CCSP : Certified Cloud Security Professional (CCSP) : Part 21

  1. In which cloud service model is the customer required to maintain the OS?

    • IaaS
    • CaaS
    • PaaS
    • SaaS

    Explanation: 
    In IaaS, the service is bare metal, and the customer has to install the OS and the software; the customer then is responsible for maintaining that OS. In the other models, the provider installs and maintains the OS.

  2. When using a PaaS solution, what is the capability provided to the customer?

    • To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The provider does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    • To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    • To deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools that the consumer supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    • To deploy onto the cloud infrastructure provider-created or acquired applications created using programming languages, libraries, services, and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
    Explanation: 
    According to “The NIST Definition of Cloud Computing,” in PaaS, “the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.”
  3. What are SOC 1/SOC 2/SOC 3?

    • Audit reports
    • Risk management frameworks
    • Access controls
    • Software developments
    Explanation: 
    A SOC 1 is a report on controls at a service organization that may be relevant to a user entity’s internal control over financial reporting. A SOC 2 report is based on the existing SysTrust and WebTrust principles. The purpose of a SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, or privacy. A SOC 3 report is also based on the existing SysTrust and WebTrust principles, like a SOC 2 report. The difference is that the SOC 3 report does not detail the testing performed.
  4. Gathering business requirements can aid the organization in determining all of this information about organizational assets, except:

    • Full inventory
    • Criticality
    • Value
    • Usefulness
    Explanation: 
    When we gather information about business requirements, we need to do a complete inventory, receive accurate valuation of assets (usually from the owners of those assets), and assess criticality; this collection of information does not tell us, objectively, how useful an asset is, however.
  5. In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?

    • Physical
    • All of the above
    • Technological
    • Administrative
    Explanation: 
    Layered defense calls for a diverse approach to security.
  6. The BIA can be used to provide information about all the following, except:

    • BC/DR planning
    • Risk analysis
    • Secure acquisition
    • Selection of security controls
    Explanation: 
    The business impact analysis gathers asset valuation information that is beneficial for risk analysis and selection of security controls (it helps avoid putting the ten-dollar lock on the five-dollar bicycle), and criticality information that helps in BC/DR planning by letting the organization understand which systems, data, and personnel are necessary to continuously maintain. However, it does not aid secure acquisition efforts, since the assets examined by the BIA have already been acquired.
  7. Which of the following are cloud computing roles?

    • Cloud service broker and user
    • Cloud customer and financial auditor
    • CSP and backup service provider
    • Cloud service auditor and object
    Explanation: 
    The following groups form the key roles and functions associated with cloud computing. They do not constitute an exhaustive list but highlight the main roles and functions within cloud computing:
    – Cloud customer: An individual or entity that utilizes or subscribes to cloud-based services or resources.
    – CSP: A company that provides cloud-based platform, infrastructure, application, or storage services to other organizations or individuals, usually for a fee; otherwise known to clients “as a service.”
    – Cloud backup service provider: A third-party entity that manages and holds operational responsibilities for cloud-based data backup services and solutions to customers from a central data center.
    – CSB: Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple CSPs. It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services. The CSB can be utilized as a “middleman” to broker the best deal and customize services to the customer’s requirements. It may also resell cloud services.
    – Cloud service auditor: Third-party organization that verifies attainment of SLAs.
  8. Which of the following are considered to be the building blocks of cloud computing?

    • CPU, RAM, storage, and networking
    • Data, CPU, RAM, and access control
    • Data, access control, virtualization, and services
    • Storage, networking, printing, and virtualization
  9. Which of the following is considered a physical control?

    • Fences
    • Ceilings
    • Carpets
    • Doors
    Explanation: 
    Fences are physical controls; carpets and ceilings are architectural features, and a door is not necessarily a control: the lock on the door would be a physical security control. Although you might think of a door as a potential answer, the best answer is the fence; the exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.
  10. What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?

    • Quantum-state
    • Polyinstantiation
    • Homomorphic
    • Gastronomic
    Explanation: 
    Homomorphic encryption hopes to achieve that goal; the other options are terms that have almost nothing to do with encryption.
  11. Which of the following are distinguishing characteristics of a managed service provider?

    • Be able to remotely monitor and manage objects for the customer and proactively maintain these objects under management.
    • Have some form of a help desk but no NOC.
    • Be able to remotely monitor and manage objects for the customer and reactively maintain these objects under management.
    • Have some form of a NOC but no help desk.
    Explanation: 
    According to the MSP Alliance, typically MSPs have the following distinguishing characteristics:
    – Have some form of NOC service
    – Have some form of help desk service
    – Can remotely monitor and manage all or a majority of the objects for the customer
    – Can proactively maintain the objects under management for the customer
    – Can deliver these solutions with some form of predictable billing model, where the customer knows with great accuracy what her regular IT management expense will be
  12. To protect data on user devices in a BYOD environment, the organization should consider requiring all the following, except:

    • Multifactor authentication
    • DLP agents
    • Two-person integrity
    • Local encryption
    Explanation: 
    Although all the other options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic, and, if implemented, would require everyone in your organization to walk around in pairs while using their mobile devices.
  13. Tokenization requires two distinct _________________ .

    • Authentication factors
    • Personnel
    • Databases
    • Encryption
    Explanation: 
    In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data. Having two-factor authentication is nice, but certainly not required. Encryption keys are not necessary for tokenization. Two-person integrity does not have anything to do with tokenization.
  14. DLP can be combined with what other security technology to enhance data controls?

    • DRM
    • Hypervisor
    • SIEM
    • Kerberos
    Explanation: 
    DLP can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.
  15. What is the intellectual property protection for a confidential recipe for muffins?

    • Patent
    • Trademark
    • Trade secret
    • Copyright
    Explanation:
    Confidential recipes unique to the organization are trade secrets. The other answers listed are answers to other questions.
  16. Every security program and process should have which of the following?

    • Severe penalties
    • Multifactor authentication
    • Foundational policy
    • Homomorphic encryption
    Explanation: 
    Policy drives all programs and functions in the organization; the organization should not conduct any operations that don’t have a policy governing them. Penalties may or may not be an element of policy, and severity depends on the topic. Multifactor authentication and homomorphic encryption are red herrings here.
  17. DLP solutions can aid in deterring loss due to which of the following?

    • Inadvertent disclosure
    • Natural disaster
    • Randomization
    • Device failure
    Explanation: 
    DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.
  18. All policies within the organization should include a section that includes all of the following, except:

    • Policy adjudication
    • Policy maintenance
    • Policy review
    • Policy enforcement
    Explanation: 
    All the elements except adjudication need to be addressed in each policy. Adjudication is not an element of policy.
  19. Proper implementation of DLP solutions for successful function requires which of the following?

    • Physical access limitations
    • USB connectivity
    • Accurate data categorization
    • Physical presence
    Explanation: 
    DLP tools need to be aware of which information to monitor, which requires accurate data categorization (usually done upon data creation, by the data owners). DLPs can be implemented with or without physical access or presence. USB connectivity has nothing to do with DLP solutions.
  20. What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?

    • AES
    • Link encryption
    • One-time pads
    • Homomorphic encryption
    Explanation: 
    AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.