What is the newer application development methodology and philosophy focused on automation of application development and deployment?
- A . Agile
- B . BusOps
- C . DevOps
- D . SecDevOps
- E . Scrum
What is true of searching data across cloud environments?
- A . You might not have the ability or administrative rights to search or access all hosted data.
- B . The cloud provider must conduct the search with the full administrative controls.
- C . All cloud-hosted email accounts are easily searchable.
- D . Search and discovery time is always factored into a contract between the consumer and provider.
- E . You can easily search across your environment using any E-Discovery tool.
How should an SDLC be modified to address application security in a Cloud Computing environment?
- A . Integrated development environments
- B . Updated threat and trust models
- C . No modification is needed
- D . Just-in-time compilers
- E . Both B and C
Which governance domain focuses on proper and adequate incident detection, response, notification, and remediation?
- A . Data Security and Encryption
- B . Information Governance
- C . Incident Response, Notification and Remediation
- D . Compliance and Audit Management
- E . Infrastructure Security
A defining set of rules composed of claims and attributes of the entities in a transaction, which is used to determine their level of access to cloud-based resources is called what?
- A . An entitlement matrix
- B . A support table
- C . An entry log
- D . A validation process
- E . An access log
Which cloud storage technology is basically a virtual hard drive for instances or VMs?
- A . Volume storage
- B . Platform
- C . Database
- D . Application
- E . Object storage
Which opportunity helps reduce common application security issues?
- A . Elastic infrastructure
- B . Default deny
- C . Decreased use of micro-services
- D . Segregation by default
- E . Fewer serverless configurations
How does virtualized storage help avoid data loss if a drive fails?
- A . Multiple copies in different locations
- B . Drives are backed up, swapped, and archived constantly
- C . Full backups weekly
- D . Data loss is unavoidable with drive failures
- E . Incremental backups daily
Which type of application security testing tests running applications and includes tests such as web vulnerability testing and fuzzing?
- A . Code Review
- B . Static Application Security Testing (SAST)
- C . Unit Testing
- D . Functional Testing
- E . Dynamic Application Security Testing (DAST)
Which layer is the most important for securing because it is considered to be the foundation for secure cloud operations?
- A . Infrastructure
- B . Datastructure
- C . Infostructure
- D . Applistructure
- E . Metastructure
ENISA: A reason for risk concerns of a cloud provider being acquired is:
- A . Arbitrary contract termination by acquiring company
- B . Resource isolation may fail
- C . Provider may change physical location
- D . Mass layoffs may occur
- E . Non-binding agreements put at risk
Which statement best describes the Data Security Lifecycle?
- A . The Data Security Lifecycle has six stages, is strictly linear, and never varies.
- B . The Data Security Lifecycle has six stages, can be non-linear, and varies in that some data may never pass through all stages.
- C . The Data Security Lifecycle has five stages, is circular, and varies in that some data may never pass through all stages.
- D . The Data Security Lifecycle has six stages, can be non-linear, and is distinct in that data must always pass through all phases.
- E . The Data Security Lifecycle has five stages, can be non-linear, and is distinct in that data must always pass through all phases.
Which of the following is one of the five essential characteristics of cloud computing as defined by NIST?
- A . Multi-tenancy
- B . Nation-state boundaries
- C . Measured service
- D . Unlimited bandwidth
- E . Hybrid clouds
What is known as the interface used to connect with the metastructure and configure the cloud environment?
- A . Administrative access
- B . Management plane
- C . Identity and Access Management
- D . Single sign-on
- E . Cloud dashboard
When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
- A . The metrics defining the service level required to achieve regulatory objectives.
- B . The duration of time that a security violation can occur before the client begins assessing regulatory fines.
- C . The cost per incident for security breaches of regulated information.
- D . The regulations that are pertinent to the contract and how to circumvent them.
- E . The type of security software which meets regulations and the number of licenses that will be needed.
Which term is used to describe the use of tools to selectively degrade portions of the cloud to continuously test business continuity?
- A . Planned Outages
- B . Resiliency Planning
- C . Expected Engineering
- D . Chaos Engineering
- E . Organized Downtime
If there are gaps in network logging data, what can you do?
- A . Nothing. There are simply limitations around the data that can be logged in the cloud.
- B . Ask the cloud provider to open more ports.
- C . You can instrument the technology stack with your own logging.
- D . Ask the cloud provider to close more ports.
- E . Nothing. The cloud provider must make the information available.
CCM: A hypothetical start-up company called "ABC" provides a cloud-based IT management solution. They are growing rapidly and therefore need to put controls in place in order to manage any changes in their production environment.
Which of the following Change Control & Configuration Management production environment specific control should they implement in this scenario?
- A . Policies and procedures shall be established for managing the risks associated with applying changes to business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations, infrastructure network and systems components.
- B . Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g. issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
- C . All cloud-based services used by the company’s mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.
- D . None of the above
How is encryption managed on multi-tenant storage?
- A . Single key for all data owners
- B . One key per data owner
- C . Multiple keys per data owner
- D . The answer could be A, B, or C depending on the provider
- E . C for data subject to the EU Data Protection Directive; B for all others
Vulnerability assessments cannot be easily integrated into CI/CD pipelines because of provider restrictions.
- A . False
- B . True
ENISA: Lock-in is ranked as a high risk in ENISA research; a key underlying vulnerability causing lock-in is:
- A . Lack of completeness and transparency in terms of use
- B . Lack of information on jurisdictions
- C . No source escrow agreement
- D . Unclear asset ownership
- E . Audit or certification not available to customers
REST APIs are the standard for web-based services because they run over HTTPS and work well across diverse environments.
- A . False
- B . True
ENISA: Which is a potential security benefit of cloud computing?
- A . More efficient and timely system updates
- B . ISO 27001 certification
- C . Provider can obfuscate system O/S and versions
- D . Greater compatibility with customer IT infrastructure
- E . Lock-In
Sending data to a provider’s storage over an API is likely much more reliable and secure than setting up your own SFTP server on a VM in the same provider.
- A . False
- B . True
ENISA: An example of a high-risk role for malicious insiders within a Cloud Provider includes:
- A . Sales
- B . Marketing
- C . Legal counsel
- D . Auditors
- E . Accounting
All cloud services utilize virtualization technologies.
- A . False
- B . True
Which of the following is NOT a cloud computing characteristic that impacts incident response?
- A . The on demand self-service nature of cloud computing environments.
- B . Privacy concerns for co-tenants regarding the collection and analysis of telemetry and artifacts associated with an incident.
- C . The possibility of data crossing geographic or jurisdictional boundaries.
- D . Object-based storage in a private cloud.
- E . The resource pooling practiced by cloud services, in addition to the rapid elasticity offered by cloud infrastructures.
Which of the following statements are NOT requirements of governance and enterprise risk management in a cloud environment?
- A . Inspect and account for risks inherited from other members of the cloud supply chain and take active measures to mitigate and contain risks through operational resiliency.
- B . Respect the interdependency of the risks inherent in the cloud supply chain and communicate the corporate risk posture and readiness to consumers and dependent parties.
- C . Negotiate long-term contracts with companies who use well-vetted software applications to avoid the transient nature of the cloud environment.
- D . Provide transparency to stakeholders and shareholders demonstrating fiscal solvency and organizational transparency.
- E . Both B and C.
In the Software-as-a-service relationship, who is responsible for the majority of the security?
- A . Application Consumer
- B . Database Manager
- C . Application Developer
- D . Cloud Provider
- E . Web Application CISO
What is true of companies considering a cloud computing business relationship?
- A . The laws protecting customer data are based on the cloud provider and customer location only.
- B . The confidentiality agreements between companies using cloud computing services are limited legally to the company, not the provider.
- C . The companies using the cloud providers are the custodians of the data entrusted to them.
- D . The cloud computing companies are absolved of all data security and associated risks through contracts and data laws.
- E . The cloud computing companies own all customer data.
In volume storage, what method is often used to support resiliency and security?
- A . proxy encryption
- B . data rights management
- C . hypervisor agents
- D . data dispersion
- E . random placement
When investigating an incident in an Infrastructure as a Service (IaaS) environment, what can the user investigate on their own?
- A . The CSP server facility
- B . The logs of all customers in a multi-tenant cloud
- C . The network components controlled by the CSP
- D . The CSP office spaces
- E . Their own virtual instances in the cloud
Which of the following statements best defines the "authorization" as a component of identity, entitlement, and access management?
- A . The process of specifying and maintaining access policies
- B . Checking data storage to make sure it meets compliance requirements
- C . Giving a third party vendor permission to work on your cloud solution
- D . Establishing/asserting the identity to the application
- E . Enforcing the rules by which access is granted to the resources
Which governance domain deals with evaluating how cloud computing affects compliance with internal security policies and various legal requirements, such as regulatory and legislative?
- A . Legal Issues: Contracts and Electronic Discovery
- B . Infrastructure Security
- C . Compliance and Audit Management
- D . Information Governance
- E . Governance and Enterprise Risk Management
Your SLA with your cloud provider ensures continuity for all services.
- A . False
- B . True
ENISA: “VM hopping” is:
- A . Improper management of VM instances, causing customer VMs to be commingled with other customer systems.
- B . Looping within virtualized routing systems.
- C . Lack of vulnerability management standards.
- D . Using a compromised VM to exploit a hypervisor, used to take control of other VMs.
- E . Instability in VM patch management causing VM routing errors.
Which of the following statements is true in regards to Data Loss Prevention (DLP)?
- A . DLP can provide options for quickly deleting all of the data stored in a cloud environment.
- B . DLP can classify all data in a storage repository.
- C . DLP never provides options for how data found in violation of a policy can be handled.
- D . DLP can provide options for where data is stored.
- E . DLP can provide options for how data found in violation of a policy can be handled.
CCM: In the CCM tool, “Encryption and Key Management” is an example of which of the following?
- A . Risk Impact
- B . Domain
- C . Control Specification
CCM: In the CCM tool, a ____ is a measure that modifies risk and includes any process, policy, device, practice or any other actions which modify risk.
- A . Risk Impact
- B . Domain
- C . Control Specification
To understand their compliance alignments and gaps with a cloud provider, what must cloud customers rely on?
- A . Provider documentation
- B . Provider run audits and reports
- C . Third-party attestations
- D . Provider and consumer contracts
- E . EDiscovery tools