CHAPTER 8
Practice Exam 2

1. You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. In reviewing provider options, management considers an offer from Cloud Services Corp., which has contracts with several cloud providers and data centers and has offered to tailor a package of services for your company’s needs. In this case, Cloud Services Corp. is considered a _______________.

    1. Cloud provider
    2. Cloud customer
    3. Cloud reseller
    4. Cloud database

  2. You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. Management has expressed a concern that any cloud provider the company chooses will have your company at a disadvantage—that your company will be at great risk because the provider will have your data and operational capability, and that the provider could hold the data “hostage” in order to raise the price of the service dramatically at the end of the contract term. To address management’s concerns, you should try to find a cloud offering that places a great deal of emphasis on the _______________ trait of cloud computing.

    1. Resource pooling
    2. Scalability
    3. Portability
    4. Metered service

  3. You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. As you consider possible providers, you are careful to check that they each offer the essential traits of cloud computing. These include all of the following except _______________.

    1. Broad network access
    2. Metered service
    3. On-demand self-service
    4. Automatic anti-malware and intrusion prevention

  4. You are the IT director for an automotive parts supply distribution service; your company wants to operate a production environment in the cloud. Your company wants to install its own software solutions in a managed environment to decrease the cost of purchasing and maintaining the hardware of a data center. You should most likely be considering a(n) _______________ offering.

    1. IaaS
    2. PaaS
    3. SaaS
    4. Hybrid

  5. If a company wanted to retain some of its own internal traditional hardware but use the cloud as a means of performing software testing functions, which service and deployment models should it probably use?

    1. PaaS, hybrid
    2. IaaS, private
    3. PaaS, community
    4. SaaS, hybrid

6. A company wants to absolutely minimize its involvement in the administration of IT; which combination of cloud service model and deployment model should it consider?

    1. IaaS, private
    2. PaaS, private
    3. SaaS, private
    4. SaaS, public

  7. During a cost–benefit analysis, your company determines that it spends a disproportionate amount of money on software licensing and administration. Which cloud model may best help your company to reduce these costs?

    1. IaaS
    2. PaaS
    3. SaaS
    4. Hybrid

  8. Your company does not have a well-trained, experienced IT staff and is reluctant to spend more money on training personnel (in recent company history, personnel have received training and then immediately quit the company to work for competitors). If senior management considers cloud migration, which deployment model would probably best suit their needs?

    1. Public
    2. Private
    3. Community
    4. Hybrid

  9. Your company operates under a high degree of regulatory scrutiny. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company’s compliance needs. Which deployment model would probably best suit the company’s needs?

    1. Public
    2. Private
    3. Community
    4. Hybrid

  10. Your company operates in a highly competitive market, with extremely high-value data assets. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company’s security needs. Which deployment model would probably best suit the company’s needs?

    1. Public
    2. Private
    3. Community
    4. Hybrid

  11. Your company operates in a highly cooperative market, with a high degree of information sharing between participants. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company’s collaboration needs. Which deployment model would probably best suit the company’s needs?

    1. Public
    2. Private
    3. Community
    4. Hybrid

  12. Your company maintains an on-premises data center for daily production activities but wants to use a cloud service to augment this capability during times of increased demand (cloud bursting). Which deployment model would probably best suit the company’s needs?

    1. Public
    2. Private
    3. Community
    4. Hybrid

  13. A company is considering a cloud migration to a platform as a service (PaaS) environment. Which of the following factors might make the company less likely to choose the cloud environment?

    1. The company wants to reduce overhead costs.
    2. The company operates proprietary software.
    3. The company hopes to reduce energy costs related to operation of a data center.
    4. The company is seeking to enhance its business continuity and disaster recovery (BC/DR) capabilities.

  14. Which mechanism best aids to ensure that the cloud customer receives dependable, consistent performance in the cloud environment?

    1. Audits
    2. Service-level agreement (SLA)
    3. Regulators
    4. Training

  15. What is the business advantage of shifting from capital expenditure in an on-premises environment to the operating expenditures of a cloud environment?

    1. Reduces the overall cost
    2. Reduces tax exposure
    3. Reduces cash flow risks
    4. Increases profit

  16. A host-based firewall in a virtualized cloud environment might have aspects of all the following types of controls except _______________.

    1. Administrative
    2. Deterrent
    3. Corrective
    4. Preventive

  17. A virtual network interface card (NIC) exists at Layer _______________ of the OSI model.

    1. 2
    2. 4
    3. 6
    4. 8

  18. Which technology is most associated with tunneling?

    1. IPSec
    2. GRE
    3. IaaS
    4. XML

  19. Secure Shell (SSH) tunneling can include all of the following services except _______________.

    1. Remote log-on
    2. Content filtering
    3. Port forwarding
    4. Command execution

  20. Transport Layer Security (TLS) is a session encryption tool that uses _______________ encryption to create a _______________ session key.

    1. Symmetric, symmetric
    2. Asymmetric, symmetric
    3. Asymmetric, asymmetric
    4. Symmetric, asymmetric

  21. Which of the following architecture frameworks was designed for service delivery entities, from the perspective of how they serve customers?

    1. SABSA (Sherwood Applied Business Security Architecture)
    2. ITIL
    3. COBIT (Control Objectives for Information and Related Technologies)
    4. TOGAF (The Open Group Architecture Framework)

  22. The Cloud Security Alliance (CSA) created the Trusted Cloud Initiative (TCI) to define principles of cloud computing that providers should strive for in order to foster a clear understanding of the cloud marketplace and to enhance that market. Which of the following is not one of the CSA’s TCI fundamental principles?

    1. Delegate or federate access control when appropriate.
    2. Ensure the [trusted cloud] architecture is resilient, elastic, and flexible.
    3. Ensure the [trusted cloud] architecture addresses and supports multiple levels of protection.
    4. Provide economical services to all customers, regardless of point of origin.

  23. Data loss prevention or data leak protection (DLP) solutions typically involve all of the following aspects except _______________.

    1. Data discovery
    2. Tokenization
    3. Monitoring
    4. Enforcement

  24. A typical data loss prevention or data leak protection (DLP) tool can enhance the organization’s efforts at accomplishing what legal task?

    1. Evidence collection
    2. Delivering testimony
    3. Criminal prosecution
    4. Enforcement of intellectual property rights

  25. Which of the following activities can enhance the usefulness and abilities of a data loss prevention or data leak protection (DLP) solution?

    1. Perform emergency egress training for all personnel.
    2. Require data owners, stewards, and custodians to properly classify and label data at time of creation or collection.
    3. Require senior management to participate in all security functions, including initial, recurring, and refresher training.
    4. Display security guidance in a variety of formats, including a web page, banner, posters, and hard-copy material.

  26. Data archiving can also provide what production capability?

    1. Enhanced database mechanisms
    2. Near-term data recovery
    3. New data-driven business workflows
    4. Greater management insight into productivity

  27. Data archiving can be required for regulatory compliance as a legal mandate. What other business function is also often tied to archiving?

    1. Marketing
    2. Business continuity and disaster recovery (BC/DR)
    3. Personnel development
    4. Intellectual property protection

  28. Which of the following is probably most important to include in a data archiving policy?

    1. Data format and type
    2. Data classification
    3. Encryption procedures and standards
    4. Data audit and review processes

  29. The destruction of a cloud customer’s data can be required by all of the following except _______________.

    1. Statute
    2. Regulation
    3. The cloud provider’s policy
    4. Contract

  30. Which of the following data storage types is most associated with software as a service (SaaS)?

    1. Content delivery network (CDN)
    2. Databases
    3. Volume storage
    4. Data warehousing

  31. You are the security manager for a bookkeeping firm that is considering moving to a cloud-based production environment. In selecting a cloud provider, your company is reviewing many criteria. One of these is enhancing the company’s business continuity and disaster recovery (BC/DR) capabilities. You want to ensure that the cloud provider you select will allow for migration to an alternate provider in the event of contingencies. The provider you choose should be able to support a migration to an alternate provider within _______________.

    1. 24 hours
    2. 1 hour
    3. Your company’s recovery time objective (RTO)
    4. Your company’s recovery point objective (RPO)

  32. In which phase of the cloud secure data lifecycle does data leave the production environment and go into long-term storage?

    1. Store
    2. Use
    3. Share
    4. Archive

  33. In which phase of the cloud secure data lifecycle should classifications and labels be assigned to data?

    1. Create
    2. Store
    3. Use
    4. Share

  34. Which of the following is not included in the Open Web Application Security Project (OWASP) Top Ten web application security threats?

    1. Injection
    2. Cross-site scripting
    3. Internal theft
    4. Sensitive data exposure

  35. Your organization is developing software for wide use by the public. You have decided to test it in a cloud environment, in a platform as a service (PaaS) model. Which of the following should be of particular concern to your organization for this situation?

    1. Vendor lock-in
    2. Backdoors
    3. Regulatory compliance
    4. High-speed network connectivity

  36. Which of the following management risks can make an organization’s cloud environment unviable?

    1. Insider trading
    2. Virtual machine (VM) sprawl
    3. Hostile takeover
    4. Improper personnel selection

  37. You are the security manager for a company that is considering cloud migration to an infrastructure as a service (IaaS) environment. You are assisting your company’s IT architects in constructing the environment. Which of the following options do you recommend?

    1. Unrestricted public access
    2. Use of a Type I hypervisor
    3. Use of a Type II hypervisor
    4. Enhanced productivity without encryption

38. Your company uses a managed cloud service provider to host the production environment. The provider has notified you, along with several of the provider’s other customers, that an engineer working for the provider has been using administrative access to steal sensitive data and has been selling it to your competitors. Some of this sensitive data included personally identifiable information (PII) related to your employees. Your company’s general counsel informs you that there are at least three jurisdictions involved that have laws requiring data breach notification for PII. Who has legal liability for the costs involved with making the required notifications?

    1. The cloud provider
    2. Your company
    3. The Internet service provider (ISP)
    4. Your regulators

  39. Which of the following techniques is not recommended for privileged user management?

    1. Increased password/phrase complexity
    2. More frequent password/phrase changes
    3. More detailed background checks
    4. Less detailed audit trail

  40. You are the security officer for a company operating a production environment in the cloud. Your company’s assets have a high degree of sensitivity and value, and your company has decided to retain control and ownership of the encryption key management system. In order to do so, your company will have to have which of the following cloud service/deployment models?

    1. Public
    2. Infrastructure as a service (IaaS)
    3. Hybrid
    4. Software as a service (SaaS)

  41. Which security principle dictates that encryption key management and storage should be isolated from the data encrypted with those keys?

    1. Least privilege
    2. Two-person integrity
    3. Compartmentalization
    4. Separation of duties

  42. Which cloud data storage technique involves encrypting a data set, then splitting the data into pieces, splitting the key into pieces, then signing the data pieces and key pieces and distributing them to various cloud storage locations?

    1. RAID
    2. Secret sharing made short (SSMS)
    3. Homomorphic encryption
    4. Asymmetric encryption
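
The construction described in question 42, as an added example that is not part of the exam or of any storage product: the data set is encrypted under a random key, the ciphertext is split into pieces, the key is split with Shamir's scheme so that any k of n shares recover it, every piece and share is tagged, and the lot is spread over n storage locations. Assumptions, labelled in the code as well: an HMAC-SHA256 keystream stands in for AES-CTR because the standard library has no AES; the ciphertext is striped rather than erasure-coded, so every data piece is needed while only k key shares are; the per-piece "signature" is an HMAC under a verification key the customer keeps, standing in for a digital signature; the storage locations are an in-memory dict. The names ssms_store, ssms_retrieve and demo are hypothetical.

```python
"""Secret sharing made short (SSMS) round trip. Added illustration, not code from
the exam or any product. Assumptions: HMAC-SHA256 keystream in place of AES-CTR,
striping in place of an information dispersal algorithm, HMAC under a customer-held
key in place of a digital signature, and an in-memory dict for the locations."""
import hashlib
import hmac
import secrets

# Field for the Shamir key shares: the Mersenne prime 2**521 - 1 holds a 256-bit key.
PRIME = 2 ** 521 - 1


def _keystream_xor(key, nonce, data):
    """Stand-in bulk cipher (assumption): HMAC-SHA256 in counter mode as a keystream.
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[counter * 32:(counter + 1) * 32]
        out.extend(b ^ s for b, s in zip(chunk, block))
    return bytes(out)


def shamir_split(secret, k, n):
    """Split an integer secret into n points of a degree k-1 polynomial over GF(PRIME)."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def shamir_recover(shares):
    """Lagrange interpolation at x = 0; any k distinct shares give back the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def _tag(sign_key, label, payload):
    # Assumption: HMAC under a customer-held key stands in for a digital signature.
    return hmac.new(sign_key, label + payload, hashlib.sha256).digest()


def ssms_store(plaintext, k, n, sign_key, nonce):
    """Encrypt, split the data and the key, tag every piece, spread them over n locations."""
    data_key = secrets.token_bytes(32)
    ciphertext = _keystream_xor(data_key, nonce, plaintext)
    # Striping is a simplification: real SSMS disperses the ciphertext with an
    # information dispersal algorithm so a subset of pieces suffices; here all n are needed.
    size = -(-len(ciphertext) // n)
    pieces = [ciphertext[i * size:(i + 1) * size] for i in range(n)]
    key_shares = shamir_split(int.from_bytes(data_key, "big"), k, n)
    locations = {}
    for i in range(n):
        x, y = key_shares[i]
        share = x.to_bytes(2, "big") + y.to_bytes(66, "big")
        # The index is bound into each tag so a piece cannot be swapped between locations.
        locations["location-%d" % (i + 1)] = {
            "data": pieces[i],
            "data_tag": _tag(sign_key, b"data-%d" % i, pieces[i]),
            "key_share": share,
            "key_tag": _tag(sign_key, b"key-%d" % i, share),
        }
    return locations


def ssms_retrieve(locations, k, sign_key, nonce, key_locations=None):
    """Verify every data piece, recover the key from any k verified shares, then decrypt."""
    names = sorted(locations, key=lambda s: int(s.rsplit("-", 1)[1]))
    pieces = []
    for i, name in enumerate(names):
        rec = locations[name]
        if not hmac.compare_digest(rec["data_tag"], _tag(sign_key, b"data-%d" % i, rec["data"])):
            raise ValueError("data piece at %s failed verification" % name)
        pieces.append(rec["data"])
    shares = []
    for name in (key_locations or names)[:k]:
        i = names.index(name)
        rec = locations[name]
        if not hmac.compare_digest(rec["key_tag"], _tag(sign_key, b"key-%d" % i, rec["key_share"])):
            raise ValueError("key share at %s failed verification" % name)
        shares.append((int.from_bytes(rec["key_share"][:2], "big"),
                       int.from_bytes(rec["key_share"][2:], "big")))
    if len(shares) < k:
        raise ValueError("need %d key shares, got %d" % (k, len(shares)))
    data_key = shamir_recover(shares).to_bytes(32, "big")
    return _keystream_xor(data_key, nonce, b"".join(pieces))


def demo():
    """Constructed sample: store with a 3-of-5 key split, read back, then detect tampering."""
    sign_key = b"customer-held verification key"  # constructed
    nonce = secrets.token_bytes(12)
    record = b"constructed sample: cardholder export, account 4111-****-****-1111"
    locs = ssms_store(record, 3, 5, sign_key, nonce)
    full = ssms_retrieve(locs, 3, sign_key, nonce) == record
    subset = ssms_retrieve(locs, 3, sign_key, nonce,
                           key_locations=["location-5", "location-2", "location-4"]) == record
    flipped = bytes([locs["location-2"]["data"][0] ^ 1]) + locs["location-2"]["data"][1:]
    locs["location-2"]["data"] = flipped  # a provider silently alters one fragment
    try:
        ssms_retrieve(locs, 3, sign_key, nonce)
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return full, subset, tamper_caught


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Running the file shows the round trip succeeding from any three key shares and the altered fragment being rejected. The point behind the exam question: a provider holding any single location sees one encrypted fragment and one key share, which reveals nothing about the key, while the customer keeps both the verification key and the threshold, so custody of the data stays with the customer even though the bytes sit with several providers.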

  43. Which theoretical technique would allow encrypted data to be manipulated without decrypting it first?

    1. RAID
    2. Secret sharing made short (SSMS)
    3. Homomorphic encryption
    4. Asymmetric encryption

  44. Which theoretical technology would allow superposition of physical states to increase both computing capacity and encryption keyspace?

    1. All-or-nothing-transform with Reed-Solomon (AONT-RS)
    2. Quantum computing
    3. Filigree investment
    4. Sharding

  45. In a virtualized environment, suspended virtual machine (VM) instances at rest are subject to increased risk because _______________.

    1. There is no way to encrypt instances at rest
    2. Insider threats are greater for data storage locations than processing locations
    3. The instances are saved as image snapshots and highly portable
    4. They are unprotected unless multifactor authentication is required

  46. In a virtualized cloud environment, the management plane is usually responsible for provisioning virtual machine instances with all of the following resources except _______________.

    1. CPU
    2. Memory
    3. User interface
    4. Permanent storage

  47. Which of the following business continuity and disaster recovery (BC/DR) testing methodologies is least intrusive?

    1. Walk-through
    2. Simulation
    3. Tabletop
    4. Full test

  48. In order for an organization to determine if its backup solution is adequate for meeting the recovery point objective (RPO), what must be done?

    1. Conduct full backups at least daily.
    2. Use a data mirroring solution.
    3. Put all backups in the cloud.
    4. Practice a restore from backup.

  49. Which common characteristic of the cloud data center also serves customer business continuity and disaster recovery (BC/DR) needs?

    1. Multitenancy
    2. Virtualization
    3. Redundancy
    4. Software-defined networking

  50. Which phase of the business continuity and disaster recovery (BC/DR) process can result in a second disaster?

    1. Event anticipation
    2. Creating BC/DR plans and policy
    3. Return to normal operations
    4. Incident initiation

  51. Which process artifact aids an organization in determining the critical assets and functions that need to continue operations during a business continuity and disaster recovery (BC/DR) contingency?

    1. Service Organization Control (SOC) 2, Type 2
    2. Business impact analysis (BIA)
    3. Qualitative risk analysis report
    4. Annual loss expectancy (ALE) calculation

  52. In general, a cloud business continuity and disaster recovery (BC/DR) solution will be _______________ than a physical solution.

    1. Slower
    2. Less expensive
    3. Larger
    4. More difficult to engineer

  53. Which of the following is not a common federation technology?

    1. WS-Federation
    2. OWASP
    3. OpenID
    4. OAuth

  54. Which of the following is an audit report on the design of an organization’s controls?

    1. Service Organization Control (SOC) 1
    2. SOC 2, Type 1
    3. SOC 3
    4. SOC 4

  55. Which of the following is not usually suitable for inclusion in a service-level agreement (SLA) for managed cloud services?

    1. Service availability
    2. Number of users and virtual machines
    3. Background checks for provider personnel
    4. Amount of cloud storage

  56. Which of the following is not a typical physical access control mechanism in the cloud data center?

    1. Cage locks
    2. Video surveillance
    3. Rack locks
    4. Fire suppression

  57. Which of the following cloud environment accounts should only be granted on a temporary basis?

    1. Remote users
    2. Senior management
    3. Internal users
    4. External vendors

  58. Which of the following attack vectors is new to the cloud environment and was not typically found in on-premises, legacy environments?

    1. Distributed denial of service (DDoS)
    2. Guest escape
    3. Internal threats
    4. Inadvertent disclosure

  59. Which of the following is a file server that provides data access to multiple, heterogeneous machines and users on the network?

    1. Storage area network (SAN)
    2. Network-attached storage (NAS)
    3. Hardware security module (HSM)
    4. Content delivery network (CDN)

  60. You are the security manager for a retail company that is considering cloud migration to a public, software as a service (SaaS) solution both for your current internal production environment (an on-premises data center) and to host your e-commerce presence. Which of the following is a new concern you should bring up to senior management for them to consider before the migration?

    1. Regulatory compliance for your credit card processing transactions
    2. Inadvertent disclosure by internal (company) personnel
    3. Data disclosure through insufficiently isolated resources
    4. Malicious intrusion by external entities

  61. When a data center is configured such that the backs of the devices face each other and the ambient temperature in the work area is cool, it is called _______________.

    1. Hot aisle containment
    2. Cold aisle containment
    3. Thermo-optimized
    4. Heating, ventilation, and air conditioning (HVAC) modulated

  62. Disciplined cable management is crucial for cloud data centers because it provides greater assurance of only authorized lines operating in the environment and _______________.

    1. Reduces unproductive heating, ventilation, and air conditioning (HVAC) activity
    2. Reduces the risk of slip, trip, and fall hazards
    3. Greatly reduces the environmental footprint
    4. Ensures regulatory compliance

  63. To optimize airflow within a data center according to industry standards, a raised floor used as an air plenum must have at least _______________ of clearance.

    1. One foot
    2. One meter
    3. 24 inches
    4. 30 inches

  64. Raised flooring can serve as both an air plenum and _______________.

    1. A convenient location for RAID arrays
    2. Cool storage for data center personnel meals
    3. A conduit for running cable
    4. Disaster shelter locations

  65. Typically, when raised flooring is used as an air plenum, _______________ air is directed through it.

    1. Warm
    2. Cold
    3. Bleed
    4. Exhaust

  66. There are two general types of smoke detectors. One type uses a light source to detect the presence of particulate matter resulting from a fire, and the other uses _______________.

    1. Electric pulses
    2. Small amounts of radioactive material
    3. Fiber-optic mechanisms
    4. A water-pressure plate

  67. Fire suppression systems are often linked to a detection system. Common detection systems include all of the following except _______________.

    1. Heat
    2. Pressure
    3. Flame
    4. Smoke

  68. FM-200 has all the following properties except _______________.

    1. It’s nontoxic at levels used for fire suppression
    2. It’s gaseous at room temperature
    3. It may deplete the earth’s ozone layer
    4. It does not leave a film or coagulant after use

  69. FM-200 has all the following properties except _______________.

    1. It is colorless
    2. It leaves a faint chemical residue after use
    3. It is liquid when stored
    4. It is nonconductive

  70. Dynamic Host Configuration Protocol (DHCP) servers in a network will provide the clients with all of the following except _______________.

    1. A temporary IP address
    2. Encryption protocols
    3. A default gateway
    4. Time server synchronization

  71. You are the security officer for a cloud deployment. In order to secure data in transit, you can choose to implement all of the following techniques and technologies except _______________.

    1. DNSSEC
    2. TLS
    3. IDS/IPS
    4. IPSec

  72. All of the following techniques are used in OS hardening except _______________.

    1. Removing default accounts
    2. Disallowing local save of credentials
    3. Removing unnecessary services
    4. Preventing all administrative access

  73. You are performing an audit of the security controls used in a cloud environment. Which of the following would best serve your purpose?

    1. The business impact analysis (BIA)
    2. A copy of the virtual machine (VM) baseline configuration
    3. The latest version of the company’s financial records
    4. A Service Organization Control (SOC) 3 report from another (external) auditor

  74. In a cloud environment, prior to putting a node into maintenance mode, all of the following actions should be taken except _______________.

    1. Prevent any new users from logging on or creating any new instances
    2. Migrate any existing guest virtual machines (VMs) to another node
    3. Disable alerts from host-based intrusion detection systems (IDSs), intrusion prevention systems (IPSs), or firewalls
    4. Disable logging functions and tools

  75. A cloud provider conducting scheduled maintenance of the environment should do all the following except _______________.

    1. Notify any customers who may be affected
    2. Require reverification of all user accounts
    3. Follow approved change-management procedures and processes
    4. Confirm that remaining resources are sufficient to manage the minimum load as dictated by service-level agreements (SLAs)

  76. Which of the following is characterized by a set maximum capacity?

    1. A secret-sharing-made-short (SSMS) bit-splitting implementation
    2. A tightly coupled cloud storage cluster
    3. A loosely coupled cloud storage cluster
    4. A public-key infrastructure

  77. Which of the following is an open source cloud-based software project characterized by a toolset that includes components called Nova, Neutron, Heat, Ironic, and Cinder?

    1. OWASP
    2. OAuth
    3. OpenStack
    4. Mozilla

  78. You are the security director for a call center that provides live support for customers of various vendors. Your staff handles calls regarding refunds, complaints, and the use of products customers have purchased. To process refunds, your staff will have access to purchase information, determine which credit card the customer used, and identify specific elements of personal data. How should you best protect this sensitive data and still accomplish the purpose?

    1. Encrypt the data while it is at rest but allow the call center personnel to decrypt it for refund transactions.
    2. Encrypt the data while call center personnel are performing their operations.
    3. Mask the data while call center personnel are performing their operations.
    4. Have the call center personnel request the pertinent information from the customer for every refund transaction.

  79. Which of the following is not typically included as a basic phase of the software development lifecycle (SDLC)?

    1. Define
    2. Design
    3. Describe
    4. Develop

  80. What is the most important input to the software development lifecycle (SDLC)?

    1. Senior management direction
    2. Legislation/regulation
    3. Investor oversight
    4. Business requirements

  81. Which of the following can be included in the cloud security architecture as a means to identify and reject hostile SQL commands?

    1. Web application firewall (WAF)
    2. Application programming interface (API) gateway
    3. Data loss prevention or data leak protection (DLP)
    4. Database activity monitor (DAM)

  82. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Which cloud service or deployment model would probably best suit your needs?

    1. Infrastructure as a service (IaaS)
    2. Platform as a service (PaaS)
    3. Software as a service (SaaS)
    4. Community

  83. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Which of the following tools, technologies, or techniques may be very useful for your purposes?

    1. Data loss prevention or data leak protection (DLP)
    2. Digital rights management (DRM)
    3. Sandboxing
    4. Web application firewall (WAF)

  84. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Previous releases have shipped with major flaws that were not detected in the testing phase; leadership wants to avoid repeating that problem. What tool, technique, or technology might you suggest to aid in identifying programming errors?

    1. Vulnerability scans
    2. Open source review
    3. Service Organization Control (SOC) audits
    4. Regulatory review

  85. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Previous releases have shipped with major flaws that were not detected in the testing phase; leadership wants to avoid repeating that problem. It is important to prevent _______________ from being present during the testing.

    1. Senior management
    2. Marketing department personnel
    3. Finance analysts
    4. Programmers who worked on the software

  86. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. When you explain what impact this will have, you note that _______________ may be decreased by this option.

    1. Speed of development
    2. Thoroughness of documentation
    3. Availability of prototypes
    4. Customer collaboration

  87. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. In order for this to happen, the company will have to increase the involvement of _______________.

    1. Security personnel
    2. Budget and finance representatives
    3. Members of the user group
    4. Senior management

  88. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. This will be typified by which of the following traits?

    1. Reliance on a concrete plan formulated during the Define phase
    2. Rigorous, repeated security testing
    3. Isolated programming experts for specific functional elements
    4. Short, iterative work periods

  89. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management is interested in adopting an Agile development style. This will be typified by which of the following traits?

    1. Daily meetings
    2. A specific shared toolset
    3. Defined plans that dictate all efforts
    4. Addressing customer needs with an exhaustive initial contract

  90. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. The backend of the software will have the data structured in a way to optimize XML requests. Which API programming style should programmers most likely concentrate on for the frontend interface?

    1. Simple Object Access Protocol (SOAP)
    2. Representational state transfer (REST)
    3. Security Assertion Markup Language (SAML)
    4. Data loss prevention or data leak protection (DLP)

  91. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. You recommend the use of STRIDE threat modeling to assess potential risks associated with the software. Which of the following is not addressed by STRIDE?

    1. External parties presenting false credentials
    2. External parties illicitly modifying information
    3. Participants able to deny a transaction
    4. Users unprepared for secure operation by lack of training

  92. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Management has decided that the company will deploy encryption, data loss prevention or data leak protection (DLP), and digital rights management (DRM) in the cloud environment for additional protection. When consulting with management, you explain that these tools will most likely reduce _______________.

    1. External threats
    2. Internal threats
    3. Software vulnerabilities
    4. Quality of service

  93. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Your company has, and wishes to retain, ISO 27034 certification. For every new application it creates, it will also have to create a(n) _______________.

    1. Organizational normative framework (ONF)
    2. Application normative framework (ANF)
    3. Intrinsic normative framework (INF)
    4. Service Organization Control (SOC) 3 report

  94. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting a customer-facing production environment. Many of your end users are located in the European Union (EU) and will provide personal data as they use your software. Your company will not be allowed to use a cloud data center in which of the following countries?

    1. Japan
    2. Australia
    3. Belgium
    4. Chile

  95. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting a customer-facing production environment. Many of your end users are located in the European Union (EU) and will provide personal data as they use your software. Your company will not be allowed to use a cloud data center in which of the following countries?

    1. Argentina
    2. Israel
    3. South Korea
    4. Switzerland

  96. You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting a customer-facing production environment. Many of your end users are located in the European Union (EU) and will provide personal data as they use your software. Your company will not be allowed to use a cloud data center in which of the following countries?

    1. Canada
    2. Singapore
    3. France
    4. Kenya

  97. Which of the following is not a core principle included in the Organisation for Economic Co-operation and Development (OECD) privacy guidelines?

    1. The individual must have the ability to refrain from sharing their data.
    2. The individual must have the ability to correct errors in their data.
    3. The individual must be able to request a purge of their data.
    4. The entity holding the data must secure it.

  98. Who is the entity identified by personal data?

    1. The data owner
    2. The data processor
    3. The data custodian
    4. The data subject

  99. What is the current European Union (EU) privacy legislation that restricts dissemination of personal data outside the EU?

    1. The EU Data Directive
    2. Privacy Shield
    3. The General Data Protection Regulation (GDPR)
    4. Sarbanes–Oxley (SOX)

  100. In order for American companies to process personal data belonging to European Union (EU) citizens, they must comply with the Privacy Shield program. The program is administered by the U.S. Department of Transportation and the _______________.

    1. U.S. State Department
    2. Fish and Wildlife Service
    3. Federal Trade Commission (FTC)
    4. Federal Communication Commission (FCC)

  101. In addition to the Privacy Shield program, what other means can non–European Union (EU) companies use to be allowed to process personal data of EU citizens?

    1. Enhanced security controls
    2. Standard contractual clauses
    3. Increased oversight
    4. Modified legal regulation

  102. Which entity is legally responsible for the protection of personal data?

    1. The data subject
    2. The data controller
    3. The data processor
    4. The data steward

  103. When a company is first starting and has no defined processes and little documentation, it can be said to be at level _______________ of the Capability Maturity Model (CMM).

    1. 1
    2. 2
    3. 3
    4. 4

  104. Which of the following standards addresses a company’s entire security program, involving all aspects of various security disciplines?

    1. ISO 27001
    2. ISO 27002
    3. National Institute of Standards and Technology (NIST) 800-37
    4. Statement on Standards for Attestation Engagements (SSAE) 18

  105. A cloud provider might only release Service Organization Control (SOC 2), Type 2 reports to _______________.

    1. Regulators
    2. The public
    3. Potential customers
    4. Current customers

  106. A cloud provider’s Service Organization Control (SOC) 1 report may not be useful to customers interested in determining the provider’s security posture because the SOC 1 report contains only information about _______________.

    1. Sales projections
    2. Financial reporting
    3. Previous customer satisfaction
    4. Process definition

  107. The Payment Card Industry (PCI) Data Security Standard requires different levels of activity based on participants’ _______________.

    1. Number of personnel
    2. Branch locations
    3. Number of transactions per year
    4. Preferred banking institutions

  108. Which IT product review framework is intended to determine the accuracy of vendor claims regarding security functions of the product?

    1. Underwriters Laboratories (UL)
    2. Federal Information Processing Standard (FIPS) 140-2
    3. Payment Card Industry (PCI) Data Security Standard (DSS)
    4. Common Criteria

  109. What is the lowest level of cryptographic security for a cryptographic module, according to the Federal Information Processing Standard (FIPS) 140-2 standard?

    1. 1
    2. 2
    3. 3
    4. 4

  110. What is the highest level of the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR) certification program for cloud service providers?

    1. 1
    2. 2
    3. 3
    4. 4

  111. Every cloud service provider that opts to join the Cloud Security Alliance Security, Trust, and Assurance Registry (CSA STAR) program registry must complete a _______________.

    1. Service Organization Control (SOC) 2, Type 2 audit report
    2. Consensus Assessment Initiative Questionnaire (CAIQ)
    3. National Institute of Standards and Technology (NIST) 800-37 Risk Management Framework (RMF) audit
    4. ISO 27001 information security management system (ISMS) review

  112. The term cloud carrier most often refers to _______________.

    1. The cloud provider
    2. The cloud customer
    3. An Internet service provider (ISP)
    4. A cloud manager

  113. In a centralized broker identity federation, which entity typically creates and sends the Security Assertion Markup Language (SAML) token?

    1. The cloud provider
    2. The Internet service provider (ISP)
    3. The broker
    4. The cloud customer

  114. Which of the following tools incorporates and references the requirements listed in all the others?

    1. ISO 27001
    2. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
    3. Federal Risk and Authorization Management Program (FedRAMP)
    4. European Union Agency for Network and Information Security (ENISA)

  115. Which of the following is an example of true multifactor authentication?

    1. Having a login that requires both a password and a personal identification number (PIN)
    2. Using a thumbprint and voice recognition software for access control
    3. Presenting a credit card along with a Social Security card
    4. Signing a personal check

  116. Which of the following is appropriate to include in a service-level agreement (SLA)?

    1. That the provider deliver excellent uptime
    2. That the provider host the customer’s data only within specific jurisdictions
    3. That any conflicts arising from the contract be settled within a particular jurisdiction
    4. The specific amount of data that can be uploaded to the cloud environment in any given month

  117. Which of the following standards is typically used to convey public key information in a public-key infrastructure (PKI) arrangement?

    1. Security Assertion Markup Language (SAML)
    2. X.400
    3. X.509
    4. 802.11

  118. In working with various networking technologies such as Frame Relay, ATM, and Ethernet, the capability of the network to provide better service to selected traffic is called _______________.

    1. QaS
    2. ASP
    3. OLA
    4. QoS

  119. Which type of networking model is optimized for cloud deployments in which the underlying storage and IP networks are combined so as to maximize the benefits of a cloud workload?

    1. Software-defined networking model
    2. Enterprise networking model
    3. Converged networking model
    4. Legacy networking model

  120. Which type of law consists of a body of rules and statutes that define prohibited conduct and is set out to protect the safety and well-being of the public?

    1. Tort
    2. Criminal
    3. Civil
    4. Contract

  121. What is the primary reason for the use of SSDs in the cloud today?

    1. They are faster than traditional spinning drives.
    2. They last longer than traditional spinning drives.
    3. They are easier to replace than traditional spinning drives.
    4. They can be replaced quickly.

  122. Which of the following are risks associated with virtualization?

    1. Loss of governance, snapshot and image security, and sprawl
    2. Public awareness, snapshot and image availability, and sprawl
    3. Increased cost, snapshot and image security, and sprawl
    4. Loss of data

  123. Which of the following is the core of any system handling all input/output (I/O) instructions?

    1. Central processing unit (CPU)
    2. Hypervisor
    3. User interface
    4. Supervising application

  124. Which of the following is an international organization of network designers and architects who work together in establishing standards and protocols for the Internet?

    1. Internet Assigned Numbers Authority (IANA)
    2. International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)
    3. National Institute of Standards and Technology (NIST)
    4. Internet Engineering Task Force (IETF)

  125. _______________ is a symmetric block cipher used to encrypt information and is currently the standard for the U.S. government in protecting sensitive and secret documents.

    1. MD5
    2. Secure Sockets Layer (SSL)
    3. Blowfish
    4. Advanced Encryption Standard (AES)
