. E
B. I
C. D
D. R
D. R
Explanation:
Microsoft’s STRIDE threat model defines threats based on their effects, including:
Spoofing: The attacker pretends to be someone else
Tampering: The attacker damages data integrity
Repudiation: The attacker can deny that they took some action that they did take
Information Disclosure: The attacker gains unauthorized access to sensitive data
Denial of Service: The attacker can harm the availability of a service
Elevation of Privilege: The attacker can access resources that they shouldn’t be able to access
Deleting log files is likely an effort to cover the attacker’s tracks and is related to repudiation (R).
Reference:
(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 172-173.
The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 153-156.
Federation is a term MOST closely associated with which of the following concepts?
A. Multivendor Pathway Connectivity
B. Tenant Partitioning
C. HVAC
D. Access Control
D. Access Control
Explanation:
Correct answer: Access Control
Cloud customers have various options for securing access to their systems, including using federation or SAML to control cloud access from the customer’s IAM system, or using Identity as a Service (IDaaS) offerings provided by the CSP.
Tenant partitioning involves keeping tenants from affecting one another in multitenant environments, multivendor pathway connectivity improves network resiliency by using multiple ISPs and cable paths, and HVAC stands for heating, ventilation, and air conditioning.
Reference:
(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 193-197, 201-202.
The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 114-119.
A corporation is using both the storage and processing capabilities of a cloud Platform as a Service (PaaS) provider. The data that they possess contains personally identifiable information (PII). It is essential to protect this data throughout its lifecycle.
When the customer support team is working to resolve a customer’s issue and they log in to a database to search for information regarding a customer’s purchase, which phase of the lifecycle are they in?
A. Archive phase
B. Store phase
C. Use phase
D. Create phase
C. Use phase
Explanation:
Correct answer: Use phase
When data is being looked at by the customer support team, it is in the use phase.
The create phase is the initial creation point of the data. The Cloud Security Alliance (CSA) says in their Guidance 4.0 document that the create phase also includes modification and alteration of the data. It is not necessary to agree; many do not. However, this exam is a joint venture between the CSA and ISC2, so it could be useful to know.
The store phase should be entered into as soon as the data is created. If the data needs to be stored for years into the future in case of need, then that storage is referred to as archival, or the archive phase.
Reference:
(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 67.
The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 59-60.
Marsha works for a large automobile manufacturer. They have experienced a data breach that has resulted in names, addresses, Vehicle Identification Numbers (VINs), model, year, and color as well as other information being in the hands of a bad actor. This occurred because of another corporation’s mishandling of the data. This other corporation handles part of the operations for the manufacturing company. This other corporation left it exposed on an internet-accessible site.
What security issue is this?
A. Accidental cloud data disclosure
B. System vulnerabilities
C. Cloud storage data exfiltration
D. Unsecured third-party resources
D. Unsecured third-party resources
Explanation:
This is a third-party issue. The third party, the other corporation, mishandled the data. They left it unsecured on a third-party site. This is the best answer because of the other corporation’s involvement.
This could be considered accidental cloud data disclosure. However, the Cloud Security Alliance (CSA), in their Pandemic 11 list, has cloud data disclosure as a problem from within a corporation. If the original company had left the data on the internet unsecured, then they are at fault.
This is not cloud storage data exfiltration because the CSA looks at that as simply a company mishandling data that leads to the exposure of storage resources. Again, the big distinction is actually the handling of the data by another corporation.
System vulnerabilities include issues within the software, the code, the library, the binaries, etc. There is no problem like that in this scenario. This is an unsecured issue from the third party’s handling of the data.
Reference:
(ISC)² CCSP Certified Cloud Security Professional Official Study Guide, 3rd Edition. Pg 105-106.
The Official (ISC)² CCSP CBK Reference, 4th Edition. Pg 142.
At which stage of the incident response process will the IRT work to bring the organization back to a secure state, including fixing the underlying cause of the incident?
A. Detect
B. Recover
C. Respond
D. Post-Incident
B. Recover
Explanation:
An incident response plan (IRP) should lay out the steps that the incident response team (IRT) should carry out during each step of the incident management process. This process is commonly broken up into several steps, including:
Prepare: During the preparation stage, the organization develops and tests the IRP and forms the IRT.
Detect: Often, detection is performed by the security operations center (SOC), which performs ongoing security monitoring and alerts the IRT if an issue is discovered. Issues may also be raised by users, security researchers, or other third parties.
Respond: At this point, the IRT investigates the incident and develops a remediation strategy. This phase will also involve containing the incident and notifying relevant stakeholders.
Recover: During the recovery phase, the IRT takes steps to restore the organization to a secure state. This could include changing compromised passwords and similar steps. Additionally, the IRT works to address and remediate the underlying cause of the incident to ensure that it is completely fixed.
Post-Incident: After the incident, the IRT should document everything and perform a retrospective to identify potential room for improvement and try to identify and remediate the root cause to stop future incidents from happening.
A cloud services provider may be classified as which of the following roles?
A. Data Processor
B. Data Owner
C. Data Owner
D. Data Custodian
A. Data Processor
Explanation:
There are several roles and responsibilities related to data ownership, including:
Data Owner: The data owner creates or collects the data and is responsible for it.
Data Custodian: A data custodian is responsible for maintaining or administrating the data. This includes securing the data based on instructions from the data owner.
Data Steward: The data steward ensures that the data’s context and meaning are understood and that it is used properly.
Data Processor: A data processor uses the data, including manipulating, storing, or moving it. Cloud providers are data processors.
An organization implemented new system and communication protections that prevent users from altering and misconfiguring systems and communication processes. What type of protection did the organization implement?
A. Separation of system and user functionality
B. Boundary protection
C. Security function isolation
D. Denial of Service (DoS) protection
A. Separation of system and user functionality
Explanation:
Separating system and user functions is critical for system and communication security. This is separation of duties and is a key security concept that protects users from modifying or incorrectly configuring systems and communication processes.
In a way, this is security function isolation, but the proper security term is “separation of duty.”
Boundary protection would be a firewall, or something of that sort, at the edge of the network, Local Area Network (LAN), or subnet. In the cloud, boundary protections also exist at the edge of microsegments or security groups.
DoS protection is a good thing to have, but it is provided by firewalls, Intrusion Prevention Systems (IPS), or other products that can recognize the packets involved in a DoS attack and discard them to stop the attack.
In the cloud, there is a sharing of systems between all the tenants on a physical server. It is possible to allocate space within the Central Processing Unit (CPU) and memory for specific virtual machines and applications. If a virtual machine requires a certain minimum amount of space, it is necessary to create which of the following?
A. Pooling
B. Reservations
C. Shares
D. Limits
B. Reservations
Explanation:
If a certain Virtual Machine (VM) requires a certain amount of capability at all times, it is critical to allocate that to the VM. This is done through reservations.
Hypervisors allow for the creation of virtual machines within a server. They do that by creating pools (pooling) of resources. It is the abstraction of the physical capability of the machines (the CPU, memory, network, and so on). These pools are shared (shares) among the tenants within a server.
A limit can be placed on the VM so that it will not expand beyond a certain point. This is great to control costs so that there is not a surprise bill at the end of the month.
Nica has been hired by a law firm to manage their information security department. It has been determined that they will be closing down their on-premises data center after they complete their move to the cloud. This law firm handles legal affairs for a hospital located in the USA. Which laws are most relevant to this client?
A. The Health Information Portability and Accountability Act (HIPAA) and the Personal Information Protection and Electronic Act (PIPEDA)
B. The California Consumer Privacy Act (CCPA) and the Health Information Portability and Accountability Act (HIPAA)
C. Sarbanes Oxley (SOX) and the Gramm Leach and Bliley Act (GLBA)
D. The Personal Information Protection and Electronic Act (PIPEDA) and Sarbanes Oxley (SOX)
B. The California Consumer Privacy Act (CCPA) and the Health Information Portability and Accountability Act (HIPAA)
Explanation:
Correct answer: The California Consumer Privacy Act (CCPA) and the Health Information Portability and Accountability Act (HIPAA)
CCPA and HIPAA are the best match to a hospital in the US. The assumption is that the hospital is in California, so it is unlikely to be the other combination of laws. PIPEDA is from Canada.
SOX relates to US businesses, but it is related to financial integrity. GLBA is from the US as well, but it is about protecting the personal information of customers from financial services companies. A hospital could be a financial services company if it sets up payment plans for its customers. It is arguable that SOX does apply to a hospital, but HIPAA absolutely matches the hospital.
Habib has been configuring their Infrastructure as a Service (IaaS) virtual servers. He has connected these servers in a way that the traffic will be distributed evenly between them when they are in production. What is he configuring?
A. High performance
B. Resilience
C. Clustering
D. Load balancing
D. Load balancing
Explanation:
A load-balanced cluster, also known as a load-balanced cluster environment, is a configuration that distributes incoming network traffic across multiple servers or nodes to achieve improved performance, scalability, and availability. In this setup, the cluster operates as a single logical unit, with each server or node sharing the workload and responding to client requests.
Having the servers sharing the load of traffic does provide resilience to the environment. However, what Habib is configuring is load balancing.
With load balancing in place, there can be a higher level of performance, but what Habib is configuring is load balancing.
A cluster is at least two servers working together, but what Habib is configuring is load balancing. The focus of the question is that traffic will be distributed.
Which of the following is MOST relevant to an organization’s network of applications and APIs in the cloud?
A. Physical Access
B. User Access
C. Service Access
D. Privilege Access
C. Service Access
Explanation:
Key components of an identity and access management (IAM) policy in the cloud include:
User Access: User access refers to managing the access and permissions that individual users have within a cloud environment. This can use the cloud provider’s IAM system or a federated system that uses the customer’s IAM system to manage access to cloud services, systems, and other resources.
Privilege Access: Privileged accounts have more access and control in the cloud, potentially including management of cloud security controls. These can be controlled in the same way as user accounts but should also include stronger access security controls, such as mandatory multi-factor authentication (MFA) and greater monitoring.
Service Access: Service accounts are used by applications that need access to various resources. Cloud environments commonly rely heavily on microservices and APIs, making managing service access essential in the cloud.
Physical access to cloud servers is the responsibility of the cloud service provider, not the customer.
Which regulation would be used to build a risk-based policy for cost-effective security for government agencies?
A. Gramm-Leach-Bliley Act (GLBA)
B. Federal Information Security Management Act (FISMA)
C. Health Information Portability Accountability Act (HIPAA)
D. Protected Health Information (PHI)
B. Federal Information Security Management Act (FISMA)
Explanation:
US government agencies must build risk-based policies for cost-effective security. Government agencies are not immune to bad actors attacking them. In the past, the security within government agencies was not very good, so this regulation demands that they do better.
GLBA is an extension to Sarbanes-Oxley that demands that personal data be protected with the financial data. The HIPAA requires that Protected Health Information (PHI) be protected.
An organization is building a new data center. They need to ensure that proper heating and cooling are implemented. What is the recommended minimum and maximum temperature for a data center?
A. 64.4-80.6 degrees F/18-27 degrees C
B. 60.1-75.2 degrees F/15-24 degrees C
C. 62.2-81.0 degrees F/16-27 degrees C
D. 59.5-79.5 degrees F/15-26 degrees C
A. 64.4-80.6 degrees F/18-27 degrees C
Explanation:
Correct answer: 64.4-80.6 degrees F/18-27 degrees C
According to ASHRAE (American Society of Heating, Refrigerating, and Air-Conditioning Engineers), the recommended temperature for a data center is a minimum of 64.4 degrees F and a maximum of 80.6 degrees F. This is 18-27 degrees C.
It is possible that you need this for the test. A common question is “Do I need to learn the other measurement standards?” (If I know Fahrenheit, do I have to learn Celsius and vice versa?) If it is on the test, you’ll want to know both measurements.
In the shared responsibility model, the consumer will always be responsible for what in the following service models: Infrastructure as a Service (IaaS), Software as a Service (SaaS,) and Platform as a Service (PaaS) models?
A. Platform security
B. Governance, Risk management, and Compliance (GRC)
C. Identity and access management
D. Application security
B. Governance, Risk management, and Compliance (GRC)
Explanation:
Correct answer: Governance, Risk management, and Compliance (GRC)
In any cloud deployment model, IaaS, PaaS, or SaaS, the cloud consumer will be responsible for any control over the data they store in the cloud. This requires that they do their Governance, Risk management, and Compliance (GRC).
Application security is shared between the customer and the cloud provider and includes setting up and managing identity and access management.
Platform security is the responsibility of the provider in SaaS. It is a shared responsibility in PaaS and the customer’s responsibility in IaaS.