WGU C838 - Managing Cloud Security Test Bank (Latest update) (2023/2024) ACTUAL EXAM QUESTIONS TESTED 2023/2024
WGU Course C838 - Managing Cloud Security

Which phase of the cloud data life cycle allows both read and process functions to be performed?
A. Create  B. Archive  C. Store  D. Share
Correct answer: A

Which phase of the cloud data security life cycle typically occurs simultaneously with creation?
A. Share  B. Store  C. Use  D. Destroy
Correct answer: B

Which phase of the cloud data life cycle uses content delivery networks?
A. Destroy  B. Archive  C. Share  D. Create
Correct answer: C

Which phase of the cloud data life cycle is associated with crypto-shredding?
A. Share  B. Use  C. Destroy  D. Store
Correct answer: C

Which cloud data storage architecture allows sensitive data to be replaced with unique identification symbols that retain all the essential information about the data without compromising its security?
A. Randomization  B. Obfuscation  C. Anonymization  D. Tokenization
Correct answer: D

Which methodology could cloud data storage utilize to encrypt all data associated with an infrastructure as a service (IaaS) deployment model?
A. Sandbox encryption  B. Polymorphic encryption  C. Client-side encryption  D. Whole-instance encryption
Correct answer: D

There is a threat to a banking cloud platform service. The developer needs to provide inclusion in a relational database that is seamless and readily searchable by search engine algorithms. Which platform as a service (PaaS) data type should be used?
A. Short-term storage  B. Structured  C. Unstructured  D. Long-term storage
Correct answer: B

Which platform as a service (PaaS) storage architecture should be used if an organization wants to store presentations, documents, and audio files?
A. Relational database  B. Block  C. Distributed  D. Object
Correct answer: D

Which technique scrambles the content of data using a mathematical algorithm while keeping the structural arrangement of the data?
A. Dynamic masking  B. Format-preserving encryption  C. Proxy-based encryption  D. Tokenization
Correct answer: B

Which encryption technique connects the instance to the encryption instance that handles all crypto operations?
A. Database  B. Proxy  C. Externally managed  D. Server-side
Correct answer: B

Which type of control should be used to implement custom controls that safeguard data?
A. Public and internal sharing  B. Options for access  C. Management plane  D. Application level
Correct answer: D

Which element is protected by an encryption system?
A. Ciphertext  B. Management engine  C. Data  D. Public key
Correct answer: C

A cloud administrator recommends using tokenization as an alternative for protecting data without encryption. The administrator needs to make an authorized application request to access the data. Which step should occur immediately before this action is taken?
A. The tokenization server returns the token to the application.  B. The tokenization server generates the token.  C. The application collects a token.  D. The application stores the token.
Correct answer: D

A company has recently defined classification levels for its data. During which phase of the cloud data life cycle should this definition occur?
A. Use  B. Create  C. Share  D. Archive
Correct answer: B

Which jurisdictional data protection includes dealing with the international transfer of data?
A. Financial modernization  B. Secure choice authorization (SCA)  C. Sarbanes-Oxley Act (SOX)  D. Privacy regulation
Correct answer: D

Which jurisdictional data protection controls the ways that financial institutions deal with the private information of individuals?
A. Stored Communications Act (SCA)  B. Health Insurance Portability and Accountability Act (HIPAA)  C. Gramm-Leach-Bliley Act (GLBA)  D. Sarbanes-Oxley Act (SOX)
Correct answer: C

Which jurisdictional data protection safeguards protected health information (PHI)?
A. Directive 95/46/EC  B. Safe harbor regime  C. Personal Data Protection Act of 2000  D. Health Insurance Portability and Accountability Act (HIPAA)
Correct answer: D

How is the cloud service provider's compliance with legal and regulatory requirements verified when securing personally identifiable information (PII) data in the cloud?
A. Contractual agreements  B. Third-party audits and attestations  C. e-Discovery process  D. Researching data retention laws
Correct answer: B

Which security strategy is associated with data rights management solutions?
A. Unrestricted replication  B. Limited document type support  C. Static policy control  D. Continuous auditing
Correct answer: D

Who retains final ownership for granting data access and permissions in a shared responsibility model?
A. Customer  B. Developer  C. Manager  D. Analyst
Correct answer: A

Which data retention solution should be applied to a file in order to reduce the data footprint by deleting fixed content and duplicate data?
A. Backup  B. Caching  C. Archiving  D. Saving
Correct answer: C

Which data retention method stores a minimal amount of metadata together with the content?
A. File system  B. Redundant array  C. Object-based  D. Block-based
Correct answer: D

What is a key capability of security information and event management?
A. Intrusion prevention capabilities  B. Automatic remediation of issues  C. Centralized collection of log data  D. Secure remote access
Correct answer: C

Which data source provides auditability and traceability for event investigation as well as documentation?
A. Storage files  B. Packet capture  C. Network interference  D. Database tables
Correct answer: B

Which data source provides auditability and traceability for event investigation as well as documentation?
A. Network segmentation  B. Ephemeral storage  C. Database schema  D. Virtualization platform logs
Correct answer: D

Which technology is used to manage identity access management by building trust relationships between organizations?
A. Single sign-on  B. Multifactor authentication  C. Federation  D. Biometric authentication
Correct answer: C

Which term describes the action of confirming identity access to an information system?
A. Coordination  B. Concept  C. Access  D. Authentication
Correct answer: D

Which cloud computing tool is used to discover internal use of cloud services using various mechanisms such as network monitoring?
A. Data loss prevention (DLP)  B. Content delivery network (CDN)  C. Cloud access security broker (CASB)  D. Web application firewall (WAF)
Correct answer: C

Which cloud computing technology unlocks business value through digital and physical access to maps?
A. Multitenancy  B. Cloud application  C. Application programming interface  D. On-demand self-service
Correct answer: C

Which cloud computing tool may help detect data migrations to cloud services?
A. Uniform resource locator (URL) filtering  B. Cloud security gateways  C. Cloud data transfer  D. Data loss prevention
Correct answer: D

What is a key component of the infrastructure as a service (IaaS) cloud service model?
A. Allows choice and reduces lock-in  B. Supports multiple languages and frameworks  C. Ease of use and limited administration  D. High reliability and resilience
Correct answer: D

What is a key capability of infrastructure as a service (IaaS)?
A. Hosted application management  B. Converged network and IT capacity pool  C. Leased application and software licensing  D. Multiple hosting environments
Correct answer: B

Which option should an organization choose if there is a need to avoid software ownership?
A. Software as a service (SaaS)  B. Platform as a service (PaaS)  C. Containers as a service (CaaS)  D. Infrastructure as a service (IaaS)
Correct answer: A

Which cloud model offers access to a pool of fundamental IT resources such as computing, networking, or storage?
A. Infrastructure  B. Platform  C. Application  D. Data
Correct answer: A

In which situation could cloud clients find it impossible to recover or access their own data if their cloud provider goes bankrupt?
A. Vendor lock-in  B. Multitenant  C. Multicloud  D. Vendor lock-out
Correct answer: D

Which cloud deployment model is operated for a single organization?
A. Consortium  B. Hybrid  C. Public  D. Private
Correct answer: D

Which cloud model provides data location assurance?
A. Hybrid  B. Private  C. Community  D. Public
Correct answer: B

Which cloud model allows the consumer to have sole responsibility for management and governance?
A. Hybrid  B. Community  C. Private  D. Public
Correct answer: C

Which technology allows an organization to control access to sensitive documents stored in the cloud?
A. Digital rights management (DRM)  B. Database activity monitoring (DAM)  C. Identity and access management (IAM)  D. Distributed resource scheduling (DRS)
Correct answer: A

Which security technology can provide secure network communications from on-site enterprise systems to a cloud platform?
A. Domain name system security extensions (DNSSEC)  B. Internet protocol security (IPSec) virtual private network (VPN)  C. Web application firewall (WAF)  D. Data loss prevention (DLP)
Correct answer: B

How do immutable workloads affect security overhead?
A. They reduce the management of the hosts.  B. They automatically perform vulnerability scanning as they launch.  C. They restrict the number of instances in a cluster.  D. They create patches for a running workload.
Correct answer: A

Which document addresses CSP issues such as guaranteed uptime, liability, penalties, and the dispute mediation process?
A. General data protection regulation (GDPR)  B. Service organization control 3 (SOC 3)  C. Service level agreement (SLA)  D. Common criteria assurance framework (CC)
Correct answer: C

Which design principle of secure cloud computing ensures that the business can resume essential operations in the event of an availability-affecting incident?
A. Disaster recovery  B. Resource pooling  C. Access control  D. Session management
Correct answer: A

Which design principle of secure cloud computing ensures that users can utilize data and applications from around the globe?
A. Portability  B. Scalability  C. On-demand self-service  D. Broad network access
Correct answer: D

Which design principle of secure cloud computing involves deploying cloud service provider resources to maximize availability in the event of a failure?
A. Elasticity  B. Resiliency  C. Scalability  D. Clustering
Correct answer: B

Which item should be part of the legal framework analysis if a company wishes to store prescription drug records in a SaaS solution?
A. Sarbanes-Oxley Act  B. Health Insurance Portability and Accountability Act  C. Federal Information Security Modernization Act  D. U.S. Patriot Act
Correct answer: B

Which standard addresses practices related to acquisition of forensic artifacts and can be directly applied to a cloud environment?
A. NIST SP 500-291  B. ISO/IEC 27001  C. NIST SP 800-145  D. ISO/IEC 27050-1
Correct answer: D

Which regulation in the United States defines the requirements for a CSP to implement and report on internal accounting controls?
A. HIPAA  B. SOX  C. FERPA  D. GDPR
Correct answer: B

Which legislation must a trusted cloud service adhere to when utilizing the data of EU citizens?
A. GDPR  B. EMTALA  C. APPI  D. SOX
Correct answer: A

Which logical design decision can be attributed to required regulation?
A. Database writes/second  B. Retention periods  C. Retention formats  D. Database reads/second
Correct answer: B

Which service model influences the logical design by using additional measures in the application to enhance security?
A. Hybrid cloud  B. Public cloud  C. Software as a service (SaaS)  D. Platform as a service (PaaS)
Correct answer: C

Which environmental consideration should be addressed when planning the design of a data center?
A. Heating and ventilation  B. Utility power availability  C. Expansion possibilities and growth  D. Telecommunications connections
Correct answer: A

Which result is achieved by removing all nonessential services and software from devices for secure configuration of hardware?
A. Hardening  B. Maintenance  C. Patching  D. Lockdown
Correct answer: A

What is a component of device hardening?
A. Patching  B. Unit testing  C. Versioning  D. Configuring VPN access
Correct answer: A

Which technology typically provides security isolation in infrastructure as a service (IaaS) cloud computing?
A. Application instance  B. System image repository  C. Virtual machines  D. Operating systems
Correct answer: C

Which technology allows an administrator to remotely manage a fleet of servers?
A. KVM switch  B. VPN concentrator  C. Bastion host  D. Management plane
Correct answer: D

What part of the logical infrastructure design is used to configure cloud resources, such as launching virtual machines or configuring virtual networks?
A. Management orchestration software  B. Management plane  C. Identity access management  D. Database management
Correct answer: B

Which action enhances cloud security application deployment through standards such as ISO/IEC 27034 for the development, acquisition, and configuration of software systems?
A. Applying the steps of a cloud software development life cycle  B. Providing developer access to supporting components and services  C. Outsourcing the infrastructure and integration platform management  D. Verifying the application has an appropriate level of confidentiality and integrity
Correct answer: A

Which type of agreement aims to negotiate policies with various parties in accordance with the agreed-upon targets?
A. Privacy-level (PLA)  B. Service-level (SLA)  C. User license (ULA)  D. Operation-level (OLA)
Correct answer: B

Which regulation requires a CSP to comply with copyright law for hosted content?
A. SCA  B. DMCA  C. SOX  D. GLBA
Correct answer: B

Which element is a cloud virtualization risk?
A. Guest isolation  B. Electronic discovery  C. Licensing  D. Jurisdiction
Correct answer: A

Which risk is related to interception of data in transit?
A. Virtualization  B. Man-in-the-middle  C. Software vulnerabilities  D. Traffic blocking
Correct answer: B

Which method is being used when a company evaluates the acceptable loss exposure associated with a cloud solution for a given set of objectives and resources?
A. Business impact analysis  B. Business continuity planning  C. Risk appetite  D. Risk management
Correct answer: C

The security administrator for a global cloud services provider (CSP) is required to globally standardize the approaches for using forensics methodologies in the organization. Which standard should be applied?
A. International Organization for Standardization (ISO) 27050-1  B. Sarbanes-Oxley Act (SOX)  C. Cloud controls matrix (CCM)  D. International Electrotechnical Commission (IEC) 27037
Correct answer: A

Which detection and analysis technique is performed to capture a point-in-time picture of the entire stack at the time of an incident?
A. Collect metadata during alert  B. Examine configuration data  C. Create a snapshot using API calls  D. Review data access logs
Correct answer: C

A CSP operating in Australia experiences a security breach that results in disclosure of personal information that is likely to result in serious harm. Who is the CSP legally required to notify?
A. Information commissioner  B. Australian privacy foundation  C. Asian-Pacific privacy control board  D. Cloud Security Alliance
Correct answer: A

A CSP provides services in European Union (EU) countries that are subject to the network and information security (NIS) directive. The CSP experiences an incident that significantly affects the continuity of the essential services being provided. Who is the CSP required to notify under the NIS directive?
A. Data protection regulator  B. Competent authorities  C. Personal Information Protection Commission  D. Provider's services suppliers
Correct answer: B

A cloud customer is setting up communication paths with the cloud service provider that will be used in the event of an incident. Which action facilitates this type of communication?
A. Incorporating checks on API calls  B. Using existing open standards  C. Identifying key risk indicators (KRIs)  D. Performing a vulnerability assessment
Correct answer: B

Which security control does the software as a service (SaaS) model require as a shared responsibility of all parties involved?
A. Platform  B. Infrastructure  C. Data  D. Application
Correct answer: D

Which description characterizes the application programming interface (API) format known as representational state transfer (REST)?
A. Supports only extensible markup language (XML)  B. Provides a framework for developing scalable web applications  C. Delivers a slower performance with complex scalability  D. Tolerates errors at a high level
Correct answer:

Which issue occurs when a web browser is sent data without proper validation?
A. Insecure direct object access (IDOA)  B. Cross-site request forgery (CSRF)  C. Cross-site scripting (XSS)  D. Lightweight directory access protocol (LDAP) injection
Correct answer: C

Which security testing approach is used to review source code and binaries without executing the application?
A. Regression testing  B. Dynamic application security testing  C. Static application security testing  D. Fuzz testing
Correct answer: C

Which issue can be detected with static application security testing (SAST)?
A. Authentication  B. Performance  C. Threading  D. Malware
Correct answer: C

Which approach is considered a black-box security testing method?
A. Static application security testing  B. Binary code inspection  C. Dynamic application security testing  D. Source code review
Correct answer: C

Which primary security control should be used by all cloud accounts, including individual users, in order to defend against the widest range of attacks?
A. Multi-factor authentication  B. Logging and monitoring  C. Perimeter security  D. Redundant infrastructure
Correct answer: A

Which cloud infrastructure is shared by several organizations and supports a specific population that has shared concerns (e.g., mission, security requirements, policy, compliance considerations)?
A. Public  B. Community  C. Hybrid  D. Private
Correct answer: B

Which problem is known as a common supply chain risk?
A. Domain spoofing  B. Runtime application self-protection  C. Data breaches  D. Source code design
Correct answer: C

Which phase of the software development life cycle includes determining the business and security requirements for the application?
A. Designing  B. Developing  C. Defining  D. Testing
Correct answer: C

Which phase of the software development life cycle includes writing application code?
A. Defining  B. Designing  C. Implementing  D. Developing
Correct answer: D

Which method should the cloud consumer use to secure the management plane of the cloud service provider?
A. Network access control list  B. Disablement of management plane  C. Agent-based security tooling  D. Credential management
Correct answer: D

Which security threat occurs when a developer leaves an unauthorized access interface within an application after release?
A. Deprecated API  B. Easter egg  C. Persistent backdoor  D. Development operations
Correct answer: C

Which process prevents the environment from being over-controlled by security measures to the point where application performance is impacted?
A. Trusted cloud initiative (TCI)  B. Community cloud  C. Quality of service (QoS)  D. Private cloud
Correct answer: C

Which Open Web Application Security Project (OWASP) Top 9 Coding Flaws entry leads to security issues?
A. Direct object reference  B. Cross-site scripting  C. Denial-of-service  D. Client-side injection
Correct answer: A

Which identity management process targets access to enterprise resources by ensuring that the identity of an entity is verified?
A. Provisioning  B. Federation  C. Authentication  D. Policy management
Correct answer: C

Which technology improves the ability of transport layer security (TLS) to ensure privacy when communicating between applications?
A. Whole-disk encryption  B. Advanced application-specific integrated circuits (ASICs)  C. Virtual private networks (VPNs)  D. Volume encryption
Correct answer: B

Which multi-factor authentication (MFA) option uses a physical universal serial bus (USB) device to generate one-time passwords?
A. Transaction authentication numbers  B. Biometrics  C. Hard tokens  D. Out-of-band passwords
Correct answer: C

Which cloud infrastructure is shared by several organizations with common concerns, such as mission, policy, or compliance considerations?
A. Private cloud  B. Community cloud  C. Public cloud  D. Hybrid cloud
Correct answer: B

Which type of cloud deployment model is considered equivalent to a traditional IT architecture?
A. Public  B. Private  C. Hybrid  D. Community
Correct answer: B

Which security method should be included in a defense-in-depth, when examined from the perspective of a content security policy?
A. Technological controls  B. Contractual enforcement of policies  C. Training programs  D. Strong access controls
Correct answer: A

Which attack vector is associated with cloud infrastructure?
A. Seizure and examination of a physical disk  B. Licensing fees tied to the deployment of software based on a per-CPU licensing model  C. Data storage locations in multiple jurisdictions  D. Compromised API credentials
Correct answer: D

Which risk is associated with malicious and accidental dangers to a cloud infrastructure?
A. Regulatory noncompliance  B. Natural disasters  C. Personnel threats  D. External attacks
Correct answer: C

Which cloud-specific risk must be considered when moving infrastructure operations to the cloud?
A. Natural disasters  B. Lack of physical access  C. Denial of service  D. Regulatory violations
Correct answer: B

Which risk is controlled by implementing a private cloud?
A. Eavesdropping  B. Unauthorized access  C. Denial-of-service (DoS)  D. Physical security
Correct answer: D

Which countermeasure enhances redundancy for physical facilities hosting cloud equipment during the threat of a power outage?
A. Tier 2 network access providers  B. Radio frequency interference (RFI) blocking devices  C. Multiple and independent power circuits to all racks  D. Automated license plate readers (ALPR) at entry points
Correct answer: C

Which countermeasure helps mitigate the risk of stolen credentials for cloud-based platforms?
A. Key management  B. Multifactor authentication  C. Data sanitization  D. Host lockdown
Correct answer: B

Which control helps mitigate the risk of sensitive information leaving the cloud environment?
A. Web application firewall (WAF)  B. Disaster recovery plan (DRP)  C. Identity and access management (IAM)  D. Data loss prevention (DLP)
Correct answer: D

Which countermeasure mitigates the risk of a rogue cloud administrator?
A. Multifactor authentication  B. Data encryption  C. Platform orchestration  D. Logging and monitoring
Correct answer: D

Which consideration should be taken into account when reviewing a cloud service provider's risk of potential outage time?
A. The type of database  B. The number of cloud service offerings  C. The unique history of the provider  D. The provider's support services
Correct answer: C

Which cloud security control eliminates the risk of a virtualization guest escape from another tenant?
A. Dedicated hosting  B. Hardware hypervisor  C. File integrity monitor  D. Immutable virtual machines
Correct answer: A

Which cloud security control is a countermeasure for man-in-the-middle attacks?
A. Backing up data offsite  B. Reviewing log data  C. Using block data storage  D. Encrypting data in transit
Correct answer: D

Which data retention policy controls how long Health Insurance Portability and Accountability Act (HIPAA) data can be archived?
A. Applicable regulation  B. Data classification  C. Enforcement  D. Maintenance
Correct answer: A

Which disaster recovery (DR) site results in the quickest recovery in the event of a disaster?
A. Hot  B. Cold  C. Reserve  D. Passive
Correct answer: A

Where should the final data backup repository be located in the event that the disaster recovery plan is enacted for a CSP's disaster recovery (DR) service?
A. Local storage  B. Cloud platform  C. Company headquarters  D. Tape drive
Correct answer: B

Which technology should be included in the disaster recovery plan to prevent data loss?
A. Offsite backups  B. Locked racks  C. Video surveillance  D. System patches
Correct answer: A

Which disaster recovery plan metric indicates how long critical functions can be unavailable before the organization is irretrievably affected?
A. Maximum allowable downtime (MAD)  B. Recovery point objective (RPO)  C. Mean time to switchover (MTS)  D. Recovery time objective (RTO)
Correct answer: A

Which assumption about a CSP should be avoided when considering risks in a disaster recovery (DR) plan?
A. Continuity planning  B. Costs will remain the same  C. Level of resiliency  D. Provider's history
Correct answer: C

An architect needs to constrain problems to a level that can be controlled when the problem exceeds the capabilities of disaster recovery (DR) controls. Which aspect of the plan will provide this guarantee?
A. Ensuring data backups  B. Evaluating portability alternatives  C. Managing plane controls  D. Handling provider outages
Correct answer: D

Which aspect of business continuity planning considers the alternatives to be used when there is a complete loss of the provider?
A. Managing plane controls  B. Ensuring resiliency  C. Managing cloud provider outages  D. Considering portability options
Correct answer: D

What is a key method associated with a risk-based approach to business continuity planning?
A. Applying internal authentication and credential passing  B. Leveraging software-defined networking  C. Using existing network technology  D. Considering the degree of continuity required for assets
Correct answer: D

Which testing method must be performed to demonstrate the effectiveness of a business continuity plan and procedures?
A. Failover  B. Penetration  C. DAST  D. SAST
Correct answer: A

Which process involves the use of electronic data as evidence in a civil or criminal legal case?
A. eDiscovery investigations  B. Due diligence  C. Cloud governance  D. Auditing in the cloud
Correct answer: A

Which standard addresses the privacy aspects of cloud computing for consumers?
A. ISO 27018:2014  B. ISO 27017:2015  C. ISO 27001:2013  D. ISO 19011:2011
Correct answer: A

Which international standard guide provides procedures for incident investigation principles and processes?
A. ISO/IEC 27034-1:2011  B. ISO/IEC 27037:2012  C. ISO/IEC 27001:2013  D. ISO/IEC 27043:2015
Correct answer: D

Which group is legally bound by the general data protection regulation (GDPR)?
A. Only corporations located in countries that have adopted the GDPR standard  B. Only corporations headquartered in the EU  C. Only corporations that have operations in more than one EU nation  D. Only corporations that process the data of EU citizens
Correct answer: D

Which action is required for breaches of data under the general data protection regulation (GDPR) within 72 hours of becoming aware of the event?
A. Reporting to the supervisory authority  B. Informing consumer credit reporting services  C. Notifying the affected persons  D. Suspending the processing operations
Correct answer: A

Which penalty is imposed for privacy violations under the general data protection regulation (GDPR)?
A. Penalty up to 2% of gross income  B. Penalty up to 10 million Euros  C. Penalty up to 5% of gross income  D. Penalty up to 20 million Euros
Correct answer: D

Why is eDiscovery difficult in the cloud?
A. The process is time consuming.  B. The client may lack the credentials to access the required data.  C. The customer is responsible for their data on a multitenant system.  D. The cloud service provider may lack sufficient resources.
Correct answer: B

Which artifact may be required as a data source for a compliance audit in a cloud environment?
A. Customer SLAs  B. Quarterly revenue projections  C. Change management details  D. Annual actual-to-budgeted expense reports
Correct answer: C

Which artifact may be required as a data source for a regulatory compliance audit (e.g., HIPAA, PCI-DSS) in a cloud environment?
A. System performance benchmarks  B. Annual actual-to-budgeted expenses  C. System configuration details  D. Quarterly revenue projections
Correct answer: C

Which item would be a risk for an enterprise considering contracting with a cloud service provider?
A. Suspension of service if payment is delinquent  B. No SLA exclusion penalties  C. 99.99% uptime guarantees  D. Very expensive SLA provider penalties
Correct answer: A

Which risk during the eDiscovery process would limit the usefulness of the requested data from the cloud by third parties?
A. Authentication  B. Discovery by design  C. Native production  D. Direct access
Correct answer: C

Which type of control is important in order to achieve compliance for risk management?
A. Technical  B. Validation  C. Security  D. Privacy
Correct answer: C

Which requirement is included when exceptions, restrictions, and potential risks are highlighted in a cloud services contract?
A. Virtual machine and operating system  B. Regulatory and compliance  C. Load balancer algorithm  D. Stockholder expectations
Correct answer: B

Which item is required in a cloud contract?
A. Specifications for unit testing  B. Penalties for failure to meet SLA  C. Strategy for the SDLC  D. Diagrams for data flow structures
Correct answer: B

Which factor exemplifies adequate cloud contract governance?
A. The frequency with which contracts are renewed  B. The emphasis of privacy controls in the contract  C. The flexibility of data types in accordance with a contract  D. The bandwidth that is contractually provided
Correct answer: A

All of the following can result in vendor lock-in except:
A. Proprietary data formats  B. Statutory compliance  C. Unfavorable contract  D. Insufficient bandwidth
Correct answer: B

When a cloud customer uploads PII to a cloud provider, who becomes ultimately responsible for the security of that PII?
A. Cloud customer  B. The individuals who are the subjects of the PII  C. Cloud provider  D. Regulators
Correct answer: A

The generally accepted definition of cloud computing includes all of the following characteristics except:
A. On-demand services  B. Measured or metered service  C. Resource pooling  D. Negating the need for backups
Correct answer: D

All of these are reasons an organization may want to consider cloud migration, except:
A. Reduced operational expenses  B. Elimination of risks  C. Reduced personnel costs  D. Increased efficiency
Correct answer: B

The cloud deployment model that features organizational ownership of the hardware and infrastructure, and usage only by members of that organization, is known as:
A. Public  B. Hybrid  C. Motive  D. Private
Correct answer: D

All of these are features of cloud computing except:
A. Rapid scaling  B. On-demand self-service  C. Broad network access  D. Reversed charging configuration
Correct answer: D

Cloud Access Security Brokers (CASBs) might offer all the following services except:
A. IAM  B. BC/DR/COOP  C. Single sign-on  D. Key escrow
Correct answer: B

The cloud deployment model that features joint ownership of assets among an affinity group is known as:
A. Community  B. Hybrid  C. Public  D. Private
Correct answer: A

If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best?
A. PaaS  B. IaaS  C. Hybrid  D. SaaS
Correct answer: A

If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad?
A. Availability  B. Integrity  C. Authentication  D. Confidentiality
Correct answer: A

Which of the following is not a common cloud service model?
A. Programming as a Service  B. Software as a Service  C. Platform as a Service  D. Infrastructure as a Service
Correct answer: A

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as:
A. Private  B. Public  C. Hybrid  D. Latent
Correct answer: B

Cloud vendors are held to contractual obligations with specified metrics by:
A. Discipline  B. SLAs  C. Regulations  D. Law
Correct answer: B

We use which of the following to determine the critical paths, processes, and assets of an organization?
A. Business requirements  B. BIA  C. RMF  D. CIA triad
Correct answer: B

If a cloud customer wants a bare-bones environment in which to replicate their own enterprise for BC/DR purposes, which cloud service model would probably be best?
A. Hybrid  B. IaaS  C. PaaS  D. SaaS
Correct answer: B

The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as:
A. Vendor closure  B. Vendor lock-out  C. Vendor lock-in  D. Vending route
Correct answer: B

If a cloud customer wants a fully operational environment with very little maintenance or administration necessary, which cloud service model would probably be best?
A. Hybrid  B. SaaS  C. PaaS  D. IaaS
Correct answer: B

All of these technologies have made cloud service viable except:
A. Cryptographic connectivity  B. Smart hubs  C. Virtualization  D. Widely available broadband
Correct answer: B

If a service or solution does not meet all of the specified key characteristics listed below, it is said to be not true cloud computing. Please select the valid cloud computing characteristics out of the terms identified below. Each correct answer represents a complete solution. Choose all that apply.
1) Measured system  2) Broad network access  3) Resource pooling  4) Measured service  5) On-demand self-service  6) Selected self-service  7) Rapid expansion
A. All but 1 & 6  B. All but 2 & 5
Correct answer: A

_______ drive security decisions.
A. Public opinion  B. Business requirements  C. Surveys  D. Customer service responses
Correct answer: B

The process of hardening a device should include which of the following?
A. Encrypting the OS  B. Performing thorough personnel background checks  C. Using video cameras  D. Updating and patching the system
Correct answer: D

Which of the following is considered a physical control?
A. Doors  B. Ceilings  C. Carpets  D. Fences
Correct answer: D

The process of hardening a device should include all of the following, except:
A. Improve default accounts  B. Close unused ports  C. Delete unnecessary services  D. Strictly control administrator access
Correct answer: A

Which of the following is considered an administrative control?
A. Keystroke logging  B. Access control process  C. Biometric authentication  D. Door locks
Correct answer: B

All the following are ways of addressing risk, except:
A. Mitigation  B. Reversal  C. Acceptance  D. Transfer
Correct answer: B

In which cloud service model is the customer only responsible for the data?
A. SaaS  B. PaaS  C. IaaS  D. CaaS
Correct answer: A

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?
A. All of these  B. Administrative  C. Physical  D. Technological
Correct answer: A

To protect data on user devices in a BYOD environment, the organization should consider requiring all of the following, except:
A. DLP agents  B. Local encryption  C. Multifactor authentication  D. Two-person integrity
Correct answer: D

Devices in the cloud datacenter should be secure against attack. All the following are means of hardening devices, except:
A. Using a strong password policy  B. Removing default passwords  C. Strictly limiting physical access  D. Removing all admin accounts
Correct answer: D

The BIA can be used to provide information about all of the following, except:
A. BC/DR planning  B. Secure acquisition  C. Risk analysis  D. Selection of security controls
Correct answer: B

The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified?
A. Contract  B. RMF  C. BIA  D. MOU
Correct answer: A

Which of the following is considered a technological control?
A. Firing personnel  B. Firewall software  C. Fireproof safe  D. Fire extinguisher
Correct answer: B

In which cloud service model is the customer required to maintain and update only the applications?
A. SaaS  B. CaaS  C. IaaS  D. PaaS
Correct answer: D

In a cloud environment, encryption should be used for all the following, except:
A. Long-term storage of data  B. Near-term storage of virtualized images  C. Secure sessions/VPN  D. Profile formatting
Correct answer: D

Gathering business requirements can aid the organization in determining all of this information about organizational assets, except:
A. Criticality  B. Value  C. Usefulness  D. Full inventory
Correct answer: C

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?
A. Polyinstantiation  B. Quantum-state  C. Gastronomic  D. Homomorphic
Correct answer: D

In which cloud service model is the customer required to maintain the OS?
A. SaaS  B. PaaS  C. IaaS  D. CaaS
Correct answer: C

Risk appetite for an organization is determined by which of the following?
A. Contractual agreement  B. Legislative mandates  C. Senior management  D. Appetite evaluation
Correct answer: C

Which of the following best describes risk?
A Everlasting B The likelihood that a threat will exploit a vulnerability C Transient D Preventable correct answerB What is the risk left over after controls and countermeasures are put in place? A High B Null C Pertinent D Residual correct answerD The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data. correct answerAnonymization XaaS refers to the growing diversity of services available over the Internet via cloud computing as opposed to being provided locally, or on-premises. correct answerAnything as a Service (XaaS) An open source cloud computing and infrastructure as a service (IaaS) platform developed to help IaaS make creating, deploying, and managing cloud services easier by providing a complete stack of features and components for cloud environments. correct answerApache CloudStack A subset of the organizational normative framework (ONF) that contains only the information required for a specific business application to reach the targeted level of trust. correct answerApplication Normative Framework (ANF) A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or web tool. correct answerApplication Programming Interfaces (APIs) Software technology that encapsulates application software from the underlying operating system (OS) on which it is executed. correct answerApplication Virtualization The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station, or originator. correct answerAuthentication Establishes identity by asking who you are and determining whether you are a legitimate user. 
correct answerAuthentication The granting of right of access to a user, program, or process. correct answerAuthorization Eliminating the risk that is simply too high and cannot be compensated for with adequate control mechanism--a risk that exceeds the organization's appetite. correct answerAvoidance Usually involves splitting up and storing encrypted information across different cloud storage services. correct answerBit Splitting A blank volume that the customer or user can put anything into and it might allow more flexibility and higher performance. correct answerBlock storage An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. correct answerBusiness Impact Analysis (BIA) 1 The identity of persons who handle evidence between the time of commission of the alleged offense and the ultimate disposition of the case. It is the responsibility of each transferee to ensure that the items are accounted for during the time they are in his possession, that they are properly protected, and that there is a record of the names of the persons from whom he received the items and to whom he delivered those items, together with the time and date of such receipt and delivery. 2 The control over evidence. Lack of control over evidence can lead to its being discredited completely. Chain of custody depends on being able to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence so that it cannot in any way be changed and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering. 
correct answerChain of Custody Refers to a documentation that records all evidences need to be tracked and monitored from the time they are recognized as evidence and acquired for that purpose. correct answerChain of custody A third-party entity offering independent identity and access management (IAM) services to CSPs and cloud customers, often as an intermediary. correct answerCloud Access Security Broker (CASB) This individual is typically responsible for the implementation, monitoring, and maintenance of the cloud within the organization or on behalf of an organization (acting as a third party). correct answerCloud Administrator Short for cloud application, cloud app is the phrase used to describe a software application that is never installed on a local computer. Instead, it is accessed via the Internet. correct answerCloud App (Cloud Application) Typically responsible for adapting, porting, or deploying an application to a target cloud environment. correct answerCloud Application Architect A specification designed to ease management of applications—including packaging and deployment—across public and private cloud computing platforms. correct answerCloud Application Management for Platforms (CAMP) Someone who determines when and how a private cloud meets the policies and needs of an organization's strategic goals and contractual requirements from a technical perspective. Also responsible for designing the private cloud, being involved in hybrid cloud deployments and instances, and having a key role in understanding and evaluating technologies, vendors, services, and other skillsets needed to deploy the private cloud or to establish and function the hybrid cloud components. correct answerCloud Architect A third-party entity that manages and distributes remote, cloud-based data backup services and solutions to customers from a central data center. 
correct answerCloud Backup Service Provider Enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a physical disk, such as a hard drive or tape backup. correct answerCloud Backup Solutions A type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices to handle applications. correct answerCloud Computing Accounting software that is hosted on remote servers. correct answerCloud Computing Accounting Software Describes the main characteristics relevant to cloud computing and its customers. correct answerCloud computing certification A company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells them to its own customers. correct answerCloud Computing Reseller Ensures the various storage types and mechanisms utilized within the cloud environment meet and conform to the relevant service-level agreements (SLAs) and that the storage components are functioning according to their specified requirements. correct answerCloud Data Architect A database accessible to clients from the cloud and delivered to users on demand via the Internet. correct answerCloud Database Focuses on development for the cloud infrastructure. This role can vary from client tools or solutions engagements through systems components. Although developers can operate independently or as part of a team, regular interactions with cloud administrators and security practitioners are required for debugging, code reviews, and relevant security assessment remediation requirements. correct answerCloud Developer The process of making available one or more of the following services and infrastructures to create a public cloud computing environment: cloud provider, client, and application. 
correct answerCloud Enablement Software and technologies designed for operating and monitoring the applications, data, and services residing in the cloud. Cloud management tools help to ensure a company's cloud computing-based resources are working optimally and properly interacting with users and other services. correct answerCloud Management The process of transitioning all or part of a company's data, applications, and services from onsite premises behind the firewall to the cloud, where the information can be provided over the Internet on an on-demand basis. correct answerCloud Migration A phrase frequently used in place of platform as a service (PaaS) to denote an association to cloud computing. correct answerCloud Operating System (OS) The ability to move applications and their associated data between one cloud provider and another or between public and private cloud environments. The ability to move applications and associated data between one cloud provider and another, or between legacy and cloud environments. correct answerCloud Portability A service provider who offers customers storage or software solutions available via a public network, usually the Internet. correct answerCloud provider The deployment of a company's cloud computing strategy, which typically first involves selecting which applications and services will reside in the public cloud and which will remain onsite behind the firewall or in the private cloud. correct answerCloud Provisioning A type of hosting in which hosting services are made available to customers on demand via the Internet. Rather than being provided by a single server or virtual server, cloud server hosting services are provided by multiple connected servers that comprise a cloud. correct answerCloud Server Hosting Provides administrative assistance for the customer and the customer's data and processing needs. Examples include Amazon Web Services, Rackspace, and Microsoft's Azure. 
correct answerCloud Service Provider (CSP) Typically a third-party entity or company that looks to extend or enhance value to multiple customers of cloud-based services through relationships with multiple cloud service providers (CSPs). It acts as a liaison between cloud services customers and CSPs, selecting the best provider for each customer and monitoring the services. correct answerCloud Services Brokerage (CSB) The storage of data online in the cloud, wherein a company's data is stored in and accessible from multiple distributed and connected resources that comprise a cloud. correct answerCloud Storage Load and performance testing conducted on the applications and services provided via cloud computing—particularly the capability to access these services—to ensure optimal performance and scalability under a variety of conditions. correct answerCloud Testing Helps to review and analyze change and exception requests. correct answerCMB meeting In a community cloud configuration, resources are shared and dispersed among an affinity group. correct answerCommunity cloud The compute parameters of a cloud server are the number of central processing units (CPUs) and the amount of random access memory (RAM). correct answerCompute A service where data is replicated across the global Internet. A form of data caching, usually near geophysical locations of high use demand, for copies of data commonly requested by users. correct answerContent Delivery Network (CDN) Acts as a mechanism to restrict a list of possible actions down to allowed or permitted actions. correct answerControl The legal protection for expressions of ideas is known as "copyright" and it doesn't include ideas, specific words, slogans, recipes, or formulae. correct answerCopyright The relationship between the shareholders and other stakeholders in the organization versus the senior management of the corporation. 
correct answerCorporate Governance Involves all legal matters where the government is in conflict with any person, group, or organization that violates statutes. correct answerCriminal law The process of deliberately destroying the encryption keys that were used to encrypt the data originally. Involves encrypting the data with a strong encryption engine, and then taking the keys generated in that process, encrypting them with a different encryption engine, and destroying the keys. correct answerCrypto-Shredding A powerful tool to regularly review, inventory, and inspect usage and condition of the information that an organization owns. correct answerData audit Refers to the responsibility of the data owner which takes place in the Create phase and is assigned according to an overall organizational motif based on a specific characteristic of the given dataset. correct answerData classification Auditing and preventing unauthorized data exfiltration. correct answerData Loss Prevention (DLP) A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training. correct answerData Masking Describes the ease of moving information from one cloud provider to another or away from the cloud provider and back to a legacy enterprise environment. correct answerData portability A legal activity that might result in a host machine being confiscated or inspected by law enforcement or plaintiffs' attorneys. correct answerData seizure Provides some sort of structure for stored data; it is backend storage in the datacenter, accessed by users utilizing online apps. correct answerDatabase A database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. 
correct answerDatabase Activity Monitoring (DAM) In essence, a managed database service. correct answerDatabase as a Service (DBaaS) Refers to a kind of data analysis which is an outgrowth of the possibilities offered by the regular use of the cloud, also known as "big data." correct answerDatamining Entails multiple differing security controls protecting the same assets with a variety of technological levels. correct answerDefense in depth Using strong magnets for scrambling data on magnetic media such as hard drive and tapes. Involves applying strong magnetic fields to the hardware and media where the data resides, effectively making them blank. correct answerDegaussing Isolates network elements such as email servers that, because they can be accessed from trustless networks, are exposed to external attacks. correct answerDemilitarized Zone (DMZ) Refers to any type of attack that could cause the application to be unavailable. correct answerDenial of service Removes or reduces the authority and execution of security controls in the environment. correct answerDeployment model A form of virtual desktop infrastructure (VDI) that a third party outsources and handles. correct answerDesktop as a Service (DaaS) Focuses on security and encryption to prevent unauthorized copying, thus limiting distribution to only those who pay. correct answerDigital Rights Management (DRM) Reflects all the modifications to the environment in the asset inventory. correct answerDocumentation Describes the organization's responses during the test and performs some minimal actions. correct answerDry run The process of testing an application or software product in an operating state. correct answerDynamic Application Security Testing (DAST) e-Discovery refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence. 
Refers to the process of identifying and obtaining electronic evidence for either prosecutorial or litigation purposes. correct answere-Discovery An overt secret writing technique that uses a bidirectional algorithm in which humanly readable information (referred to as plaintext) is converted into humanly unintelligible information (referred to as ciphertext). Offers a degree of assurance that nobody without authorization will be able to access your data in a meaningful way. correct answerEncryption A special mathematical code that allows encryption hardware and software to encode and then decipher an encrypted message. correct answerEncryption Key Software that a business uses to assist in solving problems. correct answerEnterprise Application The set of processes and structures to systematically manage all risks to the enterprise. correct answerEnterprise Risk Management Refers to the ability of any user to gain permissions above their authorized level. correct answerEscalation of privilege An open source cloud computing and infrastructure as a service (IaaS) platform for enabling AWS-compatible private and hybrid clouds. correct answerEucalyptus A standard and model developed in Europe, which is responsible for producing cloud computing benefits, risks, and recommendations for information security. correct answerEuropean Union Agency for Network and Information Security (ENISA) A type of risk that includes malware, hacking, DoS/DDoS, man-in-the-middle attacks, and so on. correct answerExternal threat A National Institute of Standards and Technology (NIST) publication written to accredit and distinguish secure and well-architected cryptographic modules produced by private-sector vendors who seek to or are in the process of having their solutions and services certified for use in U.S. government departments and regulated industries that collect, store, transfer, or share data that is deemed to be sensitive but not classified as top secret. 
correct answerFederal Information Processing Standard (FIPS) 140-2 Governs the country against kidnapping or bank robbery and the criminal would be subject to prosecution or punishment. correct answerFederal law An arrangement that can be made among multiple enterprises allowing subscribers to use the same identification data to obtain access to the networks of all enterprises in the group. correct answerFederated Identity Management (FIM) A system that allows a single user authentication process across multiple information technology (IT) systems or even organizations. SSO is a subset of federated identity management (FIM), as it relates only to authentication and technical interoperability. correct answerFederated Single Sign-On (SSO) An association of organizations that facilitate the exchange of information and access to resources. correct answerFederation A tool which can be either hardware or software, or a combination of both, used to limit communications based on some criteria. correct answerFirewall An improperly designed or poorly configured hypervisor might allow for a user to leave the confines of their own virtualized instance. correct answerGuest escape A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protection of log files, and more. correct answerHardware Security Module (HSM) Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider (CSP) for processing without the requirement to decipher the data first. correct answerHomomorphic Encryption A developing technology that is intended to allow for processing of encrypted material without decrypting it first. correct answerHomomorphic encryption A tool used to detect, identify, isolate, and analyze attacks by attracting attackers. 
correct answerHoneypot A combination of public cloud storage and private cloud storage in which some critical data resides in the enterprise's private cloud whereas other data is stored and accessible from a public cloud storage provider. correct answerHybrid Cloud Storage The cloud provider creates and administers the hardware assets on which the customer's programs and data will ride. correct answerIaaS boundaries The security discipline that enables the right individuals to access the right resources at the right times for the right reasons. correct answerIdentity and Access Management (IAM) Responsible for (a) providing identifiers for users looking to interact with a system, (b) asserting to such a system that such an identifier presented by a user is known to the provider, and (c) possibly providing other information about the user that is known to the provider. This can be achieved via an authentication module that verifies a security token that can be accepted as an alternative to repeatedly and explicitly authenticating a user within a security realm. correct answerIdentity Provider The directory services for the administration of user accounts and their associated attributes. correct answerIdentity repositories The possibility that processing performed on one virtualized instance may be detected by other instances on the same host. correct answerInformation bleed A model that provides a complete infrastructure (servers and internetworking devices) and allows companies to install software on provisioned servers and control the configurations of all devices. Allows the customer to install all software, including operating systems (OSs) on hardware housed and connected by the cloud vendor. correct answerInfrastructure as a Service (IaaS) Allows an individual to correct any of their own information if it is inaccurate. 
correct answerIntegrity An issue in which the customer's software may not function properly with each new adjustment in the environment if the OS is updated by the provider. correct answerInteroperability issue Takes defensive action when suspicious activity is recognized (such as closing ports and services), in addition to sending alerts. correct answerIntrusion Prevention System (IPS) Represents an overview of application security. It introduces definitions, concepts, principles, and processes involved in application security. correct answerISO/IEC 27034-1 The geophysical location of the source or storage point of the data might have significant bearing on how that data is treated and handled. correct answerJurisdiction The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy. correct answerKey Management Entails a procedure that involves multiple people, each with access to only a portion of the key. correct answerKey recovery Describes those items that will be the first things that let you know something is inappropriate. correct answerKey risk indicator The practice of having multiple overlapping means of securing the environment with a variety of methods. correct answerLayered defenses Causes a wide variety of problems, including data loss, loss of control of devices, interruption of operations, and so forth. correct answerMalware The plane that controls the entire infrastructure. Because parts of it are exposed to customers independent of the network location, it is a prime resource to protect. correct answerManagement Plane A weak form of confidentiality assurance that replaces the original information with asterisks or Xs. A technique that hides the data with useless characters, e.g., showing only the last four digits of a social security number. correct answerMasking The measure of the average time between failures of a specific component or part of a system. 
correct answerMean time between failure (MTBF) The measure of the average time it should take to repair a failed component or part of a system. correct answerMean time to repair (MTTR) A process of taking steps to decrease the likelihood or the impact of the risk--this can take the form of controls/countermeasures and is usually where security practitioners are involved. correct answerMitigation A form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere. correct answerMobile Cloud Storage A method of computer access control that a user can pass by successfully presenting authentication factors from two or more independent credentials: what the user knows (password), what the user has (security token), and what the user is (biometric verification). correct answerMultifactor Authentication The concept of sharing resources with other cloud customers simultaneously. correct answerMultitenancy Multiple customers using the same public cloud. correct answerMultitenant A NIST publication written to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems. correct answerNational Institute of Standards and Technology (NIST) SP 800-53 Helps to check not only the hardware and the software but the distribution facets such as SDN control planes. correct answerNetwork monitoring A guide for implementing the risk management framework, which is a methodology for handling all organizational risks in a comprehensive manner. correct answerNIST SP 800-37 The assurance that a specific author actually did create and send a specific item to a specific recipient and that it was successfully received. With assurance of nonrepudiation, the sender of the message cannot later credibly deny having sent the message, nor can the recipient credibly claim not to have received it. 
correct answerNonrepudiation Informs an individual that personal information about them is being gathered or created. correct answerNotice The convoluting of code to such a degree that even if the source code is obtained, it is not easily decipherable. correct answerObfuscation Additional metadata, such as content type, redundancy required, and creation date, that is stored for a file. These objects are accessible through application programming interfaces (APIs) and potentially through a web user interface (UI). Stores all data in a filesystem and also gives access to the customers to the parts of the hierarchy to which they are assigned. correct answerObject Storage Allows a significant level of description, including the marking, labels, classification and categorization; it also enhances the opportunity for indexing capabilities. correct answerObject-based storage Leverages the Internet and cloud computing to create an attractive offsite storage solution with little hardware requirements for any business of any size. correct answerOnline Backup A framework of so-called containers for all components of application security best practices catalogued and leveraged by the organization. correct answerOrganizational Normative Framework (ONF) Used to alert administrators when usage approaches a level of capacity utilization that may affect SLA parameters. correct answerOS logging The cloud provider is responsible for installing, maintaining, and administering the OS(s). correct answerPaaS boundaries What is the intellectual property protection for a useful manufacturing innovation? A Trademark B Trade secret C Copyright D Patent correct answerD A form of cloud storage that applies to storing an individual's data in the cloud and providing the individual with access to the data from anywhere. 
correct answerPersonal Cloud Storage Any information relating to an identified or identifiable data subject; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity. correct answerPersonal Data Information that can be traced back to an individual user, such as name, postal address, or email address. Persona
Document information
- Uploaded on: June 30, 2023
- Number of pages: 220
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers