Sample Exam Questions Flashcards
Test your knowledge and get to learn the style of the test makers.
The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on __________.
A. Number of transactions per year
B. Dollar value of transactions per year
C. Geographic location
D. Jurisdiction
A: Number of transactions per year
The four merchant levels in PCI are distinguished by the number of transactions that merchant conducts in a year.
For business continuity and disaster recovery (BCDR) purposes, the contract between cloud provider and customer should include all of the following EXCEPT __________.
A. Which party will be responsible for initiating a BCDR response activity
B. How a BCDR response will be initiated
C. How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service
D. How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event
D: How much a new cloud provider will charge the customer in the event data has to be ported from the current cloud provider because of a disruptive event.
The contract between cloud customer and current cloud provider has no bearing on what the customer will have to pay a new provider.
Which of the following is NOT a factor an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from CapEx to OpEx to support IT expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected
D: Branding associated with which cloud provider might be selected
Brand value is not part of standard cost-benefit analysis.
Which of the following is an aspect of IT costs that should be reduced by moving to the cloud?
A. Personnel training
B. Personnel turnover
C. Loss due to depreciation of IT assets
D. Loss due to an internal data breach
C: Loss due to depreciation of IT assets
Constant reinvestment in IT assets (which are almost always obsolete by the time they’re marketed, much less by the time they’re deployed in operational environments) is plagued with losses due to depreciation; the systems never retain the value of their initial price. Moving to the cloud reduces this cost considerably.
Why might an organization choose to comply with NIST SP 800-series standards?
A. Price
B. Ease of implementation
C. International acceptance
D. Speed
A: Price
The NIST standards are not particularly easy or fast to implement (in fact, they require continual improvement), and they are not recognized or mandated outside of the US government federal sector.
Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?
A. ISO 27002
B. Payment Card Industry Data Security Standard (PCI DSS)
C. NIST SP 800-37
D. Health Insurance Portability and Accountability Act (HIPAA)
A: ISO 27002
ISO 27002 is used for choosing security controls in order to comply with the ISMS, which is contained in ISO 27001.
The Statement on Auditing Standards (SAS) 70, published by the American Institute of Certified Public Accountants (AICPA), was, for a long time, the definitive audit standard for data center customers. It was replaced in 2011 by the __________.
A. SABSA
B. SSAE 16
C. Biba
D. NIST SP 800-53
B: SSAE 16
SSAE 16 replaced SAS 70 as the preferred audit standard for data center customers in 2011; it is scheduled to be replaced by SSAE 18 by the end of 2018.
Which US federal law instigated the change from SAS 70 audit standard to SSAE 16?
A. NIST 800-53
B. HIPAA
C. Sarbanes-Oxley Act (SOX)
D. Gramm-Leach-Bliley Act (GLBA)
C: Sarbanes-Oxley Act (SOX)
This question is a bit more oblique than some of the others and requires the candidate to have some depth of understanding of laws, regulations, and standards. SOX was the congressional response to several high-profile scandals involving publicly traded corporations involved in nefarious activities, in collusion with or not truly addressed by the auditors who should have reported this behavior. As a result of SOX, the American Institute of Certified Public Accountants changed from SAS 70 standard to SSAE 16.
The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud provider, which report would you MOST like to see?
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
C: SOC 2, Type 2
The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.
The SSAE 16 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). You are an IT security professional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 16 audits and some haven’t, which SOC report might be the best to use for your initial review of several different cloud providers, in order to narrow down the field of potential services in a fast, easy way?
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
D: SOC 3
The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.
The Payment Card Industry Data Security Standard (PCI DSS) merchant levels are based on __________.
A. Dollar value of transactions over the course of a year
B. Number of transactions over the course of a year
C. Location of the merchant or processor
D. Dollar value and number of transactions over the course of a year
B: Number of transactions over the course of a year
Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party?
A. 1
B. 3
C. 5
D. 7
D: 7
What distinguishes the FIPS 140-2 security levels for cryptographic modules?
A. The level of sensitivity of data they can be used to protect
B. The amount of physical protection provided by the product, in terms of tamper resistance
C. The size of the IT environment the product can be used to protect
D. The geographic locations in which the product is permitted to be used
B: The amount of physical protection provided by the product, in terms of tamper resistance
The security levels acknowledge different levels of physical protection offered by a crypto module, with 1 offering crypto functionality and no real physical protection and 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts.
For the US government agencies, what level of data sensitivity / classification may be processed by cryptographic modules certified according to the FIPS 140-2 criteria?
A. Controlled Unclassified Information (CUI)
B. Secret
C. Top Secret
D. Sensitive Compartmentalized Information (SCI)
A: Controlled Unclassified Information (CUI)
FIPS 140-2 is only for sensitive but unclassified (SBU) data such as CUI.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “insecure direct object references.” Which of these is a method to counter the risks of insecure direct object references?
A. Performing user security training
B. Check access each time a direct object reference is called by an untrusted source.
C. Install high-luminosity interior lighting throughout the facility.
D. Append each object with sufficient metadata to properly categorize and classify based on asset value and sensitivity.
B: Check access each time a direct object reference is called by an untrusted source.
Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “missing function level access control.” Which of these is a technique to reduce the potential for a missing function level access control?
A. Run a process as both user and privileged user, and determine similarity.
B. Run automated monitoring and audit scripts.
C. Include browser buttons / navigation elements to secure functions.
D. Enhance user training to include personnel.
A: Run a process as both user and privileged user, and determine similarity.
The above method will help you to determine if there are any functions that regular users should not have access to and thereby demonstrate that you are missing necessary controls.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?
A. HTML escape all HTML attributes.
B. Train users to recognize unvalidated links.
C. Block all inbound resource requests.
D. Implement audit logging.
B: Train users to recognize unvalidated links.
Oddly enough, this may be a good topic to explain during user training; when an attacker is trying to conduct an attack by exploiting unvalidated redirects and forwards, it is often in conjunction with a social engineering / phishing attack.
The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes “unvalidated redirects and forwards.” Which of the following is a good way to protect against this problem?
A. Don’t use redirects / forwards in your applications.
B. Refrain from storing credentials long term.
C. Implement security incident / event monitoring (security information and event management (SIEM) / security information management (SIM) / security event management (SEM)) solutions.
D. Implement digital rights management (DRM) solutions.
A: Don’t use redirects / forwards in your applications.
Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid this problem altogether, and redirects / forwards are not necessary for efficient use.
You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether your current applications in the on-premises environment will function properly with the provider’s hosted systems and tools. This is a(n) __________ issue.
A. Interoperability
B. Portability
C. Availability
D. Security
A: Interoperability
This is the definition of cloud migration interoperability challenges.
You are the security subject matter expert (SME) for an organization considering a transition from the legacy environment into a hosted cloud provider’s data center. One of the challenges you’re facing is whether the provider will have undue control over your data once it is within the provider’s data center; will the provider be able to hold your organization hostage because they have your data? This is a(n) __________ issue.
A. Interoperability
B. Portability
C. Availability
D. Security
B: Portability
This is the definition of cloud migration portability: the measure of how difficult it might be to move the organization’s systems / data from a given cloud host to another cloud host.
Privileged user account access should be _________.
A. Temporary
B. Pervasive
C. Thorough
D. Granular
A: Temporary
Privileged users should only have privileged access to specific systems / data for the duration necessary to perform their administrative function; any longer incurs more risk than value.
The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, in the event of a data breach, a cloud customer will likely need to comply with all of the following data breach notification requirements EXCEPT __________.
A. Multiple state laws
B. Contractual notification requirements
C. All standards-based notification schemes
D. Any applicable federal regulations
C: All standards-based notification schemes
The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. According to the CSA, which of the following is NOT an aspect of due diligence that the cloud customer should be concerned with when considering a migration to a cloud provider?
A. Ensuring that any legacy applications are not dependent on internal security controls before moving them to the cloud environment
B. Reviewing all contractual elements to appropriately define each party’s roles, responsibilities, and requirements
C. Assessing the provider’s financial standing and soundness
D. Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as legacy environment
D: Vetting the cloud provider’s administrators and personnel to ensure the same level of trust as legacy environment
The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control.
The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they’ve selected goes out of business. What do we call this problem?
A. Vendor lock-in
B. Vendor lock-out
C. Vendor incapacity
D. Unscaled
B: Vendor lock-out
This is the definition of vendor lock-out.
Vendor lock-in is when data portability is limited, either through unfavorable contract language or technical limitations.
Vendor incapacity and unscaled are not meaningful terms and are used as distractors.
When should cloud providers allow PaaS customers shell access to the servers running their instances?
A. Never
B. Weekly
C. Only when the contract stipulates that requirement
D. Always
A: Never
According to (ISC)2 CCSP Training Guide (page 60), PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multi-tenant environment.
In a PaaS environment, user access management often requires that data about user activity be collected, analyzed, audited, and reported against rule-based criteria. These criteria are usually based on __________.
A. International standards
B. Federal regulations
C. Organizational policies
D. Federation directives
C: Organizational policies
Organizational policies dictate rules for access entitlement.
The cloud computing characteristic of elasticity promotes which aspect of the CIA triad?
A. Confidentiality
B. Integrity
C. Availability
D. None
D: None
Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit.
Your organization has migrated into a PaaS configuration. A network administrator within the cloud provider has accessed your data and sold a list of your users to a competitor. Who is required to make data breach notification in accordance with all applicable laws?
A. The network admin responsible
B. The cloud provider
C. The regulators overseeing your deployment
D. Your organization
D: Your organization
The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider may be liable for financial costs… but those damages can only be recovered long after the notifications have been made by the cloud customer.
In performing vendor management and selection, one of the questions you, as the potential cloud customer, might ask is, “Does it seem as if this vendor is subject to any pending acquisitions or mergers?” In gathering data to answer this question, what are you trying to avoid?
A. Vendor lockout
B. Due care
C. Third-party dependencies
D. Regulatory oversight
A: Vendor lockout
Vendor lockout can occur when your provider no longer offers the service for which you contracted; it is possible that a merger or acquisition of your provider might lead to that circumstance.
The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements.
The different merchant tier requirements will dictate __________.
A. Different types of audits each must conduct
B. Different amount of audits each must conduct
C. Different control sets based on tier level
D. Different cost of controls based on tier level
B: Different amount of audits each must conduct
Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.
The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements.
Approximately how many controls are listed in the PCI DSS?
A. Around a dozen
B. About 20
C. About 100
D. Over 200
D: Over 200
Which US federal government entity was the regulator for the American Safe Harbor program and is now in charge of administering the Privacy Shield program?
A. State Department
B. Privacy Protection Office
C. Federal Trade Commission
D. Department of Health and Human Services
C: Federal Trade Commission
Using cloud storage is considered __________ under most privacy frameworks and laws.
A. Illegal
B. Data collection
C. Opt-in
D. Processing
D: Processing
Processing includes any manipulation, use, movement, or alteration of data – i.e. pretty much anything that can be done with or to data is “processing” (including making and manipulating hard-copy versions of data).
The Safe Harbor program, while no longer used, allowed US companies to collect and process privacy information about EU citizens. The program was included in which law?
A. FISMA
B. The EU Data Directive
C. HIPAA
D. Sarbanes-Oxley Act
B: The EU Data Directive
Which of the following should NOT be true about any tests performed during forensic analysis?
A. Tests should be repeatable by opposing attorneys
B. Tests should be standard to the forensics industry
C. Tests should be performed by trained, certified professionals
D. Tests should be tailored and customized for specific purposes
D: Tests should be tailored and customized for specific purposes
The Reporting phase of forensic investigation usually involves presenting findings to __________.
A. Senior management
B. Regulators
C. The court
D. Stakeholders
C: The court
You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrong-doing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection / analysis.
What should probably be your response?
A. Yes. You want it because it gives you the most granular and comprehensive view of the pertinent data.
B. Yes. You want to be able to inspect it before law enforcement has the opportunity to review it.
C. No. You don’t want the liability of possibly disclosing someone else’s privacy data
D. No. You don’t want the liability of possibly damaging someone else’s property
C: No. You don’t want the liability of possibly disclosing someone else’s privacy data.
In a multi-tenant environment, it is quite likely that any particular piece of hardware will contain data from many customers. In this case, your company may become liable for violating privacy laws for accessing privacy data belonging to another cloud customer, which would increase your company’s exposure (something that could be disastrous because the company is already under investigation).
__________ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control.
A. Due care
B. Due diligence
C. Liability
D. Reciprocity
B: Due diligence
Due care is about understanding and implementing common best practices (e.g. policies and standards); due diligence is the work of ensuring that these best practices are working as designed and are suited to your business. By looking to ensure that “protection is applied” – i.e. that best practices are working as designed – this is an example of due diligence.
Liability is the measure of responsibility an entity has for providing due care; option C is incorrect.
Answer D has no meaning in this context and is a distractor.
You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purposes, this makes the data __________.
A. Inadmissible
B. Less believable, if the changes aren’t documented
C. Harder to control
D. Easily refutable
B: Less believable, if the changes aren’t documented
All forensics processes and activity should be documented with extreme scrutiny. It is very important for your actions to be documented and repeatable in order for them to remain credible.
Evidence is only inadmissible if it has no probative value; that is, if it has no bearing on the case. Modified data is still admissible, as long as the modification process was documented and presented along with the evidence.
In some jurisdictions, it is mandatory that personnel conducting forensic data collection or analysis have a proper __________.
A. Training credential
B. License
C. Background check
D. Approved toolset
B: License
There are certain jurisdictions where forensic data / IT analysis requires licensure (the states of Texas and Michigan, for example); it is important for you to determine whether this is the case in your jurisdiction before proceeding with any forensic efforts.
When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize ___________.
A. Electronic data
B. Hardware
C. Electronic data and the hardware on which it resides
D. Only data extracted from hardware
C: Electronic data and the hardware on which it resides
Courts can issue seizure orders for anything and everything – i.e. favor the answer with the most expansive authority.
A and B are too limited; D is absurd.
Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case.
Which security control mechanism may also be useful in the e-discovery effort?
A. Trained and aware personnel
B. An egress monitoring solution (DLP)
C. A digital rights management (DRM) solution
D. A multifactor authentication implementation
B: An egress monitoring solution (DLP)
Typically, a discovery tool is a primary component of a DLP solution. All other options describe important facets of an overall organizational security program but are not especially helpful in e-discovery efforts.
You are the security manager for a software company that uses PaaS in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company.
If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with __________ as well as the lawsuit.
A. Spoliation
B. Fraud
C. Jurisdiction
D. Recompositing
A: Spoliation
“Spoliation” is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the ground for another lawsuit.
You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month.
Which law is applicable in this instance?
A. Belgian law
B. The General Data Protection Act
C. NIST SP 800-53
D. The Federal Information Systems Management Act
B: The General Data Protection Act
You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft.
The prosecutor can use the material you delivered because of __________.
A. The doctrine of plain view
B. The silver platter doctrine
C. The General Data Protection Act
D. The Federal Information System Management Act
B: The silver platter doctrine
The “silver platter doctrine” allows law enforcement to act on probable cause when evidence of a crime is within their presence; option A is incorrect.
You are the security manager for a retail sales company that uses a SaaS public cloud service. One of your employees uploads sensitive information they were NOT authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefitting the administrator and causing harm to your organization.
After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$ 125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation.
If the jury determines that 25 percent of the evidence shows that the situation was your organization’s fault and 75 percent of the evidence shows that the situation was the cloud provider’s fault, what is the likely outcome?
A. Your organization owes the cloud provider $31,250
B. The cloud provider owes your organization $93,750
C. Neither side owes the other party anything
D. The cloud provider owes your organization $125,000
D: The cloud provider owes your organization $125,000
Except in jurisdictions where contributory negligence is a factor in the proceedings, civil courts use a standard of “preponderance of evidence,” so the entity that has a simple majority of fault (51 percent or more) is responsible for the full weight of the breach.
What was the first international privacy standard specifically for cloud providers?
A. NIST SP 800-37
B. PIPEDA
C. PCI
D. ISO 27018
D: ISO 27018
ISO 27018 breaks down privacy requirements for cloud providers, including an annual audit mandate.
Who should perform the gap analysis following an audit?
A. The security office
B. The auditor
C. A department other than the audit target
D. An external audit body, other than the original auditor
C: A department other than the audit target
Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, where the personnel in the target department may be constrained by habit and tradition.
You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the CSA STAR program, the Uptime Institute’s Tier certification motif, and __________.
A. NIST Risk Management Framework (SP 800-37)
B. FedRAMP
C. ISO 27034
D. EuroCloud Star Audit program
D: EuroCloud Star Audit program
The ECSA is designed as a cloud service certification motif for organizations located in Europe.
NIST (which also administers FedRAMP) is designed specifically for federal agencies in the United States and is not applicable to European providers.
ISO 27034 deals with an organization’s use of security controls for software; while this may be pertinent to your organization, it is not a comprehensive view of cloud services and is not as beneficial or equivalent to the CSA STAR or Uptime Institute certification.
An audit against the __________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements.
A. SAS 70 standard
B. SSAE 16 standard
C. ISO 27002 certification criteria
D. NIST SP 800-53
C: ISO 27002 certification criteria
The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001.
The SAS 70 and SSAE 16 are audit standards for service providers and include review of some security controls but do not constitute a cohesive program review; also, the SAS 70 is outdated.
NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37.
You’re a sophomore at a small, private, medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?
A. Sarbanes-Oxley Act (SOX)
B. Health Information Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Educational Rights and Privacy Act (FERPA)
A: Sarbanes-Oxley Act (SOX)
In the United States, who manages the Safe Harbor / Privacy Shield program for voluntary compliance with EU data privacy laws?
A. Department of State
B. Department of Interior
C. Department of Trade
D. Department of Commerce
D: Department of Commerce
Which of the following countries does NOT have a federal privacy law that complies with the EU Data Directive/Privacy Regulations?
A. Argentina
B. Israel
C. Australia
D. Brazil
D: Brazil
Which of the following is NOT a way in which an entity located outside the EU can be allowed to gather / process privacy data belonging to EU citizens?
A. Be located in a country with a nationwide law that complies with the EU laws
B. Appeal to the EU High Court for permission
C. Create binding contractual language that complies with the EU laws
D. Join the Safe Harbor / Privacy Shield program in its own country
B: Appeal to the EU High Court for permission
The EU Data Protection Directive (95/46/EC), and since 2018 the General Data Protection Regulation (GDPR) that replaced it, restrict transfers of EU residents' personal data to entities in countries without adequate protection. An entity outside the EU can lawfully gather and process such data if one of the following applies:
Its own country has nationwide laws that the European Commission has recognized as adequate (an adequacy decision).
The entity adopts contractual safeguards that meet EU requirements: standard contractual clauses (SCCs) approved by the European Commission, or binding corporate rules (BCRs) approved by an EU supervisory authority.
The entity voluntarily subscribes to its own nation's Safe Harbor / Privacy Shield program (both were later invalidated by the Court of Justice of the EU; the current successor is the EU-U.S. Data Privacy Framework).
There is no process for an entity to petition an EU court for permission to process the data.
The Organization for Economic Cooperation and Development (OECD) is a multinational entity that creates non-binding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the __________.
A. Transient data principle
B. Security safeguards principle
C. Longtrack resiliency principle
D. Arbitrary insulation principle
B: Security safeguards principle
The OECD privacy guidelines (1980, revised 2013) list eight principles:
Collection limitation principle
Data quality principle
Purpose specification principle
Use limitation principle
Security safeguards principle
Openness principle
Individual participation principle
Accountability principle
Which one of the following technologies allows you to utilize your existing TCP / IP network to manage data storage elements using IP traffic?
A. Internet Small Computer System Interface (iSCSI)
B. Fibre Channel
C. Fibre Channel over Ethernet (FCoE)
D. Storage area networks (SAN)
A: Internet Small Computer System Interface (iSCSI)
iSCSI encapsulates SCSI commands in TCP/IP, so block storage can be reached over an ordinary Ethernet/IP network. Fibre Channel needs its own fabric, FCoE needs lossless Ethernet rather than routed IP, and a SAN is the storage network itself rather than a transport protocol.
The current American Institute of Certified Public Accountants (AICPA) attestation standard was created in reaction to what US federal law?
A. Gramm-Leach-Bliley Act (GLBA)
B. Sarbanes-Oxley Act (SOX)
C. Family Educational Rights and Privacy Act (FERPA)
D. Payment Card Industry Data Security Standards (PCI DSS)
B: Sarbanes-Oxley Act (SOX)
SSAE 16 was created by the AICPA in direct response to new guidance in SOX; it replaced SAS 70 as the basis for service-organization audits and has itself been superseded by SSAE 18 (2017), the standard under which SOC 1 reports are now issued.
What is the PRIMARY incident response goal?
A. Remediating the incident
B. Reverting to the last known good state
C. Determining the scope of the possible loss
D. Outcomes dictated by business requirements
D: Outcomes dictated by business requirements
Not an easy question: Different industries and different organizations will have different goals. Each organization will determine for itself what the primary goal of incident response will be, and this might differ from incident to incident, depending on the nature of the incident itself.
You are in charge of building a cloud data center. Which raised floor level is sufficient to meet standard requirements?
A. 10 inches
B. 8 inches
C. 18 inches
D. 2 feet
D: 2 feet
An event is something that can be measured within the environment. An incident is a(n) __________ event.
A. Deleterious
B. Negative
C. Unscheduled
D. Major
C: Unscheduled
All activity in the environment can be considered events. Any event that was not planned or known is an incident.
You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes.
Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which of the following functionalities will you consider absolutely essential?
A. DDoS protections
B. Constant data mirroring
C. Encryption
D. Hashing
C: Encryption
If your company is involved in e-commerce, it is almost impossible that you are not using credit cards for online transactions; ergo, PCI DSS applies and encryption or tokenization will be required.
You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes.
Your company has decided to expand its business to include selling and monitoring life-support equipment for medical providers. What characteristic do you need to ensure is offered by your cloud provider?
A. Full automation of security controls within the cloud data center
B. Tier 4 of the Uptime Institute certifications
C. Global remote access
D. Prevention of ransomware infections
B: Tier 4 of the Uptime Institute certifications
The changing nature of your business will require a much more stringent set of operating standards, to include an increase in Uptime Institute Tier levels; because you’re no longer just using the cloud for backup and long-term storage and are now using it in direct support of health and human safety, Tier 4 is required.
When designing a cloud data center, which of the following aspects is NOT necessary to ensure continuity of operations?
A. Access to clean water
B. Broadband data connection
C. Extended battery backup
D. Physical access to the data center
C: Extended battery backup
Backup power does not have to be delivered by batteries; it can be fed to the data center through redundant utility lines or from a generator. Batteries (the UPS) typically only bridge the seconds between a utility failure and the generator taking the load.
You are the security manager for a small surgical center. Your organization is reviewing upgrade options for its current, on-premises data center. In order to best meet your needs, which one of the following options would you recommend to senior management?
A. Building a completely new data center
B. Leasing a data center that is currently owned by another firm
C. Renting private cloud space in a Tier 2 data center
D. Staying with the current data center
A: Building a completely new data center
This answer is arrived at through a process of elimination:
B is not optimal because of potential for vendor lock-in, restrictions on buildout, and privacy concerns.
C is not optimal because Tier 2 is not sufficient for medical use.
D is not optimal because there must be a reason to consider a new option.
When building a new data center within an urban environment, which of the following is probably the MOST restrictive aspect?
A. The size of the plot
B. Utility availability
C. Staffing
D. Municipal codes
D: Municipal codes
In any large metropolitan area, government restrictions on development and construction can severely limit how you use your property; this can be a significant limiting factor in building a data center.
It is important to include __________ in the design of underfloor plenums that are also used for wiring.
A. Mantraps
B. Sequestered channels
C. Heat sinks
D. Tight gaskets
D: Tight gaskets
When cables come up through a raised floor that is being used as a cold air feed, we don’t want cold air bleeding around the cables in an unplanned manner; this can cause inefficiencies in air flow control. Gaskets are required at all points where cable comes through the floor, to restrict air flow and reduce the possibility of cold air escaping.
You are designing a private cloud data center for an insurance underwriter, to be located in a major metropolitan area. Which of the following airflow management schemes is preferable?
A. Hot aisle
B. Cold aisle
C. Either hot aisle or cold aisle
D. Free flow
C: Either hot aisle or cold aisle
Which of these characteristics of a virtualized network adds risks to the cloud environment?
A. Redundancy
B. Scalability
C. Pay-per-use
D. Self-service
A: Redundancy
Virtual switches are widely used in virtualized networks. Unlike a physical switch port, which loses only one host when its cable is unplugged, a virtual switch's physical uplink carries the traffic of many VMs; if that single cable is lost, tens or dozens of guests are affected at once.
Security best practices in a virtualized network environment would include which of the following?
A. Using distinct ports and port groups for various VLANs on a virtual switch rather than running them through the same port
B. Running iSCSI traffic unencrypted in order to have it observed and monitored by NIDS
C. Adding HIDS to all virtual guests
D. Hardening all outward-facing firewalls in order to make them resistant to attack
A: Using distinct ports and port groups for various VLANs on a virtual switch rather than running them through the same port
It’s possible to carry multiple VLANs through a single switch port (physical or virtual) with 802.1Q frame tagging (trunking). However, to maximize isolation between subnets and workloads in a virtual network environment, it is better to give each VLAN its own port or port group, so that a mis-tagged frame or a misconfigured trunk on one port cannot leak traffic into another segment.
Which of the following is a risk that stems from a pooled-resources environment?
A. They have plenty of revenue and can afford it
B. They are gravely concerned with insider threats
C. Loss of data to widespread insider threat
D. Loss of data to law enforcement seizure of neighboring assets
D: Loss of data to law enforcement seizure of neighboring assets
Modern managed cloud service providers will often use secure KVM devices within their data centers. These devices are extremely expensive compared to their non-secured counterparts. Which of the following is one of the reasons cloud service providers do this?
A. The risk of transferring data from one customer to another is significant
B. The risk of devices leaving the cloud data center is significant
C. It makes physical inventories much easier to maintain
D. Audit purposes
A: The risk of transferring data from one customer to another is significant
Secure KVMs support drastically isolated operations; they cut down on the possibility of data being inadvertently shared from one customer to another.
A truly airgapped machine selector will __________.
A. Terminate a connection before creating a new connection
B. Be made of composites and not metal
C. Have total Faraday properties
D. Not be portable
A: Terminate a connection before creating a new connection
Referred to as “break before make,” these devices often take the form of manual push-button controls; as the button is pushed, the current connection is forced to physically separate, and when the button is fully engaged, the new connection is made.
Which of the following cloud data center functions do NOT have to be performed on isolated networks?
A. Customer access provision
B. Management system control interface
C. Storage controller access
D. Customer production activities
D: Customer production activities
The production activities will make full use of pooled resources, so they will not be isolated (unless the customer is paying for that specific characteristic of service).
TLS uses __________ to authenticate a connection and create a shared secret for the duration of the session.
A. SAML 2.0
B. X.509 certificates
C. 802.11X
D. The Diffie-Hellman process
B: X.509 certificates
TLS uses X.509 certificates to authenticate the server (and, optionally, the client). The symmetric session key is then produced by the handshake's key exchange: RSA key transport in older versions, or ephemeral (EC) Diffie-Hellman, which is mandatory in TLS 1.3; the certificate's signature over the handshake is what binds that key exchange to the authenticated identity. The key lasts for only one session. The expected exam answer is B, but note that the shared secret itself comes from the key exchange, not from the certificate.
Halon is not illegal to use in existing installations, but its production has been outlawed. What is the reason it was outlawed?
A. It poses a threat to health and human safety when deployed
B. It can harm the environment
C. It does not adequately suppress fires
D. It causes undue damage to electronic systems
B: It can harm the environment
Halon does pose a threat to health and human safety at high concentrations; but it was outlawed because, as a bromine-containing halocarbon (often grouped with CFCs), it depletes stratospheric ozone, i.e., it harms the environment. Production was phased out under the Montreal Protocol (1994 in the US); existing systems may still be charged with recycled halon, which is why using it is not itself illegal.
Which of the following is NOT a goal of a site survey?
A. Threat definition
B. Human interaction
C. Electricity
D. HVAC
C: Electricity
Updating virtual machine management tools will require __________.
A. An infusion of capital
B. An alternate data center
C. Sufficient redundancy
D. Peer review
C: Sufficient redundancy
Because updating the virtualization toolset may require server downtime, it is essential to have a sufficient amount of redundant machines to roll out the update over the environment without significant disruption of operations.
Before deploying a specific brand of virtualization toolset, it is important to configure it according to __________.
A. Industry standards
B. Prevailing law of that jurisdiction
C. Vendor guidance
D. Expert opinion
C: Vendor guidance
Toolset vendors will specify secure configurations of their products; these must be followed in order to fulfill due care requirements.
Which of the following is essential for getting full security value from your system baseline?
A. Capturing and storing an image of the baseline
B. Keeping a copy of upcoming suggested modifications to the baseline
C. Having the baseline vetted by an objective third party
D. Using a baseline from another industry member so as not to engage in repetitious efforts
A: Capturing and storing an image of the baseline
An image of the baseline should be stored securely, preferably in more than one location. It is essential to have a copy on hand for reconstructing the environment during contingency operations, and it is also useful for audit / review purposes.
A loosely coupled storage cluster will have performance and capacity limitations based on the __________.
A. Physical backplane connecting it
B. Total number of nodes in the cluster
C. Amount of usage demanded
D. The performance and capacity in each node
D: The performance and capacity in each node
In a loosely coupled storage cluster, each node acts as an independent data store that can be added or removed from the cluster without affecting other nodes. This, however, means that the overall cluster’s performance / capacity depends on each node’s own maximum performance / capacity.
A honeypot can be used for all the following purposes EXCEPT __________.
A. Gathering threat intelligence
B. Luring attackers
C. Distracting attackers
D. Delaying attackers
B: Luring attackers
It is very important to distinguish the purpose of the honeypot: It is NOT for luring in attackers; a lure is an invitation, and inviting an attack decreases the organization's ability to have the attacker prosecuted or to conduct successful litigation against the attacker.
Which of the following should honeypots contain?
A. Inward-facing connections
B. Network schematics
C. Production data
D. Detection systems
D: Detection systems
The honeypot is used to gather information about the attacker, the attacker’s tools, and the attacker’s techniques.
When applying patches, it is necessary to do all of the following EXCEPT __________.
A. Test the patch in a sandbox that simulates the production environment
B. Put the patch through the formal change management process
C. Be prepared to roll back to the last known good build
D. Inform users of any impact / interruptions
B: Put the patch through the formal change management process
In many cases, patches are released to deal with an imminent vulnerability / risk. Some organizations will give blanket pre-approval for applying these patches and having the formal change management process approve the patch after the fact.
Which of the following aspects of a cloud environment is MOST likely to add risk to the patch management process?
A. Variations in user training / familiarity with the cloud
B. A cloud services contract that specifies which parties are responsible for which aspects of patching
C. VMs located physically in one location but operating in a different time zone
D. The prevalence of attacker activity at the time the patch is applied
C: VMs located physically in one location but operating in a different time zone
If patches are rolled out across an environment where users are operating VMs at different times, there is a possibility that VMs will not be patched uniformly, which could lead to data disruption.
Synthetic performance monitoring may be preferable to real user monitoring (RUM) because __________.
A. It costs less.
B. It is a more accurate depiction of user behavior.
C. It is more comprehensive.
D. It can take place in the cloud.
C: It is more comprehensive
Synthetic agents can simulate user activity in a much faster, much broader, manner than real users; and, the agents perform these actions 24/7 without rest.
Synthetic or directed monitoring is a method to monitor your applications by simulating users – directing the path taken through the application.
You are the security manager for an organization with a cloud-based production environment. You are tasked with setting up the event monitoring and logging systems. In your jurisdiction, private entities are allowed to monitor all activity involving their systems, without exception. Which of the following best describes a logging motif you would recommend?
A. Logging every event, at all levels of granularity, including continual screen shots, keystroke logging, and browser history.
B. Sufficient logging to reconstruct a narrative of events at some later date
C. Only logging data related to incidents after they have occurred
D. Logging specific data sets recommended by industry standards and guidelines
B: Sufficient logging to reconstruct a narrative of events at some later date
Logging should suffice for the purpose of reconstructing the pertinent information (who, what, where, when, etc.) necessary to form a narrative of what transpired.
Which of these subsystems is probably MOST important for acquiring useful log information?
A. Fan
B. RAM
C. Clock
D. UPS
C: Clock
The clock needs to be synchronized throughout the environment (for example, with NTP against a common source, and with events recorded in UTC or with an explicit offset) so that all activity can be contextualized and mapped and the true narrative of events can be reconstructed later.
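As an added example, not part of the flashcards: a small timeline builder that turns the "sufficient logging to reconstruct a narrative" and "clock" cards into code. It takes constructed sample log lines from three fictional hosts that stamp events in different zones (an HQ host in Hong Kong at UTC+08:00, a cloud backup host logging in UTC, and a laptop in New York at UTC-05:00), normalizes every timestamp to UTC before sorting, and flags a line whose clock is unusable because it carries no offset. The hosts, users, addresses and messages are all invented.

```python
"""Reconstruct an event narrative from logs stamped in different time zones.

Added example (not from the flashcards). Every line is
'<ISO 8601 timestamp> <host> <message>'. Lines whose timestamp carries a
UTC offset are converted to UTC and ordered; lines with a naive timestamp
(no offset) cannot be placed on the shared timeline and are reported
separately, because their clock reference is unknown.
"""
import re
from datetime import datetime, timezone

# Constructed sample data for a fictional e-commerce shop; hosts, users,
# addresses and objects are invented.
SAMPLE_LOGS = [
    "2024-03-04T09:02:11+08:00 hq-app01 login ok user=alice src=203.0.113.7",
    "2024-03-04T01:03:40+00:00 cloud-bkp01 archive download user=alice object=payroll-2023.tar.gz",
    "2024-03-03T20:01:05-05:00 ny-laptop vpn connect user=alice",
    "2024-03-04T09:05:30+08:00 hq-app01 privilege change user=alice role=admin",
    # Legacy host logging local wall-clock time with no offset: unusable as-is.
    "2024-03-04 01:04:00 legacy-db01 export table=customers rows=48213",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2})?)"
    r"\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Return (datetime or None, host, msg). The datetime is None when the
    timestamp has no UTC offset, i.e. its clock reference is unknown."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m.group("ts"))
    if ts.tzinfo is None:
        return None, m.group("host"), m.group("msg")
    return ts.astimezone(timezone.utc), m.group("host"), m.group("msg")


def build_timeline(lines):
    """Return (timeline, unanchored).

    timeline: list of (utc_iso, host, msg) sorted by true UTC instant.
    unanchored: raw lines that could not be placed because their
    timestamps carry no offset; these need the host's zone and clock
    skew established before they can be merged.
    """
    placed, unanchored = [], []
    for line in lines:
        ts, host, msg = parse_line(line)
        if ts is None:
            unanchored.append(line)
        else:
            placed.append((ts, host, msg))
    placed.sort(key=lambda e: e[0])
    return [(ts.isoformat(), host, msg) for ts, host, msg in placed], unanchored


def raw_order(lines):
    """Hosts in the order a naive text sort of the printed timestamps gives.
    Included only to show why sorting without normalizing is wrong."""
    return [parse_line(line)[1] for line in sorted(lines)]


if __name__ == "__main__":
    timeline, unanchored = build_timeline(SAMPLE_LOGS)
    for utc_iso, host, msg in timeline:
        print(f"{utc_iso} {host:12} {msg}")
    for line in unanchored:
        print(f"UNANCHORED (no offset, cannot place): {line}")
    print("text-sorted host order:", raw_order(SAMPLE_LOGS))
```

Sorted as printed text, the archive download on the cloud host appears before the login at HQ, which suggests an unauthenticated download; normalized to UTC, the order is VPN connect, login, download, privilege change, a very different story. The legacy host's line cannot be merged until its zone and clock offset are established, which is exactly the gap that synchronized clocks and offset-bearing timestamps close.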
You are the security officer for a small nonprofit organization. You are tasked with performing a risk assessment for your organization; you have one month to complete it. The IT personnel you work with have been with the organization for many years and have built the systems and infrastructure from the ground up. They have little training and experience in the field of risk. Which type of risk assessment would you choose to conduct?
A. Quantitative
B. Qualitative
C. Pro forma
D. Informal
B: Qualitative
Qualitative risk assessments are preferable in situations where the organization has personnel who understand the IT environment but might not have a lot of experience with risk functions and where the organization does not have a great deal of time or money to spend on the project.
Which of the following will likely BEST help you predict the annualized rate of occurrence (ARO) of a specific loss?
A. Threat intelligence data
B. Historical data
C. Vulnerability data
D. Aggregation analysis
B: Historical data
While previous activity is not a great predictor of future outcomes (especially in the field of IT security), it is the best that we have.
You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which costs $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month. In order to establish the true annualized loss expectancy (ALE), you would need all the following information EXCEPT __________.
A. The amount of revenue generated by the plant
B. The rate at which the plant generates revenue
C. The length of time it would take to rebuild the plant
D. The amount of product the plant creates
D: The amount of product the plant creates
Which comes first?
A. Accreditation
B. Operation
C. Maintenance
D. Certification
D: Certification
Certification and accreditation is a two-step process for security management / risk management of systems:
Step 1, Certification is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system; this process ensures that security threats are identified and plans for mitigation are in place.
Step 2, Accreditation is the process of accepting the residual risks associated with the continued operation of a system (net mitigation actions taken) and granting approval to operate the system for a specified period of time.
Symmetric encryption involves ___________.
A. Two key pairs, mathematically related
B. Unknown parties, sharing information
C. Signed certificates
D. A shared secret
D: A shared secret
In symmetric encryption, a single key is used to both encrypt and decrypt a message – this is often referred to as a shared secret.
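As an added example serving both the TLS card (X.509 certificates authenticate; the key exchange produces the session secret) and this symmetric-encryption card, the following code is not from the flashcards and does not reproduce any real TLS implementation. Two parties run ephemeral finite-field Diffie-Hellman over the RFC 3526 2048-bit MODP group (group 14; the prime is transcribed here and the block checks that it is a safe prime), derive one session key with HKDF-SHA256, and then use that single key to both encrypt and decrypt. The stream cipher is a deliberately simple HMAC-SHA256 counter-mode keystream chosen to keep the block standard-library only; it is an illustration of "one shared key, both directions", not a production cipher (TLS uses AES-GCM or ChaCha20-Poly1305). The exchange is unauthenticated: the step TLS adds, the server signing its key share with the private key behind its X.509 certificate, is the part this example omits.

```python
"""Ephemeral Diffie-Hellman session key, then symmetric use of that key.

Added example, not from the flashcards. Standard library only.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (transcribed from the
# RFC; is_safe_prime(P) lets the reader confirm the transcription).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """A safe prime p = 2q + 1 with q prime: the group has no small subgroups
    beyond {1, p-1}, so rejecting those two shares suffices."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


class DHParty:
    """One side of an ephemeral DH exchange (fresh private exponent per session)."""

    def __init__(self):
        # 320-bit exponent: within the size range RFC 3526 recommends for
        # this group, and far cheaper than a full 2048-bit exponent.
        self._x = secrets.randbits(320) + 2
        self.public = pow(G, self._x, P)

    def shared_secret(self, peer_public):
        # Reject degenerate shares (0, 1, p-1, out of range): these force the
        # shared value into a trivial subgroup regardless of our exponent.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self._x, P).to_bytes(256, "big")


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_session_key(shared, transcript):
    """Bind the key to this handshake's public values, as TLS binds keys to
    its transcript; different handshakes never yield the same key."""
    return hkdf_sha256(shared, b"\x00" * 32, b"demo session key|" + transcript, 32)


def keystream_xor(key, nonce, data):
    """Toy stream construction: HMAC-SHA256(key, nonce||block counter) XOR data.
    Same function encrypts and decrypts, which is the point of a shared secret.
    Illustration only: no integrity protection, never reuse a nonce per key."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def run_handshake():
    """Return (client_key, server_key); both sides compute the key independently."""
    client, server = DHParty(), DHParty()
    transcript = client.public.to_bytes(256, "big") + server.public.to_bytes(256, "big")
    client_key = derive_session_key(client.shared_secret(server.public), transcript)
    server_key = derive_session_key(server.shared_secret(client.public), transcript)
    return client_key, server_key


def demo(message=b"order 4711 shipped to Kowloon"):
    """Encrypt with the client's copy of the key, decrypt with the server's."""
    client_key, server_key = run_handshake()
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(client_key, nonce, message)
    return client_key == server_key, keystream_xor(server_key, nonce, ciphertext) == message


if __name__ == "__main__":
    print("group 14 prime is a safe prime:", is_safe_prime(P))
    print("keys match, round trip ok:", demo())
```

Two separate calls to run_handshake() produce unrelated keys, which is the property the card describes (a secret that lasts for only one session) and, because the exponents are discarded, what gives forward secrecy in TLS. Without a signature over the public values, an active attacker could substitute their own share on each side; that signature, made with the key the X.509 certificate vouches for, is the authentication half of the TLS answer.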
According to ISO 27034, there is one Organizational Normative Framework (ONF) in the organization, and __________ Application Normative Framework (ANF(s)) for each application within the organization.
A. Many
B. Three
C. No
D. One
D: One
Which of the following is an informal industry term for moving applications from a legacy environment into the cloud?
A. Instantiation
B. Porting
C. Grandslamming
D. Forklifting
D: Forklifting
In the testing phase of the software development life cycle (SDLC), software performance and __________ should both be reviewed.
A. Quality
B. Brevity
C. Requirements
D. Security
D: Security
Performance and security both need to be reviewed for adequacy.
Which phase of the SDLC is most likely to involve crypto-shredding?
A. Define
B. Design
C. Test
D. Disposal
D: Disposal
Crypto-shredding destroys the keys that encrypted the data, rendering the ciphertext unrecoverable wherever copies remain; it is a sanitization technique applied when data or a system is retired.