(ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests. Ben Malisow
41. A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to hire a third party to review each organization for compliance with security governance and standards they all find acceptable, what is this federation model called?
A. Cross-certification
B. Proxy
C. Single sign-on
D. Regulated

42. A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to use the web of trust model for federation, who is/are the identity provider(s)?
A. Each organization
B. A trusted third party
C. The regulator overseeing their industry
D. All of their patients

43. A group of clinics decides to create an identification federation for their users (medical providers and clinicians). If they opt to use the web of trust model for federation, who is/are the service providers?
A. Each organization
B. A trusted third party
C. The regulator overseeing their industry
D. All of their patients

44. A group of clinics decides to create an identification federation for their users (medical providers and clinicians). In this federation, all of the participating organizations would need to be in compliance with what U.S. federal regulation?
A. Gramm-Leach-Bliley Act (GLBA)
B. Family and Medical Leave Act (FMLA)
C. Payment Card Industry Data Security Standard (PCI DSS)
D. Health Insurance Portability and Accountability Act (HIPAA)
45. What is the process of granting access to resources?
A. Identification
B. Authentication
C. Authorization
D. Federation

46. The process of identity management includes all the following elements except ___________________.
A. Provisioning
B. Maintenance
C. Deprovisioning
D. Redaction

47. Which organizational entity usually performs the verification part of the provisioning element of the identification process?
A. Information technology (IT)
B. Security
C. Human resources (HR)
D. Sales

48. Of the following options, which is a reason cloud data center audits are often less easy to verify than traditional audits?
A. Data in the cloud can't be audited.
B. Controls in the cloud can't be audited.
C. Getting physical access can be difficult.
D. There are no regulators for cloud operations.

49. Of the following options, which is a reason cloud data center audits are often less easy to verify than traditional audits?
A. Cryptography is present.
B. Auditors don't like the cloud.
C. Cloud equipment is resistant to audit.
D. They often rely on data the provider chooses to disclose.

50. Of the following options, which is a reason cloud data center audits are often less easy to verify than audits in standard data centers?
A. They frequently rely on third parties.
B. The standards are too difficult to follow.
C. The paperwork is cumbersome.
D. There aren't enough auditors.

51. The cloud customer will usually not have physical access to the cloud data center. This enhances security by ___________________.
A. Reducing the need for qualified personnel
B. Limiting access to sensitive information
C. Reducing jurisdictional exposure
D. Ensuring statutory compliance
52. Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment?
A. GPS tracking/locator
B. Automated vulnerability scan on system startup
C. Access control list (ACL) of authorized personnel
D. Write protection

53. Which of the following controls would be useful to build into a virtual machine baseline image for a cloud environment?
A. Automatic registration with the configuration management system
B. Enhanced user training and awareness media
C. Mechanisms that prevent the file from being copied
D. Keystroke loggers

54. Virtual machine (VM) configuration management (CM) tools should probably include ___________________.
A. Biometric recognition
B. Anti-tampering mechanisms
C. Log file generation
D. Hackback capabilities

55. Using a virtual machine baseline image could be very useful for which of the following options?
A. Physical security
B. Auditing
C. Training
D. Customization

56. What can be revealed by an audit of a baseline virtual image used in a cloud environment?
A. Adequate physical protections in the data center
B. Potential criminal activity before it occurs
C. Whether necessary security controls are in place and functioning properly
D. Lack of user training and awareness

57. Using one cloud provider for your operational environment and another for your BC/DR backup will also give you the additional benefit of ___________________.
A. Allowing any custom VM builds you use to be instantly ported to another environment
B. Avoiding vendor lock-in/lock-out
C. Increased performance
D. Lower cost

58. Having your BC/DR backup stored with the same cloud provider as your production environment can help you ___________________.
A. Maintain regulatory compliance
B. Spend less of your budget on traveling
C. Train your users about security awareness
D. Recover quickly from minor incidents
59. If you use the cloud for BC/DR purposes, even if you don't operate your production environment in the cloud, you can cut costs by eliminating your ___________________.
A. Security personnel
B. BC/DR policy
C. Old access credentials
D. Need for a physical hot site/warm site

60. If the cloud is used for BC/DR purposes, the loss of ___________________ could gravely affect your organization's RTO.
A. Any cloud administrator
B. A specific VM
C. Your policy and contract documentation
D. ISP connectivity

61. What is the most important asset to protect in cloud BC/DR activities?
A. Intellectual property
B. Hardware at the cloud data center
C. Personnel
D. Data on portable media

62. When considering cloud data replication strategies (i.e., whether you are making backups at the block, file, or database level), which element of your organization's BC/DR plan will be most affected by your choice?
A. Recovery time objective
B. Recovery point objective
C. Maximum allowable downtime
D. Mean time to failure

63. In addition to BC/DR, what other benefit can your data archive/backup provide?
A. Physical security enforcement
B. Access control methodology
C. Security control against data breach
D. Availability for data lost accidentally

64. Which of the following risks is probably most significant when choosing to use one cloud provider for your operational environment and another for BC/DR backup/archive?
A. Physical intrusion
B. Proprietary formats/lack of interoperability
C. Vendor lock-in/lock-out
D. Natural disasters

65. Return to normal operations is a phase in BC/DR activity when the emergency is over and regular production can resume. Which of the following can sometimes be the result when the organization uses two different cloud providers for the production and BC/DR environments?
A. Both providers are affected by the emergency, extending the time before return to normal can occur.
B. The BC/DR provider becomes the new normal production environment.
C. Regulators will find the organization in violation of compliance guidance.
D. All data is lost irretrievably.
66. Which of these determines the critical assets, recovery time objective (RTO), and recovery point objective (RPO) for BC/DR purposes?
A. Business drivers
B. User input
C. Regulator mandate
D. Industry standards

67. What artifact, which should already exist within the organization, can be used to determine the critical assets necessary to protect in the BC/DR activity?
A. Quantitative risk analysis
B. Qualitative risk analysis
C. Business impact analysis
D. Risk appetite

68. Which of the following is probably the most important element to address if your organization is using two different cloud providers for the production and BC/DR environments?
A. Do they cost the same?
B. Do they have similar facility protections in place?
C. What level of end-user support do they each offer?
D. Can the backup provider meet the same SLA requirements as the primary?

69. In a managed cloud services arrangement, who invokes a BC/DR action?
A. The cloud provider
B. The cloud customer
C. Depends on the contract
D. Any user

70. What do you need to do in order to fully ensure that a BC/DR action will function during a contingency?
A. Audit all performance functions.
B. Audit all security functions.
C. Perform a full-scale test.
D. Mandate this capability in the contract.

71. Which of the following is probably the most important activity, of those listed?
A. Regularly update the BC/DR plan/process.
B. Have contact information for all personnel in the organization.
C. Have contact information for essential BC/DR personnel.
D. Have contact information for local law enforcement.

72. The BC/DR plan/policy should include all of the following except ___________________.
A. Tasking for the office responsible for maintaining/enforcing the plan
B. Contact information for essential entities, including BC/DR personnel and emergency services agencies
C. Copies of the laws/regulations/standards governing specific elements of the plan
D. Checklists for BC/DR personnel to follow
73 The