ISC2 CCSP Certified Cloud Security Professional Official Practice Tests - Mike Chapple - E-Book

Description

The only official CCSP practice test product endorsed by (ISC)2

With over 850 practice questions, all new for the 2022-2025 exam objectives, (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests, 3rd Edition gives you the opportunity to test your level of understanding and gauge your readiness for the Certified Cloud Security Professional (CCSP) exam long before the big day. These questions cover 100% of the CCSP exam domains and include answers with full explanations to help you understand the reasoning and approach for each. Logical organization by domain allows you to practice only the areas you need to bring you up to par, without wasting precious time on topics you've already mastered.

As the only official practice test product for the CCSP exam endorsed by (ISC)2, this essential resource is your best bet for gaining a thorough understanding of the topic. It also illustrates the relative importance of each domain, helping you plan your remaining study time so you can go into the exam fully confident in your knowledge.

When you’re ready, two practice exams allow you to simulate the exam day experience and apply your own test-taking strategies with domains given in proportion to the real thing. The online learning environment and practice exams are the perfect way to prepare and make your progress easy to track.

For this new Third Edition, cloud security experts Mike Chapple and David Seidl have delivered an all-new question set for the new CCSP 2022-2025 objectives. These authors are well known for their best-selling (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests, and now they've joined forces again to deliver the same high-caliber practice questions for the CCSP exam.


Page count: 530

Publication year: 2022




Table of Contents

Cover

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editors

Introduction

CCSP Certification

Taking the CCSP Exam

Computer-Based Testing Environment

Exam Retake Policy

Work Experience Requirement

Recertification Requirements

Using This Book to Practice

Sybex Online Learning Environment

CCSP Certified Cloud Security Professional Objectives

Chapter 1: Domain 1: Cloud Concepts, Architecture, and Design

Chapter 2: Domain 2: Cloud Data Security

Chapter 3: Domain 3: Cloud Platform and Infrastructure Security

Chapter 4: Domain 4: Cloud Application Security

Chapter 5: Domain 5: Cloud Security Operations

Chapter 6: Domain 6: Legal, Risk, and Compliance

Chapter 7: Practice Test 1

Chapter 8: Practice Test 2

Appendix: Answers to Review Questions

Chapter 1: Domain 1: Cloud Concepts, Architecture, and Design

Chapter 2: Domain 2: Cloud Data Security

Chapter 3: Domain 3: Cloud Platform and Infrastructure Security

Chapter 4: Domain 4: Cloud Application Security

Chapter 5: Domain 5: Cloud Security Operations

Chapter 6: Domain 6: Legal, Risk, and Compliance

Chapter 7: Practice Test 1

Chapter 8: Practice Test 2

Index

End User License Agreement


(ISC)2® CCSP® Certified Cloud Security Professional Official Practice Tests

Third Edition

 

Mike Chapple, Ph.D., CISSP, CCSP

David Seidl, CISSP

 

 

 

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada and the United Kingdom.

ISBN: 978-1-119-90940-8
ISBN: 978-1-119-90941-5 (ebk.)
ISBN: 978-1-119-90942-2 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: WILEY, the Wiley logo, Sybex, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2 and CCSP are registered trademarks or certification marks of the International Information Systems Security Certification Consortium, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022944049

Cover image: © Jeremy Woodhouse/Getty Images
Cover design: Wiley

 

For Robin, again, for another one

Acknowledgments

The authors would like to thank the many people who made this book possible. Those include Jim Minatel at Wiley Publishing who helped us extend the Sybex certification preparation franchise to include this title and has continued to champion with the International Information Systems Security Certification Consortium (ISC)2. Carole Jelen, our agent, tackles all the back-end magic for our writing efforts and worked on both the logistical details and the business side of the book with her usual grace and commitment to excellence. Sharif Nijim, our technical editor, pointed out many opportunities to improve our work and deliver a high-quality final product. John Sleeva served as our project manager and Archana Pragash served as our content refinement specialist. They both made sure everything fit together. Many other people we'll never meet worked behind the scenes to make this book a success, and we really appreciate their time and talents to make this next edition come together.

The authors, publisher and (ISC)2 would like to acknowledge and thank the previous edition author Ben Malisow for his dedicated effort to advance the cause of CCSP and cloud security education.

About the Authors

Mike Chapple, Ph.D., CISSP, CCSP, is an author of the best-selling CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Sybex, 2021), now in its ninth edition. He is an information security professional with two decades of experience in higher education, the private sector, and government.

Mike currently serves as Teaching Professor of IT, Analytics, and Operations at the University of Notre Dame's Mendoza College of Business. He previously served as Senior Director for IT Service Delivery at Notre Dame, where he oversaw the information security, data governance, IT architecture, project management, strategic planning, and product management functions for the university.

Before returning to Notre Dame, Mike served as Executive Vice President and Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force.

Mike has written more than 30 books, including Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett, 2021), CompTIA Security+ SY0-601 Study Guide (Wiley, 2021), CompTIA Cybersecurity Analyst+ (CySA+) Study Guide (Wiley, 2020), and the (ISC)2 Certified Information Systems Security Professional (CISSP) Study Guide (Wiley, 2021).

Mike earned both his BS and PhD degrees from Notre Dame in computer science and engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University. His IT certifications include the CISSP, Security+, CySA+, CISA, PenTest+, CIPP/US, CISM, CCSP, and PMP credentials.

Mike provides books, video-based training, and free study groups for a wide variety of IT certifications at his website, https://CertMike.com.

David Seidl, CISSP, is Vice President for Information Technology and CIO at Miami University. During his IT career, he has served in a variety of technical and information security roles, including serving as the Senior Director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's Director of Information Security and led Notre Dame's information security program. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business and has written books on security certification and cyberwarfare, including co-authoring the previous editions of CISSP (ISC)2 Official Practice Tests (Sybex, 2021) as well as CompTIA CySA+ Study Guide: Exam CS0-002, CompTIA CySA+ Practice Tests: Exam CS0-002, CompTIA Security+ Study Guide: Exam SY0-601, and CompTIA Security+ Practice Tests: Exam SY0-601, as well as other certification guides and books on information security.

David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as CISSP, CySA+, PenTest+, GPEN, and GCIH certifications.

About the Technical Editors

Sharif Nijim is an associate teaching professor of IT, Analytics, and Operations in the Mendoza College of Business at the University of Notre Dame, where he teaches undergraduate and graduate business analytics and information technology courses.

Before becoming part of the Mendoza faculty, Sharif served as the Senior Director for IT Service Delivery in the University of Notre Dame's Office of Information Technologies. In this role, he was part of the senior leadership team for the Office of Information Technologies, overseeing data stewardship, information security and compliance, learning platforms, product services, project management, and enterprise architecture. Prior to Notre Dame, Sharif co-founded and was a board member of a customer data integration company catering to the airline industry. Sharif also spent more than a decade building and performance-optimizing enterprise-class transactional and analytical systems for clients in the logistics, telecommunications, energy, manufacturing, insurance, real estate, healthcare, travel and transportation, and hospitality sectors.

Gareth Marchant started his professional career as an electrical engineer and has worked in information technology for over 20 years. He has held systems engineering and senior leadership roles in both private and public sector organizations. The central theme throughout his career has been systems architecture and design, covering a broad range of technical services but always focused on resiliency. Gareth currently lives in Nashville, TN, but has recovered IT operations in Florida following tornado strikes and many hurricanes.

Gareth is an (ISC)2 and EC-Council certified instructor and currently holds CISSP, CEH, ECIH, SSCP, GMON, CASP+, Security+, CySA+, Network+, Cybersec First Responder, Cyber Secure Coder, and other certifications, as well as a master's degree in computer information systems. In addition to cybersecurity certification prep, he also teaches information systems and cybersecurity courses as an adjunct instructor and is the author of the Official CompTIA CASP+ Self-Paced Study Guide.

John L. Whiteman is a security researcher for Intel Corporation with over 20 years' experience. He is a part-time adjunct cybersecurity instructor for the University of Portland and also teaches the UC Berkeley Extension's Cybersecurity Boot Camp. He holds multiple security certifications, including CISSP and CCSP. John holds an MSCS from Georgia Institute of Technology and a BSCS from Portland State University.

Justin Hensley has over 15 years of information technology and cybersecurity administration experience and is currently a cybersecurity architect and project manager for CloudFit Software, a managed service provider serving both federal and commercial customers. Previously, he was the Director of Information Security and Infrastructure at University of the Cumberlands and was responsible for the information security program and all infrastructure services for over 30,000 users at two campuses. Along with his experience in the field, he has also been an academician in the classroom for the last 8 years specializing in the fields of information technology and cybersecurity.

Dr. Hensley holds a BS in Computer Information Systems and Business Administration, an MBA, an MS in Information Systems Security, and a PhD in Information Technology with an emphasis in Cybersecurity. He also holds several certifications, including Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), and Certified Ethical Hacker (CEH). He currently serves on the board of Central Virginia Community College and as an adjunct instructor in the Liberty University School of Business.

Introduction

(ISC)2 CCSP® Certified Cloud Security Professional: Official Practice Tests, Third Edition is a companion volume to (ISC)2 CCSP® Certified Cloud Security Professional Official Study Guide, Third Edition. It includes questions in the formats that appear in the version of the CCSP Certification Exam Outline and exam that became effective on August 1, 2022. If you're looking to test your knowledge before you take the CCSP exam, this book will help you by providing more than 900 questions that cover the CCSP Common Body of Knowledge, with easy-to-understand explanations of both right and wrong answers.

If you're just starting to prepare for the CCSP exam, we highly recommend that you use (ISC)2 CCSP® Certified Cloud Security Professional Official Study Guide, Third Edition to help you learn about each of the domains covered by the CCSP exam. Once you're ready to test your knowledge, use this book to help find places where you may need to study more or to practice for the exam itself.

Since this book is a companion to the CCSP Study Guide, it is designed to mirror the experience of taking the CCSP exam. It contains multipart scenarios as well as standard multiple-choice questions similar to those you may encounter on the certification exam. The book is broken up into eight chapters: six domain-centric chapters with 100 or more questions about each domain, and two chapters that contain 150-question practice tests to simulate taking the exam.

CCSP Certification

The CCSP certification is offered by the International Information System Security Certification Consortium, or (ISC)2, a global nonprofit organization. The mission of (ISC)2 is to support and provide members and constituents with credentials, resources, and leadership to address cyber, information, software, and infrastructure security to deliver value to society. (ISC)2 achieves this mission by delivering the world's leading information security certification program. The CCSP is the cloud-focused credential in this series and is accompanied by several other (ISC)2 programs:

Certified Information Systems Security Professional (CISSP)

Systems Security Certified Practitioner (SSCP)

Certified Authorization Professional (CAP)

Certified Secure Software Lifecycle Professional (CSSLP)

HealthCare Information Security and Privacy Practitioner (HCISPP)

The CCSP certification covers six domains of cloud security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in cloud security roles:

Cloud Concepts, Architecture, and Design

Cloud Data Security

Cloud Platform and Infrastructure Security

Cloud Application Security

Cloud Security Operations

Legal, Risk, and Compliance

The CCSP domains are periodically updated by (ISC)2. The most recent revision, in August 2022, slightly modified the weightings: Cloud Data Security rose from 19% to 20% while Cloud Security Operations fell from 17% to 16%. It also added or expanded coverage of emerging topics in cloud security.

Complete details on the CCSP Common Body of Knowledge (CBK) are contained in the Exam Outline. It includes a full outline of exam topics and can be found on the (ISC)2 website at www.isc2.org.

Taking the CCSP Exam

The CCSP exam is administered in English, Chinese, German, Japanese, Korean, and Spanish using a computer-based testing format. Your exam will contain 150 questions with a four-hour time limit. You will not have the opportunity to skip back and forth as you take the exam; you have only one chance to answer each question correctly, so be careful!

Passing the CCSP requires achieving a score of at least 700 out of 1,000 points. It's important to understand that this is a scaled score, meaning that not every question is worth the same number of points: questions of differing difficulty may factor into your score more or less heavily. The CCSP is a linear (non-adaptive) exam, so every candidate sees the same fixed number of questions rather than a set adjusted to the test taker.

That said, as you work through these practice exams, you might want to use 70 percent as a goal to help you get a sense of whether you're ready to sit for the actual exam. When you're ready, you can schedule an exam at a location near you through the (ISC)2 website.

Questions on the CCSP exam use a standard multiple choice format where you are presented with a question and four possible answer choices, one of which is correct. Remember to read the full question and all of the answer options very carefully. Some of those questions can get tricky!

Computer-Based Testing Environment

The CCSP exam is administered in a computer-based testing (CBT) format. You'll register for the exam through the Pearson VUE website and may take the exam in any of the supported languages.

You'll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you'd like to become more familiar with the testing environment, the Pearson VUE website offers a virtual tour of a testing center:

https://home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx

When you take the exam, you'll be seated at a computer that has the exam software already loaded and running. It's a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from the Pearson VUE website:

www.vue.com/athena/athena.asp

Exam policies can change from time to time. We highly recommend that you check both the (ISC)2 and Pearson VUE sites for the most up-to-date information when you begin preparing, when you register, and again a few days before your scheduled exam date.

Exam Retake Policy

If you don't pass the CCSP exam, you shouldn't panic. Many individuals don't reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you'll have the benefit of familiarity with the CBT environment and CCSP exam format. You'll also have time to study the areas where you felt less confident.

After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you're not successful on that attempt, you must then wait 60 days before your third attempt and 90 days before your fourth attempt. You may not take the exam more than four times in any 12-month period.

Work Experience Requirement

Candidates who want to earn the CCSP credential must not only pass the exam but also demonstrate that they have at least five years of work experience in the information technology field. Your work experience must include three years of information security experience and one year of experience in one or more of the six CCSP domains.

Candidates who hold the CISSP certification may substitute that certification for the entire CCSP experience requirement. Candidates with the Cloud Security Alliance (CSA)'s Certificate of Cloud Security Knowledge (CCSK) may substitute that certification for one year of experience in the CCSP domains.

If you haven't yet completed your work experience requirement, you may still attempt the CCSP exam. Individuals who pass the exam are designated Associates of (ISC)2 and have six years to complete the work experience requirement.

Recertification Requirements

Once you've earned your CCSP credential, you'll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the CCSP exam.

Currently, the annual maintenance fees for the CCSP credential are $125 per year. This fee covers the renewal for all (ISC)2 certifications held by an individual.

The CCSP CPE requirement mandates earning at least 90 CPE credits during each three-year renewal cycle. Associates of (ISC)2 must earn at least 15 CPE credits each year. (ISC)2 provides an online portal where certificate holders may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.

Using This Book to Practice

This book is composed of eight chapters. Each of the first six chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world, scenario, and best-practice security knowledge. The final two chapters are complete practice exams that can serve as timed practice tests to help determine whether you're ready for the CCSP exam.

We recommend taking the first practice exam to help identify where you may need to spend more study time and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you're ready, take the second practice exam to make sure you've covered all of the material and are ready to attempt the CCSP exam.

Sybex Online Learning Environment

To practice in an online testing setting of the same questions, visit www.wiley.com/go/sybextestprep and register your book to get access to the Sybex Test Platform. Online, you can mix questions from the domain chapters and practice exams, take timed tests, and have your answers scored.

As you go through the questions in this book, please remember the abbreviation RTFQ, which is short for "read the full question." There is no better advice you can possibly receive than this. Read every word of every question. Read every possible answer before selecting the one you like. The exam is 150 questions over four hours. You have more than enough time to consider each question thoroughly. There is no cause for hurry. Make sure you understand what the question is asking before responding.

Good luck on the exam. We hope this book helps you pass.

Like all exams, the Certified Cloud Security Professional (CCSP) certification from (ISC)2 is updated periodically and may eventually be retired or replaced. At some point after (ISC)2 is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts, an error may occur.

To submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

CCSP Certified Cloud Security Professional Objectives

Domain 1 Cloud Concepts, Architecture, and Design

1.1. Understand cloud computing concepts

1.1.1 Cloud computing definitions

1.1.2 Cloud computing roles (e.g., cloud service customer, cloud service provider, cloud service partner, cloud service broker, regulator)

1.1.3 Key cloud computing characteristics (e.g., on-demand self-service, broad network access, multitenancy, rapid elasticity and scalability, resource pooling, measured service)

1.1.4 Building block technologies (e.g., virtualization, storage, networking, databases, orchestration)

1.2 Describe cloud reference architecture

1.2.1 Cloud computing activities

1.2.2 Cloud service capabilities (e.g., application capability types, platform capability types, infrastructure capability types)

1.2.3 Cloud service categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

1.2.4 Cloud deployment models (e.g., public, private, hybrid, community, multi-cloud)

1.2.5 Cloud shared considerations (e.g., interoperability, portability, reversibility, availability, security, privacy, resiliency, performance, governance, maintenance and versioning, service levels and Service Level Agreements (SLA), auditability, regulatory, outsourcing)

1.2.6 Impact of related technologies (e.g., data science, machine learning, artificial intelligence (AI), blockchain, Internet of Things (IoT), containers, quantum computing, edge computing, confidential computing, DevSecOps)

1.3 Understand security concepts relevant to cloud computing

1.3.1 Cryptography and key management

1.3.2 Identity and access control (e.g., user access, privilege access, service access)

1.3.3 Data and media sanitization (e.g., overwriting, cryptographic erase)

1.3.4 Network security (e.g., network security groups, traffic inspection, geofencing, zero trust network)

1.3.5 Virtualization security (e.g., hypervisor security, container security, ephemeral computing, serverless technology)

1.3.6 Common threats

1.3.7 Security hygiene (e.g., patching, baselining)

1.4 Understand design principles of secure cloud computing

1.4.1 Cloud secure data lifecycle

1.4.2 Cloud-based business continuity (BC) and disaster recovery (DR) plan

1.4.3 Business impact analysis (BIA) (e.g., cost-benefit analysis, return on investment (ROI))

1.4.4 Functional security requirements (e.g., portability, interoperability, vendor lock-in)

1.4.5 Security considerations and responsibilities for different cloud categories (e.g., Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))

1.4.6 Cloud design patterns (e.g., SANS security principles, Well-Architected Framework, Cloud Security Alliance (CSA) Enterprise Architecture)

1.5 Evaluate cloud service providers

1.5.1 Verification against criteria (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27017, Payment Card Industry Data Security Standard (PCI DSS))

1.5.2 System/subsystem product certifications (e.g., Common Criteria (CC), Federal Information Processing Standard (FIPS) 140-2)

Domain 2 Cloud Data Security

2.1 Describe cloud data concepts

2.1.1 Cloud data lifecycle phases

2.1.2 Data dispersion

2.1.3 Data flows

2.2 Design and implement cloud data storage architectures

2.2.1 Storage types (e.g. long term, ephemeral, raw storage)

2.2.2 Threats to storage types

2.3 Design and apply data security technologies and strategies

2.3.1 Encryption and key management

2.3.2 Hashing

2.3.3 Data obfuscation (e.g., masking, anonymization)

2.3.4 Tokenization

2.3.5 Data Loss Prevention (DLP)

2.3.6 Keys, secrets, and certificates management

2.4 Implement data discovery

2.4.1 Structured data

2.4.2 Unstructured data

2.4.3 Semi-structured data

2.4.4 Data location

2.5 Plan and implement data classification

2.5.1 Data classification policies

2.5.2 Data mapping

2.5.3 Data labeling

2.6 Design and implement Information Rights Management (IRM)

2.6.1 Objectives (e.g., data rights, provisioning, access models)

2.6.2 Appropriate tools (e.g., issuing and revocation of certificates)

2.7 Plan and implement data retention, deletion, and archiving policies

2.7.1 Data retention policies

2.7.2 Data deletion procedures and mechanisms

2.7.3 Data archiving procedures and mechanisms

2.7.4 Legal hold

2.8 Design and implement auditability, traceability, and accountability of data events

2.8.1 Definition of event sources and requirement of event attributes (e.g., identity, Internet Protocol (IP) address, geolocation)

2.8.2 Logging, storage, and analysis of data events

2.8.3 Chain of custody and non-repudiation

Domain 3 Cloud Platform and Infrastructure Security

3.1 Comprehend cloud infrastructure and platform components

3.1.1 Physical environment

3.1.2 Network and communications

3.1.3 Compute

3.1.4 Virtualization

3.1.5 Storage

3.1.6 Management plane

3.2 Design a secure data center

3.2.1 Logical design (e.g., tenant partitioning, access control)

3.2.2 Physical design (e.g., location, buy or build)

3.2.3 Environmental design (e.g., Heating, Ventilation, and Air Conditioning (HVAC), multi-vendor pathway connectivity)

3.2.4 Design resilient

3.3 Analyze risks associated with cloud infrastructure and platforms

3.3.1 Risk assessment (e.g., identification and analysis)

3.3.2 Cloud vulnerabilities, threats, and attacks

3.3.3 Risk mitigation strategies

3.4 Plan and implementation of security controls

3.4.1 Physical and environmental protection (e.g., on-premises)

3.4.2 System, storage, and communication protection

3.4.3 Identification, authentication, and authorization in cloud environments

3.4.4 Audit mechanisms (e.g., log collection, correlation, packet capture)

3.5 Plan business continuity (BC) and disaster recovery (DR)

3.5.1 Business Continuity/Disaster Recovery strategy

3.5.2 Business requirements (e.g., Recovery Time Objective (RTO), Recovery Point Objective (RPO), recovery service level)

3.5.3 Creation, implementation, and testing of plan

Domain 4 Cloud Application Security

4.1 Advocate training and awareness for application security

4.1.1 Cloud development basics

4.1.2 Common pitfalls

4.1.3 Common cloud vulnerabilities (e.g., Open Web Application Security Project (OWASP) Top-10, SANS Top-25)

4.2 Describe the Secure Software Development Lifecycle (SDLC) process

4.2.1 Business requirements

4.2.2 Phases and methodologies (e.g., design, code, test, maintain, waterfall vs. agile)

4.3 Apply the Secure Software Development Lifecycle (SDLC)

4.3.1 Cloud-specific risks

4.3.2 Threat modeling (e.g., Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE), Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability (DREAD), Architecture, Threats, Attack Surfaces, and Mitigations (ATASM), Process for Attack Simulation and Threat Analysis (PASTA))

4.3.3 Avoid common vulnerabilities during development

4.3.4 Secure coding (e.g., Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS), Software Assurance Forum for Excellence in Code (SAFECode))

4.3.5 Software configuration management and versioning

4.4 Apply cloud software assurance and validation

4.4.1 Functional and non-functional testing

4.4.2 Security testing methodologies (e.g., blackbox, whitebox, static, dynamic, Software Composition Analysis (SCA), interactive application security testing (IAST))

4.4.3 Quality assurance (QA)

4.4.4 Abuse case testing

4.5 Use verified secure software

4.5.1 Securing application programming interfaces (API)

4.5.2 Supply-chain management (e.g., vendor assessment)

4.5.3 Third-party software management (e.g., licensing)

4.5.4 Validated open-source software

4.6 Comprehend the specifics of cloud application architecture

4.6.1 Supplemental security components (e.g., web application firewall (WAF), Database Activity Monitoring (DAM), Extensible Markup Language (XML) firewalls, application programming interface (API) gateway)

4.6.2 Cryptography

4.6.3 Sandboxing

4.6.4 Application virtualization and orchestration (e.g., microservices, containers)

4.7 Design appropriate identity and access management (IAM) solutions

4.7.1 Federated identity

4.7.2 Identity providers (IdP)

4.7.3 Single Sign-On (SSO)

4.7.4 Multi-factor authentication (MFA)

4.7.5 Cloud Access Security Broker (CASB)

4.7.6 Secrets management

Domain 5 Cloud Security Operations

5.1 Build and implement physical and logical infrastructure for cloud environment

5.1.1 Hardware-specific security configuration requirements (e.g., hardware security module (HSM) and Trusted Platform Module (TPM))

5.1.2 Installation and configuration of management tools

5.1.3 Virtual hardware-specific security configuration requirements (e.g., network, storage, memory, Central Processing Unit (CPU), Hypervisor type 1 and 2)

5.1.4 Installation of guest operating system (OS) virtualization toolsets

5.2 Operate and maintain physical and logical infrastructure for cloud environment

5.2.1 Access controls for local and remote access (e.g., Remote Desktop Protocol (RDP), secure terminal access, Secure Shell (SSH), console-based access mechanisms, jumpboxes, virtual client)

5.2.2 Secure network configuration (e.g., virtual local area networks (VLAN), Transport Layer Security (TLS), Dynamic Host Configuration Protocol (DHCP), Domain Name System Security Extensions (DNSSEC), virtual private network (VPN))

5.2.3 Network security controls (e.g., firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, vulnerability assessments, network security groups, bastion host)

5.2.4 Operating system (OS) hardening through the application of baselines, monitoring, and remediation (e.g., Windows, Linux, VMware)

5.2.5 Patch management

5.2.6 Infrastructure as Code (IaC) strategy

5.2.7 Availability of clustered hosts (e.g., distributed resource scheduling, dynamic optimization, storage clusters, maintenance mode, high availability (HA))

5.2.8 Availability of guest operating system (OS)

5.2.9 Performance and capacity monitoring (e.g., network, compute, storage, response time)

5.2.10 Hardware monitoring (e.g., disk, central processing unit (CPU), fan speed, temperature)

5.2.11 Configuration of host and guest operating system (OS) backup and restore functions

5.2.12 Management plane (e.g., scheduling, orchestration, maintenance)

5.3 Implement operational controls and standards (e.g., Information Technology Infrastructure Library (ITIL), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1)

5.3.1 Change management

5.3.2 Continuity management

5.3.3 Information security management

5.3.4 Continual service improvement management

5.3.5 Incident management

5.3.6 Problem management

5.3.7 Release management

5.3.8 Deployment management

5.3.9 Configuration management

5.3.10 Service level management

5.3.11 Availability management

5.3.12 Capacity management

5.4 Support digital forensics

5.4.1 Forensic data collection methodologies

5.4.2 Evidence management

5.4.3 Collect, acquire, and preserve digital evidence

5.5 Manage communication with relevant parties

5.5.1 Vendors

5.5.2 Customers

5.5.3 Partners

5.5.4 Regulators

5.5.5 Other stakeholders

5.6 Manage security operations

5.6.1 Security Operations Center (SOC)

5.6.2 Monitoring of security controls (e.g., firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), honeypots, network security groups, artificial intelligence (AI))

5.6.3 Log capture and analysis (e.g., security information and event management (SIEM), log management)

5.6.4 Incident management

5.6.5 Vulnerability assessments

Domain 6 Legal, Risk, and Compliance

6.1 Articulate legal requirements and unique risks within the cloud environment

6.1.1 Conflicting international legislation

6.1.2 Evaluation of legal risks specific to cloud computing

6.1.3 Legal frameworks and guidelines

6.1.4 eDiscovery (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)

6.1.5 Forensics requirements

6.2 Understand privacy issues

6.2.1 Difference between contractual and regulated private data (e.g., protected health information (PHI), personally identifiable information (PII))

6.2.2 Country-specific legislation related to private data (e.g., protected health information (PHI), personally identifiable information (PII))

6.2.3 Jurisdictional differences in data privacy

6.2.4 Standard privacy requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR))

6.2.5 Privacy Impact Assessments (PIA)

6.3 Understand audit process, methodologies, and required adaptations for a cloud environment

6.3.1 Internal and external audit controls

6.3.2 Impact of audit requirements

6.3.3 Identify assurance challenges of virtualization and cloud

6.3.4 Types of audit reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Security Operations Center (SOC), International Standard on Assurance Engagements (ISAE))

6.3.5 Restrictions of audit scope statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))

6.3.6 Gap analysis (e.g., control analysis, baselines)

6.3.7 Audit planning

6.3.8 Internal information security management system

6.3.9 Internal information security controls system

6.3.10 Policies (e.g., organizational, functional, cloud computing)

6.3.11 Identification and involvement of relevant stakeholders

6.3.12 Specialized compliance requirements for highly-regulated industries (e.g., North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))

6.3.13 Impact of distributed information technology (IT) model (e.g., diverse geographical locations and crossing over legal jurisdictions)

6.4 Understand implications of cloud to enterprise risk management

6.4.1 Assess providers' risk management programs (e.g., controls, methodologies, policies, risk profile, risk appetite)

6.4.2 Difference between data owner/controller vs. data custodian/processor

6.4.3 Regulatory transparency requirements (e.g., breach notification, Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR))

6.4.4 Risk treatment (i.e., avoid, mitigate, transfer, share, acceptance)

6.4.5 Different risk frameworks

6.4.6 Metrics for risk management

6.4.7 Assessment of risk environment (e.g., service, vendor, infrastructure, business)

6.5 Understand outsourcing and cloud contract design

6.5.1 Business requirements (e.g., service level agreement (SLA), master service agreement (MSA), statement of work (SOW))

6.5.2 Vendor management (e.g., vendor assessments, vendor lock-in risks, vendor viability, escrow)

6.5.3 Contract management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data, cyber risk insurance)

6.5.4 Supply-chain management (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036)

Chapter 1 Domain 1: Cloud Concepts, Architecture, and Design

SUBDOMAINS:

1.1 Understand cloud computing concepts

1.2 Describe cloud reference architecture

1.3 Understand security concepts relevant to cloud computing

1.4 Understand design principles of cloud computing

1.5 Evaluate cloud service providers

Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthew's company. What cloud deployment model is being used?

Hybrid cloud

Public cloud

Private cloud

Community cloud

Zeke is responsible for sanitizing a set of solid-state drives (SSDs) removed from servers in his organization's datacenter. The drives will be reused on a different project. Which one of the following sanitization techniques would be most effective?

Cryptographic erasure

Physical destruction

Degaussing

Overwriting

Tina would like to use a technology that will allow her to bundle up workloads and easily move them between different operating systems. What technology would best meet this need?

Virtual machines

Serverless computing

Hypervisors

Containers

Under the cloud reference architecture, which one of the following activities is not generally part of the responsibilities of a customer?

Monitor services

Prepare systems

Perform business administration

Handle problem reports

Seth is helping his organization move their web server cluster to a cloud provider. The goal of this move is to provide the cluster with the ability to grow and shrink based on changing demand. What characteristic of cloud computing is Seth hoping to achieve?

Scalability

On-demand self service

Elasticity

Broad network access

Sherry is deploying a zero-trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?

User identity

IP address

Geolocation

Nature of requested access

Which one of the following hypervisor models is the most resistant to attack?

Type 1

Type 2

Type 3

Type 4

Joe is using a virtual server instance running on a public cloud provider and would like to restrict the ports on that server accessible from the internet. What security control would best allow him to meet this need?

Geofencing

Traffic inspection

Network firewall

Network security groups

Which one of the following cybersecurity threats is least likely to directly affect an object storage service?

Disk failure

User error

Ransomware

Virus

Vince would like to be immediately alerted whenever a user with access to a sensitive cloud service leaves a defined physical area. What type of security control should he implement?

Intrusion prevention system

Geofencing

Firewall rule

Geotagging

Which one of the following characteristics is not a component of the standard definition of cloud computing?

Broad network access

Rapid provisioning

Multitenancy

On-demand self service

Which one of the following sources provides a set of vendor-neutral design patterns for cloud security?

Cloud Security Alliance

Amazon Web Services

Microsoft

(ISC)²

Lori is using an API to access sensitive information stored in a cloud service. What cloud secure data lifecycle activity is Lori engaged in?

Store

Use

Destroy

Create

Helen would like to provision a disk volume in the cloud that is mountable from a server. What cloud capability does she want?

Virtualized server

Object storage

Network capacity

Block storage

Ben is using the sudo command to carry out operations on a Linux server. What type of access is he using?

Service access

Unauthorized access

User access

Privileged access

Which one of the following cryptographic goals protects against the risks posed when a device is lost or stolen?

Nonrepudiation

Authentication

Integrity

Confidentiality

Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?

Quantitative

Qualitative

Annualized loss expectancy

Single loss expectancy

Robert is reviewing a system that has been assigned the EAL2 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

It has been functionally tested.

It has been structurally tested.

It has been formally verified, designed, and tested.

It has been semi-formally designed and tested.

Jake would like to use a third-party platform to automatically move workloads between cloud service providers. What type of tool would best meet this need?

Cloud access service broker

Database

Virtualization

Orchestration

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions?

HIPAA

PCI DSS

SOX

GLBA

What type of effort attempts to bring all of an organization's cloud activities under more centralized control?

Cloud access service broker

Cloud orchestration

Cloud governance

Cloud migration

Chris is designing a cryptographic system for use within his company. The company has 1,000 employees, and they plan to use an asymmetric encryption system. They would like the system to be set up so that any pair of arbitrary users may communicate privately. How many total keys will they need?

500

1,000

2,000

4,950

Erin is concerned about the risk that a cloud provider used by her organization will fail, so she is creating a strategy that will combine resources from multiple public cloud providers. What term best describes this strategy?

Community cloud

Multicloud

Private cloud

Hybrid cloud

Which one of the following would normally be considered an application capability of a cloud service provider?

Network capacity

Hosted email

Block storage

Serverless computing

What activity are cloud providers able to engage in because not all users will access the full capacity of their service offering simultaneously?

Oversubscription

Overprovisioning

Underprovisioning

Undersubscription

Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own datacenter but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?

Public cloud

Dedicated cloud

Private cloud

Hybrid cloud

In an infrastructure as a service (IaaS) environment where a vendor supplies a customer with access to storage services, who is normally responsible for removing sensitive data from drives that are taken out of service?

Customer's security team

Customer's storage team

Customer's vendor management team

Vendor

Lucca is reviewing his organization's disaster recovery process data and notes that the MTD for the business's main website is two hours. What does he know about the RTO for the site when he does testing and validation?

It needs to be less than two hours.

It needs to be at least two hours.

The MTD is too short and needs to be longer.

The RTO is too short and needs to be longer.

Alice and Bob would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

When Bob receives an encrypted message from Alice, what key does he use to decrypt the plaintext message's contents?

Alice's public key

Alice's private key

Bob's public key

Bob's private key

Jen works for an organization that assists other companies in moving their operations from on-premises datacenters to the cloud. Jen's company does not operate their own cloud services but assists in the use of services offered by other organizations. What term best describes the role of Jen's company?

Cloud service customer

Cloud service partner

Cloud service provider

Cloud service broker

Carla is selecting a hardware security module (HSM) for use by her organization. She is employed by an agency of the U.S. federal government and must ensure that the technology she chooses meets applicable federal standards for cryptographic systems. What publication would best help her determine these requirements?

NIST 800-53

NIST 800-171

Common Criteria

FIPS 140-2

Ryan is reviewing the design of a new service that will use several offerings from a cloud service provider. The design depends on some unique features offered only by that provider. What should concern Ryan the most about the fact that these service features are not available from other providers?

Vendor lock-in

Interoperability

Auditability

Confidentiality

Colin is reviewing a system that has been assigned the EAL7 evaluation assurance level under the Common Criteria. What is the highest level of assurance that he may have about the system?

It has been functionally tested.

It has been methodically tested and checked.

It has been methodically designed, tested, and reviewed.

It has been formally verified, designed, and tested.

Which one of the following technologies provides the capability of creating a distributed, immutable ledger?

Quantum computing

Blockchain

Edge computing

Confidential computing

Which one of the following systems assurance processes provides an independent third-party evaluation of a system's controls that may be trusted by many different organizations?

Planning

Definition

Verification

Accreditation

Which one of the following would be considered an example of infrastructure as a service cloud computing?

Payroll system managed by a vendor and delivered over the web

Application platform managed by a vendor that runs customer code

Servers provisioned by customers on a vendor-managed virtualization platform

Web-based email service provided by a vendor

Which of the following is not a factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?

Pooled resources in the cloud

Shifting from IT investment as capital expenditures to operational expenditures

The time savings and efficiencies offered by the cloud service

Branding associated with which cloud provider might be selected

Barry has a temporary need for massive computing power and is planning to use virtual server instances from a cloud provider for a short period of time. What term best describes the characteristic of Barry's workload?

Quantum computing

Confidential computing

Ephemeral computing

Parallel computing

You are reviewing a service-level agreement (SLA) and find a provision that guarantees 99.99% uptime for a service you plan to use. What term best describes this type of provision?

Availability

Security

Privacy

Resiliency

Carlton is selecting a cloud environment for an application run by his organization. He needs an environment where he will have the most control over the application's performance. What service category would be best suited for his needs?

SaaS

FaaS

IaaS

PaaS

Gavin is looking for guidance on how his organization should approach the evaluation of cloud service providers. What ISO document can help him with this work?

ISO 27001

ISO 27701

ISO 27017

ISO 17789

Ed has a question about the applicability of PCI DSS requirements to his organization's credit card processing environment. What organization is the regulator in this case?

SEC

FDA

FTC

PCI SSC

Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What cloud service category includes this service?

SaaS

PaaS

IaaS

CaaS

Gordon is developing a business continuity plan for a manufacturing company's IT operations. The company is located in North Dakota and currently evaluating the risk of earthquake. They choose to pursue a risk acceptance strategy. Which one of the following actions is consistent with that strategy?

Purchasing earthquake insurance

Relocating the datacenter to a safer area

Documenting the decision-making process

Reengineering the facility to withstand the shock of an earthquake

Matthew is a data scientist looking to apply machine learning and artificial intelligence techniques in his organization. He is developing an application that will analyze a potential customer and develop an estimate of how likely it is that they will make a purchase. What type of analytic technique is he using?

Optimal analytics

Descriptive analytics

Prescriptive analytics

Predictive analytics

Which one of the following statements correctly describes resource pooling?

Resource pooling allows customers to add computing resources as needed.

Resource pooling allows the cloud provider to achieve economies of scale.

Resource pooling allows customers to remove computing resources as needed.

Resource pooling allows customers to provision resources without service provider interaction.

The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?

I

II

III

IV

Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?

Service-level agreement (SLA)

Operational-level agreement (OLA)

Memorandum of understanding (MOU)

Statement of work (SOW)

Bianca is preparing for her organization's move to a cloud computing environment. She is concerned that issues may arise during the change and would like to ensure that they can revert back to their on-premises environment in the case of a problem. What consideration is Bianca concerned about?

Reversibility

Portability

Regulatory

Resiliency

Which one of the following organizations is not known for producing cloud security guidance?

SANS Institute

FBI

Cloud Security Alliance

Microsoft

Vince is using a new cloud service provider and is charged for each CPU that he uses, every bit of data transferred over the network, and every GB of disk space allocated. What characteristic of cloud services does this describe?

Elasticity

On-demand self service

Scalability

Measured service

Who is responsible for performing scheduled maintenance of server operating systems in a PaaS environment?

The customer.

Both the customer and the service provider.

No operating system maintenance is necessary in a PaaS environment.

The service provider.

When considering a move from a traditional on-premises environment to the cloud, organizations often calculate a return on investment. Which one of the following factors should you expect to contribute the most to this calculation?

Utility costs

Licensing fees

Security expenses

Executive compensation

Devon is using an IaaS environment and would like to provision storage that will be used as a disk attached to a server instance. What type of storage should he use?

Archival storage

Block storage

Object storage

Database storage

During a system audit, Casey notices that the private key for her organization's web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?

Remove the key from the bucket.

Notify all customers that their data may have been exposed.

Request a new certificate using a new key.

Nothing, because the private key should be accessible for validation.

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose?

Tabletop exercise

Parallel test

Full interruption test

Checklist review

Mark is considering replacing his organization's customer relationship management (CRM) solution with a new product that is available in the cloud. This new solution is completely managed by the vendor, and Mark's company will not have to write any code or manage any physical resources. What type of cloud solution is Mark considering?

IaaS

CaaS

PaaS

SaaS

Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline?

They apply in all circumstances, allowing consistent security controls.

They are approved by industry standards bodies, preventing liability.

They provide a good starting point that can be tailored to organizational needs.

They ensure that systems are always in a secure state.

What approach to technology management integrates the three components of technology management shown in this illustration?

Agile

Lean

DevOps

ITIL

Stacey is configuring a PaaS service for use in her organization. She would like to get SSH access to the servers that will be executing her code and contacts the vendor to request this access. What response should she expect?

Immediate approval of the request.

Immediate denial of the request.

The vendor will likely request more information before granting the request.

The vendor will likely ask for executive-level approval of the request.

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?

Impact

RPO

MTO

Likelihood

Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs?

OpenID Connect

SAML

RADIUS

Kerberos

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?

Compliance with all laws and regulations

Handling information in the same manner the organization would

Elimination of all identified security risks

Compliance with the vendor's own policies

Fran's company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran's company considering?

SaaS

IaaS

CaaS

PaaS

Carl is deploying a set of video sensors that will be placed in remote locations as part of a research project. Due to connectivity limitations, he would like to perform as much image processing and computation as possible on the device itself before sending results back to the cloud for further analysis. What computing model would best meet his needs?

Serverless computing

Edge computing

IaaS computing

SaaS computing

Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?

HTML

XACML

SAML

SPML

Bert is considering the use of an infrastructure as a service cloud computing partner to provide virtual servers. Which one of the following would be a vendor responsibility in this scenario?

Maintaining the hypervisor

Managing operating system security settings

Maintaining the host firewall

Configuring server access control

Nuno's company is outsourcing its email system to a cloud service provider who will provide web-based email access to employees of Nuno's company. What cloud service category is being used?

PaaS

IaaS

SaaS

FaaS

What software development methodology is most closely linked to the DevSecOps approach?

Waterfall

Spiral

Agile

Modified waterfall

Bailey is concerned that users around her organization are using a variety of cloud services and would like to enforce security policies consistently across those services. What security control would be best suited for her needs?

DRM

IPS

CASB

DLP

Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm?

Configuring accessible network ports

Applying hypervisor updates

Patching operating systems

Wiping drives prior to disposal

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other's identity?

Public cloud

Private cloud

Community cloud

Shared cloud

Kristen wants to use multiple processing sites for her data, but does not want to pay for a full datacenter. Which of the following options would you recommend as her best option if she wants to be able to quickly migrate portions of her custom application environment to the facilities in multiple countries without having to wait to ship or acquire hardware?

A cloud PaaS vendor

A hosted datacenter provider

A cloud IaaS vendor

A datacenter vendor that provides rack, power, and remote hands services

Which one of the following statements about cloud networking is not correct?

Security groups are the equivalent of network firewall rules.

IaaS networking is not configurable.

PaaS and SaaS networking are managed by the cloud service provider.

Customers may connect to cloud service provider networks using a VPN.
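The incorrect statement above is that IaaS networking is not configurable: in IaaS the customer defines the virtual network and its security groups, which behave as stateful, allow-only firewall rules with an implicit default deny. The following is an added example (not from the book) that models that rule semantics and runs the check a reviewer applies to a customer's own groups: nothing administrative open to 0.0.0.0/0. The Rule shape is a constructed, AWS-style approximation rather than any provider's real API, and both sample groups are made up.

```python
"""Audit IaaS security-group rules the way a firewall reviewer would.

Added example, not from the book. The Rule shape is a constructed,
AWS-style approximation (protocol, port range, source CIDR), not any
provider's real API, and the sample groups below are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ports whose exposure to the whole internet a reviewer always flags.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp", or "-1" meaning all protocols (AWS encoding)
    from_port: int
    to_port: int
    cidr: str          # source range for an ingress rule

    def covers_port(self, port: int, proto: str) -> bool:
        if self.protocol == "-1":
            return True
        return self.protocol == proto and self.from_port <= port <= self.to_port

    def covers_source(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr)


def ingress_allowed(rules: Iterable[Rule], src_ip: str, port: int, proto: str = "tcp") -> bool:
    """Security groups are stateful allow-lists with an implicit default deny:
    a new inbound connection is admitted iff some rule matches. There are no
    deny rules and no rule ordering, unlike a classic firewall ACL."""
    return any(r.covers_port(port, proto) and r.covers_source(src_ip) for r in rules)


def risky_rules(rules: Iterable[Rule]) -> List[Tuple[Rule, str]]:
    """Flag rules that open admin ports, or all traffic, to every address (/0)."""
    findings: List[Tuple[Rule, str]] = []
    for r in rules:
        if ipaddress.ip_network(r.cidr).prefixlen != 0:
            continue                    # scoped source, not an internet exposure
        if r.protocol == "-1":
            findings.append((r, "all traffic open to the internet"))
            continue
        for port, name in ADMIN_PORTS.items():
            if r.covers_port(port, "tcp"):
                findings.append((r, f"{name} ({port}/tcp) open to the internet"))
    return findings


# Constructed sample: a web tier with the classic mistake of world-reachable SSH.
WEB_SG = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "0.0.0.0/0"),
    Rule("tcp", 5432, 5432, "10.0.0.0/8"),
]

# Same group after review: SSH restricted to a bastion/VPN range (constructed).
WEB_SG_FIXED = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "198.51.100.0/24"),
    Rule("tcp", 5432, 5432, "10.0.0.0/8"),
]

if __name__ == "__main__":
    for rule, reason in risky_rules(WEB_SG):
        print(f"{rule.cidr} {rule.protocol} {rule.from_port}-{rule.to_port}: {reason}")
    print("fixed group findings:", risky_rules(WEB_SG_FIXED))
```

Because a security group has no deny rules, tightening exposure means narrowing the source CIDR or removing the rule, not adding a block entry; the `prefixlen != 0` test also catches `::/0`, the IPv6 equivalent of "anywhere".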

Darcy's organization is deploying serverless computing technology to better meet the needs of developers and users. In a serverless model, who is normally responsible for configuring operating system security controls?

Software developer

Cybersecurity professional

Cloud architect

Vendor

What is the international standard that provides guidance for the creation of an organizational information security management system (ISMS)?

NIST SP 800-53

PCI DSS

ISO 27001

NIST SP 800-37

You are the security subject matter expert (SME) for an organization considering a transition from a traditional IT enterprise environment into a hosted cloud provider's datacenter. One of the challenges you're facing is whether your current applications in the on-premises environment will function properly with the provider's hosted systems and tools. This is a(n) ________________ issue.

Interoperability

Portability

Stability

Security

Mike is conducting a business impact assessment of his organization's potential move to the cloud. He is concerned about the ability to shift workloads between cloud vendors as needs change. What term best describes Mike's concern?

Resiliency

Regulatory

Reversibility

Portability

Which one of the following statements is correct?

Services that are scalable are also elastic.

There is no relationship between elasticity and scalability.

Services that are elastic are also scalable.

Services that are either elastic or scalable are both elastic and scalable.

From a customer perspective, all of the following are benefits of infrastructure as a service (IaaS) cloud services except ____________.

Reduced cost of ownership

Reduced energy costs

Metered usage

Reduced overhead of administering the operating system (OS) in the cloud environment

Encryption is an essential tool for affording security to cloud-based operations. While it is possible to encrypt every system, piece of data, and transaction that takes place on the cloud, why might that not be the optimum choice for an organization?

Key length variances don't provide any actual additional security.

It would cause additional processing overhead and time delay.

It might result in vendor lockout.

The data subjects might be upset by this.

__________ is an example of due care, and ___________ is an example of due diligence.

Privacy data security policy; auditing the controls dictated by the privacy data security policy

The European Union General Data Protection Regulation (GDPR); the Gramm–Leach–Bliley Act (GLBA)

Locks on doors; turnstiles

Perimeter defenses; internal defenses

Which one of the following is a critical component for confidential computing environments?

TEE

TPM

HSM

PKI

Which one of the following programs provides a general certification process for computing hardware that might be used in a government environment?

FedRAMP

NIST 800-53

Common Criteria

FIPS 140-2

In a Lightweight Directory Access Protocol (LDAP) environment, each entry in a directory server is identified by a ______________.

Domain name (DN)

Distinguished name (DN)
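A distinguished name is a comma-separated chain of relative distinguished names (RDNs), each an `attribute=value` pair, read from the most specific entry outward. The security-relevant detail is that commas, plus signs and a few other characters inside a value must be backslash-escaped (RFC 4514), otherwise user-supplied text can smuggle an extra RDN into a DN your code builds. The following parser and escaper is an added example, not from the book; the DNs, the `example` suffix and the helper names are constructed for illustration.

```python
"""Parse and safely build LDAP distinguished names (RFC 4514).

Added example, not from the book. DNs below are constructed; the escape
rules for specials, leading '#'/space, trailing space and \\XX hex pairs
follow RFC 4514 section 2.4.
"""
from typing import List, Tuple

RDN = Tuple[str, str]
_ESCAPABLE = set('"+,;<>\\ #=')   # characters a backslash may escape directly


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) RDNs, most specific first.

    Backslash escapes and \\XX hex pairs are honoured, so an escaped comma
    stays inside its value instead of starting a new RDN. Multi-valued RDNs
    ('+') are rejected to keep the example short.
    """
    if dn == "":
        return []                      # the root DSE has an empty DN
    rdns: List[RDN] = []
    attr = None
    buf = bytearray()                  # bytes, so \\C3\\A9 reassembles into one UTF-8 char
    i, n = 0, len(dn)

    def flush() -> None:
        nonlocal attr, buf
        if attr is None:
            raise ValueError("RDN without '='")
        rdns.append((attr, buf.decode("utf-8")))
        attr, buf = None, bytearray()

    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling escape at end of DN")
            nxt = dn[i + 1]
            if nxt in _ESCAPABLE:
                buf += nxt.encode("utf-8")
                i += 2
            else:
                try:
                    buf += bytes.fromhex(dn[i + 1:i + 3])
                except ValueError as exc:
                    raise ValueError(f"bad hex escape at offset {i}") from exc
                i += 3
        elif c == "=" and attr is None:
            attr = buf.decode("utf-8").strip().lower()
            buf = bytearray()
            i += 1
        elif c == ",":
            flush()
            i += 1
        elif c == "+":
            raise ValueError("multi-valued RDNs ('+') are not supported here")
        else:
            buf += c.encode("utf-8")
            i += 1
    flush()
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN."""
    out: List[str] = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in '"+,;<>\\' or (ch == "#" and idx == 0) or (ch == " " and idx in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[RDN]) -> str:
    """Assemble a DN from (attribute, value) pairs, escaping every value."""
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


def rdn_count_for_user(uid: str, safe: bool) -> int:
    """Why escaping matters: a uid of 'alice,ou=Admins' pasted into an
    f-string yields four RDNs, while build_dn keeps it as one value."""
    if safe:
        dn = build_dn([("uid", uid), ("ou", "People"), ("dc", "example")])
    else:
        dn = f"uid={uid},ou=People,dc=example"   # the injectable pattern
    return len(parse_dn(dn))


if __name__ == "__main__":
    print(parse_dn(r"cn=Smith\, Carl,ou=Research,dc=example,dc=com"))
    print(rdn_count_for_user("alice,ou=Admins", safe=False), rdn_count_for_user("alice,ou=Admins", safe=True))
```

The same escaping discipline applies to search filters, which have their own (RFC 4515) escape rules; never reuse a DN escaper for a filter or vice versa.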