Question 1

Which type of audit report is considered a "restricted use" report for its intended audience?

Accepted Answer

SOC Type 1 reports are considered "restricted use" reports. They are intended for management and stakeholders of an organization, clients of the service organization, and auditors of the organization. They are not intended for release beyond those audiences.

Question 2

When an API is being leveraged, it will encapsulate its data for transmission back to the requesting party or service. What is the data encapsulation used with the SOAP protocol referred to as?

Accepted Answer

Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope. It then leverages common communications protocols for transmission. Object is a type of cloud storage, but also a commonly used term with certain types of programming languages. Packet and payload are terms that sound similar to envelope but are not correct in this case.

Question 3

From a security perspective, which of the following is a major concern when evaluating possible BCDR solutions?

Accepted Answer

When a security professional is considering cloud solutions for BCDR, a top concern is the jurisdiction where the cloud systems are hosted. If the jurisdiction is different from where the production systems are hosted, they may be subjected to different regulations and controls, which would make a seamless BCDR solution far more difficult.

Question 4

Which of the following roles involves the provisioning and delivery of cloud services?

Accepted Answer

The cloud service manager is responsible for the delivery of cloud services, the provisioning of cloud services, and the overall management of cloud services.

Question 5

Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes?

Accepted Answer

The cloud service deployment manager is responsible for gathering metrics on cloud services, managing cloud deployments and the deployment process, and defining the environments and processes.

Question 6

Which of the following is NOT one of the main intended goals of a DLP solution?

Accepted Answer

Data loss prevention (DLP) extends the capabilities for data protection beyond the standard and traditional security controls that are offered by operating systems, application containers, and network devices. DLP is not specifically implemented to counter malicious insiders, and would not be particularly effective in doing so, because a malicious insider with legitimate access would have other ways to obtain data. DLP is a set of practices and controls to manage and minimize risk, comply with regulatory requirements, and show due diligence with the protection of data.

Question 7

Which networking concept in a cloud environment allows for network segregation and isolation of IP spaces?

Accepted Answer

A virtual area network (VLAN) allows the logical separation and isolation of networks and IP spaces to provide enhanced security and controls.

Question 8

In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?

Accepted Answer

In a trusted third-party model of federation, each member organization outsources the review and approval task to a third party they all trust. This makes the third party the identifier (it issues and manages identities for all users in all organizations in the federation), and the various member organizations are the relying parties (the resource providers that share resources based on approval from the third party).

Question 9

Which of the following threat types involves leveraging a user's browser to send untrusted data to be executed with legitimate access via the user's valid credentials?

Accepted Answer

Cross-site request forgery (CSRF) involves tricking a user's browser into sending a request that the user did not intend, using their valid credentials, often leading to unauthorized actions on a web application.

Question 10

Which cloud deployment model would be ideal for a group of universities looking to work together, where each university can gain benefits according to its specific needs?

Accepted Answer

A community cloud is owned and maintained by similar organizations working toward a common goal. In this case, the universities would all have very similar needs and calendar requirements, and they would not be financial competitors of each other. Therefore, this would be an ideal group for working together within a community cloud. A public cloud model would not work in this scenario because it is designed to serve the largest number of customers, would not likely be targeted toward specific requirements for individual customers, and would not be willing to make changes for them. A private cloud could accommodate such needs, but would not meet the criteria for a group working together, and a hybrid cloud spanning multiple cloud providers would not fit the specifics of the question.

Question 11

When an organization is considering a cloud environment for hosting BCDR solutions, which of the following would be the greatest concern?

Accepted Answer

If an organization wants to use a cloud service for BCDR, the location of the cloud hosting becomes a very important security consideration due to regulations and jurisdiction, which could be dramatically different from the organization's normal hosting locations. Availability is a hallmark of any cloud service provider, and likely will not be a prime consideration when an organization is considering using a cloud for BCDR; the same goes for self-service options. Resource pooling is common among all cloud systems and would not be a concern when an organization is dealing with the provisioning of resources during a disaster.

Question 12

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?

Accepted Answer

Layered defense calls for a diverse approach to security.

Question 13

Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner?

Accepted Answer

A keyboard-video-mouse (KVM) system is commonly used for directly accessing server terminals in a data center. It is not a method that would be possible within a cloud environment, primarily due to the use virtualized systems, but also because only the cloud provider's staff would be allowed the physical access to hardware systems that's provided by a KVM. Hypertext Transfer Protocol Secure (HTTPS), virtual private network (VPN), and Transport Layer Security (TLS) are all technologies and protocols that are widely used with cloud implementations for secure access to systems and services.

Question 14

With finite resources available within a cloud, even the largest cloud providers will at times need to determine which customers will receive additional resources first. What is the term associated with this determination?

Accepted Answer

Shares are used within a cloud environment to prioritize resource allocation when customer requests exceed the available resources. Cloud providers utilize shares by assigning a priority score to each customer and allocating resources to those with the highest scores first. Scoring is a component of shares that determines the actual order in which to allocate resources. Neither weighting nor prioritization is the correct term in this case.

Question 15

Which of the following is NOT a function performed by the handshake protocol of TLS?

Accepted Answer

The handshake protocol negotiates and establishes the connection as well as handles the key exchange and establishes the session ID. It does not perform the actual encryption of data packets.

Question 16

Which type of controls are the SOC Type 1 reports specifically focused on?

Accepted Answer

SOC Type 1 reports are focused specifically on internal controls as they relate to financial reporting.

Question 17

At which stage of the BCDR plan creation phase should security be included in discussions?

Accepted Answer

Security should be included in discussions from the very first phase when defining the scope. Adding security later is likely to incur additional costs in time and money, or will result in an incomplete or inadequate plan.

Question 18

SOC Type 1 reports are considered "restricted use," in that they are intended only for limited audiences and purposes. Which of the following is NOT a population that would be appropriate for a SOC Type 1 report?

Accepted Answer

Potential clients are not served by SOC Type 1 audits. A Type 2 or Type 3 report would be appropriate for potential clients. SOC Type 1 reports are intended for restricted use, where only the service organization itself, current clients, or auditors would have access to them.

Question 19

Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it?

Accepted Answer

The main goal of confidentiality is to ensure that sensitive information is not made available or leaked to parties that should not have access to it, while at the same time ensuring that those with appropriate need and authorization to access it can do so in a manner commensurate with their needs and confidentiality requirements.

Question 20

Which of the cloud cross-cutting aspects relates to the ability to easily move services and applications between different cloud providers?

Accepted Answer

Portability is the ease with which a service or application can be moved between different cloud providers. Maintaining portability gives an organization great flexibility between cloud providers and the ability to shop for better deals or offerings.

Exam 2: Certified Cloud Security Professional (CCSP)