CCSP Questions

The document contains a series of multiple-choice questions related to cloud computing security, standards, and practices. It covers topics such as common threats, data management methods, hypervisor types, and regulatory requirements. Each question is accompanied by answer options and the correct responses indicated.

| Question | Type (multiple choice or multi-select) | Answer Option 1 | Answer Option 2 | Answer Option 3 | Answer Option 4 | Correct Response |
|---|---|---|---|---|---|---|
| Which of the following are common threats facing cloud computing platforms? (Choose two.) | multiple-choice | Denial of service | Cryptographic hashing | Data breaches | Phishing attacks | 1,3 |
| Which of the following standards is commonly applied to cloud computing security? | multi-select | ISO/IEC 27001:2010 | ISO/IEC 27003:2013 | ISO/IEC 27013:2000 | ISO/IEC 27001:2013 | 4 |
| Which of the following methods is commonly used to ensure that data removed from a cloud system is not recoverable? | multiple-choice | Deletion | Degaussing | Overwriting | Shredding | 3 |
| Which type of hypervisor is a software implementation that runs on top of an operating system rather than tied to the hardware? | multiple-choice | Type 1 | Type 2 | Type 3 | Type 4 | 2 |
| Which component of the NIST Cloud Technology Roadmap pertains to the minimum requirements between the cloud provider and cloud customer to meet contractual satisfaction? | multi-select | SLAs | Regulatory requirements | Governance | Auditability | 1 |
| Which of the following is a unique benefit of a private cloud versus other models? | | Scalability | Right-sizing | Disaster recovery | Ownership retention | 4 |
| Which of the following characteristics of cloud computing would be most beneficial to a company when looking to save money? | | On-demand self-service | Measured service | Resource pooling | Rapid elasticity | 2 |
| What feature of IaaS would be MOST attractive to a new company starting up with limited capital? | | Scalability | Physical hardware costs | Physical security | High availability | 2 |
| Which common threat, which a customer could be totally unaware of at the time, could lead to a direct financial cost without loss of reputation or privacy exposure? | | Data breaches | Malicious insiders | Denial of service | Insufficient due diligence | 3 |
| What certification would be most appropriate to use for financial statement auditing? | | NIST SP 800-53 | FIPS 140-2 | ISO/IEC 27001 | SOC 1, SOC 2, and SOC 3 | 4 |
| Which component of the NIST Cloud Computing Roadmap pertains to the ability for an application or system to split up applications and be able to reuse components? | | Portability | Interoperability | Auditability | Availability | 2 |
| Which would make it least likely for a cloud customer to easily move to another cloud provider? | | Data lock-in | Operating systems | Patching cycles | Insecure APIs | 1 |
| Which cloud hosting model would be the most appropriate for a company looking to leverage multiple cloud providers for disaster recovery or load bursts? | | Public cloud | Community cloud | Private cloud | Hybrid cloud | 4 |
| Which concept would be most important to consider for data security while it is being used by an application? | | Malicious insiders | Data in transit | Data at rest | Denial of service | 2 |
| Which phase of the cloud data lifecycle typically occurs immediately after or simultaneous with the Create phase? | | Use | Share | Store | Consume | 3 |
| Which of the following is NOT a type of storage used within a cloud environment? | | Structured | Volume | Container | Object | 3 |
| Which of the following is NOT part of the CCM domains? | | Environmental resources | Human resources | Threat and vulnerability management | Mobile security | 1 |
| Which of the following logs could be exposed to a cloud customer in a Software as a Service environment, if the contract allows it? | | Billing records | Network captures | Operating system logs | Management plane logs | 1 |
| Which of the following storage types are used in a Platform as a Service model? | | Volume and object | Structured and unstructured | Content and database | Volume and labeled | 2 |
Explanation (Knowledge Area)

Denial-of-service attacks are used to overwhelm system resources with traffic or malformed requests with the intent to block legitimate and authorized users. Denial of service and data breaches are the appropriate answers. (Knowledge Area: Background)

ISO/IEC 27001:2013 is commonly applied to cloud computing security as a standard and certification system for promoting and continually improving upon the security applied to a system or application. The other certifications listed are not relevant or are fabricated numbers included for example purposes only. (Knowledge Area: Background)

Overwriting is a common method used for ensuring removed data is no longer accessible in a cloud environment by replacing valid and sensitive data with random data, null values, or repeating data so that it cannot be read. Simple deleting only removes pointers to data and not the data itself, and degaussing and shredding are physical media destruction techniques that would not be available within a cloud environment. (Knowledge Area: Background)

Type 2 is the type of hypervisor that is hosted on top of an operating system as a software package, rather than connected directly to the underlying physical hardware like a Type 1 hypervisor would be. Type 3 and 4 hypervisors do not exist and were simply included for example.

SLAs are the criteria to meet minimum requirements for contractual satisfaction between the cloud provider and customer. They document specific requirements and metrics that are required and how they will be measured, as well as methods for remedy should they not be met. Regulatory requirements do not dictate specific performance metrics. Auditability refers to the broad aspects of auditing, the systems and environments subjected to full audits, and the ease with which they can be done.

Ownership retention is a unique benefit of the private cloud model, where the cloud customer could potentially have significantly more input and control over the deployed hardware and how it is managed, versus a public cloud model where customers have very little input or leverage, and even if they do, the SLA would be the vehicle for it. Scalability is a feature of all cloud models and is not specific to the private cloud model. Right-sizing is synonymous with scalability and elasticity. Disaster recovery is a concept that applies to any type of hosting, including traditional data centers, and is not specific to the private cloud model.

While all aspects will save an organization money, measured service, where you are only paying for what you consume, when you consume it, would in most cases be the most attractive option. With a traditional data center, a system must be built to handle peak load, leaving a lot of excess resources at most times. On-demand self-service refers to the mechanism for the provisioning of resources directly and is not itself a way to save money. Resource pooling refers to the overall aggregation of resources between all tenants of a cloud environment and their allocation to meet demand. Rapid elasticity is the concept that enables a cloud customer to add resources when needed, but is not an explicit cost-saving mechanism.

Physical hardware costs would be most beneficial to a new company starting out with limited capital, because IaaS would remove the need for a large upfront investment in data center expenses. A startup would only need to pay for the resources that they need when they need them, and not for systems and environments capable of handling very high loads, especially those only necessary for peak times or cycles, and would not incur the larger costs. Physical security and high-availability systems are not universal offerings.

A denial-of-service attack could lead to direct financial costs that a customer must essentially be exposed to, because the pricing model within cloud computing is measured against the resources consumed. With elasticity and auto-scaling, resources can be scaled up and added when needed, and the customer would not be immediately aware of the costs.

SOC 1, SOC 2, and SOC 3 specifically pertain to financial statement auditing. The NIST SP 800-53 publication pertains to the security and privacy controls framework for federal government IT systems within the United States, and is not an auditing framework. FIPS 140-2, while also from the United States federal government, is a set of standards and accreditation for cryptographic modules, not a security framework. ISO/IEC 27001 is a general certification and standards publication that incorporates major IT security requirements and is aligned with some organizations, but is not specific to auditing.

Interoperability refers to the ability to split applications up and reuse components throughout systems and environments. Portability refers to the ability to easily move systems and applications between different cloud providers. Auditability refers to the ability to audit controls and practices.

Data lock-in would make it very difficult for a customer to easily move to another cloud provider, as they would be dependent on proprietary offerings that they are utilizing from the cloud provider. Operating systems would not be an impediment, as any public cloud would offer the same operating systems, and patching cycles would not span between multiple cloud providers. Insecure APIs are a risk in any cloud environment and, if anything, would be a reason for the customer to leave, not a dependency factor.

A hybrid cloud would give the most flexibility for moving between different cloud hosting models, incorporating both public and private clouds as well as PaaS and SaaS offerings. Only a hybrid cloud spans multiple different cloud providers; a community cloud is similar organizations together and not necessarily multiple cloud providers.

Data in transit concerns the data at the moment it is being used or exchanged by an application. Data at rest would not be the immediate risk or factor when data is actually being used or transmitted. Malicious insiders and denial of service are both risks, but are not specific to the data question; denial of service is focused on availability.

The Store phase typically occurs as part of the Create phase, or immediately thereafter. The Use and Share phases occur after the data has been created and stored in some manner, and Consuming is not an actual phase of the data lifecycle.

Container storage is not a type of storage used in a cloud environment. Both volume and object storage types are used within Infrastructure as a Service, and structured storage is used as part of a Platform as a Service offering.

Environmental resources is not a domain under the CCM. The other three options, human resources, threat and vulnerability management, and mobile security, are all actual domains explicitly named in the CCM.

Billing records would most likely be available in a Software as a Service offering if allowed or required by the contract. The other choices, management plane logs, network captures, and operating system logs, would all be solely accessible and used by the cloud provider in a SaaS environment, as none of the systems that generate those logs falls under the responsibility or

Structured and unstructured storage types are used in the Platform as a Service model. The volume and object storage types are used within the Infrastructure as a Service model. The other two options, content and database, and volume and labeled, are not used as a pair with any cloud service category.
| Question | Answer Option 1 | Answer Option 2 | Answer Option 3 | Answer Option 4 | Correct Response |
|---|---|---|---|---|---|
| Where would the DLP solution be located for data-in-use monitoring? | On the application server | On the user’s device | On the network boundary | Integrated with the database server | 2 |
| Which of the following data destruction methods would be available in a public cloud model? | Degaussing | Shredding | Encryption | Recycling | 3 |
| Which of the following is NOT a feature of an SIEM solution? | Monitoring | Aggregation | Alerting | Dashboards | 1 |
| Which of the following is NOT a key component of a data archiving strategy? | Format | Technologies | Testing | Size | 4 |
| Which of the following laws in the United States governs the protection of health data? | SOX | HIPAA | Dodd–Frank | ACA | 2 |
| Which of the following is the sole responsibility of the cloud customer in a PaaS environment? | Physical | Data | Infrastructure | Platform | 2 |
| Which of the following is NOT a key feature of an IRM solution? | Expiration | Policy control | Chain of custody | Auditing | 3 |
| Encryption that is part of a database and not noticeable by the user is called what? | Transparent | Embedded | Passive | Active | 1 |
| What are the three methods of data discovery? | Metadata, labels, content analysis | Metadata, categories, content analysis | Categories, labels, structure | Volumes, labels, metadata | 1 |
| Which cloud model gives responsibility for the physical environment to the cloud customer? | IaaS | PaaS | SaaS | None of the above | 4 |
| Which of the following involves replacing data in a data set with random values that can then be mapped back to the actual data via a separate index? | Anonymization | Tokenization | Encryption | Obfuscation | 2 |
| Which of the following is the correct order for the steps of a BCDR strategy? | Define, Analyze, Design, Assess Risk, Test, Implement | Define, Assess Risk, Design, Implement, Test | Define, Analyze, Assess Risk, Design, Test, Implement | Define, Analyze, Assess Risk, Design, Implement, Test | 4 |
| What is some entity called that takes the response from the identity provider to allow access to an application? | Relaying party | Relying party | Relaying system | Relying system | 2 |
| Which of the following storage methods provides a key value to call a file rather than a directory tree structure? | Volume | Structured | Object | Unstructured | 3 |
| Which of the following concepts provides evidence that an entity is in fact who they claim to be? | Authentication | Authorization | Federation | Identification | 1 |
| Which of the following would be the LEAST beneficial reason to consider a cloud platform as a BCDR solution? | Metered service costs | Hardware ownership | Broad network access | Virtual host replication | 2 |
| Which concept involves the prioritization of virtual hosts getting system resources when a cloud is experiencing high utilization and might not be able to serve all hosts? | Reservations | Limits | Shares | Quotas | 3 |
| Which of the following is the MOST important factor in defining the controls used to test an audit? | Regulations | Policies | Laws | All of the above | 4 |
| What do reservations define within a cloud environment? | Maximum level of resources available on different platforms | Guaranteed minimum level of resources | Maximum level of resources available for a small number of virtual hosts | A reserved level of resources held for another customer | 2 |
| What is the MAIN objective of software-defined networking (SDN)? | Make networking resources available for allocation to all customers | Separate the filtering and management of network traffic from the transport | Allow software to create a pool of network resources | Use of scripts for network allocation and configuration changes | 2 |
| What is a major security risk with Type 2 hypervisors that does not exist with Type 1 hypervisors? | Slower networking | Proprietary platform | Reliance on dependent release | Runs on top of another operating system | 4 |
| What is the main method for doing patching in a cloud environment? | Scripts | Host operating system | Reimaging | Customers | 3 |
| Apart from annual testing, when would it be MOST crucial for a BCDR plan to undergo additional testing? | During security patching | During major configuration changes | When new staff is hired | During emergency load spikes | 2 |
| What type of storage is the MOST likely to be used for virtual images? | Structured | Unstructured | Volume | Object | 4 |
| Which of the following issues would be the GREATEST concern from a regulatory standpoint of using a cloud provider for a BCDR location? | Location of stored data | Scalability | Self-service | Interoperability | 1 |
| Which of the following relates to the acceptable duration of recovery for a BCDR solution? | RPO | RSL | RDO | RTO | 4 |
| What are the two components to a federated identity system? | Service provider and relying party | LDAP and web server | Identity provider and relying party | Identity provider and password store | 3 |
On the user’s device is the correct choice for data-in-use monitoring. Integrated with the database server would provide coverage for data at rest, while on the network boundary would provide coverage for data in transit. On the application server is also not appropriate, as the actual use of data would not occur there in the sense of system monitoring.

Encryption is a data destruction method available in a public cloud model. Cryptographic erasure, in which the encryption keys are deleted as a means to protect and destroy data, is a software process that is always available in any environment. Degaussing, shredding, and recycling are all physically destructive methods that would not be available within a public cloud environment.

Monitoring is not a feature of an SIEM solution. SIEM solutions work by aggregating data, which is then used for alerting on specific conditions and viewing of data through dashboards. Dashboards are also a common feature of SIEM solutions, as well as reporting and alerting, being focused on the immediate delivery of security outputs to users and management.

The size of archives is not a key component of a data archiving strategy. The main driving components of a data archiving strategy deal with the format of the archives, the technologies used with the archiving, and the ongoing and successful testing of restoration abilities.

HIPAA governs the protection of healthcare-related data. While the ACA is related to healthcare as well, it is focused on the healthcare enclave and health insurance coverage, not the specific security and privacy concerns with the data. SOX is focused on financial systems and the security controls and reporting necessary for them, while Dodd–Frank is focused on corporate reforms and consumer protection.

Data is the sole responsibility of the cloud customer in all cloud hosting environments. Physical security is certainly always the responsibility of the cloud provider. With PaaS, the cloud provider is also responsible for both the infrastructure and platform aspects.

Chain of custody is not part of an IRM solution, as it is central to eDiscovery and other legal mechanisms. With an IRM solution, the concepts of expiration, policy control, and auditing of acceptable and authorized use are the key components.

Transparent encryption is part of the database and not known to the user; it is integrated with the actual database processes and works as part of the ongoing workflow. The other choices, embedded, passive, and active, are general IT terms not applicable to this specific question.

Metadata, labels, and content analysis are the three methods of data discovery. Metadata is looking at all the “data on data” aspects, such as the creator, timestamps, software used, column headers, field names, etc. Labels are subjective and applied to the data by systems or staff members, and are only as good as they are consistently and correctly applied. Content analysis involves making subjective determinations about the data from the actual content of it, either through technological or personnel efforts.

None of them gives responsibility for physical security to the cloud customer. In all cloud hosting environments, the cloud provider has sole responsibility for the physical infrastructure and the security of it.

Tokenization is the mapping of random values to the actual data via a separate index. Anonymization and obfuscation also involve replacing sensitive data fields with random or opaque data, but the replacing of data is not done in a way that it can be mapped back to the actual data fields as with tokenization. Encryption is the protection of the confidentiality of sensitive data by altering the actual contents of the data.

Define, Analyze, Assess Risk, Design, Implement, Test are in the correct order; the other options are all incorrect.

The relying party takes the authentication tokens from the identity provider and then grants access and authorization based on its own business rules. The other terms and items listed are not applicable in this instance.

Object storage is a flat storage system that resides on external services, and references storage items based on a key value rather than a traditional file system of organizational structure. Volume storage is a traditional file system that contains directory structures and hierarchical paths and filenames that are specific for access within an application. Structured storage is used with Platform as a Service and is typically a database, and unstructured storage is also used with Platform as a Service and relates to data that does not fit within a predefined structure, such as web files or media objects.

Authentication provides proof of the identification of an entity to an acceptable degree of certainty based on policy or regulation. Authorization, done after successful authentication, is the process of granting a user access to data or functions within an application and is based on the role or needs of the user. Federation is an authentication system that uses external identity providers to perform authentication with tokens for users, without requiring the user to create an account with the actual application. Identification is part of and relates directly to the authentication process.

Hardware ownership would be the least beneficial reason because a cloud customer does not own the hardware; the cloud provider does. Metered service costs are a major benefit for using a cloud provider for BCDR, as the cloud customer would only pay for services when they are needed, unlike a traditional BCDR methodology like a secondary data center that involves idle hardware sitting and consuming power. Virtual host replication is also a major benefit for cloud customers, as it enables the entire cloud environment to be mirrored to a secondary location. Broad network access would also be highly beneficial for BCDR, as the ability to access the environment from anywhere on the Internet in case of a disaster would have major bearing on specific personnel.

Shares does the prioritization and weighting within a cloud environment that sets the order for applications or customers to receive additional resources when requested. Those with a higher number will receive resources first, and those with a lower number will receive resources later, or not at all. Reservations are a guaranteed minimum level of resources, and limits are the maximum level of resources that can be consumed. Quotas are used in some concepts to mean the same thing as a limit, but “limit” is the preferred terminology.

All of the above are crucial for a security audit. Regulations, policies, and laws are absolutes and require specific testing and validation, and none can be bypassed during a security audit.

Reservations refer to setting aside resources for a cloud customer that will be available and guaranteed as a minimum level of resources, even if they cannot obtain any additional ones. Reservations are also a major benefit for the cloud customer, as they will be guaranteed resources regardless of the allocation to other customers. Limits are the upper bounds of resources that are set on any level (host, application, or customer) and constrain the amount of resources that can be allocated and consumed without impacting other customers.

The main objective of SDN is to separate the filtering and administration of network traffic from the actual transport of network traffic. This allows for network management to be performed from portals or API calls, rather than by networking specialists. The toolsets used can modify network configuration and routing without having to update or change the configuration on a host-by-host basis, and security can also play into the overall design and capabilities.

Running on top of another operating system is also a major security risk for Type 2 hypervisors. This makes the hypervisor potentially subjected to any security exploits or issues the underlying operating system may have, as opposed to Type 1 hypervisors that are tied directly to the actual hardware and, as such, do not rely on an external software package.

Patching in a cloud environment is typically performed by reimaging hosts from their baseline image, rather than the traditional deploying of patches across all virtual machines. This allows for consistent and uniform patches and proper testing and validation of each image, and the system images also receive all changes applied in the same structure.

Major configuration changes represent a significant shift in an environment, and proper testing would also be needed in order to ensure that BCDR implementations are still valid and work as intended. The other choices are minor changes that would not require new comprehensive testing.

Object storage is the most likely type of storage used for virtual images. Object storage resides externally from specific systems and references objects by a key value, which is ideal for system images, rather than what volume storage would offer. Structured and unstructured would not be appropriate choices as they are geared toward Platform as a Service and are not appropriate for storing system images.

Location of stored data would be the most important concern from a regulatory standpoint, due to different jurisdictions and their requirements. The other choices are technological concepts offered by the cloud that would not have any bearing on specific regulatory requirements.

RTO, or recovery time objective, relates to the acceptable time for restoration of services. The other answer choices are acronyms that are either random or not applicable here.

The identity provider and relying party are the two components of a federated identity system, with the identity provider handling authentication and providing information about the user, and the relying party accepting the authentication token and then granting access to some or all parts of an application. The other
Which of the following security devices Firewall XML Sandbox WAF 4
would enable
Which type of atesting
systemwouldto filter
NOToutbeattacks RASP accelerator
Pen SAST DAST 1
such asofSQL
performed
Which the injection
against
followinganbefore
couldthey
NOTreach
application that
be used RSA token Retina scan Challenge- Fingerprint 3
does
in
thea application
Which multifactor
not
of contain authentication
self-protection
the following
servers? would be system
the MOST APIs Operating Programming
response with Programming 1
capabilities?
along
important
Which with
is thereason
a password?
mostto commonly
have the used Oauth systems
SAML personal
libraries
OpenID languages
WS 2
development
assertion
Which of the
methodfollowing
and with
production
federated
is NOTsystems
partidentity
of the
in Cross-site Weak questions
Injection Cross-site 2
the same
systems?
OWASP
With Top
cloud
a single 10 list?
environment?
sign-on system, what is Tokens
request Masks
password Certificates scripting
Credentials 1
passedof
Which between
the following
systems is the
to verify
only data
the forgery
YAML requirements
SAML JSON XML 4
If you are
user’s
format running application
authentication?
(stem of this row continues from rows not in this section) ... supported by SOAP?

Q. What does the S in the STRIDE model refer to?
   1) Spoofing  2) Security  3) Sensitive  4) SAML   Correct: 1

Q. Who would NOT be included for the initial requirements gathering for a software development project?
   1) Management  2) Users  3) Developers  4) Security   Correct: 3

Q. If you are running tests against a system where you have knowledge of and access to the code, which type of test are you running?
   1) Dynamic  2) Static  3) Hybrid  4) Open   Correct: 2

Q. What is the first step in the process of creating a baseline image?
   1) Patch the operating system to the latest level  2) Update all software and utilities on the image  3) Perform a clean install with a base operating system  4) Disable nonessential services   Correct: 3

Q. Which networking concept allows for segregation and isolation of systems in a cloud environment?
   1) VLAN  2) WAN  3) LAN  4) PLAN   Correct: 1

Q. What is the MOST important security reason for centralizing log collection?
   1) Minimize storage needs on hosts  2) Prevent log manipulation or deletion on a host  3) Encrypt logs that contain sensitive information  4) Immediate response for requests   Correct: 2

Q. What type of application allows for centralized log searching and reporting?
   1) LSRT  2) SIEM  3) SAMS  4) CLSR   Correct: 2

Q. Which of the following concepts is focused on preventing potential issues from occurring within a system or process?
   1) Incident management  2) Continuity management  3) Availability management  4) Problem management   Correct: 4

Q. What is the order for the four components of a risk management process?
   1) Framing, monitoring, assessing, responding  2) Responding, assessing, framing, monitoring  3) (reads identically to option 1 in the extraction; the distinguishing word order is not recoverable)  4) (reads identically to option 2 in the extraction)   Correct: 3

Q. (stem not recoverable from the extraction; per its explanation, the question asks for the name of the Microsoft tool for patching Windows systems)
   1) WUSU  2) MPMT  3) MSPT  4) WSUS   Correct: 4

Q. What does the acronym SLE stand for?
   1) Server loss exception  2) System loss expectancy  3) Single loss expectancy  4) System load emergency   Correct: 3

Q. To automatically detect and block attacks against systems, which type of device would you employ?
   1) IDS  2) NIDS  3) HIPS  4) IPS   Correct: 4

Q. What are the four possible responses to risk?
   1) Accept, avoid, transfer, mitigate  2) Deflect, avoid, transfer, ignore  3) Avoid, insure, remediate, nullify  4) Accept, deflect, ignore, cancel   Correct: 4 as extracted; the explanation for this question identifies option 1 (accept, avoid, transfer, mitigate), which is the correct set.

Q. Who has responsibility for forensic collection of data in an IaaS implementation?
   1) Cloud provider  2) Cloud customer  3) Cloud broker  4) Cloud administrator   Correct: 1

Q. Risk transfer is often equated to what type of service?
   1) Banking  2) Policing  3) Insurance  4) Inspection   Correct: 3

Q. Which of the following is NOT part of the management plan for operations of a cloud environment?
   1) Orchestration  2) Maintenance  3) Planning  4) Scheduling   Correct: 3

Q. Which of the following is concerned with ensuring enough resources are available to meet SLA requirements?
   1) Capacity management  2) Allocation management  3) Availability management  4) System management   Correct: 1

Q. Which type of assessment is based on observations and documentation rather than data and numbers?
   1) Quantitative  2) Cursory  3) Documentary  4) Qualitative   Correct: 4

Q. Your organization has just been served with an eDiscovery order. Because the organization has moved to a cloud environment, what is the biggest challenge [stem cut off in the source]
   1) Virtualization  2) Data discovery  3) Multitenancy  4) Resource pooling   Correct: 2
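The SLE and risk-response rows above are usually answered by rote; the arithmetic behind them is short enough to show. The following Python is an added worked example (not part of the question bank): it computes SLE = AV x EF and ALE = SLE x ARO for a constructed asset and then applies the cost test that separates "accept" from "mitigate". The asset value, exposure factor, ARO and control costs are constructed for illustration.

```python
"""Quantitative risk figures behind the SLE question and the four risk responses.
Added worked example; the asset figures and control costs below are constructed
for illustration and are not taken from the question bank."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # AV: asset value in dollars
    exposure_factor: float  # EF: fraction of AV lost in one successful exploit (0..1)
    aro: float              # ARO: expected successful exploits per year


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV x EF: dollars lost each time the exploit succeeds."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset.value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: expected dollars lost per year."""
    return single_loss_expectancy(asset) * asset.aro


def recommend_response(asset: Asset, control_annual_cost: float,
                       aro_reduction: float) -> str:
    """Return 'mitigate' only when the control removes more ALE than it costs per
    year; otherwise 'accept'.  Transfer (insurance) and avoid are policy decisions
    outside this cost test.  aro_reduction is the fraction of the ARO the control
    is expected to remove."""
    if not 0.0 <= aro_reduction <= 1.0:
        raise ValueError("aro_reduction must be a fraction between 0 and 1")
    ale_before = annualized_loss_expectancy(asset)
    ale_after = ale_before * (1.0 - aro_reduction)
    return "mitigate" if (ale_before - ale_after) > control_annual_cost else "accept"


# Constructed sample: a $1M customer database, a quarter of its value lost per
# breach, one successful breach expected every five years.
CUSTOMER_DB = Asset(name="customer-db", value=1_000_000, exposure_factor=0.25, aro=0.2)

if __name__ == "__main__":
    print("SLE:", single_loss_expectancy(CUSTOMER_DB))
    print("ALE:", annualized_loss_expectancy(CUSTOMER_DB))
    print("control at $30k/yr:", recommend_response(CUSTOMER_DB, 30_000, 0.9))
    print("control at $60k/yr:", recommend_response(CUSTOMER_DB, 60_000, 0.9))
```

A control that removes 90% of a $50,000 ALE saves $45,000 a year, so it is worth buying at $30,000 but not at $60,000; that is the "cost of mitigation exceeds the cost of the risk" condition for accepting risk, in numbers.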
A WAF (web application firewall) sits in front of an application and has the capability to analyze and apply policies to incoming traffic and transactions based on their content. A very common use for a WAF is to detect and block common security threats such as injection attacks or cross-site scripting attacks. A firewall is used to deny or allow network traffic based solely on the source, destination, and port of the packets; it does not perform analysis of the packets or have the ability to inspect them for content. An XML accelerator only performs XML processing on behalf of applications, offloading that work from the application server; it is not a mitigating control for general security policies. A sandbox is merely a segregated and isolated system configuration and does not relate to network traffic or analysis of it.

Runtime application self-protection (RASP) would only be performed against systems that contain self-protection capabilities. These systems have the ability to tune and refocus their security protections and controls based upon the actual attacks and methods being used against them in real time. Pen (penetration) testing, static application security testing (SAST), and dynamic application security testing (DAST) are all tests performed against systems, applications, or environments and do not fall under self-protection capabilities.

A personal response challenge falls under the same category as a password, which is something the user knows, so it could not be used as part of a multifactor authentication system if the password was the other factor. The RSA token could be used along with a password, as it constitutes something that is in the possession of the user rather than something known. A retina scan or fingerprint also could be used, as they constitute a biometric factor.

APIs can differ greatly between cloud providers and, depending on how the applications are built or implemented, may make them difficult to seamlessly move from one environment to another.

Unless there is a specific reason not to use the same cloud environment for development projects and production, separating them out only adds complexity and potential problems.

Weak password requirements are not part of the OWASP Top 10. There is not a specific item in regard to password policies or requirements, though they would fall under some of the other topics as potential problems. The other choices, cross-site request forgery, injection, and cross-site scripting, are all specific threats listed.

Tokens have the ability to be passed between systems, which enables the relying parties or service providers to verify back to the identity provider that a user has been authenticated, as well as to obtain information about the user to determine authorizations and roles within the application. Credentials are never passed with a federated system: they are passed solely between the user and the identity provider, with only tokens being used after that. Certificates are typically used for encrypted connections in general, but are not passed as part of the primary functions of a federated identity system.

SAML is the most commonly used method for assertions within federated identity systems. WS is another protocol that was developed by a group of companies for use within their own development projects, but it is not as widely or openly used as SAML. OpenID and OAuth are two other methods used with federated identity systems, but they are not as widely used and are not as universal for federated systems as SAML.

SOAP supports only XML as the encoding for data transfer. JSON is used for data exchange between applications but is not part of SOAP. YAML is a data serialization format used with scripting languages such as Perl and Python.

Static tests are done with knowledge of the system configurations, programming languages, libraries, source code, and system configuration, and are easily done with toolsets that are widely available from different cloud providers as well as the open source community. This enables testers to perform comprehensive analyses (such as scans of source code) and thus an evaluation of the coding level and security mechanisms in place that would not be possible from external tests without such knowledge. Tests can be directed at the specific protocols and technologies used, rather than applying general tests or having to discover what is being used. On the other end of the spectrum, dynamic testing is done without knowledge of the systems or code, and the testers must use tools and methods to discover anything about the environment and use that in their security evaluations.

The S in STRIDE stands for "spoofing identity." This involves a user being able to assume the identity of, or make a system believe they are, another user, and thus being able to use that user's level of authorization to access functions or data that they are not authorized for themselves. The other answers are incorrect.

Developers would not be part of requirements gathering, as their role does not begin until the project scope and requirements are defined and ready for them to translate design requirements and technology decisions into executable code. Management, users, and security staffers are always crucial to design decisions and project requirements at all stages.

When creating a new baseline image, you always want to start with a clean operating system install. This allows configuration settings to be applied from the bottom up, without the possibility of other changes from previous images impacting the new image, and without having to clean up an old image and remember to reset everything to the original. Once a new operating system install has been done, all nonessential services are disabled, extraneous software removed, patching brought to the latest level, updated software and utilities installed, and security configuration requirements set.

A VLAN allows for network isolation in a cloud environment by establishing virtual network segments, with their own IP space and firewall settings, that are segregated from other network segments. Wide area network (WAN) and local area network (LAN) are both network terms that apply to networks as a whole, not to segments within a network. PLAN is an extraneous acronym to the question.

Preventing log manipulation or deletion on a host is a main reason for centralized log collection. This enables separation of duties as well, where the security team and auditors can have access to the aggregated logs, and the system administrators have access to the actual systems, but not to each other's. Although minimizing storage on systems and allowing more aggressive log rotation and cleanup are benefits of a SIEM solution, they are not a main reason for it or a security-focused benefit. Encryption of log files can be done at any level if needed or desired, though, in general, sensitive information should not be written to log files. A SIEM solution may assist with eDiscovery orders, but that would depend on the scope of the order and is not a primary reason for a SIEM solution.

A security information and event management (SIEM) solution allows for centralized searching and reporting of log files and any other event data that has been collected and aggregated into it. The other acronyms are extraneous to the question.

Problem management is focused on preventing issues from occurring within a system or process, in a proactive manner. Incident management is focused on the response to actual incidents or events, and the mitigation of problems after they have occurred, in a reactionary manner. Continuity management is focused on the resiliency of an application or the restoration of services after an unexpected outage or event, and availability management is focused on meeting SLA requirements for performance and availability of systems.

Framing, monitoring, assessing, and responding are, as this explanation was extracted, the four components of the risk management process, in that order. The other choices contain components that are not part of the risk management process. Practitioner's note: NIST SP 800-39, the source of these four components, orders them frame, assess, respond, monitor, with monitoring as the continuous final activity.

Windows Server Update Services (WSUS) is the name of the Microsoft tool for performing patches on a Windows system. The other acronyms are extraneous.

SLE stands for single loss expectancy, which is the difference in the value of an asset from before a successful exploit to after one has occurred. It is calculated by multiplying the value of an asset in dollars by the exposure factor, the percentage of the asset's value that is lost in a single successful exploit.

An intrusion prevention system (IPS) is used to detect and automatically block attacks against a system, as opposed to an intrusion detection system (IDS), which is designed to detect and alert on potential attacks. The other options are specific types of device: a HIPS is a host-based IPS, and a NIDS is a network-based IDS.

Accept, avoid, transfer, and mitigate are the four possible responses to risk (this is option 1 of the question; the key as extracted reads 4). Accept is when an organization decides that the cost of mitigation exceeds the cost of the risk and decides to leave the risk in place. Avoid is when an organization takes steps to keep an exploit from happening at all, such as placing technologies like network devices to block traffic before it reaches an application or system rather than applying fixes to the application itself. Transfer is when an organization gets a different party to accept liability for a successful exploit, most commonly in the form of insurance. Mitigate is when an organization fixes the actual exploit so that it cannot occur. The other options are not the correct four risk responses.

Since a cloud provider controls the physical and underlying systems within a cloud environment and is the only party that has full administrative access to everything, they are responsible for forensic data collection within the environment. Expectations and requirements should be established within the contract between the cloud customer and cloud provider to govern the collection and the timeline to do so.

The transfer of risk is when an organization has another entity assume the liability for the impact of a successful exploit. The most common example of this kind of transfer is through the use of insurance to cover any losses.

The three main building blocks of the management plan for cloud operations are orchestration, maintenance, and scheduling. Planning would occur within the system design, and thus is not part of the actual management plan for cloud operations.

Capacity management is concerned with ensuring that sufficient resources are available to meet the needs of cloud customers throughout the environment, as in the established SLAs. Availability management is ensuring that systems and services are available and accessible when needed by users. System management is concerned with the overall management of IT systems and assets within an environment. Allocation management is not one of the principles of ITIL.

A qualitative assessment is based on a review of documentation, system design, policies, etc. It is not based on hard numbers or data in the way that a quantitative assessment is. Cursory and documentary are not types of assessment.

B. Data discovery in a cloud environment encounters significant challenges due to the distributed nature of cloud computing. A primary concern with eDiscovery is determining all of the applicable data and locating it for collection and preservation. Within a cloud environment, locating the data and ensuring [text cut off in the source]
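The explanation of federated tokens above makes a claim worth seeing concretely: the relying party never receives the user's password, only a signed assertion it can verify. The following Python is an added illustration of that flow, not code from the question bank or from any SAML implementation. Assumptions: an HMAC-SHA256 signature over a JSON claims body stands in for a SAML assertion's XML signature, and the signing key is shared with the relying party (a real identity provider signs with a private key and publishes the verification certificate); the user store and key are constructed.

```python
"""Federated sign-on with signed tokens in place of shared credentials.
Added illustration of the identity-provider / relying-party exchange; HMAC over
JSON stands in for a SAML assertion's XML signature.  Key and users are
constructed for the example."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

IDP_SIGNING_KEY = b"constructed-idp-signing-key"                      # constructed
IDP_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # constructed user store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def idp_authenticate(username: str, password: str, audience: str,
                     now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
    """Identity provider side: the password is checked here and goes no further.
    On success a signed assertion (claims body + signature) is issued for one audience."""
    now = time.time() if now is None else now
    stored = IDP_USERS.get(username)
    presented = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None
    claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
              "roles": ["reader"], "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def rp_verify(token: str, expected_audience: str,
              now: Optional[float] = None) -> Optional[dict]:
    """Relying party side: accepts the assertion only after checking the IdP
    signature, the audience and the expiry.  It never sees the password."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):   # verify before parsing the body
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience or now >= claims.get("exp", 0):
        return None
    return claims


if __name__ == "__main__":
    token = idp_authenticate("alice", "correct horse", "app.example")
    print(rp_verify(token, "app.example"))   # claims for alice
    print(rp_verify(token, "other.example"))  # None: wrong audience
```

The audience check matters as much as the signature: an assertion issued for one service must not be replayable against another, which is why the relying party compares `aud` with its own identifier rather than trusting any validly signed token.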
Q1. Your organization is considering a move to a cloud environment and is looking for certifications or audit reports from cloud providers to ensure adequate security controls and processes. Which of the following is NOT a security certification or audit report that would be pertinent?
   1) FedRAMP  2) PCI DSS  3) FIPS 140-2  4) SOC Type 2   Correct: 3

Q2. You are developing a new process for data discovery for your organization and are charged with ensuring that all applicable data is included. Which of the following is NOT one of the three methods of data discovery?
   1) Metadata  2) Content  3) Labels  4) Classification   Correct: 4

Q3. Management has requested that security testing be done against their live cloud-based applications, with the testers not having internal knowledge of the system. Not attempting to actually breach systems or inject data is also a top requirement. Which of the following would be the appropriate approach to take?
   1) Static analysis  2) Penetration testing  3) Runtime  4) Dynamic   Correct: 4

Q4. Which of the following cloud categories would allow for the LEAST amount of customization by the cloud customer?
   1) IaaS  2) SaaS  3) PaaS  4) DaaS   Correct: 2

Q5. Which phase of the risk management process involves an organization deciding how to mitigate risk that is discovered during the course of an audit?
   1) Assessing  2) Framing  3) Responding  4) Monitoring   Correct: 3

Q6. During the testing phase of the SDLC, which of the following is NOT included as a core activity of testing?
   1) User testing  2) Stakeholder testing  3) Vulnerability scanning  4) Auditing   Correct: 4

Q7. You have decided to use SOAP as the protocol for exchanging information between services for your application. Which of the following is the only data format that can be used with SOAP?
   1) SAML  2) OAuth  3) XML  4) HTML   Correct: 3

Q8. A cloud provider is looking to provide a higher level of assurance to current and potential cloud customers about the design and effectiveness of their security controls. Which of the following audit reports would the cloud provider choose as the most appropriate to accomplish this goal?
   1) SAS-70  2) SOC 1  3) SOC 2  4) SOC 3   Correct: 4

Q9. At which stage of the software development lifecycle is the most appropriate place to begin the involvement of security?
   1) Requirements gathering  2) Design  3) Testing  4) Development   Correct: 1

Q10. Which of the following is NOT one of the main considerations with data archiving?
   1) Format  2) Regulatory requirements  3) Testing  4) Encryption   Correct: 4

Q11. While an audit is being conducted, which of the following could cause management and the auditors to change the original plan in order to continue with the audit?
   1) Cost overruns  2) Impact on systems  3) Regulatory changes  4) Software version changes   Correct: 2

Q12. Which of the following threat models has elevation of privilege as one of its key components or concerns?
   1) DREAD  2) STRIDE  3) HIPAA  4) SOX   Correct: 2

Q13. What type of risk assessment is based on a documentation review and making informed judgment calls about risk from operational procedures and system designs?
   1) Computation  2) Quantitative  3) Qualitative  4) Cursory   Correct: 3

Q14. With a SOC 2 auditing report, which of the following principles must always be included?
   1) Security  2) Processing integrity  3) Privacy  4) Availability   Correct: 1

Q15. Which of the following must always be used to isolate test systems from production systems within a cloud environment for development or testing purposes?
   1) Sandboxing  2) Application virtualization  3) Firewalling  4) Puppet   Correct: 1

Q16. Which of the following is NOT an aspect of static application security testing (SAST)?
   1) Access to source code  2) Offline system  3) Knowledge of system configurations  4) Live system   Correct: 4

Q17. Which of the following are the four cloud deployment models?
   1) Public, private, hybrid, and community  2) Public, private, internal, and hybrid  3) Internal, external, hybrid, and community  4) Public, private, hybrid, and organizational   Correct: 1

Q18. Which of the following is NOT a core component of an SIEM solution?
   1) Correlation  2) Aggregation  3) Compliance  4) Escalation   Correct: 4

Q19. Which of the following threat types is the MOST difficult for an organization to defend against and detect?
   1) Data loss  2) Malicious insiders  3) Insecure APIs  4) Account hijacking   Correct: 2

Q20. Which of the following storage types are used with Infrastructure as a Service (IaaS)?
   1) Structured and unstructured  2) File and database  3) Object and volume  4) Block and striped   Correct: 3

Q21. Which of the following data-sanitation approaches are always available within a cloud environment?
   1) Physical destruction  2) Shredding  3) Overwriting  4) Cryptographic erasure   Correct: 4

Q22. Which of the following technologies will often make elasticity a bigger challenge in a cloud environment?
   1) IPS  2) XML accelerator  3) Vulnerability scanner  4) Web application firewall   Correct: 1

Q23. Which of the following concepts involves the ability of cloud customers to easily move services from one cloud provider to another?
   1) Interoperability  2) Portability  3) Multitenancy  4) Measured service   Correct: 2

Q24. What does the S stand for in the STRIDE threat model?
   1) Secure  2) Structured  3) Standard  4) Spoofing   Correct: 4

Q25. Which of the following is NOT a major concern with encryption systems?
   1) Integrity  2) Confidentiality  3) Efficiency  4) Key management   Correct: 1

Q26. Which of the following types of data is the United States' HIPAA regulations concerned with?
   1) Financial  2) Historical  3) Healthcare  4) Hybrid cloud   Correct: 3

Q27. Which of the following in a federated environment is responsible for consuming authentication tokens?
   1) Relying party  2) Identity provider  3) Cloud services broker  4) Authentication provider   Correct: 1

Q28. Which phase of the cloud data lifecycle involves processing by a user or application?
   1) Create  2) Share  3) Store  4) Use   Correct: 4

Q29. Which of the following is NOT a state of data that is important for security and encryption?
   1) Data in use  2) Data in transit  3) Data at rest  4) Data in archive   Correct: 4

Q30. Which of the following is a standard and certification for cryptographic modules?
   1) FIPS 199  2) FIPS 140  3) FIPS 201  4) FIPS 153   Correct: 2

Q31. The use of which of the following technologies will NOT require the dependency of an operating system, other than its own?
   1) Management plane  2) Type 1 hypervisor  3) Type 2 hypervisor  4) Virtual machine   Correct: 2
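The data discovery question above names the three discovery methods (metadata, content, labels); classification is what you do with the results. As an added example, not part of the question bank, the following Python runs all three methods over constructed sample records: column names stand in for metadata, existing markings for labels, and content analysis combines a pattern match with a Luhn checksum so that a 16-digit number is only reported as a payment card number when it is a plausible one. The record set, column list and patterns are constructed for the example.

```python
"""Three methods of data discovery (metadata, labels, content) over constructed
sample records.  Added example, not from the question bank; the records, the
sensitive-column list and the patterns are illustrative."""
import re

# Constructed sample records: each carries metadata (column names), labels
# (existing classification markings) and raw content.
SAMPLE_RECORDS = [
    {"name": "orders.csv", "columns": ["order_id", "card_number", "amount"],
     "labels": [], "content": "1001,4111111111111111,19.99\n1002,4111111111111112,5.00"},
    {"name": "memo.txt", "columns": [], "labels": ["PUBLIC"],
     "content": "Lunch menu for Friday."},
    {"name": "hr.txt", "columns": [], "labels": ["CONFIDENTIAL"],
     "content": "SSN 123-45-6789 on file"},
]

SENSITIVE_COLUMNS = {"card_number", "pan", "ssn", "dob"}      # metadata hints (constructed)
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")                 # 13..19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(record: dict) -> set:
    """Return the discovery findings for one record as 'method:finding' strings."""
    findings = set()
    # 1. Metadata: field/column names that indicate sensitive content.
    if SENSITIVE_COLUMNS & {c.lower() for c in record["columns"]}:
        findings.add("metadata:sensitive-column")
    # 2. Labels: markings already applied by the organisation.
    for label in record["labels"]:
        findings.add(f"label:{label}")
    # 3. Content analysis: pattern match confirmed by checksum where one exists.
    for match in PAN_RE.finditer(record["content"]):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.add("content:pan")
    if SSN_RE.search(record["content"]):
        findings.add("content:ssn")
    return findings


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], sorted(discover(rec)))
```

The second card number in orders.csv fails the Luhn check and is not reported, which is the kind of false-positive control a content-based scanner needs before its output feeds classification.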
Q1. C. FIPS 140-2 is a security standard from the United States federal government that pertains to the accreditation of cryptographic modules. While this is important to security processes and controls, it is not a certification or audit report that pertains to overall security controls, policies, or operations. A is incorrect because the Federal Risk and Authorization Management Program (FedRAMP) is a program under the U.S. government for ensuring adequate security policies, practices, and configurations when using cloud-based resources and services; it offers certifications for federal agencies to use for their systems and provides guidance on the requirements established by regulatory standards. B is incorrect because the Payment Card Industry Data Security Standard (PCI DSS) is an industry security standard for organizations that handle credit card transactions, with requirements for all vendors and systems that use or process credit cards. D is incorrect because SOC 2 auditing reports, built on the five principles of security, processing integrity, privacy, availability, and confidentiality, are exactly the kind of audit report a cloud customer would request.

Q2. D. Classification is the overall process of using certain attributes about data and then applying appropriate security controls to that data. Classification is applied after data discovery has been completed, and it pertains not only to security controls but also to policies and operations. A is incorrect because metadata is essentially data about data: it contains information about the data such as its type, how it is stored, how it is organized, how it was created, or how it is used, and can also include headers in a data format that is typically machine readable, such as column or field names in a database or a spreadsheet. B and C are incorrect because content analysis and labels are, together with metadata, the three methods of data discovery.

Q3. D. Dynamic application security testing is done against a system or application in its actual runtime state, where the testers do not have specific knowledge about the configurations or technologies employed on it. Unlike static application security testing, dynamic testing must discover all the interfaces and paths to test, but unlike penetration testing, it does not attempt to actively exploit vulnerabilities that could cause system outages, impact to users, or damage to the system or data. A is incorrect because static application security testing is done against offline systems, where the testers have extensive knowledge about the application and its configuration. B is incorrect because penetration testing actively attempts to exploit vulnerabilities, which management has ruled out. C is incorrect because runtime application self-protection is performed by the system itself, by disabling or blocking access to certain functions or interfaces.

Q4. B. Software as a Service allows the least amount of customization by the cloud customer. With the entire system or application under the control of the cloud provider, the cloud customer will essentially only have minimal options for customization, typically limited to branding or the selection of default options or settings. A is incorrect because Infrastructure as a Service allows the most possible customization by the cloud customer: although the cloud provider is solely responsible for the physical infrastructure and appliances, the cloud customer has extensive control over everything built on top of them. C is incorrect because Platform as a Service, while not allowing the same extensive control as IaaS, still gives the cloud customer tremendous control over the application environment, including the programming languages, libraries, and development toolsets used.

Q5. C. Responding is the stage of the risk management process where an organization will determine, based on the exact nature of the risk finding as well as the potential costs and efforts involved with mitigation, which is the appropriate direction to take. The organization may decide to accept the risk "as is," which is typically an option when the finding is a low or moderate classification and exposure; they can opt to avoid the risk by employing countermeasures or changes in operations so that the risk is never realized; they can transfer the risk to another entity, typically in the form of insurance; or, lastly, they can decide to mitigate the risk through fixes and changes to the application or system. A is incorrect because assessing is the stage in which the risk is identified and evaluated; B is incorrect because framing establishes the context and scope of the risk management process; D is incorrect because monitoring is the ongoing tracking of risk after a response has been put in place.

Q6. D. Auditing is not a core activity of the testing phase of the SDLC; it is performed against operational systems. User testing involves having actual users of the application exercise it to see if it performs as expected and desired; stakeholder testing and vulnerability scanning are likewise core activities of the testing phase.

Q7. C. The SOAP protocol uses only XML as the data format for exchanging information. XML was created to be both machine and human readable. It is a free, open standard for encoding documents and data, and it is extremely flexible, so it can handle any type of data formatting, which makes it ideal for web services. A is incorrect because SAML is a standard for federated identity that is built on XML; it is not itself a general data format. B is incorrect because OAuth is an authentication and authorization mechanism commonly used to let someone log in to a service with an account they already hold with a provider such as Google, Facebook, or Twitter. D is incorrect because HTML is a format for the display of data, not the exchange format used by SOAP.

Q8. D. SOC 3 reports are specifically designed for general use and public consumption, which makes them the appropriate report for a cloud provider to offer to current and potential customers. A is incorrect because SAS-70 reports have largely been phased out and replaced by SOC reports. B is incorrect because SOC 1 reports are concerned with financial controls. C is incorrect because SOC 2 reports, although built on the five principles of security, processing integrity, privacy, availability, and confidentiality and covering the nonfinancial aspects of an organization's controls, are intended for a restricted audience and are not for general release.

Q9. A. Security should be involved from the requirements gathering stage, the earliest stage of the SDLC, so that security requirements are captured from the onset and carried into the design and technology decisions. If security is not involved until later, requirements can be missed or inadequate, requiring revisions or fixes that add substantial costs and time to the project.

Q10. D. Encryption is not one of the main considerations with data archiving; it is typically provided by archiving solutions, implementations, and even appliances. Format, regulatory requirements, and testing are the main considerations.

Q11. B. Testing a cloud environment during an audit may end up having negative impacts on the environment and the performance of systems, which can cause management and the auditors to change the original plan in order to continue with the audit. Cost, regulatory requirements, and software versions are addressed ahead of time through the planning and scoping of the audit.

Q12. B. The E in the STRIDE threat model stands for "elevation of privilege." Elevation of privilege occurs when a user is able to gain access to functions or data beyond what their role authorizes, because the application's authorization controls were not properly coded or enforced. A is incorrect because the DREAD model does not include elevation of privilege; it rates risks by damage, reproducibility, exploitability, affected users, and discoverability. C and D are incorrect because HIPAA and SOX are regulations, not threat models.

Q13. C. Qualitative risk assessments are based on documentation and on the experience and knowledge of those performing them. Because they are largely subjective, they are often difficult to convert into numerical values for comparison. They are often used in situations where an organization does not have the time or money to complete a more exhaustive quantitative assessment. B is incorrect because a quantitative assessment is based on hard numerical values. A and D are not types of risk assessment.

Q14. A. SOC 2 reports are built on five principles: security, processing integrity, privacy, availability, and confidentiality. Of these, the security principle must always be included; the other four are included according to the scope of the audit.

Q15. A. Sandboxing involves isolating systems and applications from others within the same environment. It keeps systems being tested properly segregated and isolated from production systems while giving testers full control within the nonproduction environment.

Q16. D. SAST is done against offline, nonproduction systems by testers with extensive knowledge of the systems and how they are coded, and it requires access to the source code. Testing against a live system is dynamic application security testing, not static.

Q17. A. Public, private, hybrid, and community are the four cloud deployment models. Each of the other choices contains at least one term that is not a deployment model.

Q18. D. A SIEM solution aggregates and correlates log and event data, reports on compliance, and can trigger alerts based on predefined conditions; escalation of those alerts is not one of its core components.

Q19. B. Malicious insiders are the most difficult threat to defend against and detect because they already hold authorized user access; their actions are performed with valid credentials and are very difficult to distinguish from legitimate use.

Q20. C. IaaS uses object and volume storage types. The other pairs are not the storage types associated with IaaS.

Q21. D. Cryptographic erasure is always available in a cloud environment: the data is encrypted, and destroying the key renders it unrecoverable without any control over the physical media. Because the cloud provider controls the underlying physical storage, which is shared among tenants, physical destruction, shredding, and overwriting are generally not available to a cloud customer.

(The following explanation belongs to a question whose stem is not in this section.) GitHub is a web-based code repository that provides version control, with versioning and branching, along with collaboration tools such as bug tracking and wikis. It is widely used across the IT industry and in academic settings.

[The explanations for the remaining questions are cut off at the end of the extracted text.]
even
code, occur
DREAD
application
can
of be
of
securityandlibraries
archiving
itIPS
because
to
thatused
isor
sometimes
escalation ifsystems
as they
they
model
critical).
built
insecurity or
planned.
within
many and
controls
monitoring and
Chefalready
whilewere
upon.
is users
methods,
also
In
comeerror
can
handledinterfaces
instances successfully
arequirements
issome
cloud
and
processinghave,
contains
Penetration
abeas from
tool part
software
checking
go will
instances,
complicated
by without
of
that
come
environment
tofull
beyond an the
organizational
an
detect Eexploited.
knowledge
tool
wereare
integrity
have
external with
testing file
from
thethe having
forused
with
such system.
its
defined
been because
financial within
regulatory
assigning to
acronym,
handling
is done
aone
tool of
elasticity
missed
security
vulnerability.
ortheand
of create
Itapplication,
usingcan
itthethe
SDLC
infrastructure
of
controliscoded.
or an
requirements.
andin
policies, then
environment.
apurely
the
five this
risk
processaccount
misunderstood. be
sameinstance
level
limitationabut
auto-scaling;
principles
Typically, used
software
and that
will
toolsets
in
theon
of asrole
many
such
approach
and
D
B
each
A
configurations.
normal
SOC
Depending
C
it
instances
of
an
B.
be
the tactics
1system
represents
Portability
the
attack reports.
incorrect
SIEM
automatically
Although
as is application
systems SOC and
storage
will
it
thisthat
onwill
2are or isnot
solution
“exploitability,”
is
because
only
audits, It
However,
thethe
went
expanded dependent
application,
would
hackers
be
stillwill
type
become
required
feature
dictated often
stakeholder
computational
itwould
early Desktop
inofwould
aSOC
regulatory
through.
is not data
by physical
be
and
obvious
that
by
programmatically,
in the 2on
whichused
use
as
the
regulatory
requiredIt isthe
without
reports ininfrastructure.
aintended
regulation.
andallows
process, testing
to
server
changes Service
initial
its
after
is is
attack
aconjunction
touse, not
aare
quantitative
requirements,
betheir
model,
involves
system the
identification
itduring
and hasworks
ato
not type
regulations
included
it credentials
changes system
meant
already
to
isexpose ancomplete
as
of
with
difficult Rather
management,
arisk
easily
actual virtual
for
measure
with and
will
beenGitHub
in
programming
are depending
toassessment.
ever
move
any than
aaudit
with
general real
typically
alert.A
much ensure desktop
being
completed
of
of to awould
situation,
file
between
the
easier
the traditional
strategic
form
use
isthat
on system
exposed.
where
and,
require
incorrect
skills
errors
the
other to aand
have
traffic and
and
type
makein
andnoisItat
the
configurations
itisis
of
partners,
is
typical
comprehensive
D. andata
The
organization,
means
this
minimum
impact
sources intended
open Ssecurity
particular
principles.
B
accurately
different
because
damage incorrect
stage and
of
on ininternal
standard
the
overwriting
needed
is than
periods
the
The
correlation
done. and
application
routed to STRIDE
permissions,
example,
because
current
processing
atdeficiencies
determine
management
for later
Althoughinstallations
experts,
of that
through or
someone quantitative
threat
isarchiving
whileinvolved.
aaudit. any
stages, and
potentialsecurity
destroying
key related
data
integrity
IPS system
model
possessing are
solution
application
Since
to
componentitpossibly
systems
and This
structures,risk
stored
vulnerabilities
tostands
orvalue
physical
successfully
stillcustomers..
the
data
principle
adds assessments
coding,
for application
customers
audit
and retention.
virtualization
authorized
and remotely
systems
for
andand
media,
additional
thatscope
is
use such
exploit spoofing,
rating
any
focused
the
of inand
ifis
In
access,asaare
aand
done
free
other
SIEM XSS
proactive
will
cryptographic
correct
time
some
will accessed
applications,
weakness. or to
requirements
on based and
as
andthen
more
aspects
keep
ensuring
asolutions. use
part
instances,
signatures,
malicious on numerical
over
injection.B
costs be
manner,
and
specifically,
of used
applications
The but
ainsider
erasure
that
An the
leverage.
contract
file
value
are
regulatory
SIEM by
in
policies,
data
could
done data
isiswill
itself
in
network.
D
system.
spoofing
A. metrics.
requirements
before
be
solution
most
allowing
the
for
incorrect
it isEncryption
performed
have
is does
isolated
and in
cloud incorrect
development.
responding
rules
its instances
the
not
largely With
identity.
[Link]
has
correct
away offers
because
areaudit
handle
by With
as
beenobject
because
is
will
[Link]
awill
encrypting
fromphase
format,
Thissubstantial
This
the
begins,
primary
also
These
SAST
codestorage,
also
avoided. availability
to
operatingHTML
involves
dictate
isWithin have
anyto protect
function:
testing
versioning
groups
determine
data
accurate,
accomplished forms
data
security
changes
extensive
the
and
asystemsapplications
isare ofisthen
the
time
always
traditional
and quantified
the
kept
collecting
and
the
the and
after
verified,
by andbackbone
ofconfidentiality
in recoverability
knowledge
collaboration.
core recovery,
that
appropriate
destroying
done data
relying athat
other flat
logs
investors data
would
against
and center,
onhave
structure
of
fromof
applications,
that and
web
in
the unique
the
coursebe and
which
many
nonproduction
and
standardizedkeys
network
it risks,
features
pages and
privacy
captured
system
has administrators
of access
case
that real
itand
accessed
systems
notaction because
or
werecalculations
pathways
istool
been ofweb
controls
regulations
by
restricteddata
application,
future
based
used
sets through
altered the
offirst
are
and on
to for
the
towill
or
the
and
forisThe
device
system
design,
can
C
encrypt
individual
C.
play
audits.
within
throughout
as
platforms
systems;
modified
known use
foremost.
patching
incorrect
be
well
application
risk of
Health
ais
a large performed
or
and
it,
Also,
as no
range opaque
users
application
thus
the
and
exposure,
and these
by is
longer
or
role
an While
because
Insurance
usedmitigation
rendering
regulatory
data and
avoiding
of
unauthorized
routing, tokens,
the
as
infrastructure.
layer
in0the
systems during
the encryption
as
contained
to administrators,
as andmarkup
Puppet
10,
risk
by holder
Portability
exactwell
the awith
it
changes
will
well the rather
before
cannot quantitative
inaccessible
use
appetite
not
parties
as as is
of
methods
within
testing can
language
With
0of those
also
have
physical than
data
happen and
representing
behackers
or certainly
but anetwork
aproduction
propriety
having
ofused
it, or
who
software
and
the
stage,
[Link] filename
Accountability
assessment.
to
then
and
software.
overare
for enable
have
technologies
data
will
organization,prevent
unreadable.
APIs within
able
overall
time,
development or
application
extensive adata
know
fromor web
vested
to
connections, through
Although
andthe
This
other the
discover
systems.
manyAct
what
or browsers unauthorized
application
even
chosen
and will
This
interest
of
knowledge for
toolsets
users
has has
different
the abeen
it1996 directory
include
the
method,
ishandling
ifAlso,
will new
the
for centrally
tosame
in
interacting
costs (HIPAA)
thatrender
they
itsystems,
the
and
application
most
archiving.
and
regulations
either
ensure altering
especially
exploits
will
associateduse
values
thatan
valueand
end
with
mostly the
maintained,
for
where
with
intimate
display
them.
infrastructure
structure.
of
in
A.
up
service
or
Also,
were single
The
data
resources
C data
successfully
mitigation.
binding
virtualization
an
and isthe
correct
completely
SIEM
incorrect
an United
This
relying
content.
at
released loss
knowledge
accounts
paths rest,
This
organization
solution
to isitexploit
enables
an expectancy
offers
already
States
party
configurations.
type
that Although
use
organization
because
will
are
finished,
during or
can more
testers
always is
of
in
is
of
common
typically
and encrypted,
them.
notconcerned
astorage
easily
needs
an itand
while (SLE),
federated
10and
its
audit,
taken. flexibility
itbe
to
to is intended
detecthow
do the
aItwidely
is works
credentials
representing
itto
privacy
within
is is
more
often
with
itthe
particular
ensure
they
In
far annualized
as
extremely
environment
cloud
tooshould
is
would
theused far
purpose.
much
invasive
the
oneused
that
samelateto as
protection
andoperate.
for
inconfiguration,
communicate
environments,
same
no cloud
of
they
almost
to specific
pattern
the fast
hostrate
will
the
and
media
startisfive and
the
provider,
can of
same
bedeeper
Testing
certainly
systems,
the
recover occurrence
efficient.
actual
objects
knowledge
orofcrucial
principles
otherpatient
way
making
with
involvement
where software
testing
havebyservice
to
data
so as
such Whereas
this
any
privacy
databases,
details
theany
of Chef,
or the
afor(ARO),
than
theas
grouppackages
web-based
provider
images,
and
cost
infrastructure
skill
future
potential
across
of
the SOC and
whatand
requiredshould
isthose
APIs,
of
security.
durationthe
used
can
deployed,
application,
videos,
or
B
that other
systems,
the
of agives
implementation
C audits,
be
to
deleting
is
security
Although
2 derived
best
exploit.
manage
thorough,
done
compromise
moving
D. is
inthe
Theincorrect andservices.
ways
retention
constant
to
“use” access
largeand
whereas
against
involved
it audio
annualized
securityitof is
tocustomization
configurations
another
is because
using
not volumes
phase state
thenot
to In
files,secure
compromiseused
this
relying
requirements.
and
live
with
required
willscripted confidentiality
substantial,
host
of as
loss
enforcement
systems
runtime
ofplay
the or
the instance,
flux,to
well
on
system asystems
numbers
and expectancy
framing encode
protection
to
cloud than
log it.
regression
because
this
role
be as
It
standards where
files
application
inincluded
could
data itdate.
afar
serves
isin or
is
stage
both ofinformation
SaaS
the is
frompossible
data.
the
files
ofmorethe
(ALE).
expose
time
lifecycle cloud
no
testing
ofinsolution
medical
testing The
particular
risk
with purpose
self-protection
onmain
the
regards These
difficult
and aofproviders
data
is for
that
any relying
riskto
concern
system
data
phase
money.
where offers
abetween
records. be values
management
evaluates
to
othersuser
and
to used
servers
corruption
assystems
canparty
store
to
achieve.
the to
and
doesn’t
far While users.
and
isdata
during bywould
often
asassume
the
the consumes
focus
all system
web
acalculations
satisfy
vulnerability services
configuration,
ability
aspects
Theor
process
two
is take
major
audits. of
the
requireimages
negatively
primary
actually identity
substantial
ofThe
ofis
a the
part can
or
each
ofand
not
of isanother
system
application,
protocols
give
to
virtual
time
encryption.
the
authentication
D.
compliance
D
C
virtualization
A
processed
server
where
impacting
scanning
privacy
means handle
Data
lawmanagement
toto
incorrect machine
theor
complete,
toin
protectswithin
such
be or
users
principle
andcode
application
archive
It
including
implement isas
tokens
requirements
overallanalyzed the
versioning
consumed
because intended
files.
evaluationworkers
isSOAP
will is
in
hard
risk not application
addition
focusedspecific
to that
HIPAAdata
one
detect
ifand
interoperability
software
independently.
IPSdata by
assessment
exist
ofand
toto are
an prevent
lossof
and
the to
security
on
get their
targeted
collaboration.
refers
with generated
the
and
the
application
personal
around once
cost
changes
data
can is families
official
respond
to
[Link]
the isauthenticated,
numbers
being
the
typically
The
defined
controls testing
the unauthorized
orby
the
and states
or
U.S.
SIEM fromto
anfor
archived
releases
ability
user.
be
shortcomings
private
and time
to
security
acceptable
Health losing
of make
new
solution
prevented
scoped.
their data
During
of required
would
for and
exposure
and
health
athreats
informed
aInsurance
information, as
system
alsoperiod
the
The
implementations
of then
updated
it
identity
be
by applies
for
virtual make
insurance
“use” and
suspended
allows or
having or
overwriting
riskleakage
provider
Portability
of
organization
and attacks
features
application
time
phase,
forto
in
network-itthe appear
mitigation
security
ensuring when
cannot
place
go, of
inand
during
data
and
will or
as
manyto
or
anisFIPS
determine
part
C
D
A
ensuring
as
data
they
then
and
security
be
auditing that
of
change
to
grants
Accountability
that
containers.
identification
redundant
based
reuse
will
B. acceptance
if
automated
incorrect
encryption.
recovered.
transition
it the
parties
components.
IPS
is140, it
user
isduring
is
concerns
handled
periodscode decisions.
authorization
or
systems,deleted,
because
is that
lose
specifically
through
ofmanner.
accessing
between
Act Although
release.
the framing
within
per
or are
their
ofThis
as
same
requirements
the keys
one
structured
Nessus
1996.
the It
not
well
the
any jobs,
isthe
to
allows
use resources
what
ofcan
organization’s
typesauthorized
intended
the
current
It access
other
isappropriate
the
data-at-rest
as
organization.
ofcovers be risk
aofkey
and
tool
deleted
other
organizations
host-based the
three
and
through
issues,
will aspects
for
unstructured
revision
the for
to systems
levels
likelymajor
applications
have
conducting
states
instantaneously
policies,
and
privacy
Organizations
traffic,
business
IPS of the
of they
data-in-use
have
toFIPS it.
parts
SAST
or
systemsof
avoid
and
asapplication.
orIn data
been storage
want
order
140-2,
wellofis
to
vulnerability
events
continuity
security thebe
in
particular
in based
missed
almost
as to
states to
aisuse,
and
able
knowledge
law
types
per evaluate,
aread
across
cloud To
of onfrom
data
that
to
mitigate
processing
any
and belong
the
adata
throughout
always
patient
ties scans,
respond
are
at
where
environment.
applicable
disaster
willto successful
based
on
rest,
that
use to
and
this
vendors
require
medicalthe to
they
is
and
theon
D
PaaS,
threat,
encrypted,
authentication,
data
an
information.
heterogeneous
recovery
real-world
specific
part
it
are
important
standard
B.
overallaudit
regulations
C
B
or does
additional
isType innot
housed,
other of
incorrect systems
transit
not
the IaaS.
period
plans.
1threats,
published
hypervisors
in
development.
systemsaor
attacks
testers
have
security partywill
sometimes
this Structured
because and
should would
environment.
While
as
laws, aand
regulation,
anything
context
for have
of possibly
by
as freeze
during
the cursory
implications
redundancy
thein
run
it continually
while
the need
order
scenarios
Because without
systems’
are
directly
to
firewalling
XML is storage
for
United
components
exposed or
all based
much
do For
the
acceleratorsisto not
configuration
for
the with
even
in
times—whether
this have
is
isexample,
an on
protection
attached
States
configurations
type
ofcheck
can
real
and
stageadone
usedand
archiving
code
the
accessing
ortype
specific
access
help
of
timeapplicability
the typically
of
if
government
testing
accessed
will data access
prevent
collaboration
functions
to
occurs to
limit
beand
of an
and risk
to
attributes
the system
IP
patient
that
itthe the
phase
placed
asor
by assessment.
version
apply
isand through
of
aaddress
underlying
of keys
datato
systems
is
either
restrict
systems.
final adata,
to
pertaining
the
used.
their is
around archiving,
user
about
changes
loss
be
mitigation
and used
issystems
focused
technologies
approval
created,
own This as
considered
holding
the
specific to
the
suspected
from
versioning.
hardware
Therefore,
load they the
user
such
requirements
to
systemsencrypt
so
will
on move
happening
tactics
the
stored,that
the
guide
before
network
balancersconcept
functionalor
of
used.
of as
valid
the
Nessus
actual
and
it totheentity
the
must
releaseand
stop at
to
the
works
attempting
all,
databases,
data.
between
[Link]
establish
that
be
of
hostisarchiving
sound, having
attacks
usability
environment
D
traffic are
applications.
overall
With
to
processed,
and and
incorrect
certification
production
will Iffrom
by the
it provided
risk do
interfaces
taking
mustrobust
which
datawas
automatically
orimmediately,
tois
not
testing
isbecause
making
assessment
ofThisfound
attack
disposed
isbefocused
ahaveand
have
large
bysuccessful
consistent
can
tested
cryptographic
approved, or
encrypted
by
within
the
any
comprehensive
alsofunctions
aensemble
SOX
be populations
solely
identity
set,
toallowing
software
process
of added
byand
be them
refersdefined
ensure
any on
arelatedwithto
inbound
static
modules from
system provider,
changes
as the
and
of
topersonnel
ensure
between
of
strong
known
data-organization
is
backups,
restoration
theability
while
to
start
systems orusers
or
thatnot
the
U.S.
in they
by
encryption,
vulnerabilities
to
considered
outbound
undergoing
to use
application.
design
are
are and
them
to enabling
read
Sarbanes–Oxley
[Link]
review
have
ofstakeholders,
used
expanded
orwell
or data,
the
dependencies
standardized
access as
when
theascheme
connections,
code
within testing. proper
state
so
theand
relying
arechances
based itavailable
means
Actisscanning
programmatically.
systems. vulnerability
inand
not
level
functional.
Thedata
on and
ofparty
of
on
usuallyused
are
to of
exception
2002. it
and
discovered external
restore
to
against
access,
ever
itself.
structures
Following tomake
with This
provide
scanning
other
maintained
being
as
prevent
electronic
decisions
A
operating
asystems
isthis
well
security
Without
to
SOX
D
specific
them
differs
and
this
systemincorrect
presented types
accessed
standard,
formats as
isquickly,further
intended
would
fromthe
tois
portsabout
check
concerns
this
orsystems.
healthcare
indetermine
also
by
of
encrypted
becauseagain
application,
IPS
to
level
anbe
as testing,
the
will
whichtuning
crucial
roles.
that
avoid
because
to
well.
limited
will
largely
ofcloud
unencrypted Withthe
protect
isare
transactions,
ifdata
the
where
or
volumes
atthey
assurance,
vendor
Although
likely
like provider,
configuration,
identity
contained
changes
an
itextremely
to
this
main
mitigatein investigate
are
processing
relates
the
SIEM
incur this
use
stage.
lock-in.
state. apurpose
from
public vulnerable
the
there inside
iswith
solution
to
firewall
substantial
into
or and
low;
an
Although
system
being
isofficial
mitigate
four
where
minimize
Thisand the
data
further
integrityknowledge
noof
for
levels,
iscan
also athe
Type
attempt
intercepted
shareholders
point
into
the
inserted
assumes
not
state
auditing
costs
security
extends them.
correlate
the
the
andmonitoring
most
will1innetwork
aeffects
hypervisor
and is
comprehensive
of
tofindings
With
or
privacy,
ensure
havingpart,
they
not
tool
the data.
standardize
specifically—just
created
delays,
from
the present,
of
for
data have
phase
it’s
the
varying
flow During
traffic is
availability
any virtually
results,
accounting actually
by
protecting
during
and highly
archives
XML
security isand
data the
identifiers
the
this
to
audit,
depending
degrees
the track
optimized
testers
cloud
accelerators
loss.
events
isstate,
in matches
the
and
actual
one
concernsthe risks
of on
customer.
the
reading
B
data
first
audit
and
across
for
scanningidentity
application
impossible.
with
of
isolating
are
C
from isthe
fraudulent
its
confidence
isthe place.
so
limited actually
evaluations
placed
release
incorrect and
networking
that
intended
five that
access
Testing
shouldto
traffic,
server they
developers
principles
andin
and because
the consumed
they
practices
howfunctions,
be
any
it
orof canof
shouldofused
devices,
information
them
done
security
is storage
not the
the
proper
be
publicity
the and
multitenancy
the by
overdata
identity
and
closed
be
using
network
used of to
servers,initially
processed
corporations.
aspect done
validation,
security
SOC timecontained
all
they 2before
cryptographic
that
for iscode
standard
segregating
auditing
may
toprovider
at
to authenticate
firewalls,
are regular
teams
routed.
relates
the is by
with
becoming
determine
able
have tools
client isto
aaddition,
certification,
Inreports,
removed
can
XML thesystem
them.
intervals
modules
tobeenIPSs,
and awith
expose
proactively
aspect
cloudgenerator
and
official,
and
by
ifisolating
they
full
accelerators
done,but or
it
and
the
used or
and itaccess
so requires
signature
are
environment
orapplication.
on,
but
testing
vendor,
glean
is tofollowof
discover
the still
systems
requirements
not the
authentication
which
those
encrypt
also from
security system
that
the
of
with
aapplicable,
sets
required
are and
or As
changes
otherwise
APIs
same
certain
scanning
to
hosting
and
usedthe
of such,or
will
mitigate
detect
to
the and
decrypt
inmeet if
Questions

1. Which of the following threats involves sending untrusted data to a user's browser in an attempt to have it executed using the user's permissions and access?
   Options: (1) Cross-site scripting; (2) Injection; (3) Unvalidated redirects; (4) Man in the middle
   Correct response: 1

2. Which of the following involves assigning an opaque value to sensitive data fields to protect confidentiality?
   Options: (1) Obfuscation; (2) Masking; (3) Tokenization; (4) Anonymization
   Correct response: 3

3. Which of the following is NOT one of the security domains presented within the Cloud Controls Matrix?
   Options: (1) Financial security; (2) Mobile security; (3) Data center security; (4) Interface security
   Correct response: 1

4. Which ISO/IEC standards set documents the cloud definitions for staffing and official roles?
   Options: (1) ISO/IEC 27001; (2) ISO/IEC 17788; (3) ISO/IEC 17789; (4) ISO/IEC 27040
   Correct response: 2

5. Which of the following pieces of information is NOT included as part of PII as a direct identifier?
   Options: (1) Address; (2) ZIP Code; (3) Biometric records; (4) Phone number
   Correct response: 2

6. Which concept pertains to the risk an organization entails in regard to the ability to move between cloud providers at a later date?
   Options: (1) Interoperability; (2) Reversibility; (3) Portability; (4) Broad network access
   Correct response: 3

7. Which of the following is NOT one of the core building blocks of cloud computing?
   Options: (1) CPU; (2) Memory; (3) Storage; (4) Hardware
   Correct response: 4

8. You have been tasked with creating an audit scope statement and are making your project outline. Which of the following is NOT typically included in an audit scope statement?
   Options: (1) Statement of purpose; (2) Deliverables; (3) Classification; (4) Costs
   Correct response: 4

9. With a multifactor authentication system, which of the following would NOT be appropriate as a secondary factor after a password is used?
   Options: (1) Fingerprint; (2) RSA token; (3) Text message; (4) PIN code
   Correct response: 4

10. Which of the following ISO/IEC standards pertains to eDiscovery processes and best practices?
   Options: (1) ISO/IEC 27050; (2) ISO/IEC 17789; (3) ISO/IEC 27001; (4) ISO/IEC 17788
   Correct response: 1

11. Which of the following is NOT one of the cloud computing activities, as outlined in ISO/IE 17789?
   Options: (1) Cloud service provider; (2) Cloud service partner; (3) Cloud service administrator; (4) Cloud service customer
   Correct response: 3

12. Which act relates to the use and protection of PII with financial institutions?
   Options: (1) SOX; (2) GLBA; (3) HIPAA; (4) PCI DSS
   Correct response: 2

13. Which of the following is NOT one of the cloud service capabilities?
   Options: (1) Infrastructure; (2) Network; (3) Platform; (4) Software
   Correct response: 2

14. Which of the following would NOT be used to determine the classification of data?
   Options: (1) Metadata; (2) PII; (3) Creator; (4) Future use
   Correct response: 4

15. What is the prevailing factor for determining which regulations apply to data that is housed in a cloud environment?
   Options: (1) PII; (2) Classification; (3) Population; (4) Location
   Correct response: 4

16. Which concept involves applying standardized configurations and settings to systems to ensure compliance with policy or regulatory requirements?
   Options: (1) Images; (2) Repudiation; (3) Baselines; (4) Interoperability
   Correct response: 3

17. Your company has just been served with an eDiscovery order in order to collect event data and other pertinent information from your application during a specific period of time, to be used as potential evidence in a court proceeding. Which of the following, apart from ensuring that you collect all pertinent data, would be the MOST important consideration?
   Options: (1) Encryption; (2) Chain of custody; (3) Compression; (4) Confidentiality
   Correct response: 2

18. [Question text not recoverable from the extraction]
   Options: (1) Limits; (2) Multitenancy; (3) Reservations; (4) Shares
   Correct response: 1

19. Which of the following roles is responsible in many organizations for overseeing access requests for data utilization and ensuring that policies are followed and proper approvals are granted?
   Options: (1) Data owner; (2) Data steward; (3) Data processor; (4) Data controller
   Correct response: 2

20. Which of the following is directly part of the "metered" costs associated with PaaS?
   Options: (1) Staffing; (2) Development; (3) Licensing; (4) Auditing
   Correct response: 3

21. Many highly regulated data types and systems will have specialized regulatory requirements that extend further than the regulatory requirements that apply to all data. Which of the following would NOT be a specialized regulatory framework that has its own compliance requirements?
   Options: (1) FedRAMP; (2) HIPAA; (3) FIPS 140-2; (4) PCI DSS
   Correct response: 3

22. Which cloud deployment model offers the MOST control and ownership over systems and operations for an organization?
   Options: (1) Private; (2) Public; (3) Community; (4) Hybrid
   Correct response: 1

23. Which of the following is encryption MOST intended to address?
   Options: (1) Integrity; (2) Availability; (3) Data loss; (4) Confidentiality
   Correct response: 4

24. To test some new application features, you want to isolate the applications within the cloud environment from other applications and systems. Which of the following approaches would be the MOST appropriate to accomplish this?
   Options: (1) Sandboxing; (2) Application virtualization; (3) Honeypot; (4) Federation
   Correct response: 2

25. Which of the following is NOT included as input into the requirements gathering for an application or system?
   Options: (1) Users; (2) Management; (3) Regulators; (4) Auditors
   Correct response: 4

26. Which phase of the SDLC process includes selection of the application framework and programming languages to be used for the application?
   Options: (1) Requirement gathering; (2) Development; (3) Design; (4) Requirement analysis
   Correct response: 4

27. Which of the following regulations were designed to try and bridge the gap in privacy laws between the United States and the European Union?
   Options: (1) Safe Harbor; (2) HIPAA; (3) SOX; (4) GLBA
   Correct response: 1

28. Which concept involves the maintenance of resources within a cloud environment to ensure resources are available when and where needed?
   Options: (1) Dynamic optimization; (2) Auto-scaling; (3) Elasticity; (4) Resource pooling
   Correct response: 1

29. Which type of storage with IaaS will be maintained by the cloud provider and referenced with a key value?
   Options: (1) Structured; (2) Object; (3) Volume; (4) Unstructured
   Correct response: 2
Answer explanations

1. A. Cross-site scripting involves injecting scripts into web pages that are then executed on the client side by the browser. This allows an attack to run scripts using the permissions of the browser and any authenticated sessions. It can expose web applications to potential attacks by bypassing the protection of security controls such as same-origin policies, as well as by utilizing the credentials of a valid user. B is incorrect because injection attempts involve sending code segments through input fields in order to have the code executed by the system or application. This is done to attempt to access information and bypass security controls when input fields are not properly validated or sanitized when submitted by the user. For example, a field may be intended to contain the user's e-mail address, but an attacker may send SQL code or other code in the input field. If the application does not properly validate the input fields, the application may either

2. C. Tokenization is the process of replacing sensitive data with an opaque random value, with the ability to map the value back to the original real value. This allows an application to operate in the same manner in which it was coded and to use the same values, such as keys, but without using the actual real value, which may be PII or other sensitive data. This can allow an application to conform to confidentiality or privacy requirements without the need for other, more expensive and intensive security controls such as encryption. Because the tokenized values can be mapped back to the original sensitive values, the mappings between them must be protected and secured to prevent exposure. A is incorrect because obfuscation involves replacing

3. A. Financial security is not one of the security domains presented as part of the Cloud Controls Matrix (CCM). While many other domains will play into the protection of financial information, there is not a domain that is specifically related to it. B is incorrect because mobile security is one of the domains outlined in the CCM. C is incorrect because data center security is one of the domains outlined in the CCM. D is incorrect because interface security is one of the domains outlined in the CCM.

4. B. ISO/IEC 17788, specifically the latest revision ISO/IEC 17788:2014, provides an overview and vocabulary for cloud computing. It defines the commonly used cloud terminology, including cloud service categories and cloud deployment models. A is incorrect because ISO/IEC 27001 is a general security standard that applies to any type of system or hosting environment. C is incorrect because ISO/IEC 17789 is focused on the cloud reference architecture.

5. B. As they relate to PII, ZIP Codes would not be considered a protected piece of information. A ZIP Code includes a broad geographic area and would not meet the definition of PII, because on its own it cannot be used to identify an individual. However, combined with other pieces of information, a ZIP Code could be used to narrow down the information and possibly identify or distinguish an individual from others.

6. C. Portability is a concept that allows a cloud customer to easily move between cloud providers at a later date. Portability takes into account the characteristics and features of the cloud system or application that can lead to vendor lock-in, which can be a concern for cloud customers. If a cloud customer builds systems or applications using cloud services, APIs, or proprietary features that are specific to a cloud provider, it will be almost impossible to move them to a different cloud provider without incurring substantial costs.

7. D. Hardware is not considered one of the core building blocks of cloud computing. With cloud computing specifically, the hardware should not be a concern at all for any cloud customers, as they will never interact with it or even have a need to know what it is. All the cloud services are segregated from the hardware layer, which the cloud provider is responsible for.

8. D. The audit scope statement focuses on the various goals for conducting an audit and the aspects of the system it applies to; the costs associated with the audit are handled under different processes.

9. D. A PIN could not be used as part of a multifactor authentication system if a password is already used, because a PIN is essentially similar to a password. The goal of multifactor authentication is to establish different types of authentication factors, and a PIN and a password are both of the same type, in this case something "known" by the user.

10. A. ISO/IEC 27050 is a standard focused on eDiscovery processes and best practices.

11. C. The cloud service administrator is not one of the cloud computing activities outlined in ISO/IEC 17789.

12. B. The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Modernization Act

13. B. Network is not
ininasensitive
practices
of
both
defined
nature
run atechnical
1999,
the
Matrix, fingerprint
time
biometrics
the rapidcloud
and isfor
cloud
or
code and and
specifically
conducting
service
specifically
protected
specific
elasticity
or money
can could
service procedural
insert provider
immediately
toand be
focused
tothe
labeled change
used
capability.
data
their
it into data details
isalong
as
computing
scalability, the on an
and their
collection,
the
application
Network
database of
official
with
use the
applications,
directly
and needs. aof
resourceaudit.
role
password
including
PIIestablished
identify
and
services
and by financial
interface
then which
an
are
pooling. for
a
execute it
multifactor
institutions
fields
would
discovery,
in
D.
security.
D isISO/IEC
individual,
A
major
later The with
also
future
incorrect
whencomponent aauthentication.
and
17789.
preservation,
random
expose
and use
because
SQL the
most or
The
command necessary
them
ofinformation,
intended
cloud
biometric
cloudCPU
the
ISO/IECand The
tostatement
is
computing requirements
significant
service
is analysis.
ause password
core
27040
run typically
markers of provider
building
against data
isrisk
of infocused
willforwould
should
purposefor
general,
that be for
block
generating
issuch thethe
unique
on
field. be
have
is andof something
protection
entity
an
the
security
Thiscloud
undertaking.
no
to
all data
first athat
bearing
computing.
single
service
can step sets
techniques
be “known”
of
makes in it.
for
on The
individual.
the
capabilities
used the
cloud
testing
byaudit
asan totheythe
B
D.
heavily
classification
attacker
in
A
When
scope
user,
services
Act
relate
D isnonproduction
The
incorrect
containslocation
while
correctstatement.
new
to use
available
to and
virtual
storagethe
exposebecause
of
what
because of
depend
it. the
fingerprint
TheThe
systems
tomachines
is
other
security. a data,
known
users ISO/IEC
on
classification
statement and
network
interoperability
personaldatabase
or
would
asor 17789any
customers,
otherthe
virtual
phoneof
be Safeguards
areasjurisdictions
of provides
services,
purposes
purpose data
something
appliances
refers
number, should
regardless
beyond a in
covers
tobut
similar
Rule,reference
the
and that
network
those
arethebe
the
ability
of
which the
based
inprovisioned
user’s
the
[Link]
architecture
is
intended,
reason
many cloud
puts
of not
on
possession,
a The
system
for
the
instances aor
the fall
instandalone
deployment
the sensitivity
difference
specific
aevenunder,
for
cloud
audit.
or
even asdump a of
well
application
Typically,
as
cloud
model
requirements
will
C.
businessbeing
category.
between
the
entireBaselines
always
data,
environment, computing
oraphone
hosting
biometric
tokenization
databaseany be
to are and
reuse
the set
regulatory
one and
model
number,
fieldsprevailing
burdens
ofconfiguration
components
factor.
isor
the and focused
used.
can on factor
requirements,
file
main be
obfuscation
systemfinancial
on
selectionsfrom
standards
directly for
general determining
previous
institutions
is
and
information tied
that,
made cloud
and
the towith versions
requirements
computing
apotential
is to
which
specific
back
in protect
obfuscation,
regardto or
the regulations
individual
risks
toother
design
the
that
and
malicious
their the applications
privacy
apply
and
and,
costs
CPU apply
original
actor. tosuch,
as to
a it,
audits
mappings
in
resources.
implementation.
B
and
associated
regardless
system
is
A
B.
C is new
definitely
When can
personal
incorrectways.
orato be
application.
of
The
with the
company conducted
With
what
information
considered
becausemeasured
compromise.
protected
While this
type an
the ofeither
Baselines
ability,
some
PII.
is unvalidated data
infrastructure
dealing RSA
service
of
cloud
data
their
information
Applications
token
developers
withfor
itservice
are costs
is. internal
customers.
could
not
often
eDiscovery
is one
redirects associated
partner purposes
maintained,
can
contained
be
part
and
of used
occurThe
save
theservices
ofis regulatory
orders, Act
an
with
astime
three
when of
nor
would
official
secondary
also
thethe
each
that
and
are
cloud
an organization
requires
beintend
chainrole
virtual
or
they
moneyuseful
application legal
servicefactor
established
of important.
regular
to
machine
building
custodyin
use
with and
some data
capabilities.
does and
in
not
instances
A
This
is
the
A. is
Although incorrect
extremely
isadapt
Limits why
aggregate
applications
atthe
multifactor
ISO/IEC
notification
must
requirements
properly ofInfrastructure
are
organization’s
17789.
this
validate because
important
put total
authentication
their
ofeDiscovery,
and will
and
the The in
components
security
be
input place
of
oftentimes
privacy
cloud
own
more while
CPU as
and the
to as PII
standard
itpractices
pertains
request,
controls
serviceaafollow
resources
enforce
secure
if
sets will
Service
through
password
up partner
than
or
andahave
the
of to itself
published
they
situation atie
isfinancial
will theofficial
one
maximum
policies definite
tokenization
is
iscan does
use
used of legal
the
directly
defined be
of
to
industry
where impact
institutions
asnot
code three
conducted
theamount
well. address
proceedings.
asinto
because
classification
an
that
users on
main
the
standard
The of
entity
not
as
cantoeDiscovery
the
cloud
costs
RSAcompute
the
wellfulfill
only
that
be regulations
The
token of
original
[Link]
chain
hosting
asisassists
with
the
redirected at
resources
already [Link]
whom ofthat
or
written,
requirements
represents
provide
either
they
apply
A
categories,
custody
B. isThe
mappings
with
The
that
through incorrect
share
data
any
the to
the any
databut
data,cloud
personal
documents
one
cloud
should
thisare awhere
guidance
also
PIN
because
steward itenvironment.
tenant
not
untrusted is
service
tested
code,
not athe subsection
information
betoward
everyone
is
preserved
or images
and
cloudand
customer
responsible
system
classified
input the
verified
it.
form
provider
who
anywhere,
With
to user
canof and
externalthe
or
for
based
thethe
has would
by
the
[Link]
isoverall
basis
both what
overseeing
had
cloud cloud
responsible
it
on also
sites. need
the users
for
data
purposes.
possession
built
The service
means virtual
to
demands
Through an classification
and
limits be
for
entirely provider
in
security
organization’s
of
that machines,
the
can
thispossession
orthe
on physical
theneeds
kind data,
bevirtual
data scanning.
in
requirements.
placedofthe but
of in of
policy delivery
are
thetoken
environment
cannot
and
attack,what
specific
on the
initbeis of
logical
various
used
infrastructure
from
in
C
cloud
A
applications
B
end
levels
and
format,
regard
C. isorder
With
possible incorrect
result
in
regulations.
services,
and
making any
to to
PaaS,
and
for units,
of
data know
meaningful
or applied
because
from
services
for
the the or
users.A
ranging
access,
what the
In
both.
cloud
attacker the
the
regularly
configurations
ISO/IEC
reversibility
the
available,
reasons.
as isperspective
way
case
from
incorrect
provider
well
to classification
Sarbanes–Oxley
beyond
stealof a27001
aschanging
For
butregulations,
specific
for
is
user refers
because
data
the of
and
functional
giving iscredentials
the
evaluating focused
of
cloud
to virtual
PIN
requirements,
to
thethe
becloud
Act
metadata
the
code
the data
(SOX)
machine
testing
customer on
ability
statement
admissible
cloud customer,
access that
and general
will isattempt
customer is
the
of
or
focused
always
not
to
one
requests
is adevelopment
for token
acloud
security
of
CPU
theof
cloud
responsible apurpose,
legal have
the
mechanism
on
allocations
has
customer
fully
and
phishing the
customer
keys
principles
afunctioning
proceedings,at major
matching
for as
purposes.
for
thewell
attacks to
per
for as
and
impact
virtual
the
them
B
remove
D
protection
classifying
applying
for
B. isThe
against
many best
chain
the
timewith
incorrect
environment, on practices,
machines,
data
machine
aggregate
all
aspectsor
the
users the regulations
organizational
data.
of
systems,
ensuring
steward
PIN
because
stakeholders
as including
of can ofand
configurations,
code
well.
the easily
applications,
is
their
their
audit masking
needs
the
Becausedoes
responsible
the that
policy not
utilization
compliance.
be
cloud
and
scope to
operating apply
changed
theisto storage,
shareholders
be have
service
another
as andensure
for to
entered.
useraacross any
data
overseeing
with
whole,
systemit,
went but
specific
and
compliance
customer
termfrom
all
stopping
This
from
may the
almost
systems.
for
through
and awould
an
be jurisdiction,
guidance
is
cloud
financial
anyobfuscation.
an aall
and aspects
organization’s
and
dictatedofficial
satisfy
They
middleware
trusted or
proper
environment,
starting focus
irregularities,
are
by based
the
role of
designed
ofuse. on
multifactor
application
the ormaintenance.
established
policy If location,
aregulatory
virtual
as the
well
applicationin
to andasin
to
requirements
eDiscovery
ISO/IEC
improper
is
B
C.
C
of ultimately
business
D isWith
machine ensure
custody
incorrect
Information
regard
was
ensure
framework PaaS,
to
redirected17789.
that practices,
that
isprocesses
purpose
after
data no what
the
about pertinent
because
vital
[Link]
because The ismakes
configuration
access,
single
by traces
cloud
in cloud
the
it, and or the
acceptable,
showing
they repudiation
provider
to
of
errors
platform
as
host anything
that
service
anonymization
creation
well
As the
password
maythem
or part determination.
that
changes
as type
by
customer
notis
the
of have
is
for customer
of that
organizations.
onedeals
giving
of
nothing
data,
be data
the would
been
evaluating
haveapplication
ofiscan
involves
aware with
involved
the the
the
steward
services, hasissecurely
constitute
been cloud
the
defined
three
time
utilize
they been The
replacing
access verifiability
made
of
thewith
or
is
are customer
cloud deleted.
date
act
assomething
them.
responsible
tampered
creation,
enormous no
licensing any
also
requests
through
dataunder
service
longer entity
of
outlines
aso
This
with
who
resources
costsfully
anreview.
for
the
andcapabilities.
that“known”
sendingisindividual
that
and
created functioning
governed
itspecific
ensuring
service
matching has
that
cannot
that
input to
the
tracking awill
portal. the
by
that
to
B
environment,
be
contract
CPU
user
D
business
requirements
data,
C
and
ultimately
them
Platform
everyone
appropriate
are
the
C. isFIPS
successfully
incorrect
proof
is
and
the where
withpart terms
relationship
the
responsibility
140-2asof
in make including
organizational
of and
their
RSA
because
the
for
apossession
approvals for
mapped
athe
Service,
is how
token
data
resource
activities,
the cloud
certification fordeliverables
itbeing
ofwhilethe
ISO/IEC
retention
level
is
havewould
ofback
the
the operating
policy
stored,
provider
thepooling
of
the
and
use
been
one
cloudto 17788
assistance
beto
data
for an
population
and
does
ofofand are
something
ensure
cryptographic system
individual.
and
cloud
unable
obtained
provider
the
can preservation
provides
theamain
not be iskey
that ofcomponent
services.
specific
shared
have
compliance
to
questioned
and inand
properly
the
cloudIt
the any
terminology
possession
any
isbetween
documented
are
modulesfields
cloud
built
data
of impact
service
factored middleware
financial
and to
allocate
can
on
involved
provider
thean
proper
of
or
and
categories,audit
certainly
the
bearing
investigated,
based into
as and
concept
tenants
resources
on or
definitions
all
must
user.
well.
theuse.
system
the scope
play application
have
onIf
provide
ofwhere
metered
is ifheavily
the
the
specificdirect
and for as
cloud
an
the
needed.
A
serve
and
well
statement.
C
records.
into
system
business
framework
trusted
A.
costs
needs impact
cloud
isPrivate computing
incorrect
indirect
datathe
asofenvironment.
the
andconfigurations
application
the on
provider
needs
purpose theof
classification,
timeliness
While
components.
clouds identifiers.
because
requirements
cloud in
regulations
is
all
offer general,
makes
other
customer. while
acceptable,
and audits
of
the
or
theand
Indirect
are but
available
cloud
having
As the
regulatory
for usewill
all
part
most
thus that
of does
aofapply
data
customers.
fall
ultimately
all
the
identifiers
control
exposing
level to
under
text
tasks
the
data not
owner
the
requirements,
of to
message have
services, it,
cloud
completed
andthe
steward
result
are
their
encryption hasitthose
conceptany
is
ownership customer
final
as
inaisthe
the
private subset
afocus
though
and authority
responsible
licensing
secondary
attributes orof
ofproduction
verified.
data
for
the sections
the
virtual
metadata.
repudiation
an or costsand overall
thatmachines
factor
for
organization.
privileged
protection pertaining
responsibility
ofensuring
andbycertain
along
and
of [Link]
tracking
access. with
that
With
It
D
reports,
to
C
classification
nonrepudiation
are is eDiscovery
application
over
themselves
B
appropriate
ais
D.
A password
private
basedthe
incorrect
The data responsibility
these
purpose
oncloud, would
policies requirements
because
at
frameworks
cannot reports
approvals
both may
an
of all satisfy
and of
encryption,
software the
can
broad
although
access,
organization
map certainly
memory
any
multitenancy
ahave the
tothe
staffing Health
differ
installed cloud
data
abeennetwork
requirement
man-in-the-middle
and be
the
single is
first
comes greatly
themes
Insurance
encryption
that
will
hardwareand provider
data
aobtained
core access
individual,
and is
either based
configured,
contains
inthesteward of
building
foremost,
many for
Portability
regulatory
may
larger
have
and
requirementsisPII
attack multifactor
on
one
but are
issole
be
different the
documented
willwhere
concept
block
is of
factored
used
ainvolves
to audience
the
and
requirements.
position
combination
automatically
ownership
of the
as
prevent
and
forms,core
authentication.
that Accountability
cloudpart
the
theinto
cloud
as components
or the
officially
deals
the
with ofof purpose
computing.
well.
or customer
eDiscovery
have
be
interception
level withmetered
a control,
unauthorized
manyof To
strategic ofofthe
hosting to
indirect
cloud
Much
audit.
receive
Act
legal
D
multiple,
A
costs
paying
B. isApplication
just
sign, (HIPAA)
incorrect
designated
different or
of
needs
communications
viewing
features, computing,
like
The
partner
the
regulatory
identifiers
the
preserve,
of different
CPU
parties
and scope
to text
cloud
isload
for
data. because
focused
virtualization
resources,
withmessage
will
directly
and
protections but
customer.
cloud
requirements
could
involved.
While their
between the
cover
protectitwhile
interoperability
on does
entity
customers
lead
with
carrying privacy
memory
the
application
encryption allows
the
Within
thatany
two not
toaeach
running
format
secondary
data
theplaced
relate
and
evidence
out
parties. is
you
cloud
can within
identification
code
thoseconfigured
owner
have. personal
of
has
bethe
to
at
The ontherun
all
to
the
cloud
code,
computing,
and
that it
duties.
aIt ishas
deliverables,
to
do
for
attacker
useful parallel
data.
is same
notinformation
moving
final
per
with
data
and
the
collected
TheaofThe
tool virtual
cloud
auser
thus
authority
the
classification.
application
although
attempts
regulatoryspecific
data between
cloud
when ability
would
have
which
andenvironment.
machine,
as
owner itindividual.
service
the
turned
usedto and
much
of
relates
need
can
frameworkdeployments
insystems
cloud
is
read, responsibility
Inbe
and
more
to
most
providers.
responsible
provider
over, to
textual
conjunction While
be
provider
alter, or
with in
oris
responsible
especially
for
influence
Anonymization
Broad
the
reports,
possession
healthcare
regulatory
applications
it
over
A
in isthe
redirect
D.
has incorrect
compliance
with establishing
individual
certainly
data
Auditors
staffing
othersame
network
the ifsystems,
and for
the
presentations,
policies
andenvironment
to
would
tools the
data input
because
or the
the
data
reuse
requirements.
to access
health
is
maintain aggregate
driving
(foroften
and
flows patching
notriskiscomponents
into
the sensitive,
decisions
staffing
refers
access,
records,
be
digital or
inmanagement
inclusion
reason
the afor
even
included and
totals
to
the
manner
signing the
comes
and
environment,the maintenance
in
formatted
why purposes
ofand
will
data
or general
ability
has
andPIIthe
that approach
code
in
tie policies
steward
will
nomany
considered need
into
the to
specifically
to
bearing
ofitparties
have
nonrepudiation,
due isdifferent
access
make
theof to
testing
for
to not
than
is the data
automatic
cost
balancing
the
duringon acloud
any
development
are
self-service virtual
required
new security
other
position
for
structure
financial
forms,
unaware
the
forimport machines
features
resources element
model
ramifications
resource and
officially
with
institutions
collection
example), for
into
itsimpler,
provisioning, orthe
is access
many and
affords.
andallocations
software
patches.
happening
of
theofsystems
cloud on the
moreinthe
at all.
It
from
applications
of
D
granular
different
requirements
D.
associated
eDiscovery.
conjunction
used
customer. anywhere
classification
is
designated
B
and
A is aThe
differs
staffing preregistered
necessary,
incorrect
protection in requirement
continue isand
from parties forefficient,
frameworks
conjunction
Memory
not forwith
thatfor
level
because
sandboxing
against toneededand
tracking.
involved.
directly
use an device,
management
concept
of analysis
over
canapplication
with
the
the PCI
and
an
unauthorized
as This
running
carrying
also
FedRAMP data
the which
DSS
Within
less
organization
itselfphase
be
transmissions
because
additional public
also
isandor
on
obfuscation
and costly.
would
aaccess
changed
out
doesisitcloud
financial
includes
asystem.
is internet,
them.
the then
those
does where
not
virtual It be
regulatory computing,
does
necessary
would
as to something
who
While
industry
matching
after
play
or
notduties.
norma
datatherather
machines not
tokenization
have
into
the
require isspecific
should
have
auditors
this
security
The
framework
its than
regulation
provisioning
the
very although
inspecific
data
distinct
primary
are anything
toreceive
hardware
their
through
little
of will
the
controls
owner
brought that the
possession.
play
as
the
tocloud
organizational
sensitive
say, details
systemsconfigurations
intended theorrestricted
itthat
is and
online do
reports
aresponsible
pertains
role
with
possibly
United
or software
provider
fields
of orlater
must
use inbe
as
and
new the
a way
network
have
end.
Because
to
used
regulatory
implementations
for
has
even
segregated
in
platforms
D
C isany
policies
services
A.
States
focus. organizations
establishing
Thestaffing
In
on
been
no of
new
incorrectmost
Safe
With it.
say,
ortunnels
removing
federal with
requirements
updated
design
networks
toin
provisioned;
regulatory
Harbor
the instances,
maintain
becausewhich
how
the
government
usethat
orlikeor
the
specific
risk
by
amodification
accept
to
this.
the
public
this aindirect
even
management
the
function,
requirements.
although
regulations
of simple
software
modern orprogrammers
physical
their
isusesenvironment,
allcredit
cloud
if handled
they
identifiers
stopping
toenforcement.
were
and and
by
operates
card
compression
is one are
networks.
assess
strongensuring
approach
can
developed done
payments
will
ofthroughand
to
the due
be
and work
or
ensure
focused
starting
for
three
may
encryption compliance
to
functions.
to
and
certify regulatory
self-service
are
automated
befrom
data
cloudthe decided,
of
purely
used
implemented
cloud security
the
data
thePublic
with
service
techniques, whenmajor
reasons,
virtual
at
sets
provisioning,
along
processes.
services the
regulation
and
clouds
cannot
credit
preserving
capabilities.
bymachine
application
along access
forwith
unless
the typically
theirnetwork
withbe
the
andinthe
and
use
the
Software
submitting
C
mapped
instance.
auditors
the
providers.
conjunction
staffing
offer
level.
policy,
specific
A.
B
by isDynamic
proper incorrect
device
Department free
Itthey
federal takesas
functionality
isback
are
protection evidence
Memory
services
not awith
Itwould because
Service
optimization
would
is
tied
agencies.
of successfully
needed
focused directly
management
have
Commerce to
is
not
of pursuant
isas
part
Asand
the the
adevelopment
keys, be
to
on one
reservation
part additional
is data
public
to
of
features
be
involved
creator
security
through
the
the
the
data
to of to
the
processor
preregistered
serve
FedRAMP,the
continual
and
regulators,
at
resource
can ofmain
large,
that order,
requirements
at
anyvirtual
then
isdata
as an
easily theare cloud
means.
anot or is
early
waymatching
and
pooling
can
there
and the
itto
minimum
machines is
expected.
with
the
offer
part service
one
not
automatic
definitely
stage
reports
efficiently
of the
services
bridge
is and
and
athis
the asystem
who
at requirement
amount
are categories,
records
This
isall.
to
will
certification actually
have
shared
process
brought
services
the beto
the
will
Thefirst
gapto
any
ofan
retention uses
and
organizational
then
receive
role
rendered
fromamong
resources
go
betweencustomer
impact
within
online
process element
to
of
be one
an
a cloudthe
used
the
afor
on
or
the where
data
auditor
cloud
for text
that
newand
the
those
lowis
management
code,
types
services
is
during
the
willto
within
privacy
tenants validate
classification
guaranteed
policies
willing
far cloud
have
environment
B. Object
fewer
provider,
and
inaccessible of
this
the
an
to
moderate provisioned;
transactions
laws
or
of noalso
design
application
provider
storage
pay.
resources
northe
regulatory
to for
bearing
of configurations,
level
of
is aisthe
With
cloud
systems,areview
phase
itshifting
cloud
is robust
is
ofUnited
included on
athe
to specifically,
this
responsible
or
environment.
it.
type for
and
the
requirements.
customer
set For
largeis
security
service.
resources
as up
ofall
the
Statespolicies,
will
overall
inexample,
well IaaS
the handled
number
and programmers
as As then
for
and
withinsystem
use
costs process
the
storage
and
high ifand
thedoes
be
the
than
of through
consumer
virtual
the
the
from
systems made
because
practices
not
infrastructure
European
of
customers
where toapply
sandboxing.
creator
environment.
the known
automated
plan
eDiscovery.
machines
of cloudof
filesitof
against
or
2016, would
to
Union.
the the
andto
dataup
freepersonal
the
actual
data,
between
provider
to A the
negate
processes.
aregulators.
through
The
objects
is
servicesthe
reservation
meet regulations
coding
data
European
doctor’s
for someone
data
physical
are the
offered,
requirements
cloud or and
fully
processor
physically
office,
willthe
Unionthey
hosts it is
from
financial
typically
C
B
not
A
are
methodology
has
and
stored
functional
D is designed
does
[Link]
possible
very
the
resources
getting
not on
auditing.
virtually nature
guarantee
strong
sector
aapplication.
separate
for
Development
play ato
because
to
atonewof
in
privacy
unbreakable.
One comply
adevelop
role ensure
public
the
general.
device
to
aspectinsystem
data
adevelopment
the
sandboxing
storage
laws
with,
cloud
cloud
athe
confidentiality
granting
The
would of classification
data
proper
and
is enforced
cloudand
application
healthcare
and
FedRAMPcustomer
be to
isthen
processor
also
data are
take
balance
to
donegoes
customer trying
isestablish
referenced
part
at
into
access
maynot of
far
isunderthat
related,
aaround
isof
that the
is
part
high
to
oraccount
beyond
the
may
ormaintained.
the
they
use
may
itadata,
its of
level,
one
gap
policy
was pooled
to
by
then
have
ownitthe
will
not isolating
meet
to
individual
adesigned
as
analysis
who while
key
services
have
the
access
well
enforcement.
contract,
limited
be resources
This
aactually
the
or
dataas
the
token
applications
between
factorthe
design
ensures
demands
the
from
will
United
minimum
system.
uses
configuration
for or reports
with
use of
value.
automatically
possiblyaby acloud
the
that
the
States
cloud
from
anyfor
Itdesired
data
adiffers
even
or
default
eDiscovery,
D
infrastructure,
produced,
assume
required
within
provider,
customers
testing.
and
requirements.
single
from
under
federal
A
does actual
traditional
is incorrect
not physical
ansettings
With
certain
resources
nor
contracts
have ordepending
application
is
state asandboxing,
is
forkey
ahost
and
because itto
data
storage
of leverage
customers
that included
specificconsideration
the
it
necessary
or on
classification
shares
or the
asystem
incorporate
encryption term
the
service.
subset
asyou
privacy itbut
in to
similar
does
the
tonature
are
or otherwise
data
expect
ofAs
power
lawof
costs controller
application,
physical
the of
requirements.
setting
isnot
the
an
qualities
not
at any
contain
costsaudit
from
consumer
theon the up
focused is
ofdata
responsible
reasonable
hosts
and scope.
the
to
totally
federal not
the iscloud
any requested
operate
memory
on synonymous
does
to
of
cloudorganizational
Under
separate
level. be
the not for
likeliness
integrity,provider
involved
their
and
data,
become
hosting
The mostand
importing
CPU with
services
and
EUorthe the
for
of
regulatory
with
distinct
as
or
data
services
useful their
regulations data
maxed
cloudtypes
far or
hierarchical
within
design
processor
toas owner;
loading
demands
as of
virtual
out
ease
protect
[Link]
or
systems,
services.
development
A
ofisin
applicable
systems
they
prohibit
environment.
does
being
machines,
on have
capabilities;
However,
agency
it, incorrect
changes
resources
not
any [Link]
the
involved.
itthe
playdata
and
reasonable aclassification
Public
and because
decisions.
same
instead,
wouldand and
aReservations
inmodifications
role
provider most
thus
clouds
notthen
duties
in
[Link]
everything
granting
impact
cases
be hadarearequirement-gathering
forofand
also the
be
user
intended
network
Encryption
direct
been after isdata
done
responsibilities
otherdata
offer account
stored
initial will
under
customers
access
certified,
part insurance
isolation
tois serve
of builds.
indirectly
focused
the a its
management
or flat
removing policy
mass
as
or
metered own
againstphase
tiepopulations
Depending
system
well.
virtual
solely contract,
into
enforcement.
the ismachines
Althoughwhere
ontype
denial-of-service
services
on the
with
needthe aor the
for the
possibly
token and
sandboxing
and on
cloud
confidentiality
from each mandatory
to
the orscope
the dokey
agencyeven
(DoS)
service
same
cloud soas of
Questions, answer options and correct responses (the trailing digits in the source list the correct response first, followed by the remaining option numbers).

1. When an audit plan is being prepared, four distinct steps are done in sequence. Which of the following is the second step, after defining objectives?
   Options: 1) Define scope  2) Conduct audit  3) Identify stakeholders  4) Gather documentation
   Correct response: 1

2. Which of the following technology concepts is listed specifically as its own domain as part of ISO/IEC 27001:2013?
   Options: 1) Firewalls  2) IPS  3) Honeypots  4) Cryptography
   Correct response: 4

3. What are the two main types of APIs used with cloud-based systems and applications?
   Options: 1) REST and SOAP  2) XML and SOAP  3) REST and XML  4) REST and HTTPS
   Correct response: 1

4. You have been tasked by management to offload processing and validation of incoming encoded data from your application servers. Which of the following would be the most appropriate device or software to consider?
   Options: 1) XML accelerator  2) XML firewall  3) Web application firewall  4) Firewall
   Correct response: 1

5. What is used with a single sign-on system for authentication after the identity provider has successfully authenticated the user?
   Options: 1) Token  2) Key  3) XML  4) SAML
   Correct response: 1

6. Which document will enforce uptime and availability requirements between the cloud customer and the cloud provider?
   Options: 1) Contract  2) Operational level agreement  3) Service level agreement  4) Regulation
   Correct response: 3

7. Which of the following concepts makes repeated audits and verification much more difficult in a cloud environment versus a traditional data center?
   Options: 1) Multitenancy  2) Resource pooling  3) Elasticity  4) Virtualization
   Correct response: 4

8. The security principle of the SOC 2 reports consists of seven categories. Which of the following is NOT one of the seven categories?
   Options: 1) Monitoring  2) Legal  3) Change management  4) System operations
   Correct response: 2

9. Which privacy standard was developed as a joint effort between AICPA and the CICA?
   Options: 1) GLBA  2) HIPAA  3) GAPP  4) ISO/IEC 27001
   Correct response: 3

10. Which cross-cutting aspect relates to the ability for a cloud customer to remove their data and systems from a cloud provider and be afforded assurances that it has been securely removed?
   Options: 1) Portability  2) Reversibility  3) Sanitation  4) Wiping
   Correct response: 2

11. Which protocol is the current default and industry standard for encrypting traffic across a network?
   Options: 1) TLS  2) SSL  3) IPsec  4) DNSSEC
   Correct response: 1

12. Which concept is used within a cloud environment to segregate and isolate network segments from other systems or applications?
   Options: 1) Subnets  2) VLANs  3) Gateways  4) IPsec
   Correct response: 2

13. Which jurisdiction, through Directive 95/46, enacted in 1995, declared data privacy to be a human right?
   Options: 1) United States  2) European Union  3) Russia  4) Japan
   Correct response: 2

14. What type of encryption allows for the manipulation of encrypted data without having to first unencrypt it?
   Options: 1) Homomorphic  2) Symmetric  3) Asymmetric  4) Public key
   Correct response: 1

15. Which of the following threat models includes discoverability as a key component and concern?
   Options: 1) DREAD  2) SOX  3) STRIDE  4) CSA Treacherous 12
   Correct response: 1

16. From a legal perspective, data that is covered under eDiscovery falls into three different categories. Which of the following is NOT one of the three?
   Options: 1) Possession  2) Shared  3) Control  4) Custody
   Correct response: 2

17. Which of the following would be covered by an external audit and NOT by an internal audit?
   Options: 1) Security  2) Costs  3) Operating efficiency  4) System design
   Correct response: 1

18. What is the most prevalent communications protocol for network-based storage solutions within a data center?
   Options: 1) iSCSI  2) TCP  3) TLS  4) NetBIOS
   Correct response: 1

19. Which of the following security responsibilities is always solely under the cloud provider?
   Options: 1) Infrastructure  2) Data  3) Physical  4) Application
   Correct response: 3

20. Your organization has made it a top priority that any cloud environment being considered to host production systems have guarantees that resources will always be available for allocation when needed. Which of the following concepts provides this guarantee?
   Options: 1) Limits  2) Shares  3) Resource pooling  4) Reservations
   Correct response: 4

21. Which is the most commonly used standard for information exchange within a federated identity system?
   Options: 1) OAuth  2) OpenID  3) SAML  4) WS-Federation
   Correct response: 3

22. Which of the following common threats involves an organization not placing sufficient controls and oversight on their systems and data protection?
   Options: 1) Data loss  2) System vulnerabilities  3) Insufficient due diligence  4) Advanced persistent threats
   Correct response: 3

23. Which of the following groups would NOT be appropriate to share a SOC 1 report with?
   Options: 1) Regulators  2) Potential customers  3) Current customers  4) Management
   Correct response: 2

24. With data in transit, which of the following will be the MOST important concept in order for a DLP solution to properly work?
   Options: 1) Scalability  2) Encryption  3) Redundancy  4) Integrity
   Correct response: 2

25. Which of the following, if required by regulation, is something that must be addressed by a contract versus an SLA?
   Options: 1) Certifications  2) Availability  3) Incident management  4) Elasticity
   Correct response: 1

26. Which of the following aspects of the physical environment is considered an external redundancy issue?
   Options: 1) Generators  2) Cooling chillers  3) Power distribution units  4) Storage
   Correct response: 1

27. Which of the following methods is often used to obscure data from production systems for use in test or development environments?
   Options: 1) Tokenization  2) Encryption  3) Masking  4) Classification
   Correct response: 3

28. As part of an audit, systems and processes are tested to evaluate whether they are in compliance with regulatory or organizational policy requirements. What is this called?
   Options: 1) Audit findings  2) Gap analysis  3) Audit deficiency  4) Compliance analysis
   Correct response: 2

29. In a cloud environment, apart from confidentiality, what is the MOST important of the key aspects of security?
   Options: 1) Integrity  2) Nonrepudiation  3) Availability  4) Archiving
   Correct response: 3

30. Which of the following top security threats involves attempting to send invalid … (question text cut off in the source)
   Options: 1) Cross-site scripting  2) Injection  3) Insecure direct object …  4) Cross-site …
   Correct response: 2

(The options of a further question are cut off in the source: Integrity, Confidentiality, …)
Availability request
Privacy 1 2 3 4
factor
is the official
commands
concerned to consider
with
toterm with
anensuring
applicationa key
for determining management
information
in an attempt
anyand y references forgery
discrepancies
to
datagetisthe
system? in itsapplication
intended
betweento format
the execute
realand and has not
desired
the
been code?
altered?
states?
A. After the objectives within an audit have been defined, the defining of the scope is the next step. This involves the specifics of what is to be tested as well as all the details about how and when it will be tested. B is incorrect because conducting the audit occurs after both the scope and objectives have been defined, and the objectives will serve as the roadmap for the actual audit. C is incorrect because the identification of stakeholders will be done as part of defining objectives, and will then be refined during the defining of the scope. D is incorrect because although the gathering of documentation is a step that can assist with defining the objectives and defining the scope, it is not one of the main steps.

D. Cryptography as an overall concept is a specific domain of ISO/IEC 27001:2013, which covers all of the various aspects and methods where cryptography is used within IT services and operations. A is incorrect because firewalls are covered under the network domains and are not a specific domain themselves. B is incorrect because IPS is likewise not covered under a specific domain. C is incorrect because a honeypot is a mechanism for capturing and analyzing attack attempts against servers and applications that uses similar-looking fake systems to entice attackers; it is not a domain of the standard.

A. Representational State Transfer (REST) and Simple Object Access Protocol (SOAP) are the two main types of APIs used within cloud-based systems. SOAP is focused on providing a structured information exchange for web services, and REST is a protocol for using HTTP requests to access and manipulate specific data. B is incorrect because although SOAP is one of the two main methods, XML is a protocol for encoding and representing data, and is not one of the two main API types. C is incorrect because although REST is one of the two main methods, HTTPS is a protocol for secure communication and is not an API type. D is incorrect because XML is a standard for encoding and representing data and is not one of the two main API types for cloud-based systems.

A. An XML accelerator is designed to sit in front of application servers or services for the purpose of offloading the processing and validation of incoming XML. They are highly scaled and tuned appliances that handle their specific purpose and allow the backend servers to focus on business logic rather than the processing and validating of incoming XML data. B is incorrect because an XML firewall is designed to protect systems by scanning incoming XML and API traffic, but it does not provide the processing capabilities of an accelerator. C is incorrect because a web application firewall is designed to inspect web traffic directed toward an application and relies on signatures or policies to detect exploit attempts and other threats. D is incorrect because a firewall is a general-purpose network appliance and does not provide the specialized XML processing of an accelerator.

A. With a single sign-on system, once the user has successfully authenticated, they are issued an opaque token that can then be used to access systems that are part of the federation. Each system can validate the token back to the identity provider to ensure that it is current and that the user is still authorized for the specific application.

C. The SLA will determine the requirements and expectations for specific factors such as uptime and availability within a cloud environment that are expected to be met by the cloud provider. This will be done on a percentage basis, representing how much unscheduled or unplanned downtime is allowable within a specified period of time for the specific application. A is incorrect because the contract is a high-level formal agreement between the cloud provider and the cloud customer that addresses factors such as price, but it does not specify the operational details that the SLA covers.

D. Virtualization makes repeated audits and verifications difficult within a cloud environment because the images are reimaged and changed often as patches or other changes come out, so it is almost impossible to ensure that the system being tested is the same as the previous one. This differs from a traditional data center, where the physical assets and their configurations are maintained over time.

B. SOC 2 reports do not contain legal compliance controls as a factor, because legal compliance requirements can differ greatly from one jurisdiction to another.

C. The Generally Accepted Privacy Principles (GAPP) was established by a joint effort between the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It serves to assist organizations with developing and maintaining privacy programs that address regulatory requirements. A is incorrect because the Gramm–Leach–Bliley Act (GLBA) was established by the United States federal government to deal with financial organizations and the protection of private financial data. B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) was established by the United States government and pertains to healthcare and the protection of health records. D is incorrect because the ISO/IEC 27001 standards were established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and are widely used for security certification programs.

B. Reversibility refers to the ability for a cloud customer to withdraw their data, applications, and configurations from a cloud environment quickly and efficiently. The cloud provider must also provide assurances that the applications and data have been completely removed and securely deleted from the cloud environment. A is incorrect because portability refers to the ability to move data and systems between cloud providers; it is purely focused on the ability to migrate and does not include the removal of data. C is incorrect because sanitation refers to securely wiping storage devices, which a cloud customer cannot do directly since the devices are not attached to a physical server under their control. D is incorrect because wiping is a specific method of sanitation, not the overall concept.

A. Transport Layer Security (TLS) is the standard protocol used for encrypting and sending data over a network session between two parties. It has replaced SSL, which is no longer considered secure enough for general usage, and TLS supports much stronger and more robust cutting-edge ciphers. B is incorrect because SSL was the predecessor to TLS and has been replaced, as it is no longer considered secure. C is incorrect because IPsec is used for encrypted point-to-point communications between two hosts and is not the default standard for general network traffic. D is incorrect because DNSSEC is a set of security extensions to DNS that digitally signs each DNS resolution so that it can be verified back to the issuer, preventing spoofing attacks; it does not encrypt traffic.

B. Because cloud environments do not have physically separate networks as a traditional data center would, VLANs are used within a cloud environment to keep systems isolated from others; this effectively provides the same logical separation that physical separation provides in a traditional data center. A is incorrect because subnets break up larger networks into logical sections for IP addressing, but do not provide the same separation between hosts. C is incorrect because gateways are central points that pass packets between networks based on IP address, and they do not play a role in segregation. D is incorrect because IPsec is used to encrypt traffic between two hosts and does not perform segregation.

B. The European Union issued Directive 95/46, which established data privacy as a human right. Following this directive, Europe has the strictest privacy controls in the world. A is incorrect because the United States does not currently have a federal-level privacy policy. C is incorrect because Russia did not issue Directive 95/46; Russia has its own laws that require data on Russian citizens to be housed on servers in the Russian Federation. D is incorrect because Japan did not issue Directive 95/46.

A. Homomorphic encryption is a new type of encryption that allows for the manipulation of encrypted data without having to first unencrypt it. B is incorrect because symmetric encryption uses the same key for both encrypting and decrypting data. C is incorrect because asymmetric encryption uses a public and private key pair. D is incorrect because public key encryption is another term for asymmetric encryption.

A. The DREAD threat model includes discoverability as the D in its acronym. B is incorrect because the Sarbanes–Oxley Act (SOX) is a law that pertains to the financial records, retention, and transactions of companies and is not a threat model. C is incorrect because the STRIDE threat model, which stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege, does not include discoverability. D is incorrect because the Cloud Security Alliance (CSA) Treacherous 12 is a framework of the top threat classes within cloud computing, not a threat model.

B. From a legal perspective, eDiscovery applies to data that is under the possession, custody, or control of an organization; "shared" is not one of the three categories. A, C, and D are incorrect because possession, control, and custody are the three categories.

A. Security controls are a crucial component of an external audit, which is focused on security and regulatory compliance. B, C, and D are incorrect because costs, operating efficiency, and system design are the focus of internal audits and are not covered by an external audit.

A. iSCSI is a protocol that sits on top of the TCP stack and enables the sending of SCSI commands over a network. It is the most prevalent communications protocol used for network-based storage within a data center. B is incorrect because TCP is the underlying protocol that iSCSI uses and is not specific to storage. C is incorrect because TLS is used to encrypt traffic and is not a storage protocol. D is incorrect because NetBIOS is not used for network-based storage.

C. Regardless of the cloud service category employed (IaaS, PaaS, or SaaS), the physical environment is always solely the responsibility of the cloud provider. Even with IaaS, where the customer is responsible for its virtual machines, the customer does not know or have direct access to the physical hosts on which its systems reside. A, B, and D are incorrect because responsibility for infrastructure, data, and applications is shared with or falls on the customer depending on the service category.

D. A reservation is a set-aside, guaranteed minimum amount of resources that will always be available for a cloud customer to use. A is incorrect because limits are the upper boundaries on the resources a customer can consume. B is incorrect because shares are used for prioritizing the allocation of resources, based on weighting, when there is excess demand. C is incorrect because resource pooling refers to the aggregation of resources into a shared pool for allocation to customers.

C. The Security Assertion Markup Language (SAML) is the most widely used standard for exchanging authentication and authorization information within a federated identity system. A is incorrect because OAuth is an authorization standard, used by providers such as Google or Facebook, that allows a user to authenticate to an application without exposing their login credentials to it. B is incorrect because OpenID is similar to OAuth and allows a user to use one account to log in to many systems. D is incorrect because WS-Federation is not the most commonly used standard.

C. Insufficient due diligence refers to the situation where an organization does not properly evaluate, plan, design, and operate its systems, or does not properly evaluate a cloud provider and its policies and procedures, before placing systems in the cloud. A is incorrect because data loss occurs when data is corrupted or deleted, either intentionally by malicious actors or insiders or through inadequate security controls. B is incorrect because system vulnerabilities are exploitable weaknesses in the systems themselves; with multitenancy, where multiple customers' systems are hosted on the same shared resources, they are a particular concern. D is incorrect because advanced persistent threats involve malicious actors gaining and maintaining access to systems over time.

B. SOC 1 reports are considered restricted-use reports, and their audience is limited to the organization's management, regulators, and current customers with whom there is a prior business relationship. Potential customers would not be an appropriate audience. A, C, and D are incorrect because regulators, current customers, and management are all within the intended audience of SOC 1 reports.

B. In order for a DLP solution to work with data in transit, encryption is the first and foremost concern, as the DLP solution can only inspect data it is able to read. The data must be available to the DLP solution before it is encrypted, or the solution must be able to unencrypt and then re-encrypt the communications. A, C, and D are incorrect because scalability, redundancy, and integrity do not play a role in whether a DLP solution can inspect data in transit.

A. Certifications, specifically those based on widely established industry standards and verified by an independent source, can be required by contractual or regulatory requirements, and they are one of the main concepts a cloud customer relies on to ensure that the provider applies the required controls. B and C are incorrect because availability and incident management are operational matters addressed through the SLA. D is incorrect because elasticity refers to the ability of a system to automatically scale up or down to meet current demands.

A. Generators are considered an external redundancy issue, as they are concerned with power before it reaches the data center's internal distribution. B, C, and D are incorrect because cooling chillers, power distribution units, and storage systems are internal redundancy concerns within the data center.

C. Masking involves replacing sensitive data fields with opaque or randomized values. A is incorrect because tokenization involves replacing sensitive data fields with tokens and creating a map back to the original values, so the original data can be retrieved. B is incorrect because encryption requires keys and the data can be unencrypted. D is incorrect because classification is related to labeling data and does not obscure it.

B. A gap analysis is an official report that gives the differences and inconsistencies found between the desired state and the actual state. A is incorrect because audit findings are the specific issues identified during an audit. C is incorrect because an audit deficiency is a specific finding, not the overall comparison. D is incorrect because compliance analysis is not the official term used.

C. Cloud-based environments and the applications within them are heavily dependent on the key management system, so its availability is crucial: if the key management system becomes unavailable, the applications and data that rely on it become unavailable as well. A, B, and D are incorrect because integrity, nonrepudiation, and archiving, while relevant, are not the most important factor for a key management system.

B. Injection involves sending invalid commands through input fields in an attempt to get the application to execute the code. A is incorrect because cross-site scripting involves injecting script into pages viewed by other users. C is incorrect because insecure direct object references involve bypassing authorization by manipulating references to objects. D is incorrect because cross-site request forgery tricks a user's browser into sending requests the user did not intend.

A. Integrity is concerned with ensuring that data is in its intended format and has not been altered, whether through malicious actions or unauthorized changes. B is incorrect because confidentiality is concerned with ensuring data is only exposed to those authorized to see it. C is incorrect because availability is concerned with ensuring data is accessible when needed. D is incorrect because privacy is concerned with the protection of personal information.
Which of the following has user training as a primary means of combating and mitigating its success against a cloud application?
  1. Data breaches | 2. Account hijacking | 3. Advanced persistent threats | 4. Malicious insiders — Correct response: 3

You have been tasked with developing a list of requirements for cabling design in a new data center, as well as ensuring that any designs developed by the networking team meet standards. Which standard should you consult?
  1. IDCA | 2. BICSI | 3. Uptime Institute | 4. NFPA — Correct response: 2

Which network protocol is essential for allowing automation and orchestration within a cloud environment?
  1. DNSSEC | 2. DHCP | 3. IPsec | 4. VLANs — Correct response: 2

Which of the following tools has the ability to analyze incoming traffic for patterns and content and take appropriate actions based on them before the traffic reaches the actual applications?
  1. XML accelerator | 2. XML firewall | 3. Web application firewall | 4. Firewall — Correct response: 3

The ISO/IEC 27018 standard focuses on privacy in cloud computing and consists of five main principles. Which of the following is NOT one of the principles established in the standard?
  1. Communication | 2. Consent | 3. Yearly audit | 4. Penalties for privacy violations — Correct response: 4

Which of the following concepts of cloud computing necessitates the separation of systems that would normally be done by physical separation in a traditional data center?
  1. Resource pooling | 2. Multitenancy | 3. Elasticity | 4. Measured service — Correct response: 2

Which common threat is mitigated by the use of DNSSEC?
  1. Spoofing | 2. Snooping | 3. XSS | 4. DDoS — Correct response: 1

1. What type of solutions enable enterprises or individuals to store their data and computer files on the Internet using a storage service provider rather than storing the data locally on a hard disk, such as a hard drive or tape backup? (multiple-choice)
Option 1: Online backups
Option 2: Cloud backup solutions
Option 3: Removable hard drives
Option 4: Masking
Correct response: 2

2. When using an Infrastructure as a Service (IaaS) solution, what is the key benefit for the customer? (multiple-choice)
Option 1: Scalability
Option 2: Metered service
Option 3: Energy and cooling efficiencies
Option 4: Transfer of ownership cost
Correct response: 4

3. What focuses on security and encryption to prevent the unauthorized copying and limitations on distribution to only those who pay? (multiple-choice)
Option 1: Digital rights management (DRM)
Option 2: Enterprise digital rights management
Option 3: Bit splitting
Option 4: Degaussing
Correct response: 1

4. Which of the following represents the correct set of four cloud deployment models? (multiple-choice)
Option 1: Public, Joint, Hybrid, and Community
Option 2: Public, Private, Hybrid, and Community
Option 3: Public, Private, Internet, and Community
Option 4: External, Private, Hybrid, and Community
Correct response: 2

5. What is a special mathematical code that allows encryption hardware/software to encode and then decipher an encrypted message called? (multiple-choice)
Option 1: PKI
Option 2: Encryption key
Option 3: Public key
Option 4: Masking
Correct response: 2

6. Which of the following lists the correct six components of the STRIDE threat model? (multiple-choice)
Option 1: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
Option 2: Spoofing, Tampering, Nonrepudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
Option 3: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Social Engineering
Correct response: 1

7. What is the term for the assurance that a specific author actually created and sent a specific item to a specific recipient, and that the message was successfully received? (multiple-choice)
Option 1: PKI
Option 2: DLP
Option 3: Nonrepudiation
Option 4: Bit splitting
Correct response: 3

8. What is the correct term for the process of deliberately destroying the encryption keys used to encrypt the data? (multiple-choice)
Option 1: Poor key management
Option 2: Obfuscation
Option 3: Nonrepudiation
Option 4: Crypto-shredding
Correct response: 4

9. In a federated environment, who is the relying party, and what do they do? (multiple-choice)
Option 1: The relying party is the service provider and they would consume the tokens.
Option 2: The relying party is the customer and they would consume the tokens.
Option 3: The relying party is the identity provider and they would consume the tokens.
Option 4: The relying party is the service provider and they would generate the tokens.
Correct response: 1

10. What is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security? (multiple-choice)
Option 1: Randomization
Option 2: Elasticity
Option 3: Obfuscation
Option 4: Tokenization
Correct response: 4

11. Which of the following data storage types are associated with Platform as a Service (PaaS)? (multiple-choice)
Option 1: Databases and Big Data
Option 2: SaaS application
Option 3: Tabular
Option 4: Distributed and Raw
Correct response: 1

12. What is the term used for software technology that encapsulates application software from the underlying operating system on which it is executed? (multiple-choice)
Option 1: Hypervisor
Option 2: Application virtualization
Option 3: VMWare
Option 4: SaaS
Correct response: 2

13. Which of the following represents the legislation enacted to protect shareholders and the public from enterprise accounting errors and fraudulent practices? (multiple-choice)
Option 1: PCI
Option 2: Gramm-Leach-Bliley Act (GLBA)
Option 3: Sarbanes-Oxley Act (SOX)
Option 4: HIPAA
Correct response: 3

14. What is a device that can safely store and manage encryption keys and is used in servers, data transmission, and log files? (multiple-choice)
Option 1: Private key
Option 2: Hardware security module (HSM)
Option 3: Public key
Option 4: Trusted Operating System (TOS)
Correct response: 2

15. What is a type of cloud infrastructure that is provisioned for open use by the general public and is owned, managed, and operated by a business, academic, or government organization? (multiple-choice)
Option 1: Private cloud
Option 2: Public cloud
Option 3: Hybrid cloud
Option 4: Personal cloud
Correct response: 2

16. When using transparent encryption of a database, where does the encryption engine reside? (multiple-choice)
Option 1: Within the database
Option 2: At the application using the database
Option 3: On the instances attached to the volume
Option 4: In a key management system
Correct response: 1

17. What is a type of assessment that employs a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels? (multiple-choice)
Option 1: Quantitative assessment
Option 2: Qualitative assessment
Option 3: Hybrid assessment
Option 4: SOC 2
Correct response: 2

18. What best describes the Cloud Security Alliance Cloud Controls Matrix? (multiple-choice)
Option 1: A set of regulatory requirements for cloud service providers
Option 2: A set of software development life cycle requirements for cloud service providers
Option 3: A security controls framework that provides mapping/cross relationships with industry standards, laws, regulations, and controls frameworks
Option 4: An inventory of cloud service security controls that are arranged into security domains
Correct response: 3

19. When a conflict of laws occurs, which one determines the jurisdiction in which the dispute will be heard? (multiple-choice)
Option 1: Tort law
Option 2: Doctrine of Proper Law
Option 3: Common law
Option 4: Criminal law
Correct response: 2

20. Which of the following is the most important consideration when selecting a new computer facility? (multiple-choice)
Option 1: Local law enforcement response times
Option 2: Location adjacent to competitor's facilities
Option 3: Aircraft flight paths
Option 4: Utility service providers
Correct response: 4
C. Advanced persistent threats involve a malicious actor establishing a presence within a system or application, with the goal of accessing information or resources over an extended period of time while avoiding detection. Some of the primary ways of establishing a presence are through network attacks such as phishing, infected USB devices, and social engineering attempts to get users to execute code on their network presence. One of the most effective ways to combat many of these types of attacks is through user education to avoid their successful execution or entry into a system. A is incorrect because data breaches are virtually all done by attackers and require technological solutions to prevent; overall, user training will not be an effective countermeasure for data breaches, with the exception of those that occur as a result of advanced persistent threats. B is incorrect because account hijacking is where malicious actors are able to obtain credentials for access to a system; although training can be used to mitigate it, technological countermeasures such as multifactor authentication are far more effective. D is incorrect because malicious insiders, by their nature, already have legitimate access, so user training would not play a role in mitigating them.

B. The Building Industry Consulting Service International (BICSI) issues standards and certifications related to complex cabling of data systems. Some of the standards are focused on cabling setups and designs, but they also include specifications on power, energy efficiency, and hot and cold aisles within a data center. A is incorrect because the International Datacenter Authority (IDCA) establishes standards for all aspects of data center design; while it does include some guidance on cabling design as part of its Infinity Paradigm, that is just one small section of its overall guidelines and not a focus of them, whereas BICSI is far more focused and comprehensive on cabling design. C is incorrect because the Uptime Institute is focused on data center tiers and topologies; it establishes four major tiers, each tier building on and more redundant than the previous tier, and it focuses on the redundancy and reliability of data center operations. D is incorrect because the National Fire Protection Association (NFPA) guidelines are focused on fire protection equipment and the electrical wiring of a building or facility, as well as emergency procedures.

D. ISO/IEC standards are general in nature, are based on IT best practices, and are intended to be used for a variety of diverse systems; they do not provide specific guidance on data center design.

B. The Dynamic Host Configuration Protocol (DHCP) is designed to automatically provide an IP address and other network information to hosts on a network, and it gives centralized management of host configuration. With DHCP, it would be trivial for new hosts to be enabled and for hosts to be moved between physical hardware. A is incorrect because DNS is the lookup and resolution process for hosts, not a means of providing them with IP addresses. C is incorrect because IPsec is a protocol that works along with IP to encrypt each packet of a session and is used for point-to-point communications.

C. A web application firewall (WAF) is typically an appliance that inspects HTTP traffic before it hits an application server and has the ability to apply a set of filters and rules to the HTTP communication stream. A WAF will typically be used to detect and block XSS and injection attacks before they hit the actual application, but it also has the ability to detect and manipulate data directly within the HTTP communication stream. A WAF can also be used to block specific traffic based on originating IP address, type of request, or virtually any other aspect of the request. A is incorrect because an XML accelerator is intended to process XML traffic and packages before they reach an application server; this allows a highly optimized appliance to offload a substantial amount of processing from the application servers and allows for faster and more efficient processing of requests. B is incorrect because an XML firewall serves the purpose of inspecting incoming XML traffic and applying security policies to it. D is incorrect because firewalls apply security rules to packets based on ports, protocols, and IP source and destinations; they are not capable of inspecting packets at the application layer.

Firewalls and VLANs are crucial to network security, but encryption such as TLS or IPsec would need to be leveraged to provide confidentiality and prevent the snooping of communications and data transfers, keeping prying eyes off of sensitive information.

B. Multitenancy is the concept of having multiple customers sharing the same physical infrastructure and systems. With a traditional data center model, the different customers would all use their own dedicated hardware, typically within their own cages with separate networking and cabling as well. With a cloud environment, where systems auto-scale dynamically and are moved around constantly, the static method of physical separation would never work, thus requiring the use of logical segregation. A is incorrect because elasticity refers to the ability of a system to scale up or down based on current demands. C is incorrect because resource pooling does not deal with the segregation or isolation of resources. D is incorrect because VLANs are virtual network segments used to isolate devices across multiple geographical boundaries; they are one mechanism used within a cloud environment, not the concept being described.

A. DNSSEC is explicitly designed to prove the validity and authenticity of DNS lookups from their authoritative host. It is intended to eliminate the possibility of rogue DNS servers intercepting lookup requests from clients and inserting incorrect IP address resolutions in an attempt to direct traffic away from the legitimate destination. DNSSEC works by applying digital keys to each authoritative DNS host and then signing resolution requests when sending them back to the requestor. With the ability to authenticate back to the authoritative host, trust is established with DNS resolutions and the integrity and proper authority of DNS is ensured. B is incorrect because DNSSEC ensures only the integrity of DNS resolutions; it does not offer confidentiality. C is incorrect because cross-site scripting is a potential application vulnerability; DNSSEC would not be a factor or tool used to mitigate or prevent it. D is incorrect because distributed denial-of-service (DDoS) attacks are threats to a system or application in the area of availability; DNSSEC is intended to mitigate against integrity attacks and threats, so it would be of no use in the mitigation against a DDoS attack.

Regulatory or organizational policies and requirements do not by themselves articulate potential penalties. In the event of a privacy policy violation, penalties can be either civil or criminal, and they differ widely from jurisdiction to jurisdiction, so the applicable regulations in each specific jurisdiction must be consulted to ensure that potential penalties are covered.

Cloud backup solutions enable enterprises to store their data and computer files on the Internet using a storage service rather than storing the data locally on a hard disk, such as a hard drive or tape backup. Online backups and removable hard drives are other options, but they do not provide the benefit of a cloud computing environment.

The primary benefit to the customer of using Infrastructure as a Service (IaaS) is the transfer of the cost of ownership: the customer pays only for those services and resources they use. While scalability, metered service, and energy and cooling efficiencies are also benefits, they are not the primary one.

Digital rights management (DRM) is designed to focus on security and encryption to prevent unauthorized copying and limitations on distribution to only those who pay; access to content is provided only to authorized users (purchasers). Information rights management (IRM) is a subset of DRM and typically refers to business-to-business use. Bit splitting and degaussing are not rights-management technologies; degaussing is a method of permanently deleting data from magnetic media.

The correct answer is Public, Private, Hybrid, and Community. Joint, Internet, and External are not cloud deployment models.

An encryption key is the special mathematical code that allows encryption hardware or software to encode and decode a message. PKI and public keys relate to the management and distribution of keys, and masking is a way of concealing data rather than a mathematical code.

The letters in the STRIDE threat model represent Spoofing of identity, Tampering with data, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

Nonrepudiation means that a mathematical code has been applied that ensures the author of a message cannot refute or repudiate that he or she created and sent it, and that the receiver cannot deny what was received.

Crypto-shredding is the act of deliberately destroying the encryption keys that were used to encrypt the data; once the keys are destroyed, the data is forever unrecoverable.

The relying party (RP) is the service provider; it consumes the tokens generated by the identity provider.

Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. Randomization and obfuscation are also means of concealing information, but they are done quite differently. Elasticity refers to the ability of a system to scale up or down based on demand.

Databases and Big Data are the data storage types associated with PaaS.

Application virtualization encapsulates application software from the underlying operating system on which it is executed.

The Sarbanes-Oxley Act (SOX) was enacted in response to the accounting scandal that caused the demise of Enron. At that time, top executives laid claim that they were unaware of the accounting practices that led to the company's demise. SOX not only forces executives to oversee all accounting practices, but holds them accountable for them.

A hardware security module (HSM) is a device that can safely store and manage encryption keys and is used in servers, data transmission, and log files. A Trusted Platform Module (TPM) is a similar device but is found on enterprise workstations or laptops. Private and public keys are the keys themselves, not a device that stores them.

A public cloud is cloud infrastructure provisioned for open use by the general public; it may be owned, managed, and operated by a business, academic, or government organization.

In transparent encryption, the encryption engine resides within the database itself, and the encryption key is stored in the database boot record.

A qualitative assessment is a set of methods or rules for assessing risk based on nonmathematical categories or levels. One that uses mathematical categories or levels is called a quantitative assessment. There is no such thing as a hybrid assessment, and SOC 2 is an accounting report regarding control effectiveness.

The CCM cross-references many industry standards, laws, and guidelines.

The Doctrine of Proper Law is used when a dispute occurs over which jurisdiction will hear a case. Tort law refers to civil liability suits. Common law refers to laws regarding marriage, and criminal law refers to violations of state or federal criminal code.

Of the answers given, D is the most important. It is vital that any datacenter facility be close to sound facility resources such as power, water, and connectivity.
1. Which of the following is always safe to use in the disposal of electronic records within a cloud environment?
Option 1: Physical destruction
Option 2: Overwriting
Option 3: Encryption
Option 4: Degaussing
Correct response: 3

2. Which of the following describes a SYN flood attack?
Option 1: Rapid transmission of Internet Relay Chat (IRC) messages
Option 2: Creating a high number of partially open TCP connections
Option 3: Disabling the Domain Name Service (DNS) server
Option 4: Excessive list linking of users and files
Correct response: 2

3. Which of the following is an example of a form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere?
Option 1: Raw storage
Option 2: Flash storage
Option 3: Obfuscation archiving
Option 4: Mobile cloud storage
Correct response: 4

4. Which of the following terms best describes a distributed model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources?
Option 1: Infrastructure as a Service (IaaS)
Option 2: Public cloud
Option 3: Software as a Service (SaaS)
Option 4: Private cloud
Correct response: 3

5. Which of the following is a federal law enacted in the United States to control the way that financial institutions deal with private information of individuals?
Option 1: PCI
Option 2: ISO/IEC
Option 3: Gramm-Leach-Bliley Act (GLBA)
Option 4: Consumer Protection Act
Correct response: 3

6. The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions that exist:
Option 1: Between the WAP gateway and the wireless endpoint device
Option 2: Between the web server and the WAP gateway
Option 3: From the web server to the wireless endpoint device
Option 4: Between the wireless device and the base station
Correct response: 3

7. What is an accounting report on controls at a service organization that replaces older SAS70 type reports?
Option 1: SOC 1
Option 2: SSAE16
Option 3: GAAP
Option 4: SOC 2
Correct response: 1

8. What is a company that purchases hosting services from a cloud server hosting or cloud computing provider and then resells to its own customers?
Option 1: Cloud broker
Option 2: Cloud reseller
Option 3: Cloud proxy
Option 4: VAR
Correct response: 2

9. What type of computing is comparable to grid computing in that it relies on sharing resources rather than having local servers or personal devices to handle applications?
Option 1: Server hosting
Option 2: Legacy computing
Option 3: Cloud computing
Option 4: Intranet computing
Correct response: 3

10. What is a set of technologies designed to analyze application source code and binaries for coding and design conditions that are indicative of security vulnerabilities?
Option 1: Dynamic application security testing (DAST)
Option 2: Static application security testing (SAST)
Option 3: Secure coding
Option 4: OWASP
Correct response: 2

11. Which of the following is not a common cloud service model?
Option 1: Software as a Service
Option 2: Programming as a Service
Option 3: Infrastructure as a Service
Option 4: Platform as a Service

12. All of these technologies have made cloud service viable except:
Option 1: Virtualization
Option 2: Widely available broadband connectivity
Option 3: Cryptographic connectivity
Option 4: Smart hubs

13. Cloud vendors are held to contractual obligations with specified metrics by:
Option 1: SLAs
Option 2: Regulations
Option 3: Law
Option 4: Discipline

14. ________ drive security decisions.
Option 1: Customer service responses
Option 2: Surveys
Option 3: Business requirements
Option 4: Public opinion

15. If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad?
Option 1: Integrity
Option 2: Authentication
Option 3: Confidentiality
Option 4: Availability

16. Cloud Access Security Brokers (CASBs) might offer all the following services EXCEPT:
Option 1: Single sign-on
Option 2: BC/DR/COOP
Option 3: IAM
Option 4: Key escrow

17. Encryption can be used in various aspects of cloud computing, including all of these except:
Option 1: Storage
Option 2: Remote access
Option 3: Secure sessions
Option 4: Magnetic swipe cards

18. All of these are reasons an organization may want to consider cloud migration except:
Option 1: Reduced personnel costs
Option 2: Elimination of risks
Option 3: Reduced operational expenses
Option 4: Increased efficiency

19. The generally accepted definition of cloud computing includes all of the following characteristics except:
Option 1: On-demand services
Option 2: Negating the need for backups
Option 3: Resource pooling
Option 4: Measured or metered service

20. All of the following can result in vendor lock-in except:
Option 1: Unfavorable contract
Option 2: Statutory compliance
Option 3: Proprietary data formats
Option 4: Insufficient bandwidth

21. The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as:
Option 1: Vendor closure
Option 2: Vendor lock-out
Option 3: Vendor lock-in
Option 4: Vending route

22. All of these are features of cloud computing except:
Option 1: Broad network access
Option 2: Reversed charging configuration
Option 3: Rapid scaling
Option 4: On-demand self-service

23. When a cloud customer uploads PII to a cloud provider, who becomes ultimately responsible for the security of that PII?
Option 1: Cloud provider
Option 2: Regulators
Option 3: Cloud customer
Option 4: The individuals who are the subjects of the PII

24. We use ________ to determine the critical paths, processes, and assets of an organization.
Option 1: Business requirements
Option 2: BIA
Option 3: RMF
Option 4: CIA triad

25. The cloud deployment model that features organizational ownership of the hardware and infrastructure, and usage only by members of that organization, is known as:
Option 1: Private
Option 2: Public
Option 3: Hybrid
Option 4: Motive

26. The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as:
Option 1: Private
Option 2: Public
Option 3: Hybrid
Option 4: Latent

27. The cloud deployment model that features joint ownership of assets among an affinity group is known as:
Option 1: Private
Option 2: Public
Option 3: Hybrid
Option 4: Community

28. If a cloud customer wants a secure, isolated sandbox in order to conduct software development and testing, which cloud service model would probably be best?
Option 1: IaaS
Option 2: PaaS
Option 3: SaaS
Option 4: Hybrid

29. If a cloud customer wants a fully-operational environment with very little maintenance or administration necessary, which cloud service model would probably be best?
Option 1: IaaS
Option 2: PaaS
Option 3: SaaS
Option 4: Hybrid

Correct Response column, as extracted, for questions 11 through 29: 2, 2, 4, 3, 2, 2, 4, 1, 1, 4, 4, 1, 2, 1, 2, 3, 2, 4, 4
Encryption can always be used in a cloud environment, but physical destruction, overwriting, and degaussing may not be available due to access and physical separation factors.

A SYN flood is where a TCP connection attempt is made and then cut short just prior to completion, thereby leaving a server waiting for a response. If enough of these connection attempts are made, a "flood" occurs, causing the end unit to consume resources to the point that either applications and/or the system itself become unavailable for use. The other options have no connection with a flood of any kind.

Mobile cloud storage is defined as a form of cloud storage that applies to storing an individual's mobile device data in the cloud and providing the individual with access to the data from anywhere.

This is the definition of the Software as a Service (SaaS) service model. Public and private cloud are deployment models, and Infrastructure as a Service (IaaS) does not provide the software applications.

The Gramm-Leach-Bliley Act targets U.S. financial institutions and requires them to deal specifically with protecting account holders' private information. PCI refers to credit card processing requirements, ISO/IEC is a standards organization, and the Consumer Protection Act, while providing oversight for the protection of consumer private information, is limited in scope.

The purpose of SSL is to encrypt the communication channel between two end points.

The correct answer is the SOC 1 report, which is designed to assess the controls primarily revolving around financial reporting, formerly found in the SAS 70. The SOC 2 is a report that provides information related to one or more of the AICPA five security principles.

In this example, the reseller purchases hosting services and then resells them.

Cloud computing is built on the model of grid computing, whereby the compute and storage can be pooled and shared rather than having local devices do all the compute and storage functions.

Static application security testing (SAST) differs from dynamic application security testing (DAST) in that it looks at source code and binaries to see if it can detect problems before the code is loaded into memory and run.

When we gather information about business requirements, we need to do a complete inventory, receive accurate valuation of assets (usually from the owners of those assets), and assess criticality; this collection of information does not tell us, objectively, how useful an asset is, however.

The business impact analysis gathers asset valuation information that is beneficial for risk analysis and selection of security controls (it helps avoid putting the ten-dollar lock on the five-dollar bicycle), and criticality information that helps in BC/DR planning by letting the organization understand which systems, data, and personnel are necessary to continuously maintain. However, it does not aid secure acquisition efforts, since the assets examined by the BIA have already been acquired.

In IaaS, the service is bare metal, and the customer has to install the OS and the software. In PaaS, the provider supplies the hardware, connectivity, and OS; the customer installs the applications. SaaS is the model in which the customer supplies only the data; in the other models, the customer installs and maintains the OS, the application, or both. In IaaS, the customer must also install the OS, and in SaaS, the provider also supplies and maintains the applications.

The contract codifies the rights and responsibilities of the parties involved upon completion of the process of negotiation. The RMF aids in risk analysis and design of the environment. An MOU is shared between parties for a number of possible reasons. The BIA aids in risk assessment, BC/DR efforts, and selection of security controls.

Layered defense calls for a diverse approach to security. A firewall is a technological control; the safe and extinguisher are physical controls; and firing someone is an administrative control.

Fences are physical controls; carpets and ceilings are architectural features; and a door might be a technical control and is not necessarily a physical control, but the lock on the door would be a physical security control. Although you might think of a door as a potential answer, the best answer is the fence.

All of these activities should incorporate encryption, except for profile formatting, which is a made-up term.

We don't want to improve default accounts—we want to remove them. All the other options are steps we take to harden devices.

Updating and patching the system helps harden the system. Encrypting the OS is a distractor. Keystroke logging is a technical control (or an attack, if done for malicious purposes and not for auditing); the other options are not terms that would make the OS/machine impossible to use. Homomorphic encryption hopes to achieve that goal.

Senior management decides the risk appetite of the organization.

This exam will have questions where more than one answer is correct, and the answer that will score you points is the one that is most correct.

Video cameras are a physical control; door locks are a physical control; and biometric authentication is a technological control, but not one used to harden a device. Background checks are good for vetting personnel, but not for hardening devices.

Reversal is not a method for handling a risk.

This is a tricky question. Although all the options are ways to harden a mobile device, two-person integrity is a concept that has nothing to do with the topic, and, if implemented, would require everyone in your organization to walk around in pairs while using their mobile devices.

Although the rest of the options are good tactics for securing devices, we can't remove all admin accounts; the device will need to be administered at some point, and that account
30. If a cloud customer wants a bare-bones environment in which to replicate their own enterprise for BC/DR purposes, which cloud service model would probably be best?
Option 1: IaaS
Option 2: PaaS
Option 3: SaaS
Option 4: Hybrid

31. All these are methods of cloud data discovery, except:
Option 1: Content-based
Option 2: User-based
Option 3: Label-based
Option 4: Metadata-based

Correct Response column, as extracted, for questions 30 and 31: 3, 1

32. Data labels could include all the following, except:
Option 1: Date data was created
Option 2: Data owner
Option 3: Data value
Option 4: Date of scheduled destruction
Correct response: 3

33. Data labels could include all the following, except:
Option 1: Source
Option 2: Delivery vendor
Option 3: Handling restrictions
Option 4: Jurisdiction
Correct response: 2

34. Data labels could include all the following, except:
Option 1: Confidentiality level
Option 2: Distribution limitations
Option 3: Distribution limitations
Option 4: Multifactor authentication
Correct response: 4

35. All the following are data analytics modes, except:
Option 1: Real-time analytics
Option 2: Datamining
Option 3: Agile business intelligence
Option 4: Refractory iterations
Correct response: 4

36. In the cloud motif, the data owner is usually:
Option 1: In another jurisdiction
Option 2: The cloud customer
Option 3: The cloud provider
Option 4: The cloud access security broker
Correct response: 2

37. In the cloud motif, the data processor is usually:
Option 1: The party that assigns access rights
Option 2: The cloud customer
Option 3: The cloud provider
Option 4: The cloud access security broker
Correct response: 3

38. Every security program and process should have which of the following?
Option 1: Foundational policy
Option 2: Severe penalties
Option 3: Multifactor authentication
Option 4: Homomorphic encryption
Correct response: 1

39. All policies within the organization should include a section that includes all of the following, except:
Option 1: Policy maintenance
Option 2: Policy review
Option 3: Policy enforcement
Option 4: Policy adjudication
Correct response: 4

40. The most pragmatic option for data disposal in the cloud is which of the following?
Option 1: Melting
Option 2: Cryptoshredding
Option 3: Cold fusion
Option 4: Overwriting
Correct response: 2

41. What is the intellectual property protection for the tangible expression of a creative idea?
Option 1: Copyright
Option 2: Patent
Option 3: Trademark
Option 4: Trade secret
Correct response: 1

42. What is the intellectual property protection for a useful manufacturing innovation?
Option 1: Copyright
Option 2: Patent
Option 3: Trademark
Option 4: Trade secret
Correct response: 2

43. What is the intellectual property protection for a very valuable set of sales leads?
Option 1: Copyright
Option 2: Patent
Option 3: Trademark
Option 4: Trade secret
Correct response: 4

44. What is the intellectual property protection for a confidential recipe for muffins?
Option 1: Copyright
Option 2: Patent
Option 3: Trademark
Option 4: Trade secret
Correct response: 4

45. What is the intellectual property protection for the logo of a new video game?
Option 1: Copyright
Option 2: Patent
Option 3: Trademark
Option 4: Trade secret
Correct response: 3

46. What is the aspect of the DMCA that has often been abused and places the burden of proof on the accused?
Option 1: Online service provider exemption
Option 2: Decryption program prohibition
Option 3: Takedown notice
Option 4: Puppet plasticity
Correct response: 3

47. What is the federal agency that accepts applications for new patents?
Option 1: USDA
Option 2: USPTO
Option 3: OSHA
Option 4: SEC
Correct response: 2

48. DRM tools use a variety of methods for enforcement of intellectual property rights. These include all the following, except:
Option 1: Support-based licensing
Option 2: Local agent enforcement
Option 3: Dip switch validity
Option 4: Media-present checks
Correct response: 3

49. All of the following regions have at least one country with an overarching, federal privacy law protecting personal data of its citizens, except:
Option 1: Asia
Option 2: Europe
Option 3: South America
Option 4: The United States
Correct response: 4

50. DRM solutions should generally include all the following functions, except:
Option 1: Persistency
Option 2: Automatic self-destruct
Option 3: Automatic expiration
Option 4: Dynamic policy control
Correct response: 2

51. All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed, except:
Option 1: Tokenization
Option 2: Data discovery
Option 3: Obfuscation
Option 4: Masking
Correct response: 2

52. The goals of SIEM solution implementation include all of the following, except:
Option 1: Centralization of log streams
Option 2: Trend analysis
Option 3: Dashboarding
Option 4: Performance enhancement
Correct response: 4

53. The goals of DLP solution implementation include all of the following, except:
Option 1: Policy enforcement
Option 2: Elasticity
Option 3: Data discovery
Option 4: Loss mitigation
Correct response: 2
DLP solutions
only
all ofathecan
portion
following,
aid in
is deterring
displayed
except:loss
for due streams
enforcement
Randomizati Inadvertent discovery
Natural mitigation
Device failure 2
DLP
operational
to solutions
which of the can
purposes, aid inexcept:
following? deterring loss due Malicious
on Performance
disclosure disaster
Bad policy Power failure 1
to which
What of the
is the following?technology that
experimental disclosure
AES issues
Link Homomorphic One-time 3
might lead to the possibility of processing encryption encryption pads
encrypted data without having to decrypt
it first?
Option C is the definition of risk—and risk is never preventable: it can be obviated, attenuated, reduced, and minimized, but never completely prevented. A risk may be everlasting or transient, indicating that risk itself is not limited to being either.

All the others are valid methods of data discovery; user-based is a red herring with no meaning.

All the others might be included in data labels, but we don't usually include data value, since it is prone to change frequently, and because it might not be information we want to disclose to anyone who does not have need to know.

All the others might be included in data labels, but we don't include delivery vendor, which is nonsense in context.

All the others might be included in data labels, but multifactor authentication is a procedure used for access control, not a label.

All the others are data analytics methods, but "refractory iterations" is a nonsense term thrown in as a red herring.

The data owner is usually considered the cloud customer in a cloud configuration; the data in question is the customer's information, being processed in the cloud. The cloud provider is only leasing services and hardware to the customer.

In legal terms, when "data processor" is defined, it refers to anyone who stores, handles, moves, or manipulates data on behalf of the data owner or controller. In the cloud computing realm, this is the cloud provider.

Policy drives all programs and functions in the organization; the organization should not conduct any operations that don't have a policy governing them. Penalties may not be an element of policy, and severity depends on the topic. Multifactor authentication and homomorphic encryption are red herrings here.

All the elements except adjudication need to be addressed in each policy. Adjudication is not an element of policy.

We don't have any physical ownership, control, or even access to the devices holding the data, so physical destruction, including melting, is not an option. Overwriting is a possibility, but it is complicated by the difficulty of locating all the sectors and areas that might have contained our data, and by the likelihood that constant backups in the cloud increase the chance we'll miss something as it's being overwritten. Cryptoshredding is the only reasonable alternative. Cold fusion is a red herring.

Copyrights are protected tangible expressions of creative works. The other answers listed are answers to subsequent questions.

Patents protect processes (as well as inventions, new plantlife, and decorative patterns). The other answers listed are answers to other questions.

Confidential sales and marketing materials unique to the organization are trade secrets. The other answers listed are answers to other questions.

Confidential recipes unique to the organization are trade secrets. The other answers listed are answers to other questions.

Logos and symbols and phrases and color schemes that describe brands are trademarks. The other answers listed are answers to other questions.

The DMCA provision for takedown notices allows copyright holders to demand removal of suspect content from the web, and puts the burden of proof on whoever posted the material; this function has been abused by griefers and trolls and overzealous content producers. The OSP exemption protects service providers (a safe harbor provision). The decryption program prohibition makes DeCSS and other similar programs illegal. Puppet plasticity is a nonsense term used for a red herring.

The U.S. Patent and Trademark Office accepts, reviews, and approves applications for new patents. The USDA … and enforces agriculture …. OSHA oversees workplace safety regulations. The SEC regulates publicly traded corporations.

DRM solutions use all these methods except for dip switch validity, which is a nonsense term.

The United States does not have a single, overarching personal privacy law; instead, the U.S. often protects PII by industry (HIPAA, GLBA, FERPA, and so forth). All EU member countries adhere to the Data Protection Regulation. Argentina's Personal Data Protection Act cleaves to the EU Regulation, as does Japan's Act on the Protection of Personal Information.

DRM tools should include all the functions listed except for self-destruction, which might hurt someone.

Data discovery is a term used to describe the process of identifying information according to specific traits or categories. The rest are all methods for obscuring data.

SIEM does not intend to provide any enhancement of performance; in fact, a SIEM solution may decrease performance because of additional overhead. All the rest are goals of SIEM implementations.

DLP does not have anything to do with elasticity, which is the capability of the environment to scale up or down according to demand. All the rest are goals of DLP implementations.

DLP solutions may protect against inadvertent disclosure. Randomization is a technique for obscuring data, not a risk to data. DLP tools will not protect against risks from natural disasters, or against impacts due to device failure.

DLP tools can identify outbound traffic that violates the organization's policies. DLP will not protect against losses due to performance issues or power failures. The DLP solution must be configured according to the organization's policies, so bad policies will …

AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.
Question: Proper implementation of DLP solutions for successful function requires which of the following?
  1. Accurate data categorization
  2. Physical access limitations
  3. USB connectivity
  4. Physical presence
Correct response: 1

Question: Tokenization requires two distinct ___.
  1. Authentication factors
  2. Databases
  3. Encryption keys
  4. Personnel
Correct response: 2

Question: Data masking can be used to provide all of the following functionality, except:
  1. Secure remote access
  2. Enforcing least privilege
  3. Test data in sandboxed environments
  4. Authentication of privileged users
Correct response: 4

Question: DLP can be combined with what other security technology to enhance data controls?
  1. DRM
  2. SIEM
  3. Kerberos
  4. Hypervisors
Correct response: 1

Question: What are the U.S. State Department controls on technology exports known as?
  1. ITAR
  2. EAR
  3. EAL
  4. DRM
Correct response: 2

Question: What are the U.S. Commerce Department controls on technology exports known as?
  1. ITAR
  2. EAR
  3. EAL
  4. DRM
Correct response: 1

Question: Cryptographic keys for encrypted data stored in the cloud should be ___.
  1. At least 128 bits long
  2. Not stored with the data
  3. Split into groups
  4. Generated with redundancy
Correct response: 2

Question: Best practices for key management include all of the following, except:
  1. Have key recovery processes
  2. Maintain key security
  3. Pass keys out of band
  4. Ensure multifactor authentication
Correct response: 4

Question: Cryptographic keys should be secured ___.
  1. To a level at least as high as the data they can decrypt
  2. In vaults
  3. By armed guards
  4. With two-person integrity
Correct response: 1

Question: When crafting plans and policies for data archiving, we should consider all of the following, except:
  1. Archive location
  2. The backup process
  3. The format of the data
  4. Immediacy of the technology
Correct response: 4

Question: What is the correct order of the phases of the data life cycle?
  1. Create, Store, Use, Archive, Share, Destroy
  2. Create, Store, Use, Share, Archive, Destroy
  3. Create, Use, Store, Share, Archive, Destroy
  4. Create, Archive, Store, Share, Use, Destroy
Correct response: 2

Question: What are third-party providers of IAM functions for the cloud environment?
  1. DLPs
  2. CASBs
  3. SIEMs
  4. AESs
Correct response: 2

Question: What is a cloud storage architecture that manages the data in a hierarchy of files?
  1. Object-based storage
  2. File-based storage
  3. Database
  4. CDN
Correct response: 2

Question: What is a cloud storage architecture that manages the data in caches of copied content close to locations of high demand?
  1. Object-based storage
  2. File-based storage
  3. Database
  4. CDN
Correct response: 4

Question: What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud?
  1. Mobility
  2. Elasticity
  3. Obfuscation
  4. Portability
Correct response: 4

Question: The various models generally available for cloud BC/DR activities include all of the following except:
  1. Private architecture, cloud backup
  2. Cloud provider, backup from same provider
  3. Cloud provider, backup from another cloud provider
  4. Cloud provider, backup from private …
Correct response: 4

Question: Countermeasures for protecting cloud operations against external attackers include all of the following except:
  1. Continual monitoring for anomalous activity
  2. Detailed and extensive background checks
  3. Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines
  4. Regular and detailed configuration/change management activities
Correct response: 2

Question: All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except:
  1. Avoid proprietary data formats
  2. Use DRM and DLP solutions widely throughout the cloud operation
  3. Ensure there are no physical limitations to moving
  4. Ensure favorable contract terms to support portability
Correct response: 2

Question: Which of the following is a technique used to attenuate risks to the cloud environment, resulting in loss or theft of a device used for remote access?
  1. Remote kill switch
  2. Dual control
  3. Muddling
  4. Safe harbor
Correct response: 1

Question: Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration, except:
  1. The cloud provider's suppliers
  2. The cloud provider's vendors
  3. The cloud provider's utilities
  4. The cloud provider's resellers
Correct response: 4

Question: When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is:
  1. Legal liability can't be transferred to the cloud provider
  2. Many states have data breach notification laws
  3. Breaches can cause the loss of proprietary data
  4. Breaches can cause the loss of intellectual property
Correct response: 1

Question: The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement?
  1. IaaS
  2. PaaS
  3. SaaS
  4. Community cloud
Correct response: 1

Question: After a cloud migration, the BIA should be updated to include a review of the new risks and impacts associated with cloud operations; this review should include an analysis of the possibility of vendor lock-in/lock-out. Analysis of this risk may not have to be performed as a new effort, because a lot of the material that would be included is already available from which of the following?
  1. NIST
  2. The cloud provider
  3. The cost-benefit analysis
  4. Open source providers
Correct response: 3

Question: A poorly negotiated cloud service contract could result in all the following detrimental effects except:
  1. Vendor lock-in
  2. Malware
  3. Unfavorable terms
  4. Lack of necessary services
Correct response: 2

Question: Because of multitenancy, specific risks in the public cloud that don't exist in the other cloud service models include all the following except:
  1. Risk of loss/disclosure due to legal seizures
  2. DoS/DDoS
  3. Information bleed
  4. Escalation of privilege
Correct response: 2

Question: Countermeasures for protecting cloud operations against internal threats include all of the following except:
  1. Aggressive background checks
  2. Hardened perimeter devices
  3. Skills and knowledge testing
  4. Extensive and comprehensive training programs, including initial, recurring, and refresher …
Correct response: 2

Question: Countermeasures for protecting cloud operations against internal threats include all of the following except:
  1. Active physical surveillance and monitoring
  2. Active electronic surveillance and monitoring
  3. Redundant ISPs
  4. Masking and obfuscation of data for all personnel without need to know for raw data
Correct response: 3

Question: Countermeasures for protecting cloud operations against internal threats include all of the following except:
  1. Broad contractual protections to ensure the provider is ensuring an …
  2. Financial penalties for the cloud provider in the event of negligence or …
  3. DLP solutions
  4. Scalability
Correct response: 4

Question: Countermeasures for protecting cloud operations against internal threats include all of the following except:
  1. Separation of duties
  2. Least privilege
  3. Conflict of interest
  4. Mandatory vacation
Correct response: 3
DLP tools need to be aware of which information to monitor and which requires categorization (usually done upon data creation, by the data owners). DLP can be implemented without physical access or presence. USB connectivity has nothing to do with DLP solutions. Having two-factor authentication is nice, but certainly not required.

In order to implement tokenization, there will need to be two databases: the database containing the raw, original data, and the token database containing tokens that map to original data.

Data masking does not support authentication in any way. All the others are excellent use cases for data masking.

DLPs can be combined with DRM to protect intellectual property; both are designed to deal with data that falls into special categories. SIEMs are used for monitoring event logs, not live data movement. Kerberos is an authentication mechanism. Hypervisors are used for virtualization.

ITAR is a Department of State program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.

EAR is a Commerce Department program. Evaluation assurance levels are part of the Common Criteria standard from ISO. Digital rights management tools are used for protecting electronic processing of intellectual property.

Cryptographic keys should not be stored along with the data they secure, regardless of key length. We don't split crypto keys or generate redundant keys (doing so would violate the principle of secrecy necessary for keys to serve their purpose).

We should do all of these except for requiring multifactor authentication, which is pointless in key management.

Two-person integrity does not have anything to do with key management. Multifactor authentication is not necessary for tokenization.

All of these things should be considered when creating data archival policies, except option D, which is a nonsense term.

The other options are the names of the phases, but out of proper order.

Data loss, leak prevention, and protection is a family of tools used to reduce the possibility of unauthorized disclosure of sensitive information. SIEMs are tools used to collate and manage log data. AES is an encryption standard.

Object-based storage stores data as objects in a volume, with labels and metadata. Databases store data in fields, in a relational motif. A CDN stores data in caches of copied content near locations of high demand.

Object-based storage stores data as objects in a volume, with labels and metadata. File-based is a cloud storage architecture that manages the data in a hierarchy of files. Databases store data in fields, in a relational motif.

Elasticity is the name for the benefit of cloud computing where resources can be apportioned as necessary to meet customer demand. Obfuscation is a technique to hide full raw datasets, either from personnel who do not have need to know or for use in testing. Mobility is not a term pertinent to the CBK.

This is not a normal configuration and would not likely provide genuine benefit.

Background checks are controls for attenuating potential threats from internal actors; external threats aren't likely to submit to background checks.

DRM and DLP are used for increased authentication/access control and egress monitoring, respectively, and would actually decrease portability instead of enhancing it.

Dual control is not useful for remote access devices, because we'd have to assign two people for every device, which would decrease efficiency and …. Muddling is a cocktail preparation technique that involves crushing ingredients. Safe harbor is a policy provision that allows for compliance through an alternate method than the primary instruction.

The cloud provider's resellers are a marketing and sales mechanism, not an operational dependency that could affect the security of a cloud customer.

State notification laws and the loss of proprietary data/intellectual property existed before the cloud; only the lack of ability to transfer liability is new.

IaaS entails the cloud customer installing and maintaining the OS, programs, and data; PaaS has the customer installing programs and data; in SaaS, the customer only uploads data. In a community cloud, data and device owners are distributed.

NIST offers many informative guides and standards, but nothing specific to any one organization. The cloud provider will not have prepared an analysis of lock-out/lock-in potential. Open source providers can offer many useful materials, but, again, nothing specific to the organization.

Malware risks and threats are not affected by the terms of the cloud contract.

DoS/DDoS threats and risks are not unique to the public cloud model.

Hardened perimeter devices are more useful at attenuating the risk of external attack.

ISP redundancy is a means to control the risk of externalities, not internal threats.

Scalability is a feature of cloud computing, allowing users to dictate an increase or decrease in service as needed, not a means to counter internal threats.

Conflict of interest is a threat, not a control.
Question: Benefits for addressing BC/DR offered by cloud operations include all of the following except:
  1. Metered service
  2. Distributed, remote processing, and storage of data
  3. Fast replication
  4. Regular backups offered by cloud providers
Correct response: 1

Question: All of the following methods can be used to attenuate the harm caused by escalation of privilege except:
  1. Extensive access control and authentication tools and techniques
  2. Analysis and review of all log data by trained, skilled personnel on a frequent basis
  3. Periodic and effective use of cryptographic sanitization tools
  4. The use of automated analysis tools such as SIM, SIEM, and SEM solutions
Correct response: 3

Question: What is the hypervisor malicious attackers would prefer to attack?
  1. Type 1
  2. Type 2
  3. Type 3
  4. Type 4
Correct response: 2

Question: What is the term used to describe loss of access to data because the cloud provider has ceased operation?
  1. Closing
  2. Vendor lock-out
  3. Vendor lock-in
  4. Masking
Correct response: 2

Question: Because PaaS implementations are so often used for software development, what is one of the vulnerabilities that should always be kept in mind?
  1. Malware
  2. Loss/theft of portable devices
  3. Backdoors
  4. DoS/DDoS
Correct response: 3

Question: What is the cloud service model in which the customer is responsible for administration of the OS?
  1. IaaS
  2. PaaS
  3. SaaS
  4. QaaS
Correct response: 1

Question: To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all of these to the cloud customer except:
  1. Access to audit logs and performance data
  2. SIM, SEIM, and SEM logs
  3. DLP solution results
  4. Security control administration
Correct response: 4

Question: In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties?
  1. Statutes
  2. The contract
  3. Security control matrix
  4. HIPAA
Correct response: 2

Question: Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?
  1. SOC 1 Type 1
  2. SOC 2 Type 2
  3. SOC 1 Type 2
  4. SOC 3
Correct response: 4

Question: Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it?
  1. SOC 1 Type 1
  2. SOC 2 Type 2
  3. SOC 1 Type 2
  4. SOC 2
Correct response: 3

Question: As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphi, Congress passed legislation known as:
  1. FERPA
  2. GLBA
  3. SOX
  4. HIPAA
Correct response: 3

Question: Hardening the operating system refers to all of the following except:
  1. Limiting administrator access
  2. Removing antimalware agents
  3. Closing unused ports
  4. Removing unnecessary services and libraries
Correct response: 2

Question: The customer's trust in the cloud provider can be enhanced by all of the following except:
  1. Audits
  2. Shared administration
  3. Real-time video surveillance
  4. SLAs
Correct response: 3

Question: User access to the cloud environment can be administered in all of the following ways except:
  1. Customer directly administers access
  2. Customer administration on behalf of the provider
  3. Provider administration on behalf of the customer
  4. Third party administration on behalf of the customer
Correct response: 2

Question: Which kind of SSAE audit reviews controls dealing with the organization's controls for assuring the confidentiality, integrity, and availability of data?
  1. SOC 1
  2. SOC 2
  3. SOC 3
  4. SOC 4
Correct response: 2

Question: Which kind of SSAE report comes with a seal of approval from a certified auditor?
  1. SOC 1
  2. SOC 2
  3. SOC 3
  4. SOC 4
Correct response: 3

Question: Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer's trust in the provider?
  1. Site visit access
  2. SOC 2 Type 2
  3. Audit and performance log data
  4. Backend administrative access
Correct response: 3

Question: In all cloud models, the customer will be given access and ability to modify which of the following?
  1. Data
  2. Security controls
  3. User permissions
  4. OS
Correct response: 1

Question: In all cloud models, security controls are driven by which of the following?
  1. Virtualization engine
  2. Hypervisor
  3. SLAs
  4. Business requirements
Correct response: 4

Question: In all cloud models, the ___ will retain ultimate liability and responsibility for any data loss or disclosure.
  1. Vendor
  2. Customer
  3. State
  4. Administrator
Correct response: 2

Question: Why will cloud providers be unlikely to allow physical access to their datacenters?
  1. They want to enhance security by keeping their … confidential.
  2. They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access.
  3. They want to minimize traffic in those areas, to maximize efficiency of operational personnel.
  4. Most datacenters are inhospitable to human life, so minimizing physical access also minimizes safety concerns.
Correct response: 1

Question: Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?
  1. Database management software
  2. Open source software
  3. Secure software
  4. Proprietary software
Correct response: 2

Question: A firewall can use all of the following techniques for controlling traffic except:
  1. Rule sets
  2. Behavior analysis
  3. Content filtering
  4. Randomization
Correct response: 4

Question: A honeypot should contain ___ data.
  1. Raw
  2. Production
  3. Useless
  4. Sensitive
Correct response: 3

Question: Vulnerability assessments cannot detect which of the following?
  1. Malware
  2. Defined vulnerabilities
  3. Zero-day exploits
  4. Programming flaws
Correct response: 3

Question: Which of the following best represents the layout and definition of REST?
  1. Built on protocol standards
  2. Lightweight and scalable
  3. Relies heavily on XML
  4. Only supports XML output
Correct response: 2

Question: Which of the following is not one of the SDLC phases?
  1. Define
  2. Reject
  3. Design
  4. Test
Correct response: 2
Metered service allows cloud customers to minimize expenses, and only pay for what they need and use; this has nothing to do with BC/DR.

Cryptographic sanitization is a means of reducing the risks from data remnance, not a way to minimize escalation of privilege.

Attackers prefer Type 2 hypervisors, because the OS offers more attack surface and potential vulnerabilities. There are no Type 3 or 4 hypervisors.

Vendor lock-in is the result of a lack of portability, for any number of reasons. Masking is a means to hide raw datasets from users who do not have need to know. Closing is a nonsense term.

Software developers often install backdoors as a means to avoid performing entire workflows when adjusting the programs they're working; they often leave backdoors behind in production software, inadvertently or intentionally.

A. In IaaS, the cloud provider only owns the hardware and supplies the utilities. The customer is responsible for the OS, programs, and data. In PaaS and SaaS, the provider also owns the OS. There is no QaaS. That is a red herring.

While the provider might share any of the other options listed, the provider will not share administration of security controls with the customer. Security controls are the sole province of the provider.

The contract between the provider and customer enhances the customer's trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures). Statutes, however, largely leave customers liable. The security control matrix is a tool for ensuring compliance with regulations. HIPAA is a statute.

The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting, and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.

The SOC 3 is the least detailed, so the provider is not concerned about revealing it. The SOC 1 Types 1 and 2 are about financial reporting and not relevant. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.

C. Sarbanes-Oxley was a direct response to corporate scandals. FERPA is related to education. GLBA is about the financial industry. HIPAA is about health care.

Removing antimalware agents. Hardening the operating system means making it more secure. Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all have the potential to make an OS more secure. But removing antimalware agents would actually make the system less secure. If anything, antimalware agents should be added, not removed.

Video surveillance will not provide meaningful information and will not enhance trust. All the others will.

The customer does not administer on behalf of the provider. All the rest are possible options.

SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.

SOC 2 deals with the CIA triad. SOC 1 is for financial reporting. SOC 3 is only an attestation by the auditor. There is no SOC 4.

The provider may share audit and performance log data with the customer. The provider will most likely not share any of the other options, since they reveal too much information about the provider's security program.

The customer always owns the data and will therefore always have access to it. The customer will never have administrative access to the security controls, regardless of the provider's security program. The customer may or may not have administrative control over user permissions. The customer only has administrative power over the OS in an IaaS model.

Security is always contingent on business drivers and beholden to operational needs. The virtualization engine does not dictate security controls, and the hypervisor may vary (depending on its type and implementation). SLAs do not drive security controls; they should drive performance goals.

The customer always retains legal liability for data loss, even if the provider was negligent or ….

Knowledge of the provider's physical layout and site controls could be of great use to an attacker, so they are kept extremely confidential. The other options are all red herrings.

Open source software is available to the public, and often draws inspection from numerous, disparate reviewers. A DBMS is not reviewed more or less than other software. All software in a production environment should be secure. That is not a valid discriminator for answering this question. Proprietary software reviews are limited to the personnel employed within the offices of the software developer, which narrows the perspective and necessarily reduces the amount of potential reviewers.

Firewalls do use rules, behavior analytics, and/or content filtering in order to determine which traffic is allowable. Firewalls ought not use random criteria, because any such software would be just as likely to damage production … as enhance them.

A honeypot is meant to draw in attackers but not divulge anything of value. It should not use raw, production, or sensitive data.

Vulnerability assessments can only detect known vulnerabilities, using definitions. Some malware is known, as are programming flaws. Zero-day exploits, on the other hand, are necessarily unknown, until discovered and exercised by an attacker, and will therefore not be detected by vulnerability assessments.

The other answers all list aspects of SOAP.

The other answers are all possible stages used in software development.
Question: Which of the following is not a component of the STRIDE model?
  1. Spoofing
  2. Repudiation
  3. Information disclosure
  4. External pen testing
Correct response: 4

Question: Which of the following best describes SAST?
  1. A set of technologies that analyze application …
  2. A set of technologies that analyze application …
  3. A set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate security problems
  4. A set of technologies that analyze application …
Correct response: 3

Question: Which of the following best describes data masking?
  1. A method used to protect prying eyes from data such as social security numbers and credit card data
  2. A method for creating similar but inauthentic datasets used for software testing and user training
  3. A method that involves stripping out all digits in a string of numbers so as to obscure the original number
  4. Data masking …
Correct response: 2

Question: Which of the following best describes a sandbox?
  1. An isolated space where transactions are protected from malicious software
  2. A space where you can safely execute malicious code to see what it does
  3. An isolated space where untested code and experimentation can safely occur separate from the production environment
  4. An isolated space where untested code and experimentation can safely occur within the production environment
Correct response: 3

Question: Identity and access management (IAM) is a security discipline that ensures which of the following?
  1. That all users are properly authorized
  2. That the right individual gets access to the right resources at the right time for the right reasons
  3. That all users are properly authenticated
  4. That unauthorized users will get access to the right resources at the right time for the right reasons
Correct response: 2

Question: In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?
  1. A contracted third party/the various member organizations of the federation
  2. The users of the various member organizations/the federation
  3. Each member organization/a trusted third party
  4. Each member organization/each member organization
Correct response: 1

Question: Which of the following best describes the Organizational Normative Framework (ONF)?
  1. A container for components of an application's security, best practices, catalogued and leveraged by the organization
  2. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization
  3. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization
  4. A set of application security, best practices, catalogued and leveraged by the organization
Correct response: 2

Question: APIs are defined as which of the following?
  1. A set of protocols, and tools for building software applications …
  2. A set of standards for building software applications …
  3. A set of routines and tools for building software applications …
  4. A set of routines, standards, protocols, and tools for building software applications …
Correct response: 3

Question: The application normative framework is best described as which of the following?
  1. A stand-alone framework for storing security practices for the ONF
  2. A subset of the ONF
  3. A superset of the ONF
  4. The complete ONF
Correct response: 2

Question: Which of the following best describes SAML?
  1. A standard for developing secure application …
  2. A standard for exchanging authentication …
  3. A standard for exchanging usernames and …
  4. A standard used for directory synchronization
Correct response: 2

Question: Which of the following best describes the purpose and scope of ISO/IEC 27034-1?
  1. Describes international standards for software security …
  2. Provides an overview of application security …
  3. Serves as … application security best practices, catalogued …
  4. Provides a newer … of the original …
Correct response: 2

Question: Which of the following best describes data masking?
  1. Data masking is used in a production environment …
  2. Data masking is used for privacy reasons …
  3. Data masking is used … replacement … the number.
  4. Data masking is used in place of …
Correct response: 3

Question: Database activity monitoring (DAM) can be:
  1. Host-based or network-based
  2. Server-based or …
  3. Used in place of …
  4. Used in place of …
Correct response: 1

Question: Web application firewalls (WAFs) are …
network-
floods
of forafor security
problem PII. that
catalogued
web-based
n
hide
or
Ransomware
and
client- or indicate
environment
by
software
passwords
for
create
place
XSS the
NIST
andofa SQL
a800- vulnerability
practices,
to
on
infrastructure
place
of
Password
data
access
of web- 3
designed primarily
Multifactor authentication
to protect consists
applications
of at problem
management
cloud
and ONF or
web-based
the
encryption
based
A complex introduces
vulnerability
and
software
authorization
based
Complexleveraged security
organization
applications
across
53
similar,
encryption
injection
A hardware
r4 devices production
catalogued
based
security
masking
cracking
Something 4
SOAP
from two
least is a items.
protocol specification
Which providing
of the following vulnerability
logistics
computing
Standards-
leveraged
software
for
password
better by definitive
by the
application
passwords
Reliant
data on or
between problem
to
inauthentic
token
Extremelyandorfast
a software
data.
and know
designed
you
Works leveraged
over to
and 3
Dynamic
common
best
for the application
represents
exchange security testing
of structured information the a secret
application
performance
and
based
Test concepts,
organization
tool
security
and
XML
Test an HSM Test
vulnerability
access
dataset
magnetic aused
web-
strip by the cloud
applications
secure
something
numerous
Masking 2
(DAST)
Sandboxing
attacks
this
or islike:
concept? bestprovides
describedwhichas which
of theof the organization
.or
code
performed
A test
tool principles,
A test
domains
performed on performed
based
for
card
A training on
testing organization
applications
you
protocols
A testing
have 1
following?
data in web services. Which of the on an
environment andapplication
an processes
environment an application
environment
software
and environment
following is not true of SOAP? application
that isolates involved
that
or isolates
software in or software
application
software
where new or that prevents
What is the lowest tier of datacenter or software 1
untrusted application
untrusted
product
V while product
too
testing.
and
C while isolated code4 1
redundancy,
What according
is the amount to the
of fuel Uptime
that should be product
code 1 security
1,000
it is being
code gallons
changes being
12 hours
experimental from
As muchrunningas 3
Institute?
on
Which
handofto the
power
following
generators
is not one
for backup
of the Integral
while it isfor
changes for
Initial
testinginin
executed consumed
Recurring
code can beby needed
Refresher
in a to 1
Which
datacenter
three of theoffollowing
types training?is part of the using real
testing
Repudiation in a amemory in an
Redundancy cloud in a
tested
Resiliency ensure
nonproductio
Rijndael all 1
STRIDE
power,of
Which model?
in the
all tiers,
following
according
is notto part
theofUptime
the Spoofing
data in
production Tampering
operating
nonproductio customers
Resiliency
production n
Information
systems may 3
Which
Institute?
STRIDE of the following is not a feature of
model? Source
production
environment code n
Team-
system. “White-box”
environment be
Highly
gracefully
skilled,
environment
disclosure 2
Which
SAST? of the following is not a feature of Testing
review in building
environment
User teams “Black-box”
testing Binary
shut down
often 4
DAST? of the following is not a feature of a
Which runtime
Keystroke efforts
Sealed
performing testing
Welded inspection
Push-button
and data
expensive 1
securetype
What KVMofcomponent?
redundancy can we expect to logging
All executable
exterior
All case chipsets
Emergency securely
outside
selectors
Full power 3
find inshould
What a datacenterbe the ofprimary
any tier?
focus of operational
Critical Health
testing and
infrastructure Infrastructure
egress Power
stored and
consultants
capabilities 2
datacenter
Which of the redundancy and contingency
following techniques for components
path/operati
Cloud- human safety
RAID Data
supporting HVAC
SAN 2
planning?cloud datacenter storage
ensuring ons
bursting dispersion
the
resiliency uses parity production
bits and disk striping? environment
The other answers all include aspects of the STRIDE model.
All the possible answers are good, and are, in fact, correct. C, however, is the most complete and is therefore the best answer.
Again, all of these answers are actually correct, but B is the best answer, because it is the most general, includes the others, and is therefore the optimum choice.
Options A and B are also correct, but C is more general and incorporates them both. D is incorrect, because sandboxing does not take place in the production environment.
Options A and C are also correct, but included in B, making B the best choice. D is incorrect, because we don’t want unauthorized users gaining access. This is a good example of the type of question that can appear on the actual exam.
In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust. This makes the third party the identifier (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are relying parties (the resource providers that share resources based on approval from the third party).
Option A is incorrect, because it refers to a specific application’s security elements, meaning the identifier is about an ANF, not the ONF. Option C is true, but not as complete as B, making B the better choice.
Remember, there is a one-to-many ratio of ONF to ANF; each organization has one ONF and many ANFs (one for each application in the organization). Therefore, the ANF is a subset of the ONF. D suggests that the framework contains only “some” of the components, which is why B (which describes “all” components) is better.
Option C is also true, but not as comprehensive as B. A and D are simply not true.
Option B is a description of the standard; the others are not.
Options B and D are also correct, but not as comprehensive as C, making C the best choice.
We don’t use DAM in place of encryption or masking; DAM augments these options without replacing them. We don’t usually think of the database interaction as client-server, so A is the best answer.
A is not correct; we don’t want to encrypt data if we’re using the data for testing or display purposes, common uses of masked data.
WAFs detect how the application interacts with the environment, so they are optimal for detecting and refuting things like SQL injection and XSS. Password cracking, syn floods, and ransomware usually aren’t taking place in the same way as injection and XSS, and they are better addressed with controls at the router and through the use of HIDS, NIDS, and antimalware tools.
Option D is the best, most general, and most accurate answer.
The other answers are true of SOAP.
We do testing prior to deployment, so A and C are incorrect. D is simply a distractor.
Options B and C are incorrect, because a sandbox is not in the production environment. D is incorrect in that sandboxing does not prevent code from running.
There are four tiers of the Uptime Institute's datacenter redundancy rating system, with 1 being the lowest and 4 the highest.
The other answers are distractors.
The three common types of security training are initial, recurring, and refresher.
Repudiation is an element of the STRIDE model; the rest of the answers are not.
Resiliency is not an element of the STRIDE model; all the rest of the answers are.
Team-building has nothing to do with SAST; all the rest of the answers are characteristics of SAST.
Binary inspection has nothing to do with DAST, and it is not really a term that means anything in our industry (although it could be interpreted as a type of code review, more related to SAST); all the rest of the answers list characteristics of DAST.
Keystroke logging is not a characteristic of secure KVM design; in fact, secure KVM components should attenuate the potential for keystroke logging. All the rest of the answers are characteristics of secure KVM components.
Emergency egress redundancy is the only aspect of datacenters that can be expected to be found in datacenters of any tier; the rest of the answers are characteristics that can be found only in specific tiers.
Regardless of the tier level or purpose of any datacenter, design focus for security should always consider health and human safety paramount.
Parity bits and disk striping are characteristic of RAID implementations. Cloud-bursting is a feature of scalable cloud hosting. Data dispersion uses parity bits, but not disk striping;
Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations?
Answer options: 1) Cross-training 2) Metered usage 3) Proper placement of HVAC temperature measurement tools 4) Raised floors
Correct response: 1

Which of the following has not been attributed as the cause of lost capabilities due to DoS?
Answer options: 1) Hackers 2) Construction equipment 3) Changing regulatory motif 4) Squirrels
Correct response: 3

Which of the following aids in the ability to demonstrate due diligence efforts?
Answer options: 1) Redundant power lines 2) HVAC placement 3) Security training documentation 4) Bollards
Correct response: 3

What is often a major challenge to getting both redundant power and communications utility connections?
Answer options: 1) Expense 2) Carrying medium 3) Personnel deployment 4) Location of many datacenters
Correct response: 4

Which of the following is not an aspect of physical security that ought to be considered in the planning of a cloud datacenter facility?
Answer options: 1) Perimeter 2) Vehicular approach/traffic 3) Fire suppression 4) Elevation of dropped ceilings
Correct response: 4

The Brewer-Nash security model is also known as which of the following?
Answer options: 1) MAC 2) The Chinese Wall model 3) Preventive measures 4) RBAC
Correct response: 2

Which kind of hypervisor would malicious actors prefer to attack, ostensibly because it offers a greater attack surface?
Answer options: 1) Cat IV 2) Type II 3) Bare metal 4) Converged
Correct response: 2

Which of the following techniques for ensuring cloud datacenter storage resiliency uses encrypted chunks of data?
Answer options: 1) Cloud-bursting 2) RAID 3) Data dispersion 4) SAN
Correct response: 3

Security training should not be:
Answer options: 1) Documented 2) Internal 3) A means to foster a non-adversarial relationship between the security office and operations 4) Boring
Correct response: 4

Which form of BC/DR testing has the most impact on operations?
Answer options: 1) Tabletop 2) Dry run 3) Full test 4) Structured test
Correct response: 3

Which form of BC/DR testing has the least impact on operations?
Answer options: 1) Tabletop 2) Dry run 3) Full test 4) Structured test
Correct response: 1

Which characteristic of liquid propane increases its desirability as a fuel for backup generators?
Answer options: 1) Burn rate 2) Price 3) Does not spoil 4) Flavor
Correct response: 3

How often should the CMB meet?
Answer options: 1) Whenever regulations dictate 2) Often enough to address organizational needs 3) Every week 4) Annually
Correct response: 2

Adhering to ASHRAE standards for humidity can reduce the possibility of ____.
Answer options: 1) Breach 2) Static discharge 3) Theft 4) Inversion
Correct response: 2

A UPS should have enough power to last how long?
Answer options: 1) 12 hours 2) 10 minutes 3) One day 4) Long enough for graceful shutdown
Correct response: 4

A generator transfer switch should bring backup power online within what time frame?
Answer options: 1) 10 seconds 2) Before the recovery point objective is reached 3) Before the UPS duration is exceeded 4) Three days
Correct response: 3

Which characteristic of automated patching makes it attractive?
Answer options: 1) Cost 2) Speed 3) Noise reduction 4) Capability to recognize problems
Correct response: 2

Which tool can reduce confusion and misunderstanding during a BC/DR response?
Answer options: 1) Flashlight 2) Controls matrix 3) Checklist 4) Call tree
Correct response: 3

When deciding whether to apply specific updates, it is best to follow ____, in order to demonstrate due care.
Answer options: 1) Regulations 2) Vendor guidance 3) Internal policy 4) Competitors’ actions
Correct response: 2

The CMB should include representations from all of the following offices except:
Answer options: 1) Regulators 2) IT department 3) Security office 4) Management
Correct response: 1

For performance monitoring purposes, OS monitoring should include all of the following except:
Answer options: 1) Disk space 2) Disk I/O usage 3) CPU usage 4) Print spooling
Correct response: 4

Maintenance mode requires all of these actions except:
Answer options: 1) Remove all active production instances 2) Initiate enhanced security controls 3) Prevent new logins 4) Ensure logging continues
Correct response: 2

What is one of the reasons a baseline might be changed?
Answer options: 1) Numerous change requests 2) Power fluctuation 3) To reduce redundancy 4) Natural disaster
Correct response: 1

In addition to battery backup, a UPS can offer which capability?
Answer options: 1) Communication 2) Line conditioning 3) Breach alert 4) Confidentiality
Correct response: 2

Deviations from the baseline should be investigated and ____.
Answer options: 1) Documented 2) Enforced 3) Revealed 4) Encouraged
Correct response: 1

The baseline should cover which of the following?
Answer options: 1) As many systems throughout the organization as possible 2) Data breach alerting and reporting 3) A process for version control 4) All regulatory compliance requirements
Correct response: 1

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following?
Answer options: 1) UPS 2) Generators 3) Joint operating agreements 4) Strict adherence to applicable regulations
Correct response: 3

Generator fuel storage for a cloud datacenter should last for how long, at a minimum?
Answer options: 1) 10 minutes 2) Three days 3) Indefinitely 4) 12 hours
Correct response: 4

The BC/DR kit should include all of the following except:
Answer options: 1) Flashlight 2) Documentation equipment 3) Hard drives 4) Annotated asset inventory
Correct response: 3
Cross-training offers attenuation of lost contingency capabilities by ensuring
Changing
personnelregulations should not result in lack of availability. All the other
answers
Security
will be able have
training
to performdocumentation can beeven
essential tasks, usediftothey show arethat
notpersonnel have
primarily assigned to
received
caused
The
those locationDoSadequate,
positions outages
of many datacenters—rurally situated, distant from metropolitan
pertinent
heighttraining
areas—may
The
in a full-time ofcapacity.
droppedto a Metered
suitable
ceilings is level,
not awhich
usage issecurity demonstrates
a benefit concern,
for cloud due
except diligence—that
in action
customers movies.
associated is,
effort
The
withBrewer-Nash
create inchallenges
furtherance model
for findingis also knownpower
multiple as theutility
Chinese Wall model.
providers and ISPs, as those
Type
of
areas ofIIjust
due
ensuring
rest hypervisors
care.
the aren’t
value All for
answers run
are via
thepayment,
other the
allanswers
aspects
butOSnoton
are the
of resiliency.
physicalhost security
beneficial machine;
to thethat
Proper thisshould
makes
resiliency
placement and
of
bethem
durability
HVAC
taken into
attractive
of
Datathedispersion
usually
account
temperature to byuses
served parityvendors.
multiple bits, dataExpense
chunks,isand notencryption. Parity bits
usually a concern; and disk
economies
attackers,
Security
datacenter,
striping
measurement
of
whenscale training
planning
makeasbut both
and
andshould
theythe machine
are
raised not
not
designing be
floors a boring;
and
boththe
methods
datacenter.
aid you
forOS offer
want potential
attendees
indemonstrating
optimizing attack
duetodiligence.
component be vectors.
enthused
performanceCat
This so
isIVa
and
that
difficult
costs
are converged
they question,as
acceptable
but characteristic
are not ofpart
RAIDofimplementations.
the pricing structure. Personnel deployment
Cloud-bursting is a feature of doesn’t
are
pay
and not
attention,
scalable
it could
usually
practically terms
affect beassociated
which
associatedread inenhances
ways
with with hypervisors.
that recall
[Link]
Thisthe isBare-metal
suggestmaterial,
otherelevating
a difficult hypervisors
correct
question, security
and(Type
answers. for
I) are
it could thebe
less
organization.
cloud
readfull
access
The inhosting.
totest
eitherwillSANtype is of
involve a data
connection.
every storage
asset in technique
Thethe carrying butmedium
organization, not focused
including onall
has nothing resiliency.
personnel.
to do with
preferable
All
challenges
ways
The the other
tabletop
that to
foranswers
would attackers,
testingsuggest areasother
characteristics
involves they onlyoffer
correct less
essential ofattack
[Link] surface.
security
personnel andtraining.
none of the
Liquid
findingpropane
others
production will
multiple
have
[Link]
providers
lesser not spoil,
impact,
and is which
except obviates
not evenfor D, necessity
a common
which is aindustry
redforherring.
continually
term.
refreshing
The othersand
Frustrated employees
will have greater and managers
impact, except
can increase for D, which
risk to isthea red
organization
herring by
restocking
A datacenter
implementing it andwithmight makeoptimum
less than it more cost-effective.
humidity can have The burn
a higherratestatic
has nothing
electricity to
do with
their
discharge
The UPS
own, is unapproved
intended to last modifications
only long enoughto the environment.
to save production The particular
data currently
interval
its suitability,
changes
rate.
being
Generator
Humidityfrompower unless noitbearing
organization
hasshould hasbesome ondirect
toonline
organization.
breaches
before bearing
battery on backups
or theft, the
andparticular
inversion
fail. Thegenerator
isspecific
a nonsensethe
datacenter
Automated
term
amount
processed. of The patching
exact isquantity
much fasterof time and willmoredependefficient than variables
on many manual patching.
and will It
owner
is,
Checklists
usedhowever,
differ
time will
as has
from serve
avarychosen.
distractor. as aThe
between reliable
various guide
datacenters. relative
for BC/DR
pricesactivity
of fuel fluctuate.
and shouldFlavor be is a
distractor
not
straightforward
A
onedatacenter
necessarily
datacenter in thisthatany
to doesn’t
thelessnext.
expensive
follow vendorthan manualguidance patching.
might be Manual
seen as patching
failing to is
questionto
overseen
enough
provide
Regulators due
anduse
aremeansthat
not involved
someone
[Link] an already
organization’s
an expert CMB; or trained
all the restin BC/DR
are. response
by administrators,
could
care.
Print spooling
Regulations, is not internal
whoa metric
willpolicy,
recognize
for system
and problems
theperformance;
actions faster
of competitors
than
all the automated
restmight
are. tools.
all inform
Noise
ostensibly
the
While decision
reduction
the otheraccomplish answers thearenecessary
all stepstasks.
in moving Flashlights and calloperations
from normal trees are certainly
to
is the
useful
to
If not
perform
CMB
a factor
maintenance isanreceiving
in
update
patchand numerous
management
patch, but change
at
[Link]
are notto necessarily
the point directly
where the bearing
during
on
amount
A UPS
mode,duecan BC/DR
care.
we ofdoprovide
This
actions,
not linebut
conditioning,
necessarily notinitiate
for theadjusting
purpose
any enhanced power
of reducing
so that
security confusion
it is optimized
controls. and for
misunderstanding.
is
All
requests
theadeviations
difficult, would nuanced
fromdrop the question,
by baseline
modifying and
should
all baseline,
the the
be documented,
answersthenare good,
that including
is a but
good option
details
reason Bofis
tothe
the
Control
best.
change
investigation
devices
The more the
matrices
it serves
systems are
andthatnotbeuseful
smoothing
included during BC/DR
anyinpower
the actions
baseline,
fluctuations;
the moreit doescost-effective
not offer any and of
baseline.
the
and
scalable
Joint other
outcome.
operating NoneWe of
agreements
the
do nototherenforce
reasons
can provide
or should
encourage
nearby involve
deviations.
relocation
the baseline
sites
Presumably,
so
at that
all. awe
would
The
listed
the Uptime
disruption
baseline
functions. Institute
limited dictatesdoes
is. Thetobaseline 12 hours
not dealof generator
with breaches fuel foror all cloudcontrol;
version datacenter
already
tiers.
While
those
the hardbethe
organization’s
are aware
drives of may
own thebedeviation,
useful
facility andin so
the“revealing”
campus kit (for beisaddressed
caninstance, not aif reasonable
theyatstore answer.
BC/DR
a different data
provinces
facility
such [Link] security office and CMB, respectively. Regulatory compliance
might
UPS
as and (and
inventory generators are not limited
lists, baselines, to serving
and patches), theyneeds
are not fornecessarily
localized causes.
required. All
the other
usually
Regulations will) do go beyond
not the baseline and involve systems, processes, and
Which of the following is the least challenging with regard to eDiscovery in the cloud?
Answer options: 1) Decentralization of data storage 2) Complexities of international law 3) Identifying roles such as data owner, controller, and processor 4) Forensic analysis
Correct response: 4

Legal controls refer to which of the following?
Answer options: 1) Controls designed to comply with laws and regulations 2) PCI DSS 3) ISO 27001 4) NIST 800-53r4
Correct response: 1

Which of the following terms is not associated with cloud forensics?
Answer options: 1) Analysis 2) eDiscovery 3) Chain of custody 4) Plausibility
Correct response: 4

Which of the following is not a component of contractual PII?
Answer options: 1) Scope of processing 2) Use of subcontractors 3) Location of data 4) Value of data
Correct response: 4

Which of the following is the best example of a key component of regulated PII?
Answer options: 1) Items that should be implemented 2) Mandatory breach reporting 3) Audit rights of subcontractors 4) PCI DSS
Correct response: 2

Which of the following is not associated with security?
Answer options: 1) Confidentiality 2) Availability 3) Integrity 4) Quality
Correct response: 4

Which of the following is the best advantage of external audits?
Answer options: 1) Independence 2) Oversight 3) Cheaper 4) Better results
Correct response: 1

Which of the following laws resulted from a lack of independence in audit practices?
Answer options: 1) HIPAA 2) GLBA 3) SOX 4) ISO 27064
Correct response: 3

Which of the following reports is no longer used?
Answer options: 1) SAS 70 2) SSAE 16 3) SOC 1 4) SOC 3
Correct response: 1

Which of the following reports is most aligned with financial control audits?
Answer options: 1) SOC 1 2) SOC 2 3) SOC 3 4) SSAE 16
Correct response: 1

Which of the following is the primary purpose of an SOC 3 report?
Answer options: 1) Absolute assurances 2) Compliance with PCI/DSS 3) HIPAA compliance 4) Seal of approval
Correct response: 4

Gap analysis is performed for what reason?
Answer options: 1) To begin the benchmarking process 2) To provide assurances to cloud customers 3) To assure proper accounting practices are being used 4) To ensure all controls are in place and working properly
Correct response: 1

GAAPs are created and maintained by which organization?
Answer options: 1) ISO 2) ISO/IEC 3) PCI Council 4) AICPA
Correct response: 4

Which statute addresses security and privacy matters in the financial industry?
Answer options: 1) GLBA 2) FERPA 3) SOX 4) HIPAA
Correct response: 1

Which of the following is not an example of a highly regulated environment?
Answer options: 1) Healthcare 2) Financial services 3) Wholesale or distribution 4) Public companies
Correct response: 3

Which of the following SOC report subtypes represents a point in time?
Answer options: 1) SOC 2 2) Type I 3) Type II 4) SOC 3
Correct response: 2

Which of the following SOC report subtypes spans a period of time?
Answer options: 1) SOC 2 2) SOC 3 3) SOC 1 4) Type II
Correct response: 4

The right to be forgotten refers to which of the following?
Answer options: 1) The right to no longer pay taxes 2) Erasing criminal history 3) The right to have all of a data owner’s data erased 4) Masking
Correct response: 3

The right to audit should be a part of what documents?
Answer options: 1) SLA 2) PLA 3) All cloud providers 4) Masking
Correct response: 1

SOX was enacted because of which of the following?
Answer options: 1) Poor BOD oversight 2) Lack of independent audits 3) Poor financial controls 4) All of the above
Correct response: 4

What is a key component of GLBA?
Answer options: 1) The right to be forgotten 2) EU Data Directives 3) The information security program 4) The right to audit
Correct response: 3

Which of the following are not associated with HIPAA controls?
Answer options: 1) Administrative controls 2) Technical controls 3) Physical controls 4) Financial controls
Correct response: 4

What
does the doctrine of the proper law e controls
How controls
The law that controls
The
security controls
The proper 1
The
referRestatement
to? (Second) Conflict of Law jurisdictional
The basis for is applied
When judges determination
How
program handling of
Whether local 1
Which
refers toof which
the following applies to the
of the following? disputes
deciding
It’s old. are after
restate
It’s inthe
bad first
the of what
jurisdictional
It’s unclearlaw eDiscovery
All
or of the
federal 4
Stored Communications Act (SCA)? settledlaws
which law in
need isofapplied
an will apply
disputes
with regardare
toto
a materials
laws
above apply in
are most opinion
updating. case
settled
current a situation
Which is the lowest level of the CSA STAR Continuous
appropriate Self- technologies.
Hybridization Attestation 2
program?
Which of the following is a valid risk monitoring
KPI
in a situation assessment
KRI SLA SOC 2
management metric? where
conflicting
laws exist
Forensic analysis is the least challenging of the answers provided as it refers to the analysis of data once it is obtained. The challenges revolve around obtaining the data for analysis due to the complexities of international law, the decentralization of data storage or difficulty knowing where to look, and identifying the data owner, controller, and processor.
Legal controls are those controls that are designed to comply with laws and regulations whether they be local or international.
Plausibility, here, is a distractor and not specifically relevant to cloud forensics.
The value of data itself has nothing to do with it being considered a part of contractual PII even though it may have value associated with it.
Mandatory breach reporting is the best example of regulated PII [Link]. The rest are generally considered components of contractual PII.
Quality is not associated with security in the way that confidentiality, integrity, and availability are.
As discussed in the chapter, the primary advantage of external audits based on the choices given would be that of independence. External audits are typically more independent and therefore lead to more effective results.
SOX was passed primarily to address the issues of audit independence, poor board oversight, and transparency of [Link].
The SAS 70 was a report that was used in the past primarily for financial reporting and was oftentimes misused in the service provider context. The SSAE 16 standards and subsequent SOC reports are its successors.
The SOC 1 report focuses on controls associated with financial services. While IT controls are certainly part of most accounting systems today, the focus is on controls around financial systems.
The SOC 3 report is more of an attestation than a full evaluation of controls associated with a service provider.
The primary purpose of the gap analysis is to begin the benchmarking process against those risk and security standards and frameworks.
The AICPA is the organization responsible for generating and maintaining what are the Generally Accepted Accounting Practices in the United States.
FERPA deals with data protection in the academic industry, HIPAA in the medical industry, and SOX for publicly traded corporations.
Wholesalers or distributors are generally not regulated, although the products they sell may [Link].
An SOC Type I report is designed around a specific point in time as opposed to a report of effectiveness over a period of time.
An SOC Type II report is designed around a period of time as opposed to a specific point in time.
The right to be forgotten is about the individual’s right to have data removed from a provider at any time per their request. It is being tried in the EU at the moment but does not yet apply here in the United States.
The right to audit should be contained in the client service-level agreement (SLA).
Options A, B, and C are reasons leading up to the creation and passage of SOX.
The most important aspect of GLBA was the creation of a formal information security program.
Financial controls are not addressed by HIPAA.
The doctrine of the proper law refers to how jurisdictional disputes are settled.
The Restatement (Second) Conflict of Law is the basis used for determining which laws are most appropriate in a situation where conflicting laws exist.
The Stored Communications Act, passed in 1995, is old, in bad need of updating, and unclear with regard to newer technologies.
The lowest level is Level 1, which is self-assessment, Level 2 is an external third-party attestation, and Level 3 is a continuous-monitoring program. Hybridization does not exist as part of the CSA STAR program.
KRI stands for key risk indicator. KRIs are the red flags if you will in the world of risk management. When these change, they indicate something is amiss and should be looked at.
Which of the following frameworks focuses specifically on design implementation and management?
Answer options: 1) ISO 31000:2009 2) HIPAA 3) ISO 27017 4) NIST 800-92
Correct response: 1

Which of the following frameworks identifies the top 8 security risks based on likelihood and impact?
Answer options: 1) NIST 800-53 2) ISO 27000 3) ENISA 4) COBIT
Correct response: 3

The CSA STAR program consists of three levels. Which of the following is not one of those levels?
Answer options: 1) Self-assessment 2) Third-party assessment-based certification 3) SOC 2 audit certification 4) Continuous monitoring–based certification
Correct response: 3

Which ISO standard refers to addressing security risks in a supply chain?
Answer options: 1) ISO 27001 2) ISO/IEC 28000:2007 3) ISO 18799 4) ISO 31000:2009
Correct response: 2

Which of the following is not a risk management framework?
Answer options: 1) NIST SP 800-37 2) European Union Agency for Network and Information Security (ENISA) 3) Key risk indicators (KRI) 4) ISO 31000:2009
Correct response: 3

Which of the following best defines risk?
Answer options: 1) Threat coupled with a breach 2) Vulnerability coupled with an attack 3) Threat coupled with a threat actor 4) Threat coupled with a vulnerability
Correct response: 4

Which of the following is not a part of the ENISA Top 8 Security Risks of cloud computing?
Answer options: 1) Vendor lock-in 2) Isolation failure 3) Insecure or incomplete data deletion 4) Availability
Correct response: 4

Which of the following is a risk management option that best halts a business function?
Answer options: 1) Mitigation 2) Acceptance 3) Transference 4) Avoidance
Correct response: 4

Which of the following best describes a cloud carrier?
Answer options: 1) A person or entity responsible for making a cloud service available to consumers 2) The intermediary who provides connectivity and transport of cloud services between cloud consumers and providers 3) The person or entity responsible for keeping cloud services running for customers 4) The person or entity responsible for transporting data across the Internet
Correct response: 2

Which of the following methods of addressing risk is most associated with insurance?
Answer options: 1) Transference 2) Avoidance 3) Acceptance 4) Mitigation
Correct response: 1

Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider?
Answer options: 1) The physical layout of the datacenter 2) Background checks for the provider’s personnel 3) Use of subcontractors 4) Redundant uplink grafts
Correct response: 3

A data custodian is responsible for which of the following?
Answer options: 1) The safe custody, transport, storage of the data, and implementation of business rules 2) Logging access and alerts 3) Data content 4) Data context
Correct response: 1

Which of the following is not a way to manage risk?
Answer options: 1) Enveloping 2) Mitigating 3) Accepting 4) Transferring
Correct response: 1

Which of the following is not a risk management framework?
Answer options: 1) Hex GBL 2) COBIT 3) NIST SP 800-37 4) ISO 31000:2009
Correct response: 1

Which of the following is not appropriate to include in an SLA?
Answer options: 1) The number of user accounts allowed during a specified period 2) Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status 3) The amount of data allowed to be transmitted and received between the cloud provider and customer 4) The time allowed to migrate from normal operations to contingency operations
Correct response: 2

What is the Cloud Security Alliance Cloud Controls Matrix (CCM)?
Answer options: 1) An inventory of cloud service security controls that are arranged into separate security domains 2) An inventory of cloud services security controls that are arranged into a hierarchy of security domains 3) A set of regulatory requirements for cloud service providers 4) A set of software development life cycle requirements for cloud service providers
Correct response: 1

Which of the following is not one of the types of controls?
Answer options: 1) Transitional 2) Administrative 3) Technical 4) Physical
Correct response: 1

Which of the following is not an example of an essential internal stakeholder?
Answer options: 1) IT analyst 2) IT director 3) CFO 4) HR director
Correct response: 1
Explanations

ISO 31000:2009 specifically focuses on design, implementation, and management.

ENISA specifically identifies the top 8 security risks based on likelihood and impact.

HIPAA refers to health care regulations, NIST 800-92 is about log management, and ISO 27017 is about cloud-specific security controls.

The SOC 2 report is not a part of the CSA STAR program. It is a totally different audit reporting standard developed by the AICPA.

ISO/IEC 28000:2007 applies specifically to security controls in supply chains. The others are cloud computing standards and have little to do with supply chain management.

Key risk indicators are useful, but they are not a framework. ISO 31000:2009 is an international standard that focuses on designing, implementing, and reviewing risk management processes and practices. NIST SP 800-37 is the Guide for Implementing the Risk Management Framework (RMF), a methodology for handling all organizational risk in a holistic, comprehensive, and continual manner. The European Union Agency for Network and Information Security (ENISA) identifies types of risks in organizations but goes further by identifying the top eight cloud security risks based on likelihood and impact.

The best definition of risk is that of a threat coupled with a vulnerability.

The ENISA Top 8 Security Risks of Cloud Computing does not include availability, even though it is certainly a risk that could be realized.

Avoidance halts the business process, mitigation entails using controls to reduce risk, acceptance involves taking on the risk, and transference usually involves insurance.

A cloud carrier is the intermediary who provides connectivity and transport of cloud services between cloud providers and cloud customers.

The use of subcontractors can add risk to the supply chain and should be considered; trusting the provider's management of their vendors and suppliers (including subcontractors) is important to trusting the provider. Conversely, the customer is not likely to be allowed to review the physical design of the datacenter (or, indeed, even know the exact location of the datacenter) or personnel security specifics for the provider's staff. "Redundant uplink grafts" is a nonsense term used as a distractor.

A data custodian is responsible for the safe custody, transport, and storage of data, and the implementation of business rules.

Enveloping is a nonsense term, unrelated to risk management. The rest are not.

Hex GBL is a reference to a computer in Terry Pratchett's fictional Discworld universe. The rest are not.

Roles and responsibilities should be included in the contract, not the SLA; a good method to determine whether something might belong in the SLA is figuring out whether a numerical value is associated with it. In this case, the element involves names and offices (roles), not numerical values, so it's something that isn't appropriate for the SLA. Options A and C are explicitly defined by exact numbers and are just the sort of aspects that belong in the SLA. Option D, the amount of time allowed to transition between normal and contingency operations, is also an explicit numerical value, but it is not a recurring event, regularly anticipated during each period of performance (or shouldn't be, anyway; if your cloud provider is fluctuating between normal and contingency ops every performance period, you should probably find a new provider), so this is something that can be defined once in the contract, and if the provider fails to

The CSA CCM is an inventory of cloud service security controls that are arranged into separate security domains, not a hierarchy.

Transitional is not a term we associate with types of controls; the rest are.

An IT analyst is generally not high enough of a position to be able to provide quality information to other stakeholders. However, the IT director would be in such a position, as would the CFO and the HR director.
