Appendix
Answers to Review Questions

Chapter 1: Domain 1: Cloud Concepts, Architecture, and Design

  1. A. PaaS will allow her developers to create and design their software on a variety of operating systems (OSs), increasing the breadth of the market she can sell to. Also, she can use geographically dispersed programmers to work on projects concurrently, and the provider will be responsible for maintaining and updating the OSs as necessary. IaaS is a less attractive option because it would retain the need for Alice’s company to administer the OSs in addition to building their software; it might be less expensive in terms of paying the cloud provider, but the time and effort and personnel necessary to maintain the OSs would offset that cost, probably in a net-negative way. SaaS is not an option; Alice wants her company to build software, not rent it or buy it. Backup as a Service (BaaS) would not be useful for creating, designing, or deploying Alice’s company’s software.
  2. A. Of these four options, multitenancy poses the greatest risk to software developers in the cloud, because developers need to be concerned with two things: protecting their intellectual property (the software they’re making) and protecting resource calls their software makes to the underlying infrastructure (which, if detectable by other cloud customers, could provide information that constitutes a side-channel attack). Metered service doesn’t pose much of a security risk. The SLA might include some security aspects (such as response time), but it’s usually more of a performance-ensuring tool, and this choice is not as good as option A. Remote access, in this particular case, provides more benefit than risk: Alice can utilize work from developers located across the country or across the planet. While she does have to consider the risks inherent in all remote access, those risks are not as significant as the risks due to multitenancy, so option A is still preferable.
  3. C. Turnstiles are a physical security barrier to prevent piggybacking/tailgating (an unauthorized person coming through an entrance behind someone who is authorized), but they don’t really present much protection for intellectual property in this case. Egress monitoring (often referred to as “DLP” solutions) is a great way to reduce the likelihood of intellectual property leaving the owner’s control in an unexpected/unapproved manner. Likewise, strong encryption is useful in the cloud to reduce the impact of theft either from leakage to other cloud tenants or from insider threats (such as malicious admins in the employ of the cloud provider). Finally, digital watermarks aid protection of intellectual property by proving original ownership, which is essential for enforcing intellectual property rights (in the case of software design, mainly copyright protections).
  4. D. While all of these are traits of cloud computing and will likely benefit Alice’s company, from her position as senior manager of the organization she is likely to consider the financial benefit first and foremost.
  5. A. With infrastructure as a service (IaaS), the customer (data owner) will administer the OS and applications. In PaaS, the provider will manage the underlying hardware and the OS. In an on-premises enterprise, the data owner is also the system owner and will be responsible for everything. In an SaaS environment, the cloud provider will handle all aspects of processing, except for adding and manipulating the production data.
  6. B. PCI DSS requires that the card verification code/value (commonly written CVV or CVV2; the question uses “CCV”) be used only to authorize the transaction and never be stored afterward, even if encrypted. The data described in all the other options may be stored after the transaction is complete, subject to PCI DSS protection requirements.
  7. A. The four merchant levels in PCI are distinguished by the number of transactions that merchant conducts in a year. The dollar value of transactions per year, geographic location, and jurisdiction are not attributes that are evaluated for PCI DSS tier levels.
  8. C. Technically, BC efforts are meant to ensure that critical business functions can continue during a disruptive event, and DR efforts are supposed to support the return to normal operations. However, in practice, the efforts often coincide, use the same plans/personnel, and have many of the same procedures.

    Option A is incorrect; both BC and DR use the RTO and RPO as metrics to determine success.

    Option B is incorrect; BC and DR efforts are not specific to the cause of a disruptive event.

    Option D is incorrect; health and human safety should be paramount in all security efforts, with very few exceptions.

  9. D. The contract between the cloud customer and current cloud provider has no bearing on what the customer will have to pay to a new provider; that will be governed by the contract between the customer and the new provider.

    All the other options are topics that should be addressed in the contract between the current cloud provider and the cloud customer in order to properly address BCDR needs.

  10. A. The customer will have to pay for the costs of modification requested by the customer, regardless of purpose.

    All the other options are simply incorrect, especially option D, which is never true.

  11. D. The brand associated with the cloud provider should not influence the cost–benefit analysis; the cloud provider’s brand (and even which cloud provider an organization uses) will most likely not even be known to the consumers who have a business relationship with the organization.

    The provider does not absorb the cost when the customer requests a modification of the SLA, and an even split of the cost, though it may seem fair, is not how such changes are handled: modifications to the SLA requested by the customer are chargeable expenses that the customer pays in full.

  12. C. The timing of recurring payments to the provider will probably not be a significant factor in the cost–benefit analysis.

    All the other options are topics that are more important to review when an organization is considering cloud migration.

  13. B. In a traditional environment, enterprise software costs can be exorbitant, and the price of licensing doesn’t even reflect the hidden costs associated with licensing, such as managing the license library. In a cloud arrangement, especially software as a service (SaaS), the customer pays only the contract fee to the cloud provider, and it is the provider’s responsibility to arrange for software licensing and to manage those licenses.

    Option A is incorrect because the number of users should not be affected whether the organization is operating in the cloud or a legacy environment. The exception would be the reduced number of privileged users, because the cloud provider will be handling more administrative tasks in the environment; however, because “privileged” was not specified, option B is still a better answer.

    Option C is incorrect because that may or may not be true of an organization’s migration to the cloud.

    Option D is incorrect because the organization certainly hopes it is not going to lose clientele by moving to the cloud!

  14. A. Cloud providers are purchasing utilities (power, water, Internet connectivity) at such a massive rate that they can realize per-unit cost savings that would far exceed any smaller organizations’ pricing for individual data centers. In this case, economies of scale are very much in favor of the larger entity.

    Option B may or may not be true, depending on the degree of sensitivity and value of the organization’s data and what controls the organization will request/contract for in the cloud.

    Options C and D are not influenced by cloud migration in any way and are wholly dependent on other factors within the organization.

  15. C. Constant reinvestment in IT assets (which are almost always obsolete by the time they’re marketed, much less by the time they’re deployed in operational environments) is plagued with sunk costs; money spent on hardware devices or software licenses is unlikely to be recovered. Avoiding expenditures for IT systems by moving to the cloud means reducing these costs considerably.

    Option A is incorrect; cloud migration should not affect the need for personnel training; employees will just need to be trained in a different manner.

    Options B and D should not be affected by cloud migration in any way; whether your organization has a high personnel turnover rate or risk from internal threat is not based on whether the IT environment is owned or leased.

  16. B. Every security process, tool, and behavior entails a related cost, both financially and operationally. Although a “base price” cloud service might appear extremely affordable compared to the traditional environment, add-ons such as encryption, digital rights management (DRM), security incident/event management (SIM/SEM/SIEM), and intrusion detection/prevention systems (IDS/IPS) may all come with additional cost and may degrade performance, thus reducing the cost savings compared to the cost of operations prior to migration. This is extremely important for the organization to consider before migration, especially if the organization exists in a highly regulated industry.

    Option A is incorrect because the altitude of the cloud data center does not translate into a reduction of the actual financial benefit the organization would realize in moving to the cloud environment.

    Option C is wrong because it should be the opposite of the actual case: losing ownership of the IT assets, and paying only for the use of those assets, should lead directly to a savings over the costs of a traditional IT environment, if compared on a seat-to-seat basis.

    Option D should not be true; the cost of connecting users to the Internet should not be significantly greater if the organization operates in the cloud or with an on-premises data center—if the cost is considerably greater, the organization should never have migrated in the first place.

  17. C. ISO 27001 mandates an ISMS; organizations can be certified according to compliance with 27001.

    National Institute of Standards and Technology (NIST) SP 800-53 is the list of security controls approved for use by U.S. government agencies and a means to map them to the Risk Management Framework.

    The Payment Card Industry Data Security Standard (PCI DSS) is the payment card industry’s framework of compliance for all entities accepting or processing credit card payments.

    NIST SP 800-37 is the Risk Management Framework.

  18. D. The ISO 27001 standard is designed to be product agnostic. The other answers suggest ISO 27001 favors a type of technology, and are therefore incorrect.
  19. C. The ISO standards are almost universally accepted and recognized, and they’re even mandated for certain industries/locales.

    They are not, however, cheap, fast, or easy to adopt, implement, and audit against, so all the other answers are incorrect.

  20. A. The NIST standards are not particularly easy or fast to implement (in fact, they require continual improvement), and they are not widely recognized or mandated outside of the U.S. government federal sector.

    However, they are in the public domain, so an organization would not have to pay for the standards material if the organization chose to use NIST standards.

  21. A. ISO 27002 is used for choosing security controls in order to comply with the ISMS, which is contained in ISO 27001.

    PCI DSS is the payment card industry’s framework of compliance for all entities accepting or processing credit card payments.

    NIST SP 800-37 is the Risk Management Framework.

    HIPAA is the U.S. law regarding patient data privacy in the medical sector.

  22. B. SSAE 18 is the current AICPA audit standard, as of 2018.

    All the other options are distractors: SABSA is an IT security architecture framework, Biba is a formal integrity (access control) model, and NIST SP 800-53 contains guidance for selecting security controls in accordance with the Risk Management Framework.

  23. D. GLBA is a U.S. federal law pertaining to financial and insurance customer information.

    NIST 800-53 is a standard, not a law, so option A is incorrect.

    Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law concerning medical information, so option B is incorrect.

    SOX affects publicly traded corporations, making option C incorrect.

  24. C. The SSAE 18 is an audit standard, and the SOC reports were specifically designed to report on the suitability of organizations that provide services. This is not to say that SOC reports are not used to assess other types of organizations—they are, but they were not designed for that purpose, so all the other answers are incorrect.
  25. C. The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function.

    The SOC 1 report provides information about financial reporting mechanisms of the target only and is of little interest to the IT security professional, so option A is incorrect.

    The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function, so option B is incorrect.

    The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail, so option D is incorrect.

  26. A. The SOC 1 report provides information about financial reporting mechanisms of the target only. Although this information may be of little use to the IT security professional, it may be of great use to potential investors, if for nothing other than providing some assurance that reporting is valid and believable.

    The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function. While of some interest to the IT security professional, this is of little interest to the investor, so option B is incorrect.

    The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, this is of little interest to the investor, so option C is incorrect.

    The SOC 3 report is only an attestation that the target was audited and that it passed the audit, without detail, so option D is incorrect.

  27. D. The SOC 3 report is an attestation that the target was audited and that it passed the audit, without detail; you could use the SOC 3 reports to quickly narrow down the list of possible providers by eliminating the ones without SOC 3s.

    The SOC 1 report provides information about financial reporting mechanisms of the target only. This information may be of little use to the IT security professional and won’t help you choose a cloud vendor, so option A is incorrect.

    The SOC 2, Type 1 report describes IT security controls designed by the target only but not how effectively those controls function. While of some interest to the IT security professional, it is more comprehensive and detailed than a SOC 3 report, so it would take more time; option B is incorrect.

    The SOC 2, Type 2 report will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, it is very detailed and comprehensive and wouldn’t be a speedy tool to narrow the field. Option C is incorrect.

  28. D. PCI DSS applies only to those entities that want to engage in the business of taking or processing credit card payments, which would include options A, B, and C. A counseling service is not engaged in commerce involving credit cards and therefore is under no obligation to adhere to the PCI DSS.
  29. B. Because PCI DSS is strictly voluntary, and the PCI Council is not a government body but a consortium of private interests, they cannot detain or imprison anyone.

    They can, however, assess fees, suspend processing privileges, and require more auditing, so the other answers are true and therefore incorrect.

  30. B. The PCI merchant levels are based on how many transactions a compliant entity engages in over the course of a year.

    All the other options are incorrect because the dollar value of transactions and the location of the merchant or processor are not the criteria used for determining PCI DSS merchant levels; only the annual transaction count is.

  31. A. Merchant level 1 is for the merchants that engage in the most transactions per year (six million or more). It carries with it the requirement for the most comprehensive, detailed, and repeated security validation actions.

    It may be tempting to choose the highest number when choosing an answer for the highest merchant level. It may be counterintuitive to think that level 1 would be a higher level than a level 4. However, level 1 is the highest merchant level and is the correct answer to this question.

  32. C. The Payment Card Industry Data Security Standard (PCI DSS) requires multiple kinds of technical and nontechnical security requirements (including specific control types) for those entities that choose to subscribe to the standard.

    Option A is partially correct and partially incorrect. While the security requirements are partially technical, some requirements are also nontechnical. Therefore, option A is incorrect.

    Option B is also partially correct and partially incorrect. While the security requirements are partially nontechnical, some requirements are technical. Therefore, option B is incorrect.

    Option D is incorrect because the requirements are both technical and nontechnical, not neither technical nor nontechnical.

  33. D. The Payment Card Industry Data Security Standard (PCI DSS) allows for cardholder information at rest to be secured with either tokenization or encryption, but use of one is mandatory.

    The other options are distractors and not dictated by PCI DSS. They can, however, be useful in fulfilling certain credit card support services, such as customer support, where the personnel engaged in the activity (customer support agents, for instance) may need access to a limited set of the cardholder’s account information (for instance, name, mailing address, and date of the payment) but do not have a need to know other elements of that data set (particularly, the full credit card number); masking and obfuscation can satisfy that business need without putting data unduly at risk.

  34. B. The Payment Card Industry Data Security Standard (PCI DSS) disallows the storage of the CVV for any length of time; the CVV may only be used during the payment transaction, and not saved.

    The other options (the remaining cardholder data elements) may be retained by the merchant for future transactions with that merchant, provided they are protected as PCI DSS requires; the CVV is the one element that may never be stored.

  35. B. The EAL is a measure of how thoroughly the security features the product vendor claims the product offers have been tested and reviewed, and by whom.

    The EAL does not offer any true measure of how well those security features will work in a production environment, so options A and C are incorrect. Nor does it indicate whether those features are preferable to features offered by competing products, or whether the product is “good” in any general sense, so option D is also incorrect.

  36. A. EAL 1 is for functionally tested products. Option B is incorrect because EAL 3 is for solutions that have been methodically tested and checked.

    Option C, EAL 5 is incorrect because that is for solutions that have been semi-formally designed and tested.

    Option D is incorrect because EAL 7 is for solutions whose design has been formally verified and tested.

  37. D. EAL 7, the highest assurance level, is for those products whose security design has been formally verified and tested by independent evaluators. All other options are distractors and incorrect.

    EAL 1 is for functionally tested products.

    EAL 3 is for solutions that have been methodically tested and checked.

    EAL 5 is for solutions that have been semi-formally designed and tested.

  38. B. The vendor/manufacturer of a given product will pay to have it certified, with the premise that certification costs are offset by premium prices that certified products command and that customers won’t purchase uncertified products.

    NIST does not certify products for Common Criteria. NIST is a U.S. government organization.

    Option C is incorrect because the cloud customer does not pay to have IT products certified.

    Option D is incorrect because the end user is an individual and individuals do not pay to have IT products certified.

    (Note: Of course, the manufacturer/vendor is going to amortize the cost of the certification process across the price of the products they sell, so the customers who purchase the product will eventually “pay” for the certification, but that’s a very oblique and abstract way of reading the question.)

  39. D. NIST publishes the list of validated crypto modules. The other choices are government or non-government organizations that are not involved with publishing the list of cryptographic modules that meet FIPS 140-2 requirements.
  40. C. Vendors seeking HSM certification under FIPS 140-2 send their products to independent laboratories that have been validated as Cryptographic Module Testing Laboratories under the National Voluntary Laboratory Accreditation Program (the Accreditation Program is run by NIST, which approves the laboratories). As of this writing, 21 labs in the United States and Canada are accredited.

    Option A is incorrect because NIST does not perform the review process. NIST approves the independent laboratories that perform the review process.

    Option B is incorrect. Of all the activities that the NSA does perform, reviewing the process for Hardware Security Modules in accordance with FIPS 140-2 is certainly not one of them.

    Option D is incorrect because the ENISA is a European Union organization that supports European Union institutions and stakeholders.

  41. D. The highest security level a product can reach is 4. Option A is incorrect because Level 1 is the lowest level of security. Option B is incorrect because Level 2 simply improves upon the physical security of Level 1 (adding tamper-evidence and role-based authentication). Option C is incorrect because Level 3 improves upon Level 2 certification and adds tamper-detection/response capabilities.
  42. B. The security levels acknowledge different levels of physical protection offered by a crypto module, with 1 offering crypto functionality and no real physical protection and 4 offering tamper-resistant physical features and automatic zeroization of security parameters upon detection of tamper attempts.

    The question asks what distinguishes the security levels for cryptographic modules. Option A focuses on the sensitivity of the data being protected. The sensitivity of the data that is being protected is important when it comes to the cryptographic module being used, but that is not the distinction between the security levels in FIPS 140-2.

    Option C is incorrect because the size of the IT environment the cryptographic module is protecting is not what distinguishes the different levels.

    Option D is not correct because whether the cryptographic module is or is not allowed in a certain geographic location has no bearing on whether or not it works. The cryptographic module either works or it does not, regardless of its location.

  43. A. FIPS 140-2 is only for sensitive but unclassified (SBU) data. Options B, C, and D are incorrect because FIPS 140-2 certifies cryptographic modules for unclassified data only. Secret, Top Secret, and Sensitive Compartmented Information are all categories of classified information.
  44. B. Vendors who want their products certified under FIPS 140-2 must pay the laboratory that performs the evaluation.

    Option A is incorrect because the U.S. government is not in the business of paying for cryptographic module certifications. The U.S. government can require the use of cryptographic modules in certain situations.

    Certification laboratories receive funds for certifying cryptographic modules. They do not pay to have them certified. Therefore, option C is incorrect.

    Option D is incorrect. Users do not pay to have solutions certified.

  45. B. Most of the items on the Top Ten could be addressed with strong coding practices and by adhering to strict internal management processes (on the part of the organization involved in development). A good number of the items that continually appear on the list, such as injection, cross-site scripting, insecure direct object references, security misconfiguration, missing function-level access control, use of components with known vulnerabilities, and unvalidated redirects and forwards, can all be addressed by basic development practices, such as bounds checking/input validation, code validation/verification protocols, and informed oversight of the project.

    Strangely, option A is not correct in this case. Social engineering is perhaps the aspect of information security that is least understood (by users) and easiest to exploit, and it is the attack tactic most likely to succeed. Social engineering training could probably reduce the greatest number of overall security threats in our field today. However, this specific question is all about application security, and the element of social engineering is negligible.

    Option C is not correct because source code testing is only one aspect of code review and would not address as many items on the Top Ten as option B would.

    Option D is not correct for much the same reason option A is incorrect; this question is specifically about application security, and the physical protection element is very minor.

  46. C. In injection attacks (a large percentage of which are SQL injection, because attackers so often target databases with this technique), the attacker enters a string of command code into a user-facing field, and because the application concatenates that untrusted input into a query or command string, the interpreter cannot distinguish the attacker’s text from the developer’s code and runs it. This results in a process that the attacker can leverage or puts the software into a fail state that might negate some of the security controls that are present in normal operation.

    Option A is incorrect; this is a description of social engineering.

    Option B is incorrect; SQL injection does not typically involve malware.

    An attack that allows someone to penetrate a facility is a physical attack. The attacker has to physically be at the facility itself. Option D is incorrect.

  47. C. Attackers attempting injection put command code into a data entry field; if the application has suitable input validation (that is, refusing code strings and confirming that input conforms to field value types), it will block those attacks. In practice, validation is defense in depth: the primary control is to keep data and code separate by using parameterized queries (prepared statements) or equivalent safe APIs, so that input is never interpreted as part of the command.

    Injection attacks target applications, not users, so user training has little to do with preventing injection, making option A incorrect.

    The OS usually has little to do with injection attacks, which usually target user-facing web apps that ride on the OS, so option B is not correct.

    Injection attacks are logical, not physical, so locks won’t aid the security effort in this case, making option D incorrect.
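    The following worked example is added here to illustrate the injection mechanism described in questions 46 and 47; it is not part of the original answer key. It uses Python’s standard sqlite3 module with a constructed in-memory users table (the table, the sample users and the allow-list pattern are all assumptions for the demo). The vulnerable function splices untrusted input into the SQL text; the hardened function sends the same input as a bound parameter, and the entry point adds allow-list input validation as defense in depth.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from any real system).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db():
    """Create an in-memory database populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the untrusted value is spliced into the SQL text,
    so the database engine cannot tell the attacker's data from the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: a parameterized query ships the value separately from the SQL
    text, so whatever the string contains it is only ever compared as data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Allow-list for usernames (an assumption for this demo): lowercase letter first,
# then lowercase letters, digits or underscore, 3-32 characters in total.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def is_valid_username(value):
    """Input validation as defense in depth; not a substitute for parameterization."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup(conn, username):
    """Production-style entry point: validate first, then query with parameters."""
    if not is_valid_username(username):
        raise ValueError("rejected by input validation")
    return find_user_safe(conn, username)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"   # classic tautology payload typed into a login field
    print("vulnerable:", find_user_vulnerable(db, payload))   # every row leaks
    print("safe:      ", find_user_safe(db, payload))         # no rows match
```

    Running the block shows the point of question 46: the vulnerable query becomes `... WHERE username = '' OR '1'='1'` and returns the whole table, while the parameterized version compares the literal string and returns nothing. The validator would have rejected the payload before it ever reached the database, which is the layered defense question 47 describes.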

  48. A. This answer requires a bit of thought and knowledge of common practices. Throughout the IT industry, many developers attempt to design and implement their own authentication schema. According to OWASP, this approach is almost always a bad idea because of the many vulnerabilities such custom schemes may fail to address. Using approved, tested authentication implementations is a way to avoid this problem.

    Authentication schema should be transparent to users, who will have little or (preferably) no control over that element of communication. Thus, training is not applicable in this case, making option B wrong.

    Input validation is used to counter injection attacks and has no efficacy in authentication implementations, making option C incorrect.

    The X.400 standards are for email communication and are not applicable to session authentication; thus, option D is wrong.

  49. D. HIPAA is the U.S. federal law governing medical information; it has nothing to do with authentication or session management. Failure to follow HIPAA leads to regulatory noncompliance (for those covered by it).

    All the other options are practices that can enhance an attacker’s ability to compromise authentication implementations and sessions.

  50. C. Because breaking authentication and session management is a logical attack, a lack of physical controls does not affect such attacks.

    All the other options are practices that can enhance an attacker’s ability to compromise authentication implementations and sessions.

  51. D. In many cases, HTML documents are meant to be seen by the public or new users who do not yet have trust associations (accounts) with the organization, so encrypting every HTML document would be counter to the purpose. Moreover, total encryption of everything, even material that is not particularly sensitive or valuable, incurs an additional cost with no appreciable benefit.

    The other options are all actions that OWASP recommends for reducing the risk of XSS attacks: www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

  52. B. Option B is incorrect because it narrows the risk only for identity assertions and does not address XSS attack risks. All the other options are actions recommended by OWASP for reducing XSS attack risks.

    This question is particularly difficult as it delves into a level of detail that may or may not appear on the actual exam; however, all source documents listed in the Candidate Information Bulletin, including the OWASP Top Ten, are fair game for the test, so it is best to have at least an understanding of these sources.
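    The following worked example is added to illustrate the output-encoding advice behind questions 51 and 52; it is not part of the original answer key or of OWASP’s own material. It uses only Python’s standard library, and the attacker payloads are constructed for the demo. The point it makes beyond the prose is that encoding must match the context the data lands in: the HTML body, an HTML attribute, and a JavaScript string each need different treatment.

```python
import html
import json

# Constructed attacker inputs for the demo (not captured from any real attack).
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
SCRIPT_PAYLOAD = "</script><script>alert(1)</script>"


def render_vulnerable(display_name):
    """Deliberately vulnerable: untrusted data is concatenated straight into HTML,
    so a name containing markup is parsed as markup by the browser."""
    return "<p>Welcome, " + display_name + "</p>"


def render_body_safe(display_name):
    """HTML body context: escape &, <, >, \" and ' so the value is shown as text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def render_attr_safe(display_name):
    """HTML attribute context: always quote the attribute AND escape quotes inside
    it, so the attacker cannot close the attribute and start a new one."""
    return '<input type="text" value="' + html.escape(display_name, quote=True) + '">'


def for_script_context(value):
    """JavaScript string context: serialize as JSON (quotes and backslashes are
    escaped) and neutralize '</' so the value cannot terminate the enclosing
    <script> element, which the HTML parser would otherwise do before any JS runs."""
    return json.dumps(value).replace("</", "<\\/")


def render_script_safe(display_name):
    """Embed the value in inline script as data, never as code."""
    return "<script>var name = " + for_script_context(display_name) + ";</script>"


if __name__ == "__main__":
    print(render_vulnerable(BODY_PAYLOAD))     # live <script> element
    print(render_body_safe(BODY_PAYLOAD))      # &lt;script&gt; shown as text
    print(render_attr_safe(ATTR_PAYLOAD))      # quote becomes &quot;, attribute stays closed
    print(render_script_safe(SCRIPT_PAYLOAD))  # </ becomes <\/ inside the string
```

    Escaping for the body context alone is not enough for the other two: `html.escape` does nothing useful inside a `<script>` block, and an unquoted attribute can be broken out of with a space even when quotes are escaped, which is why the attribute renderer both quotes and escapes.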

  53. A. The URL in option A reveals a location of specific data as well as the format for potential other data (such as other authors’ pages/accounts); this is a classic example of an insecure direct object reference.

    Option B is a DoS program string; C is a SQL database command line (which wouldn’t reveal any information on its own; it would prompt for a password); and option D is just an email address.

  54. B. Untrusted sources calling a direct reference should be authenticated to ensure that the source has authorization to access that object.

    Option A will not aid in insecure direct object risks; this is not a user issue, usually, but a programming issue. Option C is for physical security, while insecure direct object references are logical attacks. Option D does not reduce the risk of insecure direct object references because classification and categorization are not protections themselves but need to be paired with proper control sets in order to provide protection.
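    The following worked example is added to illustrate the insecure direct object reference from questions 53 and 54; it is not part of the original answer key. The document store, owners and titles are constructed for the demo. It shows the two controls the answer key points at: checking the caller’s authorization on every direct reference, and handing clients per-session indirect references instead of database identifiers so that a guessed id has nothing to resolve to.

```python
import secrets

# Constructed sample data: document id -> (owner, title). Not from any real system.
DOCUMENTS = {
    101: ("alice", "Alice's tax return"),
    102: ("alice", "Alice's medical history"),
    201: ("bob", "Bob's payroll export"),
}


def get_document_vulnerable(doc_id):
    """Deliberately vulnerable: serves whatever id the client supplies (for example
    from ?doc=201 in a URL) with no check that the caller may see it. Changing
    the number in the URL is the whole attack."""
    return DOCUMENTS[doc_id]


def get_document_safe(user, doc_id):
    """Hardened: every direct reference is checked against the authenticated user's
    rights before the object is returned. Unknown and unauthorized ids raise the
    same error so an attacker cannot enumerate which ids exist."""
    entry = DOCUMENTS.get(doc_id)
    if entry is None or entry[0] != user:
        raise PermissionError("not found or not authorized")
    return entry


def make_indirect_map(user):
    """Indirect reference map: give the client random per-session tokens instead of
    database ids. Only objects the user is allowed to see receive a token at all,
    so there is no id space to walk."""
    return {
        secrets.token_urlsafe(16): doc_id
        for doc_id, (owner, _title) in DOCUMENTS.items()
        if owner == user
    }


def resolve_indirect(user, ref_map, token):
    """Translate a client token back to a direct id, then still re-check ownership
    (defense in depth in case the map was built for a different principal)."""
    doc_id = ref_map.get(token)
    if doc_id is None:
        raise PermissionError("not found or not authorized")
    return get_document_safe(user, doc_id)


if __name__ == "__main__":
    print(get_document_vulnerable(201))            # alice's browser can read bob's file
    alice_refs = make_indirect_map("alice")
    for token in alice_refs:
        print(token, "->", resolve_indirect("alice", alice_refs, token))
```

    The indirect map is a convenience, not the authorization check itself: the server must still enforce ownership on the resolved id, because a token only proves the client was given that token, not that the current session is entitled to the object.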

  55. C. Default accounts are a continual security problem in the InfoSec space, and one that is relatively easy to address. Any new system should be checked for default accounts, which should be removed or disabled (and any that must remain given new, strong credentials) before deployment.

    Untrusted users should not have encryption keys, so this is not a misconfiguration; therefore, option A is incorrect.

    A public-facing website can be extremely useful for marketing purposes and is not necessarily a security issue in and of itself, so option B is incorrect.

    Option D might or might not be true; both turnstiles and mantraps are physical security controls, and we can’t be sure whether one or the other is preferable in any given situation, so we don’t know if this is a misconfiguration or a proper configuration. Option C is therefore preferable.

  56. A. Any software with out-of-date builds can be considered misconfigured.

    Option B is bad security practice but not considered a misconfiguration.

    Data owners are supposed to classify/categorize the data under their control, so option C is not a correct answer.

    Preventing users from reaching untrusted resources may be a proper control in a given environment, so option D is not a misconfiguration, and not a correct answer.

  57. B. This question requires some thought. All the options are examples of good security practices and could therefore arguably be ways to reduce misconfiguration risks. However, option B is the best answer for this specific question: it is a method for reducing risks due to misconfiguration—a repeatable process for hardening systems/software that addresses other bad practices and is itself a good practice.
  58. C. All the options are examples of good security practices and could therefore arguably be ways to reduce misconfiguration risks. However, option C is the best answer for this specific question. The other three options are personnel/administrative/managerial controls, where the security misconfiguration is more a technical issue, which requires a technical solution.
  59. B. All the options are examples of good security practices and could therefore arguably be ways to reduce misconfiguration risks. However, option B is the best answer for this specific question. The other three options are personnel/administrative/managerial controls, where the security misconfiguration is more a technical issue, which requires a technical solution.
  60. D. All of these are good security practices, but only option D is a method for detecting and addressing misconfigurations.
  61. A. Users are the most likely source of sensitive data exposure, particularly inadvertently. Ensuring that users know how to handle material properly is an excellent means for addressing the issue.

    Option B is incorrect because firewalls that inspect inbound traffic only will not notice data exposed accidentally or maliciously as it travels outbound.

    Option C is incorrect because it has nothing to do with data disclosure and is instead about business continuity and disaster recovery (BC/DR).

    Option D is incorrect because it has nothing to do with data disclosure and is instead about physical security.

  62. B. Data needs to be categorized according to its value/sensitivity; avoiding accurate categorization is just as troublesome, from a security perspective, as not categorizing the data or overcategorizing it (putting it in a higher category than it deserves).

    All the other options are ways of reducing the risk of sensitive data disclosure. Option A reduces the possibility of disclosure by reducing the amount of data on hand (from the OWASP: “Data you don’t have can’t be stolen”). Option C reduces the chance of disclosing keys, which leads to disclosing the data. Option D reduces the possibility that the form will disclose sensitive data to someone filling it out by prompting with an entry that should be protected.

  63. A. Setting the default to denying access forces all resource requests to be verified, thus ensuring that no particular function may be run without explicitly ensuring that it was called by an authorized user.

    Option B is used to deter cross-site scripting attacks, so it is incorrect.

    Option C is correct but insufficient; option A includes a more restrictive mode and is therefore a better choice.

    Option D is used to deter the possibility of insecure direct object references, so it is incorrect.

  64. A. The method in option A will help you determine if there are functions that regular users should not have access to and thereby demonstrate that you are missing necessary controls.

    According to the OWASP, “automated tools are unlikely to find these problems,” so option B is incorrect.

    Option C is incorrect because it is the exact opposite of what you’re trying to accomplish; this is an example of what happens when function-level access controls are missing.

    Option D in no way addresses the problem of missing function-level access controls, which is a technical problem, not a user issue.
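
    The default-deny rule from answer 63 and the manual review from answer 64, shown together as an added example (this code is not from the book; the policy table, the roles and the function names are all constructed for illustration). Every exposed function must appear in an explicit allow-list before any role can reach it, and the review lists what a given role can actually invoke, including a function that was added without being registered:

```python
"""Default-deny function-level access control, as described in answers 63 and 64.
Added example (not from the book); the policy table, roles and function names are constructed."""
from functools import wraps

class AccessDenied(Exception):
    """Raised when the caller's role has no explicit grant for the requested function."""

# Explicit allow-list: function name -> roles permitted to invoke it.
# A function that is absent from this table is denied for everyone (default deny).
POLICY = {
    "view_own_orders": {"customer", "support", "admin"},
    "refund_order": {"support", "admin"},
    "export_all_customers": {"admin"},
}

def is_permitted(role, func_name, default_deny=True):
    """Decide whether `role` may invoke `func_name` under POLICY.

    With default_deny=True (answer 63) an unlisted function is unreachable.
    With default_deny=False (the insecure alternative) an unlisted function is open to all."""
    if func_name not in POLICY:
        return not default_deny
    return role in POLICY[func_name]

def requires_grant(fn):
    """Decorator that enforces POLICY before the wrapped function runs."""
    @wraps(fn)
    def wrapper(role, *args, **kwargs):
        if not is_permitted(role, fn.__name__):
            raise AccessDenied(f"role {role!r} may not call {fn.__name__}()")
        return fn(role, *args, **kwargs)
    return wrapper

@requires_grant
def view_own_orders(role, user_id):
    return f"orders for {user_id}"

@requires_grant
def refund_order(role, order_id):
    return f"refunded {order_id}"

@requires_grant
def export_all_customers(role):
    return "customer export"

@requires_grant
def delete_audit_log(role):
    # Deliberately missing from POLICY: a new endpoint nobody remembered to register.
    return "audit log deleted"

# Every function the application exposes (constructed list for the review).
EXPOSED = ["view_own_orders", "refund_order", "export_all_customers", "delete_audit_log"]

def reachable_functions(role, exposed=EXPOSED, default_deny=True):
    """The manual review from answer 64: which exposed functions can `role` actually reach?"""
    return [name for name in exposed if is_permitted(role, name, default_deny)]

def try_call(fn, role, *args):
    """Invoke a guarded function and report ('ok', result) or ('denied', message)."""
    try:
        return "ok", fn(role, *args)
    except AccessDenied as exc:
        return "denied", str(exc)

if __name__ == "__main__":
    for role in ("customer", "support", "admin"):
        print(role, "default-deny:", reachable_functions(role))
        print(role, "default-allow:", reachable_functions(role, default_deny=False))
```

    Running the review for the `customer` role with `default_deny=False` shows `delete_audit_log` as reachable, which is exactly the missing-control condition the review is meant to surface; with default deny it is unreachable until someone makes a deliberate policy entry.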

  65. D. Having the user authenticate the intentional request is a way to reduce the automated, forged requests attackers might submit as part of CSRF; CAPTCHA is a great way to reduce the likelihood of success for automated attacks.

    Option A is incorrect because HTTP requests are usually made by the browser, without the user’s knowledge; the user has no perspective of such requests, so this wouldn’t be a useful mechanism in prevention.

    Option B is incorrect because it’s unrealistic. Removing all browsers would decrease the utility of the systems to the point where productivity would be negligible.

    Option C is incorrect for similar reasons; the danger from CSRF is not because of links to the target website but because of the browser behavior.

  66. D. This is a description of social engineering, not CSRF, which is a browser-based attack.

    All the other options are possible exploits an attacker might try to accomplish with a CSRF attack.

  67. B. This is the option OWASP recommends as the very least form of protection. Having a unique, unpredictable token for each session reduces the likelihood an attacker will be able to reuse tokens known by the browser or craft tokens that can be used in future attacks.

    Option A is not optimal or sensible because it would inhibit all web traffic and remote access.

    Option C is not optimal or sensible because it would severely limit your online capabilities.

    Option D is not sensible because all browsers use stored tokens/cookies, and no browser is preferable for the purpose over others.
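
    The per-session, unpredictable token of answer 67 (which also makes the forged requests of answer 65 fail) as an added example in Python; this is not the book's code, and the in-memory session store, the form and the handler are constructed stand-ins for whatever a real web framework provides:

```python
"""Synchronizer-token defense against CSRF, as in answers 65 and 67.
Added example (not from the book); the session store and handler are constructed stand-ins."""
import hmac
import secrets

class SessionStore:
    """Minimal in-memory session store; a real application would use its framework's sessions."""
    def __init__(self):
        self._sessions = {}

    def create_session(self, user):
        sid = secrets.token_urlsafe(32)
        # One fresh, unpredictable token per session, drawn from a CSPRNG (answer 67).
        self._sessions[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def csrf_token_for(self, sid):
        return self._sessions[sid]["csrf_token"]

def render_transfer_form(store, sid):
    """The server embeds the session's token in the form; a page on another origin cannot read it."""
    token = store.csrf_token_for(sid)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"></form>')

def extract_token(html):
    """Pull the hidden token back out of the rendered form (what the user's browser submits)."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]

def handle_transfer(store, cookie_sid, form):
    """State-changing handler. The browser attaches the session cookie automatically, but only a
    form rendered to this session carries the matching token, so a request forged elsewhere fails."""
    session = store.get(cookie_sid)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes; non-ASCII input compares unequal instead of raising.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    return 200, f"transfer of {form.get('amount')} by {session['user']} accepted"

def scenarios():
    """Run a legitimate request and two forged ones; return the status code of each."""
    store = SessionStore()
    victim = store.create_session("victim")
    other = store.create_session("other-user")
    # 1. Legitimate: the victim submits the form the server rendered for their session.
    own_token = extract_token(render_transfer_form(store, victim))
    legit = handle_transfer(store, victim, {"csrf_token": own_token, "amount": "10"})
    # 2. Forged: a request sent with the victim's cookie but without the token the
    #    victim's form carried (the forging page never saw it).
    forged = handle_transfer(store, victim, {"amount": "9999"})
    # 3. Forged with a token from a different session: tokens are bound to a session.
    other_token = store.csrf_token_for(other)
    cross = handle_transfer(store, victim, {"csrf_token": other_token, "amount": "9999"})
    return legit[0], forged[0], cross[0]

if __name__ == "__main__":
    print(scenarios())  # expect (200, 403, 403)
```

    The token is compared with `hmac.compare_digest` so that the check does not leak how many leading characters matched, and it lives only in the session and the rendered form, never in a cookie, which is what makes a cross-session or token-less submission fail.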

  68. B. This is not an easy question and requires an understanding of how component libraries are used in software design.

    Option B is preferable to the others because, according to the OWASP, publishers of component libraries do not often patch old components but rather issue the fixed component(s) as a new version. This is also why option D is incorrect.

    Options A and C are two ways of stating the same thing, and not optimal; trying to use this method would require every one of your software packages to be wholly written by your programmers, which is actually not more secure than using published component libraries because the risk of additional human error and lack of review is introduced to the process.

  69. B. This is not an easy question and requires an understanding of how component libraries are used in software design.

    Option B makes the most sense; some vulnerabilities are known to exist only when a component is used in a specific way or with specific services; if the programmers are not including that way of using the component or the risky service, then the vulnerability would not pose a threat to the software they are creating and may therefore be acceptable.

    Option A is not correct because an underwriter would be unlikely to cover a claim resulting solely from negligence; using a component with a known vulnerability and putting the product/user at risk knowingly would probably invalidate any insurance policy.

    Option C might conceivably be considered correct in a fashion; different countries have different legislation/regulations, and a vulnerability that could cause noncompliance in one country might not in another. However, this is a rather tortured reading of the question, requiring some convoluted reasoning, and this option is therefore not the best answer.

    Option D is not correct because a hidden vulnerability, by definition, is not a known vulnerability.

  70. B. Staying current with published vulnerabilities for your component is crucial. This might not be simple as there are many versions of design components, and nomenclature is not always uniform.

    Option A is incorrect because even standard libraries are subject to vulnerabilities, so you have to review notifications about those as well.

    Option C is not correct; this is a method for reducing the risk of cross-site scripting (XSS) attacks.

    Option D will not work as users have no influence or effect on which components are used in software design.

  71. B. Oddly enough, this may be a good topic to explain during user training; when an attacker is trying to conduct an attack by exploiting unvalidated redirects and forwards, it is often in conjunction with a social engineering/phishing aspect. Users trained to recognize social engineering/phishing indicators might be able to avoid susceptibility to these attacks.

    Option A is not correct; this is a method for reducing the risk of cross-site scripting (XSS) attacks.

    Option C is not correct; it is ridiculous and would result in preventing all remote access.

    Option D is not correct; audit logging would only track activity, not prevent a user from being directed/forwarded to an attack site.

  72. A. Basic as it may seem, not including redirects and forwards within your software is an easy way to avoid the problem altogether, and redirects/forwards are not necessary for efficient usage.

    Option B is incorrect because this type of attack is not aimed at stored credentials.

    Options C and D are both incorrect because neither of those types of solutions detect or prevent this type of attack.

  73. A. This is the definition of cloud migration interoperability challenges. Portability is the measure of how difficult it might be to move the organization’s systems/data from a given cloud host to another cloud host. Stability has no specific meaning here and is just a distractor. Security might be an element of this challenge but is not the optimum answer; the question posed a concern about functionality, not disclosure or tainting the information.
  74. B. This is the definition of cloud migration portability, the measure of how difficult it might be to move the organization’s systems/data from a given cloud host to another cloud host. Interoperability issues involve whether the cloud customer’s legacy services/data will interface properly with the provider’s systems. Stability has no specific meaning here and is just a distractor. Security might be an element of this challenge, but it is not the optimum answer; the question posed a concern about functionality, not disclosure or tainting the information.
  75. D. This is the definition of a regulatory issue. Option B might also be a factor in this kind of issue, but because the subject of privacy or any specific related topic (such as personally identifiable information [PII], the European Union General Data Protection Regulation) was not mentioned, option D is the better answer. Resiliency issues involve the provider’s ability to handle disruptive externalities, such as natural disasters, system failures, and utility outages. Performance issues address the ability of the provider to meet the customer’s IT needs.
  76. D. This is not an easy question. In the context of the question, the cloud customer is trying to ascertain whether they are getting what they’re paying for; that is, a way for them to audit the cloud provider and the service as a whole. This is not a regulatory issue, as it concerns the contractual agreement between the provider and the customer, not a third party performing oversight. It is also not a privacy issue (primarily; privacy concerns might be part of the contract, but it’s not the prevailing aspect of the issue here). Resiliency issues involve the provider’s ability to handle disruptive externalities, such as natural disasters, system failures, or utility outages.
  77. B. Encryption consumes processing power and time; as with all security controls, additional security means measurably less operational capability—there is always a trade-off between security and productivity. Option A is gibberish and only a distractor. Option C is incorrect because vendor lock-out does not result from encryption; it is what might happen if the cloud provider goes out of business while holding your data. Data subjects are the individuals whose personally identifiable information (PII) an organization holds; usually, they will not know or care if something is encrypted (unless there is a breach of that PII, and then investigators will want to determine how that PII was protected) and would probably welcome total encryption, even though that might mean a decrease in operational capability.
  78. C. Security should be commensurate with asset value, as determined by management; putting extra security on everything in an environment is usually not cost effective. The other options don’t make sense. For example, encryption doesn’t affect the potential for physical theft, encryption can be implemented organization-wide, and access controls can be placed on encrypted information as well as unencrypted.
  79. C. Discretion is not an element of identification and has no meaning in this context. All the other options are aspects of the identification portion of IAM.
  80. B. Of these options, HR is most likely to participate in identity provisioning; HR will usually validate the user’s identity against some documentation (driver’s license, passport, etc.) as part of the user’s initial employment process and then pass confirmation of validation along to whatever entity issues system sign-on credentials. None of the other entities usually takes part in user identification.
  81. B. Unused accounts that remain open can serve as attack vectors. All the other options are not associated with identity and access management.
  82. D. Job performance is not a germane aspect of account review and maintenance; that is a management concern, not an access control issue. All the other options are legitimate access control concerns.
  83. A. This is not an easy question. The best answer to the question does not appear on the list; that would be the data owner, because the data owner should be the ultimate arbiter of who has what access to the data under the owner’s control. However, of these options, A is the best; the user’s manager will have the greatest amount of insight into the role of the user within the organization and therefore will understand best which data the user needs to access. The security manager does not have this insight, and the task of reviewing all access for all users within the organization would be far too large an undertaking for that position. Accounting and incident response play no part in reviewing ongoing user account applicability.
  84. C. LDAP is used in constructing and maintaining centralized directory services, which are vital in all aspects of IAM. SSL and IPSec are used to create secure communication sessions—important, but not most applicable for IAM. AADT is a fictitious term used as a distractor.
  85. D. The additional capabilities of privileged users make their activities riskier to the organization, so these accounts bear extra review. The number of encryption keys a user has is meaningless out of context; the amount of risk is the issue, not the number of keys. The user’s type (regular versus privileged) is not an indicator, itself, of trustworthiness. Additional review activity for privileged users is an extra control we place on privileged users, not a reason for doing so.
  86. D. The efficacy of frisking administrators and managers is doubtful, and the harm to morale and disparity of enforcement likely outweighs any security benefit. All the other options could and should be included in privileged account review.
  87. C. Which bank branch a privileged user frequents is unlikely to be of consequence. Too much money can indicate that the privileged user is accepting payment from someone other than the employer, which can be an indicator of malfeasance or corruption. Too little money can indicate that the privileged user is subject to undue financial stress, which might be the result of behavior that makes the privileged user susceptible to subversion, such as a drug habit, family problems, or excess gambling. Specific senders and recipients of personal funds can indicate untoward activity on the part of the privileged user.
  88. D. There is no specific rule for the timeliness of privileged user account reviews. However, as a matter of course, privileged user accounts should be reviewed more often than the accounts of regular users because privileged users can cause more damage and therefore entail more risk.
  89. A. Privileged users should have privileged access to specific systems/data only for the duration necessary to perform their administrative function; any longer incurs more risk than value. The other options are not associated with appropriate privilege access management.
  90. C. The CSA points out that data breaches come from a variety of sources, including both internal personnel and external actors. Although breaches might be overt or covert, or large or small, we don’t usually think of them in these terms, and the CSA doesn’t discuss them that way, so options A and D aren’t correct. Option B is just incorrect because subterranean is not associated with the CSA’s Notorious Nine list of common threats.
  91. A. Data breach notification laws are plentiful; organizations operating in the cloud are almost sure to be subject to one or more such laws. Option B is incorrect because the CSA does not suggest that an organization that operates in the cloud environment and suffers a data breach may be required to reapply for cloud service. Option C is unlikely because most cloud customers won’t have physical access to/control of devices; moreover, a breach does not always entail sanitization. Option D does not make sense, either; regulations are imposed on organizations, as legal mandates, and an organization does not get to choose which regulations affect it.
  92. D. The cost of detection exists whether or not the organization suffers a breach. All other options are costs an organization will likely face as the result of a breach.
  93. C. This question requires a bit of thought. Option C is correct because an organization is not required to subscribe to all standards but instead only the standards it selects (or are imposed on it through regulation). However, most cloud customers will have to comply with multiple state laws (at the very least, the laws of the states where the customer’s organization resides, where the data center resides, and where its end clientele reside); any contractual requirements (between the cloud customer and its consumers, vendors, or service providers, such as, for example, Payment Card Industry Data Security Standard [PCI DSS]); and any federal regulations that govern that cloud customer’s industry.
  94. A. Data loss can be the result of deliberate or accidental behavior. The other options are less correct than option A.
  95. B. Bad policy won’t explicitly lead to data loss, but it might hinder efforts to counter data loss. However, misplaced crypto keys can result in a self-imposed denial of service, bad backup procedures can result in failure to retain data (a form of data loss), and accidental overwrites occur all the time—hence the need for proper backups.
  96. D. All. Service traffic hijacking can affect all portions of the CIA triad. Through hijacking, an attacker could eavesdrop on legitimate communication (breaching confidentiality), insert inaccurate/incorrect data into legitimate communication (damaging integrity), and/or redirect legitimate users from valid services (making the legitimate sources unavailable). Although all of the answers are correct, option D is the most comprehensive and therefore the best answer.
  97. B. Users sharing account credentials is a fairly common (although undesirable) practice and one that can lead to significant misuse of the organization’s resources and greatly increase risk to the organization. Although ending all user activity would make our IT environments so much more secure and defensible, it would also make them utterly useless from a productivity standpoint, so option A is incorrect. Option C is incorrect because the CSA recommends multifactor authentication as a means to reduce the risk of hijacking. Though not documented on the CSA’s website, the CSA most certainly does not recommend the prohibition of interstate commerce in order to diminish the likelihood of account/service traffic hijacking. Therefore, option D is an incorrect answer.
  98. C. Cloud computing users are especially susceptible to hijacking attacks because all of their use is contingent on remote access; users in a traditional internal environment are not passing as much traffic over untrusted infrastructure (the Internet), and the type of traffic is often different (where identity credentials are passed only to servers/systems that are locally, physically connected to the user’s device).

    Scalability might be seen as an attribute of cloud computing that increases the potential for hijacking attacks because a proliferation of users means more attack surface. But even that aspect is contingent on the users accessing cloud resources remotely, so option C is still a better answer than A.

    The metered service nature of cloud computing has nothing to do with a hijacking threat; metered service indicates that the customer pays only for those resources users consume.

    The pooling of resources among cloud customers might be of concern when considering hijacking attacks because poorly configured cloud environments could leave one cloud customer subject to attack by another tenant in that same environment. But, again, hijacking is predicated on attacking data in transit, so it is the remote access aspect that is the best answer for this question.

  99. A. Because a significant percentage of cloud customer interactions with the cloud environment will utilize APIs, the threat of insecure APIs is of great concern in cloud computing.

    Option B is incorrect because APIs are not inherently insecure and it is unlikely that the CSA has stated that they are.

    Option C is incorrect because it is predicated on the inaccurate notion that all APIs are inherently insecure and that the vulnerabilities of all known APIs have been published.

    Lastly, option D is inaccurate because APIs are not known carcinogens. To be a carcinogen, the carcinogen needs to be a substance that causes cancer in living tissue. As far as we know, APIs do not cause cancer.

  100. A. The continuous modification of APIs issued/designed by cloud providers introduces the potential for vulnerabilities to be created in interfaces that were previously thought to be vetted and secure. Increased complexity necessarily means increased potential for vulnerability. And third-party modifications may lead to user credentials being unknowingly exposed to those third parties.

    Automation is not inherently a source of threats/vulnerabilities, so option B is not correct.

    Options C and D are not true.

  101. B. APIs will be used for many tasks that could have a significant negative impact on the organization, so any vulnerabilities are of great concern.

    Not all API interaction involves administrative access, so option A is wrong.

    APIs may or may not be cursed.

    Secure code practices can be used to design robust APIs, so option D is incorrect.

  102. C. If users can’t access the cloud provider, then the operational environment is, for all intents and purposes, useless. DoS attacks that affect availability of cloud services are therefore a great concern.

    A lot of attackers/criminals operate internationally; this has no bearing on whether an organization operates in the cloud or otherwise. Option A is incorrect.

    There are laws prohibiting DoS attacks, so option B is incorrect.

    The volume of DoS traffic necessary to disrupt modern cloud providers is rather significant, so these types of attacks are not simple. Option D is incorrect.

  103. D. A denial-of-service attack staged from multiple machines against a specific target is the definition of a DDoS. All the other options are either fictitious or are not typically associated with the definition of DDoS.
  104. B. In a managed cloud service context, one malicious cloud administrator could ostensibly victimize a great number of cloud customers, making the impact much greater than a sole insider in the legacy environment.

    The other options are not applicable to the insider threat.

  105. A. Because users in cloud customer organizations often do not pay directly for cloud services (and are often not even aware of the cost of use), scalability can be a significant management concern; individuals, offices, or departments within the organization can create dozens or even hundreds of new virtual systems in a cloud environment, for whatever purpose they need or desire, and the cost is realized only by the department in the organization that is charged with paying the bill. This type of abuse hinges on the immense scalability of cloud services and is frequently not associated with any malicious intent but is instead an inadvertent result of well-intentioned or careless behavior.

    The other options are not applicable to the threat of abuse of cloud services.

  106. D. The cloud customer will not have any insight into the personnel security aspects of the cloud provider; when an organization contracts out a service, the organization loses that granular level of control.

    It is imperative that the cloud customer determine whether any application dependencies exist in the legacy environment before migrating to the cloud.

    Reviewing the contract between the cloud customer and provider is an essential element of due diligence.

    Determining the long-term financial viability of a cloud provider is a way to avoid losing production capability/data in the cloud.

  107. B. This is the definition of vendor lockout.

    Vendor lock-in is when data portability is limited, either through unfavorable contract language or technical limitations.

    Vendor incapacity and unscaled are not meaningful terms in the context of cloud computing.

  108. D. A hub is a (mostly archaic) network device that simply connects physical machines together; it cannot serve the purpose of network segmentation.

    All the other options are segmentation methods/tools. Option C may be perceived as a viable answer because bridges connect network segments (allowing a segmented network, but not really creating segmentation), but option D is a better choice for this question.

  109. A. Knowing exactly where and what your assets are, from an IT security professional’s perspective, allows you to better apply uniform and ubiquitous governance and controls across the environment. Without these clear demarcations, that task becomes more difficult.

    Nothing is impossible; these tasks may become more challenging, but not impossible. So options B and C are incorrect.

    Option D is not true because lack of physical endpoints may actually reduce the threat of physical theft/damage.

  110. A. PaaS customers should never be given shell access to underlying infrastructure because any changes by one customer may negatively impact other customers in a multitenant environment.

    All the other options are simply incorrect.

  111. B. Mass permissions assigned to multiple instances may be susceptible to inadvertent authorization creep and permission inheritance over time as users shift roles and responsibilities and are assigned to new tasks and teams and as new users come into the existing, fluid environment.

    All the other options are just wrong, with at least one nonsensical element in each.

  112. C. Organizational policies dictate rules for access entitlement.

    International standards do not apply to every organization’s internal needs and individual user roles, so option A is incorrect.

    Not all organizations are bound by all (or any) federal regulations, but all organizations should have policies regarding user access rules, so option B is incorrect.

    Option D is a nod to Star Trek and also incorrect.

  113. A. Authentication is verifying that the user is who they claim to be and assigning them an identity assertion (usually a user ID) based on that identity.

    Authorization is granting access based on permissions allocated to a particular user/valid identity assertion.

    Nonrepudiation is the security concept of not allowing a participant in a transaction to deny that they participated.

    Regression is a statistical concept not relevant to the question in any way.

  114. B. This is the definition of authorization.

    Authentication is verifying that the user is who they claim to be and assigning them an identity assertion (usually a user ID) based on that identity.

    Nonrepudiation is the security concept of not allowing a participant in a transaction to deny that they participated.

    Regression is a statistical concept not relevant to the question in any way.

  115. B. In access management, the user is first authenticated (their identity verified and validated as correct), then authorized (permissions granted based on their valid identity), and given access.
  116. B. PaaS environments are attractive for software development because they allow testing of software on multiple operating systems that are administered by the cloud provider. Software developers routinely use backdoors as development and administrative tools in their products; these backdoors, if left in software when it ships, are significant vulnerabilities.

    All cloud environments, including PaaS, rely on virtualization, have multitenancy, and are scalable, so those options are not correct.

  117. C. Backdoors that were used legitimately during the development process can sometimes be left in a production version of the delivered software accidentally, when developers forget to remove them. Sometimes, these products ship with backdoors purposefully placed there for administrative and customer service functions as well.

    Option A is incorrect as backdoors are not a control.

    Option B is incorrect because backdoors don’t serve as DoS protection in any way.

    Option D is incorrect because backdoors are not distractions for attackers, but means for attack.

  118. C. This is an example of typical SQL injection. All the other options are also attacks listed in the Open Web Application Security Project (OWASP) Top Ten, but they do not have the same characteristics as the one contained in the question.
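
    The mechanism behind answer 118, as an added example that is not from the book: a lookup that splices user input into SQL text beside the same lookup done with a bound parameter, run against a constructed in-memory SQLite table. The table, its two rows and the input strings are all made up for the illustration.

```python
"""String-built query versus parameterized query, the core of the SQL injection case in answer 118.
Added example (not from the book); the table, rows and inputs are constructed."""
import sqlite3

def make_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """Vulnerable: untrusted text is spliced into the SQL, so a quote in the input
    ends the string literal and the remainder is parsed as query syntax."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Hardened: the value is bound as a parameter, so it stays data however it is spelled."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()

# Constructed input that turns the WHERE clause into a tautology in the vulnerable version.
TAUTOLOGY = "nobody' OR '1'='1"

def compare(username):
    """Return (rows from the vulnerable lookup, rows from the safe lookup) for one input."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_safe(conn, username)
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("alice"))      # both lookups return alice's row
    print(compare(TAUTOLOGY))    # vulnerable lookup returns every row; safe lookup returns none
```

    The safe version does not escape anything; it hands the driver a fixed query shape and a separate value, which is the reason parameter binding is the standard remedy rather than input filtering.
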
  119. A. This is the definition of a cross-site scripting attack. Options B and C are also attacks listed in the Open Web Application Security Project (OWASP) Top Ten. Option D is not in the Top Ten and is made up as a fictitious option.
  120. D. This is likely a security misconfiguration, as crypto keys must not be disclosed or the cryptosystem does not provide protection; most successful attacks on cryptosystems have been configuration/implementation attacks, not mathematical or statistical. The other options are all also in the Open Web Application Security Project (OWASP) Top Ten.
  121. B. In the cloud environment, it is very easy for a user to generate a new virtual instance; that is one of the advantages of the cloud. However, this can pose a problem for management, as users might generate many more instances than expected because the users don’t usually realize (or have to pay) the per-instance costs associated with doing so. However, the organization will have to pay the full price of many more instances at the end of each billing cycle, and exceeding the allotted amount dictated by the contract can be quite expensive. In the traditional environment, this would not pose a risk because the number of possible instances is limited by the resource capacity within the organization and additional instances don’t have attendant direct costs. All the other options are not cloud-specific risks; they also exist in the traditional environment.
  122. D. A Type 2 hypervisor is run on top of an existing operating system, greatly increasing the potential attack surface.

    Option A does not make logical sense; a Type 1 hypervisor is not more straightforward than other hypervisors. Option A is not the correct answer.

    Option B is not true. A Type 1 hypervisor has a smaller attack surface, not a larger one.

    Option C is not true in general. Type 2 hypervisors are not necessarily less protected than other hypervisors. Option C is not the correct answer.

  123. B. Option B is the only element that lends itself well to a discrete, objective metric; the other options might be something the customer is interested in but will often have little control over; if the customer is insistent on those points, they should be included in the contract, not the SLA.
  124. B. Usually, when a provider does not meet the terms specified in the SLA, the provider will not be paid for a period of service; this is the strongest, most immediate tool at the customer’s disposal. The other options simply are not true.
  125. D. In an IaaS configuration, the customer still has to maintain the OS, so option D is the only answer that is not a direct benefit for the cloud customer.
  126. C. This is the textbook definition of an incident versus event. However, this question is not easy, because many sources in the IT security field define incidents differently; it’s common to think of incidents as events that have an adverse impact, or incidents are something that require response. However, option C is the correct answer.
  127. D. Elasticity is a beneficial characteristic in that it supports the management goal of matching resources to user needs, but it does not provide any security benefit.
  128. B. Cloud customers can test different hardware/software implementations in the cloud without affecting the production environment and use this information to make decisions before investing in particular solutions. Option A is not true because the cloud does not store physical assets. Option C is not accurate because production data in the cloud must still be secured. And option D is not true because cloud hosting is not free; there is some cost (even if that cost is less than it would be for comparable on-premises hosting).
  129. D. The American Institute of Certified Public Accountants publishes the SSAE 18 standard. NIST is a U.S. government entity that publishes many standards for federal agencies, so option A is incorrect. ENISA is a European Union (EU) standards body, so option B is incorrect. The GDPR is an EU law about privacy data, so option C is incorrect.
  130. D. SOC reports are the audit reporting mechanisms dictated by SSAE 18. SOX is a federal law targeting publicly traded corporations in the United States. SSL is a way to conduct secure online transactions. SABSA is an architecture framework.
  131. C. The SOC 1 audit report is not for security controls; it is for financial reporting controls. The AICPA SOC 2 Type 1 audit report reviews the controls an organization has selected and designed. Both the CAIQ and the CCM are tools created by the CSA to review an organization’s controls across several frameworks, regulations, and standards.
  132. C. The SOC 2 Type 2 reviews the implementation of security controls. The SOC 1 reviews financial reporting controls, not security controls. The SOC 2 Type 1 reviews the design and selection of security controls, not implementation. The SOC 3 is only an attestation of an audit, so option C is better.
  133. A. Due care is the minimal level of effort necessary to perform your duty to others; in cloud security, that is often the care that the cloud customer is required to demonstrate in order to protect the data it owns. Due diligence is any activity taken in support or furtherance of due care. This answer, then, is optimum: the due care is set out by the policy, and activities that support the policy (here, auditing the controls the policy requires) are a demonstration of due diligence.

    The General Data Protection Regulation (GDPR) and GLBA are both legislative mandates; these might dictate a standard of due care, but they are not the due care or due diligence, specifically.

    Door locks and turnstiles are physical security controls; they both might be examples of due care efforts, but neither demonstrates due diligence.

    Due care and diligence can be demonstrated by either internal or external controls/processes; there is no distinction to be made based on where the control is situated.

  134. B. The distinguished name (DN) is the nomenclature for all entries in an LDAP environment.

    A domain name is used to identify one or more IP addresses. For instance, Microsoft.com and google.com are domain names. Option A is incorrect.

    A directory name is typically associated with a file system structure and not something related to LDAP. Option C is incorrect.

    “Default Name” is not a common term, and is made up. Option D is not the correct answer.

  135. B. Inversion is not part of the IAM process at all and has no meaning in this context. All the other options are elements of identification.
  136. C. By creating a need for two identity assertions or authentication elements to access assets, two-person integrity prevents a single person from gaining unauthorized access and forces a would-be criminal to join up with at least one other person to conduct a crime. This reduces the possibility of the crime taking place.

    All the other options are simply untrue and are therefore exceedingly poor choices for answers to CCSP test questions.

  137. D. The PCI DSS is a voluntary standard, having only contractual obligation. All the other options are statutes, created by lawmaking bodies.
  138. C. Because the cloud customer will retain ownership of some elements of hardware, software, or both at the customer’s location (for instance, hardware security modules [HSMs]), client-side key management could be considered a hybrid cloud model.

    Option A is incorrect because the scenario stated in the question does not identify a threat.

    Option B is incorrect because the scenario stated in the question does not identify a risk. Allowing the customer to retain their own encryption keys is actually less risky than sharing their encryption keys with the provider.

    Option D is incorrect because the provider does not have a right to the customer’s encryption keys, so, there cannot be an infringement on the provider’s rights.

  139. C. With a private cloud deployment, the customer gets to dictate governance requirements, which is a significant benefit for customers in highly regulated industries.

    Private clouds typically cost more than public cloud deployments, so option A is incorrect.

    Performance is not necessarily enhanced (or decreased) by any of the cloud deployment models, so option B is incorrect.

    Retaining a higher degree of control over the cloud environment will necessarily require the cloud customer to have more maintenance capability, not less, so option D is incorrect.

  140. B. In SaaS, the cloud provider might license and deliver commercially available software for the customer, via the cloud (hosted application management), or provide the customer access to the provider’s proprietary software (software on demand).

    All the other options are incorrect. The options contain legitimate words put together to form gibberish.

  141. D. The cloud customer is ultimately responsible for all legal repercussions involving data security and privacy; the cloud provider might be liable for financial costs related to these responsibilities, but those damages can only be recovered long after the notifications have been made by the cloud customer.

    All the other options are incorrect because they do not correctly identify who is required to make data breach notifications in accordance with all applicable laws. That responsibility rests with the cloud customer.

  142. D. An IaaS service model allows an organization to retain the most control of their IT assets in the cloud; the cloud customer is responsible for the operating system, the applications, and the data in the cloud. The private cloud model allows the organization to retain the greatest degree of governance control in the cloud; all the other deployment models would necessitate giving up governance control in an environment with pooled resources.
  143. C. With SaaS, the cloud customer is responsible only for the data in the cloud; the cloud provider is responsible for the underlying IT infrastructure, the operating system, and the applications; maintenance for this service model will be minimal, compared to the others. A public cloud deployment will reduce costs even more, as it is the least expensive of the options—with the least amount of control for the cloud customer.

    All the other options would include some degree of administration of the cloud resources on the part of the cloud customer and so are not as optimal as option C.

Chapter 2: Domain 2: Cloud Data Security

  1. C. In application-level encryption, the application will encrypt data before it is placed in the database. In transparent encryption, the entire database is encrypted. Symmetric-key encryption is a kind of encryption and not truly indicative of a strategy used in database encryption. Homomorphic encryption is an experimental, theoretical process that might allow processing encrypted information without the need to decrypt it first.
  2. C. Because the tool will require at least some installation and reporting capability within the cloud environment, it is essential to coordinate with the cloud provider to ensure that the solution you choose will function properly and is allowed by the provider. Option A is true, but not a major concern; that is a benefit of SIEM/SEM/SIM tools. Option B is not true because dashboards can often misconstrue pertinent reporting data when they are used to chase management goals instead of distilling raw data appropriately. Option D is not true because management should not be involved in such granular decisions.
  3. C. In crypto-shredding, the purpose is to make the data unrecoverable; saving a backup of the keys would attenuate that outcome because the keys would still exist for the purpose of recovering data. All other steps outline the crypto-shredding process.
  4. A. Cloud customers are allowed to encrypt their own data and manage their own keys; crypto-shredding is therefore possible. Degaussing is not likely in the cloud because it requires physical access to the storage devices and because most cloud providers are using solid-state drives (SSDs) for storage, which are not magnetic. Physical destruction is not feasible because the cloud customer doesn’t own the hardware and therefore won’t be allowed to destroy it. Overwriting probably won’t work because finding all data in all aspects of the cloud is difficult and the data is constantly being backed up and securely stored, so a thorough process would be very tricky.
  5. A. Crypto-shredding is for secure sanitization, not portability. The other methods all enhance portability.
  6. D. The owner of intellectual property will not change whether the material is stored in the cloud or in a legacy environment. Moving into the cloud will probably result in more use of personal devices, requiring users to install local DRM agents, so option A is true, making it not a suitable answer to this question. Options B and C are also true, due to the nature of cloud computing, and are therefore also not suitable for this question.
  7. A. Option A creates a conflict of interest and does not enforce separation of duties.

    The best practice is to not store cryptographic keys with the data they encrypt, to avoid a potential conflict of interest and to enforce separation of duties. Each of the other choices is a reasonable choice and therefore not the answer to this question.

  8. D. A long-term storage facility may or may not be located underground; the security of that facility (and the data contained therein) is not dependent on this aspect. Option A is a security concern because loss of the keys may result in losing the data (by losing access to the data), and keeping the keys with the data they protect increases risk. Both the format of the data and the media on which it resides (options B and C) are important to bear in mind, as either (or both) may be outmoded by the time the data might need to be retrieved from the archive; data and formats do not age well.
  9. B. Data dispersion is basically RAID in the cloud, with data elements parsed and stored over several areas/devices instead of stored as a unit in a single place. RAID (and data dispersion) does aid in BC/DR activities by increasing the robustness and resiliency of stored data, but BC/DR is a much more general discipline, so it is not the optimum answer for the question. SDN is used for abstracting network control commands away from production data, and CDN is usually used for ensuring quality of streaming media.
  10. A. Where RAID used data striping across multiple drives, with data dispersion this technique is referred to as “chunking,” or sometimes “sharding” when encryption is also used. The other options are not common data dispersion terms used in cloud computing and have no meaning in this context.
  11. C. Erasure coding is the practice of having sufficient data to replace a lost chunk in data dispersion, protecting against the possibility of a device failing while it holds a given chunk; parity bits serve the same purpose in a traditional RAID configuration. The other options are not common data dispersion terms used in cloud computing and have no meaning in this context.
  12. D. Data dispersion can’t aid in inadvertent loss caused by an errant user; if the user accidentally deletes/corrupts a file, that file will be deleted/corrupted across all the storage spaces where it is dispersed. The technique does, however, protect against the other risks. It enhances confidentiality because an attacker gaining illicit access to a single storage space will only get a chunk of the data, which is useless without the other chunks. This same aspect also protects loss when law enforcement seizes a specific storage device/space when they are investigating another tenant at the same cloud provider your organization uses. And loss of availability due to single device failure is probably the primary reason for having data dispersion (like RAID before it).
  13. B. Volume storage allows all the functions described in the question. Object storage has data arranged in a file structure, and databases arrange data in tables and relational schemes; neither of these options offers the functions described in the question. Synthetic is not a cloud memory configuration option.
  14. A. Object storage is usually arranged in a file hierarchy. Volume storage has data with no defined structure (only memory space), and databases arrange data in tables and relational schemes; neither of these options offers the functions described in the question. Synthetic is not a cloud memory configuration option.
  15. B. Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss protection or data leak prevention, or some combination of these terms) require the organization to appropriately inventory and classify data assets so the tool knows what to protect. DLP does not aid in protections for DDoS or natural disasters, which affect availability, not confidentiality (DLP only enhances confidentiality efforts). Option C is not a benefit of implementing an egress monitoring solution.
  16. C. Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss protection or data leak prevention, or some combination of these terms) will often include a discovery function, which will locate data assets according to criteria defined by the organization. DLP solutions cannot arbitrate contract breaches or perform personnel evaluations. Usually, DLPs also do not apply additional access controls; that is typically a characteristic of a digital rights management (DRM) solution.
  17. C. Egress monitoring solutions (often referred to as DLP tools, where DLP stands for data loss protection or data leak prevention, or some combination of these terms) will often include an agent that resides on client devices in order to inspect data being shared/sent by end users. DLP tools do not inspect incoming packets, with or without stateful inspection; this is the job of firewalls. DLP solutions do not typically use biometrics in any way.
  18. B. DRM is mainly designed to protect intellectual property. It can also sometimes be used for securing PII, but intellectual property is a better answer here. Plans and policies aren’t usually protected in this manner, and marketing material is usually meant to be disseminated, so it does not require protection.
  19. D. DRM is often deployed to ensure that copyrighted material (frequently software) is only delivered to and used by licensed recipients. Patents are more complicated and not often distributed to a mass market, so DRM does not assist in that way. Trademarks are representations of a brand and meant to be distributed, so DRM does not protect them. PII is not typically a type of intellectual property.
  20. A. Persistence is the trait that allows DRM protection to follow protected files wherever they might be stored/copied. The other options are not characteristics associated with DRM solutions.
  21. A. Automatic expiration is the trait that allows DRM tools to prevent access to objects when a license expires or to remove protections when intellectual property moves into the public domain. The other options are not characteristics associated with DRM solutions.
  22. C. Continuous audit trail is the trait that allows DRM tools to log and exhibit all access to a given object. The other options are not characteristics associated with DRM solutions.
  23. A. Mapping to existing access control lists (ACLs) is the trait that allows DRM tools to provide additional access control protections for the organization’s assets. The other options are not characteristics associated with DRM solutions.
  24. A. The Cloud Secure Data Lifecycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD).

    Options B and D are phases of CSU-SAD but do not immediately follow Create.

    Option C is not a phase of CSU-SAD.

  25. C. The Cloud Secure Data Lifecycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD).

    Options A and B are phases of CSU-SAD but do not immediately precede Share.

    Option D is not a phase of CSU-SAD.

  26. D. The Cloud Secure Data Lifecycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). This is not truly a cycle because data does not continue after the destroy phase (that is to say, the same data or process does not go back to create after destroy).

    Option A might be considered true because the CSU-SAD cycle is not unique to (ISC)2, but this is not the best answer; option D is preferable because it is not truly a cycle.

    Options B and C are incorrect because activity in each of the phases involves security aspects and all phases relate to how data is involved in the cloud.

  27. A. The Cloud Secure Data Lifecycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). The best practice for categorizing/classifying data is to do so when it is first created/collected so that the proper security controls can be applied to it throughout the rest of the cycle.

    Options B and D are phases of the CSU-SAD but are not the proper times to be applying classification/categorization; that would be too late in the cycle.

    Option C is not a phase of CSU-SAD.

  28. B. The Cloud Secure Data Lifecycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). Crypto-shredding (also called cryptographic erasure) is the preferred method of data sanitization for a cloud environment; this should take place in the final phase of the cycle, destroy.

    Option A is incorrect because data dispersion is a means of making data more resilient and secure; in the final phase of the cycle, we want to get rid of the data, not make it resistant to loss.

    Option C is incorrect because cryptoparsing is a made-up term and used here as a distractor.

    Option D is incorrect because cryptosporidium is a microorganism and is not associated with InfoSec.
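
    Crypto-shredding as described in answers 3 and 28 can be seen end to end in the following Go program. It is an added example written for this appendix, not code from the book or from any cloud provider; the `Store` type and its methods are hypothetical names, and the customer-managed data encryption key (DEK) is modelled as a plain byte slice rather than a real key manager. It uses AES-256-GCM from the Go standard library. The point it demonstrates is the one behind answer 3: destroying the key makes the ciphertext unreadable everywhere it was copied, but a backup of the key taken before the shred (the `ExportKey` step) defeats the whole procedure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store models customer data held in a cloud volume, encrypted under a
// customer-managed data encryption key (DEK). Because the customer never
// shares the DEK with the provider, destroying the DEK is sufficient to make
// every copy, snapshot and backup of the ciphertext unrecoverable.
// (Hypothetical type for this example.)
type Store struct {
	nonce      []byte
	ciphertext []byte
	dek        []byte // nil once shredded
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewStore generates a fresh 256-bit DEK and seals the plaintext with AES-GCM.
func NewStore(plaintext []byte) (*Store, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Store{nonce: nonce, ciphertext: gcm.Seal(nil, nonce, plaintext, nil), dek: dek}, nil
}

// Decrypt opens the stored ciphertext with whatever key the caller holds;
// a wrong key fails GCM authentication and returns an error.
func Decrypt(s *Store, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.nonce, s.ciphertext, nil)
}

// Read is the normal access path: it uses the DEK in the customer's key manager.
func (s *Store) Read() ([]byte, error) {
	if s.dek == nil {
		return nil, errors.New("DEK destroyed: data is crypto-shredded")
	}
	return Decrypt(s, s.dek)
}

// ExportKey is the step answer 3 warns against: a backup copy of the DEK.
func (s *Store) ExportKey() []byte {
	return append([]byte(nil), s.dek...)
}

// Shred zeroises and discards the DEK. The ciphertext is left in place, as it
// would be in a cloud where the customer cannot reach the physical media.
func (s *Store) Shred() {
	for i := range s.dek {
		s.dek[i] = 0
	}
	s.dek = nil
}

func main() {
	s, err := NewStore([]byte("customer record 42")) // constructed sample data
	if err != nil {
		panic(err)
	}
	pt, _ := s.Read()
	fmt.Printf("before shred: %q\n", pt)
	backup := s.ExportKey() // the mistake: a key backup survives the shred
	s.Shred()
	_, err = s.Read()
	fmt.Println("after shred:", err)
	pt, err = Decrypt(s, backup)
	fmt.Printf("with the leaked key backup: %q, err=%v\n", pt, err)
}
```

    Running it shows the record readable before the shred, unreadable through the normal path afterwards, and readable again by anyone holding the exported copy of the key, which is why the key backup in answer 3 is the step that must be omitted.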

  29. D. The Cloud Secure Data Lifecycle phases are, in order, Create, Store, Use, Share, Archive, Destroy (a good mnemonic might be CSU-SAD). Archiving (the fifth phase) is the process of moving data out of the production environment and into long-term storage.

    The other phases in the options are create, store, and share and are therefore incorrect.

  30. D. Object storage stores data as objects (hence the name), often arranged in a hierarchical structure.

    Volume storage is not a hierarchical cloud storage structure and is therefore an incorrect answer for this question.

    Option B is incorrect because databases are applications in both traditional and cloud computing.

    A CDN is a geographically distributed network of proxy servers and their data centers. Option C is incorrect because it is not a form of cloud storage.

  31. A. In volume storage, the user is assigned a logical drive space into which anything (such as raw data, objects, or applications) may be saved or installed, similar to a mounted drive on a traditional network.

    Databases store data in an arrangement of characteristics and values, not in an unstructured drive space, so option B is incorrect.

    CDNs are for distributing data with less chance of quality loss, so option C is incorrect.

    Object storage arranges data as objects in a structured hierarchy, so option D is incorrect.

  32. C. CDNs are often used to place large stores of multimedia data in a location geographically near to the end users who will consume that data; this approach is designed mostly to accomplish a reduction in data degradation due to distance between resource and user.

    Volume storage assigns a logical, unstructured drive space to the user, so option A is incorrect.

    Databases store data in an arrangement of characteristics and values, so option B is incorrect.

    Neutral storage is not a form of cloud storage, so option D is incorrect.

  33. B. The PaaS model allows the cloud customer to install and run applications in the cloud environment. With a database, the cloud customer can store data in a database administered by the cloud provider but can then tailor applications and services for reaching into and manipulating that database.

    Ephemeral and long-term storage take place in the software as a service (SaaS) model, and there is no such thing as “nefarious data storage,” so the other options are incorrect.

  34. B. Data dispersion is the cloud version of using RAID arrays, protecting data by spreading it across multiple volumes/devices.

    Options A and C are terms that have no meaning in this context.

    Crypto-shredding is a form of device/media sanitization utilizing cryptography and has nothing to do with RAID, so option D is incorrect.

  35. C. Similar to parity bits in RAID, erasure coding is used in cloud data dispersion implementations to create a situation where data can still be recovered even if a segment or portion of the dispersed data is lost (due to drive failure, disaster, etc.).

    Options A and B have no meaning in this context.

    Transposition is a cryptographic technique and does not relate to RAID in any way, so option D is also incorrect.
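
    The chunking, erasure-coding and errant-user points made in answers 11, 12 and 35 are illustrated by the following Go program. It is an added example written for this appendix, not code from the book; the `Dispersed` type, `Write`, `LoseChunk`, `Overwrite` and `Read` are hypothetical names, and the scheme is the simplest possible one (k data chunks plus a single XOR parity chunk, which is the RAID 5 idea rather than the Reed-Solomon codes production systems use) so that the recovery arithmetic is visible. It shows recovery from one lost chunk, failure when two are lost, and, for answer 12, that a user's own bad write is dispersed to every chunk, so parity faithfully protects the wrong content.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Dispersed models a file stored by data dispersion: k data chunks plus one
// XOR parity chunk, each notionally on a separate device or region. A nil
// chunk is one that has been lost (device failure, seizure, etc.).
// (Hypothetical type for this example.)
type Dispersed struct {
	chunks  [][]byte
	origLen int
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// Disperse chunks data into k equal-length pieces (zero-padded at the end)
// and appends an XOR parity chunk, for k+1 chunks in total.
func Disperse(data []byte, k int) [][]byte {
	chunkLen := (len(data) + k - 1) / k
	chunks := make([][]byte, k+1)
	parity := make([]byte, chunkLen)
	for i := 0; i < k; i++ {
		chunks[i] = make([]byte, chunkLen)
		lo := minInt(i*chunkLen, len(data))
		hi := minInt((i+1)*chunkLen, len(data))
		copy(chunks[i], data[lo:hi])
		for j := range parity {
			parity[j] ^= chunks[i][j]
		}
	}
	chunks[k] = parity
	return chunks
}

// Reassemble rebuilds the original data, reconstructing at most one missing
// chunk as the XOR of all the others (parity works both ways under XOR).
func Reassemble(chunks [][]byte, origLen int) ([]byte, error) {
	cs := append([][]byte(nil), chunks...) // do not mutate the caller's slice
	missing, chunkLen := -1, 0
	for i, c := range cs {
		if c == nil {
			if missing != -1 {
				return nil, errors.New("two or more chunks lost; single parity cannot recover")
			}
			missing = i
			continue
		}
		chunkLen = len(c)
	}
	if missing != -1 {
		rebuilt := make([]byte, chunkLen)
		for i, c := range cs {
			if i != missing {
				for j := range rebuilt {
					rebuilt[j] ^= c[j]
				}
			}
		}
		cs[missing] = rebuilt
	}
	k := len(cs) - 1
	out := make([]byte, 0, k*chunkLen)
	for i := 0; i < k; i++ {
		out = append(out, cs[i]...)
	}
	return out[:origLen], nil
}

// Write stores data across k data devices plus one parity device.
func Write(data []byte, k int) *Dispersed {
	return &Dispersed{chunks: Disperse(data, k), origLen: len(data)}
}

// ChunkCount reports how many devices hold a piece of the file.
func (d *Dispersed) ChunkCount() int { return len(d.chunks) }

// LoseChunk simulates a device failing or being seized while holding chunk i.
func (d *Dispersed) LoseChunk(i int) { d.chunks[i] = nil }

// Read returns the file, transparently rebuilding one lost chunk.
func (d *Dispersed) Read() ([]byte, error) { return Reassemble(d.chunks, d.origLen) }

// Overwrite is the user's own write: it is dispersed to every chunk, so an
// accidental deletion or corruption lands everywhere at once (answer 12).
func (d *Dispersed) Overwrite(data []byte) {
	d.chunks = Disperse(data, len(d.chunks)-1)
	d.origLen = len(data)
}

func main() {
	data := []byte("The quick brown fox jumps over the lazy dog") // constructed sample
	d := Write(data, 4)
	d.LoseChunk(2)
	got, err := d.Read()
	fmt.Printf("one chunk lost, recovered intact: %v (err=%v)\n", bytes.Equal(got, data), err)
	d.Overwrite([]byte("corrupted by user"))
	d.LoseChunk(0)
	got, _ = d.Read()
	fmt.Printf("after an errant write, dispersion faithfully returns: %q\n", got)
}
```

    Note what a single seized or stolen chunk contains here: a contiguous slice of the plaintext, so the confidentiality claim in answer 12 rests on combining dispersion with encryption (the "sharding" of answer 10), not on chunking alone.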

  36. A. DLP, also referred to as egress monitoring, is used to detect and prevent sensitive data from leaving the organization’s control without proper approval.

    Because it is designed to prevent the egress of only certain data sets, options B and C are not correct.

    Controlling data outside the reach of the organization is difficult at best. While there are some mechanisms that might accomplish this, DLP is not specifically designed for that purpose, so option D is incorrect.

  37. D. Commercial DLP products that monitor speech in real time and censor conversations are not yet widely available.

    A proper DLP solution will monitor all the technologies in the other options, so those are incorrect.

  38. B. Inference is an attack technique that derives sensitive material from an aggregation of innocuous data; DLP tools, thus far, do not have this capability.

    All the other techniques listed may be used by DLP solutions to detect sensitive data before it leaves the control of the owner.

  39. C. A cloud customer can install applications on a PaaS environment, usually as they see fit and without prior coordination with the provider.

    If you are introducing hardware into the cloud environment, you will need permission from your cloud provider, regardless of the deployment model you use. Therefore, option A is incorrect (and unlikely to occur, as permission is probably not going to be granted).

    Although the provider may offer an egress monitoring function as an add-on service, which would be permissible for you to use, the use of an outside vendor’s product may have to be reviewed by the provider before implementation, based on a number of other variables (such as the other possible answers). Option C is preferable, so option B is incorrect.

    Affecting all images on a host may impact other customers in a multitenant environment, so option D is not the correct answer.

  40. B. All security functions come with an attendant negative productivity effect: the most secure environment will be the least productive, and the most productive will be the least secure. Egress monitoring tools will have an overhead cost in terms of production impact and loss of efficiency and speed. This may affect the cost savings that were realized in a cloud migration from the legacy environment, and senior management needs to understand this trade-off.

    Implementing an egress monitoring solution should not incur any additional risks of external attack, so option A is incorrect.

    Because the tool has already been purchased, explaining the purchase price is irrelevant at this point, so option C is incorrect.

    If it was germane (and it was likely not), you should have explained how the tool works before purchasing it; explaining at this point might be interesting but is not as important as option B, so option D is incorrect.

  41. A. In order to “train” the egress monitoring solution properly, you’ll need to inform it as to which data in your organization is sensitive…and, in order to do that, you’ll need to determine what information your data owners deem sensitive; a survey is a way to do that.

    A proper egress monitoring solution should not affect or be affected by the firewalls, routers, or hypervisors, so options B, C, and D are incorrect.

  42. B. It will take a while for the tool to “learn” the particulars of your environment and to be conditioned properly. A significant number of false-positive indications will be expected in the near term, until you can hone the responses to properly meet your organization’s needs.

    The tool will not work optimally immediately upon implementation, so option A is incorrect.

    Egress monitoring tools do not affect morale or revenues, so options C and D are incorrect.

  43. B. It’s unlikely that any egress monitoring tools will be able to detect sensitive data captured, stored, and/or sent as graphic image files, which is the usual form of screenshots.

    A proper egress monitoring tool should be able to detect all the other types of activity, so the other options are incorrect.

  44. A. This is a tricky question. In the cloud environment, we know that all users will be entering the environment through remote access; in many cases, this will include the use of their personal devices. In order for egress monitoring solutions to function properly, all devices accessing the production environment must have local agents installed, and that requires signed user agreements.

    It would be unnecessary (and intrusive, and cumbersome) to install agents on all assets in the cloud data center, which includes not only your organization’s assets but also those of all the other cloud tenants in that data center. This might even be illegal. Option B is incorrect.

    Assuming you could install (or even know) all the routers between your users and the cloud data center is ridiculous; option C is incorrect.

    Getting your customer to install an egress monitoring client would be nice, in theory…but also pointless. Your customers don’t work for you; they are outside your organization. Egress monitoring tools are used to prevent sensitive data from leaving your environment; by the time it has reached a customer, sensitive information is far outside your control and the egress monitoring tool would be of no use. Option D is therefore incorrect.

  45. A. Egress monitoring tools combined with DRM and SIEM enhance the security value of each because you create in-depth/layered defense.

    Project management software does not really have anything to do with security, so option B is incorrect.

    Insurance is a risk transfer mechanism and does not aid in risk mitigation efforts; egress monitoring is for risk mitigation, so option C is incorrect.

    The Tier certification program is for the cloud provider and is not used by the cloud customer, so option D is incorrect.

  46. C. These are all possible settings for a modern egress monitoring solution. However, the best option, in light of the question, is to query the user as to their intent; this aids the user in understanding and knowing when sensitive data might be leaving the organization accidentally, through a mistake on the user’s part. The other options are more severe and restrictive; these will enhance security but reduce productivity and are management and technological controls instead of awareness tools, so they are incorrect answers for this question.
  47. B. The fact that cloud data centers are designed with multiple redundancies of all systems and components won’t really have any bearing on your decision and implementation of your egress monitoring solution.

    Because data will move across nodes in the data center and will take different forms (such as live data in a virtualized instance or snapshotted data saved in a file store when a virtual machine is not being used at a specific moment), you will have to determine how the tool will function in that environment, and whether it was designed for cloud usage. Option A is incorrect.

    Option C is true for any environment, not just the cloud; all security functions necessarily negatively impact operations and production. Option B is a better answer.

    Option D is also correct; without administrative privileges to the underlying hardware (which customers should not have), the customer may not be able to install monitoring agents everywhere necessary for those tools to work properly.

  48. A. Egress monitoring solutions do not facilitate access control efforts in any way.

    Egress monitoring tools do, however, provide all the functions listed in the other options, so those are incorrect.

  49. D. The term data of relief doesn’t really mean anything and is therefore the correct answer for this question.

    Encryption is used in all other aspects of cloud data.

  50. A. The user is not really an aspect of an encryption deployment, although it may be argued that the user will need to refrain from disclosing their own key(s) to anyone else.

    The other three options are the components of an encryption deployment.

  51. B. An authorized user will still be able to access and decrypt the data for which they’ve been granted permissions, so encryption will not offer any protections for that threat.

    Volume storage encryption will, however, protect against all the other threats, because any outsider (that is, a person who does not have access to the volume operating system) will be able to steal only encrypted data, which they should not be able to decrypt in a timely fashion. Therefore, all the other options are incorrect.

  52. D. TLS is encryption used in a communication session, not a storage volume.

    All the other options are examples of object storage encryption options, so they are incorrect.

  53. B. SSL is encryption used in a communication session, not a storage volume.

    All the other options are examples of database encryption options, so they are incorrect.

  54. A. The application contains the encryption engine used in application-level encryption.

    The operating system is responsible for providing the resources an application needs and for running the applications. The operating system does not do application-level encryption, so option B is incorrect.

    Option C is incorrect because application-level encryption is performed by the application that interfaces with the database.

    The application-level encryption engine may or may not reside in the same volume as the database engine, so option D is incorrect.

  55. B. Encrypting specific tables within the database is one of the options of transparent encryption; this is not true of the other options, so they are incorrect.
  56. C. Application-level encryption involves encrypting the data before it enters the fields of the database; it is much more difficult to search and review data that has been encrypted, so this reduces the functionality of the database.

    All the other options are incorrect because they are not database encryption techniques.

  57. D. Best practice is to not keep the encryption keys alongside the data they’ve been used to encrypt.

    Options A and B are both viable but not as good as option D, which is more general and includes them both.

    Option C is clearly incorrect because it is counter to the best practice advice offered by (ISC)2.

  58. C. Data retention periods should be established in policy regardless of the projected lifetime of the media the data resides on. All the other options do/should influence data retention periods.
  59. A. Event monitoring tools can help detect external hacking efforts by tracking and reporting on common hack-related activity, such as repeated failed login attempts and scanning. It is unlikely that these tools could predict physical device theft; they could, of course, report on a device that is no longer connected to the environment after it has been removed by noting a lack of event activity, but that’s not quite the same thing. Event monitoring tools don’t aid in data classification/categorization; egress monitoring and digital rights management tools might provide that function, though. Social engineering attacks are mostly transparent to the majority of logical tools (the exception being social engineering efforts combined with IT traffic, such as phishing, which might be detected by email filters and sophisticated firewalls).
  60. B. Event monitoring tools can be used to predict system outages by noting decreases in performance; repeated performance issues can be an indicator a device is failing. While an event monitoring tool might be able to detect a user who continually conducts unproductive activity or fails to complete certain functions, it is impossible to determine if the source of the problem is lack of training. These tools in no way serve to detect conflict of interest or enforce mandatory vacation, which are managerial/administrative controls.
  61. C. Event monitoring tools can detect repeated performance issues, which can be used by administrators and architects to enhance performance/productivity. These tools don’t aid in the managerial function of noting individual workload, nor do they reduce log file sizes (indeed, they might add to the size of log files) or have anything to do with lighting.
  62. A. Event monitoring tools can detect repeated performance issues, which can be indicative of improper temperature settings in the data center; also, some system monitoring metrics, such as CPU temperature, can directly indicate inadequate HVAC performance. These tools do not aid in cloud migration (which is the task of architects and administrators) nor in risk decisions (which is the task of senior management); they also don’t provide any kind of assistance with fire.
  63. C. Event logs are used to reconstruct a narrative of activity; they tell the story of what happened, how it happened, and so forth. This is crucial for evidentiary purposes. Event logging tools do not aid in any of the other options (especially acoustic dampening, which is gibberish in this context).
  64. D. The manual element of log review is tedious and necessarily slow because it requires a trained, knowledgeable person to perform the task; these tools can greatly increase the amount of log data that can be reviewed, in a much shorter amount of time. These tools do not, however, aid in any of the other options.
  65. B. Public keys have to be shared in order for asymmetric cryptography to function properly; that is their purpose. Private keys, on the other hand, must remain secret, known only to the individuals to whom they are assigned.

    Seeding key generation processes with pseudorandom numbers makes decryption that much more difficult and is a desired practice, so option A is incorrect.

    Losing keys to encrypted data means that the data stays encrypted, which is a way of applying a denial-of-service attack on yourself, so option C is incorrect.

    Symmetric keys, known as shared secrets, ought to be transmitted to recipients over a different medium than the mode of communication intended for the encrypted traffic. If the users intend to use encrypted email, for instance, they should pass the keys via telephone. Option D is therefore incorrect.

  66. B. The customer service representative may need to see a partial version of the customer’s Social Security number to verify that the customer is who they claim to be, but that representative does not need to see the full number, which would create an unnecessary risk.

    The shipping department definitely needs the customer’s address in order to send things to the customer, so option A is not correct.

    The billing department needs the customer’s full credit card number to process payments, so option C is incorrect.

    HR needs the employee’s full license number in order to verify and validate the employee’s identity, so option D is not correct.

  67. D. Conflation is not a masking technique and is meaningless in this context. All the others are suggested as possible masking techniques.
  68. C. While deletion is a very good way to avoid the possibility of inadvertently disclosing production data in a test environment, it also eliminates the usefulness of the data set as a plausible approximation of the production environment, greatly reducing the quality of the testing.

    The other options modify the raw production data into something that approximates the real environment without disclosing real data, to a greater or lesser extent; some are better than the others, but they are all better than deletion for testing purposes.

  69. A. Static masking involves modification of an entire data set, all at once. This would be a good method to create a sample data set for testing purposes.

    Static masking for customer service use would be overkill; replicating all the customer accounts at once so that the fraction of customers who contact customer service may receive assistance is inefficient and cumbersome, and customer account information is likely to change between static updates, making it less useful. Therefore, option B is incorrect.

    Neither regulators nor shareholders need to see masked data, so both options C and D are incorrect.

  70. B. Dynamically masking a user’s account information each time a customer service representative accesses that data is an efficient, secure means of masking data as necessary.

    Trying to mask each data element as it is called by an application in a test environment would be unwieldy and not likely to provide accurate test data, so option A is incorrect.

    Neither incident response nor BC/DR purposes need masked data, so both options C and D are incorrect.
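The contrast drawn in questions 66 through 70 (role-dependent partial views, a one-time masked copy for testing, and per-access dynamic masking) can be made concrete with a small example. The following is an added illustration written for this appendix, not code from the book or from any vendor's product. The customer record, the role names (shipping, billing, customer_service), and the masking rules are all constructed assumptions chosen to mirror the departments in question 66; the policy dictionary is where a real deployment would plug in its own classification scheme.

```python
import re

# Constructed sample customer record (not real data).
CUSTOMER = {
    "name": "Pat Example",
    "address": "123 Sample St, Anytown, ZZ 00000",
    "ssn": "123-45-6789",
    "card_number": "4111111111111111",
}

# Fields each role may read in full; anything else is masked at read time.
# Hypothetical role names, modelled on the departments named in question 66.
ROLE_POLICY = {
    "shipping":         {"name", "address"},
    "billing":          {"name", "card_number"},
    "customer_service": {"name"},        # sees only the last four of the SSN
}


def mask_ssn(ssn: str) -> str:
    """Reveal only the last four digits, e.g. XXX-XX-6789."""
    digits = re.sub(r"\D", "", ssn)
    return "XXX-XX-" + digits[-4:]


def mask_card(pan: str) -> str:
    """Truncate a card number to its last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def mask_generic(value: str) -> str:
    """Fallback for fields with no format-aware masker."""
    return "[REDACTED]"


MASKERS = {"ssn": mask_ssn, "card_number": mask_card}


def view_record(record: dict, role: str) -> dict:
    """Dynamic masking (question 70): build a masked copy for this role at the
    moment of access. The stored record itself is never modified."""
    if role not in ROLE_POLICY:
        raise PermissionError(f"unknown role: {role}")
    allowed = ROLE_POLICY[role]
    masked = {}
    for field, value in record.items():
        if field in allowed:
            masked[field] = value
        else:
            masked[field] = MASKERS.get(field, mask_generic)(value)
    return masked


def static_mask_dataset(records: list) -> list:
    """Static masking (question 69): transform the whole data set once to
    produce a test copy. Identity fields are substituted with surrogates so the
    copy keeps the shape of production data without containing any of it."""
    copy = []
    for i, rec in enumerate(records, start=1):
        row = {f: MASKERS.get(f, mask_generic)(v) for f, v in rec.items()}
        row["name"] = f"Customer {i:04d}"   # surrogate, not the real name
        copy.append(row)
    return copy


if __name__ == "__main__":
    for role in ROLE_POLICY:
        print(role, view_record(CUSTOMER, role))
    print(static_mask_dataset([CUSTOMER]))
```

The point to notice is that `view_record` never writes back: the billing representative and the shipping clerk read the same stored row and each receives a different projection of it, which is what makes dynamic masking cheap to apply per access. `static_mask_dataset` does the opposite, producing a new, permanently masked copy suitable for a test environment.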

  71. C. Using an algorithm to mask data suggests that the same algorithm, if learned or reverse-engineered by an aggressor, could be used on the masked data to reveal the production data.

    Algorithmic masking causes no more risk to production data than the other masking methods, so option A is incorrect.

    Accidental disclosure might be interpreted as the same thing as determining the original data from the masked set, so option B might be considered accurate, but option C is a better way of stating the risk, so B is incorrect.

    Option D is about the use of the deletion technique for masking, not algorithmic, so it is incorrect.

    This is not an easy question, and it involves some abstract thought to arrive at the correct answer.

  72. B. The user’s name is a direct identifier, explicitly stating who that person is. The user’s age is not a direct identifier because it doesn’t specify a certain person, but it is a piece of demographic information that could be used to narrow down the user’s identity from a group of users of different ages, so it is an indirect identifier.

    Username and password are identity assertions and authentication credentials, not identifiers. The username might be a direct identifier, but the password is neither a direct nor an indirect identifier (especially if it is kept secret, as it should be). Option A is thus incorrect.

    Option C is incorrect because both elements could be considered direct identifiers (depending on the jurisdiction) if the user’s machine is considered a legal representation of the user.

    Option D is incorrect because both elements are indirect identifiers.

  73. D. Anonymization is the process of removing identifiers from data sets so that data analysis tools and techniques cannot be used by malicious entities to divine personal or sensitive data from nonsensitive aggregated data sets.

    All the other answers are incorrect because they are not part of the anonymization process.
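Questions 72 and 73 distinguish direct identifiers (removed outright) from indirect identifiers such as age, which must be generalized so that no individual stands out in the released set. The example below, added for this appendix and not taken from the book, shows one common way to check the result: drop the direct identifiers, coarsen the indirect ones, and then measure the smallest group of records that share the same indirect values (the "k" in k-anonymity). The records, field names, and the chosen generalizations (ten-year age bands, three-digit ZIP prefixes) are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (no real people).
RECORDS = [
    {"name": "A. One",   "user_id": "u1001", "age": 34, "zip": "02139", "purchase": "books"},
    {"name": "B. Two",   "user_id": "u1002", "age": 37, "zip": "02138", "purchase": "music"},
    {"name": "C. Three", "user_id": "u1003", "age": 52, "zip": "02139", "purchase": "books"},
    {"name": "D. Four",  "user_id": "u1004", "age": 58, "zip": "02138", "purchase": "games"},
]

# Direct identifiers name a specific person; indirect (quasi-) identifiers only
# narrow the field but can re-identify someone in combination.
DIRECT_IDENTIFIERS = {"name", "user_id"}
QUASI_IDENTIFIERS = {"age", "zip"}


def generalize_age(age: int) -> str:
    """Coarsen an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize_zip(zip_code: str) -> str:
    """Keep only the three-digit prefix, e.g. '02139' -> '021**'."""
    return zip_code[:3] + "**"


def anonymize(records: list) -> list:
    """Remove direct identifiers and generalize the indirect ones."""
    out = []
    for rec in records:
        row = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        row["age"] = generalize_age(row["age"])
        row["zip"] = generalize_zip(row["zip"])
        out.append(row)
    return out


def k_anonymity(records: list, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group of records sharing identical quasi-identifier
    values. A value of 1 means at least one record is unique and re-identifiable."""
    groups = Counter(tuple(r[f] for f in sorted(quasi)) for r in records)
    return min(groups.values())


def release(records: list, k: int) -> list:
    """Anonymize and refuse to release unless every record hides among at least k."""
    anon = anonymize(records)
    achieved = k_anonymity(anon)
    if achieved < k:
        raise ValueError(f"only {achieved}-anonymous; required {k}")
    return anon


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))
    print("anonymized k =", k_anonymity(anonymize(RECORDS)))
```

Run as-is, the raw set is only 1-anonymous because every age is unique, while the generalized set is 2-anonymous; asking `release` for k=3 fails, which is the behaviour you want from a gate in front of an analytics export.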

  74. B. PCI requires that credit card numbers and other cardholder data be obscured when stored for any length of time. Encryption is one approved method; tokenization is another.

    GLBA, COPA, and SOX do not specifically require obscuring stored data, so those options are incorrect.

  75. B. Tokenization will require, at a minimum, a database for the tokens and another for the stored sensitive data.

    One database will not suffice; a single database holding both the tokens and the sensitive data they represent would not be in compliance with any standard requiring data to be obscured. Option A is thus incorrect.

    Option C might be an answer some readers choose; it is easy to overthink this question. You might consider that the data requires two databases (one for tokens, one for sensitive data), and that access control would require a third database (for authentication credentials); however, the tokenization methodology does not strictly require that access be controlled through an authentication server. Option C is therefore incorrect. Be sure not to read more into the question than appears at face value.

    Option D is incorrect; that’s just too many databases.
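Question 75's "two databases" can be shown in about forty lines. What follows is an added example written for this appendix, not code from the book or from any tokenization vendor. It models the application database (which holds only tokens) and the token vault (which maps tokens back to the sensitive value) as two separate in-memory stores; the class names, the card numbers (standard test numbers) and the choice to preserve the last four digits are all constructed assumptions. A production vault would additionally encrypt its store at rest and ensure generated tokens fail the Luhn check so they can never be mistaken for a real card number; both are omitted here.

```python
import secrets


class TokenVault:
    """Sensitive-data store (the second database): the only place the real
    value exists, keyed by the token that stands in for it elsewhere."""

    def __init__(self):
        self._by_token = {}   # token -> sensitive value
        self._by_value = {}   # sensitive value -> token (same value, same token)

    def tokenize(self, pan: str) -> str:
        if pan in self._by_value:
            return self._by_value[pan]
        while True:
            # Random body, not derived from the PAN in any way; the last four
            # digits are kept so receipts and support screens still work.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = pan
        self._by_value[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path should be allowed to call this."""
        return self._by_token[token]


class OrdersDB:
    """Application database (the first database): stores tokens only."""

    def __init__(self):
        self.rows = []

    def add_order(self, order_id: str, card_token: str, amount: int) -> None:
        self.rows.append({"order_id": order_id, "card_token": card_token, "amount": amount})


def process_order(vault: TokenVault, orders: OrdersDB, order_id: str, pan: str, amount: int) -> str:
    """Swap the PAN for a token before anything is written to the application DB."""
    token = vault.tokenize(pan)
    orders.add_order(order_id, token, amount)
    return token


def stores_no_pan(orders: OrdersDB, pan: str) -> bool:
    """Check that the application database never contains the real value."""
    return all(pan not in str(row) for row in orders.rows)


if __name__ == "__main__":
    vault, orders = TokenVault(), OrdersDB()
    tok = process_order(vault, orders, "ord-1", "4111111111111111", 1999)  # constructed test PAN
    print("token:", tok, "| order rows:", orders.rows)
    print("app DB free of PAN:", stores_no_pan(orders, "4111111111111111"))
```

Because the token carries no mathematical relationship to the card number, a compromise of `OrdersDB` alone yields nothing usable; the vault is the asset that needs the strongest controls, and keeping it in a separate database with separate access rights is exactly what the question is getting at.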

  76. B. Inference is an attack strategy, not a reason for implementing tokenization.

    All the other options are good reasons to implement tokenization, and they are therefore not correct.

  77. A. In the traditional environment, a RAID array is a set of disks/drives on which data is spread to enhance the availability, security, and resiliency of the data. In the cloud, bit-splitting/data dispersion performs this same function in much the same way.

    All the other options have nothing to do with spreading data across multiple storage areas.

  78. B. Bit-splitting involves chopping data sets up into segments and storing those segments in multiple places/devices. An attacker getting access to one segment won’t be gaining anything of value because one segment of the data set would most likely make no sense out of context.

    Bit-splitting may or may not function as an access control method; option B is preferable to A.

    Bit-splitting may or may not move data across jurisdictions, which may or may not be useful to the data owner; option B is preferable to C.

    Bit-splitting does not, in itself, provide access logs; option D is incorrect.

  79. A. When law enforcement entities wish to seize assets (including data), they must cooperate with other law enforcement agencies in other jurisdictions if the data is not contained fully within their own. This may aid a data owner who is concerned about the risk of losing their data in a multitenant environment if another tenant conducts illicit activity and law enforcement seizes an entire data storage device as part of an investigation, accidentally collecting data belonging to innocent parties.

    Attackers are jurisdiction-agnostic; they don’t care where data is stored or what laws apply. Option B is thus incorrect.

    Authorized users can access bit-split data regardless of the location and can disclose information worldwide; option C is incorrect.

    Bit-splitting does not pertain to types of access roles; option D is incorrect.

  80. C. Bit-splitting, as with many security methods/technologies, carries a significantly greater overhead than data sets that don’t use this method. Bit-splitting, in particular, takes an extensive amount of processing to perform.

    Bit-splitting should make a data set more secure and decrease the chance of unauthorized access, so options A and B are incorrect.

    It is unlikely that bit-splitting would violate regulatory standards; even if that were to be the case, it is always true that bit-splitting carries greater overhead, so option C is preferable to D.

  81. A. This is not a simple question and requires the reader to think through the situation suggested by each answer. Option A is correct because the data owner may opt to perform bit-splitting across multiple cloud services to enhance security (not all the “eggs” will be in one “basket”). When this is the case, the data owner will have additional dependencies: all the vendors involved in storing the various data elements.

    There should be no additional management concern; if bit-splitting is not compliant with the data owner’s policy, it won’t be adopted. Option B is incorrect.

    Bit-splitting implementations should be transparent to users; option C is incorrect.

    There are plenty of vendors offering bit-splitting solutions; option D is incorrect.

  82. C. Ironically, data dispersion can lead to some additional risk of loss of availability, depending on the method/breadth of the dispersion. If the data is spread across multiple cloud providers, there is a possibility that an outage at one provider will make the data set unavailable to users, regardless of location. However, there are methods for attenuating this threat, and bit-splitting usually provides greater availability of data over traditional storage without dispersion.

    Data dispersion should have no effect on physical theft risks and would actually serve to minimize the opportunity for an attacker to acquire useful sensitive data as the data would be on several geographically disparate devices. Option A is incorrect.

    Bit-splitting should have no effect on public image whatsoever; option B is incorrect.

    Bit-splitting does not have an attendant fire risk; option D is incorrect.
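Questions 78 and 82 describe two properties of bit-splitting at once: one fragment on its own reveals nothing, yet the data must remain available when a provider is down. A threshold scheme gives both, and the example below (added for this appendix; it is not the book's code and the book names no particular algorithm) uses Shamir secret sharing as one concrete instance: the data is split into n shares of which any k rebuild it, so losing up to n-k providers costs nothing, while fewer than k shares are information-theoretically useless. The field prime, the sample record and the provider names are constructed assumptions; real deployments also add integrity checks on each share, which this illustration leaves out.

```python
import secrets

# Arithmetic is done modulo a large prime; the secret (as an integer) must be
# smaller than it. 2**521 - 1 is a Mersenne prime, an assumption chosen for size.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(P); coeffs[0] is the secret."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(data: bytes, n: int, k: int):
    """Produce n shares (x, y) of which any k recover the data."""
    secret = int.from_bytes(data, "big")
    if secret >= P:
        raise ValueError("sample too large for this field; split into chunks")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, length: int):
    """Lagrange interpolation at x = 0. Returns None if the result cannot be a
    valid plaintext of the given length (the usual outcome with too few shares)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    if total.bit_length() > 8 * length:
        return None
    return total.to_bytes(length, "big")


def disperse(shares, providers):
    """Place one share with each provider (constructed provider names)."""
    return {prov: share for prov, share in zip(providers, shares)}


def recover_with_outage(placed: dict, down: set, k: int, length: int) -> bytes:
    """Rebuild from whichever providers are still reachable."""
    available = [s for prov, s in placed.items() if prov not in down]
    if len(available) < k:
        raise RuntimeError("not enough providers reachable to meet threshold")
    return recover_secret(available[:k], length)


if __name__ == "__main__":
    record = b"constructed sample record"          # constructed sample data
    shares = split_secret(record, n=5, k=3)
    placed = disperse(shares, ["provA", "provB", "provC", "provD", "provE"])
    print(recover_with_outage(placed, down={"provA", "provB"}, k=3, length=len(record)))
```

The overhead that question 80 mentions is visible here: every share is as large as the field element (about 65 bytes) regardless of how short the record is, and reconstruction is a k-squared interpolation; in practice the data is encrypted and only the key is shared this way, with the ciphertext dispersed by cheaper erasure coding.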

  83. B. This is the definition of homomorphic encryption.

    All the other answers are incorrect.

  84. B. Real-time analytics allows for reactive and predictive operations (such as recommending other, related products) based on customers’ current and past shopping behavior.

    All the other answers are data discovery approaches but not used for this particular application (options C and D are two names for the same thing).

  85. D. The Agile approach to data analysis offers greater insight and capabilities than previous generations of analytical technologies.

    Options B and C are other data discovery technologies, but neither is the correct answer.

    Option A is incorrect because obverse polyglotism is just a made-up term that has no relevance as an answer to the question.

  86. D. Data hover is a made-up term, not a data discovery technique. All the other answers are actual data discovery techniques.
  87. A. This is the definition of metadata: data about data, usually created by systems (hardware and/or software) when the data is captured/collected.

    Options B and C are also data discovery techniques, but not involving metadata.

    Data hover is a made-up term and therefore not a data discovery technique, so option D is incorrect.

  88. C. The data owners, presumably the personnel closest to and most familiar with the data, should be the ones labeling it.

    The other answers are incorrect because they are not the data owners.

  89. C. For the most efficient classification/categorization process, and to streamline the application of proper controls, data labeling should be performed when the data is first being collected/created.

    Options A and B are incorrect because they are not part of a data labeling process.

    Option D is incorrect because the discovery tools need to have the data labeled to work properly.

  90. A. Egress monitoring tools (often referred to as DLP) are specifically designed to seek out and identify data sets based on content; this is part of how they operate. They can be used for or in conjunction with content-based data discovery efforts.

    Digital rights management (DRM) is an additional access control solution for objects, so option B is incorrect.

    Internet Small Computer System Interface (iSCSI) allows storage controller commands to be sent over a Transmission Control Protocol (TCP) network and has nothing to do with data discovery; thus, option C is incorrect.

    Fibre Channel over Ethernet (FCoE) is a standard for approaching fiber-media speeds of data transfer on an Ethernet network; it has nothing to do with data discovery, so option D is incorrect.
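Question 90 states that egress monitoring tools identify data sets by their content, and question 46 earlier in this chapter lists the actions such a tool can take once it does. The example below, added for this appendix and not taken from the book or any DLP product, shows the core of content-based discovery: pattern matching for card numbers and Social Security numbers, a Luhn check to discard digit strings that merely look like card numbers, a label derived from what was found, and a policy table mapping that label to an egress action. The sample documents, the label names, the policy table and the regular expressions are constructed assumptions; the two card numbers are standard test values, not real accounts.

```python
import re

# Constructed sample content, not real data.
SAMPLES = {
    "ok.txt":      "Meeting notes: discuss Q3 roadmap and hiring plan.",
    "export.csv":  "id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n",
    "hr_note.txt": "Employee SSN 123-45-6789 on file; call ext. 1234-5678-9012-3456?",
}

# 13 to 16 digits with optional single space/dash separators; a long digit run
# may match on its first 16 digits, which the Luhn check then usually rejects.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical policy: what to do at the egress point for each label (question 46).
EGRESS_POLICY = {
    "Restricted-PCI":   "block",
    "Confidential-PII": "prompt_user",
    "Internal":         "allow",
}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out random digit strings such as phone extensions."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (kind, matched_text) findings for each sensitive element located."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("PAN", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    return findings


def label(text: str) -> str:
    """Automated labelling driven by content (the approach in question 99)."""
    kinds = {kind for kind, _ in scan(text)}
    if "PAN" in kinds:
        return "Restricted-PCI"
    if "SSN" in kinds:
        return "Confidential-PII"
    return "Internal"


def egress_action(text: str) -> str:
    """Decide what the egress monitor does with an outbound document."""
    return EGRESS_POLICY[label(text)]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {label(body)} -> {egress_action(body)} {scan(body)}")
```

The `hr_note.txt` sample is the instructive one: the sixteen-digit extension matches the card pattern but fails Luhn, so the file is labelled for the SSN alone and the user is prompted rather than blocked, which is the awareness-oriented outcome question 46 prefers.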

  91. D. Inheritance has nothing to do with content analysis; it is usually referring to object-oriented traits derived from originating objects.

    All the other answers are characteristics of content that can be used in content-analysis methods of data discovery.

  92. B. Because dashboards are often used for management purposes (graphical representations of technical data), management pressures often result in skewed data dashboarding (“no red!”), which can lead to the “data” being used for fallacious decisions.

    All the other answers are not affected by dashboarding at all and are incorrect.

  93. D. A data discovery effort can only be as effective as the veracity and quality of the data it addresses. Bad data will result in ineffective data discovery.

    All the other answers do not impact data discovery efforts and are only distractors. (Poor bandwidth might slow down data discovery, but it won’t have true negative impact, so option D is still better.)

  94. C. Label assignment is a task of the data owner—the cloud customer, not the provider.

    All the other answers are requirements for the cloud provider to meet the data discovery needs of the customer and should be negotiated before migration.

  95. D. The cloud customer will have to determine which levels of performance/responsibilities on the part of the provider will be necessary to meet the customer’s needs for data discovery. These should be codified in the contract/service-level agreement (SLA).

    The other answers are general regulations and standards; they will not contain specific guidance for every customer’s needs and are only distractors.

  96. D. This is a difficult question and requires insight on the practice of classifying data and a good understanding of the material. While the determination of what sorts of data need to be protected may come from external sources (laws, standards, regulations, etc.), the classification of data for each data owner/cloud customer will be specific to that entity. Therefore, the cloud customer will have to impose data classification schema on itself and its own data.

    The other answers represent external entities, some of whom might require that certain information be handled with a certain duty or care (such as Payment Card Industry [PCI] mandates for cardholder information). However, these entities will not impose a classification scheme on the data owner or cloud customer; that responsibility falls on the data owner or cloud customer to do for itself and the data under its control.

  97. D. This is a difficult, and somewhat tricky, question. Each organization has to decide, for itself, how to classify its own data. With that said, many factors bear on this determination: external regulations and drivers, the type of industry in which the organization operates, and so forth. But the kinds of data the organization uses, and how that data is sorted, will differ for every organization, and each must make its own determination on how to best sort that data.

    All the other answers are factors that an organization might consider when creating a classification scheme, but they are not mandatory for every organization. Option D is still the best answer for this question.

  98. B. This is another difficult question. Classification of data is an element of labeling, insofar as labeling is the grouping of data into discrete categories and types. Labels must be affixed to objects and data sets in accordance with an overall policy that lists objective criteria to guide the data owner(s) in assigning the appropriate label; this is a form of classification.

    Option A might be considered apt, as labeling and classification fall generally under the auspices of “security,” but option B is more specific and therefore correct.

    Classification is not considered a facet of data control or data markup. Therefore, options C and D are incorrect.

  99. B. An organization could implement an automated tool that assigns labels based on certain criteria (location of the source of the data, time, creator, content, etc.), much like metadata, or the organization could require that data creators/collectors assign labels when the data is first created/collected, according to a policy that includes discrete, objective classification guidance.

    Option A is incorrect because even though the word pair may seem pretty technical, together they are meaningless with respect to data classification.

    It may be true that data classification can be correct or incorrect; however, option C is not as good an answer as option B. The goal for the data owner is to classify the data correctly, not incorrectly. So, option C is incorrect.

    It is difficult to imagine data classification that only takes place at a certain time of day. Therefore, it is not likely to be the correct answer and certainly option D is not as good an answer as option B.

  100. A. Color is unlikely to be a characteristic for which data is classified, much less reclassified. Although some exceptions might exist (motion picture production, satellite imagery, paint vendors, etc.), those would be far from the norm, and the other answers are much more general cases and would apply to many more organizations. Therefore, color is the correct answer (in the negative), and the rest are incorrect (because they are true).
  101. C. The purpose of classifying/categorizing data is to create proper associated control sets for each data type and to aid the efficiency and cost-effectiveness of applying those controls to that data.

    While dollar value may be a good metric for assessing data type in many organizations, it is not the only such trait, and not for all organizations; option C is still a better answer, so A is wrong.

    Metadata may or may not be used in a classification/categorization scheme; option B is incorrect.

    Policies are not assigned to data types; a policy will dictate how data classifications/categories are assigned to data. Option D is incorrect.

  102. B. Data transforming from raw objects to virtualized instances to snapshotted images back into virtualized instances and then back out to users in the form of raw data may affect the organization’s current classification methodology; classification techniques and tools that were suitable for the traditional IT environment might not withstand the standard cloud environment. This should be a factor of how the organization considers and perceives the risk of cloud migration.

    Multitenancy should be a consideration of cloud migration for the potential risks of data leakage and disclosure but not because of data transformation. Option A is not correct.

    Remote access and physical distance should not include aspects of data transformation that are not already considered in the traditional IT environment, so options C and D are incorrect.

  103. D. The cloud customer, as the PII data owner, is ultimately legally responsible for all losses of PII data. The customer may be able to recoup some of the costs of damages related to the breach by placing financial liability on the provider through the use of strong contract terms and conditions, but all legal responsibility falls on the customer, in all cases.

    The other options are parties that may have some partial or contributory responsibility for the breach (especially, in this case, the provider, who was negligent), but the ultimate responsibility lies with the customer.

  104. D. The subject is the human being to whom the PII applies.

    The other answers are not data subjects, and are therefore incorrect.

  105. B. In a PII context, the processor is any entity that processes data on behalf or at the behest of the data owner. In the case of most managed cloud service arrangements, that will be the cloud service provider. (The cloud customer may also process its own data, but the customer is the data owner/controller.)

    Options A, C, and D are all incorrect. The cloud customer provides the subject’s PII to the cloud provider for processing, the regulator ensures that the PII is protected properly, and the individual is the data subject.

  106. A. In a PII context, the controller is the entity that creates/collects, owns, or manages the data—that is, the data owner. In a managed cloud service arrangement, that would be the cloud customer.

    Options B, C, and D are all incorrect. The cloud provider is the entity that processes the PII data. The regulator ensures that the PII is protected properly and the individual is the data subject.

  107. B. This is not a simple question, and it requires a bit of insight into uses of data. The most suitable answer here is “viewing,” as it is entirely passive; the viewer is not performing any action on the data. “Processing,” in a PII context, is any manipulation of the data, to include securing or destroying it, in electronic or hard-copy form. In a “viewing” action, the processor would be displaying the data to the viewer, while the viewer is only receiving it, not storing it or using it. Note that the answer did not involve “using,” which definitely would be a processing action.

    All the other answers are examples of processing and therefore not correct.

  108. B. The United States has some federal PII laws that apply to specific sectors (the government itself [Privacy Act], medical providers [Health Insurance Portability and Accountability Act], financial and insurance vendors [Gramm-Leach-Bliley Act], etc.), but not a single, overarching federal law that addresses PII in a uniform, nationwide manner.

    All the other options list countries that have such laws, and those options are therefore incorrect.

  109. A. Under HIPAA, the subject must opt in to information sharing—that is, the subject (the patient) must explicitly state, in writing and with a signature, who the vendor is allowed to share personal information with, such as family members, spouses, parents, and children. (Under HIPAA, this personal information is referred to as electronic protected health information [ePHI].) The vendor is prohibited from sharing the patient’s data with anyone else.

    Under HIPAA, the patient does not have to opt out of information sharing; the default situation is to not share patient data. Option B is incorrect.

    HIPAA does not require any kind of screening or template, so options C and D are incorrect.

  110. B. Under GLBA, financial and insurance vendors are allowed to share account holders’ personal data with other entities (including other businesses owned by the same vendor) unless the account holder explicitly states, in writing, that the vendor is not allowed to do so. The vendor is required to provide a form for opting out of data sharing when the account holder creates the account and annually every subsequent year.

    Option A is incorrect; under GLBA, the default situation allows banks and insurance providers (owned by the same entity) to share customer data—the customer must opt out of this arrangement if the customer doesn’t want information shared.

    Options C and D are incorrect because they do not relate to the sharing of PII data by a bank or insurer.

  111. B. The EU is probably at the forefront of global efforts to sanctify and enshrine personal privacy; the current statutes and precedents based on court decisions have clearly denoted Europe’s intent to treat individual privacy as a human right.

    Options A and D are simply incorrect.

    It is very possible to consider option C as correct because European businesses are held to strict standards regarding the privacy data under their control. However, option B has more significance and is more general, so it is the proper selection among this list.

  112. B. The EU regulations associated with personally identifiable information (PII) belonging to EU citizens prohibit that data from being used in any way in any country that does not have a national privacy law commensurate with the EU regulations. Of this list, only the United States has no such law. Indeed, the EU regulations might very well be taken to be aimed directly at the United States, and probably for good reason; the United States has not proven to be a good steward of personal privacy or even to recognize its importance.
  113. C. The right to be forgotten is the EU’s codification of an individual’s right to have any data store containing their own personal data purged of all personally identifiable information (PII). There are, of course, some obvious exceptions (such as law enforcement databases).

    The other answers are not as accurate; “the right to be forgotten” is a very well-known and important aspect of the GDPR.

  114. B. Under current laws and regulations, ultimate liability for the security of privacy data rests on the data controller—that is, the cloud customer. A PLA would require the cloud provider to document expectations for the cloud customer’s data security, which would be an explicit admission of liability. There is little motivation for cloud providers to take on this additional liability (and the costs associated with it) with no mandate or market force pushing them to do so.

    Option A is wrong because the provider’s liability is already limited under current legal schemes; the PLA would not enhance that limitation.

    Options C and D are wrong because agreements (as contracts) are both binding and enforceable, and even if they were not, those are not reasons.

  115. C. The CMM is not included in the CSA CCM and, indeed, is not even a security framework.

    All the other options are included in the CSA CCM and are therefore not correct answers for this question.

  116. D. The DMCA deals with intellectual property and not specifically with personal privacy. It is not included in the CSA CCM.

    All the other answers are laws that are included in the CSA CCM and are therefore not correct answers for this question.

  117. A. DRM solutions are mainly designed to protect intellectual property assets (and mainly those covered by copyright, hence the name), but they can also be used to provide enhanced protection to other electronic information. All the other options are forms of electronic information, while option A is a piece of hardware; DRM does not enhance hardware security, so this is the correct answer.
  118. A. Deploying DRM usually requires installing a local agent on each device intended for use in that environment; with BYOD, that means getting all users to agree and install that agent because they own the devices.

    DRM is an enhanced security protocol, so option B is incorrect.

    The cloud is not specifically necessary for DRM implementations, even in BYOD environments, so option C is incorrect.

    Any DRM solution involving a BYOD environment must be suitable for all devices, not just a certain selection, because the organization can’t easily mandate which devices are used (otherwise, it’s not BYOD). Option D is incorrect.

  119. B. In a BYOD environment, users might bring any number of devices/operating systems to the network, and any DRM solution selected for the purpose must interact well with all of them.

    The organization cannot dictate specific packages in a BYOD environment—otherwise it is not BYOD—so option A is incorrect.

    Turnstiles are for physical access control and have no bearing on BYOD or DRM, so option C is incorrect.

    BYOD and DRM should have no effect on BC/DR vendors (or the numbers thereof), and vice versa, so option D is incorrect.

  120. D. The CSA CCM does not deal with whether security controls are feasible or correct from a business perspective, only whether they are applicable to an organization under certain regulations.

    All the other answers are incorrect because they are too specific and not required by any regulation/legislation. Therefore, options A, B, and C are poor choices and also incorrect answers.

  121. B. For DRM to work properly, each resource needs to be outfitted with an access policy so that only authorized entities may make use of that resource.

    All the other answers are distractors.

  122. B. DRM and DLP work well to address complementary security issues—namely, asset classification/categorization and discovery, along with access and dissemination of those assets.

    RIS is a made-up term, so option A is not correct.

    Adjusting BIOS settings is not particularly relevant to DRM in any way, so option C is incorrect.

    TEMPEST is a program for harvesting data from electromagnetic emanations, so option D is not correct.

  123. C. Access rights following the object in whatever form or location it might be or move to is the definition of persistence, one of the required traits for a DRM solution of any quality.

    All the other answers are traits that should be included in DRM solutions but do not match the definition in the question, so they are incorrect.

  124. A. Capturing all relevant system events is the definition of a continuous audit trail, one of the required traits for a DRM solution of any quality.

    All the other answers are traits that should be included in DRM solutions but do not match the definition in the question, so they are incorrect.

  125. D. The question describes dynamic policy control, one of the required traits for a DRM solution of any quality.

    All the other answers are traits that should be included in DRM solutions but do not match the definition in the question, so they are incorrect.

  126. C. The question describes automatic expiration, one of the required traits for a DRM solution of any quality.

    All the other answers are traits that should be included in DRM solutions but do not match the definition in the question, so they are incorrect.

  127. B. The question describes support for existing authentication security infrastructure, one of the required traits for a DRM solution of any quality.

    All the other answers are traits that should be included in DRM solutions but do not match the definition in the question, so they are incorrect.

  128. D. This is not an easy question and requires some interpretation and abstract thought. All of the elements listed are extremely important aspects of the data retention policy. However, using proper data retrieval procedures is the one without which all the others may become superfluous. An organization can perform thorough backups in a timely manner and secure them properly at an excellent location, but if those backups can’t be used to restore the operational environment, they are pointless.

    All the other options are important, but option D is probably the most important.

  129. B. The question states the definition of archiving.

    Deletion involves using the operating system or an application to obscure the location of an object or file, so option A is wrong.

    Crypto-shredding is a secure sanitization technique using cryptographic techniques, so option C is wrong.

    Storing is a general term covering all retention of data, so option B is a better answer than option D.

  130. A. Not all policies are temporary or have expected durations; usually, policy is an enduring piece of governance that will continue until such time as it is revoked.

    All the other options are elements that should usually be included in policies.

  131. D. Secure sanitization is intended to ensure that there is no possible way for the data to be recovered; a backup copy would defeat the entire purpose.

    All the other answers are goals of secure sanitization.

  132. C. Deletion, using basic system assets (usually the operating system), mainly involves removing pointers to and addresses of the files or objects that are the targets of deletion. This leaves the raw data remaining on the storage resource, and it could be recovered later.

    Options A and B both include secure destruction methods, but they are not exclusive (obviously, because there are two of them), so they are untrue and also incorrect.

    Option D does not make practical sense; if users could not delete files/objects, common workplace activity would become burdensome and difficult.

  133. C. The preferred methods of secure sanitization require physical access to (and control of) the hardware on which the data is stored; in the cloud, this belongs to the cloud provider, and the cloud customer will not be allowed to perform destructive procedures.

    Options A, B, and D are incorrect because the question is about the difficulty of performing data destruction in the cloud computing environment. Often, the only reliable form of data destruction is to destroy the hardware where it is stored. None of these options address that question the way that option C does.

  134. A. One of the benefits of using managed cloud services is that most providers are constantly performing backup and preservation activities in order to ensure that customers do not lose data. This can make it complicated for customers to even locate all their stored data, much less permanently destroy it.

    Delete commands are certainly allowed in the cloud. Otherwise, cloud providers would eventually run out of storage space. Option B is incorrect.

    Option C is incorrect because ISPs do not have the authority to prohibit the destruction of data by data owners.

    It may be unclear who the “end client” is in option D. If the end client is the individual, then it does not make sense that the individual would prohibit the destruction of data by the cloud provider, given that the cloud provider owns the hardware itself.

  135. D. Secure sanitization would affect storage resources where more than one customer stores their data; truly secure destructive measures would likely result in destroying data belonging to someone else.

    Law enforcement can destroy their own data; however, law enforcement is not permitted to destroy data that belongs to other individuals. Option A is therefore incorrect.

    Option B is incorrect because data destruction is required from time to time in the cloud as part of system maintenance.

    Fortunately, option C is incorrect. If data renewed itself automatically in the cloud then cloud providers would eventually run out of storage space.

  136. C. Destroying the drive, disk, and media where the data resides is the only true, complete method of data destruction.

    Options A and B are also good methods for data destruction, but neither is the best method.

    Option D is incorrect because a legal order is not a secure method of data destruction and therefore it cannot be the correct answer.

  137. B. Cloud data storage likely uses solid-state drives (or disks), which are not affected by degaussing because they don’t use magnetic properties to store data.

    Option A is incorrect because it is untrue. A gauss is a unit of magnetism. Not all data storage devices in the cloud are magnetic. Some storage space does not require magnetism to work. Solid State Drives (SSDs) are an example of a type of storage space that does not rely on magnetism to store data.

    Federal law does not prohibit degaussing of magnetic media in the United States, so option C is incorrect.

    Option D is incorrect because the process of degaussing magnetic media does not produce a blast and therefore does not have a blast radius.

  138. D. Overwriting is the practice of filling the entire storage of the target data with randomized characters (usually involving multiple passes and a final pass with a single, repeated character). In the cloud, this is untenable for many reasons, including the fact that cloud data is constantly moving from one storage resource to another and is not kept in a single, identifiable logical location for an extended period of time (which is actually a security benefit). Without you knowing which storage resources to overwrite, overwriting is impossible.

    All the other options are only distractors. Options A and C describe elements of the overwriting process but not reasons why it’s challenging in the cloud. Option B is true, but overwriting does not require physical access, so the option is incorrect.

  139. B. Regulators do not disapprove of secure sanitization; it is an acceptable form of secure data destruction if implemented properly.

    All the other answers are actual reasons overwriting is not a viable secure sanitization method in the cloud.

  140. A. Crypto-shredding relies on the eventual destruction of the final keys; if keys are not under the management of the customer, they may be replicated or difficult to dispose of.

    The lack of physical access to the cloud environment should not affect the crypto-shredding process, so option B is incorrect.

    External attackers should not affect the crypto-shredding process, so option C is incorrect.

    Crypto-shredding should not require input or activity from users, so option D is incorrect.

  141. B. The proper procedure for crypto-shredding requires two cryptosystems: one to encrypt the target data, the other to encrypt the resulting data encryption keys.

    All the other answers are wrong and just distractors.
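As an added illustration (not from the book) of the two-cryptosystem crypto-shredding procedure in answers 140 and 141, the Python below envelope-encrypts a record under a per-object data encryption key (DEK), wraps that DEK under a key encryption key (KEK) held by a modelled key store, and shows that destroying the KEK makes the record unrecoverable only when no copy of the KEK survives outside the customer's control. The HMAC-SHA256 counter-mode cipher, the `KeyStore` class and the sample record are constructed stand-ins; a real deployment would use a vetted AEAD such as AES-GCM and a managed KMS.

```python
"""Crypto-shredding via envelope encryption (added example, not from the book).
The HMAC-SHA256 counter-mode cipher below exists only so this runs with the
standard library; in practice use a vetted AEAD such as AES-GCM."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-derived keystream (counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, b"enc" + nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or altered data")
    return _keystream_xor(key, nonce, ct)


@dataclass
class KeyStore:
    """Hypothetical key-management layer. `primary` holds KEKs the customer can
    destroy; `replicas` models copies outside the customer's control (answer 140)."""
    primary: dict = field(default_factory=dict)
    replicas: dict = field(default_factory=dict)

    def new_kek(self) -> str:
        kek_id = secrets.token_hex(4)
        self.primary[kek_id] = secrets.token_bytes(32)
        return kek_id

    def replicate(self, kek_id: str) -> None:
        # Model a copy of the KEK (e.g., a provider backup) the customer cannot reach.
        self.replicas.setdefault(kek_id, []).append(self.primary[kek_id])

    def get_kek(self, kek_id: str) -> bytes:
        if kek_id in self.primary:
            return self.primary[kek_id]
        if self.replicas.get(kek_id):  # a surviving copy still unlocks the data
            return self.replicas[kek_id][0]
        raise KeyError(f"KEK {kek_id} has been destroyed")

    def shred(self, kek_id: str) -> int:
        """Destroy the customer-controlled KEK; return how many copies survive."""
        self.primary.pop(kek_id, None)
        return len(self.replicas.get(kek_id, []))


@dataclass
class StoredObject:
    kek_id: str
    wrapped_dek: bytes  # cryptosystem 2: the DEK encrypted under the KEK
    ciphertext: bytes   # cryptosystem 1: the data encrypted under the DEK


def store_object(plaintext: bytes, kek_id: str, ks: KeyStore) -> StoredObject:
    dek = secrets.token_bytes(32)  # fresh data-encryption key per object
    return StoredObject(kek_id, encrypt(ks.get_kek(kek_id), dek), encrypt(dek, plaintext))


def read_object(obj: StoredObject, ks: KeyStore) -> bytes:
    dek = decrypt(ks.get_kek(obj.kek_id), obj.wrapped_dek)
    return decrypt(dek, obj.ciphertext)


def shred_and_probe(replicated: bool) -> tuple:
    """Store a constructed record, shred its KEK, and report
    (surviving KEK copies, whether the data is still readable)."""
    ks = KeyStore()
    kek_id = ks.new_kek()
    obj = store_object(b"constructed sample record: account 0001", kek_id, ks)
    if replicated:
        ks.replicate(kek_id)
    survivors = ks.shred(kek_id)
    try:
        read_object(obj, ks)
        readable = True
    except KeyError:
        readable = False
    return survivors, readable
```

`shred_and_probe(False)` returns `(0, False)`: with the KEK under customer control, destroying it leaves both the wrapped DEK and the data unreadable. `shred_and_probe(True)` returns `(1, True)`: one replicated KEK copy is enough to defeat the shred, which is the exposure answer 140 describes.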

  142. D. If users inadvertently erase or modify data, an archived backup copy could be useful for restoring the original, correct version.

    All the other answers are incorrect; archiving does none of those things.

  143. B. An archived data set could be useful for investigative purposes, especially if it covers a significant period of time and includes multiple copies. The archived versions may be used as a reference to determine when a certain malicious activity occurred, which is useful during an investigation.

    All the other answers are incorrect; archiving does not aid in these functions.

  144. A. Archiving may be required by regulation, and archived versions of the environment or data may be used to create deliverables for auditors, especially if the archive included event logs.

    Archived data is not an optimum gauge of performance because it is not “live” data—that is, the archived data is no longer in the operational environment and so is not a useful indicator of how well that environment currently operates. Option B is therefore incorrect.

    Archiving has nothing to do with investment; option C is incorrect.

    Archiving may occur as the result of policy but is not an enforcement tool; thus, option D is incorrect.

  145. D. Many cloud providers will offer archiving services as a feature of the basic cloud service; realistically, most providers are already performing this function to avoid inadvertent loss of customer data, so marketing it is a logical step. However, because the customer is ultimately responsible for the data, the customer may elect to use another, or an additional, archive method. The contract will stipulate specific terms, such as archive size, duration, and so on.

    Either the cloud customer or provider (or both) may perform archiving, depending on the contract terms, so options A and B are incorrect.

    Regulators do not perform archiving; option C is incorrect.

  146. A. The policy for data archiving and retention must include guidance on the length of time data is expected to remain stored.

    Describing or prescribing the physical specifications of a secure archive facility is probably beyond the responsibility or requirements of a data owner (and belowground storage is not a requirement for archiving and retention), so option B is incorrect.

    Although it is important to task and train personnel to take part in data restoration from archived data, naming the specific personnel in the policy is not an optimum or useful practice, so option C is incorrect.

    Although management is responsible for publishing and promulgating policy and governance, the name of the specific manager is not the essential element (but their office or position is). Regulators don’t personally approve internal policies of the organizations they oversee, so option D is incorrect.

  147. B. It is important to indicate the data format and media type for long-term storage in order to ensure restoration capability; outdated or obsolete data formats and media may not be useful for restoration of data to the operational environment several years after it has been stored.

    Options A and C are not correct because specific names don’t belong at the policy level of governance; the specific names (or identification credentials) of allowed third-party recipients should be included at the process/procedure level of governance, and a list of offices or departments whose data will be archived can be included in the policy.

    Option D is not correct because the particular ISP should not have any bearing on the archiving policy.

  148. C. Once the policies have been published and put into force, the names and contact information of the people who crafted them are no longer useful or germane.

    All the other options represent entities that the organization may want to contact in the event of a security incident or breach and so should be included in security procedure documentation.

  149. B. This is a question that requires some thought. All the answers are processes or elements that should be included in the security operations’ procedures except for option B; the cloud customer will not get to select, or probably even know, what tools and devices the cloud provider has put into place, so this will not be included in the customer’s procedures.
  150. D. Option D is the definition of nonrepudiation.

    Option A is a description of confidentiality.

    Option B is an element of the Atomicity, Consistency, Isolation, Durability (ACID) test to enhance the utility and security of a database.

    Option C is a technique to reduce the likelihood of repudiation but not the definition of the term.

Chapter 3: Domain 3: Cloud Platform and Infrastructure Security

  1. C. It’s best to have your backup at another cloud provider in case whatever causes an interruption in service occurs throughout your primary provider’s environment; this will be more complicated and expensive, but it provides the best redundancy and resiliency. Using the same provider for production and backup is not a bad option, but it entails the risk of the same contingency affecting both copies of your data. Having either the backup or the production environment localized does not provide the best protection, so neither option B nor option D is desirable.
  2. B. A trained and experienced moderator can guide the participants through the activity, enhancing their training and noting pitfalls and areas for improvement. Option A is not preferable because having the participants gathered together ensures their full attention and provides interaction that remote participation might not yield. Option C is a baseline; all participants should have copies of the policy as a matter of course. Option D is not useful in a tabletop exercise; only critical participants in the organization should take part in the tabletop.
  3. B. This is a difficult question that requires a great deal of thought. Option B is correct because appropriate cloud data security practices will require encrypting a great deal of the data, and having the keys will be necessary during contingency operations in order to access the backup; without the keys, you won’t be able to access your data. Option A is not correct because using the cloud for BC/DR will allow personnel to access the backup from anywhere they can get broadband connectivity, not specifically a recovery site. Option C is not correct because the customer will rarely have physical access to servers in the cloud environment. Option D is not correct because forensic analysis is not a significant consideration in BC/DR; it is much more important for incident response.
  4. A. A full test will involve both the production environment and the backup data; it is possible to create an actual disaster during a full test by ruining the availability of both. Therefore, it is crucial to have a full backup, distinct from the BC/DR backup, in order to roll back from the test in case something goes horribly wrong. Option B is incorrect because not all personnel will have tasks to perform; most personnel will have to evacuate from the facility only during a full test. Option C is incorrect because the cloud provider should not initiate the test, and the test should not take place at a random moment. Option D is not correct because the regulators’ presence will not add any value to the test.
  5. A. Security Assertion Markup Language (SAML) is based on XML. HTTP is used for port 80 web traffic; HTML is used to present web pages. ASCII is the universal alphanumeric character set.
  6. A. Option A is the definition of the term; the other answers are not.
  7. C. The administrative offices of a cloud data center rarely are part of the critical functions of the operation; a data center could likely endure the loss of the administrative offices for a considerable length of time, so redundancy here is probably not cost effective.

    All the other items are part of the critical path and need redundancies.

  8. D. Option D is the definition of a cloud carrier, from National Institute of Standards and Technology (NIST) Special Publication (SP) 500-292.

    All the other options are incorrect, as defined by NIST SP 500-292.

  9. B. The question describes a software-defined network (SDN).

    A VPN is used for creating an encrypted communications tunnel over an untrusted medium, so option A is incorrect.

    ACLs are used as centralized repositories for identification, authentication, and authorization purposes, so option C is incorrect.

    RBAC is an access control model used to assign permissions based on job functions within an organization, so option D is incorrect.

  10. B. The NBI usually handles traffic between the SDN controllers and SDN applications.

    Options A and C are incorrect because neither of those options lists any of the SDN infrastructure, be that the controllers or the applications. Option D may be arguably correct, as there might be an NBI handling that traffic between those nodes, but option B is more specific and always true for this definition, so it is the better choice.

  11. D. Option D is really a definition of a CDN (content delivery network).

    All the other options are aspects of SDNs.

  12. B. The question describes an HSM.

    KMB is a nonsense term used as a distractor, so it is incorrect.

    TGT is a term associated with Kerberos single sign-on systems and is incorrect.

    The TCB includes the elements of hardware and software (usually in the operating system) that ensure that a system can only be controlled by those with the proper permissions (i.e., admins with root control), so it is also incorrect.

  13. C. The compute nodes of a cloud data center can be measured in terms of how many central processing units (CPUs) and how much random access memory (RAM) is available within the center.

    Option A is incorrect because routers would be considered a part of the networking of a data center (and because option C is a better answer).

    Option B involves applications and how traffic flows between them and storage controllers; it has nothing to do with the compute nodes and is therefore wrong.

    Option D might obliquely be considered correct because it’s technically true (compute nodes will include both virtual and hardware machines), but option C is a much better and more accurate choice.

  14. C. Cancellations is not a term used to describe a resource allotment methodology. All of the other options are such terms.
  15. A. The question is the definition of reservations.

    Options B and D are also resource apportioning methods, but they do not fall under the definition described in the question.

    Option C is incorrect because it has no meaning in this context.

  16. D. The question describes limits.

    Options A and B are also resource apportioning methods, but they do not fall under the definition described in the question.

    Option C is incorrect because it has no meaning in this context.

  17. B. The question describes shares.

    Options A and D are also resource apportioning methods, but they do not fall under the definition described in the question.

    Option C is incorrect because it has no meaning in this context.

  18. A. A bare-metal hypervisor is a Type 1 hypervisor.

    Option B describes another type of hypervisor; the other options are incorrect because there is no such thing as a Type 3 or Type 4 hypervisor.

  19. B. The question describes a Type 2 hypervisor.

    Option A describes another type of hypervisor; the other options are incorrect because there is no such thing as a Type 3 or Type 4 hypervisor.

  20. B. A Type 2 hypervisor relies on the underlying operating system (OS) to operate properly; the underlying OS offers a large attack surface for aggressors.

    A Type 1 hypervisor boots directly from the hardware; it’s much easier to secure a machine’s Basic Input/Output System (BIOS) than an entire OS, so option B is better than option A.

    Options C and D are incorrect because there is no such thing as a Type 3 or Type 4 hypervisor.

  21. D. VMs are snapshotted and simply stored as files when they are not being used; an attacker who gains access to those file stores could ostensibly steal entire machines in highly portable, easily copied formats. Therefore, these cloud storage spaces must include a significant amount of controls.

    Options A and C are simply untrue.

    Option B is untrue when crypto-shredding is utilized.

  22. C. While options A and B are both also true, C is the most significant reason cloud data centers use VMs. If the cloud provider had to purchase a new box for every user, the cost of cloud services would be as much as running a traditional environment (or likely cost even more), and there would be no reason for any organization to migrate to the cloud, especially considering the risks associated with disclosing data to a third party.

    Option D is simply untrue. VMs are not easier to operate than actual devices.

  23. D. The question describes what the hypervisor does. (Note that the answer “operating system” would also work here but was not one of the options.)

    Option A is incorrect; the allocation of resources is not performed manually.

    The router directs traffic between networks; it does not apportion resources. Therefore, option B is incorrect.

    A VM makes resource calls; option C is incorrect.

  24. B. Object storage is, literally, a means of storing objects in a hierarchy such as a file tree.

    All the other options are terms used to describe cloud storage areas without file structures.

  25. B. Snapshotted VM images are usually kept in object storage, as files.

    All the other options are incorrect and option C is not a type of storage.

  26. C. Only the most trusted administrators and managers will have access to the cloud data center’s management plane. These will usually be cloud provider employees, but some cloud customer personnel may be granted limited access to arrange their organization’s cloud resources.

    Regulators do not operate a customer’s management plane, so option A is incorrect.

    Option B is ambiguous. However, a consumer of data is unlikely to have been given the elevated privileges necessary to operate the management plane in a cloud environment. Option B is incorrect.

    Option D is also an ambiguous answer. Only the most trusted administrators and managers have access to the cloud data center’s management plane. A privacy data subject is neither a most trusted administrator nor a trusted manager. Therefore, option D is incorrect.

  27. D. The contract is probably the cloud customer’s best tool for avoiding vendor lock-in; contract terms will establish how easy it is to migrate your organization’s data to another provider in a timely, cost-effective manner.

    Options A and B are also important ways to avoid vendor lock-in, but D is the best answer.

    Option C is incorrect and will not aid in avoiding vendor lock-in.

  28. C. The regulator(s) overseeing your industry/organization will make the final determination as to whether your cloud configuration is suitable to meet their requirements. It is best to coordinate with your regulator(s) when first considering cloud migration.

    Cloud providers, cloud customers, and ISPs are not particularly concerned about whether an organization’s migration is satisfactory from a compliance perspective. The words “compliance perspective” should automatically bring to mind regulator(s). Options A, B, and D are therefore incorrect answers.

  29. D. Vendor lock-out occurs when the provider suddenly leaves the market, as during a bankruptcy or acquisition. The risks associated with lock-out include denial of service, because of total unavailability of your data. The best way to handle these risks is to have another, full backup of your data with another vendor and the ability to reconstitute your operating environment in a time frame that doesn’t exceed your recovery time objective (RTO).

    The other options do not aid in addressing vendor lock-out.

  30. A. Because the cloud provider owns and operates the cloud data center, the provider will craft and promulgate the governance that determines the control selection and usage. This is another risk the cloud customer must consider when migrating into the cloud; the customer’s governance will no longer have direct precedence over the environment where the customer’s data is located.

    Both the cloud customer and the regulator(s) may have specific control mandates that might require the customer to deploy additional security controls (at the customer side, within the data, as agents on the user devices, or on the provider side or in application programming interfaces [APIs] as allowed by the service model or contract), so options B and C are also partially true, but A is a better answer as it is more general.

    Option D is untrue because the end user does not determine which controls are selected for the cloud data center and how they are deployed. That is the responsibility of the cloud provider.

  31. B. The question describes a guest escape.

    Options A and C are other risks of operating in the cloud. Option D can lead to A or B, but B describes the more specific situation and is therefore the correct answer.

  32. A. The question describes host escape.

    Options B and C are other risks of operating in the cloud. Option D can lead to A or B, but A is the more specific situation and is therefore the correct answer.

  33. D. Because most cloud users don’t see direct costs in creating new VM instances (the bills usually go to a single point of contact in the organization, not the user or the user’s office), they may tend to create additional VMs at a significant rate, without realizing the attendant cost. This is largely because it is so easy to do and has no apparent cost, from their perspective.

    All the other options do not cause virtualization sprawl.

  34. C. Sprawl needs to be addressed from a managerial perspective because it is caused by allowed user actions (usually in a completely authorized capacity).

    Options A and D mean the same thing and could be considered as contributing to sprawl because the technological capabilities of virtualization create the ease of use that can cause sprawl. However, option C is a better answer.

    Option B is incorrect; sprawl occurs within the organization.

  35. D. Because all cloud access is remote access, the risks to data in transit are dramatically heightened in the cloud.

    The other options exist in both the traditional environment and the cloud but are probably actually reduced in the cloud because cloud providers can use economies of scale to invest in means to reduce those risks in ways that individual organizations would not be able to.

  36. B. Defense in depth, or layered defense, is perhaps the most fundamental characteristic of all security concepts.

    Options A and C are security aspects of some environments, and option A is likely to be a necessary trait of managed cloud services, but they are not fundamentals—they are specifics.

    Option D is specifically an administrative control; the question is looking for a fundamental aspect of security. Option B is more general (it applies to all types of security, in all industries and uses) and therefore is the correct choice for this question.

  37. B. A secure baseline configuration, applied and maintained automatically, ensures the optimum security footprint with the least attack surface.

    All the other options are benefits of automated configuration but are not specifically security enhancements.

  38. B. The Security Assertion Markup Language (SAML) is probably the most common protocol being used for identity federation at the moment.

    Options A and C are not identity federation protocols.

    Option D is a federation specification, but it also uses SAML tokens.

  39. C. This is a very popular function of federated identity.

    Single sign-on (SSO) is similar to federation, but it is limited to a single organization; federation is basically SSO across multiple organizations. Option A is incorrect.

    Options B and D are threats listed in the Open Web Application Security Project (OWASP) Top Ten; they are incorrect.

  40. A. The cross-certification federation model is also known as a web of trust.

    Proxy is another model for federation, so option B is incorrect.

    Single sign-on is similar to federation, but it is limited to a single organization; option C is incorrect.

    Option D does not have relevance in this context and is therefore incorrect as an answer.

  41. B. In the proxy federation model, the third party acts on behalf of the member organizations, reviewing each to ensure that they are all acceptable to the others.

    Cross-certification is another model for federation, so option A is incorrect.

    Single sign-on is similar to federation, but it is limited to a single organization; option C is incorrect.

    Option D does not have relevance in this context and is therefore incorrect as an answer.

  42. A. In a web of trust federation model, all of the participating organizations are identity providers; each organization will assign identity credentials to its own authorized users, and all the other organizations in the federation will accept those credentials.

    A trusted third party, regulators, and clientele are not involved in the web of trust model, so the other options are incorrect.

  43. A. In a web of trust model, each member organization usually supplies both the access/identification credentials and the resources that the users want to access, so the organizations are both the identity providers and service providers in a web of trust federation model.

    A trusted third party, regulators, and clientele are not involved in the web of trust model, so the other options are incorrect.

  44. D. While it’s likely the participating organizations will be subject to other federal regulations, HIPAA covers electronic patient information, so it will definitely be applicable in this case.

    GLBA covers financial and insurance service providers, so option A is incorrect.

    FMLA dictates how employers give vacation time to employees, so option B is not correct.

    PCI DSS is a contractual, not regulatory, standard, so option C is incorrect.

  45. C. The question describes authorization.

    Options A and B are part of the overall identity and access management (IAM) process, as is option C, but they do not specifically describe granting access to resources.

    Federation is a means of conducting IAM across organizations; option C is more specific, so D is incorrect.

  46. D. Redacting is an editorial process of excising sensitive information from disclosed data. All the other options are elements of identity management.

  47. C. This is a complicated question and requires thinking through the portions of the identification process.

    Identification of personnel is usually verified during the hiring process, when HR checks identification documents (such as a passport or birth certificate) to confirm the applicant’s identity, often as part of a tax registration process.

    Options A and B include offices that may play a role in the identification process, but it is usually HR that does the actual verification.

    Option D, “Sales,” is untrue. If a Sales department exists in an organization, it does not perform the verification part of the provisioning element of the identification process.

  48. C. Cloud providers may be reluctant to grant physical access, even to their customers, on the assumption that allowing access would disclose information about security controls. In some cases, cloud customers won’t even know the location(s) of the data center(s) where their data is stored.

    The other options are all untrue. Data in the cloud and controls in the cloud can most certainly be audited. So, options A and B are incorrect. D is untrue; there are regulators for all industries, including those that operate in the cloud.

  49. D. In many circumstances, a cloud audit will depend on which information a cloud provider discloses, which makes auditing difficult and less trustworthy.

    Option A is incorrect because cryptography is sometimes present in traditional environments and audits still take place.

    Option B is incorrect; auditors’ opinions are not relevant.

    Option C is untrue; equipment does not resist auditing—it is inanimate and unfeeling.

  50. A. Because cloud audits are often the result of third-party assertions, recipients of cloud audit reports may be more skeptical of the results than they would have been of traditional audits, which the recipients may have performed firsthand.

    Option B is untrue. The difficulty of standards is not a hindrance to audit.

    Option C is untrue. Paperwork does not hinder audits.

    Option D is not only untrue, but also hilarious. If you have ever been involved in an audit, you know that there are plenty of auditors to go around.

  51. B. The “sensitive information,” in this case, is whatever knowledge of the data center’s security controls and processes might be gathered by physically visiting the data center. Although a cloud customer cannot get access to the facility, neither can other cloud customers (some of whom may be inimical to another customer’s interests), so none has an advantage over the other(s).

    Option A is incorrect because qualified personnel are still required whether a cloud environment has limited access to their data center or not. In fact, security may be degraded by having unqualified personnel rather than qualified personnel working in the cloud data center.

    Option C is incorrect because reducing jurisdictional exposure does not enhance security.

    There may be a correlation between ensuring statutory compliance and enhancing security as it applies to limiting access to the cloud data center. However, option B is a better answer because it is certainly true. Therefore, option D is not the best answer to the question.

  52. B. Because VMs don’t take updates when they are not in use (snapshotted and saved as image files) and updates may be pushed while the VMs are saved, it’s important to ensure that they receive updates when they are next instantiated.

    A physical tracking mechanism won’t be of much aid for virtual devices because they aren’t physically stolen like hardware boxes, so option A is incorrect.

    Having an ACL in the image baseline would create a situation where every user from every cloud customer could access every VM in the data center; option C is incorrect.

    Write protection is used in forensic analysis of machines (virtual or otherwise); it would not be useful in an operational baseline. Option D is incorrect.

  53. A. Version control can be difficult in a virtual environment because saved VMs don’t receive updates. Ensuring that each VM is the correct version is a function of configuration management (CM), and CM controls can be built into the baseline.

    Each organization will have its own training and awareness program, and there is no one-size-fits-all solution that is appropriate; this does not belong in the baseline. Option B is incorrect.

    Having a baseline that cannot be copied is pointless; option C is incorrect.

    Keystroke loggers will create a huge volume of detailed, stored data that will pose more of a security risk (and may actually be a violation of customer privacy regulations) than any benefit they offer; option D is incorrect.

  54. C. Event logging is essential for incident management and resolution; this can be set as an automated function of the CM tools.

    Not all systems need or can utilize biometrics; option A is incorrect.

    Usually, tampering refers to physical intrusion of a device; since the question is about VMs, it is probably not applicable. Option B is incorrect.

    Hackback is illegal in many jurisdictions; option D is incorrect.

  55. B. A specified configuration built to defined standards and with a controlled process can be used to demonstrate that all VMs within an environment include certain controls; this can greatly enhance the efficiency of an audit process.

    The VM’s image has very little to do with physical security or training; options A and C are incorrect.

    Baseline images are the opposite of customization; option D is incorrect.

  56. C. The baseline will contain the suite of security controls applied uniformly throughout the environment.

    A VM image audit is unlikely to involve any form of physical security; A is incorrect.

    Baselines won’t predictively show malicious activity; B is incorrect.

    Baselines also do not have anything to do with user training and awareness; option D is incorrect.

  57. B. Having an additional backup with a different provider means that if your primary provider becomes unusable for any reason (including bankruptcy or unfavorable contract terms), your data is not held hostage or lost.

    Custom VMs may or may not work in a new environment; this is actually a risk when porting data out of the production environment; option A is incorrect.

    Performance probably will not increase if data is replicated to another cloud provider; in fact, you will probably lose some load balancing capability you might have had if you kept the data and backups together. Option C is incorrect.

    Having two providers will always be more costly than a single provider; option D is incorrect.

  58. D. Having the backup within the same environment can allow easy rollback to a last known good state or to reinstantiate clean VM images after minor incidents (e.g., a malware infection in certain VMs).

    Ease of compliance will not be determined by the location of the backup, so option A is incorrect.

    Traveling should not be a major cost for cloud usage; option B is incorrect.

    The location of the backups won’t have any effect on user training; option C is incorrect.

  59. D. Having your data backed up and accessible in the cloud eliminates any need for having a distinct hot site/warm site separate from your primary operating environment; instead, your personnel can recover operations from anywhere with a good broadband connection.

    Cloud BC/DR capability does not remove the necessity of security personnel and appropriate policies; both options A and B are incorrect.

    Option C makes no sense as an answer to the question. It is unclear how you can cut costs by eliminating your old access credentials. In fact, it is difficult to imagine how that is a true statement. Therefore, option C is a poor choice and option D is the best choice.

  60. D. Without ISP connectivity, nobody will be able to use the Internet and, thus, the cloud. Of course, realistically, without Internet connectivity not much business will get done anyway, for most organizations, regardless of whether they were operating in the cloud or on-premise.

    Option A is incorrect because the loss of any single cloud administrator is unlikely to gravely affect your organization’s RTO.

    The loss of a specific VM will probably not gravely affect your organization’s RTO. VMs can be reinstantiated with ease. Option B is incorrect.

    The loss of your policy and contract documentation cannot gravely affect your organization’s RTO. Option C is untrue.

  61. C. Health and human safety is always paramount in all security activity.

    All the other options are assets that should be protected, but nothing is as important as option C, so they are incorrect answers for this question.

  62. B. The recovery point objective (RPO) is a measure of data that can be lost in an outage without irreparably damaging the organization. Data replication strategies will most affect this metric, as the choice of strategy will determine how much recent data is available for recovery purposes.

    Recovery time objective (RTO) is a measure of how long an organization can endure an outage without irreparable harm. This may be affected by the replication strategy, but not as much as the RPO. Option A is incorrect.

    The maximum allowable downtime (MAD) is how long an organization can suffer an outage before ceasing to be an organization. This is not dependent on the RPO, and the data replication strategy won’t have much effect on it at all. Option C is incorrect.

    The mean time to failure (MTTF) is a measure of how long an asset is expected to last (usually hardware), as determined by the manufacturer/vendor. The data replication strategy will have no bearing on this whatsoever. Option D is incorrect.

  63. D. A data backup/archive can offer your organization an operational “reachback” capability, where admins can assist users in recovering data lost by accident or carelessness.

    The backup/archive does not aid in any of the areas in the other options. So, options A, B, and C are incorrect.

  64. B. When using two different cloud providers, a cloud customer runs the risk that data/software formats used in the operational environment can’t be readily adapted to the other provider’s service, thus causing delays during an actual failover.

    Risks of physical intrusion are neither obviated nor enhanced by choosing to use two cloud providers; option A is incorrect.

    Using a different cloud provider for backup/archiving actually reduces the risks of outages due to vendor lock-in/lock-out and natural disasters, so options C and D are not correct.

  65. B. Theoretically, all the options are possibly true. However, option B is the most likely to occur and is fairly common in practice; the cost and risk of moving operations from one environment/provider to another is sizable, so staying with the secondary provider (making them the new primary) is a good way to reduce some of the risk involved in returning to normal.

  66. A. The business requirements will determine the crucial aspects of BC/DR.

    All the other options may constitute some input that will influence the BC/DR, but they are not the prevailing factors, so they are incorrect.

  67. C. The business impact analysis (BIA) is designed for this purpose: to determine the critical path of assets/resources/data within the organization. It is a perfect tool to use in shaping the BC/DR plan.

    The risk analyses options and the risk appetite option may provide input for the BIA, but they are not what is used to determine the critical assets necessary to protect in the BC/DR activity. So, options A, B, and D are incorrect.

  68. D. If the contingency operation will last for any extended period of time, it is important to know whether all the same service expectations can be met by the backup provider as were available in the production environment.

    All the other questions are important, but not as crucial as option D, so they are incorrect.

  69. C. BC/DR responsibilities must be negotiated and codified in the contract; initiation could be something performed by provider or customer, depending on circumstances, so the parties must agree before those circumstances are realized.

    It is exceedingly unlikely that “any user” in a managed cloud services arrangement can invoke a BC/DR action. Option D is therefore a poor choice for the answer to the question.

  70. C. Without a full test, you can’t be sure the BC/DR plan/process will work the way it is intended.

    Audits are good, but they will not demonstrate actual performance the way a test will, so options A and B are incorrect.

    It is important that the BC/DR capacity and performance be included in the contract, but that will not truly ensure that the functionality exists; a test is required, so option D is incorrect.

  71. A. All of these are important, but without regular updates, the information will soon become outdated and a lot less useful.

  72. C. This is not an easy question, because every plan/policy should include mention of the governance documents that drive the formation of the plan/policy; however, these can be included by reference only—you don’t need to include full copies of these governance documents.

    All the other options should be included in the BC/DR plan/policy.

  73. D. This question is difficult. You want your BC/DR plan/process to include sufficient detail such that it could be followed by someone with the right background (perhaps IT for certain roles, security for others, etc.) but without any experience or specific training in that role. This is because a contingency of the scope that would require initiation of BC/DR activities might involve dramatic, significant external forces to the point where the personnel normally tasked with BC/DR actions are not available (for instance, natural disasters, fire, civil disruption, etc.), so the tasks may need to be completed by whoever is available at the time.

    The BC/DR plan/process should be written and documented in such a way that someone with the requisite skills can use it. It is unlikely that typical users or regulators have the requisite skills to perform many of the BC/DR activities. Therefore options A and C are poor choices for answers to the question.

    It is tempting to choose option B; however, option D is a better answer because it ensures that someone with the requisite skills will be able to read the BC/DR plan and perform the activities it documents. Having to rely on essential BC/DR team members being present and available to follow the plan is risky. So option B is incorrect.

  74. C. A premature return to normal operations can jeopardize not only production, but personnel; if the contingency that caused the BC/DR action is not fully complete/addressed, there may still be danger remaining.

    The BC/DR plan/process should take into account both the absence of essential personnel and telecommunications capabilities, so options A and D are incorrect.

    Option B does present a serious problem for the organization, but C is still a greater risk, so B is incorrect.

  75. C. Not returning to normal operations in a timely fashion can cause you to exceed the RTO and the MAD.

    During a contingency, some of the requirements your organization faces may relax somewhat; for instance, if a life-threatening natural disaster occurs, regulators will likely understand if some of the normal compliance activities/controls are not fully incorporated while personnel and assets are moved to safety (depending on the nature of the industry, of course). Options A and B are therefore incorrect; option C poses a greater risk.

    Option D is a distractor; not all organizations need encrypted communications during contingencies.

  76. A. Depending on your industry and the nature of your data, moving information into another jurisdiction may affect or invalidate your regulatory compliance.

    Cloud providers, wherever they are located, should compensate for environmental and physical security factors, so this should have no impact on your potential risk; options B and C are incorrect.

    Option D is incorrect because it is a blanket statement that is not always true. In fact, for some organizations, the physical location where their data is stored can have serious regulatory consequences.

  77. C. ENISA’s approach to cloud risk assessments does not specifically address this type of assurance, probably because of the wide variety of possible regulators and the difficulty in crafting a risk assessment that would address them all.

    All the other options are assurance efforts that ENISA’s cloud risk assessment is meant to enhance, so they are incorrect answers for this question.

  78. D. ENISA includes “programmatic management” as a defining trait of cloud computing, even specifying “through WS API.” This is not included in the definition published by (ISC)2 (or by NIST).

    All the other characteristics are included in the (ISC)2 (and NIST) definitions.

  79. D. The only reason organizations accept any level of risk is because of the potential benefit also afforded by a risky activity.

    Profit is not the hallmark of every opportunity (or every organization—many organizations are nonprofit or government-based), so option A is incorrect.

    Likewise, not all risky activities offer a chance to enhance performance, so option B is incorrect.

    Cost is not a benefit, so that doesn’t even make sense in the context of the question; option C is incorrect and is a distractor.

  80. D. The cloud greatly enhances opportunities for collaboration between organizations, mostly by giving external parties some limited access to the owner’s data in the cloud. While there is risk in this situation, the truly comparable risk in the traditional environment would result from sending data outside the organization to external collaborators. (Furthermore, the organization has to balance this risk against the cost of business of not being able to collaborate, if data is never shared with third parties.)

    Option A is ridiculous; data should be secured whether it is in an on-premise environment or in the cloud.

    Option B does not create a true equivalence; disclosing data under controlled conditions is not the same as public disclosure.

    Option C is not equivalent to the costs/benefits of the other forms of collaboration; it would be too cumbersome for the organization to truly benefit from collaboration in a modern business environment.

  81. C. Under current legal frameworks, some risks (such as legal liability for privacy data breaches) cannot be transferred to a contracted party, so the data owners (that is, cloud customers) will still retain those risks.

    Option A is ridiculous; risks can and should be mitigated, even in the cloud.

    Option B is not correct; cloud migration will require some risk acceptance, but that is true for everything except avoided risk.

    Option D is incorrect; cloud providers can choose not to offer services or not to accept certain clients.

  82. C. As the models increase in level of abstraction and service, the customer’s control over the environment decreases.

  83. B. Sharing resources with other, unknown customers (some of whom may be competitors of or even hostile to the organization) is a risk not faced by organizations that maintain their own, on-premise data centers.

    All the other answers are threats that exist in both environments and are therefore incorrect.

  84. D. Because supply chain dependencies can affect service, the cloud customer will need assurance that any third-party reliance is secure.

    Regulators and end users do not provide security to the enterprise, so options A and B are incorrect.

    The vendors used for on-premise security will no longer affect the data, so option C is incorrect.

  85. D. It is possible that a cloud provider will be unable to handle an increased load during contingency situations where all its customers are demanding additional resources far beyond their usual contracted rate. While this is unlikely (many cloud providers, especially the major operators in the market, have resources that greatly exceed any possible demand by their customers), it could conceivably occur if a significant number of customers experience an immediate and dramatic need for capacity, such as during a major BC/DR event (a region-wide natural disaster or a physical attack on a city). This is not something that would affect an on-premise solution; your organization’s data center is not affected by others’ demand for resources (although the on-premise environment may be affected by the same contingency that causes cloud resource exhaustion, of course).

    All the other options portray risks faced by both cloud and on-premise environments.

  86. B. Guest escape (a malicious user leaving the confines of a VM and gaining access to other VMs on the same machine) is less likely to occur and to have a significant impact in an environment provisioned for and used by a single customer.

    In a public cloud, this is more likely and would be more significant, so option A is incorrect.

    The service model doesn’t specifically dictate the likelihood of occurrence or impact (both PaaS and IaaS could be in a private or public cloud, which is the more important factor), so both options C and D are incorrect.

  87. B. Because of multitenancy and shared resources in the cloud, law enforcement may seize a cloud customer’s assets (a physical device, a data set, etc.) and inadvertently capture assets belonging to another, unsuspected/innocent organization. This could not happen in a situation where all individual organizations only kept their own assets on their own premises.

    All the other options include risks that exist in the traditional, on-premise environment, as well as the cloud, so they are incorrect.

  88. C. This is not an easy question; the simple answer seems to be option A, which is true for data stored/saved/migrated to the cloud (and property that already has been created in the cloud), but for new intellectual property created in the cloud, strong contract language in favor of the customer’s rights is very necessary. Without clear-language support about the customer’s ownership of all intellectual property created in the cloud data center, the cloud provider could, ostensibly, make a claim on such property, as the provider’s resources were used in a collaborative effort to create that property.

    Options B and D are security controls used to protect all sorts of assets, including intellectual property, but they do not address the creation of new intellectual property in the cloud as specifically as explicit contract clauses would, so option C is still the better answer.

  89. B. While one guest VM seeing the resource calls of another VM could possibly allow one guest to see the other’s data, it’s much more likely that a user seeing another user’s use of resources, rather than raw data, would allow the viewer to infer something about the victim’s behavior/usage/assets.

    Likewise, it may be possible for the viewer to leverage knowledge of this usage as part of a social engineering attack, but that would be subsequent to the inference itself; option B is still better than C.

    Lack of resource isolation does not affect physical intrusions; that option is just a distractor here.

  90. B. Social factors should not/don’t affect the level of entropy in a random number generator.

    However, all the other factors listed in the other answers do, and that means that a malicious user in the cloud would be more likely (statistically) to guess/predict the random number used to create/seed an encryption key made in that same cloud environment. Cloud customers should take this into account when designing/planning their cloud configuration.

  91. C. Without uniformity of data formats and service mechanisms, there is no assurance that a customer would be able to easily move their cloud operation from one provider to another; this can result in lock-in.

    All the other options are not affected by lack of standards.

  92. A. Many cloud providers prohibit activities that are common for administrative and security purposes but can also be construed/used for hacking; this includes port scanning and penetration testing. These restrictions can reduce the customer’s ability to perform basic security functions.

    While geographical dispersion of cloud assets might make securing those assets more difficult in the notional sense (customer administrators can’t physically visit the devices that host their data), remoteness does not necessarily inhibit good security practices, which can be performed at a remove. This is not as detrimental as rules against port scanning/pen testing, so option B is incorrect.

    There are no rules against user training or laws against securing your own assets, in the cloud or otherwise; options C and D are incorrect.

  93. A. Brewer-Nash was specifically created for managed services arrangements, where an administrator for a given customer might also have access to a competitor’s data/environment; the model requires that administrators not be assigned to competing customers. In the modern cloud provider model, a cloud data center administrator will almost definitely have access to many customers from the same industry (i.e., competitors) but probably won’t even know it.

    All the other options are access control security models; cloud administrators will not (or should not) be assigning access rights, so all these options are wrong.

  94. B. Administrative and support staff are usually not part of the critical path of a data center; they are nonfunctional-requirement elements, not functional requirements.

    All the other options are mission-critical elements of the cloud data center and must have redundancy capabilities.

  95. B. To avoid a situation where severing a given physical connection (for instance, during construction or landscaping) results in severing its backup as well, have redundant lines enter on different sides of the building.

    For health and human safety, multiple egress points from each facility are preferred (and often required by law); option A is incorrect.

    Emergency lighting should receive power regardless of its proximity to the power source, and parking vehicles near generators is a bad idea from a safety perspective; option C is incorrect.

    Not all facilities need to withstand earthquakes; this may be true of data centers in California, but not in Sydney, so it is not an industry-wide best practice. Option D is incorrect.

  96. D. People entering the facility can be vectored through a single security checkpoint as a means of enhancing access control; multiple lines of ingress are not necessary (although multiple lines of egress are essential to ensure health and human safety).

    All the other options are facility elements that require redundancy.

  97. C. A recovery from backup into the production environment carries the risk of failure of both data sets—the production set and the backup set. This can cause cataclysmic harm to the organization.

    Recovering in the primary facility would probably be cheaper than having a different test facility, so option A is incorrect.

    A proper test is worth the financial expenditure, so option B is incorrect.

    Option D is incorrect because any BC/DR plan would account for sufficient personnel workspace.

  98. B. Assuming your facility is not available during contingency operations allows you to better approximate an emergency situation, which adds realism to the test.

    Though option A is an act of benevolence on the part of the organization towards the community, option B is still a better answer for the question.

    Though option C is an act of benevolence on the part of the organization towards the employee, option B is still a better answer for the question.

    Option D is incorrect because it makes assumptions that cannot be counted upon. Regulatory oversight should not be avoided, and should always be assumed.

  99. B. In an infrastructure as a service (IaaS) model, the provider is only responsible for provisioning the devices and computing/storage capacity; the customer is responsible for everything else, including the security of the applications.

    All the other answers are incorrect because those individuals/organizations do not accept responsibility for securing cloud-based applications.

  100. A. According to ENISA, custom IAM builds can become weak if not properly implemented.

    Strong contract language in favor of the customer is always desirable for the customer, so option B is incorrect.

    Training for specific conditions is always advisable, so option C is incorrect.

    There is nothing wrong with having encryption take place before data is sent to the cloud, so option D is incorrect.

  101. D. With strong contract terms, the cloud customer may be able to recover monetary damages (and even penalties) from the cloud provider as a result of a loss suffered by the customer; however, legal liability remains with the cloud customer.

    The other answers are not relevant in this context.

  102. B. Revoking credentials that might be lost when a device goes missing is a way to mitigate the possibility of those credentials being used by an unauthorized person.

    Punishing a user and notifying law enforcement does not prevent data from being disclosed; options A and C are incorrect.

    Tracking devices may assist recovery efforts, but it won’t protect against data disclosures during the period the device is not under the organization’s control; option D is incorrect.

  103. B. Of all these options, only B is not something that will reveal untoward behavior.
  104. D. Multifactor authentication offers additional protections for assets that are critical to the organization.

    All logins should utilize strong passwords, whether they are critical or not, so option A is incorrect.

    Some form of physical perimeter security is useful, but not necessarily chain-link fences, and not only for critical assets (perimeter security will protect all assets on the campus), so option B is incorrect.

    Homomorphic encryption is a theoretical technology; option C is incorrect.

  105. A. An asset that is not tracked will not be maintained properly, and an improperly maintained asset provides an avenue for attack.

    Options B and D are management issues, not security issues; option A is preferable to both of them.

    Option C is incorrect; users don’t care whether their devices are catalogued and annotated, so it is a poor choice for an answer to the question.

  106. A. Data formatted in a manner that allows its reuse in other environments is essential for portability.

    None of the other options are relevant to the issue of data portability.

  107. B. Testing is a great way to enhance assurance that applications will work in the new environment.

    None of the other options are relevant to the issue of application portability.

  108. C. The RTO must always be less than the MAD.

    It is good to know that services will operate in the alternate environment and that first response contact info is current, but neither determines the speed with which services and data will be available during contingency operations; options A and B are incorrect.

    Regulators will usually not dictate MAD/RTO for a given organization; option D is incorrect.

  109. D. Of the listed options, knowing how other customers feel about a provider may be the most valuable data point; it is the most realistic depiction of whether an organization realized projected/anticipated benefits after a migration.

    Options A and B are just marketing materials and should not, by themselves, be all that convincing for making a migration decision.

    Option C is a good factor to consider, but it is only a very small piece of what migration entails; D is still a much better option.

  110. C. Because cloud access is remote access, pen tests will be remote tests; it doesn’t really matter what the physical origin of the simulated attack is.

    All the other options are items the provider will want to know before the customer launches the test.

  111. D. Performing live deception and trickery against employees of the cloud provider (or its suppliers/vendors) could be construed as unethical and possibly illegal, especially without their knowledge and/or consent. Social engineering probably won’t be involved in penetration tests run by customers.

    All the other options are legitimate activities a customer might perform during a penetration test (with provider permission).

  112. D. In most jurisdictions, the activity involved in penetration testing would be considered criminal, and quite serious, and the provider would be justified in seeking law enforcement involvement and prosecution.

    None of the other answers make sense with respect to the question.

  113. B. Because all penetration tests launched by the customer require notifying the provider beforehand (and getting permission), the simulation loses quite a bit of realism. In the traditional environment, where the organization had full control over its own assets, penetration tests could involve double-blind status, which was much more realistic.

    Everyone uses remote access for cloud activity, so option A is incorrect.

    Cloud customers will not be able to deploy malware as part of a test because that is a crime, so option C is wrong.

    Regulators are not involved in penetration tests, so option D is incorrect.

  114. D. Virtualization allows for the scalability and cost reduction available in managed cloud services.

    All the other options are incorrect because they do not cite the technology that creates most of the cost saving in the cloud environment. Only virtualization provides this cost savings.

  115. D. In the traditional environment, the cloud customer must pay for a device for every user, which requires additional capacity that is almost never fully used; this represents a cost with no associated benefit. Moving into a virtualized environment allows the organization to only pay for resources that are utilized and not for underutilized or unused capacity.

    The risks and regulatory requirements for an organization do not go away when the organization moves into the cloud, so there is no cost savings associated with these elements. Therefore, all of the other options are incorrect.

  116. C. An organization operating in the cloud should not need as many IT personnel as would be required to operate a traditional enterprise with the same level of services for users; this can represent a significant cost savings.

    Moving into the cloud reduces neither risk nor data; options A and D are incorrect.

    Arguably, the cloud customer may realize some cost savings through cloud migration because the customer will not be solely responsible for acquiring, deploying, and managing security controls. However, security controls still exist—they are, instead, the responsibility of the cloud provider, and the price of applying them is enclosed in the cost of the cloud service. Moreover, this savings is not nearly as significant as the savings realized through reduction in personnel, so option C is still preferable.

  117. B. Because virtual machine images are stored as imaged files, an attacker able to access the stored files would have a much easier time transporting those files than transporting actual drives/machines.

    Option A actually represents a risk in the physical environment that is reduced by the use of virtual machines and is incorrect.

    VMs are not any more or less susceptible to malware or EMP, so options C and D are incorrect.

  118. C. Both the hypervisor and the OS orchestrate access to resources (the hypervisor coordinates requests from VMs, and the OS coordinates requests from applications).

    Option A is incorrect because the CPU in a traditional environment performs calculations, while the operating system manages resources and performs process scheduling.

    The security team in a traditional environment has a narrow and focused role, not like the operating system that manages the entire system and its resources.

    Pretty Good Privacy is an application that performs a specific, limited role. Option D is incorrect.

  119. D. Solid-state drives (SSDs) are currently the most efficient and durable storage technology, so cloud providers will favor them.

    All the other options are older technologies that employ magnetic media in one form or another, while SSD employs electronic circuitry to store data.

  120. C. In object storage, data objects/files are saved in the storage space along with relevant metadata such as content type and creation date.

    Options A and B are different names for the same type of storage arrangement and incorrect.

    Option D has no meaning in this context.

  121. C. NIST’s definition of cloud carrier is “an intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.”

    Of the choices, option C best represents this definition.

  122. D. The hypervisor orchestrates assignment of resources and is responsible for avoiding and resolving contention.

    The router manages traffic flow, which might be considered as resolving contention issues for resource requests outside the local device (for example, from a given device to the storage cluster) but wouldn’t handle resource requests inside a given device (such as a VM on the device making a request to the device CPU), so option D is a better answer.

    An emulator virtualizes programs, not machines, and is not responsible for orchestrating resource calls, so option B is incorrect.

    Regulators do not manage resources, so option C is incorrect.

  123. D. Security controls operating on a guest VM OS are only active while the VM is active; when the VM is stored, it is snapshotted and saved as a file, so those controls won’t be active either.

    All user access to the VMs will be done remotely; option A is simply incorrect.

    Security controls on OSs that are not scanned or subject to version control may be out of date or not optimized, but they will still function (just not as well), so option D is still preferable to B and C.

  124. A. Solid-state drives (SSDs) are usually more expensive, per drive, than their counterparts. However, as the industry matures, this is changing rapidly. Moreover, cloud providers are usually buying devices at such a scale and under such a budget that individual price differentials between device types are not the main criterion for making purchase decisions.

    Size and shape are not defining criteria of SSDs or tapes; options B and C are irrelevant (and also somewhat wrong).

    The physical nature of the drive does not affect its vulnerability to malware; option D is incorrect.

  125. B. SSD technology offers a great increase in speed and efficiency.

    SSDs are not typically more difficult to install or administer than traditional technology, nor are they more likely to fail than other storage devices, so all the other options are incorrect.

  126. B. Because SSDs do not use magnetic properties to store data, degaussing is not a suitable means of sanitizing SSDs.

    All the other options are untrue and are therefore inappropriate answers.

  127. C. Theoretically, all combinations of security controls are preferable to any one security control used by itself (this is the principle of layered defense). All of the potential responses are therefore true. However, of this list, the pairing that makes the most sense is option C, because encrypting the data while also spreading it across multiple storage devices/locations increases the protection each one offers against certain common threats (in this case, physical theft of a storage device, failure of a device, legal seizure of a device in a multitenant environment, etc.).
  128. C. Theoretically, all combinations of security controls are preferable to any one security control used by itself (this is the principle of layered defense). All of the potential responses are therefore true. However, of this list, the pairing that makes the most sense is option C, because adding another layer of access control on objects while also detecting outbound motion of objects increases the protection each one offers against certain common threats (in this case, internal threats, escalation of privilege, unauthorized or inadvertent dissemination of data, etc.).
  129. C. Every organization is responsible for performing its own risk assessment for its own particular business needs.

    Cloud providers will not perform risk assessments on behalf of their customers.

    Regulatory bodies and legislative entities do not perform risk assessments.

  130. C. The best method for avoiding vendor lock-in is to have strong contract language favorable to the customer; the entity best equipped to craft contracts is the office of the general counsel.

    Senior management can assist the organization to avoid vendor lock-in by tasking the correct resources (offices/personnel) to perform vendor selection activities, but option A is not as accurate as C.

    Security personnel will have the technical skills and knowledge to properly determine the organization’s IT needs and can inform general counsel as to what services/resources will best meet the organization’s needs, but these entities are not as adept and trained at crafting contract language as the attorneys. Options B and D are not preferable to C.

  131. B. Using distinct cloud providers for production and backup ensures that the loss of one provider, for any reason, will not result in a total loss of the organization’s data.

    None of the other options address vendor lock-out and are therefore unsuitable as answers.

  132. C. Users in a cloud environment may not realize the attendant costs that come along with creating many new virtual instances, and the ease with which new instances are created allows users to do so without much effort.

    While DDoS and phishing may include an element of user gullibility and ignorance, at least one party (the attacker) is not engaged in inadvertent activity—their behavior is very purposeful. Options A and B are incorrect.

    While inadvertent action can often result in incidents, disasters are usually at a much greater scale and aren’t as likely to be the result of unknowing action; option D is incorrect.

  133. B. Management plane breach allows an attacker to gain full control of the environment and can affect all aspects of the CIA triad.

    DDoS and physically attacking the utility lines, options A and D, only affect availability, which is a significant negative impact but not as bad as option B, which can affect integrity and confidentiality as well.

    Guest escape is a breach limited to a specific device and the virtual machines on that device; this is not as much impact as breaching the management plane, which gives full access to the entire environment.

  134. A. Controlling access is optimized by minimizing access.

    All the other options are incorrect.

  135. D. Usually, mantrap areas control access to sensitive locations within a facility, not an entrance to the facility.

    None of the other options address vendor lock-out and are therefore unsuitable as answers.

  136. C. Health and human safety is a paramount goal of security; all facilities must have multiple emergency egress points.

    All the other options are distractors as they are included in option C.

  137. B. In the traditional environment, when all resources are owned, controlled, and used by the organization’s personnel, loss of isolation will only expose data to other members of the organization; isolation failure in the cloud environment may expose data to people outside the organization, a more significant impact.

    All the other options are risks that have similar likelihoods and impacts in the cloud and traditional environments and are therefore incorrect.

  138. B. Security and productivity/operations are always trade-offs.

    Option A is a generalization that may or may not be true depending on several variables. Some security controls are inexpensive to implement.

    Senior management approval may be required before security controls can be implemented; however, some may not need prior approval. It depends on the organization and how it is managed. Option C is incorrect.

    Option D is another generalization that may or may not be true. Whether a security control will work in the cloud environment as well as it worked in the traditional environment depends on the control and how it is implemented. Option B is a better choice.

  139. A. Because cloud providers may use data centers that span state (or even national) borders, new legal risks may be introduced to the customer’s organization after cloud migration.

    All the other options are risks faced by organizations in both the cloud and traditional environments and are therefore incorrect.

  140. A. In the traditional environment, if DDoS prevented the organization’s connectivity with the Internet or other organizations, users still had access to their own data but simply could not share it or use it in external transactions; this hampered productivity, but not availability. In the cloud, without connectivity outside the organization, users cannot reach their data, which is an availability issue.

    DDoS does not affect value, confidentiality, or liability; all the other options are incorrect.

  141. D. DDoS prevents all these things except for data integrity. DDoS only prevents communication; it does not usually result in modified data.
  142. C. In some instances, more virtualized machines will entail a relative increase in the number of software seat licenses, which can be a significant expense.

    Typically, cloud customers do not pay extra for additional consumption of floor space or power usage for the number of virtual machines; these costs are rolled into the per-instance price, so options A and B are incorrect.

    Option D is incorrect; users don’t require more training if they have more virtual assets.

  143. D. When performing BC/DR tests, it is useful to create scenarios that are unpredictable and vary from previous tests so as to better approximate conditions of an actual disaster.

    All the other answers represent elements that should avoid variables as much as possible and are incorrect.

Chapter 4: Domain 4: Cloud Application Security

  1. A. The ONF lists all the controls used in all the applications within an organization; each ANF lists the particular controls used in each application the organization has. Standard Application Security is a made-up term; therefore, options C and D are incorrect.
  2. D. Each application will have its own ANF, derived from the organization’s ONF. This can be a difficult question because there are many ANFs in the organization, but only one for each application. The reader needs to examine the question carefully.
  3. C. SOAP necessarily uses XML.

    HTML is a language used to tag text files so that they can be displayed with different fonts, colors, graphics and hyperlinks. HTML is not used in SOAP. Option A is incorrect.

    Option B is incorrect because X.509 is a standard and the question is about a programming language.

    Option D is incorrect because HTTP is a protocol and the question is about a programming language.

  4. B. Generally, a REST interaction involves the client asking the server (through an application programming interface [API]) for data, sometimes as the result of processing; the server processes the request and returns the result. In REST, an enduring session, where the server has to store some temporary data about the client, is not necessary.

    These interactions obviously involve servers and clients, so options C and D are not correct.

    Using REST does not eliminate the need for credentials, so option A is not correct.

  5. B. Roy Fielding, the author of the PhD dissertation that created REST, was also the author of HTTP, so it’s no surprise the command set is the same.

    All the other options are incorrect because the REST APIs do not use HTML, XML or ASCII as protocol verbs.

  6. C. The web is mainly HTTP, which is a RESTful protocol.

    All the other options are incorrect because they do not answer the question about the architecture of the World Wide Web.

  7. A. Servers can return REST requests to clients in a number of formats, including XML and JSON.

    X.509 certificates are used for passing session encryption information, not data requests, so option B is incorrect.

    Servers usually return data requests in some sort of display format, not plain text or ASCII, so option C is incorrect.

    HTML responses would simply be an entire web page, not specific data, so option D is incorrect.

  8. D. All the other options are simply words used in other contexts. They are incorrect.
  9. B. All the other options are risks that exist in the traditional environment as well as the cloud.
  10. C. In order for developers to properly create and secure applications, they will need to understand the extent of resource sharing (public/private/hybrid/community) and level of control (infrastructure as a service [IaaS], platform as a service [PaaS], software as a service [SaaS]) the organization will expect in the cloud environment.

    Each of the other options includes at least one element that programmers don’t need to know (specifically, the native language, Internet service provider [ISP], country code) and is therefore incorrect.

  11. B. A trial run in the cloud will reveal any functionality/performance loss before a permanent cloud migration.

    Option A doesn’t reduce any risk for a specific application; it trades the risk of one application not operating correctly with the risk of another application not working correctly. This answer is wrong.

    All applications should be reasonably patched and updated, whether it is in the traditional environment or the cloud. Option C is incorrect.

    An emulator won’t reduce the risk of degraded performance; it will probably result in degraded performance. Option D is incorrect.

  12. D. Not all programs (or organizations) will require database access, or even use databases, and hashing is not a common requirement.

    All the other functions are expected in the majority of cloud operations.

  13. A. In PaaS, the customer is responsible for the administration (and security) of applications.

    Neither regulators nor programmers are responsible for the security of the applications in the production environment. That is the responsibility of the cloud customer.

    It may appear as though the cloud provider should be responsible for application security; however, as the cloud customer acquires more responsibility for their cloud environment, the cloud provider assumes less responsibility. Option B is incorrect.

  14. D. Performance and security both need to be reviewed for adequacy.

    In this context, quality would be synonymous with performance and requirements, so D is a better answer than A or C.

    Brevity is not a trait we look for in testing, even though it may be desirable in programming, so B is incorrect.

  15. A. In the Define phase, we’re trying to determine the purpose of the software, in terms of meeting the users’ needs; therefore, we may solicit input from the user community in order to figure out what they really want.

    Options B and C are other phases of the SDLC, but not all SDLC models incorporate user input in these phases, so the options are not correct.

    Option D is not a phase of the SDLC and is incorrect.

  16. D. Disposal is the only phase concerned with the sanitization of media or destruction of data.

    All the other options are also SDLC phases; however, crypto-shredding is much more likely to be used in the disposal phase.

  17. B. Design is the correct answer, as this is where the requirements gathered during the Define phase are mapped to system designs.

    All the other options are SDLC phases where requirements are not mapped to software construction.

  18. D. Function is usually the functional requirement, describing what action the tool/process satisfies.

    All the others are usually nonfunctional requirements. Exceptions to this are when the characteristic listed is the actual desired function. For instance, if the product is a tool that enunciates text so that a blind user can hear the words, then sound would be the functional requirement. If the product is a security tool such as a firewall or data loss prevention (DLP) solution, then security would be a functional requirement. Otherwise, these are nonfunctional requirements for standard products.

  19. C. Traditional apps won’t usually require encryption in all phases of the data lifecycle because data is protected in several stages in the traditional environment without the need for additional controls. In the cloud environment, however, data exposed at any point in the lifecycle might constitute an inadvertent disclosure, so cloud apps require encryption for data at rest and in motion (and usually in use as well).

    Even traditional apps require IAM and field validation functions, so options A and D are incorrect.

    Most anti-DDoS activity will be performed by hardware and communication software run by the cloud provider or Internet service provider (ISP); developers should not typically need to include anti-DDoS elements in their programs. Option B is incorrect.

  20. A. Because the cloud is a multitenant environment, one of the concerns that developers should consider is how well the application prevents other applications/users from observing its operation and resource calls. In the traditional environment, this is not usually required because the organization owns the underlying infrastructure (as a single tenant) and there is very little risk in exposing the application’s functionality.

    Inference framing is a nonsense term, used here only as a distractor.

    Software should include known secure components, and testing should include known bad data (fuzz testing), whether it is going to be used in the cloud or in a traditional environment, so options C and D are incorrect.

  21. D. The cloud provider may have controls that restrict logging, or the delivery of log data, in the environment; this can make it complicated for cloud developers to include that functionality/security element in cloud apps.

    All the other options are things that can (and should) be done with software whether the application is being used in traditional or cloud environments, so those options are incorrect.

  22. D. Using only known secure libraries and components in software design may slow down development efforts but shouldn’t impact how the application runs.

    All the other options are security controls that will degrade performance because they require additional overhead; these options are incorrect.

  23. D. This is the definition of escalation of privilege (sometimes referred to as “elevation of privilege”).

    Inversion is a nonsense term in this context and just a distractor.

    Options B and C are threat modeling elements but are not correct answers for this question.

  24. A. The STRIDE threat model does not deal with business continuity and disaster recovery (BC/DR) actions.

    All the other options are elements of STRIDE (escalation of privilege, repudiation, and spoofing, respectively) and are therefore not correct.

  25. D. Users in the production environment will leverage whatever tools and techniques they can in order to get their job done in a better, faster way, often regardless of whether this complies with security policies.

    All the other options are untrue and therefore cannot be the correct answer. For test-taking purposes, be very suspicious of words like “constantly” and “can’t ever” in answer choices.

  26. B. Because many programs are currently constructed from “building block” components found in code libraries, any security issues within specific components may not be understood or identified by coders who don’t know the code inside the component.

    Option A is an unfair generalization.

    Option C is another broad generalization that may or may not be true. Option B is a better answer.

    Option D does not relate to the question about the SDLC and is therefore a poor choice for an answer.

  27. D. Obviously, using multiple forms of code review will produce more secure results than any one form of review, in the same way that having multiple forms of security controls (physical, logical, administrative, etc.) will provide better security than just one type.

    The question is which is the “most” secure form of code testing and review. That would be the most extensive. Since the correct answer is a combination of open source and proprietary, the least secure would be least extensive. Option A is strictly open source so that is incorrect. Option C is neither open source nor proprietary, which is even less extensive. Option C is incorrect. Proprietary/internal is also less extensive than Option D. So Option B is incorrect.

  28. B. This is the textbook definition of these terms. All the other options are incorrect answers.
  29. B. Business needs and risk acceptable to senior management should drive all organizational decisions, including access. Specific user or object access will, of course, be delegated down from senior management to a manageable layer of the organization, but the principle applies.

    This decision, however, should be informed by pertinent externalities, which include regulatory mandates (option A), user requirements and management requests (option C), and, to some degree, the trade-off of performance and security (option D, and both characteristics should also be dictated by senior management as an aspect of acceptable risk). While these externalities and options all play a part in determining appropriate access, they are all subordinate to business needs and acceptable risk, which are paramount; B is still the best answer to this question.

  30. C. The data owner is responsible for the disposition of the data under their control; this includes access decisions.

    The cloud provider is not typically the data owner; option A is incorrect.

    Ostensibly, senior management is the data owner (the organization, as a whole, is the legal owner of the data, and the senior managers are the legal representatives of the organization). However, in practice, this responsibility can be (and usually is) delegated down to a manageable level, where the data owner for a given data set understands it best and can provide a sufficiently granular control of that data set. This is rarely senior management and is more likely department heads, branch managers, or some other form of middle management. Option C is preferable to B.

    System administrators will usually be the literal granters of access, insofar as admins will modify access control systems that allow or disallow access for specific individuals or roles. However, the sysadmin does not make the decision of who is granted access and instead responds to direction from data owners (middle management); again, option C is preferable to D.

  31. D. PGP is an email encryption tool, not an identity federation standard. All the other options are federation standards.
  32. B. OpenID Connect is a federation protocol that uses representational state transfer (REST) and JavaScript Object Notation (JSON); it was specifically designed with mobile apps in mind, instead of only web-based federation.

    WS-Federation is a federation protocol that is part of the WS-Security family of standards and reliant on Simple Object Access Protocol (SOAP), so option A is incorrect.

    Option C is incorrect; SOC 2 is a type of Statement on Standards for Attestation Engagements (SSAE) 18 audit report, not a federation standard.

    OWASP is a volunteer group of and for web app developers, not a federation standard or protocol, so option D is incorrect.

  33. B. Because there is no transitive property of identification and authentication, knowing a trusted entity is not sufficient for validating an identity assertion.

    All the other options are typical authentication mechanisms and so are incorrect.

  34. A. At the ATM, the customer will use the card (something you have) and enter a PIN (something you know). This is true multifactor authentication.

    A password and PIN are both something you know, so option B is incorrect.

    Using a voice sample and fingerprint are two forms of something you are, so option C is incorrect.

    A birth certificate and credit card are both something you have, so option D is incorrect.

  35. B. Multifactor authentication should be considered for operations that have a significant risk or that deal with highly sensitive data (for instance, privileged user logins or when handling financial transactions).

    Requiring multifactor authentication for every transaction is an undue burden on both the users and the systems and is a needless addition of extra overhead, so option A is incorrect.

    All cloud access will entail remote login; this is a common operation, so adding multifactor authentication is an unnecessary burden in most cases. Option C is incorrect.

    The decision to use multifactor authentication should be based on the risk of the operation and the sensitivity of the data, not on whether it takes place in the traditional or online environment, so option D is incorrect.

  36. C. A WAF is a Layer 7 tool.

    All the other options are incorrect.

  37. D. WAFs recognize HTTP traffic and can respond to traffic that matches prohibited rulesets or conditions.

    Option A is technically correct; a WAF can be given a ruleset that recognizes certain forms of attack traffic. However, this answer is too general, and D is a much better response for this question.

    Options B and C are protocols not usually inspected by WAFs and are therefore incorrect.

  38. D. WAFs can be used to attenuate the possibility that cross-site scripting attacks will be successful.

    WAFs do not protect against social engineering or physical attacks in any way, so options A and B are incorrect.

    Option C is a nonsense term and is therefore incorrect.

  39. C. A DAM is a Layer 7 tool.

    All the other options are incorrect.

  40. A. DAMs can be used to reduce the possibility that SQL injection attacks will be successful.

    DAMs do not protect against cross-site scripting, insecure direct-object reference, or social engineering attacks in any way, so options B, C, and D are incorrect.

  41. C. The XML gateway can provide this functionality; it acts as a reverse proxy and can perform content inspection on many traffic protocols.

    The WAF and DAM are also security tools that inspect traffic but do not usually handle SFTP content, so options A and B are incorrect.

    Option D, single sign-on, concerns authentication functions, not communications traffic, and is only a distractor in this context.

  42. B. An API gateway translates requests from clients into multiple requests to many microservices and delivers the content as a whole via an API it assigns to that client/session.

    XML gateways, WAFs, and DAMs are also tools used frequently in cloud-based enterprises, but they do not handle microservice requests in a meaningful way.

  43. B. While it would be wonderful, for security purposes, to know the identity of attackers before or while they’re making an attack, this is information the attacker doesn’t usually share.

    All the other options are methods firewalls can use to recognize attacks.

  44. C. TLS maintains the confidentiality and integrity of communications, often between a web browser and a server.

    In this context, privacy and security mean much the same thing; privacy is synonymous with confidentiality, which is a subset of the overall topic of security. Therefore, option A is repetitive and not correct.

    TLS does not optimize performance or add any sort of enhancement, so options B and D are incorrect.

  45. A. TLS uses symmetric key crypto for each communications session in order to secure the connection; the session key is uniquely generated each time a new connection is made.

    Options B and C are names for another type of encryption. Asymmetric encryption is also used in establishing a secure TLS connection; however, the keys used in this portion of the process will not change from session to session, and therefore these options are incorrect.

    Option D is a nonsense term and is therefore incorrect.

  46. B. A VPN is a temporary, synthetic encrypted tunnel between two endpoints (often a client and a server).

    Option A is subtly misleading; the VPN secures the connection between two endpoints, not the ends of the connection. This option is incorrect.

    Option C is not correct; VPN is not used for encrypting databases—it is used for encrypting communications.

    Option D is incorrect; the symmetric key used in VPN is shared only between two parties (the endpoints), and the elements of the asymmetric key pair are either held by only one party (the owner of each private key) or by anyone at all (public key).

  47. C. Users may not offer enough coverage for larger software products that have a great deal of functionality; it can be useful to also use automated agents to check paths that users might not often attempt or utilize.

    The developers should not be involved in any form of testing the software as they have an inherent conflict of interest, so options A and B are incorrect.

    Dynamic testing does not involve social engineering; option D is incorrect.

  48. C. This is the definition of “conflict of interest.”

    All the other answers are incorrect.

  49. C. A sandbox can be used to run malware for analysis purposes as it won’t affect (or infect) the production environment; it’s worth noting, though, that some malware is sandbox-aware, so additional anti-malware measures are advisable.

    Options A, B, and D are not correct because the sandbox should be completely disconnected (air-gapped) from the production environment so that users can’t perform productive activity there.

  50. C. Software that has either been purchased from a vendor or developed internally can be tested in a sandboxed environment that mimics the production environment in order to determine whether there will be any interoperability problems when it is installed into actual production.

    All the other options aren’t uses for sandboxes and are incorrect.

  51. A. Virtualized applications can run on platforms that wouldn’t otherwise allow them to function, such as running Microsoft apps on a Linux box.

    Because the virtualization engine encapsulates the application from the native runtime environment, patches can’t be applied through virtualized programs; option B is incorrect.

    Virtualization really doesn’t have anything to do with access control; option C is incorrect.

    The overhead of running a software virtualization engine will actually add to system overhead, not decrease it, so option D is incorrect.

  52. D. Application virtualization allows the software to run on a simulated environment on the device without the need to install it on the device.

    Virtualization really doesn’t have anything to do with access control; option A is incorrect.

    Virtualization neither detects nor responds to DDoS; option B is incorrect.

    Virtualization does not replace encryption; if data needs to be secure within the virtualization environment, encryption may still have to be utilized. Option C is incorrect.

  53. B. ISO 27034 dictates that an organization will have a collection of security controls used for all software within that organization; this collection is called the ONF.

    All the other options are distractors and incorrect.

  54. B. Each application in an organization compliant with ISO 27034 will be assigned an Application Normative Framework (ANF), which lists all the controls assigned to that application.

    Technically, the controls for each application within an organization compliant with ISO 27034 will be listed in the Organizational Normative Framework (ONF), because the ONF is the list of all controls for all applications; however, for a given application, only the controls used for that application are listed in an ANF, so option B is a preferable answer to A.

    TTF (time to failure) has no meaning in this context, so option C is incorrect.

    FTP (File Transfer Protocol) is a protocol for transferring files and not applicable here; option D is incorrect.

  55. A. SAST is often referred to as white-box testing.

    Black-box testing does not include access to source code, which is required for SAST. Option B is therefore incorrect.

    Option C is a combination of black-box and white-box testing, so it is an incorrect answer for this question.

    Option D has no meaning in this context.

  56. D. In SAST, testers review the source code of an application in order to determine security flaws and operational errors.

    While determining “software outcomes” may be considered a possible goal of SAST, “source code” is a much better answer as it is more specific and applicable to the question. Option D is still preferable.

    SAST does not check user performance or system durability; options B and C are incorrect.

  57. B. DAST is often referred to as black-box testing.

    White-box testing requires the tester to have access to source code, which is not provided in DAST. Option A is therefore incorrect.

    Option C is a combination of black-box and white-box testing, so it is an incorrect answer for this question.

    Option D has no meaning in this context.

  58. B. DAST is performed while the application is running.

    Software testing should not take place in the production environment; option A is incorrect.

    DAST, like other forms of testing, may or may not take place in the cloud and is not confined to any particular service model (although it is unlikely to occur in software as a service [SaaS] environments); options C and D are incorrect.

  59. B. Vulnerability scans use signatures of known vulnerabilities to detect and report those vulnerabilities.

    Vulnerability scans do not typically require administrative access to function; option A is incorrect.

    Both malware libraries and forensic analysis of existing vulnerabilities may be used to create the signatures that vulnerability scanning tools utilize to detect and report vulnerabilities; however, these answers are too specific (limiting the answer), making option B a better answer than either C or D.

  60. D. Because vulnerability scanning tools require vulnerability signatures to operate effectively, unknown vulnerabilities that might exist in the scanned system won’t be detected (no signature has been created by vendors until a vulnerability is known).

    User errors are not detected by vulnerability scans; option A is incorrect.

    Scans can’t tell you whether you’ve picked the optimum security controls for your environment; option B is incorrect.

    Vulnerability scanning tools may or may not detect cloud-based vulnerabilities, depending on the tool used, the level of access to the target environment, and the settings applied to the scanner; option C is less accurate than option D.

  61. A. A penetration test requires the tester to analyze the security of an environment from the perspective of an attacker; this also includes actually taking action that would result in breaching that environment.

    Penetration tests may or may not be comprehensive, depending on the intended scope and area of analysis. Option B is incorrect.

    While it’s nice to think of any security assessment as total, that is an extreme term, like all or never; such absolutes can rarely be used in security because there are no absolutes when dealing with risk, and the term has no meaning in this context. Option C is not correct.

    Although the cost of a penetration test will vary according to a vast range of variables, it will rarely be considered inexpensive, especially relative to other forms of security testing. Option D is not correct.

  62. D. Also called fuzz testing, dynamic testing methods should include known bad inputs in order to determine how the program will handle the “wrong” data (will it fail into a state that is less secure than normal operations, etc.).

    Source code review is not part of dynamic testing; option A is incorrect.

    For accurate quality testing, user familiarity with the target software should be minimal and should not be assessed; option B is not correct.

    Penetration includes active steps to overcome security measures; this is rarely the purpose of software testing; option C is not the best answer.

  63. B. User surveys are not an element of active security testing, although they might be used in acceptance testing. All of the other options are included in the OWASP guide to active security testing.
  64. D. Privacy review testing is not included in the OWASP guide to active security testing, although it might be included as an aspect of compliance testing (for organizations in highly regulated industries). All of the other options are included in the OWASP guide to active security testing.
  65. A. While session management testing is included in the OWASP guide to active software security testing, session initiation is not. All of the other options are included in the OWASP guide to active security testing.
  66. C. Intuition testing is not part of the OWASP guide to active security testing. All of the other options are included in the OWASP guide to active security testing.
  67. C. This metric is usually expressed as a percentage of lines of code. For example, “SAST covered 90% of the source code.”

    The number of testers involved means very little when discussing testing coverage; this is a distractor and not correct.

    In some cases, testing reports might include a statistic representing the number of flaws discovered in the code; however, this is usually not a pertinent metric (undetected flaws can’t be measured, so counting the ones that have been detected doesn’t add to your assurance that the code is secure), and code coverage is used more often. Option C is preferable to option B.

    Testing should first occur in an environment where the software has not even been exposed to the possibility of malware infection. Option D is incorrect.

  68. C. In dynamic software security testing, the objective is to test a significant sample of the possible logical paths from data input to output.

    User coverage is a distractor and has no real meaning in this context; option A is incorrect.

    Code coverage is the metric used in static testing, making option B incorrect.

    While it would be nice to test each and every data pathway through an application, with both known good and known bad data, that could be unrealistic, depending on the number of possible branches in the application; this goes up exponentially every time another option/choice is added to the program. Total coverage is not a metric—it’s a hope. Option D is incorrect.

  69. D. Known good data is used to determine if the software fulfills the business requirements for which it was acquired. Known bad data tests the ability of the software to handle inputs and conditions that might put it into a fail state; these inputs and conditions can be invoked either purposefully (by attackers) or inadvertently (by users who make mistakes).

    Testing does not attempt to mimic managers, regulators, or vendors, so the other answers are incorrect.

  70. B. This is not a simple question, and more than one answer could be construed as correct, but option B is the best answer. Tracking and monitoring personnel training is absolutely vital in order to demonstrate regulatory requirements (and many, if not all, organizations are obligated to comply with some regulation that mandates user training) and legal requirements (as an element of due diligence in the modern workplace).

    Option A is the other answer that could be perceived as accurate, but there is a bit of nuance that makes it less preferable than B. Security is a business requirement—it may not be a functional requirement, but it is a requirement nonetheless. Therefore, these two terms are repetitive; security requirements are just a subset of business requirements. Option B is still the better answer.

    Options C and D do not make sense in this context.

  71. B. Training is usually a formal process involving detailed information. This is for those personnel who are involved with the specific topic or task for which the training is intended (for example, personnel involved in business continuity and disaster recovery [BC/DR] activities should get specific, detailed training on how to perform those actions).

    Option A is incorrect because not all personnel require task-centric training. Training required for all personnel in an organization cannot be task-centric training, by definition (not all personnel perform the same tasks).

    Options C and D are incorrect because they would only answer a subset of the question. Management personnel would receive management training and HR personnel would receive HR training. The correct answer is that task-centric training is for specific personnel.

  72. A. Awareness efforts are usually intended to reach as wide an audience as possible within the organization, for generalized information. For instance, fire drills are awareness exercises; everyone in the facility needs to know how to get out and where to go.

    Specific personnel, management personnel, and HR personnel would all receive task-centric training in addition to the awareness instruction that all personnel receive. Options B, C, and D are incorrect.

  73. D. Modern developers usually aren’t writing code—they are recombining library components in novel ways to create new functionality. They may not understand the security risks associated with their work, especially for the cloud environment, which entails a different set of challenges from the traditional environment, which the developers might be more familiar with.

    Options A and B are actually the same concept, reworded, which is patently untrue: depending on the cloud deployment and service models the organization chooses to use, software developers may or may not be crucial (for instance, in a software as a service [SaaS] public cloud, many organizations won’t even need internal development teams).

    Option C is just wrong: security controls can be added to software after it has been fielded. This is just not a best practice, as it is usually less effective and more expensive (in terms of both money and overhead).

  74. B. Because cloud operations are so dependent on encryption protections in all data life-cycle phases, developers will have to accommodate the additional overhead and interoperability encryption requires.

    The hacking threat (foreign or otherwise) does not change whether the target is the cloud or the (connected) traditional environment; option A is incorrect.

    Likewise, the threat of DDoS attacks does not increase; if anything, it may decrease, because the cloud provider may be more resistant to such attacks than individual organizations would be. Option C is not correct.

    Regulatory requirements may or may not change when moving into the cloud. Moreover, developers are not likely to be the ones interpreting and responding to these new mandates; that is a level of abstraction above developer insight into software requirements. Option D is not preferable to B.

  75. D. Because shared resources in the cloud may mean increased opportunity for side-channel attacks, developers will have to design programs to function in a way that ensures process isolation.

    Management oversight should not change from a policy perspective, regardless of where the processing is taking place; option A is incorrect.

    There is no additional workload resulting from cloud migration; in fact, the load should decrease, because the cloud customer cannot impose governance on the cloud provider. Option B is wrong.

    Malware threat does not increase or decrease in the cloud environment; option C is incorrect.

  76. B. Masking allows customer service representatives to review clients’ sales and account information without revealing the entirety of those records (for instance, obscuring credit card numbers except for the last four digits).

    Anonymization strips out identifying information from a record. This would not aid in limiting customer service personnel from viewing sensitive data, but it would make it impossible for customer service personnel to know who they were communicating with and leave them unable to identify customers, which would defeat the purpose of their existence. Option A is incorrect.

    Encryption of sales/account records would not limit customer service personnel in their review of account records. It would either prevent them from seeing the records at all or allow them to see the entirety of the records (depending on whether the representatives were given keys to that encrypted data). Option C is incorrect.

    Training does not limit access; option D is incorrect.

  77. A. While some development models allow for user involvement in the entirety of the process, user input is most necessary in the Define phase, where developers can understand the business/user requirements—what the system/software is actually supposed to produce, in terms of function and performance. All the other options are beneficial phases to gauge user input, but not as crucial as option A.
  78. A. The earlier security inputs are included in the project, the more efficient and less costly security controls are overall. The Define phase is the earliest part of the SDLC. All the other options are later phases and incorrect.
  79. D. During testing, getting outside perspective is invaluable, for both performance and security purposes; internal development and review capabilities are enhanced by augmentation from external parties.

    All the other phases are not normally appropriate for external participation.

  80. A. Once the system is deployed operationally, continuous security monitoring, including periodic vulnerability assessments and penetration testing, is recommended. All the other options are security functions that should take place in phases prior to the system’s deployment.
  81. C. Security and operations are always inversely related; excessive controls necessarily degrade performance.

    Excessive use of controls should not lead to more data breaches; if anything, it may reduce their occurrence. However, it is more likely that there will be no effect. Option A is incorrect.

    Many controls don’t affect the electromagnetic spectrum in any way. Option B is incorrect.

    Regulations don’t usually mandate a maximum set of controls but rather a minimum. Option D is incorrect.

  82. D. From a simple financial perspective (which is often the managerial perspective), money spent on excessive anything is money wasted; spending to no good effect is detrimental.

    Overuse of controls should not result in greater risks of DDoS, malware, or environmental threats in any way. Options A, B, and C are incorrect.

  83. A. If excessive controls impact the user/customer experience to the extent that system response speeds and results are delayed significantly, and performance is degraded to the point where competitors’ systems are far superior, customer dissatisfaction can be a severe problem.

    Some security controls (particularly physical controls) can affect health and human safety, such as if extraneous fencing/walls/barriers are put in place to control access/egress, and this hinders emergency escape from facilities. However, not all security controls pose this risk, so option B is a bit too specific; option A is still preferable.

    Security controls should not affect stock price or, in and of themselves, negate insurance needs (risk mitigation does not automatically offset the benefits of risk transference). Options C and D are incorrect.

  84. D. The problem in this case is not so much that policies have been violated or that, in a more literal sense, the unapproved APIs are being used to access the data; the problem is that the violations are so pervasive and extensive that taking any immediate direct action (such as the responses in options A, B, and C) might interfere with business activity in a drastic and potentially harmful way. Because of this, the matter needs to be dealt with as a business decision and requires that senior management make a determination before action is taken.
  85. A. Again, before taking any action that might impact operations, it would probably be best to figure out the actual user needs being met by the unapproved APIs, and the severity of impact if they were removed from service, before performing the actions described in options B, C, and D.
  86. D. It’s hard to argue with success; operational capability and security are always a trade-off, but this kind of productivity increase with little attendant cost is probably too good to pass up. It also seems evident that the existing policy is far too restrictive and limiting and that it is not being accepted by a significant number of users; trying to mandate its acceptance, and enforcing it with punitive measures, especially in the face of the overwhelming success of the violations, is most likely counter to the company’s overall interests. It is best to revisit the policy itself, determine why it didn’t meet user needs originally, and modify it so as to meet the demands of both the users and senior management (as well as whatever other externalities may have been the foundation of the policy). Options A, B, and C may be attractive, but they are all less preferable than D.
  87. D. APIs chosen by users may or may not have integral security and probably weren’t chosen according to how secure they are; because the company will continue to be exposed to additional risks from these (and future) APIs, additional security controls are absolutely necessary.

    However, personnel actions and draconian enforcement efforts at this point would be pointless and vindictive, and probably counter to the company’s interests. Options A, B, and C are incorrect.

  88. B. Because untrusted APIs may not be secured sufficiently, increased vigilance for the possibility of introducing malware into the production environment is essential.

    It is impossible to encrypt devices that don’t belong to the organization. Option A is incorrect.

    Securing access to user-owned devices is admirable, but it has no effect at all on securing the device (or production environment) from risks due to installed APIs; option C is incorrect.

    This is a security question, and option D addresses performance; this is incorrect.

  89. A. In order to detect possible erroneous or malicious modification of the organization’s data by unauthorized or security-deficient APIs, it’s important to take representative samples of the production data on a continual basis and perform integrity checks.

    Additional personnel security measures will not, in this case, yield any relevant security benefit; options B and D are not correct.

    It is always good to refer to regulations in policies; this isn’t something to be performed in response to the policy change but should have been included when the policy was created. Option C is incorrect.
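The integrity sampling described in answer 89, as an added example that is not from the book or any vendor product. It assumes a hypothetical in-memory table of records, a placeholder HMAC key (a real deployment would hold it in a secret store, outside the reach of any unapproved API), and an approved write path that refreshes the baseline digest whenever it changes a record; a record whose recomputed digest no longer matches the baseline was therefore modified by some other path.

```python
import hashlib
import hmac
import json
import random

# Constructed sample "production" records (hypothetical data for this example).
PRODUCTION_RECORDS = {
    1001: {"customer": "Customer A", "balance": "120.00"},
    1002: {"customer": "Customer B", "balance": "75.50"},
    1003: {"customer": "Customer C", "balance": "980.10"},
    1004: {"customer": "Customer D", "balance": "0.00"},
}

# Placeholder key. In practice it lives in a secret store so that software
# writing through an unapproved path cannot also forge the baseline digests.
BASELINE_KEY = b"placeholder-integrity-key"


def record_digest(key: bytes, record: dict) -> str:
    """Keyed digest over a canonical (sorted, compact) serialization of one record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_baseline(key: bytes, records: dict) -> dict:
    """Digest every record once, at a point where the data is known to be good."""
    return {rid: record_digest(key, rec) for rid, rec in records.items()}


def authorized_update(key: bytes, records: dict, baseline: dict, rid, new_record: dict) -> None:
    """The approved write path: change the record and refresh its baseline digest."""
    records[rid] = new_record
    baseline[rid] = record_digest(key, new_record)


def sample_and_verify(key: bytes, records: dict, baseline: dict, sample_size: int, seed=None):
    """Pick a random sample of record IDs and recompute their digests.

    Returns (sampled_ids, mismatched_ids). A mismatch means the record changed
    without passing through authorized_update, i.e. through some other path.
    A fixed seed is only for reproducible runs; leave it None in real use."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    ids = rng.sample(sorted(records), min(sample_size, len(records)))
    mismatched = [
        rid for rid in ids
        if not hmac.compare_digest(record_digest(key, records[rid]), baseline[rid])
    ]
    return ids, mismatched


if __name__ == "__main__":
    records = {rid: dict(rec) for rid, rec in PRODUCTION_RECORDS.items()}
    baseline = build_baseline(BASELINE_KEY, records)
    # An approved change is not flagged; a direct write that bypassed it is.
    authorized_update(BASELINE_KEY, records, baseline, 1002,
                      {"customer": "Customer B", "balance": "80.00"})
    records[1003]["balance"] = "0.00"  # simulated write via an unapproved API
    print(sample_and_verify(BASELINE_KEY, records, baseline, sample_size=4))
```

The sample size trades cost against detection probability: checking a fraction of the records on every cycle catches widespread tampering quickly, while a rare single-record change is found only over several cycles, so the cadence and sample size should be set against how much unauthorized modification the organization can tolerate going unnoticed.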

  90. C. Additional user training would be helpful in this situation, particularly any information that helps users understand the reasons APIs from unknown sources might be less secure and the potential impacts from using them.

    All the other answers are incorrect; securing the connection between endpoints and the cloud is irrelevant in protecting against risks caused by software installed on the client devices.

  91. B. Cryptography for the two main types of APIs is required; this is TLS for representational state transfer (REST) and message-level encryption for Simple Object Access Protocol (SOAP).

    SSL has been deprecated because of severe vulnerabilities; this eliminates options A and C. Whole drive encryption protects against loss or theft of a device but does not secure API access to the data, which eliminates option D.

  92. D. Accountability is the end purpose of all IAM efforts; all the other options are the elements of IAM that support this effort.
  93. A. Regulatory compliance has historically driven IAM efforts. All the other options can to some extent drive IAM efforts; however, they do not have as much influence as regulatory factors. Therefore, options B, C, and D are incorrect answers.
  94. C. Both physical and logical controls are possible (and necessary) to implement in both environments.

    Options A and B are really only feasible if the organization is using a cloud service (or other managed service); the terms managed and provider suggest this. This makes these options less desirable for a question that also includes the traditional environment.

    It is not reasonable to expect that the organization can impose administrative controls in a cloud environment (for the provider environment), so option D is not correct.

  95. B. The data owner is most familiar with the risks and impacts associated with the data sets under their control.

    The data subject may grant permission for a data owner to have the subject’s data but will not govern the granular assignment of access rights. Option A is incorrect.

    The data processor does not have the right to grant data access and must only act at the direction of the data owner. Option C is incorrect.

    Regulators dictate how data must be secured, and possibly in what manner, but do not supervise explicit access to that data. Option D is incorrect.

  96. C. Performance should not determine who gets access to which data; all the other options are the factors for making this determination.
  97. D. Federation allows users from multiple member organizations to access resources owned by various members.

    All the other answers are simply not correct.

  98. C. Federation allows ease of use for access to multiple resource providers; this provides a transparent user mechanism.

    The goal of federation is to enhance the user experience, the exact opposite of making the environment more hostile to them. Option A is incorrect.

    Option B is incorrect because it is meaningless in this context.

    Option D is incorrect. Users typically do not pay for the organization’s IT environment.

  99. C. WAFs apply rulesets to web traffic, which uses HTTP. All the other answers are incorrect.
  100. C. These are both Layer 7 tools. All the other answers are incorrect.
  101. B. Aside from encryption, PCI DSS allows for tokenization as a means to protect account and cardholder data at rest.

    Tokenization is not encryption; there is no encryption engine and no key involved in the process. Option A is incorrect.

    Tokenization does not necessarily enhance or detract from the user experience; option C is incorrect.

    Management is not allowed any additional oversight into any particular function by tokenization; option D is incorrect.
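To make the point of answer 101 concrete (tokenization involves no cipher and no key), here is an added example of a minimal token vault; it is not code from the book or from any PCI-certified product. It assumes a hypothetical `TokenVault` class that hands out random digit strings of the same length as the card number, and the sample card number is a constructed test value, not a real account.

```python
import secrets
import string

# Constructed sample card number for this example (a test value, not a real account).
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Hypothetical tokenization vault (illustration only).

    A token is a random digit string the same length as the PAN, so it fits in
    the same database column and passes the same format checks. No cipher and no
    key are involved: the token is unrelated to the PAN except through the
    vault's lookup table, which is why tokenization is not encryption."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit():
            raise ValueError("expected a digit-only PAN")
        if pan in self._pan_to_token:  # the same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice(string.digits) for _ in pan)
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the tokenizing third party) can reverse a token."""
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the merchant's own systems store: the token, never the PAN."""
    return {"customer": customer, "card_token": vault.tokenize(pan)}


def format_preserved(token: str, pan: str) -> bool:
    """Check that the token keeps the length and digit-only shape of the PAN."""
    return len(token) == len(pan) and token.isdigit()


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, "Constructed Customer", SAMPLE_PAN)
    print(record)
    print("vault lookup:", vault.detokenize(record["card_token"]))
```

Because the merchant holds only tokens, a compromise of its database yields nothing that can be used as a card number; the sensitive mapping lives solely in the vault, which is the system that inherits the PCI DSS obligations for data at rest.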

  102. A. By offloading privacy data to a tokenizing third party, merchants can free themselves of the contractual burdens for protecting cardholder data at rest.

    The data owner is the merchants themselves, and the data subject is the person to whom the privacy data applies, so privacy data cannot be outsourced to either of these, and options B and C are incorrect.

    The PCI Council is the body that promulgates and enforces the PCI DSS; they will not process data on behalf of any merchant. Option D is incorrect.

  103. C. This answer requires some thought about how the original data is displayed and its properties.

    Option A masks only one letter in a four-letter string; this is not sufficient because the original string could be identified with a very low work factor: a brute-force attack over only 26 possible combinations.

    Option B is likewise easy to break; it only reverses the content of the string, which is very simple to determine, and would allow easy recovery of any other similar strings in the data set.

    Option D mixes numeric characters into what was originally only an alphabetic string; this may detract from the utility of the string if the masked version is to be used for software testing.

    Option C completely obscures the original content but retains the qualities of the original (all alphabetic characters). It may affect the use of the string by mixing uppercase and lowercase, but this is still the best choice of the four possible answers.
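    The two answers above (101, tokenization as a keyless alternative to encryption, and 103, choosing a masking scheme) are easier to reason about with the mechanisms side by side. The following is an added example, not code from the book: a vault-style tokenizer of assumed design (random surrogate plus a lookup table, no cipher and no key) next to the three masking styles discussed in 103, including a function that enumerates the 26 guesses needed to undo a one-letter mask. The card number and the "ABCD" field are constructed test values.

```python
import secrets
import string


class TokenVault:
    """Vault-style tokenization (assumed design, illustrating answer 101).

    A random surrogate stands in for the sensitive value; there is no cipher
    and no key. Reversal is only possible through the vault's lookup table,
    which is why the vault itself must be protected like the original data."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one PAN always maps to one surrogate.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_value:  # collision is vanishingly rare
            token = "tok_" + secrets.token_hex(8)
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


# --- Masking styles for a short uppercase alphabetic field (answer 103) ---

def mask_last_char(value: str) -> str:
    """Option A style: hide only the final letter."""
    return value[:-1] + "*"


def candidates_for_last_char_mask(masked: str) -> list:
    """Everything an attacker has to try to undo mask_last_char: 26 guesses."""
    return [masked[:-1] + c for c in string.ascii_uppercase]


def reverse_string(value: str) -> str:
    """Option B style: trivially reversible, so not really masking at all."""
    return value[::-1]


def random_alpha_mask(value: str) -> str:
    """Option C style: replace every character with a random letter, keeping
    the length and the all-alphabetic property so test code still accepts it.
    Mixed case is the side effect the answer mentions."""
    return "".join(secrets.choice(string.ascii_letters) for _ in value)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number, not real cardholder data
    tok = vault.tokenize(pan)
    print(tok, vault.detokenize(tok) == pan)
    print(mask_last_char("ABCD"), len(candidates_for_last_char_mask("ABC*")))
    print(reverse_string("ABCD"), random_alpha_mask("ABCD"))
```

    Note that `detokenize` is the only path back to the original value: compromising the vault is equivalent to compromising the data, so PCI DSS scope moves to wherever the vault lives rather than disappearing.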

  104. D. Installing malware on systems owned by someone else may be illegal in many jurisdictions. While on-premises sandboxes are fine for this purpose, it may be a felony if performed in the cloud.

    All the other options are good uses of cloud-based sandboxes.

  105. C. It is important to verify and validate the program at each stage of the SDLC.

    Adding functionality at each stage of the SDLC is the definition of scope creep, which is what we’d like to avoid. Option A is incorrect.

    Management should not have to shepherd software through the development process; this is the process of the development team. Option B is incorrect.

    Option D is a distractor and makes no actual sense.

  106. A. It is important to verify and validate the program at each stage of the SDLC.

    Adding functionality at each stage of the SDLC is the definition of scope creep, which is what we’d like to avoid. Option A is incorrect.

    Management should not have to shepherd software through the development process; this is the process of the development team. Option B is incorrect.

    Option D makes no sense: you can’t repurpose something that has just been developed.

  107. A. When security is created as an aspect of the software itself, there is less need to acquire and apply additional security controls to mitigate risks after deployment. Option B is also wrong for this same reason.

    Options C and D are incorrect because the inclusion of security aspects in software design should not affect interoperability in any significant way.

  108. C. ISO 27034 addresses the sets of controls used in software throughout the environment.

    800-37 is the Risk Management Framework, which is about the organization’s overall security, not software development, so option A is incorrect.

    The AICPA is a standards-making body, not a standard itself, so option B is incorrect.

    HIPAA deals with health care privacy, so option D is incorrect.

  109. D. It is important to consider software development as having a defined process and an eventual endpoint for the useful life of the product.

    Not every organization is a software development company. Even in software development companies, not everyone participates in development (there are other departments/offices, such as sales, accounting, etc.). Option A is a poor choice.

    Option B is only a correct answer if the organization is a software development company. Otherwise, it is not a correct answer. Option B is incorrect.

    If software development poses the most significant risk to your organization, you probably shouldn’t be doing software development. Option C is incorrect.

  110. A. Running the software and allowing users to operate it is a great form of dynamic testing, which simulates both known good and known bad inputs.

    Dynamic testing does not involve source code review or social engineering; options B and C are incorrect.

    Penetration tests occur in the production environment, not on pre-deployment software; option D is incorrect.

Chapter 5: Domain 5: Cloud Security Operations

  1. D. This is not an easy question; different industries and different organizations will have differing goals. Each organization will determine for itself what the primary goal of incident response will be, and this may even differ from incident to incident, depending on the nature of the incident itself (in other words, a given organization may set priorities such that the primary goal of incident response in a disaster is continuity of operations, while the goal in responding to unauthorized access may be halting data disclosure).
  2. D. The minimum recommended height of a raised floor in a data center is 24 inches. All other options are incorrect.
  3. B. The raised floor in a data center will serve as an air plenum (usually for cold air) and a wiring chase. All the other options are incorrect.
  4. D. The preferred method is cold aisle containment (hot aisle containment, which likewise alternates racks so that inlets face inlets and exhausts face exhausts, is acceptable too). Options A and B are the same incorrect answer, just worded differently; if the exhaust fans on one rack face into the inlet vents on another rack, you would end up blowing warm air into the components, defeating the purpose of airflow management. Perpendicular racks will not optimize your airflow.
  5. C. All activity in the environment can be considered events. Any event that was not planned or known is an incident. In the security industry, we often ascribe negative effects to the term incident, but incidents are not always malicious; they are only unscheduled.

    All the other options are incorrect.

  6. A. This is a difficult, nuanced question. Options A–C are true; each element would affect the design of a cloud data center (D is not something that should be included in data center design). But the physical location of the data center would include legal constraints (based on jurisdiction), geological/natural constraints (based on altitude, proximity to water formations/flooding, climate, natural disaster, etc.), price, and other variables. Therefore, location would most likely have the greatest impact on the design of the facility.
  7. D. Language of the customers is irrelevant, assuming they can pay. All the other options are factors that must be considered in data center design.
  8. B. This is not an easy question. All the options are correct except C. Option B is the most correct because it will lead to maximizing performance, value, and profitability.
  9. D. The goal of automating service enablement is probably paramount for any cloud service provider (of the qualities listed), because it allows for the most scalability and offers the most significant reduction in costs (which mainly come from personnel) and therefore the most profitability. The details of “public cloud,” “IaaS,” and “North America” are distractors in this context as they are irrelevant—this answer would be true for any cloud provider offering any type of services.

    Options A and B are not true because most cloud providers of any appreciable size are purchasing hardware on a scale that makes the per-unit failure rate fairly irrelevant; the bulk nature of IT purchases by cloud providers makes differences in MTTR and MTBF between vendors and products statistically insignificant.

    Option C is incorrect because RTO is a quality involving business continuity and disaster recovery (BC/DR) planning, not IT architecture.

  10. C. Network segmentation allows providers to create zones of trust within the cloud environment, tailoring the available services to meet the needs of a variety of clients and markets.

    SDN does not really involve monitoring outbound traffic (that is done by egress monitoring solutions) or inbound traffic (that is usually performed by firewalls and routers), nor does it really prevent DDoS attacks (nothing can prevent such attacks, and risk reduction is usually done by routers), so all the other options are incorrect.

  11. B. The ability to log activity is useful for many security purposes (such as monitoring and forensics); having that purposefully included in SaaS applications reduces the need to have a different tool added to the environment to achieve that same goal and reduces the possibility that any additional interface won’t perform optimally.

    The other options are all about enhancing the customer’s ability to perform business function or meeting the customer’s business needs. Although this is paramount from the customer’s perspective and may tangentially fulfill some security purpose (increased processing capacity may, for instance, allow the use of additional encryption, where the overhead may otherwise deter the use of that tool), these are not direct security purposes and therefore are not correct answers to this specific question.

  12. D. California is known for suffering massive destruction from earthquakes, and physical design is the means with which this risk is addressed.

    All the other options either involve a nonphysical risk (DRM will be necessary, because the entertainment industry relies heavily on copyrighted material) or a method other than physical design to address a risk (floods are physical threats, but insurance is an administrative control for risk transfer), so D is the best choice of these options.

  13. A. For the purposes described in the question, a Tier 1 data center should suffice; it is the cheapest, and you need it only for occasional backup purposes (as opposed to constant access). The details of location and market are irrelevant.

    Tiers 3 and 4 would be much more expensive, and they are not necessary for your business purposes; options B and C are thus incorrect.

    There is no Tier 8 in the Uptime Institute system.

  14. C. If your company is involved in e-commerce, you are most likely using credit cards for online transactions; if you’re using credit cards, you are almost certainly constrained by the Payment Card Industry Data Security Standard (PCI DSS) or one of the other contractual standards like it. Because of this, you will be required to encrypt or tokenize all stored cardholder data, and for long-term storage, encryption is the cheaper, more durable process.

    DDoS and mirroring are availability protections, and availability is not your company’s main concern for cloud services from the question description; long-term storage is not focused on availability. Options A and B are thus incorrect.

    Hashing is an integrity protection, and though hashes may be useful in this case (to determine whether stored data is accurate), they won’t be as important as compliance with credit card standards. Option C is the preferable answer compared to D.

  15. C. ISO is the only truly international standard on this list of choices; all the rest are either American laws or standards (options A and D) or European (option B).
  16. B. The changing nature of your business will require a much more stringent set of operating standards, to include an increase in Uptime Institute tier levels; because you’re no longer just using the cloud for backup and long-term storage and are now using it in direct support of health and human safety, Tier 4 is required.

    Fully automated security controls are useful from the provider’s perspective (allowing more profitability and scalability), but this is not a major concern of the customer. Option A is incorrect.

    Global remote access and reducing the risk of malware infections (to include ransomware) are basic functions of almost all cloud providers; these functions aren’t useful discriminators when choosing cloud providers because all cloud providers have them. Options C and D are thus incorrect.

  17. C. Backup power does not have to be delivered by batteries; it can be fed to the data center through redundant utility lines or from a generator.

    All the other elements are necessary for safe and secure data center operations, for both the personnel and the equipment within the data center.

  18. A. This answer is mostly arrived at through a process of elimination.

    Option B is not optimum because of the potential for vendor lock-in, restrictions on buildout, and privacy concerns.

    Option C is not optimum because Tier 2 is not sufficient for medical uses.

    Option D is not optimum because there was obviously a reason to consider a new option.

    We are therefore left with option A, which is the most expensive of the choices but allows the greatest amount of control and security.

  19. D. In any large metropolitan area, government restrictions on development and construction can severely limit how you use your property; this can be a significant limiting factor in building a data center.

    The size of the plot may or may not matter, depending on if you are allowed to build up or dig down to make use of additional space—these options will be limited by municipal building codes, so option D is preferable to option A.

    Utilities and personnel are usually easy to acquire in an urban setting, so options B and C are incorrect.

  20. C. In a rural location, the positioning and depth of first responders (fire, law enforcement, paramedics, etc.) may be severely limited in comparison to an urban setting.

    Natural disasters affect all locations, rural or urban, so a rural setting is not any more or less limiting in planning accordingly; option A is incorrect.

    Oddly enough, because of the very limited need for personnel within modern data centers with significant automation, recruiting and placing the number of people necessary to serve the purpose should not be too difficult; option B is not correct.

    One of the appeals of a rural setting is that building codes are often rudimentary or nonexistent. Option D is incorrect.

  21. C. All the other options are incorrect.
  22. A. The range suggested by the ASHRAE Technical Committee 9.9 is 64 to 81 degrees Fahrenheit. All the other options are distractors (although D is particularly distracting, because it is lower than the recommended range, but that is not what the question is asking).
  23. D. Being damp does not make people more susceptible to trickery.

    Moisture in the air can, however, create mold/mildew, short circuits, and rust, so all the other options are incorrect.

  24. B. The return air temperature will be slightly higher than anywhere else inside the data center because the air has been warmed by passing through the equipment (thus cooling the equipment but warming the air). Using this as a temperature set point will result in much cooler air feeding the server inlets, which takes more energy, which will be more expensive.

    Options A and C are incorrect because that air is already cold; using these locations as set points will not consume as much energy and may result in somewhat warmer air entering the servers. This will be less expensive than option B.

    Option D is an outlying distractor; if you set your heating, ventilation, and air conditioning (HVAC) controls to respond to the temperature outside the data center, your HVAC units are responding to temperatures that have nothing to do with the internal environment. In effect, you’d be trying to adjust the temperature of the outside world, which is ridiculous.

  25. D. The HVAC system is a heat exchange, swapping warm internal air from the data center to the outside world and drawing fresh air through the HVAC chillers to feed the internal environment.

    All the other options are incorrect because they would have the opposite effect, pushing warm air into the areas where cool air is supposed to be.

  26. D. When cables come up through a raised floor used as a cold air feed, we don’t want cold air bleeding around the cables in an unplanned manner; this can cause inefficiencies in airflow control. Gaskets are required at all points where cable comes through the floor, to restrict airflow and reduce the possibility of cold air escaping.

    All the other options are incorrect because we want to minimize obstructions in underfloor plenums we use for airflow. Options A, B, and C do not accomplish this.

  27. D. While minimizing equipment in the operational environment can aid in many efforts, including cable management, it is not strictly an aspect of cable management, so this is the best choice from those available. All the other options are definitely aspects of cable management.
  28. B. Cable management is an ongoing process. All the other options are incorrect because they are time-based intervals rather than continuous.
  29. C. It shouldn’t matter which design you use as long as airflow is managed. Neither hot nor cold aisle containment is preferable to the other, so options A and B are incorrect. Airflow does need to be managed, though, so option D is incorrect as well.
  30. B. This is a difficult question because almost all of the options are true—they will all have an effect on the cost of running HVAC systems.

    Because HVAC operates as a heat exchange, the outside environment will dictate how much power is needed to force warm air out of the data center. The warmer the climate in the location of the data center, the more energy it will take to exchange the heat, and the more costly the HVAC operation. This is the most significant factor.

    Option A is incorrect and it is the only choice that does not affect energy costs; hot and cold aisle containment should be equivalent in terms of operational costs.

    The initial cost of the HVAC units themselves will probably have an effect on operational costs because better equipment will cost more money, but it will also be more efficient and therefore less expensive to operate than cheaper alternatives. However, the effect still won’t be as significant as the external climate, so option C is still not as good as option B.

    Good cable management will make airflow more efficient and therefore make HVAC less expensive, but this will not be as dramatic in impact on operating costs as the external environment. Once again, option B is preferable to option D.

  31. D. Usually, different political regions are served by different utility providers; placing your data center on such a boundary may make it feasible to have redundant, overlapping power providers.

    Municipalities typically limit selection of power providers by granting an artificial monopoly to a single provider; option A is incorrect.

    Rural settings are often only served by a single provider because the demand is not sufficient to support competition; option B is incorrect.

    Coasts do not affect the availability of multiple power providers; option C is a distractor.

  32. B. While maintaining a library of software licenses is important, it is not part of the practice we ordinarily consider “hardening.”

    The other options are all aspects of software hardening.

  33. C. Audits usually aren’t considered an element of hardening. Hardening is the process of provisioning a specific element (in this case, a host) against attack. Audits don’t protect against attack; they only detect and direct response to attacks.

    All the other options are aspects of host hardening.

  34. B. Users are not an aspect of configuration management.

    All the other options are elements of secure configuration management.

  35. A. HTTPS is not a storage protocol. All the other options are.
  36. B. Virtual switches are widely used in virtualized networks. Unlike physical switches, which only lose one connection if a connecting cable is lost, virtual switches can be connected to multiple virtual machines via a single cable; if a cable is lost in a virtualized network, that can affect tens or dozens of devices. In this context, the benefits offered by scalability come with attendant risks.

    The other options are characteristics that don’t cause additional risk to the environment; in fact, redundancy reduces risk.

  37. A. It is possible to route multiple VLANs through a switch port (physical or virtual) with proper frame tagging. However, to optimize isolation of subnets and processes in a virtual network environment, it is better to use different ports instead.

    iSCSI traffic should be encrypted as another layer of defense within the environment; option B is wrong.

    HIDSs may or may not be cost-effective, depending on the value and sensitivity of the data on each guest; the additional overhead may not justify their use. Option C is incorrect.

    Firewalls should be hardened regardless of the nature of the network, whether virtual or physical; option D is incorrect.

  38. B. The management systems control the entirety of the virtual environment and are therefore extremely valuable and need to be protected accordingly. When possible, isolating those management systems, both physically and virtually, is optimum.

    All the other options are incorrect because they imply that virtual and physical cannot coexist when in fact they need to coexist to work correctly.

  39. A. When an active virtual machine is moved from one host to another (for instance, when the host is going into maintenance mode), its memory and state are often passed along the network unencrypted unless the hypervisor's migration traffic has been explicitly configured for encryption. An insider threat observing that link could capture a copy of the running machine in its entirety, including whatever secrets are in its memory at the time.

    All the other options are not risks specific to a virtualized environment and are therefore incorrect.

  40. D. In a pooled environment, law enforcement may acquire physical or logical assets (drives, data stores, etc.) that include your organization’s data, even if your organization was not the target of the investigation.

    All the other options are not risks due to pooled resources; they exist in all environments. These options are not correct.

  41. C. The cost of each device is spread across many machines in the data center; unlike a desktop-based environment, where every user and every machine need their own KVM setup, just a few devices can serve an entire data center.

    While the cloud provider may generate a great deal of revenue, no company likes to throw away money unnecessarily; option A is incorrect.

    Cloud providers are not typically invested in KVM vendors. Option B is incorrect.

    Option D is simply incorrect.

  42. D. The range suggested by the ASHRAE Technical Committee 9.9 is 64 to 81 degrees Fahrenheit. All the other options are incorrect (although A is particularly distracting, because it is higher than the recommended range, but that is not what the question is asking).
  43. A. Secure KVMs support drastically isolated operations; they cut down on the possibility of data being inadvertently shared from one customer to another.

    Option B is incorrect because devices will not leave the cloud data center simply because they are not managed by secure KVMs.

    Option C is incorrect because using secure KVMs will not have an effect on physical inventories.

    Option D does not contain enough information to be the correct answer. "Audit purposes" is ambiguous.

  44. A. Referred to as “break before make,” these devices often take the form of manual pushbutton controls; as the button is pushed, the current connection is forced to physically separate, and when the button is fully engaged, the new connection is made.

    Options B and C have more to do with risks of electromagnetic emanations than with air-gapped selectivity; even air-gapped devices can leak data through emanations.

    Option D is incorrect because portability is not a property we seek in device selectors.

  45. D. The production activities will make full use of pooled resources, so they will not be isolated (unless the customer is paying for that specific characteristic of service).

    All the other options are functions that should take place on isolated networks/segments.

  46. B. A VLAN is its own broadcast domain: broadcast packets sent by machines inside the VLAN do not reach machines outside it, even when those machines are on the same physical switch or segment. Option B is the exception.

    All the other options are characteristics of a VLAN.

  47. A. Gateway devices enforce the VLAN rules and can allow or deny outbound traffic.

    Communications traffic from a VLAN may or may not be encrypted; option B is incorrect.

    Repeaters are used to enhance signals along a line over a certain distance; they have nothing to do with VLANs. Option C is incorrect.

    Option D makes no sense in this context.
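    Answers 37, 46 and 47 all rest on the same mechanism: 802.1Q frame tagging lets several VLANs share one port, and the switch then confines broadcasts to ports that carry the frame's VLAN. The following is an added example, not code from the book: a parser for the 802.1Q tag on an Ethernet frame and a small switch model (assumed simplified design: access ports carry one VLAN, trunk ports carry an allowed set) that shows which ports a broadcast reaches. All frames and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and, if present, the 802.1Q tag.

    Tagged frames carry TPID 0x8100 where the EtherType would be, followed by
    a 16-bit TCI: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: bytes, src: bytes, vid, ethertype: int, payload: bytes) -> bytes:
    """Build an untagged (vid=None) or 802.1Q-tagged frame with PCP 0."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


class VlanSwitch:
    """Simplified VLAN-aware switch (assumed model): each port has a native
    VLAN (PVID) for untagged frames and a set of VLANs it is allowed to carry."""

    def __init__(self):
        self.ports = {}

    def add_access_port(self, name: str, vlan: int):
        self.ports[name] = {"pvid": vlan, "allowed": {vlan}}

    def add_trunk_port(self, name: str, native: int, allowed):
        self.ports[name] = {"pvid": native, "allowed": set(allowed) | {native}}

    def classify(self, ingress: str, frame: bytes):
        """VLAN the frame belongs to, or None if the ingress port must drop it."""
        hdr = parse_frame(frame)
        vid = hdr["vid"] if hdr["vid"] is not None else self.ports[ingress]["pvid"]
        return vid if vid in self.ports[ingress]["allowed"] else None

    def flood(self, ingress: str, frame: bytes) -> list:
        """Ports that receive a broadcast: every other port carrying that VLAN,
        which is exactly why a VLAN is its own broadcast domain."""
        vid = self.classify(ingress, frame)
        if vid is None:
            return []
        return sorted(p for p, cfg in self.ports.items()
                      if p != ingress and vid in cfg["allowed"])


if __name__ == "__main__":
    sw = VlanSwitch()
    sw.add_access_port("a1", 10)
    sw.add_access_port("a2", 10)
    sw.add_access_port("b1", 20)
    sw.add_trunk_port("t1", 1, {10, 20})
    arp = build_frame(BROADCAST, bytes.fromhex("020000000001"), None, 0x0806, b"arp")
    print("untagged broadcast from a1 reaches:", sw.flood("a1", arp))
    print(parse_frame(build_frame(BROADCAST, bytes.fromhex("020000000002"), 20, 0x0800, b"x")))
```

    The `classify` step is the security-relevant part: a frame tagged for a VLAN the ingress port is not allowed to carry is dropped, which is the check a switch must perform to stop a host on an access port from injecting itself into another tenant's VLAN. The gateway device from answer 47 sits on the trunk and is the only place traffic crosses between VLANs.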

  48. B. TLS uses X.509 certificates to authenticate the server (and optionally the client) and negotiates a symmetric session key that lasts for only one session.

    SAML is used for federation authentication/identification; option A is incorrect.

    802.11 is the suite of wireless standards; option C is incorrect.

    Diffie-Hellman is a key agreement protocol that derives a shared symmetric key from each party's ephemeral public/private values; by itself it provides no authentication, which is why TLS combines it with certificates. Option D is incorrect.
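    The property the answer relies on, a symmetric key that exists for one session only, comes from running a fresh Diffie-Hellman exchange inside the certificate-authenticated handshake. The following is an added example, not code from the book, of that exchange: both sides generate ephemeral values, derive the same session key, and a second handshake yields a different key. The group (a Mersenne prime with generator 3) and the single-hash key derivation are toy assumptions for illustration; real TLS uses standardized groups such as the RFC 7919 finite-field groups or X25519 and HKDF over the handshake transcript, and the server signs its share with the private key behind its certificate, which is omitted here.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): 2**521 - 1 is prime, generator 3.
# Not a standardized TLS group; do not use for anything real.
P = 2**521 - 1
G = 3
_P_BYTES = (P.bit_length() + 7) // 8


def ephemeral_keypair():
    """Fresh private exponent and public share for one session."""
    priv = secrets.randbelow(P - 2) + 1          # 1 .. P-2
    return priv, pow(G, priv, P)


def is_valid_share(pub: int) -> bool:
    """Reject the degenerate shares (0, 1, P-1) that force a predictable secret."""
    return 1 < pub < P - 1


def session_key(own_priv: int, peer_pub: int, transcript: bytes) -> bytes:
    """Derive the per-session symmetric key from the shared secret.

    A single SHA-256 over secret || transcript stands in for TLS 1.3's HKDF
    schedule (assumption for the example)."""
    if not is_valid_share(peer_pub):
        raise ValueError("invalid peer share")
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(_P_BYTES, "big") + transcript).digest()


def handshake(transcript: bytes = b"client_hello|server_hello"):
    """One TLS-style exchange; returns (client_key, server_key), which must match.
    In TLS the server would sign s_pub with its certificate's private key so the
    client can tie the share to an X.509 identity; that signature is omitted here."""
    c_priv, c_pub = ephemeral_keypair()
    s_priv, s_pub = ephemeral_keypair()
    k_client = session_key(c_priv, s_pub, transcript)
    k_server = session_key(s_priv, c_pub, transcript)
    return k_client, k_server


if __name__ == "__main__":
    k1, k1_peer = handshake()
    k2, _ = handshake()
    print("keys agree:", k1 == k1_peer)
    print("second session gets a new key:", k1 != k2)
```

    Because the private exponents are discarded after the handshake, a certificate private key stolen later cannot be used to recover earlier session keys; that is the forward-secrecy property ephemeral exchange adds on top of the certificate's authentication role.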

  49. B. This question is an outlier because it is one of the few such questions where the answer is not that it poses a threat to health and human safety (although, in fact, it does; option A is true, but incorrect). Halon was not prohibited because of this property. Halon was outlawed because, like CFCs (chlorofluorocarbons), it depletes the earth's ozone layer, and its production is controlled under the Montreal Protocol. Halon is still allowed in some very specialized cases (such as fire-suppression systems on aircraft), but this is an exception.

    Options C and D are incorrect and untrue.

  50. B. User interaction with the cloud is not described in this term. All the other options are characteristics of cloud computing mentioned in ping, power, pipe.
  51. C. The penetration test is not part of the site survey, which is one of the initial steps in securing/auditing a facility. The penetration test will, however, probably make use of the site survey information later.

    All the other options are goals of the site survey.

  52. B. There is no such thing as zero risk; there will always be some chance of service interruption, no matter how minimized.

    All the other options are capabilities allowed by redundancy.

  53. D. Before flooding an enclosed space with a gas that will displace oxygen, it is important to ensure that all personnel are out of the area. While this requires personnel training, such training is ineffective without a system to support this capability. Option C is true, but not as accurate as option D.

    Options A and B are incorrect because they do not make sense given that the question is about a system that displaces oxygen in the facility.

  54. A. The logical design should come before the physical design; function dictates form. Audit and revision come after creation.
  55. C. While physical controls that inhibit movement affect personnel, they are not regarded as personnel controls. All the other options are examples of personnel controls.
  56. C. Because updating the virtualization toolset may require server downtime, it is essential to have a sufficient number of redundant machines to roll the update out across the environment without significant disruption of operations.

    Option A assumes that there isn’t already enough of whatever the infusion of capital will purchase. Option A is incorrect.

    Thankfully, option B is incorrect. It would be costly to obtain an alternate data center each time the virtual machine management tools are updated.

    Peer review is not required when updating virtual machine management tools. Option D is incorrect.

  57. B. It is important to limit access to the virtualization toolset to those administrators, engineers, and architects who are vital for supporting the virtualized environment and nobody else.

    The other options are incorrect because they do not restrict access to the virtualization management tool set as specifically as role-based access control does. If someone’s role changes and they no longer require access, then their access should be terminated.

  58. C. Toolset vendors will specify secure configurations of their products; these must be followed in order to fulfill due care requirements.

    Standards and laws don’t usually specify builds for products or brands, so options A and B are incorrect.

    Expert opinion, while useful, is not sufficient to demonstrate due care in many cases; option D is not the best response.

  59. B. In order to understand, optimize, and re-create your secure baseline, proper and full documentation is absolutely essential.

    Personnel training is important for secure system use, but it is not an element of baselining. Option A is incorrect.

    A secure baseline for a given system may include HIDS and/or encryption, but they are not essential elements, so options C and D are incorrect.

  60. A. An image of the baseline should be stored securely, preferably in more than one location (to include the archive, the disaster kit, and any alternate site, to name a few). It is essential to have a copy on hand for reconstructing the environment during contingency operations, and it is also useful for audit/review purposes.

    Option B is incorrect because planned modifications are not yet part of the actual baseline.

    Option C may be a good answer in some situations; however, it is not essential, and option A is still a better answer.

    Option D is incorrect because every environment (and, therefore, the baseline used in that environment) should be exclusively tailored for the organization using that environment.

  61. D. In order to ensure timely application of patches, patching may receive blanket approval and only be reviewed by the committee or board after the fact for final approval.

    Requiring normalized processing for patching may delay patching and expose the organization to undue risk; option A is thus incorrect.

    Patching still needs to involve testing and confirmation to avoid interoperability and additional security problems, making option B incorrect.

    Third parties can identify security problems as well as vendors; external patches need to be considered as well as vendor patches. Option C is thus incorrect.

  62. D. Clustering does not preclude the time and diligence necessary to perform patching or updates.

    All the other options are attributes provided by host clustering.

  63. C. Tokenization is a method for obscuring or protecting data using two distinct databases, not a resource allocation method.

    All the other options are methods for allocating shared resources.

  64. D. In a loosely coupled storage cluster, each node acts as an independent data store that can be added or removed from the cluster without affecting other nodes. This, however, means that the overall cluster’s performance/capacity depends on each node’s own maximum performance/capacity.

    The physical backplane can be a limiting factor in a tightly coupled architecture but has less effect in a loosely coupled cluster; option A is incorrect.

    Because each node in a loosely coupled cluster has its own limitations, the number of nodes will not affect overall performance. Option B is incorrect.

    Option C is incorrect because “usage demanded” is not a factor in performance and capacity of a loosely coupled storage cluster.

  65. B. Auditing is probably even more important during maintenance mode than normal operation because administrator activity is almost always involved.

    All the other options are necessary measures for maintenance mode.

  66. D. Almost invariably, stand-alone hosting will cost more than pooled resources and multitenancy.

    All the other options are characteristics of stand-alone hosting.

  67. D. In many cases, the customer will no longer have an on-premises environment after a cloud migration.

    All the other options are methods cloud providers use to achieve “high availability” environments.

  68. B. Behavioral detection looks for activity beyond the norm of the organization’s usual traffic. Unique attacks would most likely fall into this category.

    Unique attacks would not be detected by signature matching because no signatures exist for unique attacks; option A is incorrect.

    Content filtering is less a means of detection and more a means of controlling traffic that users/systems are exposed to; while it may be useful for mitigating the possibility of malware infection, it’s less suited to the purpose posed in the question. Option C is incorrect.

    Firewalls don’t work with biometrics; option D is a distractor.

  69. C. Internet service providers don’t usually offer firewall services.

    All the other options are locations/ways to implement firewalls.

  70. B. It is very important to distinguish the purpose of the honeypot. It is not for luring in attackers; a lure is an invitation, and inviting an attack decreases the organization’s ability to have the attacker prosecuted or conduct successful litigation against the attacker.

    All the other options are purposes of a honeypot.

  71. D. The honeypot is used to gather information about the attacker, the attacker’s tools, and the attacker’s techniques.

    The honeypot should not contain anything of value; all the other options are incorrect.

  72. C. It’s preferable to have compartmentalized zones of trust within the production environment and not allow total access with one set of credentials.

    All the other options are aspects that should be used in cloud access.

  73. B. Historically, when encryption had been used as a security mechanism, it was not defeated by attacking the encryption directly but rather by subverting the encryption implementation.

    All the other options are actual methods for breaking encryption but are not the best answer for this question.

  74. D. Cloud vendors do not typically assign individual administrators permanently to specific accounts. All the other options (A–C) are methods used to reduce risks associated with privileged accounts.
  75. C. All the options are useful for enhancing the security and efficacy of the BC/DR effort, but only option C ensures that the BC/DR has a likely chance of success.
  76. B. Patches can, and often do, create interoperability problems.

    All the other options are functions offered by patching.

  77. B. In many cases, patches are released to deal with an imminent vulnerability/risk. Some organizations will give blanket preapproval for applying these patches and having the formal change management process approve the patch after the fact.

    All the other options are activities that should take place with patching.

  78. B. Not all patches are necessary for all environments. Automated patching won’t always account for variations in organizations and could cause interoperability problems in some.

    Users don’t usually apply patches and aren’t involved in automatic patching; option A is incorrect.

    It is rare that an automated patch tool will be exploited to install malware; option C is incorrect.

    Automated patching is faster and more efficient than manual patching; option D is incorrect.

  79. A. When a VM instance is inactive, it is saved as a snapshot image in a file; patches can’t be applied until the instance is running. Automated patching set to a certain scheduled time may miss inactive VMs.

    Patches can be applied remotely or locally; option B is incorrect.

    Patching may be the responsibility of the cloud customer or provider, depending on the service model, type, and contract. Option C is incorrect.

    Cloud service providers should apply patches ubiquitously throughout their service environment; option D is incorrect.

  80. A. Because a multitenant environment may have a variety of different configurations for various customers, a given patch might interfere with a certain number of customers due to interoperability problems.

    Option B is untrue; patches do work with SaaS models. Option B is incorrect.

    Option C is untrue; patches do work with private cloud builds. Option C is incorrect.

    On the contrary, vendors do issue patches to cloud providers. Option D is incorrect.

  81. C. Manual patching requires a significant degree of effort and time and is simply not feasible in a large enterprise, much less in the vast environment of the cloud.

    Manual patching is slower than automated patching. Option A is incorrect.

    Option B is incorrect; this is true in both traditional and cloud environments.

    Option D is incorrect; users should not be performing patching.

  82. D. Patching is a mundane, repetitive process, and people have trouble focusing on such tasks, especially for the number of times necessary to patch a cloud environment. Automation can aid in addressing this aspect of patching.

    With human involvement in patching, there is an opportunity to be aware of imminent patch impacts and to determine applicability of the patch before it is applied; options A and B are incorrect.

    Option C is a risk involved with all patching and not limited to manual patching; option D is preferable as it is specific to the question.

  83. C. It is perfectly reasonable to not want to use the first version of a patch, as there may be interoperability problems or even additional vulnerabilities accompanying its implementation. However, for as long as your environment remains unpatched, you are subject to attack through that new vulnerability.

    All the other options are untrue.

    The cloud provider will not suspend your access or sue your organization if you delay patching because of concerns about interoperability afterwards. Options A and B are incorrect.

    Option D is incorrect. The opposite may actually be true. Your end clients may appreciate that you delay or test the patch before installing it on production systems.

  84. B. If your organization doesn’t apply a patch for a known vulnerability, regulators may claim the organization was not performing adequate due diligence and penalize it accordingly.

    None of the other entities listed in the other options can assess penalties, so they are incorrect. (End clients may try to recover damages realized from an attack through a known vulnerability, but those penalties will be imposed by a court if the end clients conduct successful litigation.)

  85. C. If patches are rolled out across an environment where users are operating virtual machines (VMs) at different times, there is a possibility that VMs will not be patched uniformly, which could lead to data disruption.

    Option A is incorrect. Users should not be performing patching.

    Option B is incorrect; a contract specifying who is responsible for specific patching activities actually reduces risk by enhancing the probability of proper patch application.

    Option D is incorrect; attacker activity should be irrelevant to the patch process.

  86. B. RUM harvests information from actual user activity, making it the most realistic depiction of user behavior.

    Synthetic monitoring approximates user activity but is not as exact as RUM; option A is incorrect.

    SIEM monitors more than web applications, so option C is not ideal for this question.

    DAM is an OSI Layer 7 tool for monitoring database activity, specifically, so it is not the ideal answer for this question.

  87. C. Depending on the jurisdiction, RUM may entail unlawful surveillance, so the practitioner must take this into account and plan accordingly.

    Option A is incorrect. False positives are typical for real-user monitoring systems.

    Option B has no relevance in this context. Option B is incorrect.

    Sandboxed environments are not a concern when using real-user monitoring for web application activity analysis. Option D is incorrect.

  88. C. Synthetic agents can simulate user activity in a much faster, broader manner and perform these actions 24/7 without rest.

    All the other options are incorrect; synthetic agents may cost more than RUM, are less accurate than actual user activity, and both can take place on the cloud.

  89. B. Logging should suffice for the purpose of reconstructing the pertinent information (who, what, where, when, etc.) necessary to form a narrative of what transpired. This will be different for every organization and environment (so option D is incorrect). You will have to make this determination for your organization.

    Logging everything would result in log storage that exceeds the amount of data in the production environment and would actually make it more difficult to locate pertinent information. Option A is incorrect.

    Option C is incorrect. Logging data after the fact is impossible.

  90. D. It is important for the log review to be performed by someone who understands the normal operations of the organization so that they can discern between regular activity and anomalous behavior. This person also needs a security background so they can recognize common attack patterns/activity.

    Option A sounds great, but the better answer is option D. A person with knowledge of the operation is a better fit than someone who is trained to review logs.

    Options B and C are incorrect. Auditors are not the ones who should be reviewing logs for an organization.

  91. C. The clock needs to be synched throughout the environment so that all activity can be contextualized and mapped and a true narrative of events can be reconstructed later.

    All the other options are incorrect because they are simply IT terms. When it comes to useful logs, having the correct time relevant to all logged activity is vital.

  92. B. Response to anomalous activity detected by the SIEM tool will still require human involvement.

    All the other options are functions that the SIEM system can perform on its own as automated tasks.

  93. B. Because the logs are essential to reconstructing a record of what occurred within the environment, they are a valuable target for attackers. They therefore need a sufficient level of protection commensurate with the data/systems they are about.

    We don’t want to have less protection on the logs than on the systems they monitor; the controls on those systems were chosen according to the threats and risks those systems may be exposed to, and the level of security provided by those controls is, at a minimum, required for the log data. Option A is incorrect.

    Encryption may or may not be used for securing log data, depending on the level of sensitivity of the systems/data they are protecting; option C is too specific and thus incorrect.

    NIST guidelines are not suitable for all organizations and uses; option D is too broad and incorrect.

  94. D. While historical information, especially that specific to the organization’s industry, can be useful in assessing threats, risk must be considered independently from other occurrences; whether something has occurred elsewhere does not necessarily directly affect the likelihood it will or will not occur for a certain target.

    All the other options are elements typically considered in the risk context.

  95. D. We usually do not evaluate our customer base as an aspect of risk management. All the other options are aspects of common risk management practices.
  96. B. While all the options are somewhat true, because all of that information can be used to provide the most comprehensive risk picture, the best answer among those listed is money; it is a discrete, numeric metric that can be used both for comparison to countermeasure/control cost and for recompense efforts (insurance claims, lawsuits, etc.).
  97. B. Qualitative risk assessments are preferable in situations where the organization has personnel who understand the IT environment but may not have a lot of experience with risk functions and where the organization does not have a great deal of time or money to spend on the project.

    A quantitative risk assessment requires a significant budget of time and money as well as well-trained, experienced personnel familiar with risk; option A is not correct.

    Options C and D are incorrect; these are not types of risk assessments.

  98. B. The monetary value of the asset is the most objective, discrete metric possible and the most accurate for the purposes of SLE determination.

    The other options are factors that may bear on how you determine the dollar value of the asset but are not as useful as option B.

  99. B. While previous activity is not a great predictor of future outcomes (especially in the field of IT security), it is the best source we have.

    Threat intelligence information is useful but not as good as historical data in predicting ARO; option A is not as good as option B.

    Vulnerability scans and aggregation do not really aid in predicting rate of occurrence at all; options C and D are incorrect.

  100. A. The threat vector is the multiplier involved in determining exposure factor; of the options listed, this is the best answer (and, other than C, the only one that actually has bearing on EF).
  101. C. Absent any other information about a total physical loss, we can consider the rate of occurrence as 1: We would not expect the plant to burn down more than once in a year. In fact, we would expect that unless the plant was involved in some particularly flammable activity, the ARO would be less than 1 (that is, a fire is not expected every year) due to controls involved in the planning and building process of the plant (location of flammable material, fire-resistant construction techniques, etc.).

    Options B and D are incorrect. The ARO is a number, not a dollar amount.

    It is unlikely that the plant would burn down 12 times a year or every month. Option A is incorrect.

  102. D. What we can’t determine from the available information is the actual annualized loss expectancy (ALE); the cost of the physical plant itself is not the actual value of the asset, so it’s impossible to determine the ALE and therefore impossible to compare the ALE against the cost of possible controls and countermeasures.

    All the other options are incorrect; we can’t make a suitable choice from the available information.

  103. D. Unless this number is being used to determine the measures of options A or B, or we’re trying to better estimate the cost of the impact of the first occurrence (i.e., including the value of lost product in the single loss expectancy [SLE]), the amount of product the plant creates is not as important as the attendant revenue that amount generates for the company.

    All the other options are factors we need to know: The amount of revenue and the pace at which it is generated by the plant and the duration of downtime for the plant in the event of fire (so as to calculate possible lost revenue) will help us arrive at the annualized loss expectancy (ALE). In fact, additional information would also be useful, such as potential loss of market share if product was not delivered for the duration of the downtime, etc.

  104. B. The fire suppression system is the most cost-effective, reasonable means of dealing with the risk, if we use the formula for determining annualized loss expectancy (ALE).

    First, we need to determine the single loss expectancy (SLE) and annualized rate of occurrence (ARO). ARO can be assumed to be 1; absent any other information about the plant, we don’t expect more than one fire per year (and perhaps less, but we don’t have that information, either). The SLE is $36 million ($24 million for the cost of rebuilding the plant, assuming no increase in costs over the previous construction, plus $2 million per month of lost revenue, for the six months it will take to rebuild).

    Therefore, the ALE is $36 million (36 [SLE] × 1 [ARO]).

    Either the fire suppression system or the insurance policy would be appealing, from a strictly financial standpoint, if we only compared the ALE to the annualized cost of the countermeasure ($15 million for the suppression system, $12 million for the insurance policy).

    However, other factors have a bearing on this consideration too. For instance, fire poses a threat to health and human safety; obviating such risks should be a paramount concern to senior management. An insurance policy doesn’t truly protect people; it only offsets the damages people experience through loss. Also, the insurance policy would be a recurring, continual cost; it costs less than the fire suppression system in the first year of the plant’s operation ($12 million for insurance versus $15 million for the system), but once the system is purchased, though it may need upkeep and maintenance, we can assume it won’t cost the same amount in future years, and it probably won’t cost anywhere near as much as the continual costs of the insurance.

    All the other options are not as good as B.

  105. A. Because risk can never be mitigated to zero (there is no such thing as “no risk” or “perfect security”), there will always be some residual risk after risk mitigation; this residual risk must be accepted.

    Risk mitigation does not always involve risk transfer or risk avoidance. “Risk attenuation” is not an industry-standard term associated with risk management. Options B, C, and D are incorrect.

  106. B. Secondary risk is any risk resulting from enacting a control/countermeasure to the original risk. In this case, a fire suppression system that displaces oxygen is a means to mitigate the original risk (fire) but adds a new risk (suffocating people).

    All the other options are not causes of secondary risk (except if we draw out unreasonable conclusions from the most extreme, ridiculous cases, for example, “the secondary risk is the risk that the control doesn’t work”).

  107. D. The best means to address risk is completely dependent on the business needs of the specific entity and process. Mitigation may or may not be the optimum choice.

    All the other options are true statements about risk mitigation.

  108. D. A risk assessment may, indeed, be an estimate of a moving target, but it is invaluable in terms of measuring risk at any given point in time.
  109. D. In the certification/accreditation model of system approval, certification is the fundamental step.

    All other options are incorrect because certification comes first in the certification/accreditation model of system approval.

  110. C. The RMF is based on perceived risk as opposed to threats (threats may factor into risk assessment but are not the driver for the RMF).

    All the other options are true regarding the RMF.

  111. D. In symmetric encryption, a single key is used to both encrypt and decrypt a message. This is often referred to as a shared secret.

    Two key pairs are not used in symmetric encryption; option A is incorrect.

    Parties most often must be known to each other using symmetric encryption; option B is incorrect.

    Certificates require public-private key pairs, which is not an element of symmetric encryption; option C is incorrect.

  112. B. In symmetric encryption, the key must usually be passed through a different medium than will be used for sending and receiving the encrypted messages.

    DH is usually used for asymmetric encryption, to establish a temporary symmetric key; option A is incorrect.

    Option C describes asymmetric encryption and is therefore incorrect.

    Option D describes hashing and is therefore incorrect.

Chapter 6: Domain 6: Legal, Risk, and Compliance

  1. C. The Statement on Standards for Attestation Engagements (SSAE) 18 is the current AICPA (American Institute of Certified Public Accountants) audit standard.

    ISO 27001 is an international audit standard.

    The Sarbanes-Oxley Act (SOX) is a U.S. law pertaining to publicly traded corporations.

    There is no such thing as the IEC 43770 standard.

  2. B. The STAR program has three tiers.
  3. A. Tier 1 is the lowest tier of the STAR program, involving only self-assessment.
  4. C. The Diffie-Hellman key exchange process is designed to allow two parties to create a shared secret (symmetric key) over an untrusted medium. RADIUS is an outmoded access control service for remote users. RSA is an encryption scheme. TACACS is a network access protocol set used through a centralized server.
  5. C. A party who does not perform sufficient due diligence in choosing a contractor can be held accountable for the actions made by that contractor. In current privacy and data laws, this is usually the government’s perspective regarding wrongdoing on the part of cloud providers.

    All the other options are incorrect because they are simply legal terms that do not correctly answer the question.

  6. D. An affidavit is only a form of formal testimony presented to the court. All the other options are enforceable governmental requests.
  7. D. Streamlining is a nonsense term in this context. All the other options represent normal ways of addressing risk. Mitigation is the use of controls to attenuate the impact or likelihood (or both) of risk, acceptance is allowing the business to function with no further action, and avoidance is halting the business function.
  8. B. The collection limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict data collection to only information that is necessary for the transaction, and only with the knowledge and permission of the individual. The other options are meaningless in this context.
  9. A. The data quality principle requires any entity that gathers personally identifiable information (PII) about a person to ensure that the data remains valid and accurate and allows for corrections by the data subject. The other answers are meaningless in this context.
  10. D. The purpose specification principle requires any entity that gathers personally identifiable information (PII) about a person to clearly state the explicit purpose for which the PII will be used. The other answers are meaningless in this context.
  11. A. The use limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict the use of that PII to that which was permitted by the data subject and the reason given when it was collected. The other answers are meaningless in this context.
  12. B. The security safeguards principle requires any entity that gathers personally identifiable information (PII) about a person to protect that data against unauthorized access and modification. The other answers are meaningless in this context.
  13. D. The openness principle requires any entity that gathers personally identifiable information (PII) about a person to allow that person to access the information. The other answers are meaningless in this context.
  14. B. The EU crafted first the EU Data Directive and then the General Data Protection Regulation largely according to the OECD guidelines. The US Congress has (at the time of this writing) made no broad federal privacy law and instead has treated personal privacy on an industry-by-industry basis. The Politburo no longer exists. The ISO is not a lawmaking body.
  15. B. The General Data Protection Regulation prohibits entities within a country that has no nationwide privacy law from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met:
    • Their own country has nationwide laws that comply with the EU laws.
    • The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data.
    • The entity voluntarily subscribes to its own nation’s Privacy Shield program.

    There is no process for the entity to appeal to the EU for permission to do so, however.

  16. A. The Privacy Shield program is for non-EU entities that also do not exist in a country with a nationwide privacy law; no entity is required to join the program, but those who don’t are prevented from collecting and processing EU citizen privacy data. Entities within the EU are already subject to the EU General Data Protection Regulation law and therefore are not eligible or benefited by the Privacy Shield program.
  17. B. The United States does not have a general nationwide privacy law that complies with the EU privacy statutes; it instead has created industry-specific privacy laws. Canada has a law (Personal Information Protection and Electronic Documents Act) that conforms with the EU laws, as do Switzerland and Japan.
  18. D. Brazil does not yet have federal privacy laws sufficient to be considered acceptable for EU compliance. Israel, Australia, and Argentina all do.
  19. D. The Department of Commerce manages the Privacy Shield program in the United States; the Departments of State and Interior do not. There is no Department of Trade.
  20. A. SOX is only applicable to publicly traded corporations, not all companies. HIPAA may be applicable to the data you work with as a medical student, if you work with patient data. Your payment and personal data are governed by PCI DSS. FERPA protects your personal student information.
  21. B. The FedRAMP standard dictates that American federal agencies must retain their data within the boundaries of the United States, including data within cloud data centers.

    FISMA is the federal law requiring agencies to comply with National Institute of Standards and Technology (NIST) guidance; option A is broader than B, so B is better in this case.

    Options C and D are not American laws and therefore not applicable.

  22. B. Level 2 of the CSA STAR program requires third-party assessment of the provider.

    Level 1 is a self-assessment; option A is incorrect.

    Level 3 requires continual monitoring by a third party; option C is incorrect.

    There is no Level 4 of the STAR program.

  23. A. This is an example of due care.

    Due diligence comprises the processes and activities used to ensure that due care is maintained; option B is incorrect.

    Liability is the measure of responsibility an entity has for providing due care; option C is incorrect.

    Option D has no meaning in this context.

  24. D. The CCSP candidate is probably most familiar with the European Union’s (EU’s) Data Directive and General Data Protection Regulation in this regard. The directive allows every member country to create its own law that is compliant with the directive; the regulation mandates that all countries comply with the regulation itself.

    Both directives and regulations can be enforced by either member states or EU international tribunals; option A is not correct.

    Both directives and regulations are statutory; option B is not correct.

    Both directives and regulations deal with both internal EU matters and those that extend outside Europe; option C is not correct.

  25. C. A government service provider is not allowed to refuse service if an individual refuses to participate in data collection.

    Option A is incorrect. There is no requirement for hardcopy.

    Option B is incorrect because the provider is a government agency.

    Option D is incorrect. The scenario in the question is illegal whether or not the visitor is asked about their nationality.

  26. C. All the other options are incorrect.
  27. D. The GDPR describes requirements for data collection by and transfers to data controllers and processors.

    All the other options are incorrect.

  28. B. This is the definition of shadow IT: unplanned costs from uncontrolled user activity.

    This does not constitute a data breach because no data has been disclosed to unauthorized entities; option A is incorrect.

    This is not an intrusion because no external entity has gained access to the environment; option C is incorrect.

    While shadow IT may be considered a particular kind of insider threat, we usually consider insider threats as malicious, and shadow IT is typically the result of benign intentions. Option B is better than option D.

  29. D. The ISO 27001 certification is for the information security management system (ISMS), the organization’s entire security program.

    The SAS 70 and SSAE 18 are audit standards for service providers and include some review of security controls but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct.

    The SOC reports are how SSAE 18 audits are conducted; option C is incorrect.

  30. B. This is what a SOC 2, Type 1 report is for.

    The SOC 1 is for financial reporting; the SOC 2, Type 2 is to review the implementation (not design) of controls; and the SOC 3 is just an attestation that an audit was performed. All these options are incorrect.

  31. B. This is the definition of a gap analysis.

    SOC reports are specific kinds of audits; option A is incorrect.

    The scoping statement is a pre-audit function that aids both the organization and the auditor to determine what, specifically, will be audited. Option C is incorrect.

    Federal guidelines are government recommendations on how something should be done. Option D is incorrect.

  32. C. The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001.

    The SAS 70 and SSAE 18 are audit standards for service providers and include some review of security controls but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct.

    NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37; option D is incorrect.

  33. D. While the auditor is not a law enforcement entity, they will likely have an ethical, if not legal, requirement to report illicit activities discovered during the audit.

    All the other options are incorrect as they are all facets of audit scoping.

  34. B. Auditors may find it necessary to speak to particular individuals in order to locate artifacts and understand the environment. Although there may be some limitation on particular points of contact and nature of interviews, there cannot be a total prohibition.

    All the other options are incorrect as they are all facets of audit scoping.

  35. D. The ECSA is designed as a cloud service certification motif for organizations located in Europe.

    NIST (which also administers FedRAMP) is designed specifically for federal agencies in the United States and is not applicable for European providers, so options A and B are incorrect.

    ISO 27034 deals with an organization’s use of security controls for software; while this may be pertinent to your organization, it is not a comprehensive view of cloud services and is not as beneficial or equivalent to the CSA STAR or Uptime Institute certifications. Option D is preferable to option C.

  36. C. Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, whereas the personnel in the target department may be constrained by habit and tradition.

    Options A and B are incorrect because this poses a conflict of interest.

    Option D is incorrect. Audits often reveal sensitive information that does not need to be shared with an external audit body that was not part of the original audit.

  37. A. An IT security audit is not intended to locate financial fraud; it may, however, lead to such revelations unintentionally. There are specific other audits that exist for this purpose.

    All the other options are incorrect because they are intended goals for IT security audits.

  38. D. ISO 27018 describes privacy requirements for cloud providers, including an annual audit mandate.

    Option A is incorrect because NIST SP 800-37 describes the Risk Management Framework and is not an international privacy standard.

    The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. Option B is incorrect.

    Option C is incorrect because the PCI DSS is specifically for merchants who accept credit cards, not cloud providers (while cloud providers may process credit cards, and therefore must follow PCI DSS, option D is preferable and is the better answer).

  39. D. Aside from industry-specific legislation, the United States does not have any federal laws outlining how citizens’ privacy data should be treated.

    All the other entities have published such guidance, and those options are therefore incorrect.

  40. B. With rare exceptions, digital forensics does not include creation of data (other than the forensic reports regarding the analysis of data). While this could arguably be considered an aspect of digital forensics as well, the other options are more suited to describing digital forensics, so this is the best negative answer.

  41. D. This is the definition of extradition.

    Applicable law is the regulation/legislation affecting a certain circumstance. Option A is incorrect.

    Judgments are legal conclusions or decisions. Option B is incorrect.

    Option C is incorrect because criminal law is the body of law that pertains to crime.

  42. A. Civil courts (for example, in a breach of contract case) are held to the “preponderance of evidence” standard.

    All the other options are incorrect because they do not hold to the preponderance of the evidence requirement.

  43. D. Except in jurisdictions where contributory negligence is a factor in the proceedings, civil courts use a standard of “preponderance of evidence,” so the entity that has a simple majority of fault (51 percent or more) is responsible for the full weight of the breach. Because the question did not specify the case was in contributory negligence jurisdiction, option D is the best answer because it is the most likely outcome.

    Options A, B, and C are incorrect because they correspond to 25 percent, 75 percent, and 0 percent of the full weight of the breach.

  44. B. The silver platter doctrine allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without a warrant or a court order.

    The doctrine of plain view allows law enforcement to act on probable cause when evidence of a crime is within their presence; option A is incorrect.

    The GDPR is a European Union (EU) privacy law and not applicable here; option C is incorrect.

    FISMA is the American law requiring federal agencies to adhere to National Institute of Standards and Technology (NIST) standards; option D is incorrect.

  45. B. As of May 2018, the GDPR is the law throughout all EU member states, superseding any existing local laws.

    Belgian law was superseded at that point, and the GDPR has primacy over Belgian law. Option A is incorrect.

    Options C and D are an American standard and law, respectively, and are not applicable to companies in the European Union (EU), so they are therefore incorrect.

    It’s important to note that the GDPR covers all entities that are located and/or operate in the EU, regardless of other details such as where the business entity stores the data or where the customers are located.

  46. A. A litigation hold notice is required to prevent possible destruction of pertinent evidence that may be used in the case.

    An audit scoping letter outlines the parameters for an audit engagement; option B is incorrect.

    Options C and D do not have meaning in this context.

  47. A. Spoliation is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the grounds for another lawsuit.

    Destroying evidence is not fraud; fraud can be a crime or a tort on its own, but it is not the term for this act, so option B is incorrect.

    Jurisdiction describes the geographical area over which a court has power; option C is incorrect.

    Recompositing is a made-up word and has no meaning in this context. Option D is incorrect.

  48. A. In a SaaS model, the customer has little insight into event logs and traffic analysis useful for evidentiary purposes. The customer will largely be reliant on the cloud provider to locate, collect, and deliver this information for e-discovery.

    Regulators do not take part in e-discovery; option B is incorrect.

    In this situation, your company is the cloud customer and will not have a great deal of access to event logs, which may be a crucial element of e-discovery; options C and D are incorrect.

  49. B. Multitenancy in the cloud is a direct result of sharing resources; many customers use the same underlying hardware infrastructure. A seizure of hardware assets by law enforcement investigating another cloud customer could conceivably result in the seizure of your company’s data because it happened to be residing on the same hardware when that hardware was seized.

    The other options are aspects of cloud computing but do not have anything to do with the risk of unauthorized disclosure due to seizure by law enforcement.

  50. D. Your company will not be allowed to destroy any data for the duration of the legal case because that might constitute tampering with potential evidence.

    All the other aspects of software development may continue as long as no destructive measures or methods are utilized; all the other options are incorrect.

  51. D. While e-discovery may be a painful, monotonous, expensive process, a vast data dump of the organization’s entire data store would entail massive risk and liability.

    The other options are simply incorrect.

  52. B. Typically, a discovery tool is a primary component of a DLP solution. This might be employed for purposes of identifying and collecting pertinent data.

    All the other options describe important facets of an overall organizational security program but are not especially helpful in e-discovery efforts.

  53. C. Courts can issue seizure orders for anything and everything.

    All the other options are either incorrect because they are too limited (A and B) or just absurd (D).

  54. C. In order to deliver credible, believable expert testimony, it’s important that your personnel have more than an amateur’s understanding and familiarity with any forensic tools they use to perform analysis. Formal training and certification are excellent methods for creating credibility.

    Scripting testimony is usually frowned on by the court; coaching witnesses how to perform and what to expect in court is all right, but it does not lead to credibility. Option A is incorrect.

    Your expert witnesses are not allowed to withhold any evidence from their testimony if it is pertinent to the case, even if that evidence aids the other side. Option B is incorrect.

    You should pay your employees for their time, regardless of whether they’re performing on the job site or in a courtroom, but this has nothing to do with enhancing credibility. Option D is incorrect.

  55. B. There are certain jurisdictions where forensic data/IT analysis requires licensure (the American states of Texas, Colorado, and Michigan, for example); it is important for you to determine whether this is the case in your jurisdiction before proceeding with any forensic efforts.

    It is important for forensic investigators to have proper training, background checks, and approved tools in every jurisdiction, so all the other options are incorrect as they are not specific enough.

  56. B. All forensics processes and activity should be documented with extreme scrutiny. It is very important for your actions to be documented and repeatable in order for them to remain credible.

    Evidence is only inadmissible if it has no probative value—that is, if it has no bearing on the case. Modified data is still admissible, as long as the modification process was documented and presented along with the evidence. Option A is incorrect.

    Option C is ambiguous as to its meaning and is therefore an incorrect choice for an answer.

    Option D would be true only if the data modification process is not documented and presented in detail.

  57. C. The battery is a crime and may be prosecuted as such, and the act may also result in the victim suing the attacker for damages.

    Options A and B are not sufficient compared to C.

    Option D is a distractor in this case; battery is not a form of racketeering, unless linked to a larger pattern of crimes.

  58. B. The attacker is the one who committed the crime and is therefore likely to be prosecuted (prosecuted denotes a criminal trial, as opposed to a civil suit).

    It is unlikely that the company would be prosecuted for causing the crime because the company did not engage in the wrongful behavior; in this case, there was a very specific attacker and victim. Option A is incorrect.

    The victim does not get prosecuted for crimes committed against them. Option C is incorrect.

    If you had ordered the attack, or somehow caused it to occur, you might be prosecuted, but this is not detailed in the question and is an unlikely circumstance; option D is incorrect.

  59. B. This is an example of due diligence.

    Due care is the duty owed by one entity to another, in terms of a reasonable expectation; option A is incorrect.

    Liability is the measure of responsibility an entity has for providing due care; option C is incorrect.

    Option D has no meaning in this context and is incorrect.

  60. C. Snapshotting an entire virtual machine or memory device is an excellent method for capturing its current data and settings at a specific moment.

    Hypervisors do not particularly aid in evidence collection, although they may provide log data; option C is still preferable to option A.

    Pooled resources actually complicate evidence collection; option B is quite wrong.

    Live migration does not aid in evidence collection; option D is incorrect.

  61. B. Backups can serve to provide excellent forensics about incidents that have already occurred and also serve to provide an operational reach-back capability for users that have accidentally lost data or modified it incorrectly.

    While highly trained forensic personnel will be very useful in forensic activities, that is not usually an operational benefit. Option A is incorrect.

    The more secure the data archive, the less useful it is for operational purposes; option C is not as good as option B.

    Option D is wrong because homomorphic encryption is still theoretical and currently serves no actual purpose.

  62. D. File hashes can serve as integrity checks for both configuration management (to determine which systems are not configured to the baseline) and audit purposes (as artifacts/common builds of systems for audit review).

    Backups and constant uptime may aid in availability efforts for operational purposes, but they don’t really help in configuration management; options A and B are incorrect.

    Multifactor authentication provides neither configuration management nor forensic benefits; option C is wrong.

  63. A. Because RAM is inherently volatile, and virtual resources are simulated only for limited time periods, virtual RAM is probably the most volatile data store.

    Hardware RAM is probably as volatile as virtual RAM, but the virtualization aspect of option A may make it a more suitable answer for this particular question.

    Log data and drive storage should both be durable and not volatile at all, so options C and D are incorrect.

  64. C. In a multitenant environment, it is quite likely that any particular piece of hardware will contain data from many customers. In this case, your company may become liable for violating privacy laws for accessing privacy data belonging to another cloud customer, which would increase your company’s exposure (something that could be disastrous because the company is already under investigation).

    None, some, or all of the other options might be true; however, the liability of possibly disclosing someone else’s privacy data is an overwhelming business risk, so option C is the best answer.

  65. C. This is a very difficult question as all the options are correct. However, the ultimate recipient of all forensic evidentiary collection and analysis—the entity getting the reports—will be the court, in order to make a final determination of its merits and insights.

  66. C. It’s important to present a full view of the evidence, including any alternative findings that were considered but eliminated through reason. This serves many purposes, not the least of which is strengthening your case in the minds of those who hear your testimony.

    Your professional opinion is vital, but your personal opinion should not have bearing on the case; option A is incorrect.

    Option B is incorrect only because it limits the presentation to your side of the case, whereas option C is broader and more accurate.

    Unless instructed by counsel, bringing up similar past activity is not germane to the current case; option D is incorrect.

  67. A. An integrity check comparing the copy to the original is essential so that the report can demonstrate that none of the data was lost or tampered with before analysis begins.

    All the other options are simply incorrect for integrity check purposes.
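As an added illustration (not code from the book) of the two hash-based integrity checks mentioned in answers 62 and 67: verifying a forensic copy against its original before analysis, and comparing a host's files against a baseline manifest to find configuration drift for audit. All file names, contents, and the directory layout below are constructed for the example.

```python
"""Hash-based integrity checks (added illustration; not from the book).

Two uses the answer key mentions:
  * a forensic copy is verified against the original before analysis (#67)
  * a host's files are compared against a baseline manifest to find
    configuration drift, with the manifest kept as an audit artifact (#62)

All file names and contents below are constructed for the example.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_copy(original, copy):
    """Compare a forensic copy to its source; return (match, original_hash, copy_hash).

    Both hashes are returned so the report can record them next to the verdict.
    """
    orig_hash = sha256_file(original)
    copy_hash = sha256_file(copy)
    return orig_hash == copy_hash, orig_hash, copy_hash


def build_manifest(root):
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_baseline(manifest, root):
    """Report drift of the tree under root from a baseline manifest.

    Returns sorted lists: 'modified' (present but hash differs), 'missing'
    (in baseline, absent on host) and 'unexpected' (on host, not in baseline).
    Three empty lists mean the host matches the baseline.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Run both checks on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        # Constructed 'evidence' file, a bit-for-bit copy, and a copy with one bit flipped.
        evidence = tmp / "disk.img"
        evidence.write_bytes(bytes(range(256)) * 64)
        good_copy = tmp / "disk_copy.img"
        good_copy.write_bytes(evidence.read_bytes())
        bad_copy = tmp / "disk_bad.img"
        data = bytearray(evidence.read_bytes())
        data[100] ^= 0x01
        bad_copy.write_bytes(bytes(data))

        good_match, _, _ = verify_copy(evidence, good_copy)
        bad_match, _, _ = verify_copy(evidence, bad_copy)

        # Constructed baseline: a 'golden' tree, and a host tree that has drifted.
        golden = tmp / "golden"
        (golden / "etc").mkdir(parents=True)
        (golden / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (golden / "etc" / "motd").write_text("authorized use only\n")
        manifest = build_manifest(golden)  # this is the audit artifact

        host = tmp / "host"
        (host / "etc").mkdir(parents=True)
        (host / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (host / "etc" / "rc.local").write_text("# not in baseline\n")  # unexpected
        # motd is deliberately absent on the host -> missing
        drift = check_baseline(manifest, host)

    return {"good_copy_matches": good_match, "bad_copy_matches": bad_match, "drift": drift}


if __name__ == "__main__":
    print(demo())
```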

  68. B. The evidence custodian is the person designated to maintain the chain of custody for the duration of the investigation. All the other options could be roles of people who are tasked with custodianship.

  69. D. It is important that any changes to the data only be made in purposeful, specific ways; a write-blocker helps to ensure that extraneous changes aren’t made to the data.

    The other options are not necessary for accessing an electronic storage file for forensic purposes. Options A, B, and C are incorrect.

  70. D. You do not want to have unique testing techniques used in your analysis, because those may not be repeatable or accepted by other experts (or the court).

    All the other options are traits of forensic testing we do want our tests to include.

  71. D. U.S. laws do not, for the most part, consider cell phone numbers an element of PII; in the EU, they are.

    All the other options are PII elements under both jurisdictions.

  72. B. The GDPR contains the provisions under which the Privacy Shield program was implemented.

    All the other options are U.S. laws and are therefore incorrect.

  73. C. The EU General Data Protection Regulation (GDPR) requires that multinationals using standard contractual clauses get those clauses approved by the privacy office in every EU member state where the company will operate. Italy and Germany are both EU member states; Brazil is not.

  74. D. Processing includes any manipulation, use, movement, or alteration of data—pretty much anything that can be done with or to data is “processing” (including making and manipulating hard-copy versions of data).

    Storing data in the cloud is not illegal in most jurisdictions (as long as certain rules are followed, for specific industries and data sets); option A is incorrect.

    Storing often happens at or soon after the time of collection, but they are not the same function; option B is incorrect.

    Opt-in is the concept under which a data subject must give clear consent to personally identifiable information (PII) data collection and use; option C is incorrect.

  75. C. The FTC is in charge of the Privacy Shield program.

    The State Department is involved with controlling some exports, under the International Traffic in Arms Regulations (ITAR); option A is incorrect.

    There is no Privacy Protection Office; option B is a meaningless term and is incorrect.

    HHS is in charge of managing the Health Information Portability and Accountability Act (HIPAA); option D is incorrect.

  76. C. The CMM is a way of determining a target’s maturity in terms of process documentation and repeatability.

    The CSA STAR and EuroCloud Star programs are certifications based on applicable control sets and compliance with standards and regulations, not process maturity; options A and D are incorrect.

    The RMF is National Institute of Standards and Technology (NIST) guidance on how to assess risk in an environment; option B is incorrect.

  77. C. SOC 2 reports were not designed for dissemination outside the target organization.

    All the other options are incorrect.

  78. B. In order to protect extremely sensitive material that is discussed in the SOC 2, Type 2, the provider may request that you sign an NDA and limit distribution.

    The provider is the entity that should be seeking CSA STAR certification, not the customer; option C is incorrect.

    Be wary of any provider that asks for security deposits and/or acts of fealty; options A and D are incorrect.

  79. A. The AICPA, the OECD, and the EU have all outlined certain basic expectations for entities that are privacy data controllers; these expectations are extremely similar in the documentation produced by all three.

    All the other options are forms of legislation or regulators that do have some content that addresses privacy; however, option A is the most specific and preferable answer because the privacy principles of the AICPA, OECD, and EU are so very similar.

  80. D. The PCI DSS is extremely thorough and wide-reaching.

    All the other options are just wrong.

  81. D. The different merchant tiers are based on the number of transactions a specific merchant conducts annually.

    All the other options are incorrect.

  82. B. Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.

    All PCI DSS–compliant merchants must meet all the control and audit requirements of the standard; options A and C are incorrect.

    PCI DSS does not dictate costs of controls; option D is wrong.

  83. D. U.S. federal entities are prohibited from using cryptosystems that are not compliant with FIPS 140-2.

    All the other options are incorrect because they are not related to FIPS 140-2.

  84. A. Vendor lock-out can occur when your provider no longer offers the service for which you contracted; it is possible that a merger or acquisition of your provider might lead to this circumstance.

    All the other options are incorrect because they are not relevant in terms of the question.

Chapter 7: Practice Exam 1

  1. C. This is the definition of federation. PKI is used to establish trust between parties across an untrusted medium, portability is the characteristic describing the likelihood of being able to move data away from one cloud provider to another, and repudiation is when a party to a transaction can deny having taken part in that transaction.
  2. C. In the cross-certification model, every participating organization has to review and approve every other organization; this does not scale well, and once the number of organizations gets fairly substantial, it becomes unwieldy.

    Option A is incorrect because it is possible to trust more than two organizations.

    Option B is not true. There is no law/rule that limits the government to sharing data with five or fewer parties.

    Option D is incorrect. Sharing data does not automatically affect the value of the data.

  3. B. SAML 2.0 is currently the standard used to pass security assertions across the Internet. REST and SOAP are ways of presenting data and executing operations on the Internet, and HTML is a way of displaying web pages.
  4. A. A third-party identity broker can serve the purpose of checking and approving all participants in the federation so that the participants don’t have to perform that task. A cloud reseller is an entity that sells cloud services without maintaining its own data centers. Option C is gibberish. MAC is used to define access relationships between subjects and objects.
  5. A. NIST Special Publication 800-53 pertains to U.S. federal information systems, guiding the selection of controls according to the Risk Management Framework. PCI is a contractual standard for commercial entities that take credit card payments, not applicable to the government. ENISA publishes a European standard, which is also not applicable to the United States. ISO is not required for government systems in the United States.
  6. B. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law governing protection of personal information. The Federal Information Processing Standard (FIPS) 140-2 standard certifies cryptologic components for use by American federal government entities. The Health Information Portability and Accountability Act (HIPAA) is an American law regulating patient information for medical providers. The European Free Trade Association (EFTA) is not a standard; it is a group of European countries.
  7. A. The CSA CCM will aid you in selecting and implementing appropriate controls for various regulatory frameworks. The CCM does not aid in collecting log files; that is the function of a security information and event management (SIEM), search engine marketing (SEM), or security information management (SIM) tool. The CCM will not help ensure that the baseline is applied to systems; automated configuration tools are available for that purpose (although this answer might be interpreted as desirable; the CCM will help you select appropriate controls for your baseline, but it won’t check to see if those are applied). Contract terms are not enforced by the CCM; the service-level agreement (SLA) should be the mechanism for that task.
  8. C. Option C is a nonsense term made up as a distractor. All the other frameworks are addressed in the CCM.
  9. A. The CAIQ is a self-administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls. The OWASP Top Ten is used to indicate trends in poor design of web applications. The CSC may be a useful tool for choosing and implementing appropriate controls, but it comes from the Center for Internet Security (CIS), not the CSA. The FIPS 140-2 lists only approved cryptographic tools and is published by NIST.
  10. B. The CCM allows you to note where specific controls (some of which you might already have in place) will address requirements listed in multiple regulatory and contractual standards, laws, and guides. Option A is a misnomer because the CCM is free of charge. Options C and D are incorrect because the CCM does not list either specific controls or vendors.
  11. D. This is a community cloud, because various parties own different elements of it for a common purpose. A private cloud would typically be owned by a single entity, hosted at a cloud provider data center. A public cloud would be open to anyone and everyone. Hydrogenous is a word that does not have relevant meaning in this context.
  12. B. The cross-certification model of federated identity requires all participants to review and confirm all the others. SAML is the format most often used for identity assertions in a federated environment. JSON is a communications format for exchanging objects online.
  13. B. A copyright protects expressions of ideas, usually creative expression. Music, whether written or recorded, falls into this category. Trademarks are for data that is associated with a brand of a company. Patents are usually for processes or inventions. Trade secrets are business elements kept from public disclosure—music would not usually fit into this category as its value is derived from its distribution in the marketplace.
  14. C. In federations where the participating entities are sharing data and resources, all of those entities are usually the service providers. In a third-party certification model, the third party is the identity provider; this is often a CASB. The cloud provider is neither a federated identity provider nor a federated service provider, unless the cloud provider is specifically chosen as the third party providing this function; in this question, option C is more general and requires no assumptions, so it is the correct choice.
  15. A. This is the correct process, according to the law. The rest are not proper procedures for complying with the law and are therefore incorrect and inadvisable.
  16. B. Copyrights expire after a certain duration and then fall into the public domain, where they can be used by anyone for any purpose. This material certainly exceeds the time of any copyright protection. All other options are invalid.
  17. C. Tier 3 should probably suffice for Bob’s purposes, providing sufficient redundancy and resiliency. Tier 4 probably offers more than what Bob needs; it will cost considerably more than a Tier 3 implementation and is most likely only necessary for organizations providing health and human safety services (hospitals and trauma centers, for instance). Tiers 1 and 2 are probably not sufficient and might only be considered for non-constant situations, such as archiving and backup.
  18. C. GLBA mandates requirements for securing personal account information in the financial and insurance industries; Bob’s company provides financial services, so he will definitely have to comply with GLBA. If Bob’s company is publicly traded, he may have to comply with SOX, but we don’t know enough about Bob’s company from the question to choose that answer. HIPAA is a requirement only for medical providers and their business associates. PCI is not a law.
  19. B. Using different vendors for multiple systems of the same type adds not only redundancy but also resiliency; if one product has an inherent manufacturing flaw, the other should not, if it comes from a different producer. The other suggestions are all suitable but do not offer redundancy or resiliency.
  20. D. Traditionally, it would be optimum if the UPS lasted as long as necessary until the generator is able to resume providing the electrical load that was previously handled by utility power. However, the absolute baseline for battery power is just long enough for all systems to complete their transactions without losing data.

    The other options are incorrect, because they use finite, specific durations; there is no single value that is optimum for all organizations.

  21. B. It is preferable that your games do not have security flaws in them, but this is not a core aspect of the product you are delivering: you are delivering entertainment, which is the primary goal; security is therefore a nonfunctional requirement.

    If you were creating security products, security would be a functional requirement; games are not security products. A game with security flaws is still a game and fulfills the purpose. Option A is therefore incorrect (although hotly debated among IT security personnel—remember, the game can exist without a security department, but the security department couldn’t exist without games).

    Thus far, regulations have not imposed particular security conditions on delivered products by statute. This does not obviate all liability from shipping defective products, of course; the need for due care and due diligence remains. However, this is a much lower threshold than direct statutory guidance, which exists in fields other than software development (to date). Option C is incorrect.

    Outsourcing may or may not be used when performing software security reviews; there is not enough information in the question to determine which method your company uses, so option D is too specific for the vague data provided.

  22. B. Testing the product in a runtime context is dynamic testing.

    Because this is being done in runtime, it is neither code review nor static testing; options A and C are incorrect.

    Using a small pool of specified individuals is not truly open source, which would involve releasing the game to the public. Option D is incorrect.

  23. C. The moderator will serve to guide the experience in an objective, dispassionate manner, without influencing the test, as well as to help document the outcomes.

    Having managers in attendance would present a form of unnecessary micromanagement; option A is wrong.

    There is no need for a database administrator (DBA) to be involved in the test; option B is wrong.

    The security team should use the data gathered from the test, but they don’t need to be present for the testing; option D is incorrect.

  24. D. It is absolutely essential that the developers are not present during the actual testing as they are likely to influence the test unduly, purposefully or otherwise.

    The other parties don’t need to participate in the testing process but are not as undesirable as the developers; all the other options are incorrect.

  25. B. Having the test participants provide signed nondisclosure agreements is an absolutely essential part of this process; they will be exposed to proprietary material and need to be held accountable for any disclosures they might make.

    Managerial oversight is not at all necessary at this level of development and would actually be a form of micromanagement; option A is incorrect.

    Health benefits are in no way appropriate for temporary, unpaid testers; option C is only a distractor.

    Programmers should be prevented from participating in testing as they have inherent bias and may unduly influence the results; option D is wrong.

  26. C. This is not an easy question and requires some concerted thought. The most grave concern to your company is the loss of proprietary information—that is, your games, which are your property and means of profit. Security flaws in your organization could lead to a total loss of your property, which could end your business.

    This is one of the very few questions where “health and human safety” is not the correct answer to a security issue; there just isn’t much danger involved in either producing or consuming video games (aside from dated, anecdotal reports of seizures resulting from flashing images, which lacked scientific substantiation). Though this will be something you must consider (such as workplace violence issues), it will not be a daily activity. Option A is incorrect.

    Security flaws in your products will most likely not be critical or of grave impact; people who hack your game after shipping may be able to include additional functionality or violate some elements of copy protection, but this is not as threatening as pre-release exposure of the material. Option B is incorrect.

    Current laws do not dictate much in the way of either content or functionality for software (other than very specific industries, such as health care or financial services); option D is incorrect.

  27. C. Software is protected by copyright. All the other options are forms of intellectual property protections but not applicable to software for the most part (trademarked names and characters may be important, but not as important as the copyright).
  28. C. This is a very pragmatic and helpful means of gathering inputs that are unpredictable and difficult to simulate and that mimic conditions under which the software will operate.

    All the other options are incorrect.

  29. C. Fuzz testing is the term used to describe the use of known bad or randomized inputs to determine what unintended results may occur.

    Source code review, just like it sounds, is a review of the actual program code; option A is incorrect.

    Deep testing is a made-up term; option B is incorrect.

    White-box testing is a term used to describe a form of code review; option D is incorrect.

  30. C. Digitally signing software code is an excellent method for determining original ownership and has proven effective in major intellectual property rights disputes.

    All the other options represent solutions that not only probably lack efficacy but are also often illegal.

  31. C. Enforcement of copyright is usually a tortious civil action, as a conflict between private parties.

    Only crimes involve arrest, detention, and prosecution; most copyright cases such as this would not be tried as a crime, and the government would not be involved (other than in the form of the judge/court). Options A and D are incorrect.

    Public hearings are not used to gain restitution for harmful acts; option B is incorrect.

  32. B. A platform as a service (PaaS) environment will likely provide the best option for testing the game; the provider will offer various OS platforms for the game to run on, giving your company the opportunity to reach as many customers (using various platforms) as possible, raising your potential for market penetration.

    Although infrastructure as a service (IaaS) is not a terrible option and would give your team additional control of the entire test, it would also require the team to duplicate many different platforms and OSs, requiring a much greater level of effort and additional expertise at what would likely be a much greater cost. Option B is preferable to option A.

    A software as a service (SaaS) model will not allow your team to install and run the game; option C is incorrect.

    TaaS is a made-up term with no meaning in this context, making option D incorrect.

  33. C. To attenuate the risks of inadvertent disclosure inherent in untested software, it is essential to obfuscate any raw production data (such as potential personally identifiable information [PII]) before including it in any test environment.

    The other options represent activity that is obviously beneficial but secondary to the importance of masking production data. Think of it this way: even if there is a vulnerability, breach, or malware in the test environment, if raw data is included something of value is lost; if dummy or masked data is the only content included, nothing of value is lost.

  34. C. Off-site storage is not intrinsic to the definition of cloud computing; all the other options are.
  35. D. Immediate customer support may be an option offered by some cloud providers, but it is not a defining characteristic of the industry. All the other options are.
  36. A. In the infrastructure as a service (IaaS) model, the customer is responsible for everything up from the hardware layer.

    In platform as a service (PaaS) and software as a service (SaaS), this will be performed by the provider; options B and C are incorrect.

    QaaS is an invented term and not meaningful; option D is wrong.

  37. D. Vendor lock-in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer.

    These contract terms can be described as favorable only from the provider’s perspective; option D is preferable to option A for describing this situation.

    There was no description of negotiation included in the question; option B is incorrect.

    IaaS is a service model and doesn’t really apply to anything in this context; option C is incorrect.

  38. B. Ionization detectors usually use a small amount of americium in the detection chamber.

    Photoelectric detectors use a light source instead. Option A is incorrect.

    Options C and D are incorrect because they are meaningless in this context.

  39. D. Because the nature of a life-support effort requires absolute availability, nothing less than a Tier 4 data center will serve your purposes. All the other options are incorrect.
  40. B. Bare skin sticks to cold metal.

    Most modern systems don’t suffer performance degradation at the lower ends of the temperature spectrum; it’s the higher temperatures that are of concern for that aspect of the data center. Option B is preferable to option A.

    Similarly, it is high temperature, not low temperature, that poses the greater risk of fire, and temperature is perhaps the environmental factor with the least impact on fire risk anyway. Option C is incorrect.

    Any regulatory issues stemming from a workplace that is too cold correlate directly with risks to health and human safety, so option B is still preferable to option D.

  41. B. This question might be susceptible to overthinking because it is simplistically straightforward: RAID is not a protocol—it’s a configuration mechanism.

    All the other options are storage protocols that will involve storage controllers.

  42. C. While it is important to follow internal policy, industry standards, and regulations when they are applicable, vendor guidance will most often offer the most detailed, specific settings for the particular product in question; the other forms of guidance do not usually specify individual products/versions. This does not mean using the default configuration; the vendor will continue to publish suggestions and recommendations for optimizing performance and security of the product after it goes into distribution in order to meet evolving needs and threats.
  43. B. Applying vendor configurations is an excellent method for demonstrating due diligence in IT security efforts. Always remember that proper documentation of the action is also necessary.

    Federal law rarely dictates application of vendor guidance, or any other specific security method for individual platforms; option A is incorrect.

    Aggressors will almost always be on the offensive and adapt attack methodology faster than our industry creates defenses; even vendor guidance is usually reactive. Option C is incorrect.

    Customers rarely have any idea of (or reason to know) configuration settings; option D is incorrect.

  44. B. All management functions should take place on a highly secure, isolated network.

    The toolset may be available via remote access but is not in any way to be considered public-facing; option A is incorrect.

    Resource pooling contradicts direct connections to any particular storage mechanism; option C is incorrect.

    Usually, virtualization management will be a responsibility of the provider because it is a crucial element for all customers; option D is incorrect.

  45. A. Isolation in the cloud is imperative, largely because of multitenancy (not to support it, as option C implies). In order to do this, the use of technologies like those listed in the question is warranted.

    Options B and D have no meaning in this context and are therefore incorrect.

  46. A. DNSSEC is basically DNS with the added benefit of certificate validation and the usual functions that certificates offer (the other options). This does not include payload encryption—confidentiality is not an aspect of DNSSEC.
  47. C. Default credentials are the bane of security, everywhere. This is definitely the correct answer because it should not be part of the baseline build.

    All the other options are actual baselining functions.

  48. B. Baseline systems need current patches/configuration updates in order to be used to replicate production systems.

    All the other options are actual baselining functions.

  49. B. Before applying the baseline to the environment, it is important to determine if there are any offices/systems that will require exceptions; not all baselines meet all business needs.

    All the other options are actual baselining functions.

  50. B. With platform as a service (PaaS), the cloud provider will administer both the hardware and the OS, but you will be in charge of managing the applications and data. There is less likelihood of vendor lock-in with PaaS than with software as a service (SaaS), because your data will not be put into a proprietary format (option B is preferable to option C).

    With infrastructure as a service (IaaS), your company will still retain a great deal of the administrative responsibility, so PaaS is a better option; option B is preferable to A.

    Option D has no applicability in this context and is incorrect.

  51. D. Cloud bursting is the industry term usually associated with this type of practice.

    All the other options are not terms with any particular meaning in this context.

  52. B. While all aspects of cloud computing are necessary to provide a true cloud service, this type of business flexibility is possible because of rapid (close to instant) elasticity, the means to scale your usage up and down as needed.

    All the other options are facets of cloud computing but are not as pertinent to the question.

  53. D. This is an excellent description of the hybrid model, where the customer owns elements of the infrastructure (the on-premises traditional environment) and the cloud provider owns other elements (the cloud environment used for the temporary additional demand).

    All the other options are cloud deployment models but do not suit this particular case.

  54. A. A private cloud is the best option for work in highly regulated industries or industries that involve very sensitive assets.

    The other options simply are not as preferable as option A for this question.

  55. C. A public cloud will be the easiest, least expensive option and probably offer the simplest transition.

    The other options are not as preferable as C for this question.

  56. B. This is an optimum situation for the use of a community cloud model.

    The other options are not as preferable as B for this question.

  57. C. The fact that many different customers (including some that may be competitive with, or even hostile to, each other) will be utilizing the cloud environment concurrently means that isolating each is of the utmost importance in the cloud environment.

    DDoS is an availability threat, not something to do with confidentiality, so isolation does not serve much purpose in reducing it. Option A is incorrect.

    Unencrypted message traffic is not the prevailing, general reason for the need for isolation; it might be one specific, particular aspect of a confidentiality concern, but option C is preferable to B.

    Insider threat is not countered by isolation in the same way that isolation protects against threats due to multitenancy; option C is preferable to D.

  58. A. Because of European personal data privacy laws, it is extremely important for your company to be sure that the data does not leave the borders of a country approved to handle such data. A private cloud model is the best means for your company to be sure that the data is processed in a data center residing in a particular geographic location.

    The other options simply are not as preferable as A for this question.

  59. A. Portability is the term used to describe the ease with which a customer can move from one cloud provider to another; the higher the portability, the less chance for vendor lock-in.

    Interoperability describes how systems work together (or don’t); because the question did not mention the use of your own company’s systems, interoperability does not seem to be a major concern in this case. Option B is incorrect.

    Resiliency is how well an environment can withstand duress. While this is of obvious importance to all organizations in the cloud, it is usually seen as a defense against availability concerns, while the question has more to do with portability; option A is still preferable to option C.

    Nothing in the question suggests a need for the company to retain some form of governance; option D is incorrect.

  60. A. As a cloud customer, the organization is not responsible for making up-front infrastructure purchases, which are capital expenditures.

    Cloud customers do, however, make continual operational expenditures for IT resources, in the form of their payments to cloud providers. Option B is incorrect.

    Modern business is driven by data as much as any other input, regardless of sector or industry; this does not change whether the organization operates in the cloud or in the traditional IT environment. Option C is incorrect.

    The cloud does not obviate the need to satisfy customers. Option D is incorrect.

  61. A. These are technical controls, automated systems that perform security functions.

    An argument could be made that there is an administrative component to these controls as well: the firewall rules, the DLP data discovery strategy, etc.—these are expressed in the form of a list or set of criteria, which might be viewed as an administrative control. However, the system itself (which is what the question asked) is still a technical control. Option A is preferable to option B.

    Because these devices/systems do not deter physical intrusion, but rather logical intrusion, they are not considered physical controls. Option C is incorrect.

    “Competing” is not a control type; option D is incorrect.

  62. A. The lines themselves are physical, which puts them at Layer 1.

    All the other options are simply incorrect.

  63. D. Layer 7 is the application’s entry point to networking.

    All the other options are simply incorrect.

  64. A. A virtual private network (VPN) creates a trusted path across an untrusted (often public) network (such as the Internet). It is highly recommended for cloud operations.

    Hypertext Markup Language (HTML) is used for displaying web pages; it is not inherently secure. Option B is incorrect.

    DEED is an invented term with no meaning in this context. Option C is incorrect.

    Domain Name System (DNS) is for resolving IP addresses to URLs; it has no inherent security benefits. Option D is incorrect.

  65. C. Tokenization is an approved alternative to encryption for complying with Payment Card Industry (PCI) requirements.

    Obfuscation and masking don’t really serve the purpose because they obscure data, making it unreadable; storing payment information that is unreadable does not aid in the efficiency of future transactions. Moreover, neither technique meets PCI requirements. Options A and B are incorrect.

    Hashing does not serve the purpose because it is a one-way conversion of data; there is no way to retrieve payment information for future transactions once it has been hashed. Option D is incorrect.

  66. D. This term has no meaning in this context and is only a distractor.

    All the other mechanisms can be (and are) used by DLP solutions to sort data.

  67. C. Many security solutions, particularly DLP and similar tools, require a “learning curve” as they become accustomed to new data sets/configurations in order to discriminate between false positives and actual data loss. One week is not enough time to get an accurate determination of the efficacy of these products, and waiting to gather more data over time is a good idea.

    The origin of the products probably does not matter in any significant way; options A and B are incorrect.

    Hastily migrating out of the current cloud environment (whether to another cloud provider or back on-premises) is reactionary and could prove expensive. Option D is incorrect.

  68. D. Senior management is always responsible for determining the risk appetite of any organization, regardless of where and how it operates.

    Neither the cloud provider, nor the ISP, nor federal regulators determine the risk appetite of your organization. Options A, B, and C are incorrect.

  69. B. Because you will be creating proprietary software, you will probably be most concerned with how it will function across many platforms, in a virtualized environment, and in an environment that you do not own or operate. Interoperability describes how well a system relates to other systems.

    Portability is always a concern for cloud customers, as it is an indication of how likely the customer is to be subject to the risk of vendor lock-in. However, because you are using your own proprietary software and not that of another company, this is not a major issue in this case. Option A is incorrect.

    Resiliency is how well an environment can withstand duress. Although this is of obvious importance to all organizations, it is usually seen as a defense against availability concerns; the question has more to do with interoperability, and thus option B is still preferable to option C.

    Nothing in the question suggests a need for the company to retain some form of governance; option D is incorrect.

  70. B. Platform as a service (PaaS) allows a software development team to test their product across multiple OSs and hosting platforms, without the need for the customer to manage each one.

    Although infrastructure as a service (IaaS) could offer similar cross-platform benefits, it would require additional effort and expertise on the part of the customer, which would not be nearly as appealing and efficient. Option A is incorrect.

    Software as a service (SaaS) does not allow the customer to install software and would be useless for this purpose, making option C incorrect.

    LaaS is not a cloud service model and has no meaning in this context. Option D is incorrect.

  71. A. Both ISO 31000 and National Institute of Standards and Technology (NIST) 800-37 are risk management frameworks.

    Control Objectives for Information and Related Technology (COBIT) is ISACA’s framework for managing IT and IT controls, largely from a process and governance perspective. Though it includes elements of risk management, NIST 800-37 is still closer in nature to ISO 31000, so option A is preferable to B.

    ITIL (Information Technology Infrastructure Library) is a framework mostly focused on service delivery as opposed to risk management; option C is incorrect.

    The General Data Protection Regulation (GDPR) is a European Union law regarding privacy information, not risk management; option D is incorrect.

  72. C. ENISA published Cloud Computing: Benefits, Risks, and Recommendations for Information Security, which is the publication described in the question.

    All the other options are standards bodies but do not have a publication that matches the description in the question as well.

  73. D. The Cloud Security Alliance is a volunteer organization that includes members from various industries and sectors and is focused on cloud computing. It relies largely on member participation for developing standards.

    All the other options are standards bodies that involve a specific board or other centralized authority for publishing requirements.

  74. A. Option A is the definition of the data subject.

    All the other options define other privacy-related roles.

  75. B. Option B is the definition of the data controller.

    All the other options define other privacy-related roles.

  76. C. Option C is the definition of the data processor.

    All the other options define other privacy-related roles.

  77. B. The data controller makes the determination of purpose and scope of privacy-related data sets.

    The other options are the names of other privacy-related roles.

  78. D. The data custodian is usually tasked with securing and maintaining the privacy data on a regular basis, on behalf and under the guidance of the controller and steward.

    The other options are the names of other privacy-related roles.

  79. D. The custodian is usually that specific entity in charge of maintaining and securing the privacy-related data on a daily basis, as an element of the data’s use.

    The compliance officer might be considered a representative of the data controller (your company), or perhaps the data steward, depending on how much actual responsibility and interaction with the data you have on a regular basis. Option A is not as accurate as option D.

    The cloud provider (and anyone working for the provider) would be considered the data processor under most privacy regulations; option B is incorrect.

    Your company is the data controller, the legal entity ultimately responsible for the data. Option C is incorrect.

  80. B. The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, numeric metrics. Jurisdiction is usually dictated by location instead, which should be included in the contract but is probably not useful to include in the SLA.

    All the other options are excellent examples of items that can and should be included in the SLA.

  81. A. When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform-agnostic data set is more portable and less subject to vendor lock-in.

    Availability may be an aspect of portability; the ease and speed at which the customer can access their own data can influence how readily the data might be moved to another provider. However, this is less influential than the format and structure of the data; option A is preferable to option B.

    Storage space has little to do with vendor lock-in; option C is incorrect.

    A list of OSs the provider offers might be influential for the customer’s decision of which provider to select, but it is not typically a constraining factor that would restrict portability. Option D is incorrect.

  82. B. The contract usually stipulates what kind of financial penalties are imposed when the provider fails to meet the SLAs (for instance, waiver for payment of a given service term). This is a huge motivating element for the provider.

    Regulatory oversight usually affects the customer, not the provider; option A is incorrect.

    The performance details are often included in the SLA but aren’t the motivating factor; option C is incorrect.

    In a perfect world, option D would be the correct answer; B is a better answer to this question, however.

  83. C. The cloud provider is usually allowed to suspend service to the customer if the customer fails to meet the contract requirements (specifically, not paying for the service in accordance with the contract terms). This can be fatal to a customer’s operations and is a great motivation to make timely payments.

    Option A is incorrect because the cloud provider would be the entity that would face financial penalties for not fulfilling the SLA.

    Options B and D are incorrect because regulatory oversight and media attention cannot be controlled by the contract between cloud provider and customer.

  84. B. Audits don’t really provide any perceptible effect on user experience.

    All the other options are good reasons for performing audits.

  85. D. The Cloud Controls Matrix is an excellent tool for determining completeness and possible replication of security controls.

    FIPS 140-2 is a list of cryptographic system products approved for use by U.S. federal customers; option A is incorrect.

    The GDPR is a European Union law regarding privacy; ostensibly, an audit could be performed to ensure that an organization is meeting the law’s requirements, but the law itself is not a tool for the purpose. Option B is incorrect.

    ISO 27001 details the information security management system an organization can adopt; it is not specifically a tool for reviewing cloud security controls. Option C is not correct.

  86. D. Federal Risk and Authorization Management Program (FedRAMP) is the U.S. program for federal entities operating in the cloud.

    The International Organization for Standardization (ISO) is an international standards body and does not dictate American government practices. Option A is incorrect.

    National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 is the Risk Management Framework (RMF), which is not specifically related to the cloud; option D is preferable to option B.

    The European Union Agency for Network and Information Security (ENISA) is a European Union standards body and does not dictate American government practices. Option C is incorrect.

  87. B. A ubiquitous baseline configuration used in a virtualized environment can serve as an artifact for auditors and enhance the audit process.

    The other options are common facets of cloud computing but do not typically serve the purpose of auditing.

  88. B. Variables, in general, aren’t useful for authentication; authentication requires a match against a template or a known quantity.

    All the other options are typical methods for enhancing authentication.

  89. C. This is a nonsense term, with no meaning in this context.

    All the other options are actual common identity federation standards.

  90. B. Multifactor authentication doesn’t typically utilize associative identification.

    All the other options are typical aspects used in multifactor authentication.

  91. D. Because the cloud environment can be accessed from any location (assuming good connectivity), the cloud customer is not required to maintain an expensive operational facility, either for primary or backup purposes.

    All the other options are common aspects of cloud computing, but don’t particularly serve BC/DR purposes.

  92. A. Rapid elasticity allows the cloud customer to scale cloud operations as necessary, including during contingency operations; this is extremely useful for BC/DR activities.

    All the other options are common aspects of cloud computing but don’t particularly serve BC/DR purposes.

  93. A. On-demand self-service allows the cloud customer to provision those production resources during a contingency without any delay in ordering or allocating those resources.

    All the other options are common aspects of cloud computing but don’t particularly serve BC/DR purposes.

  94. B. The data classification process is the organization’s formal means of determining value of its assets; this is extremely important to BC/DR efforts in that it can be useful in determining the critical path to be maintained during contingency events.

    The SDLC is a system development/acquisition tool; it doesn’t particularly assist in BC/DR efforts. Option A is incorrect.

    Honeypots are a threat intelligence tool; they don’t serve any useful BC/DR purpose. Option C is incorrect.

    Identity management is a part of the entitlement process but does not add any value to BC/DR efforts; option D is incorrect.

  95. B. DLP solutions typically have the capability to aid in asset valuation and location, both important facets of the BC/DR process.

    All the other options are common security tools but don’t really serve to enhance BC/DR efforts.

  96. A. Because cloud data is typically spread across more than one data center and these data centers can be geographically separated, a single natural disaster event may be less likely to reduce access to the data.

    All the other options are common aspects of cloud computing but don’t particularly serve BC/DR purposes.

  97. C. Egress-monitoring solutions do not typically predict contingency-level events and are not useful for the purpose.

    All the other options represent information sources that can aid in predicting BC/DR events.

  98. A. A hasty return to normal operations can put operations and personnel at risk if whatever caused the contingency situation has not yet been fully resolved.

    All the other options are common aspects of BC/DR preparation and do not typically pose a threat to the organization.

  99. D. A full test of the BC/DR plan can result in an actual disaster because it may involve interruption of service; the simulation can become the reality.

    All the other options are common aspects of BC/DR preparation and do not typically pose a threat to the organization.

  100. A. In containerization, the underlying hardware is not emulated; the container(s) run on the same underlying kernel, sharing the majority of the base OS.

    All the other options are aspects of containerization.

  101. D. Secure sanitization is not included in all (or even many) SDLC models.

    The other options are typical SDLC steps.

  102. C. Hardware confirmation is a meaningless term in this respect.

    All the other options represent common capabilities of API gateways.

  103. D. Cloud customers, with rare exception, will not be allowed to add hardware to the cloud data center.

    All the other options are various types of firewalls that a customer could implement in a cloud managed services environment.

  104. B. In a typical TLS handshake, the client sends the message (called ClientHello) that initiates the negotiation of the session.

    All the other options are incorrect.

  105. C. TLS usually relies on PKI certificates authenticated and issued by a trusted third party.

    All the other options are incorrect because they are not the usual means of establishing trust between the parties in a typical TLS session.

  106. A. In TLS, the parties will establish a shared secret, or symmetric key, for the duration of the session.

    All the other options are incorrect because they are not the form of cryptography used for the session key in a TLS session.

  107. A. In DevOps, the programmers continually work in close conjunction with the production team to ensure that the project will meet their needs.

    All the other options are simply incorrect.

  108. C. The Agile Manifesto specifically advocates for getting sample systems into the hands of the users as soon as possible in order to ensure that development is meeting customer needs. The Manifesto de-emphasizes all other elements of programming that slow down this effort, including documentation, planning, processes, and specific tools.
  109. C. Open source software includes programs where customers (or even the public) can view the software’s source code.

    Freeware and shareware are licensing arrangements and ways of distributing intellectual property. Options A and D are incorrect.

    Malware is harmful software designed for attack purposes; option B is incorrect.

  110. B. XML works better over the Internet than the binary messaging of the older technologies.

    SOAP is not particularly lightweight; in fact, it is kind of cumbersome. Option A is not true.

    SOAP is not especially more secure than DCOM or CORBA; option C is incorrect.

    SOAP is newer than the other technologies; however, that is not the reason it is preferable in a web context. Option B is still preferable to D.

  111. C. REST calls web resources by using uniform resource identifiers (URIs).

    Extensible Markup Language (XML) may be used for REST, but it is not a requirement as it is in Simple Object Access Protocol (SOAP). Option A is incorrect.

    Security Assertion Markup Language (SAML) is a form of XML used in passing identity assertions; option B is incorrect.

    Transport Layer Security (TLS) is a secure virtual private network (VPN) mechanism, not an element of SOAP. Option D is incorrect.

  112. A. JSON outputs are common for REST applications.

    All the other options are incorrect because they are not the form of output one would expect from REST.

  113. B. Sensitive data is often exposed inadvertently because of user error or lack of knowledge about the material. User training can offset a significant portion of this risk by informing users about the value of data assets and the proper use of controls and behaviors.

    Physical access control is important, but less for controlling exposure and more for preventing theft. Option B is preferable to A in this context.

    Policies are crucial but don’t actually offset the risk; they are the underlying structure for creating programs and methods for dealing with the risk. Option B is preferable to C in this case.

    Backup power has nothing to do with data exposure; therefore, option D is incorrect.

  114. B. Administrators will access devices during maintenance mode; blocking admin access would be contrary to the entire point of the activity.

    All other options are conditions that are true during maintenance mode.

  115. C. Live migration is the term used to describe the movement of functioning virtual instances from one physical host to another; it is how VMs are moved prior to maintenance on a physical device.

    VMs are moved as image snapshots when they are transitioned from production to storage; option A is incorrect.

    During live migration, the VM moves in unencrypted form. Option B is incorrect.

    Live migration goes over the network; portable media is not necessary. Option D is incorrect.

  116. B. IDS/IPS solutions do not elicit user input.

    All the other options are mechanisms used by IDS/IPS solutions to detect threats.

  117. D. Because the honeypot/honeynet is meant to be observed, production data in any form should not be included.

    All the other options are insufficient for the question; D is, by far, the best answer.

  118. B. The public does not have a need to know regarding proof of vulnerability scans.

    All the other options are legitimate recipients of proof of vulnerability scans.

  119. B. Logos and other identifying material are subject to trademark protections.

    The other options are also ways to protect intellectual property, but they are not usually associated with logos.

  120. C. Intellectual property disputes are usually settled in civil court, as a conflict among private parties.

    Because there was no agreement between your company and the competitor in question, there is no contract, so no breach of contract dispute is pertinent. Option A is incorrect.

    Although statutes concerning intellectual property protections exist, they are usually in the form of torts (that is, laws that define how civil actions can pursue restitution for private harm). This is not the government prosecuting someone in order to protect the public; criminal proceedings are rare when it comes to enforcing intellectual property rights. Option B is incorrect.

    The military does not often get involved in intellectual property disputes and most often uses the civil courts when it does. Option D is incorrect.

  121. C. Trademark protection is provided to those who apply for it, to either a state or federal trademark registration body. In the case of conflicting usage (or infringement), courts will take many criteria into account, including which party has first claim on the trademark (that is, who used it first), the location(s) where the trademark is used, the possibility for confusion among customers, and so forth. But for a specific location and specific business purpose, the deciding element will probably be which party first registered the trademark in question.

    All the other options may be factors the court takes into account when making its decision, but option C is the best answer.

  122. D. This is the definition of a SOC 3.

    All the other options are SSAE 18 reports but not the correct answer.

  123. D. This is the purpose of the SOC 3 report.

    All the other options are SSAE 18 reports but not the correct answer.

  124. B. Both Australia and New Zealand have privacy laws that the exam treats as conforming to EU privacy legislation. (Of the two, only New Zealand has actually received a formal EU adequacy decision; Australia’s Privacy Act is regarded as broadly compatible but has not.)

    All the other options are examples of countries that do not.

  125. A. Japan’s privacy law is sufficient to meet EU legislative requirements.

    Alaska is not a country—it is a state. Option B is wrong.

    Neither Belize nor Madagascar has privacy laws sufficient to meet EU requirements; options C and D are incorrect.

Chapter 8: Practice Exam 2

  1. C. A cloud reseller is a firm that contracts with both cloud providers and customers in order to arrange custom services.

    The cloud provider(s), in this case, would be those entities selling services to Cloud Services Corp. Option A is incorrect.

    The cloud customer, in this case, would be your company. Option B is incorrect.

    No aspect of the question describes a cloud database specifically. Option D is incorrect.

  2. C. Portability is the aspect of cloud computing that describes the ability to move data and operations away from a given cloud provider (either to another cloud provider or to an on-premises solution).

    All the other options are aspects of cloud computing but do not aid in addressing the concerns described in the question.

  3. D. While many cloud providers will offer these services (as well as many others), they are not defining characteristics of cloud computing.

    All the other options are defining characteristics of cloud computing.

  4. B. A platform as a service (PaaS) model will probably best suit your company’s needs as it allows the customer (your company) to install software and load data onto a hardware infrastructure owned and operated by the provider.

    An infrastructure as a service (IaaS) solution may be viable for this situation, because it allows the same functionality, but it also requires the customer (your company) to install and maintain the OS(s) that run the software. In looking to decrease cost of investment and maintenance, the PaaS model is probably preferable. Option A is not as good as option B, in this case.

    A software as a service (SaaS) model does not allow the customer to install software; option C is incorrect.

    A hybrid cloud model usually requires the customer to maintain at least part of the hardware infrastructure; given the situation described in this question, option D is not as good a fit as option B.

  5. A. Platform as a service (PaaS) models are particularly useful for performing software testing because the customer can install and run their own programs across multiple OSs/systems.

    A software as a service (SaaS) or infrastructure as a service (IaaS) model would not be optimal for software testing; options B and D are incorrect.

    A hybrid model describes a situation where ownership of the infrastructure is split between the provider and the customer, and a community cloud model involves the joint ownership of infrastructure among many providers and customers; these are deployment models, not the service model the question asks for. Option C is not correct.

  6. D. A software as a service (SaaS) model reduces customer involvement more than the other models; a public cloud deployment likewise reduces customer participation in ownership and maintenance of infrastructure.

    Infrastructure as a service (IaaS) and platform as a service (PaaS) models require the customer to participate in some administration of the environment; options A and B are incorrect.

    A private cloud entails customer involvement in at least the detailing of governance of the environment; option C is incorrect.

  7. C. In a software as a service (SaaS) model, the cloud provider is tasked with acquiring and managing the software licenses; the scale of a cloud provider’s operations can allow them to reduce the per-seat cost of software considerably.

    The customer is still responsible for some software licensing and maintenance activities (and therefore costs) in infrastructure as a service (IaaS) and platform as a service (PaaS) models; options A and B are incorrect.

    A hybrid deployment usually entails the customer maintaining some infrastructure elements, and that usually would also include software licensing requirements. Option D is incorrect.

  8. A. A public cloud deployment would probably best meet the needs of a company without a robust, trained IT staff. The cloud provider will be responsible for the greatest degree of administration and maintenance compared to the other options.

    Options B, C, and D would not be optimal choices for a cloud deployment model in this case, because each of them requires personnel with more experience/training. Options B, C, and D are incorrect.

  9. B. A private cloud arrangement allows the customer to have greater control of the governance and policy within an environment.

    All the other options are cloud deployment models that allow the customer less control over the environment as a whole.

  10. B. A private cloud model can allow the customer to have the greatest assurance of confidentiality compared to the other models.

    Options A, C, and D provide less confidentiality than option B and are therefore incorrect.

  11. C. A community cloud requires all participants to have some degree of ownership and responsibility for the cloud environment; this is the preferred model for cooperative ownership and collaboration among a group with a shared interest/goal.

  12. D. A hybrid model, in which the customer’s private cloud carries normal load and capacity spills over to a public provider only during periods of increased demand, is almost a textbook description of this arrangement and maps directly onto cloud bursting.

  13. B. A customer using proprietary software in a PaaS environment faces the risk that updates to the underlying OS(s) and/or hardware infrastructure will not be compatible with the customer’s software and will affect productivity.

    Cloud migration can, however, aid in reducing overhead costs, including energy costs associated with operating a data center, and can enhance BC/DR capability through the provider’s increased investment in redundancy and continuity.

  14. B. The service-level agreement creates financial incentive for the cloud provider to meet the customer’s needs on a consistent basis.

    Audits and regulators might help this effort, somewhat, by ensuring that the provider adheres to certain mandates and standards, but these are less convincing (and occur after the fact of delivery) than profit motive. Options A and C are incorrect.

    Training does not really aid the efforts described in the question; option D is incorrect.

  15. C. By spreading costs over time, a business can reduce the risk that there will be a lack of money at any given time, impacting operations.

    A shift from a capital expenditure scheme to an operational expenditure arrangement does not necessarily mean that overall costs decrease; in fact, costs might very likely increase because the sum of the OpEx installments may total more than the CapEx would have been. Option A is incorrect.

    CapEx usually reduces tax exposure because it allows for depreciation of assets, whereas OpEx does not. Option B is not correct.

    Whether the business uses CapEx or OpEx financing does not necessarily increase or decrease profit. Option D is incorrect.

  16. B. This is a complicated question and requires a significant amount of understanding of control types.

    A firewall uses aspects of administrative controls. The firewall policy is a set of rules that dictate the type of traffic and source/destination of that traffic. Option A is incorrect.

    Firewalls can be set to change activity in reaction to detected threats, which is a corrective action; option C is incorrect.

    Firewall rules can also prevent certain kinds of traffic/access; option D is incorrect.

    However, the effect of a deterrent control is the result of its perception by someone who might engage in wrongdoing—unless it is perceived, the control is not really a deterrent. Most firewalls don’t function in that manner; they are transparent to both legitimate users and attackers. Option B is therefore correct.

  17. A. All of the other options are incorrect. Option D is incorrect because there is no Layer 8 in the Open Systems Interconnection (OSI) model.
  18. B. Generic routing encapsulation (GRE) is a tunneling mechanism, specifically designed for the purpose.

    Internet Protocol Security (IPSec) can operate in tunnel mode or in transport mode, so it is not specifically a tunneling mechanism. Option A is incorrect.

    Infrastructure as a service (IaaS) may or may not use tunneling for remote access/administration; option C is incorrect.

    Extensible Markup Language (XML) is a format for communicating data; option D is incorrect.

  19. B. SSH does not offer content filtering. It does offer all the services listed in the other options.
  20. B. TLS uses asymmetric cryptography during the handshake (for key exchange and server authentication) to establish a symmetric session key; that symmetric key then protects the bulk of the traffic.
  21. B. ITIL was specifically designed to address service delivery entities (it originated with the UK government’s Central Computer and Telecommunications Agency) and how they provide service to their customers.

    SABSA is a means of looking at security capabilities from a business perspective; option A is incorrect.

    COBIT is designed for all types of business, regardless of their purpose; option C is incorrect.

    TOGAF is a means to incorporate security architecture with the overall business architecture; option D is incorrect.

  22. D. The TCI does not, specifically, require cost-effectiveness of cloud services.

    All the other options are principles detailed in the TCI.

  23. B. Tokenization is not typically an aspect of DLP solutions. All the other options are.
  24. A. The data discovery facet of DLP solutions can aid an organization in gathering applicable evidence, especially in response to a legal request such as a subpoena (this is often termed e-discovery).

    Tools cannot deliver testimony; only people can testify. Option B is incorrect.

    DLP solutions do not perform prosecutorial work; that is the function of law enforcement agencies. Option C is incorrect.

    While DLP tools can locate intellectual property assets, they do not, strictly speaking, enforce the rights attendant to those assets. Option A is still preferable to D in this case.

  25. B. DLP tools can function better if appropriate and accurate classification and labeling is applied throughout the environment and done on a consistent basis.

    All the other options are good aspects of a security program but not exactly germane to DLP function.

  26. B. Depending on the availability of the archive, it may be possible to use it to recover production data that has been accidentally or inadvertently deleted or destroyed.

    Archiving does not really offer any of the other benefits; when data is taken out of the production environment and put into long-term storage, the organization loses the capability to manipulate it and create new assets from it. Options A, C, and D are incorrect.

  27. B. Having a suitable backup, away from the main production environment, allows the organization to recover from contingency operations that have interrupted or affected the production environment.

    All the other options are not benefits directly associated with data archiving.

  28. A. In order to use the archive for recovery (either on a large scale for contingency operations or for granular recovery as a means of data discovery), the data needs to be of a format and type that can be utilized by the organization’s systems and environment. Saving data in the wrong format can be equivalent to losing the data.

    All the other options are important aspects of a data archiving policy but are not as important as option A (for instance, data that is not encrypted might pose a risk of loss, but data in the wrong format may not be recoverable at all).

  29. C. The cloud provider cannot typically require the destruction of the customer’s data simply because of its own (provider’s) policy. If this is an aspect of the contract between the provider and customer, that is another issue (and listed as another option in this question).

    The other options are all sources that may dictate the customer’s destruction of data.

  30. A. CDNs are often used in conjunction with SaaS services to deliver high-quality data of large sizes (often multimedia).

    Databases and data warehousing are typically associated with platform as a service (PaaS), where the provider owns and maintains the infrastructure and data management engine but the customer can install programs and interfaces to manipulate the data. Options B and D are incorrect.

    Volume storage is typically associated with infrastructure as a service (IaaS); option C is incorrect.

  31. C. The RTO is the measure of time after an interruption at which the company needs to resume critical functions; any service migration must take place within that time.

    RTOs vary for every organization; there is no set answer for all organizations. Options A and B might be correct for a given organization but incorrect in the general case because it’s impossible to know an organization’s RTO without knowing more about the organization.

    The RPO measures how much data loss is tolerable (expressed as the maximum acceptable age of the last good copy), not how quickly service must resume; option D is incorrect.

  32. D. This action defines the archive phase. All the other options are incorrect.
  33. A. Data should be labeled and classified as soon as it is created/collected.

    All the other options are incorrect.

  34. C. Internal theft is not listed in the OWASP Top Ten, probably because the list concerns web application security, not security overall.

    All the other options are included in the OWASP Top Ten.

  35. B. Backdoors are a particularly prevalent risk in software development because programmers legitimately use backdoors for ease of use and speed of delivery but may mistakenly (or even purposefully) leave the backdoors in the software after development, creating a hidden and significant vulnerability.

    All the other options should be concerns of any cloud customer, but they are not of specific or increased concern for this situation.

  36. B. Because the cost of creating new instances in the cloud environment is transparent to many users/offices, there is a significant likelihood that users/offices will create many new virtual machine (VM) instances without the knowledge/oversight of management. This can result in a very expensive surprise at the end of the payment period, when the organization receives the bill from the cloud provider.

    All the other options are management risks that do not have anything specific to do with the cloud environment and should not affect it/be affected by it.

  37. B. The Type I hypervisor is preferable, as it offers a smaller attack surface; it runs directly on the hardware rather than on top of a general-purpose host OS.

    All the other options increase risk and should not be recommended.

  38. B. Under current laws, the owner of the PII is legally responsible for data breach notifications, regardless of the circumstances of the breach; in this case, your company is the PII owner.

    All the other options are incorrect because those entities are not the owner of the PII.

  39. D. If anything, the audit trail for privileged users should be more detailed than that for regular users.

    All the other options are recommended techniques for privileged user management.

  40. C. Managing the encryption keys on-premises necessitates some elements of a hybrid cloud model; the key management is done on-premises, and the production takes place in the cloud.

    A public cloud arrangement would preclude the customer hosting the key management system on its premises; option A is incorrect.

    The service model is largely irrelevant to where the key management system is located; although customer-hosted key management is usually associated with a SaaS model, it is not strictly required. Options B and D are incorrect.

  41. D. Separation of duties dictates that one person/entity cannot complete an entire transaction alone. In the case of encryption, a single entity should not be able to administer the issuing of keys, encrypt the data, and store the keys, because this could lead to a situation where that entity has the ability to access or take encrypted data.

    All the other options are security principles but are not intrinsically applicable to the concept of storing encryption keys away from encrypted data.

  42. B. Option A is incorrect because RAID is a storage virtualization technology, used in traditional environments, that combines physical disk components into one or more logical units.

    Homomorphic encryption converts data into ciphertext that can be computed on as if it were in its original form; it is still far too slow for general use. Option C is incorrect.

    Option D is incorrect because it uses public and private key pairs to encrypt and decrypt data.

  43. C. Option A is incorrect because RAID is a storage virtualization technology, used in traditional environments, that combines physical disk components into one or more logical units.

    SSMS involves encrypting a data set, then splitting the data into pieces, splitting the key into pieces, then signing the data pieces and key pieces and distributing them to various cloud storage locations. Option B is incorrect.

    Option D is incorrect because it uses public and private key pairs to encrypt and decrypt data.

  44. B. This is a description of quantum computing.

    Option A is incorrect because it refers to a data transformation.

    Option C is a made-up term and is therefore incorrect.

    Option D is incorrect because it is a data dispersion term.

  45. C. Saved virtual instances are simply inert files, and they are very easy to copy and move.

    Encryption may be applied to data at rest (even VM snapshots); option A is incorrect.

    Insider threats within the cloud data center probably pose just as much risk to the storage nodes as the processing nodes; option B is incorrect.

    Option D is incorrect.

  46. C. The user interface to the virtualized instance can be handled by a variety of mechanisms, but it is not the function of the management plane.

    All the other options are resources provisioned to the virtual machine(s) by the management plane.

  47. C. The tabletop testing method is the least intrusive type of BC/DR test. All the other options are BC/DR testing methods that are more intrusive.
  48. D. There is no way to know if the backup actually serves the purpose until the organization tests a restoration.

    The other options are all backup options but do not actually demonstrate whether the backup is suitable for the business continuity and disaster recovery (BC/DR) requirements.

  49. C. The ubiquitous redundancy of systems and capabilities within most cloud data centers not only serves the provider’s requirement to meet customer service-level agreements but also enhances the data center’s (and the customer’s) resistance to disasters and interruptions.

    All the other options are characteristics of a cloud data center, but they don’t serve much BC/DR purpose; option C is the best choice.

  50. C. Returning to normal operations can result in a second disaster if the conditions created by the initial disaster (which created the need to run the BC/DR plan) have not fully been addressed/resolved.

    An inadvertent initiation of the plan can result in a disaster, but that would only be one disaster, not two; for instance, if senior management got faulty information during the event anticipation phase and decided to switch to contingency operations, but there was no actual causative event, that would be a single disaster. Options A and D are incorrect.

    The act of planning and crafting policy cannot take the form of a disaster. Option B is incorrect.

  51. B. The BIA lists the assets of the organization and states their importance, value, and criticality. This can easily be used for BC/DR planning purposes.

    The SOC is an audit report; this does not aid in BC/DR planning. Option A is incorrect.

    The risk analysis and ALE calculation are used to select reasonable and cost-effective controls suitable for the environment; this does not aid in BC/DR efforts. Options C and D are incorrect.

  52. B. Typically, the cost of using the cloud for contingency operations will be much less than creating a physical alternate operating site.

    Usually, a cloud solution may also be faster and easier to engineer than a physical solution; options A and D are incorrect.

    “Larger,” in this context, has no meaning, because the “size” of the cloud is a misnomer; option C is incorrect.

  53. B. The Open Web Application Security Project (OWASP) is a volunteer organization that devises standards and solutions for web application development. All the other options are common federation technologies.
  54. B. The SOC 2, Type 1 audit reviews management’s selection and design of controls for the organization’s environment at a point in time.

    The SOC 1 audit reviews the accuracy and correctness of the organization’s financial reporting. Option A is incorrect.

    The SOC 3 is an attestation of an audit. Option C is incorrect.

    There is no SOC 4 report. Option D is incorrect.

  55. C. The SLA won’t typically include direct mention of the sorts of personnel security measures undertaken by the cloud provider. This may be mentioned, obliquely, in another part of the contract (that is, there may be some language that states that the provider is responsible for ensuring the trustworthiness of its personnel), but it is not a useful SLA element.

    All the other options are excellent items to include in an SLA.

  56. D. Fire suppression systems are physical control mechanisms commonly found in cloud data centers but are not an element of access control.

    All the other options are common physical access control mechanisms in a cloud data center.

  57. D. If external vendors need access to the cloud environment, that access should only be granted on an extremely limited and temporary basis.

    All the other options are common cloud access types and don’t necessarily need to be limited in duration.

  58. B. Guest escape is a prevailing threat in a virtualized, multitenant cloud environment and was not commonly found in traditional environments (those environments were typically not virtualized and did not serve more than one customer, the owning organization).

    All the other threats are currently faced by cloud customers but also existed in the traditional environment.

  59. B. This is the description of a NAS device.

    A SAN typically presents storage devices to users as attached/mounted drives. Option A is incorrect.

    An HSM is designed for cryptographic key generation, storage, and management; option C is incorrect.

    A CDN typically replicates multimedia content at multiple, geographically diverse locations to ensure high quality for recipients. Option D is incorrect.

  60. C. Because of the multitenant nature of public cloud services, processes and resources that are not properly isolated may create a situation where data could be disclosed to other cloud customers (neighboring tenants). This is a new threat that may result from the migration.

    All the other options are existing threats in the company’s current environment.

  61. A. This is a description of hot aisle containment.

    Cold aisle containment is a configuration where the fronts of devices face each other. Option B is incorrect.

    Option C is not relevant in this context. Option C is incorrect.

    Option D does not describe the data center configuration in the question. Option D is incorrect.

  62. A. Unused or poorly managed cabling can impede efficient air flow, increasing HVAC and energy costs and increasing the difficulty of optimizing temperature.

    While it is possible that mismanaged cabling could cause slip/trip/fall hazards, this is much less common in modern data centers; option A is preferable in this case.

    Cabling does not really have much of an environmental footprint, so discipline applied to cabling won’t affect the environment much, one way or the other; option C is incorrect.

    Regulators do not usually enforce cable management; option D is incorrect.

  63. C. The industry standard is 24 inches. All the other options are incorrect.
  64. C. Ideally, raised flooring should be used for no other purpose because any objects in that location would impede airflow. Therefore, options A, B, and D are incorrect because they defeat the purpose of the raised flooring design.
  65. B. Cold air is usually put through raised flooring because warm air naturally rises and using the raised flooring to conduct warm air would require an unnecessary and inefficient expenditure of energy.

    All the other options are incorrect as they include warmer air.

  66. B. Ionization-based smoke detectors use a trace amount of a radionuclide (typically americium-241) to ionize the air in the detection chamber, which sustains a small, constant electric current; smoke particles entering the chamber attach to the ions and reduce that current, triggering the alarm.

    Neither type uses the techniques described in the other options, as they are all incorrect answers.

  67. B. Pressure detection is not a common detection technology.

    All the other options are common fire detection methods.

  68. C. FM-200 is used as a replacement for older Halon systems specifically because it (unlike Halon) does not deplete the ozone layer.

    All the other options are true statements about FM-200 used in fire suppression.

  69. B. One of the properties that makes it desirable for fire suppression in a data center is that FM-200 does not leave a residue.

    All the other options are true statements about FM-200.

  70. B. DHCP servers do not normally orchestrate encryption.

    All the other options are common functions of DHCP servers.

  71. C. This question is challenging because it requires some abstract thought and all answers seem correct at first glance. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) do not secure data; they detect attack activity.

    Domain Name System Security Extensions (DNSSEC) protects data in transit by reducing the risk of DNS poisoning; Transport Layer Security (TLS) and Internet Protocol Security (IPSec) reduce the risk of eavesdropping and interception of data.

  72. D. Administrative access may be limited but not prevented.

    All the other options are common steps of OS hardening.

  73. B. The baseline configuration can be used as a template of controls applied throughout the environment.

    The BIA and financial records may offer an auditor insight into asset valuation/risk but will not provide meaningful data for a control audit. Options A and C are incorrect.

    The SOC 3 report is only an attestation by an auditor that an audit has taken place; it does not provide any useful information about security controls. Option D is incorrect.

  74. D. During maintenance mode, all maintenance activities should still be logged and tracked.

    All the other actions are recommended for a cloud node entering maintenance mode.

  75. B. This action is pointless and excessive; the option is a distractor.

    All the other options are actions the cloud provider should undertake when conducting scheduled maintenance.

  76. B. By definition, the tightly coupled cluster has a maximum capacity, whereas the loosely coupled cluster does not.

    The other options do not have a set maximum capacity and are therefore incorrect.

  77. C. OpenStack is an open source project for creating cloud environments regardless of hardware brand.

    The Open Web Application Security Project (OWASP) is a volunteer community focused on web application security and does not involve the use of any of the tools mentioned in the question. Option A is incorrect.

    OAuth is an authorization framework commonly used alongside identity federation, not a cloud-building toolset. Option B is incorrect.

    Mozilla is a company that produces and administers open source software such as the Firefox web browser. Option D is incorrect.

  78. C. Masking the data (such as replacing the majority of the credit card number with Xs, leaving only the last four digits in view) should suffice for the purpose; it allows the call center personnel to determine which card was used in the sale but does not reveal the card number to the call center.

    Encrypting the data in storage but allowing call center personnel to decrypt it creates a vast opportunity for fraud and abuse; option A is incorrect.

    Encrypting the data while the call center is trying to make the refund would be counterproductive; the call center personnel would be unable to determine which card gets the refund. Option B is incorrect.

    Relying on the customer to provide the correct card number invites inaccuracy and exposes the transaction to fraud; option D is not correct.
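    The masking approach described in this answer, as an added example that is not part of the exam text: a regular expression finds candidate card numbers in free-form text, a Luhn check confirms that a digit run really is a PAN rather than, say, an order number (the same recognition a DLP discovery engine relies on), and everything but the last four digits is replaced while separators are preserved so the call-center view still lines up. The sample note is constructed; 4111 1111 1111 1111 and 4242 4242 4242 4242 are well-known test numbers, not real cards.

```python
"""Added example: detect and mask primary account numbers (PANs) in text,
keeping only the last four digits. Sample text is constructed."""
import re
from typing import Tuple

# 13-19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4, fill: str = "X") -> str:
    """Replace all but the last `keep_last` digits; separators are kept so
    the masked value has the same layout as the original."""
    n_digits = sum(c.isdigit() for c in pan)
    n_mask = max(n_digits - keep_last, 0)
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(fill if seen < n_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_text(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in `text`; return (redacted text, count).
    Digit runs that fail Luhn (order IDs, ticket numbers) are left alone."""
    count = 0

    def _sub(m: "re.Match[str]") -> str:
        nonlocal count
        raw = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", raw)):
            return raw
        count += 1
        return mask_pan(raw)

    return _PAN_RE.sub(_sub, text), count


# Constructed call-center note (test card numbers only).
SAMPLE_NOTE = (
    "Refund requested for card 4111 1111 1111 1111 on order 1234567812345678; "
    "alternate card 4242-4242-4242-4242."
)


if __name__ == "__main__":
    redacted, n = redact_text(SAMPLE_NOTE)
    print(f"{n} PAN(s) masked:\n{redacted}")
```

    Masking is one-way: unlike the encryption-with-decrypt-rights approach rejected in option A, nothing the call center holds can be turned back into a full card number.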

  79. C. Describe is not a common phase in the SDLC; the software should be described in the Define phase.

    All the other options are common phases of the SDLC.

  80. D. Business requirements are paramount because they incorporate the elements of all the other options as well as additional inputs.
  81. D. A DAM can recognize and block malicious SQL traffic.

    A WAF is a Layer 7 firewall that understands hostile HTTP traffic. Option A is incorrect.

    An API gateway filters API traffic. Option B is incorrect.

    DLP solutions are used for egress monitoring, not incoming SQL commands. Option C is incorrect.

  82. B. PaaS is optimal for software testing as it allows the software to run across multiple platforms/OSs.

    All the other options are service/deployment models that are not as well suited to software testing as PaaS.

  83. C. Sandboxing allows software to be run in an isolated environment, which can aid in error detection.

    Software testing should not include raw production data, so there is no purpose for using DLP and DRM solutions; options A and B are incorrect.

    The WAF is used to filter web traffic; in the testing environment, there should not be any live traffic going to the software. Option D is incorrect.

  84. B. Open source review can detect flaws that a structured testing method might not.

    Vulnerability scans will only detect known problems, not programming defects that have not yet been identified; option A is incorrect.

    Neither SOC audit nor regulatory review has anything to do with finding software flaws; options C and D are incorrect.

  85. D. Programmers have a vested interest in, and a specific perspective of, software they create. They can unduly influence testing outcomes, even unintentionally. It is best to prevent programmers from attending testing of software they helped create.

    All the other options are personnel who do not need to be present but will not necessarily exert undue influence on the testing process.

  86. B. The Agile method reduces the dependence and importance of documentation in favor of functioning software versions.

    All the other options are elements that will most likely be increased by transitioning to an Agile model.

  87. C. Agile requires interaction between developers and personnel who will use the software.

    All the other options are not essential roles in Agile development.

  88. D. Agile development is usually organized in relatively short iterations of effort, between a week and a month in duration.

    Dependence on planning is directly contrary to Agile methodology; option A is incorrect.

    In Agile, prototyping is favored over testing; option B is incorrect.

    Agile relies on cooperative development instead of stovepiped expertise; option C is incorrect.

  89. A. Agile development often involves daily meetings (called Scrums).

    Agile methodology spurns the use of specific tools and concrete planning; options B and C are incorrect.

    Agile also favors customer collaboration and prototyping instead of an elaborate contract mechanism; option D is incorrect.

  90. A. SOAP is a web service programming format that requires the use of XML.

    REST relies more often on uniform resource identifiers (URIs) than XML; option B is incorrect.

    SAML is a protocol for passing identity assertions over the Internet; option C is incorrect.

    DLP is a data egress monitoring tool; option D is incorrect.

  91. D. STRIDE does not address user security training.

    All the other options are aspects addressed by the STRIDE model.

  92. D. Every additional security measure might reduce a potential threat but definitely will reduce productivity and quality of service. There is always an overhead cost of security.
  93. B. ISO 27034 compliance requires an ANF for every application within the organization.

    Under 27034, the organization only needs one ONF, of which every ANF is a subset. Option A is incorrect.

    There is no INF. The term is a distractor; option C is incorrect.

    SOC 3 reports are for the Statement on Standards for Attestation Engagements (SSAE) standard, not ISO 27034; option D is incorrect.

  94. D. Chile does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do (Belgium is in the EU).
  95. C. South Korea does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do.
  96. D. Kenya does not currently have a federal privacy law that conforms to EU legislation. All the other options are countries that do (France is in the EU).
  97. C. This is an aspect of the current European Union (EU) legislation, known colloquially as “the right to be forgotten”—it is not an aspect of the OECD principles.

    All the other options are included in the OECD principles.

  98. D. The data subject is the person who is identified by personal data.

    All the other options are other privacy-data-related roles.

  99. C. The GDPR is the current prevailing EU privacy data legislation. It replaced the Data Directive. Privacy Shield is the program under which entities in non-adhering countries can still be allowed to process the personal data of EU citizens. SOX is an American law.
  100. C. The FTC is the local U.S. enforcement arm for most Privacy Shield activity.

    All the other options are U.S. government agencies not involved with Privacy Shield.

  101. B. Companies that are not in countries that have laws in accordance with the EU privacy regulations can instead opt for creating contract language that voluntarily complies with the laws.

    All the other options are incorrect because they do not allow non–European Union companies to process personal data of EU citizens.

  102. B. The data controller is legally liable for protecting any privacy data it has. All the other options are other data privacy roles that do not have ultimate legal responsibility.
  103. A. Level 1 is the initial level of maturity for a company and its processes; activity may be performed in an ad hoc manner.

    All the other options are greater maturity levels of the CMM.

  104. A. The ISO 27001 standard reviews an organization’s security in terms of an information security management system (ISMS), which involves a holistic view of the entire security program.

    ISO 27002 is a standard for applying controls to the ISMS; option B is incorrect.

    NIST 800-37 is the Risk Management Framework; option C is incorrect.

    SSAE is an audit standard for financial reporting and the controls within an environment; option D is incorrect.

  105. D. Because of the sensitive nature of the material covered in the SOC 2, Type 2 report, a cloud provider might not be willing to share it with any entity that does not have a financial stake in the cloud service.

    All the other options are entities that are unlikely to receive a SOC 2, Type 2 report from a cloud provider.

  106. B. The SOC 1 report reviews the accuracy and completeness of an organization’s financial reporting mechanisms.

    All the other options are incorrect.

  107. C. There are four PCI merchant levels, based on the number of transactions an organization conducts per year.

    All the other options are incorrect answers.

  108. D. The Common Criteria is a framework for reviewing product security functions, as stated by the vendor.

    The UL is a standards and certification entity concerned with product safety; option A is incorrect.

    FIPS 140-2 is a standard for certifying cryptographic modules; option B is incorrect.

    PCI DSS is a security standard for credit card merchants and processors; option C is incorrect.

  109. A. The lowest level of the FIPS 140-2 standard is 1. All the other options are incorrect.
  110. C. There are three levels of the CSA STAR program, and 3 is the highest. All the other options are incorrect.
  111. B. The CAIQ is the CSA’s mechanism for STAR applicants to evaluate their own service.

    The SOC reports are part of the Statement on Standards for Attestation Engagements (SSAE) 18 audit standard; option A is incorrect.

    The NIST RMF is only mandated for U.S. federal agencies and not part of the CSA purview; option C is incorrect.

    The ISMS is one of the ISO standards and not part of the CSA purview; option D is incorrect.

  112. C. Cloud carrier is a term describing the intermediary between cloud customer and provider that delivers connectivity; this is typically an ISP.

    Options A and B are other typical cloud computing roles; option D is not a term with any meaning in this context.

  113. C. In a centralized broker federation, the broker (typically a third party), acting as the identity provider, creates the SAML identity assertion tokens and delivers them to the relying parties.

    All the other options are distractors and not entities that are assigned specific roles in a federation motif.

  114. B. The CCM is a tool for determining control coverage for compliance with a variety of standards and regulations.

    All the other options are standards or regulations.

  115. D. The check involves two kinds of security elements: something you have (the check) and something you are (the biometric control, the signature).

    Option A is two elements of the same kind: something you know. This is incorrect.

    Option B is two elements of the same kind: something you are. This is incorrect.

    Option C is two elements of the same kind: something you have. This is incorrect.

  116. D. SLA elements should be objective, numeric values, for repeated activity.

    Options B and C are useful elements to be included in the contract, but not specifically the SLA. Options B and C are incorrect.

    Option A is too ambiguous; “excellent” is not a discrete value. Option A is incorrect.

  117. C. Option A is incorrect because software-defined networking refers to a networking architecture consisting of three layers: application, control, and infrastructure.

    Enterprise networking is a general term, not specifically related to the cloud. Option B is incorrect.

    Legacy networking or traditional networking is designed for traditional networks that use physical devices and components rather than virtual. Option D is incorrect.

  118. D. Quality of service (QoS) refers to the capability of a network to provide better service for certain traffic regardless of network type or topology.

    The other options contain uppercase and lowercase letters that may or may not be related to the cloud. Option D is the only option that answers the question correctly. The acronym QoS represents Quality of Service. QoS is used to set priorities for specific types of data to dependably run high-priority applications and traffic.

  119. C. Optimized for cloud deployments, the converged networking model combines the underlying storage and IP networks to maximize the benefits of a cloud workload.
  120. B. Criminal law is set out in rules and statutes created by a government, prohibiting certain activities as a means of protecting the safety and well-being of its citizens. Violations are generally punished by monetary penalties and/or loss of liberty.

    Tort law refers to the body of laws that provide remedies to individuals who have been caused harm by unreasonable acts of others. Negligence is the most common type of tort lawsuit. Therefore, option A is incorrect.

    Option C is incorrect because civil law pertains to contracts, property, and family law as opposed to crimes like murder and theft that are associated with criminal law.

    Contracts are agreements between parties to exchange goods and services; option D is incorrect.

  121. A. Solid-state disks (SSDs) are used in cloud computing today because they operate at high speeds as compared to traditional spinning drives.

    Option B is incorrect. SSDs do not necessarily last longer than magnetic drives.

    Options C and D are incorrect because SSDs are not noticeably easier or quicker to replace than traditional drives.

  122. A. The primary risks associated with virtualization are loss of governance, snapshot and image security, and sprawl.

    Options B and C are incorrect. Public awareness and increased costs are not risks associated with virtualization.

    Option D is incorrect because the loss of data is not associated with virtualization any more than the loss of data is associated with non-virtualization.

  123. A. The central processing unit (CPU) is the core of any and all systems, handling all the basic I/O instructions as they originate from the software.

    The question focuses on the handling of all input/output (I/O) instructions. Only the CPU does that. Options B, C, and D function as a result of the CPU handling all of I/O for the hypervisor, user interface, and supervising application. The CPU is the core of computing systems. Options B, C, and D are incorrect.

  124. D. The IETF is an international organization of network designers and architects who work together in establishing standards and protocols for the Internet.

    IANA oversees global IP address allocation among other Internet tasks. IANA does not establish standards and protocols for the Internet. Option A is incorrect.

    Option B is incorrect because the ISO/IEC develops, maintains, and promotes standards in information technology and information communication technology.

    Option C is incorrect because NIST is a federal government standards body in the U.S.

  125. D. The Advanced Encryption Standard (AES) is currently used to encrypt and protect U.S. government sensitive and secret data. There are variants, but the most common is 256-bit, which is virtually impossible to break today.

    Option A is incorrect because MD5 is a cryptographic hash function used to verify that a file has not been altered.

    SSL uses certificates to create a secure connection using encryption. Option B is incorrect.

    Blowfish is a symmetric-key block cipher that has been replaced by AES encryption. The U.S. government uses AES and not Blowfish. Option C is incorrect.
