Question 1

The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on __________. A. Number of transactions per year B. Dollar value of transactions per year C. Geographic location D. Jurisdiction

Accepted Answer

A: Number of transactions per year The four merchant levels in PCI are distinguished by the number of transactions that merchant conducts in a year.

Question 2

For business continuity and disaster recovery (BCDR) purposes, the contract between cloud provider and customer should include all of the following EXCEPT __________. A. Which party will be responsible for initiating a BCDR response activity B. How a BCDR response will be initiated C. How soon the customer's data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service D. How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event

Accepted Answer

D: How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event. The contract between cloud customer and current cloud provider has no bearing on what the customer will have to pay a new provider.

Question 3

Which of the following is NOT a factor an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment? A. Pooled resources in the cloud B. Shifting from CapEx to OpEx to support IT expenditures C. The time savings and efficiencies offered by the cloud service D. Branding associated with which cloud provider might be selected

Accepted Answer

D: Branding associated with which cloud provider might be selected Brand value is not part of standard cost-benefit analysis.

Question 4

Which of the following is an aspect of IT costs that should be reduced by moving to the cloud? A. Personnel training B. Personnel turnover C. Loss due to depreciation of IT assets D. Loss due to an internal data breach

Accepted Answer

C: Loss due to depreciation of IT assets Constant reinvestment in IT assets (which are almost always obsolete by the time they're marketed, much less by the time they're deployed in operational environments) is plagued with losses due to depreciation the systems never retain the value of their initial price. Moving to cloud reduces this cost considerably.

Question 5

Why might an organization choose to comply with NIST SP 800-series standards? A. Price B. Ease of implementation C. International acceptance D. Speed

Accepted Answer

A: Price The NIST standards are not particularly easy or fast to implement (in fact, they require continual improvement), and they are not recognized or mandated outside of the US government federal sector.

Question 6

Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework? A. ISO 27002 B. Payment Card Industry Data Security Standard (PCI DSS) C. NIST SP 800-37 D. Health Insurance Portability and Accountability Act (HIPAA)

Accepted Answer

A: ISO 27002 ISO 27002 is used for choosing security controls in order to comply with the ISMS, which is contained in ISO 27001.

Question 7

The Statement on Auditing Standards (SAS) 70, published by the American Institute of Certified Public Accountants (AICPA), was, for a long time, the definitive audit standard for data center customers. It was replaced in 2011 by the __________. A. SABSA B. SSAE 16 C. Biba D. NIST SP 800-53

Accepted Answer

B: SSAE 16 SSAE 16 replaced SAS 70 as the preferred audit standard for data center customers in 2011; it is scheduled to be replaced by the end of 2018, by SSAE 18.

Question 8

Which US federal law instigated the change from SAS 70 audit standard to SSAE 16? A. NIST 800-53 B. HIPAA C. Sarbanes-Oxley Act (SOX) D. Gramm-Leach-Bliley Act (GLBA)

Accepted Answer

C: Sarbanes-Oxley Act (SOX) This question is a bit more oblique than some of the others and requires the candidate to have some depth of understanding of laws, regulations, and standards. SOX was the congressional response to several high-profile scandals involving publicly traded corporations involved in nefarious activities, in collusion with or not truly addressed by the auditors who should have reported this behavior. As a result of SOX, the American Institute of Certified Public Accountants changed from SAS 70 standard to SSAE 16.

Question 9

The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you MOST like to see? A. SOC 1 B. SOC 2, Type 1 C. SOC 2, Type 2 D. SOC 3

Accepted Answer

C: SOC 2, Type 2 The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.

Question 10

The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). You are an IT security professional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 16 audits and some haven't, which SOC report might be the best to use for your initial review of several different cloud providers, in order to narrow down the field of potential services in a fast, easy way? A. SOC 1 B. SOC 2, Type 1 C. SOC 2, Type 2 D. SOC 3

Accepted Answer

D: SOC 3 The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.

Question 11

The Payment Card Industry Data Security Standard (PCI DSS) merchant levels are based on __________. A. Dollar value of transactions over the course of a year B. Number of transactions over the course of a year C. Location of the merchant or processor D. Dollar value and number of transactions over the course of a year

Accepted Answer

B: Number of transactions over the course of a year

Question 12

Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party? A. 1 B. 3 C. 5 D. 7

Accepted Answer

D: 7

Question 13

What distinguishes the FIPS 140-2 security levels for cryptographic modules? A. The level of sensitivity of data they can be used to protect B. The amount of physical protection provided by the product, in terms of tamper resistance C. The size of the IT environment the product can be used to protect D. The geographic locations in which the product is permitted to be used

Accepted Answer

B: The amount of physical protection provided by the product, in terms of tamper resistance The security levels acknowledge different levels of physical protection offered by a crypto module, with 1 offering crypto functionality and no real physical protection and 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts.

Question 14

For the US government agencies, what level of data sensitivity / classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria? A. Controlled Unclassified Information (CUI) B. Secret C. Top Secret D. Sensitive Compartmentalized Information (SCI)

Accepted Answer

A: Controlled Unclassified Information (CUI) FIPS 140-2 is only for sensitive but unclassified (SBU) data such as CUI.

Question 15

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "insecure direct object references." Which of these is a method to counter the risks of insecure direct object references? A. Performing user security training B. Check access each time a direct object reference is called by an untrusted source. C. Install high-luminosity interior lighting throughout the facility. D. Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity.

Accepted Answer

B: Check access each time a direct object reference is called by an untrusted source. Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object.

Question 16

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "missing function level access control." Which of these is a technique to reduce the potential for a missing function level access control? A. Run a process as both user and privileged user, and determine similarity. B. Run automated monitoring and audit scripts. C. Include browser buttons / navigation elements to secure functions. D. Enhance user training to include personnel.

Accepted Answer

A: Run a process as both user and privileged user, and determine similarity. The above method will help you to determine if there are any functions that regular users should not have access to and thereby demonstrate that you are missing necessary controls.

Question 17

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "unvalidated redirects and forwards." Which of the following is a good way to protect against this problem? A. HTML escape all HTML attributes. B. Train users to recognize unvalidated links. C. Block all inbound resource requests. D. Implement audit logging.

Accepted Answer

B: Train users to recognize unvalidated links. Oddly enough, this may be a good topic to explain during user training; when an attacker is trying to conduct an attack by exploiting unvalidated redirects and forwards, it is often in conjunction with a social engineering / phishing attack.

Question 18

The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "unvalidated redirects and forwards." Which of the following is a good way to protect against this problem? A. Don't use redirects / forwards in your applications. B. Refrain from storing credentials long term. C. Implement security incident / event monitoring (security information and event management (SIEM) / security information management (SIM) / security event management (SEM) solutions. D. Implement digital rights management (DRM) solutions.

Accepted Answer

A: Don't use redirects / forwards in your applications. Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid this problem altogether, and, redirects / forwards are not necessary for efficient use.

Question 19

You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether your current applications in the on-premises environment will function properly with the providers's hosted systems and tools. This is a(n) __________ issue. A. Interoperability B. Portability C. Availability D. Security

Accepted Answer

A: Interoperability This is the definition of cloud migration interoperability challenges.

Question 20

You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider's data center. One of the challenges you're facing is whether the provider will have undue control over your data once it is within the provider's data center; will the provider be able to hold your organization hostage because they have your data? This is a(n) __________ issue. A. Interoperability B. Portability C. Availability D. Security

Accepted Answer

B: Portability This is the definition of cloud migration portability: the measure of how difficult is might be to move the organization's systems / data from a given cloud host to another cloud host.

Question 21

Privileged user account access should be _________. A. Temporary B. Pervasive C. Thorough D. Granular

Accepted Answer

A: Temporary Privileged users should only have privileged access to specific systems / data for the duration necessary to perform their administrative function; any longer incurs more risk than value.

Question 22

The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all of the following data breach notification requirements EXCEPT __________. A. Multiple state laws B. Contractual notification requirements C. All standards-based notification schemes D. Any applicable federal regulations

Accepted Answer

C: All standards-based notification schemes

Question 23

The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is NOT an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider? A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment B. Reviewing all contractual elements to appropriately define each party's roles, responsibilities, and requirements C. Assessing the provider's financial standing and soundness D. Vetting the cloud provider's administrators and personnel to ensure the same level of trust as legacy environment

Accepted Answer

D: Vetting the cloud provider's administrators and personnel to ensure the same level of trust as legacy environment The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control.

Question 24

The Cloud Security Alliance (CSA) publishes, the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they've selected goes out of business. What do we call this problem? A. Vendor lock-in B. Vendor lock-out C. Vendor incapacity D. Unscaled

Accepted Answer

B: Vendor lock-out This is the definition of vendor lock-out. Vendor lock-in is when data portability is limited, either through unfavorable contact language or technical limitations. Vendor incapacity and unscaled are not meaningful terms and are used as distractors.

Question 25

When should cloud providers allow PaaS customers shell access to the servers running their instances? A. Never B. Weekly C. Only when the contract stipulates that requirement D. Always

Accepted Answer

A: Never According to (ISC)2 CCSP Training Guide (page 60), PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multi-tenant environment.

Question 26

In PaaS environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on __________. A. International standards B. Federal regulations C. Organizational policies D. Federation directives

Accepted Answer

C: Organizational policies Organizational policies dictate rules for access entitlement.

Question 27

The cloud computing characteristic of elasticity promotes which aspect of the CIA triad? A. Confidentiality B. Integrity C. Availability D. None

Accepted Answer

D: None Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit.

Question 28

Your organization has migrated into a PaaS configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notification in accordance with all applicable laws? A. The network admin responsible B. The cloud provider C. The regulators overseeing your deployment D. Your organization

Accepted Answer

D: Your organization The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider may be liable for financial costs... but those damages can only be recovered long after the notifications have been made by the cloud customer.

Question 29

In performing vendor management and selection, one of the questions you, as the potential cloud customer, might ask is, "Does it seem as if this vendor is subject to any pending acquisitions or mergers?" In gather data to answer this question, what are you trying to avoid? A. Vendor lockout B. Due care C. Third-party dependencies D. Regulatory oversight

Accepted Answer

A: Vendor lockout Vendor lockout can occur when your provider no longer offers the service for which you contracted; it is possible that a merger or acquisition of your provider might lead to that circumstance.

Question 30

The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. The different merchant tier requirements will dictate __________. A. Different types of audits each must conduct B. Different amount of audits each must conduct C. Different control sets based on tier level D. Different cost of controls based on tier level

Accepted Answer

B: Different amount of audits each must conduct Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.

Question 31

The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Approximately how many controls are listed in the PCI DSS? A. Around a dozen B. About 20 C. About 100 D. Over 200

Accepted Answer

D: Over 200

Question 32

Which US federal government entity was the regulator for the American Safe Harbor program and is now in charge of administering the Privacy Shield program? A. State Department B. Privacy Protection Office C. Federal Trade Commission D. Department of Health and Human Services

Accepted Answer

C: Federal Trade Commission

Question 33

Using cloud storage is considered __________ under most privacy frameworks and laws. A. Illegal B. Data collection C. Opt-in D. Processing

Accepted Answer

D: Processing Processing includes any manipulation, use, movement, or alteration of data -- i.e. pretty much anything that can be done with or to data is "processing" (including making and manipulating hard-copy versions of data).

Question 34

The Safe Harbor program, while no longer used, allowed US companies to collect and process privacy information about EU citizens. The program was included in which law? A. FISMA B. The EU Data Directive C. HIPAA D. Sarbanes-Oxley Act

Accepted Answer

B: The EU Data Directive

Question 35

Which of the following should NOT be true about any tests performed during forensic analysis? A. tests should be repeatable by opposing attorneys B. tests should be standard to the forensics industry C. tests should be performed by trained, certified professionals D. tests should be tailored and customized for specific purposes

Accepted Answer

D: tests should be tailored and customized for specific purposes

Question 36

The Reporting phase of forensic investigation usually involves presenting findings to __________. A. Senior management B. Regulators C. The court D. Stakeholders

Accepted Answer

C: The court

Question 37

You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrong-doing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection / analysis. What should probably be your response? A. Yes. You want it because it gives you the most granular and comprehensive view of the pertinent data. B. Yes. You want to be able to inspect it before law enforcement has the opportunity to review it. C. No. You don't want the liability of possibly disclosing someone else's privacy data D. No. You don't want the liability of possibly damaging someone else's property

Accepted Answer

C: No. You don't want the liability of possibly disclosing someone else's privacy data. In a mult-tenant environment, it is quite likely that any particular piece of hardware will contain data from many customers. In this case, your company may become liable for violating privacy laws for accessing privacy data belonging to another cloud customer, which would increase your company's exposure (something that could be disastrous because the company is already under investigation).

Question 38

__________ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control. A. Due care B. Due diligence C. Liability D. Reciprocity

Accepted Answer

B: Due diligence Due care is about understanding and implementing common best practices (e.g. policies and standards); due diligence is the work of ensuring that these best practices are working as designed and are suited to your business. By looking to ensure that "protection is _applied_" -- i.e. that best practices are working as designed -- this is an example of due diligence. Liability is the measure of responsibility an entity has for providing due care; option C is incorrect. Answer D has no meaning in this context and is a distractor.

Question 39

You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purpose, this make the data __________. A. Inadmissible B. Less believable, if the changes aren't documented C. Harder to control D. Easily refutable

Accepted Answer

B: Less believable, if the changes aren't documented All forensics processes and activity should be documented with extreme scrutiny. It is very important for your actions to be documented and repeatable in order for them to remain credible. Evidence is only inadmissible if it has no probative value; that is, if it has no bearing on the case. Modified data is still admissible, as long as the modification process was documented and presented along with the evidence.

Question 40

In some jurisdictions, it is mandatory that personnel conducting forensic analysis collection or analysis have a proper __________. A. Training credential B. License C. Background check D. Approved toolset

Accepted Answer

B: License There are certain jurisdictions where forensic data / IT analysis requires licensure (the stats of Texas and Michigan, for example); it is important for you to determine whether this is the case in your jurisdiction before proceeding with any forensic efforts.

Question 41

When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize ___________. A. Electronic data B. Hardware C. Electronic data and the hardware on which it resides D. Only data extracted from hardware

Accepted Answer

C: Electronic data and the hardware on which it resides Courts can issue seizure orders for anything and everything -- i.e. favor the answer with the most expansive authority. A and B are too limited; D is absurd.

Question 42

Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case. Which security control mechanism may also be useful in the e-discovery effort? A. Trained and aware personnel B. An egress monitoring solution (DLP) C. A digital rights management (DRM) solution D. A multifactor authentication implementation

Accepted Answer

B: An egress monitoring solution (DLP) Typically, a discovery tool is a primary component of a DLP solution. All other options describe important facets of an overall organizational security program but are not especially helpful in e-discovery efforts.

Question 43

You are the security manager for a software company that uses PaaS in a public cloud service. Your company's general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with __________ as well as the lawsuit. A. Spoliation B. Fraud C. Jurisdiction D. Recompositing

Accepted Answer

A: Spoliation "Spoliation" is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the ground for another lawsuit.

Question 44

You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month. Which law is applicable in this instance? A. Belgian law B. The General Data Protection Act C. NIST SP 800-53 D. The Federal Information Systems Management Act

Accepted Answer

B: The General Data Protection Act

Question 45

You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft. The prosecutor can use the material you delivered because of __________. A. The doctrine of plain view B. The silver platter doctrine C. The General Data Protection Act D. The Federal Information System Management Act

Accepted Answer

B: The silver platter doctrine The "silver platter doctrine" allows law enforcement to act on probable cause when evidence of a crime is within their presence; option A is incorrect.

Question 46

You are the security manager for a retail sales company that uses a SaaS public cloud service. One of your employees uploads sensitive information they were NOT authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefitting the administrator and causing harm to your organization. After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$ 125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation. If the jury determines that 25 percent of the evidence shows that the situation was your organization's fault and 75 percent of the evidence shows that the situation was the cloud provider's fault, what is the likely outcome? A. Your organization owes the cloud provider $31,250 B. The cloud provider owes your organization $93,750 C. Neither side owes the other party anything D. The cloud provider owes your organization $125,000

Accepted Answer

D: The cloud provider owes your organization $125,000 Except in jurisdictions where contributory negligence is a factor in the proceedings, civil courts use a standard of "preponderance of evidence," so the entity that has a simple majority of fault (51 percent or more) is responsible for the full weight of the breach.

Question 47

What was the first international privacy standard specifically for cloud providers? A. NIST SP 800-37 B. PIPEDA C. PCI D. ISO 27018

Accepted Answer

D: ISO 27018 ISO 27018 breaks down privacy requirements for cloud providers, including an annual audit mandate.

Question 48

Who should perform the gap analysis following an audit? A. The security office B. The auditor C. A department other than the audit target D. An external audit body, other than the original auditor

Accepted Answer

C: A department other than the audit target Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, where the personnel in the target department may be constrained by habit and tradition.

Question 49

You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the CSA STAR program, the Uptime Institute's Tier certification motif, and __________. A. NIST Risk Management Framework (SP 800-37) B. FedRAMP C. ISO 27034 D. EuroCloud Star Audit program

Accepted Answer

D: EuroCloud Star Audit program The ECSA is designed as a cloud service certification motif for organizations located in Europe. NIST (which also administers FedRAMP) is designed specifically for federal agencies in the United States and is not applicable to European providers. ISO 27034 deals with an organization's use of security controls for software; while this may be pertinent to your organization, it is not a comprehensive view of cloud services and is not as beneficial or equivalent to the CSA STAR or Uptime Institute certification.

Question 50

An audit against the __________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements. A. SAS 70 standard B. SSAE 16 standard C. ISO 27002 certification criteria D. NIST SP 800-53

Accepted Answer

C: ISO 27002 certification criteria The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001. The SAS 70 and SSAE 16 are audit standards for service providers and include review of some security controls but does not constitute a cohesive program review -- and, the SAS 70 is outdated. NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37.

Question 51

You're a sophomore at a small, private, medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student? A. Sarbanes-Oxley Act (SOX) B. Health Information Portability and Accountability Act (HIPAA) C. Payment Card Industry Data Security Standards (PCI DSS) D. Family Educational Rights and Privacy Act (FERPA)

Accepted Answer

A: Sarbanes-Oxley Act (SOX)

Question 52

In the United States, who manages the Safe Harbor / Privacy Shield program for voluntary compliance with EU data privacy laws? A. Department of State B. Department of Interior C. Department of Trade D. Department of Commerce

Accepted Answer

D: Department of Commerce

Question 53

Which of the following countries does NOT have a federal privacy law that complies with the EU Data Directive/Privacy Regulations? A. Argentina B. Israel C. Australia D. Brazil

Accepted Answer

D: Brazil

Question 54

Which of the following is NOT a way in which an entity located outside the EU can be allowed to gather / process privacy data belonging to EU citizens? A. Be located in a country with a nationwide law that complies with the EU laws B. Appeal to the EU High Court for permission C. Create binding contractual language that complies with the EU laws D. Join the Safe Harbor / Privacy Shield program in its own country

Accepted Answer

B: Appeal to the EU High Court for permission The EU Data Directive and General Privacy Regulation prohibit entities within a country that has no nationwide privacy law from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met: Their own country has nationwide laws that comply with the EU laws. The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data. The entity voluntarily subscribes to its own nation's Safe Harbor / Privacy Shield program. There is no process for the entity to appeal to the EU for permission to do so, however.

Question 55

The Organization for Economic Cooperation and Development (OECD) is a multinational entity that creates non-binding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the __________. A. Transient data principle B. Security safeguards principle C. Longtrack resiliency principle D. Arbitrary insulation principle

Accepted Answer

B: Security safeguards principle The principles are: ``` Collection limitation principle Data quality principle Use limitation principle Security safeguards principle Openness principle Individual participation principle Accountability principle ```

Question 56

Which one of the following technologies allows you to utilize your existing TCP / IP network to manage data storage elements using IP traffic? A. Internet Small Computer System Interface (iSCSI) B. Fibre Channel C. Fibre Channel over Ethernet (FCoE) D. Storage area networks (SAN)

Accepted Answer

A: Internet Small Computer System Interface (iSCSI)

Question 57

The current American Institute of Certified Public Accountants (APICA) standard was created in reaction to what US federal law? A. Gramm-Leach-Bliley Act (GLBA) B. Sarbanes-Oxley Act (SOX) C. Family Education Rights and Privacy Act (FERPA) D. Payment Card Industry Data Security Standards (PCI DSS)

Accepted Answer

B: Sarbanes-Oxley Act (SOX) SSAE 16 was created by the APICA in direct response to new guidance in SOX.

Question 58

What is the PRIMARY incident response goal? A. Remediating the incident B. Reverting to the last known good state C. Determining the scope of the possible loss D. Outcomes dictated by business requirements

Accepted Answer

D: Outcomes dictated by business requirements Not an easy question: Different industries and different organizations will have different goals. Each organization will determine for itself what the primary goal of incident response will be, and this might differ from incident to incident, depending on the nature of the incident itself.

Question 59

You are in charge of building a cloud data center. Which raised floor level is sufficient to meet standard requirements? A. 10 inches B. 8 inches C. 18 inches D. 2 feet

Accepted Answer

D: 2 feet

Question 60

An event is something that can be measured within the environment. An incident is a(n) __________ event. A. Deleterious B. Negative C. Unscheduled D. Major

Accepted Answer

C: Unscheduled All activity in the environment can be considered events. Any event that was not planned or known is an incident.

Question 61

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which of the following functionalities will you consider absolutely essential? A. DDoS protections B. Constant data mirroring C. Encryption D. Hashing

Accepted Answer

C: Encryption If your company is involved in e-commerce, it is almost impossible that you are not using credit cards for online transactions; ergo, PCI DSS applies and encryption or tokenization will be required.

Question 62

You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your company has decided to expand its business to include selling and monitoring life-support equipment for medical providers. What characteristic do you need to ensure is offered by your cloud provider? A. Full automation of security controls within the cloud data center B. Tier 4 of the Uptime Institute certifications C. Global remote access D. Prevention of ransomware infections

Accepted Answer

B: Tier 4 of the Uptime Institute certifications The changing nature of your business will require a much more stringent set of operating standards, to include an increase in Uptime Institute Tier levels; because you're no longer just using the cloud for backup and long-term storage and are now using it in direct support of health and human safety, Tier 4 is required.

Question 63

When designing a cloud data center, which of the following aspects is NOT necessary to ensure continuity of operations? A. Access to clean water B. Broadband data connection C. Extended battery backup D. Physical access to the data center

Accepted Answer

C: Extended battery backup Backup powers does not have to be delivered by batteries; it can be fed to the data center through redundant utility lines or from a generator.

Question 64

You are the security manager for a small surgical center. Your organization is reviewing upgrade options for its current, on-premises data center. In order to best meet your needs, which one of the following options would you recommend to senior management? A. Building a completely new data center B. Leasing a data center that is currently owned by another firm C. Renting private cloud space in a Tier 2 data center D. Staying with the current data center

Accepted Answer

A: Building a completely new data center This answer is arrived at through a process of elimination: B is not optimal because of potential for vendor lock-in, restrictions on buildout, and privacy concerns. C is not optimal because Tier 2 is not sufficient for medical use. D is not optimal because there must be a reason to consider a new option.

Sample Exam Questions Flashcards

Test your knowledge and get to learn the style of the test makers.

Brainscape's Knowledge GenomeTM

Sample Exam Questions Flashcards

Test your knowledge and get to learn the style of the test makers.

Brainscape's Knowledge Genome^TM