CCSK EXAM SIMULATOR 2 · CCSK CLOUD SECURITY

CCSK EXAM SIMULATOR

1. The nature of contracts with cloud providers will often preclude things like on-premises audits. What options does the customer have in this situation?

Remote Audit of provider services

Service Level Agreement

Non Disclosure Agreement

Third Party Certification

Third Party Attestation

2. In which of the following service models cloud consumer may only be able to manage authorization and entitlements?

SaaS

PaaS

IaaS

BothA & B

3. In which phase of the application design and development process, the focus is on architecture?

Training

Define

Design

Develop

Test

4. Dedicated or private tenancy model is not possible in a cloud environment.

True

False

5. Which plane is used by consumers to launch virtual machines or configuring virtual networks?

Infrastructure Plane

Cloud Control Plane

Management Plane

Application Plane

Virtual Plane

6. Which of the following describes the cloud management plane?

API’s that are remotely accessible and those wrapped into a web-based user interfac

Is a layer in which alltypes of devices and resources from different vendors are interconnecte

Is a layer where the data centre is the component element.

Is a layer consisting of plenty of vendors and third party applications.

7. CCM: How many Domains and Controls are in CCM V.3.0.1?

133 Domains and 16 Controls

14 Domains and 133 Controls

16 Domains and 133 Controls

16 Domains and 100 Controls

8. Which of the following governance domain focuses on proper and adequate incident detection, response, notification and remediation?

Infrastructure Security

Information Governance and Enterprise Risk Management

Compliance and Audit Management

Incident Response

Information Governance

9. Which of the following is not one of the five key legal issues common across all scenarios?

Data Protection

Confidentiality

Intellectual Property

Professional Negligence

Global Proliferation

10. Which of the following can the cloud provider implement to mitigate the credential compromise or theft?

Separation of roles and responsibilities

Automated inventory of all assets

Federated method of authentication

Hardening of virtual machines using industry standards

Anomaly detection

11. Cloud service providers leverage which of the following to manage costs and enable capabilities?

On-demand self-service

Broad network access

Economies of scale

Measured service

Resource Pooling

12. Which of the following tools lists cloud security controls and maps them to multiple security and compliance standards. ?

Consensus Assessments Initiative Questionnaire

Cloud Controls Matrix

Cloud Provider Contracts

Supplier (cloud provider)Assessments

Cloud Security Alliance STAR Registry

13. All services from a particular provider meet the same audit/assessment standards.

True

False

14. Which of the following is true about the pass-through audit which is a form of compliance inheritance?

Provider’s infrastructure is not within the scope of customer’s audit/assessment.

Everything the customer builds on top of Provider’s infrastructure is out of scope.

Provider’s infrastructure is within the scope of customer’s audit/assessment

Customer is not responsible for maintaining the compliance as the Provider is already compliant.

15. When entrusting a third party to process the data on its behalf, who remains responsible for the collection and processing of the data?

Data Processor

Data Controller

Data Analyzer

Data Protector

16. In which type of environment it is impractical to allow clients to conduct their own audits?

Long Distance relationships

Multi-tenant environment

Dedicated environment

Multi-application environment

Multi-database environment

17. The data and information like content in database or file storage are part of which layer of Logical Model?

Infrastructure

Metastructure

Infostructure

Applistructure

18. Logs, documentation, and other materials that are needed for audits and compliance and are used as evidence to support compliance activities are called as-

Audit Proof

Audit Evidence

Audit Trail

Artifacts

Log Trail

19. The Cloud Security Alliance STAR Registry is used for which of the following purposes?

Used by cloud providers to document their security and compliance controls

List all cloud security controls mapped to multiple security standards

To publicly release certifications and attestations

Used by cloud providers to keep all the service contracts and service level agreements

20. Identity and Access Management (IAM) includes which of the following?

Identification, authentication and authorization

Identification, authentication, authorization and non-repudiation

Identification, authentication, authorization and encryption

Identification, authentication, authorization and delegation

Identification, authentication, authorization and deletion

21. Which of the following tools provide a standard template for cloud providers to document their security and compliance controls?

Consensus Assessments Initiative Questionnaire

Cloud Controls Matrix

Cloud Provider Contracts

Supplier (cloud provider) Assessments

Cloud Security Alliance STAR Registry

22. How can a single administrator access multiple service administrator accounts with just the privileges they need for that particular action?

Using Groups

Using Assertions

Using Roles

Using Provider Policies

Using Custom Policies

23. Which of the following allows you to create an infrastructure template to configure all or some aspects of a cloud deployment?

Metastructure

Infostructure

Software-Defined Infrastructure

Applistructure

Infrastructure

24. Which of the following statement is true for orchestration?

Orchestration is used to coordinate carving out and delivering a set of resources from the pools to the consumers.

Orchestration abstracts the resources from the underlying physical infrastructure to create pools.

Orchestration allows the cloud provider to divvy up resources to different groups.

Orchestration ensures that different groups can’t see or modify each other’s assets.

25. Which of the following statement about CSA s CCM and Security Guidance is not true?

CSA’s CCM provides a set of controls and maps them to multiple security and compliance standards.

CSA’s CCM tells you WHAT to do. CSA’s Security Guidance tells HOW to do it.

C. CSA’s Security Guidance provides a set of best practices and recommendations.

D. CSA’s Security Guidance tells you WHAT to do. The CCM tells you HOW to do it.

26. CCM: The CCM provides an anchor-point and common language for balanced measurement of security and compliance postures.

With CCM all supply chain parties can speak the same language ?

True

False

27. In which of the five main phases of secure application design and development, you perform Threat Modelling?

Training

Define

Design

Develop

Test

28. Which of the following is a cloud infrastructure that is shared by several organizations and supports a specific group that has shared concerns?

Public Cloud

Private Cloud

Community Cloud

Hybrid Cloud

Common Cloud

29. When it comes to securing the management plane, how are access identification, authentication, and authorization implemented?

Identity and Access Management (IAM).

Your directory service manages how your cloud providers are manage

Cloud providers provide the access layer; you must also have a directory service to get authentication.

Authentication is based on your authentication provider and the cloud provider provides the access and authorization controls.

30. Who manages the web console which is one of the ways the management plane is delivered?

Super Admin User

Cloud Access Security Broker

Cloud Provider

Cloud User

31. Which of the following is not one of the benefits of Cloud Computing?

Agility

Resiliency

Economy

Vendor Lock-in

32. Which communication method is used by customers to access database information using a web console?

Cross-Origin Resource Sharing (CORS)

Application Programming Interface (API)

Security Assertion Markup Language (SAML)

Extensible Markup Language(XML)

Software Development Kit (SDKs)

33. Cloud user does not require special permission to perform vulnerability assessment on its environment in cloud.

True

False

34. The following list of controls belongs to which domain of the CCM?
GRM 04 – Management Program
GRM 05 – Support / Involvement
GRM 06 – Policy
GRM 07 – Policy Enforcement

Data Centre security

Encryption & Key Management

Governance and Risk Management

Change Control & Configuration Management

Business Continuity Management & Operational Resilience

35. Which of the following is among the top security benefits?

Compatibility with customer IT services and infrastructure

Data Protection

Lock-In

More timely, effective and efficient updates and default

Certifications and Accreditations

36. Which of the following statements regarding SDN (Software Defined Networking) is not true?

SDN firewalls apply to more flexible criteria than hardware-based firewalls.

SDN firewalls apply to single assets or groups of assets.

SDN firewall rules can be applied to any asset or groups of assets with a particular tag.

SDN firewalls define rules can apply to a specific network location only (within a given virtual network).

SDN firewalls can define both ingress and egress rules.

37. If an attacker gets into your management plane, they have full remote access to your entire cloud environment.

True

False

38. SLA’s may limit a client’s ability to collect large volumes of data quickly and in a forensically sound manner.

True

False

39. Which of the following statement regarding service administrator account is not true?

Service administrator’s accounts are more suited for common daily use.

Service administrator’s help compartmentalize individual sessions.

Service administrator accounts can expose the entire deployment.

Service administrators accounts manage parts of the service.

40. The main difference between traditional virtualization and cloud computing and is abstraction.

True

False

41. Which of the following is the most commonly used application programming interface?

REST

SOAP

HTTP

JSON

42. Which of the following WAN virtualization technology is used to create networks which span multiple base networks?

Cloud overlay networks

Virtual private networks

Virtual private cloud

Network peering

43. Which process is used to determine and defend the applications from any weakness before they are introduced into production?

Threat Modelling

Vulnerability Assessment

Penetration Testing

OWASP

STRIDE

44. Business Continuity and Disaster Recovery is not a shared responsibility and the cloud user is completely responsible for it.

True

False

45. Which of the following leverages virtual network topologies to run smaller, and more isolated networks without incurring additional hardware costs?

Microsegmentation

VLANs

Converged networking

Virtual Private Networks

Virtual Private Cloud

46. The management plane controls and configures which of the following:

Infratructure

Metastructure

Infostructure

Applistructure

47. The key difference between cloud and traditional computing is the infrastructure.

True

False

48. Attestations and certifications are activities that will be valid at any future point in time and providers must keep any published results readily available for quick reference.

True

False

49. PaaS needs to be built on top of IaaS and it cannot be a custom designed stand-alone architecture

True

False

50. Which of the following statements regarding risk transfer is not true?

It is possible for the cloud customer to transfer risk to the cloud provider.

All risks can be transferred

The level of risk may vary with the type of cloud architecture use

Risks should be considered against the cost benefit received from the services.

51. Which of the following is a key tool in enabling and enforcing separation and isolation in multi-tenancy environment?

Infratructure

Infostructure

Applistructure

Metastructure

52. How can web security as a service be offered to the cloud customer?

Either on-premise through software and/or appliance installation.

Via the Cloud using proxy or redirecting web traffic to the cloud provider.

By using separate VLANs.

Both B & C.

Both A & B.

53. How will you ensure that you have provided sufficient encryption protection to your data in the cloud?

Ensure that you are encrypting your data as it moves to the cloud

Do not encrypt the data when it is close to the cloud

Encrypt the data at rest when it is stored in the cloud

Encrypt the data only as it leaves the cloud

Both A, C

54. What is the role of the Scope Applicability column in the CCM?

Applicability of controls in the domains

Maps the existing industry standards to the controls in the domains

Overall applicability of the domain

Shows architecture elements that are related to a given control

55. Which of the following reflects the claim of an individual to have certain data deleted so that third persons can no longer trace them?

Right to be deleted

Right to be erased

Right to non-disclosure

Right to be forgotten

Right to privacy

56. In the United States, a party is obligated to take reasonable steps to prevent the destruction or modification of data in its possession that it knows, is relevant to pending litigation or government investigation.

True

False

57. Which of the following is an important consideration in management plane usage?

Segregation of Duties

Least Privilege

Multi-Factor Authentication

Biometric Authentication

Authorization

58. Which of the following is a key area of control for the cloud provider network architecture?

SANS Checklist.

DDOS.

Anti-virus.

Hardened virtualised imag

Host based intrusion prevention service (IPS).

59. Which of the following is an underlying vulnerability related to loss of Governance?

Lack of reputational isolation

Lack of resource isolation

Hypervisor vulnerabilities

Unclear asset ownership

Lack of supplier redundancy

60. All assets in the cloud require same business continuity.

True

False

Question 1 of 60