CCSP QUESTIONS EXCEL

The document outlines various questions and answers related to cloud computing, covering topics such as attributes, characteristics, and roles of cloud services. It includes multiple-choice questions with corresponding correct answers, focusing on aspects like IaaS, PaaS, SaaS, security concerns, and deployment models. Additionally, it references frameworks and principles relevant to cloud computing environments.

Question | Type (multiple choice or multi-select) | Answer Option 1 | Answer Option 2 | Answer Option 3 | Answer Option 4 | Correct Response


Which of the following are attributes of Minimal High cost and Rapid Limited 1
Which of the following are distinguishing
cloud computing? management
Have some unique
Be able to provisioning
Have some access
Be ableandto 4
characteristics
Which of the following
of a managed
are cloud
service effortofand
form
Cloud a resources
remotely
CSP and and slow
form
Cloud ofservice
a help Cloud
serviceservice
remotely 2
provider?
computing
Which of the
roles?
following are essential shared
NOC
On-demand
customer but no Unmeasured
monitor and Resource
backup release
desk
broker but and
ofno Broad
providerand
auditor
monitor and 1 4
characteristics
Which of cloud are
of the following computing?
considered to resources
help
and
self-service
Data, financial
desk.
access manage
service
Storage, resources
NOC.
user
isolation
CPU, RAM, interaction
object
network
manage
Data, CPU, 3
(Choose
be
When
the using
building
two.)
an IaaS
blockssolution,
of cloudwhat is the auditor
control,
To provision objects
provider
networking,
To for
provision storage,
To provision and To objects
access
RAM, and
for
provision 4
When using
computing?
capability an IaaS to
provided solution, what is a key
the customer? virtualization
Metered
processing, and printing,
the customer
processing,
The ability andto Increased
networking
processing, Transferred
the customer
access
processing,control 1
When
benefitusing a PaaS
provided to solution, what is the
the customer? , and
priced
To
storage, services
deployusage anddeploy
virtualization
scale
storage,
To reactively
up energy
storage,
To deploy and cost
anddeploy
storage,
To of 3
capability
What provided
is a key to the
capability orcustomer?
characteristic of onto
on
Support thethe
networks, basis
for a maintain
infrastructure
Ability
onto
networks, to and Support
the cooling
onto
networks,theforand ownership
a Ability
proactively
networks,
onto theto and 2
PaaS? using a SaaS solution, what is the
When of
andunits
cloud other
homogenous
To use the other
these
services
reduce
cloud
To useobjects system
other
lock-in To
the single
clouduse the manually
other
maintain
cloud
To use the 1
What are the
capability four cloud
provided to thedeployment
customer? consumed
hosting
infrastructur
fundamental
provider’s
Public, under on
fundamental
based
infrastructure
External,
provider’s efficiencies
programming
fundamental Public,
infrastructure
Public,
consumer’s scale
these objects
fundamental
consumer’s
infrastructure 4
models?
What are the six stages of the cloud secure ecomputing
provider-
Create,
environment
applications
internal, use, Create,
management.
projected
applications
computing
private,
consumer- store, Create,
language
computing
private,
applications
consumer- share,
joint, Create,
under
computing
consumer-
applications
private, 2
data lifecycle?
What are SOC 1/SOC 2/SOC 3? created
store,
Risk
resources
running
hybrid, or
share,
and
on a use,
resources
usage
hybrid,
Access
created
running share,
and store,
on a Audit
or resources
and
created
running archive,
on a Software
reports
or archive,
management.
resources
hybrid,
running
created use,a
and
on
or 3
What are the five Trust Services archive,
management
acquired
where the
cloud
community
Security, and archive,
where the
community
controls
Security,
acquired
cloud and Security,
use,
where
community
cloud and
acquired the share,
development
where store,
Security,
cloud
community
acquired the 1
principles?
What is a security-related concern for a destroy
frameworks
Virtual
consumer is
applications
infrastructur
Availability, destroy
infrastructure
Auditability,
applications
Web
provider is destroy
Data access
Availability,
applications
provider
infrastructure is and
phases destroy
Availability,
System
consumer andis
infrastructure
applications 4
PaaS solution? created
machine
notThe
e. ableusing
Processing to application
Theto using and
able
Processing
.created Thepolicies
able
.created
Customer using resource
to deploy able
Processing
Theto using
.created
programmin
attacks
deploy and
applications
Integrity, security
deploy and
Integrity,
programming
applications and run
Integrity,
programming
applications Integrity,
isolation
deploy and
applications
programming
grun
Confidentiali
are languages,
arbitrary Confidentialit
arbitrary Confidentialit
languages,
are
run accessible accessible Confidentialit
languages,
arbitrary
are run accessible
are arbitrary
languages,
What are the three things that you must libraries,
accessible
software,
ty,
Management
and software,
y,
Function,
andvarious
from
libraries, Privacy Actors,
software,
y, andvarious
from
libraries,Privacy Lifecycle,
software,
y, andvarious
libraries,
from 2
Which of thebefore
understand following
you are
canstorage types
determine the Volume
services,
whichvarious
from
,Privacy canand
and location,
Structured
which devices
client
services, policies,
and Unstructured
which devices
services,
client and
and Volume
Nonrepudiati
function,
which devices
services,
client and
and
and 4
necessary
used
Which with
of the
an
controls
IaaS
following
solution?
to deploy
are data
forstorage
data tools
provisioning,
block
Raw
include
client that
and
devices
OSs actors
and
tools object
can include
Structured
through procedures
and
that the Unstructured
tools
can include
through that the Tabular
on
cost
object
can include
through
tools and
that the 2
protection
types
Which used
of the
in
with
following
a cloud
a PaaSenvironment?
can
solution?
be deployed to the provider
through
and
block
Encryption
location OSs and
and
SLAs
provider
either a thin Masking
OSs and
ephemeral
and
provider
either a thin Continuous
OSs and
object
consumer
either a thin 1 3
help ensure
Where wouldthe theconfidentiality of data
monitoring engine bein On a user’s
supports.
applications
either a thin In the storage
applications
unstructured
supports.
client The Near
applications
ephemeral
supports.
client the The On applications
client
monitoring
a VLANThe
supports. 3
When using
the cloud?
deployed whentransparent
(Choose
using two.)encryption of aDLP
a network-based Thethe
At
workstation
client On
systemthe does In
provider
interface, organizational
a key does Within
provider
interface, interface,
consumer the 4
database,
system?
What whereanalysis
are three does the encryption
methods used consumer
application
Metadata,
interface, instances
Metadata,
not manage
such as a web Statistical
gatewayas a web Bit
management
not manage
such database
does
such splitting,
nota web
as 1
engine
In thedata
with context of privacy
discovery and data
techniques? using
doeswho
such
labels,
One the
not
as and
a attached
structural
One
browser who(for
or control to
can
the The
analysis,
systemnatural
browser
or control (foror A
the natural
browser
labels,
manage and
oror
(for 3
reside?is the what
protection,
What CSA CCM?
is a controller? manage
database
content
A
cannot
web setbrowser
ofbe or the volume
analysis,
be identified,
example,
underlying
An inventory and
web- A ofandweb- An
underlying
labels,
legal
set person,
example, content
legalinventory
person,
example,
control theweb- 2
Which of the following are common control
(for
analysis
identified,
regulatory the
example,
Persistent cloud
labels
directly
Persistent
of cloud
based or
email), cloud email), Persistent
based
content
software
Persistent
public analysis
public
of cloud
underlying
based email), 1
What are the
capabilities offour
IRMelements
solutions?that a data requirement
Retention
underlying
web-based
protection,
directly or indirectly,
protection,
infrastructure
or
service
Retention
a program in Retention
analysis
authority,
development
infrastructure
protection,
or authority,
service
a program Retention
cloud
or a program
protection, 4
retention policy should define? cloud
sindirectly,
periods,
for CSPs
email),
dynamic ordata
ain particular
, including
interface.
static
security
periods, policy by periods,
The
data , including
dynamic
agency,
lifecycle
interface. data
or The periods,
agency,
security
dynamic
interface. or
data
infrastructureThe
infrastructur
program
access
particular
policy by consumer
reference
control,
network,that
controls
formats, to formats,
data requirements
network,
consumer
policy
any data formats,
control,
other any
controls
other
, including
policy
consumer that
data
control,
methods,
e, includingto
interface.
control,
reference an
automatic
servers,
does
are
security,
arranged
manageand security,
does
body
for
servers,thatand security,
CSPs
manual not body
are
does arranged
network,thatand
manage
automatic
Explanation | Knowledge Area
Explanation: “Cloud computing is a model for enabling ubiquitous, convenient,
According tonetwork
on-demand the MSP access Alliance, to typically
a sharedMSPs pool of have the following
configurable computing
Explanation:
resources
distinguishing (e.g.,The following groups
networks,
characteristics: servers,form storage,the key roles and functions
applications, and services) associated thatwith
“The
can
■■beHave
cloud NIST
rapidly
computing. someDefinition
provisioned
They of
form ofNOC
do Cloud
not and Computing,”
released
constitute
service anwith
exhaustive the essential
minimal listmanagement
but highlight effort the main or
service
The
■■building
characteristics
roles and
Have provider
functions
some blocks interaction.”
of cloud
form ofof
within cloud
computing
cloud
help computing
desk are
computing: are composed of RAM, CPU,
as follows:
service
According
—“The
storage,
■■ On-demand Cloud
Can NIST
and tocustomer:
remotely “Theself-service:
Definition
networking. NIST
monitorAn Definition
of Cloud
andAmanage
individual oforCloud
Computing”1
consumer orComputing,”
all can
entity aunilaterally
that in
utilizesoforprovision
majority IaaS,
subscribes
the objects computing
to cloudbased
for the
IaaS
“the has
capabilities,
services a
capability
customeror resources. number of
provided key benefits
to the for
consumer organizations,
is to which
provision include
processing, but storage,
networks,
According
are
such
■■ notasCSP:
Can limited
serverto
A “The to these:
time
company
proactively NIST
and Definition
network
that
maintain provides
the ofcloud-based
storage,
objects Cloud
asunder Computing,”
needed automatically
platform,
management in PaaS,
for without
infrastructure,
the customer application,
PaaS
and
“the
■■
requiring
or
■■ should
other
capability
storageUsage
Canhuman have
fundamental
is
services the
provided
metered
deliverinteraction following
to other
these and computing
to the
priced key
with each
organizations
solutions on capabilities
consumerresources
with somethe basis
service is
form toofand
where
deploy
provider.
or individuals, unitscharacteristics:
the
(or
of predictable onto consumer
the
instances)
usually billing cloud
for a fee; is able
consumed. to
otherwise
model, This
where
deploy
According
infrastructure
■■
can
■■ also and
Support
Broad to run
beclients
billed“The
network arbitrary
multiplebackNIST software,
Definition
alanguages
toservice.”Cloud
access: specific and ofwhich
Cloudarecan
frameworks:
departments
Capabilities orinclude
Computing,”
available PaaS
functions. over operating
shouldin SaaS, Asystems
support multiple andentity
known
the customer to knows “as with great accuracy backup
what her service
regular ITthe
provider: network
management and accessed
third-party
According
applications.
consumer-created
“The
programming
■■ capability
It has to “The provided
languages NIST
or toacquired
and Definition
to up applications
the consumer
frameworks, of Cloud thus Computing,”
iscreated
to
byuse
enabling using
the theservices the thin
developers cloud
programming
provider’s applications
ortoon code
through
that
expense manages willanbe
standard andability
mechanisms
holds scale that and down
promote infrastructure
use heterogeneous based thick actual
The
As
languages,
running
deployment
in consumer
with
whichever systems models does
language and not
other
areasthey manage
asmobile
follows:
prefer or
organizational control
or the tablets,
design the
assets, underlying
data should cloud have infrastructure
a
usage.
client
operational platforms (such
responsibilities for phones,
cloud-based data requirements
laptops,services
backup specify.
and workstations). In recentto
and solutions
but
on
An
■■ a has
SOC
libraries, cloud control
1
is“Private is
services, over
infrastructure.
a report and operating
on controls
tools The systems,
applications
at
supported a service
bystorage,
are
the and
organization
accessible
provider. deployed
The that
from mayapplications;
various
consumer besource clientby
does and
not
times,
This
■■
customers significant
particularly
Resource acloud:
from pooling: strides
useful
central The and
and
The
data cloud
efforts infrastructure
beneficial
provider’s
center. havewhere been
computing is provisioned
taken
there to
areensure
resourcessignificantfor
areexclusive
that open
spikes
pooled touse
serve a
SOC
possibly
manage
devices
relevant
single 2organization
reporting
through
toboth a user was
either specifically
entity’s
comprising aand
thin
internal designed
client
multiple control
interface, forover
consumers IT-managed
suchfinancial
(e.g.,as a web service
reporting.
browser AnIt(e.g.,
SOC web-
2
stacks
and
■■dips
multiple are
CSB: within supported
Typicallythe usage curve
a third-party utilized,
for thus or reducing
infrastructure.
entity company thatbusiness
“lock-in” looks toor units).
issues
extend may
orwith
enhance
limited
or
based
reportcontrol
Explanation:
providers
be owned, control
andthePaaS
managed,cloudof select
underlyingsecurity
computing.
and networking
cloud
concernsThe byreport components
infrastructure
areorganization,
focused
specifically including
on(e.g.,
athe host
network,
areas
addresses firewalls).”2
shown
any orservers,
number (Figure A.2).
of the
interoperability
■■
consumers
value It
to has using
multiple when
a reduced acustomers costoperated
changing
multitenant CSPs.
ofofownership.
model,
cloud-based the
with There is nothrough
different
services need
physical third party,
torelationships
buy
and assets
virtual some
forwitheveryday
e-mail),
is
System
five
■■ based
operating and
so-called
combination or
onathe
Multiple program
of Trustexisting
them,
hosting Services
andinterface.
SysTrust
principles,
itliaison
may
environments: The
andThe
exist consumer
WebTrust
on-whichor follow:does
principles.
off-premises.The
ability to supportnot manage The
cloud purpose
or control
ofof an
infrastructure theSOC
is
use,
resources
multiple dynamically
CSPs. It acts assigned
as a and reassigned
between cloud according
services to aconsumer
wide
customers variety
and demand.
CSPs,
systems,
underlying
2
Resource
■■ or storage, but has control over the deployed applications and possibly
There lossSecurity:
provisioned
underlying
no
selecting is ofa asset
sensefor Theexclusive
value system
of location overuse is by
time, protected
and reduced
independence
against
in costs
that
unauthorized
theof maintenance
customer
access,and
generally
both physical and
support.
has no
configuration
cloud
report
Isolations infrastructure
is
logical.Availability:
ahosting
specific to
community settings
evaluate Theincluding
an
of for the
system
consumers application-hosting
organization’s
network,
iscooling
available
from information
servers,
for
organizationsoperation environment.”3
operating
systems
that and havesystems,
relevant
useshared asIT” storage,
to
committed security,
concerns or
■■
control
the It
bestor environments
has a reduced
knowledge
provider for for
energy the
overcustomer
each the platform
and
exact is
location
and keycosts
monitoringto
of meeting
along
thethe with
provided
the customer
“green
services. resources requirements
The but may environment
To
or determine
availability,
User even
agreed. individual the necessary
application controls to
capabilities, be deployed,
with you must
possible first
exception of limited
(e.g.,
and
effect
be
CSB able mission,
demands.
with
can tobe optimum
specify security
Whether
utilized userequirements,
location
as apublic
of atITacloud,
“middleman” resources
higher policy,
private
leveland and
toofcloud,
systems. compliance
abstraction
broker local
theSOC best (such considerations).
hypervisor,
deal asand or
country,
customize It
state,
IaaS
understand
■■ uses
user-specific
processing
Level the
Processing the following
integrity,
application
following:
Integrity: storage
confidentiality,
System types:
configuration or
processing settings.”4
privacy. An 3 report is also based
may
bare
or data
services be
metal, owned,
center).
to the managed,
supporting
Examples
customer’s and
multiple
ofdata operated
hosting
resources
requirements. by one isstorage,
environments
includeMay
complete,
oralsomore of the
allows
resell
accurate,
processing,
cloud organizations
the timely, in
application
memory,
services.
and
and and
PaaS
on
Permissions
■■ the
authorized.utilizes
existing
Volume
Functions the following
SysTrust
storage:
of the A
data and
virtual storage
WebTrust
hard drivetypes:
principles,
that can belike a
attached SOC 2
to report.
a VM The
instance
the
network
■■ community,
developer Cloud or
bandwidth. a third
administrator
service party,
auditor: to or some
migrate combination
the application of them,
when andand asit may
required. exist onor
This
It
■■
be
■■ isused
important
difference
User Structured:
to
Locations host
Confidentiality: todata
ofbe theaware
Information
withindata
Informationa Third-party
of the
file a highorganization
relevant
withsystem.
designated dataassecurity
degree
Volumes ofattachedthat
organization,
confidential
verifies
technologies
toisIaaS attainment
such of SLAs.
thatasinclusion
instances
protected committed
off-premises.
can
■■ alsoRapid be used as
elasticity: a form of
Capabilities contingencycan be and continuity
elastically and
provisioned to ensure the ongoing
DLP
is
Access
you
in
■■
or
that maytool
aagreed.
behave the
relational
just
Actors implementations
needSOC
like toa3deploy
database
upon report
physical
the The typically
isordoesworknot
seamless
dataOnce drive with
or
you conform
detail
and
an to the
ensure
readily
array
understand totesting
does. the
searchable
and following
AIC
Examples performed.
document ofby datasimple,
include inand
these released,
theVMware
cloud.
straightforward
three items, in you
■■ “Public
availability.Flexibility:
some cloud: cloud
Traditionally, infrastructure
platform is provisioned
providers provided for open
features use by
and the
For
search
VMFS,
can database
Management
topologies:
Potential
designengine
Amazontheencryption,
controls and solutions
algorithms
EBS,
appropriate you
or other
Rackspace should
can search
RAID,understand
include operations. the following
andtheOpenStack
following: Cinder. options:
■■
general
requirementsPrivacy: Personal information is collected, used, retained, disclosed, and
cases
Data
Protection
■■
■■
controls automatically,
discovery
File-level
DIM:
Encryption:
Unstructured:
Objectand tools
Sometimes
storage:
apply For to
encryption: scale
differreferred
preventing
Information
Object
them tomanaged, by rapidly
technique
Database
storage
the systemto as outward
unauthorized
that does
is and
servers
network-based
like not
a
tooperated and
typically
file
safeguard data
reside inward
data-matching
share or
viewing
in
data a commensurate
reside
gateway abilities.
on
traditional
accessed
and control volume
DLP.
via Inwithdemand.
storage.
row-column
APIs
access this
or a web For
disposed
public.
that they It may
felt be
suited owned,
the client and
requirements, along bywitha business,
what suited academic,
their or
service
To
Where
Assume
this the
Against consumer,
the
you
deployment,
topology,
■■
database.
interface.
to it. DLP: purposes
wanted the tocapabilities
you aredata
For auditing
Unstructured andfind means
credit
encrypting
and preventing
files available
of
card
often processing
theinclude
volumefor
numbers.
unauthorizedprovisioning
text are
Data
or folder determined
discovery
data often
ofexfiltration
and(monitoring),
multimedia appear
by
tools
the database, national
for
content. databases
with
of in These
government
offering conformity
and
controls withcan
organization,
positioned thethembe of
as
a preventive,
provider’s
or some the privacy
combination
provider
detective
of policy.
of
choice,them. It
with exists
limited on orthecorrective
options premises
for login
The
or
Malware/
to
use
the
■■ be CSA
community
encryption
monitoring
Examples CCM
unlimited
a couple
File include isand
andofdatabase an
laws
methods
engine
engine essential
can
email
Amazonorand regulations,
beto
isaccesskeys
deployed
messages,
S3 andand
appropriated
find up-to-date
andnear
residing
monitor:word the
thenthe
Rackspace in
oncontroller
any
identify
For the security
quantity
detecting
processing cloud or
information.
instances
organizational controls
the
at
documents,
files. specific
any
attached
gateway
unauthorized time.
Most framework
toto
videos, criteria
use
the tofor
special
volume.
monitor
access photos, datahis
nature.
of the CSP.
the
■■ customers
nomination
Backdoors/
that
The following
isMeasured
credentials
External
outgoing addressed
fileto maytotable
scan
system
protocols move
beto
service:
internal easily.
designated
illustrates
the
encryption
such cloud
Cloud
as This
database
HTTP, keyby
systems has
community
protects
HTTPS, changed
national
capabilities and
automatically
structures,
from media
SMTP, drastically,
oritemize
community
common
stakeholders.
and control
theft,tables
FTP. towith
lost law.
IRM
and Aextensibility
backups, fundamental
optimize
columns, andcan and
resource
and
external
stored
audio in
files, files and
presentations, databases web pages, and many other kinds ofThe topology
business documents.
■■
flexibility
A
richness
The data
Trojans “Hybrid now
retention
customer
solutionsPersistentofdoesthe cloud:
afforded The cloud
toanagainst
meeting infrastructure
the needs and is a composition
requirements of of two
developer or more
use
then aby
attack
be
■■
Note leveraging
analyze
but
mixture
Obfuscation,
that althoughwhat policy
CCM
ofdetermines
not
proxyawasmetering
protect isits
sortsorganization’s
isbased,
protection
found.
anonymization,
these
ability
thecapability
Three
bridge,
of files
to
ultimate
Ensures provide
basic
attacks
network
tokenization,
may
purpose
atthat
some established
mapping
analysis
with
have
documents,
level
andmethods
access
tapping,
an orand
ofmasking:
the
of
to
internal protocol
the
SMTP cross
processing
messages,
abstraction
are for
relationships
employed:
application
structure,relays.
Different and
they
and
appropriate
To scan with
decides
layer,
alternatives
distinct
audiences.
the
on the
attachments
retaining outsourcing
informationare or
protected
for the delegation
operational of allrelational
ormechanisms
regulatory or part ofdatabases
compliance the concernedneeds. activities to
to
arethe
■■
the
encrypted
for the
still type
Metadata:
instance’s of service
HTTPS
protection
considered Data
OS, of or (such
that
traffic,
data the
unstructured as
describesstorage,
database
appropriate
without data;processing,
itself.
encryption
because all
the data they bandwidth,
to enable
containSSL and
does store notThe
active
interception objectives
fituser
metadataneatlythat
cloud
This
external
main
at rest, infrastructures
has inbeen
organizations.
industry-accepted
transit, (private, community, or public) that remain unique entities
areheavily
of and influenced
Therefore,
even security
after by open
the
standards,
they’re source,
customer
distributed which
actsto
regulations, allows
as aand
recipients relevant
controller.
controls Inorthis
frameworksrole,
in aa broker
data
accounts).
describes
■■
and database retention
Resource
tables
Transparent and
requiredpolicy
usage
column
encryption: toare can
be to bekeep
attributes.
Many
integrated important
monitored,
database-management
into the information
controlled,
system and for
systems
architecture. future
reported, haveuse
providing
the ability
but
such
the
DynamicareLabels:
plug-ins
reference, bound
topolicy
to together
beSometimes control
quickly
organize byAllows
and standardized
efficiently
information content or proprietary
owners
areitintroduced technology
to define
into athe and
platform. that
change enables
user
transparency
■■
to encrypt DAR: the for
Where
entirebothdatabase
the
data provider
elements
referred tosoand
or specificas can
the
grouped bebased.
consumer
portions,
storage searched
with such of
In and
the
tag
as
this thataccessed
utilized
tables. describes
topology, The at
service. athelater
encryption
the DLP date,
data.
engine
Which of the following methods for the Physical Encryption Overwriting Degaussing 2
safesupport
To disposalcontinuous
of electronic
operations,
records can
which destruction
Application Audit logging, Audit logging, Transaction 3
always
of the following principles should be logging, contract and contract and logging,
adopted as partaof
be used within the security
cloud operations
environment? contract and authority authority contract and
policies? authority maintenance, maintenance, authority
What is a cloud carrier? maintenance
A person, secure usage,
The secure
A person or The maintenance, 2
Which of the following statements about , secure
organization,
SDN enables and incident
intermediary
SDN’s disposal,
organization
SDN enables and SDN’s
secure
intermediary 1 4
With
SDN isregards
correct? to (Choose
management
two.) of the The
disposal,
or
you abilityand
entity
to to response
that
A guaranteed
provides
objective is to incident
A
that
youmaximum
to disposal,
that
A guaranteed
provides
objective and
is to 2
compute
What is the
resources
key issueofassociated
a host in awith
cloudthe execute
businessthe
responsible
arbitrate
Data the legal a
Access
connectivity
minimum
provide response
Data
execute
maintains
ceiling forthelegal
a Continuous
DR a clearly
business
maximum
offer 1
environment,
What
object types
storageof risks
type are
thattypically
the CCSPassociated
has to issues
continuity
for
control
consistency,
Loss making
of plane a preparation
control
and
resource
Guest transport
clearly preparation
resource
consistency,
business
control
Guest plane Guestpreparation
monitoring
continuity
resource
defined andof 3
whatvirtualization?
be
with
When does
usinga areservation
SaaS solution,
provide?
who is associated
preparation
service
which
governance,
Both
software the
is on of cloud
defined
allocation
breakout,
The allocation.
software
which
The CSPis only
relationship
breakout, on Both
cloudCSP
separate
allocation
breakout, and
services 4
aware of?
responsible
Which of thefor application
following security? of
are examples A
general-
with
available
achieved
snapshot
cloud specific
service
to
and services
snapshot
that
enterprise
Segmentation
networkmustand be achieved
A web
specific
This
with, and only
ceiling
snapshot uses Storage
and the enterprise
between
that
knowledge
networkmust ofbea 2 3
trust zones?
What are the(Choose
relevanttwo.)
cloud infrastructure compute
application
service
purpose
only
image
consumer
Rapid after between
met
image
according
Rapid
control
only by the to
plane may
after
Rapid
service
application
hardware,
image be
change
fixed, Continuous
from, cloudby
met
baseline
level
control service
the
required
plane 3
characteristics that can be considered resource
being
consumers
change
security,
and
elasticity,
hardware, theusedand CSPs
host
availability,
department
elasticity,
to with
and
manage allowing
or
propagation
elasticity,
CSPsit may
security,
with a two- for
and monitoring,
consumers
host
to
configuration
manage,
with
distinct to
contention
propagation
sprawl
enterprise
provider-
allowingcarry out for a cloud service
and
physical
broad
network to
broad
theabinding
tiered
be
sprawl specified of broad
on
manage
physical
and asprawl
advantages in realizing a BCDR plan situations.
general
theall replica
to
specific consumers
compute
compliance
network
traffic that is expandable,
percentage
network
architecture
specific of network
compute
workstation
objective
What is REST?
with regards to cloud computing Resource
function
A protocolhas
instances
network
decoupling not
resources
connectivity,
A software
separated to network
allowing
replica
connectivity,
The namefor of The
connectivity,
resources
traffic thattois 2
What are the phases of a software
environments? such
Planning
from as
contention
specification
taken
connectivity,specific
placeand Defining,
allow
and
architecture
fromathea guest instances
and
hardware
the a pay-per-
process
Planning has Planning
and and a apay-per-
intermediary
allow
separated and
guest 1
development
When does anlifecycle
XSS flawprocess
occur? model? implies
printing
for
requirement
Whenever
network
and thatan
a pay- planning
Whenever
to power and
multitenancy
style
forwarding onan acquisition
taken
use
Whenever
model
anplacean
requirements
configurations
that of Whenever
use
requirements
to model
power
process
from thethatonan 2
What are the six components that make there
sexchanging
application
Spoofing,
analysis,
per-use
hardware are too requirements
application
Spoofing,
and
model
consisting
plane.operate.
Thisof . Further, the Spoofing,
more
organization
application
Spoofing,
analysis, provides
analysis,
application
and operate.
forwarding 1
In
upathe
federated environment,
STRIDE threat model?who is the defining,
takes
configuration
many
structured
tampering,
The
model trusted
relying analysis,
tampering,
The
takes relying
guidelines
approach takes
useperson
compute
or
tampering,
The of
defining,trusted The
relying designing,
business
takes relying
tampering,
plane. This 3
relyingare
What party,
the five
and steps
what does
used it
todo?
create an requests
information
designing,
data
Specifying
s
repudiation,
party and
is thefor designing,
untrusted
nonrepudiatio
party
and
allows isfor
best
Assessing the resources
data
party
Specifying
and
is thethe Specifying
designing,
who
repudiation,
moves
software- defining,
untrusted
party
continuity
repudiation,
approach is theofthe 4
ASMP? resources
in
developing,
sends
information
identity
the
and the it to a
allowing developing,
data
n,
serviceand for
practices
network
application application
basedbetween
through
data
sends
information
service
testing, it to
a a application
cloud
developing,
data
information
customer;
permits and
services
he
testing,
web
for the
based
implementati
disclosure,
provider;
applicationbrowser
on and
use it of
the testing,
information
provider;
sends
controlitto
creating
security and
to ita
risks, web browser
controllers
borrowing
CSPs
disclosure,
provider;
requirements
developing, testing,
consumes
usesitto requirements
between
sends it and
disclosure,
network to the
a
actual
on
maintenance
without
requirement
commodity
DoS,
consumes and maintenance
web
disclosure,
consumes
scalable
become browser
specifying webthe scheme
with
consumes
and
permitsand
document
DDoS, afromthe and
maintenance
web
tokens
cloud
DoS,
control browser
and that
to
At which of the following levels should sthe and
available
of
proper
elevation
Compute
web
servers.tokensof without
DoS,
tokens
Storageand
services
directly
applicationthat viewroot
the
what
proper
elevation
tokens
environment,
Control of
hethat
maintenance the
plane
isof Management
consumers
with
social
the
becomeidentity
environment, 1
logical design
Which for data separation
of the following be name
is the correct validation
nodes
Concurrently
Further,
resources
services
privilege
that
environment
the andthe
in or elevation
the
nodescustomer
proper and
Fault-Tolerant
programmabl
requirements validation
Basic
network
resource
doing
privilege
the
assessing
and Sitethat
identity
session or Redundant
provider
plane
and
proper and
engineering
CSPs
directly
assessing 4
incorporated?
Which
for TierofII the following
of the UptimeisInstitute
the Data currently
computer
escaping
,service
network
Maintainable
creating
Between
use of 62° in validation
of
generates.
application
Site
e and
Between
and privilege
for 64° or escaping
provider
application
Infrastructure
presents (the
Between validation
generates.
presentation
Site
a64° Between
programmabl
application or
60° 2
Center of
recommended
Which Site the
Infrastructure
following
operatingarerange
Tier
supported
Standard
for the
networks
provider
and
Kerberos
FSite
andsystem.
software- 81° F escaping
TLS
FInfrastructure
dynamic
and 81° F
environment, logical
host).
generates.
SRP
Fsecurity
and 84°risks, F escaping
L2TP
FInfrastructure
e and 85°
security distinct
F
risks, 1 3
temperature
authentication
are the and
Topology?
What methods
two biggestfor iSCSI?
challenges Infrastructur
and
based 40
generates.
maintaining
Access and 40 andof
Auditability
adjustment
creating and
switch
provisioning
Configuration Capacity
30 to the Training
and
from40 and
creating 3
humidity
(Choose
associated
When two.)
inwith
setting a data
upthecenter?
resource
use of sharing
IPSec inwithin
cloud a ethe
Reservations
ANF,and
percent
controllers
control and and
Limits
traffic flows
percent
maintainingand and
Clusters
operating
percent
applications
management and SharesComponents
percent
customers
forwarding,
maintaining andon 4
computing
host cluster, which option would you assessing
patch
65 percent
permits a governance
to address
60
thepercent
ANF, running
the
and
60 percent allowing
60
how
the percent
to use
ANF, for
environments?
choose to mediate resource contention? relative
view of the
application
management relative
changing
provisioning relative
above,
application,
performance relative
dynamic
provisioning
IPSec and
security
humidity
network that patterns
humidity
and of
operating auditing
allowing the
humidity for documentatio
humidity
adjustment
and operating of
To safely dispose of electronic records, the following options are available:
■■ Physical destruction: Physically destroying the media by incineration, shredding, or other means.
■■ Degaussing: Using strong magnets for scrambling data on magnetic media such as hard drives and tapes.
■■ Overwriting: Writing random data over the actual data. The more times the overwriting process occurs, the more thorough the destruction of the data is.
■■ Encryption: Using an encryption method to rewrite the data in an encrypted format to make it unreadable without the encryption key.
■■ Crypto-shredding: Crypto-shredding is the process of deliberately destroying the encryption keys that were used to encrypt the data originally.

Because the first three options are not fully applicable for cloud computing, the only reasonable method remaining is encrypting the data. The process of encrypting the data to dispose of it is called digital shredding or crypto-shredding. The data is encrypted with the keys and is rendered unreadable (at least until the encryption protocol used can be broken or is capable of being brute-forced by an attacker). To perform crypto-shredding, the data should be encrypted completely without leaving clear text in the system. The technique used must make sure that the encryption keys are totally unrecoverable. This can be hard to accomplish if an external CSP or other third party manages your keys.

To support continuous operations, the following principles should be adopted as part of the security operations policies:
■■ Audit logging: Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs. They must adhere to applicable legal, statutory, or regulatory compliance obligations and provide unique user access accountability to detect potentially suspicious network behaviors or file integrity anomalies through forensic investigative capabilities in the event of a security breach. The continuous operation audit logging is composed of three important processes:
■■ Detecting new events: The goal of auditing is to detect information security events. Policies should be created that define what a security event is and how to address it.
■■ Adding new rules: Rules are built to detect new events. Rules allow for mapping of expected values to log files to detect events. In continuous operation mode, rules have to be updated to address new risks.
■■ Reducing false positives: The quality of the continuous operations audit logging depends on the ability to gradually reduce the number of false positives to maintain operational efficiency. This requires constant improvement of the rule set in use.
■■ Contract and authority maintenance: Points of contact for applicable regulatory authorities, national and local law enforcement, and other legal jurisdictional authorities should be maintained and regularly updated as per the business need (that is, a change in impacted scope or a change in any compliance obligation). This ensures that direct compliance liaisons have been established and will prepare for a forensic investigation requiring rapid engagement with law enforcement.
■■ Secure disposal: Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media. This ensures data is not recoverable by any computer forensic means.
■■ Incident response legal preparation: If a follow-up action concerning a person or organization after an information security incident requires legal action, proper forensic procedures, including chain of custody, should be required for

According to NIST's Cloud Computing Synopsis and Recommendations, the following first-level terms are important to define:
■■ Cloud service consumer: Person or organization that maintains a business relationship with, and uses service from, CSPs.
■■ Cloud service provider: Person, organization, or entity responsible for making a service available to service consumers.
■■ Cloud carrier: The intermediary that provides connectivity and transport of cloud services between CSPs and cloud consumers.

According to OpenNetworking.org, software-defined networking is defined as the physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices. This architecture decouples the network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services. The SDN architecture has the following characteristics:
■■ Directly programmable: Network control is directly programmable because it is decoupled from forwarding functions.
■■ Agile: Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs.
■■ Centrally managed: Network intelligence is (logically) centralized in software-based SDN controllers that maintain a global view of the network, which appears to applications and policy engines as a single, logical switch.
■■ Programmatically configured: SDN lets network managers configure, manage, secure, and optimize network resources quickly via dynamic, automated SDN programs, which they can write themselves because the programs do not depend on proprietary software.
■■ Open standards based and vendor neutral: When implemented through open standards, SDN simplifies network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.

2. Which of the following statements about SDN are correct? (Choose two.)
a. SDN enables you to execute the control plane software on general-purpose hardware, allowing for the decoupling from specific network hardware configurations and allowing for the use of commodity servers. Further, the use of software-based controllers permits a view of the network that presents a logical switch to the applications running above, allowing for access via APIs that can be used to configure, manage, and secure network resources.
b. SDN's objective is to provide a clearly defined network control plane to manage network traffic that is not separated from the forwarding plane. This approach allows for network control to become directly programmable and distinct from forwarding, allowing for dynamic adjustment of traffic flows to address changing patterns of consumption.

The use of reservations, limits, and shares provides the contextual ability for an administrator to allocate the compute resources of a host.
■■ A reservation creates a guaranteed minimum resource allocation that must be met by the host with physical compute resources to allow for a guest to power on and operate. This reservation is traditionally available for either CPU or RAM, or both, as needed.
■■ A limit creates a maximum ceiling for a resource allocation. This ceiling may be fixed, or it may be expandable, allowing for the acquisition of more compute resources through a borrowing scheme from the root resource provider (the host).
■■ Shares are used to arbitrate the issues associated with compute resource contention situations. Resource contention implies that there are too many requests for resources based on the actual available resources currently in the system. If resource contention takes place, share values are used to prioritize compute resource access for all guests assigned a certain number of shares. The shares are weighed and used as a percentage against all outstanding shares assigned and in use by all powered-on guests to calculate the amount of resources each guest is given access to. The higher the share value assigned to the guest, the larger the percentage of the remaining resources.

A trust zone can be defined as a network segment within which data flows relatively freely, whereas data flowing in and out of the trust zone is subject to stronger restrictions. Some examples of trust zones include demilitarized zones (DMZs); site-specific zones, such as segmentation according to department or function; and application-defined zones, such as the three tiers of a web application.

Virtualization has a number of risks. Although other risks might not appear in virtualized environments, there are distinct risks that can be drawn out and that you generally have to address yourself:
■■ Guest breakout: This occurs when there is a breakout of a guest OS so that it can access the hypervisor or other guests. This is presumably facilitated by a hypervisor flaw.
■■ Snapshot and image security: The portability of images and snapshots makes people forget that images and snapshots can contain sensitive information and need protecting.
■■ Sprawl: This occurs when you lose control of the amount of content on your image store.

Amazon S3 and other object storage systems provide REST APIs that allow programmers to work with the containers and objects. You can store, retrieve, copy, and delete files, along with their metadata, as well as control which users can undertake these actions.
■■ REST: A software architecture style consisting of guidelines and best practices for creating scalable web services.
■■ SOAP: A protocol specification for exchanging structured information in the implementation of web services in computer networks.

Consider this visual of the CCSP responsibility matrix across the cloud environment (Figure A.3). Cloud computing has distinct advantages for BCDR, which follow:
■■ Rapid elasticity and on-demand self-service lead to a flexible infrastructure that can be quickly deployed to execute an actual DR without hitting unexpected ceilings.
■■ Broad network connectivity reduces operational and security risks.
■■ Cloud infrastructure providers have resilient infrastructure, and an external BCDR provider has the potential for being experienced and capable because their technical and people resources are being shared across a number of tenants.
■■ Pay-per-use can mean that the total BCDR strategy can be a lot cheaper than alternative solutions. During normal operation, the BCDR solution is likely to have a low cost. Of course, as part of due diligence in your BCDR plan, you should validate all assumptions with the candidate service provider and ensure that they are documented in your SLAs.

In the NIST Cloud Computing reference model, the network and communication function is provided as part of the cloud carrier role. It may be delivered over IPv4 and IPv6 through the public Internet, and the IP network might not be part of the cloud environment itself.

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.

In the STRIDE threat model, the following six threats are considered:
■■ Spoofing: Attacker assumes identity of subject
■■ Tampering: Attacker alters data or messages
■■ Repudiation: Illegitimate denial of an event
■■ Information disclosure: Information is obtained without authorization
■■ Denial of service: Attacker overloads system to deny legitimate access
■■ Elevation of privilege: Attacker gains a privilege level above what is permitted

ISO/IEC 27034-1 defines an ASMP to manage and maintain each application. The ASMP is created in five steps:
1. Specifying the application requirements and environment
2. Assessing application security risks
3. Creating and maintaining the ANF
4. Provisioning and operating the application
5. Auditing the security of the application

The software development lifecycle process model includes the following phases:
■■ Planning and requirements analysis: Business and security requirements and standards are being determined. This phase is the main focus of the project managers and stakeholders. Meetings with managers, stakeholders, and users are held to determine requirements. The software development lifecycle calls for all business requirements (functional and nonfunctional) to be defined even before initial design begins. Planning for the quality assurance requirements and identification of risks associated with the project is also done in the planning stage. The requirements are then analyzed for their validity and the possibility of incorporating them into the system to be developed.
■■ Defining: This phase is meant to clearly define and document the product requirements to place them in front of the customer and get them approved. This is done through a requirement specification document, which consists of all the product requirements to be designed and developed during the project lifecycle.
■■ Designing: This phase helps in specifying hardware and system requirements and overall system architecture. The system design specifications serve as input for the next phase of the model. Threat modeling and secure design elements should be discussed here.

In a federated environment, there is an identity provider and a relying party. The identity provider holds all the identities and generates a token for known users. The relying party is the service provider and consumes these tokens.

5. In a federated environment, who is the relying party, and what does it do?
a. The relying party is the identity provider; it consumes the tokens that the service provider generates.
b. The relying party is the service provider; it consumes the tokens that the customer generates.

Logical design for data separation needs to be incorporated at the following levels:
■■ Compute nodes
■■ Management plane
■■ Storage nodes
■■ Control plane
■■ Network

The Uptime Institute is a leader in data center design and management. Their "Data Center Site Infrastructure Tier Standard: Topology" document provides the baseline that many enterprises use to rate their data center designs. The document describes a four-tiered architecture for data center design, with each tier progressively more secure, reliable, and redundant in its design and operational elements.

The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) Technical Committee 9.9 created a widely accepted set of guidelines for optimal temperature and humidity set points in the data center. The guidelines are available as the 2008 ASHRAE Environmental Guidelines for Datacom Equipment. These guidelines specify a required range of temperature and humidity, as follows:
■■ Low-end temperature: 64.4° F (18° C)

A number of authentication methods are supported with iSCSI:
■■ Kerberos: A network authentication protocol designed to provide strong authentication for client/server applications by using secret key cryptography. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection.

The two key challenges with the use of IPSec are as follows:
■■ Configuration management: The use of IPSec is optional, and as such, many endpoint devices connecting to cloud infrastructure do not have IPSec support enabled and configured. If IPSec is not enabled on the endpoint, then depending on the configuration choices made on the server side of the IPSec solution,

Within a host cluster, resources are allocated and managed as if they are pooled or jointly available to all members of the cluster. The use of resource-sharing concepts such as reservations, limits, and shares may be used to further
When using maintenance mode, which two items are disabled and which item remains enabled? (multiple choice)
1. Customer access and alerts are disabled while logging remains enabled.
2. Customer access and logging are disabled while alerts remain enabled.
3. Logging and alerts are disabled while customer access remains enabled.
4. Customer access and alerts are disabled while the ability to deploy new VMs and power them on remains enabled.
Correct response: 1

What are the three generally accepted service models of cloud computing? (multiple choice)
1. IaaS, DRaaS, and PaaS
2. PaaS, SECaaS, and IaaS
3. SaaS, PaaS, and Ia aS
4. Desktop as a service, PaaS, and IaaS
Correct response: 3

What is a key characteristic of a honeypot? (multiple choice)
1. Isolated, nonmonitored environment
2. Isolated, monitored environment
3. Composed of virtualized infrastructure
4. Composed of physical infrastructure
Correct response: 2

What does the concept of nondestructive testing mean in the context of a vulnerability assessment? (multiple choice)
1. Detected vulnerabilities are not exploited during the vulnerability assessment.
2. Known vulnerabilities are not exploited during the vulnerability assessment.
3. Detected vulnerabilities are exploited during the vulnerability assessment.
4. Known vulnerabilities are exploited during the vulnerability assessment.
Correct response: 1

Seeking to follow good design practices and principles, the CCSP should create the physical network design based on which of the following? (multiple choice)
1. A statement of work
2. A series of interviews with stakeholders
3. A design policy statement
4. A logical design
Correct response: 4

What should configuration management always be tied to? (multiple choice)
1. Financial management
2. Change management
3. IT service management
4. Business relationship management
Correct response: 2

What are the objectives of change management? (Choose all that apply.) (multi-select)
1. Respond to a customer's changing business requirements while maximizing value and reducing incidents, disruption, and rework.
2. Ensure that changes are recorded and evaluated.
3. Respond to business and IT requests for change that aligns services with business needs.
4. Ensure that all changes are prioritized, planned, tested, implemented, documented, and reviewed in a controlled manner.
Correct response: 1, 2

What is the definition of an incident according to the ITIL framework? (multiple choice)
1. An unplanned interruption to an IT service or a reduction in the quality of an IT service
2. A planned interruption to an IT service or a reduction in the quality of an IT service
3. The unknown cause of one or more problems
4. The identified root cause of a problem
Correct response: 1

What is the difference between BC and BCM? (multiple choice)
1. BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an IT organization and the impacts to business operations that those threats, if realized, will cause.
2. BC is defined as the capability of an IT organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, will cause.
3. BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an organization and the impacts to IT operations that those threats, if realized, will cause.
4. BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, will cause. It provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of the organization.
Correct response: 4

What are the four steps in the risk-management process? (multiple choice)
1. Assessing, monitoring, transferring, and documenting
2. Framing, assessing, responding, and monitoring
3. Framing, monitoring, assessing, and optimizing
4. Monitoring, assessing, responding, and documenting
Correct response: 2

An organization will conduct a risk assessment to evaluate which of the following? (multiple choice)
1. Threats to its assets, vulnerabilities not present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk
2. Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on another organization, and the residual risk
3. Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the residual risk
4. Threats to its assets, vulnerabilities present in the environment, the likelihood that a threat will be realized by taking advantage of an exposure, the impact that the exposure being realized will have on the organization, and the total risk
Correct response: 3

What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm? (multiple choice)
1. Due diligence
2. Risk mitigation
3. Asset protection
4. Due care
Correct response: 4

Within the realm of IT security, which of the following combinations best defines risk? (multiple choice)
1. Threat coupled with a breach
2. Threat coupled with a vulnerability
3. Vulnerability coupled with an attack
4. Threat coupled with a breach of security
Correct response: 2

Qualitative risk assessment is earmarked by which of the following? (multiple choice)
1. Ease of implementation; it can be completed by personnel with a limited understanding of the risk-assessment process and provides the advantage of detailed metrics for calculating risk exposure
2. Can be completed by personnel with a limited understanding of the risk-assessment process and provides the advantage of ease of implementation
3. Detailed metrics used for calculating risk exposure, with the advantage of ease of implementation
4. Can be completed by personnel with a limited understanding of the risk-assessment process and uses detailed metrics for calculating risk exposure
Correct response: 2

SLE is calculated by using which of the following? (multiple choice)
1. Asset value and ARO
2. Asset value, LAFE, and ARO
3. Asset value and exposure factor
4. Asset value, LAFE, and SAFE
Correct response: 3

What is the process flow of digital forensics? (multiple choice)
1. Identification of incident and evidence, analysis, collection, examination, and presentation
2. Identification of incident and evidence, examination, collection, analysis, and presentation
3. Identification of incident and evidence, collection, examination, analysis, and presentation
4. Identification of incident and evidence, collection, analysis, examination, and presentation
Correct response: 3

When does the EU Data Protection Directive (Directive 95/46/EC) apply to data processed? (multiple choice)
1. The directive applies to data processed by automated means and data contained in paper files.
2. The directive applies to data processed by a natural person in the course of an activity that falls outside the scope of community law.
3. The directive applies to data processed in the course of an activity that falls outside the scope of community law, such as public safety.
4. The directive applies to data processed by automated means in the course of an activity that falls outside the scope of community law, such as public safety.
Correct response: 1

Which of the following are contractual components that the CCSP should review and understand fully when contracting with a CSP? (Choose two.) (multi-select)
1. Concurrently maintainable site infrastructure
2. Use of subcontractors
3. Redundant site infrastructure
4. Scope of processing
Correct response: 2, 4

What does an audit scope statement provide to a cloud service customer or organization? (multiple choice)
1. The credentials of the auditors, as well as the projected cost of the audit
2. The required level of information for the client or organization subject to the audit to fully understand (and agree) with the scope, focus, and type of assessment being performed
3. A list of all the security controls to be audited
4. The outcome of the audit, as well as any findings that need to be addressed
Correct response: 2

Which of the following should be carried out first when seeking to perform a gap analysis? (multiple choice)
1. Define scope
2. Identify potential risks
3. Obtain management support
4. Conduct information gathering
Correct response: 3

What is the first international set of privacy controls in the cloud? (multiple choice)
1. ISO/IEC 27032
2. ISO/IEC 27005
3. ISO/IEC 27002
4. ISO/IEC 27018
Correct response: 4

What is domain A.16 of the ISO 27001:2013 standard? (multiple choice)
1. Security Policy Management
2. Organizational Asset Management
3. System Security Management
4. Security Incident Management
Correct response: 4

What is a data custodian responsible for? (multiple choice)
1. The safe custody, transport, storage of the data, and implementation of business rules
2. Data content, context, and associated business rules
3. Logging and alerts for all data
4. Customer access and alerts for all data
Correct response: 1

What is typically not included in an SLA? (multiple choice)
1. Availability
2. Change management process
3. Pricing
4. Dispute mediation process
Correct response: 3
Maintenance mode is utilized when updating or configuring different components of the cloud environment. While in maintenance mode, customer access is blocked, and alerts are disabled. (Logging is still enabled.)

According to "The NIST Definition of Cloud Computing," the three cloud service models are as follows:
■■ SaaS: Customers use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (for example, web-based email) or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, OSs, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
■■ PaaS: Consumers can deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools that the provider supports. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, OSs, or storage, but has control

A honeypot is used to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored and that seems to contain information or a resource of value to attackers.

During a vulnerability assessment, the cloud environment is tested for known vulnerabilities. Detected vulnerabilities are not exploited during a vulnerability assessment (nondestructive testing) and may require further validation to detect false positives.

The basic idea of physical design is that it communicates decisions about the hardware used to deliver a system. The following is true about a physical design:
■■ It is created from a logical network design.
■■ It often expands elements found in a logical design. For instance, a WAN connection on a logical diagram can be shown as a line between two buildings. When transformed into a physical design, that single line can expand into the connection, routers, and other equipment at each end of the connection. The actual connection media might be shown on a physical design as well as manufacturers and other qualities of the network implementation.

The need to tie configuration management to change management is because change management has to approve any changes to all production systems prior to them taking place. In other words, there should never be a change that is allowed to take place to a Configuration Item (CI) in a production system unless change management has approved the change first.

Change management has several objectives:
■■ Respond to a customer's changing business requirements while maximizing value and reducing incidents, disruption, and rework.
■■ Respond to business and IT requests for change that aligns services with business needs.
■■ Ensure that changes are recorded and evaluated.
■■ Ensure that authorized changes are prioritized, planned, tested, implemented, documented, and reviewed in a controlled manner.

According to the ITIL framework, an incident is defined as an unplanned interruption to an IT service or a reduction in the quality of an IT service.

15. What is the difference between BC and BCM?
a. BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. BCM is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause.

It is important to understand the difference between BC and BCM:
■■ BC: The capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident (Source: ISO 22301:2012).
■■ BCM: A holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. It provides a framework for building

Risk-management processes include framing risk, assessing risk, responding to risk, and monitoring risk.

An organization will conduct a risk assessment (or risk analysis) to evaluate the following:
■■ Threats to its assets
■■ Vulnerabilities present in the environment
■■ The likelihood that a threat will be realized by taking advantage of an exposure (or probability and frequency when dealing with quantitative

Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and

A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual.

SLE must be calculated to provide an estimate of loss. SLE is defined as the difference between the original value and the remaining value of an asset after a single exploit.

Figure A.5 illustrates the process flow of digital forensics.
forensics has
remaining
taken
(Figureorganizational
assessment) the
value necessary
A.6). of an asset
■■
over Ensure
the deployed all changes
applications to CIspossibly
and are applicationinorganizational
the configuration
hosting resilience
environment management
resilience
asteps
after
Cloud
■■ single to
specific exploit.
help
vulnerability
forensics
Thecapability
impact that The
can formula
be and
defined
theeffective use for it
as
exposureresponsecalculating
against
applying
being realized the SLE
all company
the is as
will havethe follows:
processes or individual.
of
on interests digital
the organization Aforensics
risk is thein
with
system. the
configurations. of an that safeguards of its
with
protect
aSLE
the
■■ =the
single
likelihood asset capability
the ofvalue
exploit. company,
Countermeasures a threat (inofformula
The an × effective
$)agent
its exposure
resources,
available forthat
exploiting response
factor
and
calculating that
employees
(loss
areduce SLE
vulnerability issafeguards
due astofrom successful
follows:
and itscorresponding
possible
the keythreatprocesses,
torisks. exploit,
So due as
key
■■
■■ stakeholders,
Optimize
IaaS: The reputation,
overall
capability business brand,
provided risk;toand itcanisvalue-creating
the often
consumer
the
correct threat’s
is activities
to
to minimize
provision
ability
(Source:
business exploit
processing, ISOrisk,thebut
reputation,
diligence
abusiness
SLE
cloud%)= asset
environment. brand,(inand
value $) ×value-creating
exposure factor activities.
(loss due to successful threat exploit, as
exposure
22301:2012).
sometimes oritthat is can lessen the
appropriate to impact to the
knowingly acceptorganization
a risk because whenofa threat the potential is able to
storage,
b.%)
is BC iscan
aLosses defined
understanding
impact. include asthealack
holistic
current process
threats that
of availability and
of dataidentifies
risksassetsand due potential
duecare to data isthreatsloss, to
implementing an
theft,
exploit
benefit. a vulnerability
networks,
organization
countermeasures
alteration,
Losses
Directive and
can95/46/EC
includeother lack fundamental
of the of European computing
availability of data
Parliament resources
assetsandwhere due
of the tothe data consumer
Council loss, theft,
■■ The residual risk, or the amount of risk that is left over when appropriate
canOctober
From
and
to
or deploy
the
alteration,
of a (perhaps
provide
DoS and
24, run
contractual,
impacts
protection to
due
1995, arbitrary
regulated,
business
to
from
on thesoftware,
business and PII
operations
those
protection which
perspective,
continuity
threats. that
of Ifcan
athose
or include
individuals thethreats,
company
security OSs
following and
issues).
withdoes if not
regard applications.
realized,practice
to the mightdue
controls
TheDoS
An
cause.
care
or
should consumer
audit
and
processing BC
be scope
provides
(perhaps
due
reviewed does not
statement
diligence
due and tomanage
a frameworkprovides
pertaining
business
fully or for
understoodcontrol
the thebythe
required
tobuilding
continuity theunderlying
orlevel
securityorganizational
security
CCSP ofofwith
its cloud
information
assets,
issues).
regard infrastructure
resiliencefor
ittocan with
anybehosting the
legally
are properly applied to lessen or remove the vulnerability
butpersonal
capability
charged
Numerous
of
the has control
client
contracts (along anover
orofstages
data effective
organization
withare
and OSs,
other storage,
carried
on response
the
subject out
free
overarching toandthethat
prior
movementdeployed
tosafeguards
audit
components applications
commencing
to offullysuch the data,
understand
within and
interests
aan gap SLA): possibly
analysis
regulates
(and ofagree
its
thelimited
key
with)
An organization
ISO/IEC
stakeholders,
with
review.
processingnegligence may also document evidence of the countermeasure in a deliverable
control
the
■■ scope,
Scope 27018
ofAlthough
of
select
focus, addresses
andthey
networking
and
of processing: held
type can the privacy
ofaccountable
vary depending
components,
assessment
Clear aspects
understanding for
such
being ofperformed.
any
on cloud
asoframifications
the
host computing
thereview,
firewalls.Typically,
permissible of for
common that
types annegligence.
stages
audit
of datascope
called
reputation,
The
personal
include
consumers. an
following exhibit
thedata brand,
ISO or
domains
within
27018 evidence.
and the An
value-creating
ismake
the European up
first exhibit
the ISO
Union.
international can provide
activities.
27001:2013,
It set ofBCM
is designed an
privacyaudit
isalso
the trail
defined
tomostprotect
controls for the
aspurpose
widelyinthe
the organization
the privacy
cloud.
statement
processing includes
should the
be following:
provided. The specifications should list the for
and,
The
ISO likewise,
following
capability
following:
used
and global
27018 of evidence
theare
standard
wasstatement key
published for
roles
organization
for any internal
associated
ISMS to or
onwith
continue
implementations: external
Julydata auditors
30,management:
delivery that
2014, as a new component ofatthe
of products may or have
services questions
■■
which General
the data can ofby
be processed focusthe orISO
and objectives
utilized.
about
Within
acceptable
1.
■■
ISO Obtainthe
A.5—Security
protection Data
27001 anorganization’s
SLA,
management
of
subject:
standard. the
Policy
all following
personal
ThisISO current
Management
issupport
data
an
27018 state
contents
from
collected
individual
sets forth of
and
the
whorisk.
topics
right
afor Why
isor
code theof undertake
should
managers.
about
focus
practice be forsuch
covered
citizens
of personal anas endeavor?
oftransmission,
the
protectiondata. European
of PII in
■■ Scope
Use of of audit
subcontractors: (including exclusions)
Understanding where any processing,
Without
predefined
A.6—Corporate
Union,
2.
a■■ Define
minimum:
public Data knowing
cloudsthe levels
scope
controller: which
following
Securityand
asThis assets a are
Management
objectives.
is person critical
disruptive who and which
incident.
CSPseither alone would be
or jointly most at
with must otherwithin
risk persons an
■■
storage, Type of acting PII processors.
audit (certification, attestation, adopting
and so on)ISO/IEC 27018 operate
organization,
c.
3.
■■ BC is
A.7—Personnel
Plan
especially defined
an theititassessment
assessment
as isasnot
relatesthe
Security possible
capability
schedule.
to to
Management
the appropriately
of the
processing, thefirstusing, protect
responder
or those
in exchanging toanyassets.
continue of such delivery
data.isofThe
useAvailability
determines
under
■■
or five
Security key
of information (for
purposes
principles: example,
will foroccur.
which 99.99
requirementsAand completepercent manner of
list services
should which beanddrawn data) personal
up including data
products
4.
data
■■ Agree
processed. on a plan.
Performance
Consent: CSPs (for must example,
notformuseexpected
the personalresponse data times they receive versus maximum
for advertising response
and
■■ Assessment
the entity, location, criteria
rationale, (including ofratings)
data use (processing, transmission,
or services
protection
5. Conduct
times)
■■ Data at acceptable
directive
information
processor: encompassespredefined
gathering
In relation to the
exerciseslevels
key following
elements a
from disruptive
article 8 incident.
of the
marketing
■■ Acceptance
and storage), unlessand expressly
criteria
any limitationsinstructed or personalto do sodata,
nonpermitted by the thiscustomers.
uses. isContractually,
any person other
the than
In addition, a an
BCM
6.
■■ is
Interview
European defined
Security key as a holistic
personnel. management process that identifies potential threats
employee
customer
■■ should
Deliverables
requirement forand beprivacy
the able to of
procuring employthe data
the(for
organization example,
serviceto bewithout
informedencrypting
having as totoall stored
consent
where data and
to the
has
to
7. an organization
Review
Convention
transmitted
of the data supporting
on Human
controller and who the impacts
documentation.
Rights,
processes which tostates
business onitsbehalfoperations
intention of thetotop that
respect those thethreats,
rights of
use
■■
been ofprovided
her personal
Classification or will data befor
(confidential, advertising
utilized by athe
highly data
or marketing.
confidential,
subcontractor is secret,
essential. data secret, public, and so
