Last Updated on March 20, 2022 by Admin 3
CCSP : Certified Cloud Security Professional (CCSP) : Part 06
Which if the following is NOT one of the three components of a federated identity system transaction?
- Relying party
- Identity provider
- Proxy relay
Which value refers to the amount of time it takes to recover operations in a BCDR situation to meet management’s objectives?
The recovery time objective (RTO) is a measure of the amount of time it would take to recover operations in the event of a disaster to the point where management’s objectives are met for BCDR.
Which of the cloud deployment models requires the cloud customer to be part of a specific group or organization in order to host cloud services within it?
A community cloud model is where customers that share a certain common bond or group membership come together to offer cloud services to their members, focused on common goals and interests.
What provides the information to an application to make decisions about the authorization level appropriate when granting access?
- Relying party
- Identity Provider
Upon successful user authentication, the identity provider gives information about the user to the relying party that it needs to make authorization decisions for granting access as well as the level of access needed.
What is a standard configuration and policy set that is applied to systems and virtual machines called?
The most common and efficient manner of securing operating systems is through the use of baselines. A baseline is a standardized and understood set of base configurations and settings. When a new system is built or a new virtual machine is established, baselines will be applied to a new image to ensure the base configuration meets organizational policy and regulatory requirements.
Which entity requires all collection and storing of data on their citizens to be done on hardware that resides within their borders?
- United States
Signed into law and effective starting on September 1, 2015, Russian Law 526-FZ establishes that any collecting, storing, or processing of personal information or data on Russian citizens must be done from systems and databases that are physically located with the Russian Federation.
Which of the cloud cross-cutting aspects relates to the ability to easily move services and applications between different cloud providers?
Portability is the ease with which a service or application can be moved between different cloud providers. Maintaining portability gives an organization great flexibility between cloud providers and the ability to shop for better deals or offerings.
Which type of audit report is considered a “restricted use” report for its intended audience?
- SOC Type 1
- SOC Type 2
SOC Type 1 reports are considered “restricted use” reports. They are intended for management and stakeholders of an organization, clients of the service organization, and auditors of the organization. They are not intended for release beyond those audiences.
What is the concept of segregating information or processes, within the same system or application, for security reasons?
Sandboxing involves segregating and isolating information or processes from others within the same system or application, typically for security concerns. This is generally used for data isolation (for example, keeping different communities and populations of users isolated from other similar data).
The European Union passed the first major regulation declaring data privacy to be a human right. In what year did it go into effect?
Adopted in 1995, Directive 95/46 EC establishes strong data protection and policy requirements, including the declaring of data privacy to be a human right. It establishes that an individual has the right to be notified when their personal data is being access or processed, that it only will ever be accessed for legitimate purposes, and that data will only be accessed to the exact extent it needs to be for the particular process or request.
Which of the following is NOT a key area for performance monitoring as far as an SLA is concerned?
An SLA requires performance monitoring of CPU, memory, storage, and networking. The number of users active on a system would not be part of an SLA specifically, other than in regard to the impact on the other four variables.
Which of the following is the MOST important requirement and guidance for testing during an audit?
During any audit, regulations are the most important factor and guidelines for what must be tested. Although the requirements from management, stakeholders, and shareholders are also important, regulations are not negotiable and pose the biggest risk to any organization for compliance failure.
Which value refers to the amount of data an organization would need to recover in the event of a BCDR situation in order to reach an acceptable level of operations?
The recovery point objective (RPO) is defined as the amount of data a company would need to maintain and recover in order to function at a level acceptable to management. This may or may not be a restoration to full operating capacity, depending on what management deems as crucial and essential.
What must SOAP rely on for security?
Simple Object Access Protocol (SOAP) uses Extensible Markup Language (XML) for passing data, and it must rely on the encryption of those data packages for security.
Which of the following is a commonly used tool for maintaining system configurations?
Puppet is a commonly used tool for maintaining system configurations based on policies, and done so from a centralized authority.
What type of data does data rights management (DRM) protect?
DRM applies to the protection of consumer media, such as music, publications, video, movies, and soon.
Which type of testing uses the same strategies and toolsets that hackers would use?
Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discovery potential vulnerabilities.
From a security perspective, which of the following is a major concern when evaluating possible BCDR solutions?
- Access provisioning
When a security professional is considering cloud solutions for BCDR, a top concern is the jurisdiction where the cloud systems are hosted. If the jurisdiction is different from where the production systems are hosted, they may be subjected to different regulations and controls, which would make a seamless BCDR solution far more difficult.
Which of the following is NOT a focus or consideration of an internal audit?
- Operational efficiency
In order to obtain and comply with certifications, independent external audits must be performed and satisfied. Although some testing of certification controls can be part of an internal audit, they will not satisfy requirements.
Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used?
Regardless of which cloud-hosting model is used, the cloud customer always has sole responsibility for the data and its security.