CCSP : Certified Cloud Security Professional (CCSP) : Part 23

  1. Best practices for key management include all of the following, except:

    • Ensure multifactor authentication
    • Pass keys out of band
    • Have key recovery processes
    • Maintain key security

    Explanation:
    We should do all of these except for requiring multifactor authentication, which is pointless in key management.

  2. Data labels could include all the following, except:

    • Distribution limitations
    • Multifactor authentication
    • Confidentiality level
    • Access restrictions

    Explanation:
    All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.

  3. What is the correct order of the phases of the data life cycle?

    • Create, Use, Store, Share, Archive, Destroy
    • Create, Archive, Store, Share, Use, Destroy
    • Create, Store, Use, Archive, Share, Destroy
    • Create, Store, Use, Share, Archive, Destroy

    Explanation:
    The other options are the names of the phases, but out of proper order.

  4. Cryptographic keys should be secured ________________ .

    • To a level at least as high as the data they can decrypt
    • In vaults
    • With two-person integrity
    • By armed guards

    Explanation:
    The physical security of crypto keys is of some concern, but guards or vaults are not always necessary. Two-person integrity might be a good practice for protecting keys. The best answer to this question is the first option, because it is always true, whereas the remaining options depend on circumstances.

  5. What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?

    • One-time pads
    • Link encryption
    • Homomorphic encryption
    • AES

    Explanation:
    AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.

  6. What are third-party providers of IAM functions for the cloud environment?

    • AESs
    • SIEMs
    • DLPs
    • CASBs

    Explanation:
    Data loss/leak prevention and protection (DLP) is a family of tools used to reduce the possibility of unauthorized disclosure of sensitive information. SIEMs are tools used to collate and manage log data. AES is an encryption standard.

  7. Data labels could include all the following, except:

    • Data value
    • Date of scheduled destruction
    • Date data was created
    • Data owner

    Explanation:
    All the others might be included in data labels, but we don’t usually include data value, since it is prone to change frequently, and because it might not be information we want to disclose to anyone who does not have a need to know.

  8. What are the U.S. Commerce Department controls on technology exports known as?

    • ITAR
    • DRM
    • EAR
    • EAL

    Explanation:
    EAR is a Commerce Department program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.

  9. All of these are methods of data discovery, except:

    • Label-based
    • User-based
    • Content-based
    • Metadata-based

    Explanation:
    All the others are valid methods of data discovery; user-based is a red herring with no meaning.

  10. The various models generally available for cloud BC/DR activities include all of the following except:

    • Private architecture, cloud backup
    • Cloud provider, backup from another cloud provider
    • Cloud provider, backup from same provider
    • Cloud provider, backup from private provider

    Explanation:
    This is not a normal configuration and would not likely provide genuine benefit.

  11. Which kind of SSAE audit reviews controls dealing with the organization’s controls for assuring the confidentiality, integrity, and availability of data?

    • SOC 1
    • SOC 2
    • SOC 3
    • SOC 4

    Explanation:
    SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.

  12. To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except:

    • Access to audit logs and performance data
    • DLP solution results
    • Security control administration
    • SIM, SIEM, and SEM logs

    Explanation:
    While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer. Security controls are the sole province of the provider.

  13. Which kind of SSAE audit report is most beneficial for a cloud customer, even though it’s unlikely the cloud provider will share it?

    • SOC 3
    • SOC 1 Type 2
    • SOC 2 Type 2
    • SOC 1 Type 1

    Explanation:
    The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.

  14. When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is:

    • Many states have data breach notification laws.
    • Breaches can cause the loss of proprietary data.
    • Breaches can cause the loss of intellectual property.
    • Legal liability can’t be transferred to the cloud provider.

    Explanation:
    State notification laws and the loss of proprietary data/intellectual property pre-existed the cloud; only the lack of ability to transfer liability is new.

  15. What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud?

    • Obfuscation
    • Elasticity
    • Mobility
    • Portability

    Explanation:
    Elasticity is the name for the benefit of cloud computing where resources can be apportioned as necessary to meet customer demand. Obfuscation is a technique to hide full raw datasets, either from personnel who do not have need to know or for use in testing. Mobility is not a term pertinent to the CBK.

  16. Countermeasures for protecting cloud operations against internal threats include all of the following except:

    • Mandatory vacation
    • Least privilege
    • Separation of duties
    • Conflict of interest

    Explanation:
    Conflict of interest is a threat, not a control.

  17. The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement?

    • IaaS
    • SaaS
    • Community cloud
    • PaaS

    Explanation:
    IaaS entails the cloud customer installing and maintaining the OS, programs, and data; PaaS has the customer installing programs and data; in SaaS, the customer only uploads data. In a community cloud, data and device owners are distributed.

  18. Countermeasures for protecting cloud operations against external attackers include all of the following except:

    • Continual monitoring for anomalous activity
    • Detailed and extensive background checks
    • Regular and detailed configuration/change management activities
    • Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines

    Explanation:
    Background checks are controls for attenuating potential threats from internal actors; external threats aren’t likely to submit to background checks.

  19. User access to the cloud environment can be administered in all of the following ways except:

    • Provider provides administration on behalf of the customer
    • Customer directly administers access
    • Third party provides administration on behalf of the customer
    • Customer provides administration on behalf of the provider

    Explanation:
    The customer does not administer on behalf of the provider. All the rest are possible options.

  20. Countermeasures for protecting cloud operations against internal threats include all of the following except:

    • Extensive and comprehensive training programs, including initial, recurring, and refresher sessions
    • Skills and knowledge testing
    • Hardened perimeter devices
    • Aggressive background checks

    Explanation:
    Hardened perimeter devices are more useful at attenuating the risk of external attack.