CHAPTER 7
Practice Exam 1

  1. You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.

    What is the term for this kind of arrangement?

    1. Public-key infrastructure (PKI)
    2. Portability
    3. Federation
    4. Repudiation

  2. You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.

    You want to connect your organization to 13 other organizations. You consider using the cross-certification model but then decide against it. What is the most likely reason for declining that option?

    1. It is impossible to trust more than two organizations.
    2. If you work for the government, the maximum parties allowed to share data is five.
    3. Trying to maintain currency in reviewing and approving the security governance and configurations of that many entities would create an overwhelming task.
    4. Data shared among that many entities loses its inherent value.

  3. You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.

    In order to pass the user IDs and authenticating credentials of each user among the organizations, what protocol, language, or technique will you most likely utilize?

    1. Representational State Transfer (REST)
    2. Security Assertion Markup Language (SAML)
    3. Simple Object Access Protocol (SOAP)
    4. Hypertext Markup Language (HTML)

  4. You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.

    If you don’t use cross-certification, what other model can you implement for this purpose?

    1. Third-party identity broker
    2. Cloud reseller
    3. Intractable nuanced variance
    4. Mandatory access control (MAC)

  5. You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.

    If you are in the United States, one of the standards you should adhere to is _______________.

    1. National Institute of Standards and Technology (NIST) 800-53
    2. Payment Card Industry (PCI)
    3. ISO 27014
    4. European Union Agency for Network and Information Security (ENISA)

  6. You work for a government research facility. Your organization often shares data with other government research organizations. You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations. Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization’s specific storage resources.

    If you are in Canada, one of the standards you will have to adhere to is _______________.

    1. FIPS 140-2
    2. PIPEDA
    3. HIPAA
    4. EFTA

  7. You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.

    Which of the following benefits will the CSA CCM offer your organization?

    1. Simplifying regulatory compliance
    2. Collecting multiple data streams from your log files
    3. Ensuring that the baseline configuration is applied to all systems
    4. Enforcing contract terms between your organization and the cloud provider

  8. You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.

    Which of the following regulatory frameworks is not covered by the CCM?

    1. ISACA’s Control Objectives for Information and Related Technologies (COBIT)
    2. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) privacy law
    3. The ALL-TRUST framework from the environmental industry
    4. The U.S. Federal Risk and Authorization Management Program (FedRAMP)

  9. You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.

    Which tool, also available from the CSA, can be used in conjunction with the CCM to aid you in selecting and applying the proper controls to meet your organization’s regulatory needs?

    1. The Consensus Assessments Initiative Questionnaire (CAIQ)
    2. The Open Web Application Security Project (OWASP) Top Ten
    3. The Critical Security Controls (CSC) list
    4. National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2

  10. You are the security policy lead for your organization, which is considering migrating from your on-premises, traditional IT environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.

    What is probably the best benefit offered by the CCM?

    1. The low cost of the tool
    2. Allowing your organization to leverage existing controls across multiple frameworks so as not to duplicate effort
    3. Simplicity of control selection from the list of approved choices
    4. Ease of implementation by choosing controls from the list of qualified vendors

  11. You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective is set up in such a way that the members own various pieces of the network themselves, pool resources and data, and communicate and share files via the Internet. This is an example of what cloud model?

    1. Hydrogenous
    2. Private
    3. Public
    4. Community

  12. You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective wants to create a single sign-on experience for all members of the collective, where assurance and trust in the various members are created by having each member review all the others’ policies, governance, procedures, and controls before allowing them to participate. This is an example of what kind of arrangement?

    1. Security Assertion Markup Language (SAML)
    2. Cross-certification federation
    3. Third-party certification federation
    4. JavaScript Object Notation (JSON)

  13. You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. Your collective exchanges music files in two forms: images of written sheet music and electronic copies of recordings. Both of these are protected by what intellectual property legal construct?

    1. Trademark
    2. Copyright
    3. Patent
    4. Trade secret

  14. You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. If you create a federated identity management structure for all the participants in the collective using a third-party certification model, who would be the federated service provider(s) in that structure?

    1. The third party
    2. A cloud access security broker (CASB)
    3. The various members of the collective
    4. The cloud provider

  15. You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. You are fairly certain the complaint is not applicable and that the material in question does not belong to anyone else. What should you do in order to comply with the law?

    1. Take the material down, do an investigation, and then repost the material if the claim turns out to be unfounded.
    2. Leave the material up, do an investigation, and post the results of the investigation alongside the material itself once the investigation is complete.
    3. Ignore the complaint.
    4. Leave the material up until such time as the complainant delivers an enforceable governmental request, such as a warrant or subpoena.

  16. You are the IT security subject matter expert for a hobbyist collective that researches and archives old music. You receive a Digital Millennium Copyright Act (DMCA) takedown notice from someone who claims that your collective is hosting music that does not belong to you. Upon investigation, you determine that the material in question is the sheet music for a concerto written in 1872. What should you do in order to comply with the law?

    1. Contact the current owners of the copyright in order to get proper permissions to host and exchange the data.
    2. Nothing. The material is so old it is in the public domain, and you have as much right as anyone else to use it in any way you see fit.
    3. Apply for a new copyright based on the new usage of the material.
    4. Offer to pay the complainant for the usage of the material.

  17. Bob is designing a data center to support his organization, a financial services firm. What Uptime Institute tier rating should Bob try to attain in order to meet his company’s needs without adding extraneous costs?

    1. 1
    2. 2
    3. 3
    4. 4

  18. Bob is designing a data center to support his organization, a financial services firm. Bob’s data center will have to be approved by regulators using a framework under which law?

    1. Health Industry Portability and Accountability Act (HIPPA)
    2. Payment Card Industry (PCI)
    3. Gramm–Leach–Bliley Act (GLBA)
    4. Sarbanes–Oxley Act (SOX)

  19. Bob is designing a data center to support his organization, a financial services firm. Which of the following actions would best enhance Bob’s efforts to create redundancy and resiliency in the data center?

    1. Ensure that all entrances are secured with biometric-based locks.
    2. Purchase uninterruptible power supplies (UPSs) from different vendors.
    3. Include financial background checks in all personnel reviews for administrators.
    4. Make sure all raised floors have at least 24 inches of clearance.

  20. Bob is designing a data center to support his organization, a financial services firm. How long should the uninterruptible power supply (UPS) provide power to the systems in the data center?

    1. 12 hours
    2. An hour
    3. 10 minutes
    4. Long enough to perform graceful shutdown of the data center systems

  21. You are the IT security manager for a video game software development company. For your company, minimizing security flaws in the delivered product is probably a _______________.

    1. Functional requirement
    2. Nonfunctional requirement
    3. Regulatory issue
    4. Third-party function

  22. You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. This is an example of _______________.

    1. Static testing
    2. Dynamic testing
    3. Code review
    4. Open source review

  23. You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. To optimize this situation, the test will need to involve _______________.

    1. Management oversight
    2. A database administrator
    3. A trained moderator
    4. Members of the security team

  24. You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Of the parties listed, who should most be excluded from the test?

    1. Management
    2. Security personnel
    3. Billing department representatives
    4. The game developers

  25. You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. It is absolutely crucial to include _______________ as part of this process.

    1. Managerial oversight
    2. Signed nondisclosure agreements
    3. Health benefits
    4. The programming team

  26. You are the IT security manager for a video game software development company. Which of the following is most likely to be your primary concern on a daily basis?

    1. Health and human safety
    2. Security flaws in your products
    3. Security flaws in your organization
    4. Regulatory compliance

  27. You are the IT security manager for a video game software development company. Which type of intellectual property protection will your company likely rely upon for legally enforcing your rights?

    1. Trademark
    2. Patent
    3. Copyright
    4. Trade secret

  28. You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Results gathered from this activity are _______________.

    1. Useless
    2. Harmful
    3. Desirable
    4. Illegal

  29. You are the IT security manager for a video game software development company. In order to test your products for security defects and performance issues, your firm decides to use a small team of game testers recruited from a public pool of interested gamers who apply for a chance to take part. Gamers are notorious for attempting to perform actions that were never anticipated or intended by the programmers. Trying to replicate this phenomenon in a testbed environment with internal testing mechanisms is called _______________.

    1. Source code review
    2. Deep testing
    3. Fuzz testing
    4. White-box testing

  30. You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following methods could be used to determine if your ownership rights were violated?

    1. Physical surveillance of their property and personnel
    2. Communications tapping of their offices
    3. Code signing
    4. Subverting insiders

  31. You are the IT security manager for a video game software development company. Your development team hired an external game development lab to work on part of the game engine. A few weeks before the initial release of your game, the company that owns the lab publishes a strikingly similar game, with many of the features and elements that appear in your work. Which of the following legal methods are you likely able to exercise to defend your rights?

    1. Criminal prosecution
    2. Public hearings
    3. Civil court
    4. Arrest and detention

  32. You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You suggest that a(n) _______________ service model will best meet this requirement.

    1. IaaS
    2. PaaS
    3. SaaS
    4. TaaS

  33. You are the IT security manager for a video game software development company. In order to test the functionality of online multiplayer game content, your testing team wants to use a cloud service independent from the internal production environment. You remind them that it is absolutely crucial that they perform _______________ before including any sample player or billing data.

    1. Vulnerability scans
    2. Intrusion detection
    3. Masking
    4. Malware scans

  34. Which of the following is not an essential element defining cloud computing?

    1. Broad network access
    2. Metered service
    3. Off-site storage
    4. On-demand self-service

  35. Which of the following is not an essential element defining cloud computing?

    1. Rapid elasticity
    2. Pooled resources
    3. On-demand self-service
    4. Immediate customer support

  36. In what cloud computing service model is the customer responsible for installing and maintaining the operating system?

    1. IaaS
    2. PaaS
    3. SaaS
    4. QaaS

  37. Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contract) for ending the contract at any point prior to the scheduled date. This is best described as an example of _______________.

    1. Favorable contract terms
    2. Strong negotiation
    3. Infrastructure as a service (IaaS)
    4. Vendor lock-in

  38. There are two general types of smoke detectors. Which type uses a small portion of radioactive material?

    1. Photoelectric
    2. Ionization
    3. Electron pulse
    4. Integral field

  39. You are the privacy data officer for a large hospital and trauma center. You are called on to give your opinion of the hospital’s plans to migrate all IT functions to a cloud service. Which of the following Uptime Institute tier-level ratings would you insist be included for any data center offered by potential providers?

    1. 1
    2. 2
    3. 3
    4. 4

  40. What is the most important factor when considering the lowest temperature setting within a data center?

    1. System performance
    2. Health and human safety
    3. Risk of fire
    4. Regulatory issues

  41. Storage controllers will typically be involved with each of the following storage protocols except _______________.

    1. Internet Small Computer Systems Interface (iSCSI)
    2. RAID
    3. Fibre Channel
    4. Fibre Channel over Ethernet

  42. When you’re using a storage protocol that involves a storage controller, it is very important that the controller be configured in accordance with _______________.

    1. Internal guidance
    2. Industry standards
    3. Vendor guidance
    4. Regulatory dictates

  43. What is the importance of adhering to vendor guidance in configuration settings?

    1. Conforming with federal law
    2. Demonstrating due diligence
    3. Staying one step ahead of aggressors
    4. Maintaining customer satisfaction

  44. Which of the following is a true statement about the virtualization management toolset?

    1. It can be regarded as something public facing.
    2. It must be on a distinct, isolated management network (virtual local area network [VLAN]).
    3. It connects physically to the specific storage area allocated to a given customer.
    4. The responsibility for securely installing and updating it falls on the customer.

  45. In order to ensure proper _______________ in a secure cloud network environment, consider the use of Domain Name System Security Extensions (DNSSEC), Internet Protocol Security (IPSec), and Transport Layer Security (TLS).

    1. Isolation
    2. Motif
    3. Multitenancy
    4. Signal modulation

  46. Domain Name System Security Extensions (DNSSEC) provides all of the following except _______________.

    1. Payload encryption
    2. Origin authority
    3. Data integrity
    4. Authenticated denial of existence

  47. All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________.

    1. Updating the OS baseline image according to a scheduled interval to include any necessary security patches and configuration modifications
    2. Starting with a clean installation (hardware or virtual) of the desired OS
    3. Including only the default account credentials and nothing customized
    4. Halting or removing all unnecessary services

  48. All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except _______________.

    1. Removing all nonessential programs from the baseline image
    2. Excluding the target system you intend to baseline from any scheduled updates or patching used in production systems
    3. Including the baseline image in the asset inventory and configuration management database
    4. Configuring the host OS according to the baseline requirements

  49. All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline, except _______________.

    1. Auditing the baseline to ensure that all configuration items have been included and applied correctly
    2. Imposing the baseline throughout the environment
    3. Capturing an image of the baseline system for future reference, versioning, and rollback purposes
    4. Documenting all baseline configuration elements and versioning data

  50. You are the IT director for a small contracting firm. Your company is considering migrating to a cloud production environment. Which service model would best fit your needs if you wanted an option that reduced the chance of vendor lock-in but also did not require the highest degree of administration by your own personnel?

    1. IaaS
    2. PaaS
    3. SaaS
    4. TanstaafL

  51. You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration and will return to operating fully on-premises after the period of increased activity. This is an example of _______________.

    1. Cloud framing
    2. Cloud enhancement
    3. Cloud fragility
    4. Cloud bursting

  52. You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which facet of cloud computing is most important for making this possible?

    1. Broad network access
    2. Rapid elasticity
    3. Metered service
    4. Resource pooling

  53. You are the data manager for a retail company; you anticipate a much higher volume of sales activity in the final quarter of each calendar year than the other quarters. In order to handle these increased transactions, and to accommodate the temporary sales personnel you will hire for only that time period, you consider augmenting your internal, on-premises production environment with a cloud capability for a specific duration, and will return to operating fully on-premises after the period of increased activity. Which deployment model best describes this type of arrangement?

    1. Private cloud
    2. Community cloud
    3. Public cloud
    4. Hybrid cloud

  54. You are the security manager for a research and development firm. Your company does contract work for a number of highly sensitive industries, including aerospace and pharmaceuticals.

    Your company’s senior management is considering cloud migration and wants an option that is highly secure but still offers some of the flexibility and reduced overhead of the cloud. Which of the following deployment models do you recommend?

    1. Private cloud
    2. Community cloud
    3. Public cloud
    4. Hybrid cloud

  55. You are the IT director for a small engineering services company. During the last year, one of your managing partners left the firm, and you lost several large customers, creating a cash flow problem. The remaining partners are looking to use a cloud environment as a means of drastically and quickly cutting costs, migrating away from the expense of operating an internal network.

    Which cloud deployment model would you suggest to best meet their needs?

    1. Private cloud
    2. Community cloud
    3. Public cloud
    4. Hybrid cloud

  56. You run an online club for antique piano enthusiasts. In order to better share photo files and other data online, you want to establish a cloud-based environment where all your members can connect their own devices and files to each other, at their discretion. You do not want to centralize payment for such services as Internet service provider (ISP) connectivity, and you want to leave that up to the members.

    Which cloud deployment model would best suit your needs?

    1. Private cloud
    2. Community cloud
    3. Public cloud
    4. Hybrid cloud

  57. Full isolation of user activity, processes, and virtual network segments in a cloud environment is incredibly important because of risks due to _______________.

    1. Distributed denial of service (DDoS)
    2. Unencrypted packets
    3. Multitenancy
    4. Insider threat

  58. You are the security manager for a small European appliance rental company. The senior management of your company is considering cloud migration for the production environment, which handles marketing, billing, and logistics.

    Which cloud deployment model should you be most likely to recommend?

    1. Private cloud
    2. Community cloud
    3. Public cloud
    4. Hybrid cloud

  59. You are the security manager for a data analysis company. Your senior management is considering a cloud migration in order to use the greater capabilities of a cloud provider to perform calculations and computations. Your company wants to ensure that neither the contractual nor the technical setup of the cloud service will affect your data sets in any way so that you are not locked in to a single provider.

    Which of the following criteria will probably be most crucial for your choice of cloud providers?

    1. Portability
    2. Interoperability
    3. Resiliency
    4. Governance

  60. Migrating to a cloud environment will reduce an organization’s dependence on _______________.

    1. Capital expenditures for IT
    2. Operational expenditures for IT
    3. Data-driven workflows
    4. Customer satisfaction

  61. Firewalls, DLP (data loss prevention or data leak protection) and digital rights management (DRM) solutions, and security information and event management (SIEM) products are all examples of _______________ controls.

    1. Technical
    2. Administrative
    3. Physical
    4. Competing

  62. Fiber-optic lines are considered part of Layer _______________ of the Open Systems Interconnection (OSI) model.

    1. 1
    2. 3
    3. 5
    4. 7

  63. It is probably fair to assume that software as a service (SaaS) functions take place at Layer _______________ of the OSI model.

    1. 1
    2. 3
    3. 5
    4. 7

  64. Because of the nature of the cloud, all access is remote access. One of the preferred technologies employed for secure remote access is _______________.

    1. VPN
    2. HTML
    3. DEED
    4. DNS

  65. You are the security manager for a small retailer engaged in e-commerce. A large part of your sales is transacted through the use of credit and debit cards.

    You have determined that the costs of maintaining an encrypted storage capability in order to meet compliance requirements are prohibitive. What other technology can you use instead to meet those regulatory needs?

    1. Obfuscation
    2. Masking
    3. Tokenization
    4. Hashing

  66. Which of the following mechanisms cannot be used by a data loss prevention or data leak protection (DLP) solution to sort data?

    1. Labels
    2. Metadata
    3. Content strings
    4. Inverse signifiers

  67. You are the security manager for an online marketing company. Your company has recently migrated to a cloud production environment and has deployed a number of new cloud-based protection mechanisms offered by both third parties and the cloud provider, including data loss prevention or data leak protection (DLP) and security information and event management (SIEM) solutions.

    After one week of operation, your security team reports an inordinate amount of time responding to potential incidents that have turned out to only be false-positive reports. Management is concerned that the cloud migration was a bad idea and that it is too costly in terms of misspent security efforts. What do you recommend?

    1. Change the control set so that you use only security products not offered by the cloud provider.
    2. Change the control set so that you use only security products offered by the cloud provider.
    3. Wait three weeks before making a final decision.
    4. Move back to an on-premises environment as soon as possible to avoid additional wasted funds and effort.

  68. In a cloud context, who determines the risk appetite of your organization?

    1. The cloud provider
    2. Your Internet service provider (ISP)
    3. Federal regulators
    4. Senior management

  69. You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes.

    Which of the following traits of cloud functionality is probably the most crucial in terms of deciding which cloud provider you will choose?

    1. Portability
    2. Interoperability
    3. Resiliency
    4. Governance

  70. You are the security manager for a small application development company. Your company is considering the use of the cloud for software testing purposes. Which cloud service model is most likely to suit your needs?

    1. IaaS
    2. PaaS
    3. SaaS
    4. LaaS

  71. ISO 31000 is most similar to which of the following regulations, standards, guidelines, and frameworks?

    1. NIST 800-37
    2. COBIT
    3. ITIL
    4. GDPR

  72. Which of the following entities publishes a cloud-centric set of risk-benefit recommendations that includes a “Top 8” list of security risks an organization might face during a cloud migration, based on likelihood and impact?

    1. National Institute of Standards and Technology (NIST)
    2. International Organization for Standardization (ISO)
    3. European Union Agency for Network and Information Security (ENISA)
    4. Payment Card Industry (PCI)

  73. Which standards body depends heavily on contributions and input from its open membership base?

    1. National Institute of Standards and Technology (NIST)
    2. International Organization for Standardization (ISO)
    3. Internet Corporation for Assigned Names and Numbers (ICANN)
    4. Cloud Security Alliance (CSA)

  74. In regard to most privacy guidance, the data subject is _______________.

    1. The individual described by the privacy data
    2. The entity that collects or creates the privacy data
    3. The entity that uses privacy data on behalf of the controller
    4. The entity that regulates privacy data

  75. In regard to most privacy guidance, the data controller is _______________.

    1. The individual described by the privacy data
    2. The entity that collects or creates the privacy data
    3. The entity that uses privacy data on behalf of the controller
    4. The entity that regulates privacy data

  76. In regard to most privacy guidance, the data processor is _______________.

    1. The individual described by the privacy data
    2. The entity that collects or creates the privacy data
    3. The entity that uses privacy data on behalf of the controller
    4. The entity that regulates privacy data

  77. In most privacy-regulation situations, which entity is most responsible for deciding how a particular privacy-related data set will be used or processed?

    1. The data subject
    2. The data controller
    3. The data steward
    4. The data custodian

  78. In most privacy-regulation situations, which entity is most responsible for the day-to-day maintenance and security of a privacy-related data set?

    1. The data subject
    2. The data controller
    3. The data steward
    4. The data custodian

  79. You are the compliance officer for a medical device manufacturing firm. Your company maintains a cloud-based list of patients currently fitted with your devices for long-term care and quality assurance purposes. The list is maintained in a database that cross-references details about the hardware and some billing data.

    In this situation, who is likely to be considered the data custodian, under many privacy regulations and laws?

    1. You (the compliance officer)
    2. The cloud provider’s network security team
    3. Your company
    4. The database administrator

  80. Which of the following is probably least suited for inclusion in the service-level agreement (SLA) between a cloud customer and cloud provider?

    1. Bandwidth
    2. Jurisdiction
    3. Storage space
    4. Availability

  81. Which of the following items, included in the contract between a cloud customer and cloud provider, can best aid in reducing vendor lock-in?

    1. Data format type and structure
    2. Availability
    3. Storage space
    4. List of available OSs

  82. Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the service-level agreement (SLA)?

    1. Regulatory oversight
    2. Financial penalties
    3. Performance details
    4. Desire to maintain customer satisfaction

  83. Which of the following contract terms most incentivizes the cloud customer to meet the requirements listed in the contract?

    1. Financial penalties
    2. Regulatory oversight
    3. Suspension of service
    4. Media attention

  84. Which of the following is not a reason for conducting audits?

    1. Regulatory compliance
    2. Enhanced user experience
    3. Determination of service quality
    4. Security assurance

  85. Which of the following is a tool that can be used to perform security control audits?

    1. Federal Information Processing Standard (FIPS) 140-2
    2. General Data Protection Regulation (GDPR)
    3. ISO 27001
    4. Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

  86. Which of the following dictates the requirements for U.S. federal agencies operating in a cloud environment?

    1. ISO 27002
    2. NIST SP 800-37
    3. ENISA
    4. FedRAMP

  87. Which of the following common aspects of cloud computing can aid in audit efforts?

    1. Scalability
    2. Virtualization
    3. Multitenancy
    4. Metered self-service

  88. Which of the following does not typically represent a means for enhanced authentication?

    1. Challenge questions
    2. Variable keystrokes
    3. Out-of-band identity confirmation
    4. Dynamic end-user knowledge

  89. Which of the following is not a common identity federation standard?

    1. WS-Federation
    2. OpenID
    3. OISame
    4. Security Assertion Markup Language (SAML)

  90. Multifactor authentication typically includes two or more of the following elements except _______________.

    1. What you know
    2. Who you know
    3. What you are
    4. What you have

  91. Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

    1. Multitenancy
    2. Pooled resources
    3. Virtualization
    4. Remote access

  92. Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

    1. Rapid elasticity
    2. Online collaboration
    3. Support of common regulatory frameworks
    4. Attention to customer service

  93. Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

    1. On-demand self-service
    2. Pooled resources
    3. Virtualization
    4. The control plane

  94. What functional process can aid business continuity and disaster recovery (BC/DR) efforts?

    1. The software development lifecycle (SDLC)
    2. Data classification
    3. Honeypots
    4. Identity management

  95. Which common security tool can aid in the overall business continuity and disaster recovery (BC/DR) process?

    1. Honeypots
    2. Data loss prevention or data leak protection (DLP)
    3. Security information and event management (SIEM)
    4. Firewalls

  96. Which of the following aspects of cloud computing can enhance the customer’s business continuity and disaster recovery (BC/DR) efforts?

    1. Geographical separation of data centers
    2. Hypervisor security
    3. Pooled resources
    4. Multitenancy

  97. Which of the following is not typically used as an information source for business continuity and disaster recovery (BC/DR) event anticipation?

    1. Open source news
    2. Business threat intelligence
    3. Egress monitoring solutions
    4. Weather monitoring agencies

  98. Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization?

    1. Premature return to normal operations
    2. Event anticipation information
    3. Assigning roles for BC/DR activities
    4. Preparing the continuity-of-operations plan

  99. Which of the following aspects of the business continuity and disaster recovery (BC/DR) process poses a risk to the organization?

    1. Threat intelligence gathering
    2. Preplacement of response assets
    3. Budgeting for disaster
    4. Full testing of the plan

  100. In container virtualization, unlike standard virtualization, what is not included?

    1. Hardware emulation
    2. OS replication
    3. A single kernel
    4. The possibility for multiple containers

  101. Which of the following is not typically a phase in the software development lifecycle (SDLC)?

    1. Define
    2. Test
    3. Develop
    4. Sanitization

  102. An application programming interface (API) gateway can typically offer all of the following capabilities except _______________.

    1. Rate limiting
    2. Access control
    3. Hardware confirmation
    4. Logging

  103. Cloud customers in a public cloud managed services environment can install all the following types of firewalls except _______________.

    1. Provider operated
    2. Host-based
    3. Third party
    4. Hardware

  104. The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, who initiates the protocol?

    1. The server
    2. The client
    3. The certifying authority
    4. The Internet service provider (ISP)

  105. The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what is the usual means for establishing trust between the parties?

    1. Out-of-band authentication
    2. Multifactor authentication
    3. Public-key infrastructure (PKI) certificates
    4. Preexisting knowledge of each other

  106. The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, what form of cryptography is used for the session key?

    1. Symmetric key
    2. Asymmetric key pairs
    3. Hashing
    4. One asymmetric key pair

  107. DevOps is a form of software development that typically joins the software development team with _______________.

    1. The production team
    2. The marketing team
    3. The security office
    4. Management

  108. The Agile Manifesto for software development focuses largely on _______________.

    1. Secure build
    2. Thorough documentation
    3. Working prototypes
    4. Proper planning

  109. When a program’s source code is open to review by the public, what is that software called?

    1. Freeware
    2. Malware
    3. Open source
    4. Shareware

  110. Why is Simple Object Access Protocol (SOAP) used for accessing web services instead of the Distributed Component Object Model (DCOM) and the Common Object Request Broker Architecture (CORBA)?

    1. SOAP provides a much more lightweight solution.
    2. SOAP replaces binary messaging with XML.
    3. SOAP is much more secure.
    4. SOAP is newer.

  111. How does representational state transfer (REST) make web service requests?

    1. XML
    2. SAML
    3. URIs
    4. TLS

  112. Representational state transfer (REST) outputs often take the form of _______________.

    1. JavaScript Object Notation (JSON)
    2. Certificates
    3. Database entries
    4. WS-Policy

  113. “Sensitive data exposure” is often included on the list of the Open Web Application Security Project (OWASP) Top Ten web application vulnerabilities. In addition to programming discipline and technological controls, what other approach is important for reducing this risk?

    1. Physical access control to the facility
    2. User training
    3. Crafting sophisticated policies
    4. Redundant backup power

  114. During maintenance mode for a given node in a virtualized environment, which of the following conditions is not accurate?

    1. Generation of new instances is prevented.
    2. Admin access is prevented.
    3. Alerting mechanisms are suspended.
    4. Events are logged.

  115. How are virtual machines (VMs) moved from active hosts when the host is being put into maintenance mode?

    1. As a snapshotted image file
    2. In encrypted form
    3. As a live instance
    4. Via portable media

  116. Which of the following is not a typical mechanism used by intrusion detection system (IDS) and intrusion prevention system (IPS) solutions to detect threats?

    1. Signature-based detection
    2. User input
    3. Statistical-based detection
    4. Heuristic detection

  117. When you’re deploying a honeypot/honeynet, it is best to fill it with _______________ data.

    1. Masked
    2. Raw
    3. Encrypted
    4. Useless

  118. The cloud provider should be required to make proof of vulnerability scans available to all of the following except _______________.

    1. Regulators
    2. The public
    3. Auditors
    4. The cloud customer

  119. You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing.

    The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This intellectual property is likely protected as a _______________.

    1. Copyright
    2. Trademark
    3. Patent
    4. Trade secret

  120. You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing.

    The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. This conflict will most likely have to be resolved with what legal method?

    1. Breach of contract lawsuit
    2. Criminal prosecution
    3. Civil suit
    4. Military tribunal

  121. You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud software as a service (SaaS) provider for business functions that cross several of the locations of your facilities, such as ordering of parts, logistics and inventory, billing, and marketing.

    The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. What will most likely affect the determination of who has ownership of the logo?

    1. Whoever first used the logo
    2. The jurisdiction where both businesses are using the logo simultaneously
    3. Whoever first applied for legal protection of the logo
    4. Whichever entity has the most customers who recognize the logo

  122. Which Statement on Standards for Attestation Engagements (SSAE) 18 audit report is simply an attestation of audit results?

    1. Service Organization Control (SOC) 1
    2. SOC 2, Type 1
    3. SOC 2, Type 2
    4. SOC 3

  123. Which Statement on Standards for Attestation Engagements (SSAE) 18 report is purposefully designed for public release (for instance, to be posted on a company’s website)?

    1. Service Organization Control (SOC) 1
    2. SOC 2, Type 1
    3. SOC 2, Type 2
    4. SOC 3

  124. Which of the following countries has a national privacy law that conforms to European Union (EU) legislation?

    1. The United States
    2. Australia
    3. Jamaica
    4. Honduras

  125. Which of the following countries has a national privacy law that conforms to European Union (EU) legislation?

    1. Japan
    2. Alaska
    3. Belize
    4. Madagascar
