Last Updated on March 21, 2022 by Admin 3

CCSP : Certified Cloud Security Professional (CCSP) : Part 18

  1. Which of the following is a management role, versus a technical role, as it pertains to data management and oversight?

    • Data owner
    • Data processor
    • Database administrator
    • Data custodian

    Explanation: 
    Data owner is a management role that’s responsible for all aspects of how data is used and protected. The database administrator, data custodian, and data processor are all technical roles that involve the actual use and consumption of data, or the implementation of security controls and policies with the data.

  2. IRM solutions allow an organization to place different restrictions on data usage than would otherwise be possible through traditional security controls.

    Which of the following controls would be possible with IRM that would not with traditional security controls?

    • Copy
    • Read
    • Delete
    • Print
    Explanation: 
    Traditional security controls (file system or share permissions) cannot stop a user from printing something they are able to open and read, but IRM solutions, which attach usage policy to the document itself, can. Under traditional controls, read permission implies the ability to copy or print the file, and modify or write permission implies the ability to delete it, so copy, read, and delete are not restrictions unique to IRM.
  3. Which data protection strategy would be useful for a situation where the ability to remove sensitive data from a set is needed, but a requirement to retain the ability to map back to the original values is also present?

    • Masking
    • Tokenization
    • Encryption
    • Anonymization
    Explanation: 
    Tokenization involves the replacement of sensitive data fields with key or token values, which can ultimately be mapped back to the original, sensitive data values through a protected lookup (the token vault). Masking refers to the overall approach to covering sensitive data, and anonymization is a type of masking in which direct and indirect identifiers are removed from a data set to prevent the mapping back of data to an individual; neither is designed to be reversed. Encryption refers to the overall process of protecting data confidentiality with a cryptographic key (symmetric or asymmetric) and is reversible by anyone holding the key, which is why tokenization is preferred where the substitute value must carry no information about the original.
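The difference between the three strategies is easiest to see in code. The following is an added example, not code from the original page: a constructed in-memory token vault that shows the "map back" property of tokenization next to a masking function and an anonymization function that cannot be reversed. The `tok_` prefix, the field names, and the card numbers are illustrative assumptions.

```python
import re
import secrets


class TokenVault:
    """Constructed tokenization vault (example code, not from the original page).

    A production vault keeps the token-to-value map in a hardened, access-controlled
    store; here it is an in-memory dict so the example runs stand-alone.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a value already seen so joins across records keep working.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # The token is random, not derived from the value, so it carries no
            # information about the original; the only way back is the vault lookup.
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # The vault is the trust boundary: only callers allowed to reach it can map back.
        return self._token_to_value[token]  # KeyError for an unknown token


def mask_pan(pan: str) -> str:
    """Masking: keep the last four digits, replace everything else with '*'.

    There is no mapping table; the original number cannot be recovered.
    """
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def anonymize_record(record: dict, indirect_ids=("zip", "birth_year")) -> dict:
    """Anonymization: drop indirect identifiers so the record cannot be re-linked.

    The field names treated as indirect identifiers are an assumption for this example.
    """
    return {k: v for k, v in record.items() if k not in indirect_ids}
```

A practitioner would note that the vault, not the token format, is what needs protecting: anyone who can call `detokenize` has the data, so access to that function belongs behind the same controls as the sensitive data itself.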
  4. A comprehensive BCDR plan will encapsulate many or most of the traditional concerns of operating a system in any data center.

    However, what is one consideration that is often overlooked with the formulation of a BCDR plan?

    • Availability of staff
    • Capacity at the BCDR site
    • Restoration of services
    • Change management processes
    Explanation: 
    BCDR planning tends to focus so much on the failing over of services in the case of a disaster that recovery back to primary hosting after the disaster is often overlooked. In many instances, this can be just as complex a process as failing over, if not more so. Availability of staff, capacity at the BCDR site, and change management processes are typically integral to BCDR plans and are common components of them.
  5. Which of the following is NOT one of the components of multifactor authentication?

    • Something the user knows
    • Something the user has
    • Something the user sends
    • Something the user is
    Explanation: 
    Multifactor authentication combines factors from at least two of three categories: something the user knows (such as a password or PIN), something the user has (such as a hardware token or smart card), and something the user is (a biometric such as a fingerprint or retina pattern). “Something the user sends” is not a factor category.
  6. Above and beyond general regulations for data privacy and protection, certain types of data are subjected to more rigorous regulations and oversight.

    Which of the following is not a regulatory framework for more sensitive or specialized data?

    • FIPS 140-2
    • FedRAMP
    • PCI DSS
    • HIPAA
    Explanation: 
    The FIPS 140-2 standard pertains to the validation of cryptographic modules (it has since been superseded by FIPS 140-3) and is not a regulatory framework for a class of data. The Payment Card Industry Data Security Standard (PCI DSS), the Federal Risk and Authorization Management Program (FedRAMP), and the Health Insurance Portability and Accountability Act (HIPAA) are all regulatory frameworks for sensitive or specialized data.
  7. Which data sanitation method is also commonly referred to as “zeroing”?

    • Overwriting
    • Nullification
    • Blanking
    • Deleting
    Explanation: 
    The zeroing of data, that is, writing zeros (or other null or arbitrary values) across the storage so that deleted data cannot be recovered, is officially referred to as overwriting. Nullification, deleting, and blanking are provided as distractor terms. Overwriting is only reliable where the writes actually land on the same physical locations as the original data; on flash media with wear leveling, or in cloud storage where the customer cannot address physical blocks, cryptographic erasure (destroying the key under which the data was encrypted) is the practical alternative.
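An added example of zeroing at the file level, not code from the original page: it overwrites every byte of a file in place with 0x00, forces the write to disk, and then reads the file back to verify that nothing non-zero remains, which is the step most ad-hoc "wipe" scripts skip. The secret content is constructed for the demonstration; the caveat above still applies, since a successful read-back verification says nothing about blocks a flash controller or copy-on-write file system may have remapped.

```python
import os
import tempfile


def overwrite_file_with_zeros(path: str, chunk: int = 1 << 16) -> bool:
    """Overwrite every byte of `path` in place with 0x00, flush to disk, then
    read it back and return True only if no non-zero byte remains and the size
    is unchanged. Example code for illustration, not from the original page.
    """
    size = os.path.getsize(path)
    zeros = bytes(chunk)
    with open(path, "r+b") as f:  # r+b keeps the existing size; wb would truncate first
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(zeros[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the overwrite past the OS page cache to the device
    # Verification pass: a block containing any non-zero byte means the overwrite failed.
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            if block.count(0) != len(block):
                return False
    return os.path.getsize(path) == size


def demo() -> dict:
    """Create a temporary file holding a constructed secret, zero it, and report."""
    secret = b"constructed secret: api_key=EXAMPLE-NOT-REAL\n" * 3000  # larger than one chunk
    fd, path = tempfile.mkstemp()
    os.close(fd)  # reopened by path below with the flags we need
    try:
        with open(path, "wb") as f:
            f.write(secret)
        size_before = os.path.getsize(path)
        zeroed = overwrite_file_with_zeros(path)
        with open(path, "rb") as f:
            leftover = f.read().count(b"api_key")
        return {"size": size_before, "zeroed": zeroed, "secret_strings_left": leftover}
    finally:
        os.remove(path)  # unlink only after the contents are gone, not before
```

The order matters: the file is unlinked only after the overwrite and verification, because deleting first would leave the original blocks intact and unreachable from the path.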
  8. What is the concept of isolating an application from the underlying operating system for testing purposes?

    • Abstracting
    • Application virtualization
    • Hosting
    • Sandboxing
    Explanation: 
    Application virtualization is a software implementation that allows applications and programs to run in an isolated environment rather than directly interacting with the operating system. Sandboxing refers to segregating information or processes for security or testing purposes, but it’s not directly related to isolation from the underlying operating system. Abstracting sounds similar to the correct term but is not pertinent to the question, and hosting is provided as an erroneous answer.
  9. Which of the following could be used as a second component of multifactor authentication if a user has an RSA token?

    • Access card
    • USB thumb drive
    • Retina scan
    • RFID
    Explanation: 
    A retina scan could be used in conjunction with an RSA token because it is a biometric factor, and thus a different type of factor. An access card, RFID, and USB thumb drive are all items in possession of a user, the same as an RSA token, and as such would not be appropriate.
  10. Which of the following is NOT one of the official risk rating categories?

    • Critical
    • Low
    • Catastrophic
    • Minimal
    Explanation: 
    The official categories of cloud risk ratings are Minimal, Low, Moderate, High, and Critical.
  11. SOC Type 1 reports are considered “restricted use,” in that they are intended only for limited audiences and purposes.

    Which of the following is NOT a population that would be appropriate for a SOC Type 1 report?

    • Current clients
    • Auditors
    • Potential clients
    • The service organization
    Explanation: 
    Potential clients are not an intended audience. SOC 1 and SOC 2 reports, whether Type 1 (controls as described at a point in time) or Type 2 (controls tested over a period), are restricted-use reports meant only for the service organization itself, its current clients (user entities), and their auditors. A SOC 3 report is the general-use report and is the one appropriate for sharing with potential clients.
  12. Having a reservation in a cloud environment can ensure operations continue in the event of high utilization across the cloud.

    Which of the following would NOT be a capability covered by reservations?

    • Performing business operations
    • Starting virtual machines
    • Running applications
    • Auto-scaling
    Explanation:
    A reservation will not guarantee auto-scaling is available because it involves the allocation of additional resources beyond what a cloud customer already has provisioned. Reservations will guarantee minimal resources are available to start virtual machines, run applications, and perform normal business operations.
  13. What must SOAP rely on for security since it does not provide security as a built-in capability?

    • Encryption
    • Tokenization
    • TLS
    • SSL
    Explanation: 
    Simple Object Access Protocol (SOAP) uses Extensible Markup Language (XML) for data passing, and it must rely on the encryption of those data packages for security. TLS and SSL (before SSL was deprecated) represent two common approaches to using encryption for protection of data transmissions, but they are only two possible options and do not capture the overall concept the question is looking for. Tokenization, which involves the replacement of sensitive data with opaque values, would not be appropriate for use with SOAP because the actual data is needed by the services.
  14. With a federated identity system, what does the identity provider send information to after a successful authentication?

    • Relying party
    • Service originator
    • Service relay
    Explanation:
    Upon successful authentication, the identity provider sends an assertion with appropriate attributes to the relying party to grant access and assign appropriate roles to the user. The other terms provided are similar sounding to the correct term but are not actual components of a federated system.
  15. Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner?

    • KVM
    • HTTPS
    • VPN
    • TLS
    Explanation: 
    A keyboard-video-mouse (KVM) system is commonly used for directly accessing server consoles in a data center. It is not a method available to a cloud customer, primarily because of the use of virtualized systems, but also because only the cloud provider’s staff would be allowed the physical access to hardware that a KVM provides; the customer-facing equivalent is a provider’s browser-based or serial console, reached over HTTPS. Hypertext Transfer Protocol Secure (HTTPS), virtual private network (VPN), and Transport Layer Security (TLS) are all technologies and protocols that are widely used with cloud implementations for secure access to systems and services.
  16. Which component of ITIL involves handling anything that can impact services for either internal or public users?

    • Incident management
    • Deployment management
    • Problem management
    • Change management
    Explanation: 
    Incident management is focused on limiting the impact of disruptions to an organization’s services or operations, as well as returning them to full operational status as soon as possible. Problem management is focused on identifying the root causes of incidents and addressing known deficiencies so that incidents do not recur. Deployment management is a subcomponent of change management and is where the actual code or configuration change is put into place. Change management involves the processes and procedures that allow an organization to make changes to its IT systems and services in a controlled manner.
  17. Which protocol, as a part of TLS, handles the actual secure communications and transmission of data?

    • Negotiation
    • Handshake
    • Transfer
    • Record
    Explanation: 
    The TLS record protocol is the actual secure communications method for transmitting data; it fragments application data into records and is responsible for encrypting and authenticating each record throughout its transmission between the parties. Older TLS versions could also compress records, but TLS compression is disabled in practice because of the CRIME attack and was removed entirely in TLS 1.3. The TLS handshake protocol is what negotiates and establishes the TLS connection between two parties and enables the secure communications channel to then handle data transmissions. Negotiation and transfer are not protocols under TLS.
  18. Which of the following terms is NOT a commonly used category of risk acceptance?

    • Moderate
    • Critical
    • Minimal
    • Accepted
    Explanation: 
    Accepted is not a risk acceptance category. The risk acceptance categories are minimal, low, moderate, high, and critical.
  19. Many activities within a cloud environment are performed via programmatic means, where complex and distributed operations are handled without the need to perform each step individually.

    Which of the following concepts does this describe?

    • Orchestration
    • Provisioning
    • Automation
    • Allocation
    Explanation: 
    Orchestration is the programmatic means of managing and coordinating activities within a cloud environment and allowing for a commensurate level of automation and self-service. Provisioning, allocation, and automation are all components of orchestration, but none refers to the overall concept.
  20. Being in a cloud environment, cloud customers lose a lot of insight and knowledge as to how their data is stored and their systems are deployed.

    Which concept from the ISO/IEC cloud standards relates to the necessity of the cloud provider to inform the cloud customer on these issues?

    • Disclosure
    • Transparency
    • Openness
    • Documentation
    Explanation:
    Transparency is the official process by which a cloud provider discloses insight and information into its configurations or operations to the appropriate audiences. Disclosure, openness, and documentation are all terms that sound similar to the correct answer, but none of them is the correct term in this case.