CCSK QB

Which of the following is an effective way of segregating different cloud networks and datacenters in a
hybrid cloud environment?

Ans: Bastion Virtual Network

Which of the following statements is not true regarding "Instance-managed encryption"?

Ans: The volume can be protected by a passphrase

________ is a Cloud Overlay Network.

Network virtualization that allows networks to span multiple base networks.

Which of the following WAN virtualization technologies is used to create networks which span multiple
base networks?

Cloud Overlay Network

The ability of a cloud services datacenter and its associated components (servers, storage and so on)
to continue operating in the event of a disruption, such as equipment failure, a power outage or a
natural disaster, is known as:

Resiliency

Which is the set of technologies designed to detect conditions indicative of a security
vulnerability in an application in its running state?

Ans: DAST

-----------------------------------------------------------------Data---------------------------------------------------------

Which of the following are key Data functions?

Ans: Access, Process & Store

What is a Controller in the context of Privacy and Data Protection?

Ans: The natural or legal person, public authority, agency, or any other body which alone or jointly with
others determines the purposes and means of the processing of personal data.

To help model data handling and controls for data security what can be used?

Ans: Data Security Lifecycle

Which of the following functions maps to all the phases of the Data Security Lifecycle?

Read / Access

Who is responsible for the safe custody, transport, data storage and implementation of business rules
in relation to the privacy?

Data Custodian

-----------------------------------------------------------------General---------------------------------------------------------

REST APIs are the standard for web-based services because they run over HTTPS and work well across
diverse environments.

True

Why is a service-type network typically isolated on different hardware?

It manages the traffic between other networks

What is the process to determine any weaknesses in the application and the potential ingress, egress,
and actors involved before the weakness is introduced to production?

Threat Modeling

Key benefit provided to the customer in Infrastructure as a Service Model?

Ans: Transfer of Cost of Ownership

Logical design of data center might be affected by which of the following topics?

• Virtualization technology

• Cloud management plane

• Multi tenancy

Ans: All of these

Which of the following guidelines should be followed when utilizing encryption?

1. Encrypt using sufficiently durable encryption strengths

2. Use open, validated formats

3. Use proprietary encryption formats whenever possible

Ans: 1 & 2

Storage encryption provides protection against what?

Ans: Hardware theft

Which of the following is NOT a typical approach of Key Storage in cloud?

Cloud Service Provider Managed

The "authentication" component of identity, entitlement and access management (IdEA) is best
defined by which of the following:

Ans: Establishing/asserting the identity to the application

To address application security in a Cloud computing environment how should an SDLC be modified?

Ans: Updated threat and trust models

Identity and Access Management (IAM) includes which of the following?

• Identification, authentication and authorization
• Identification, authentication, authorization and non-repudiation
• Identification, authentication, authorization and encryption
• Identification, authentication, authorization and delegation
• Identification, authentication, authorization and deletion

Network logs from cloud providers are typically flow records, not full packet captures

True

Which of the following statements regarding service administrator accounts is not true?

• Service administrator accounts are more suited for common daily use.
• Service administrators help compartmentalize individual sessions.
• Service administrator accounts can expose the entire deployment.
• Service administrator accounts manage parts of the service.

By which of the following can scoping and review tasks be sped up?

Ans: Engaging auditors with experience in the cloud space

Consider the statement: Information Lifecycle Management is a mature field that maps well to
the needs of security professionals. State whether it is correct or incorrect.

Ans: Incorrect

Select the key control factor for protecting and managing data in the cloud:

Ans: Access Controls

Does cloud computing require stronger collaboration between lawyers and technology
professionals?

Ans: Correct

Is accepting the risk of an entire cloud provider going down often a legitimate option?

Correct

What is the validity period of attestations and certifications?

There is no period of validity

Why must particular attention be paid to BC/DR routines involving multiple jurisdictions?

Potential violation of contracts with data residency requirements

Select the validity of the following statement: "The incident response processes should be updated
for serverless computing."

Statement is Correct

Code execution environments that run within an operating system, sharing and leveraging resources
of that operating system are called?

Container

What describes a data (information) dispersion fragmentation scheme?

When a File is split into fragments and all of the fragments are sent to multiple physical storage
repositories.

Which cloud services feature refers to the unilateral provisioning of computing capability as needed by
the consumer?

On-demand self-service

Identify the encryption method used if object storage is used in an application's back-end.

Client / Application encryption

What minimizes the blast radius if an attacker compromises an individual system?

Configuring applications on distinct virtual networks, only connecting where needed

Which statement is applicable for a workload?

Statement 1. A workload is a unit of processing, which can be in a virtual machine

Statement 2. A workload always runs somewhere on a processor and consumes memory

Statement 3. A workload is a unit of processing, which cannot be in a virtual machine, a container, or
any other abstraction

Statement 4. A workload does not run on a hardware stack

Only 1 and 2

Which cloud deployment model consists of 2 or more cloud services which are unique entities but
bound by standardized or proprietary technology for data and application portability?

Hybrid Cloud

Which of the following statements regarding SDN (Software Defined Networking) is not CORRECT?

Does not overlay the overlapping addresses

Which of the following statements regarding SDN (Software Defined Networking) is not true?

• SDN firewalls apply to more flexible criteria than hardware-based firewalls.
• SDN firewalls apply to single assets or groups of assets.
• SDN firewall rules can be applied to any asset or groups of assets with a particular tag.
• SDN firewall rules can apply to a specific network location only (within a given virtual
network).
• SDN firewalls can define both ingress and egress rules.

Containers provide full security isolation and task segregation?

INCORRECT

Which of the following refers to a model that allows customers to closely match resource
consumption with demand?

Rapid elasticity

A framework of containers for all components of application security, best practices, catalogued and
leveraged by the organization, is called:

ONF

Which of the vulnerabilities is inherited from general software development practice in PaaS
environment?

Backdoors

In order to determine the critical assets and processes of the organization, it must first conduct a:

Business Impact Analysis (BIA)

Containers can be implemented without the use of VMs at all and run directly on hardware?

Correct

Which of the following leverages virtual network topologies to run more, smaller, and more isolated
networks without incurring additional hardware costs that historically make such models prohibitive?

Microsegmentation

In the IaaS hosted environment, who is ultimately responsible for platform security?

Customer

Cloud architectures necessitate certain roles which are extremely high-risk. Examples of such roles
include CP system administrators and auditors and managed security service providers dealing with
intrusion detection reports and incident response.

They are known as high-risk because their malicious activities can lead to abuse of high privilege roles
and can impact the confidentiality, integrity and availability of data.

Incorrect

Cloud customers can do a vulnerability assessment of their whole infrastructure in the cloud just like they
conduct a vulnerability assessment of their traditional infrastructure.

Incorrect

Which of the following is correct about Due Care & Due Diligence?

Due diligence is the act of investigating and understanding the risks a company faces, whereas due care
is the development and implementation of policies and procedures to aid in protecting the company, its
assets and its people from threats.

Interoperability is the ability that enables the migration of cloud services from one cloud provider to
another or between public cloud and a private cloud.

Incorrect

Which are the two major categories of network virtualization commonly seen in cloud computing
today?

Software Defined Networks and Virtual Private Networks

When virtual machines may communicate with each other over a hardware backplane, rather than a
network, it gives rise to

Blind spot

What is it called when you lose control of the amount of content on your image store?

Sprawl

What is a type of computing comparable to grid computing that relies on sharing computing resources
rather than having local servers or personal devices to handle applications?

Cloud Computing

The most pragmatic option for data disposal in the cloud is which of the following?

Crypto shredding

Ben was working on a project and hosted all its data on a public cloud. The project is now complete
and he wants to remove the data. Which of the following is the best option for him in order to leave no
remanence?

Cryptographic erasure

Which of the following is NOT a component of Software Defined Perimeter as defined by Cloud
Security Alliance working group on SDP?

SDP Client

The basis for deciding which laws are most appropriate in a situation where conflicting laws exist,
refers to?

The Restatement (Second) Conflict of Law


In which service model is the cloud consumer responsible only for managing authorizations and
entitlements?

SAAS

Which of the following is a key benefit of the private cloud model?

Assurance of Data Location

Who manages Web Consoles, which are an important component of the Management Plane?

Cloud Service Provider

The cloud service provider is responsible for platform security in the Platform as a Service (PaaS) model

Incorrect

Which of the following can lead to vendor lock-in?

Lack of transparency in terms of use

Under the new EU data protection rules, data destruction and corruption of personal data:

Are considered forms of data breaches and require notification

Which of the following is a key consideration in Data security but does not feature in Data Security Life
cycle?

• Storage protocol
• Access Method
• Storage Location
• Storage Device

The six components that make up STRIDE are:

Spoofing: Attacker assumes identity of subject
Tampering: Data or messages altered by an attacker
Repudiation: Illegitimate denial of an event
Information disclosure: Information obtained without authorization
Denial of service: Attacker overloads system to deny legitimate access
Elevation of privilege: Attacker gains a privilege level above what is permitted.

The management plane controls and configures the:

Metastructure

Which of the following is a key tool for enabling and enforcing separation and isolation in
multitenancy?

Management Plane (Metastructure)

Metrics which govern the contractual obligations of cloud service are found in?

Service Level Agreements (SLA)

The intermediary that provides connectivity and transport of cloud services between the CSPs and the
cloud service consumers is called:

Cloud Carrier

Which of the following documents defines the roles and responsibilities for risk management between
a cloud provider and a cloud customer?

Contract

Which of the following help to intermediate IAM between an organization's existing identity providers
and many different cloud Services used by the organization?

Federated Identity Provider

What is the characteristic that allows the cloud provider to meet various demands from customers
while remaining financially viable?

Resource pooling

Cloud service providers leverage which of the following to manage costs and enable capabilities?

• On-demand self-service
• Broad network access
• Economies of scale
• Measured service
• Resource Pooling

The relationship between the shareholders (and other stakeholders) of the organization versus the
Senior Management of the organization is governed by:

Corporate Governance

Which document defines the minimum levels of service, availability, security, controls, processes,
communication & support?

Service Level Agreements (SLA)

Which one of the following is NOT a phase of SDLC?

Deploying

Multi-tenancy and shared resources are defining characteristics of cloud computing. However,
mechanisms separating storage, memory, routing may fail due to several reasons. What risk are we
talking about?

Isolation Failure

The nature of contracts with cloud providers will often preclude things like on-premises audits. What
options does the customer have in this situation?

Third Party Attestation

Which of the following is a form of a compliance inheritance in which all or some of the cloud
provider's infrastructure and services undergo an audit to a compliance standard?

Pass through Audit

Which of the following can the cloud provider implement to mitigate credential compromise or
theft?

Anomaly detection

Which of the following is not an example of vendor lock-in?

Custom SaaS applications

VM hopping is an attack that is possible in the event of what failure?

Hypervisor isolation failure

A company administrator determines that the best approach to dealing with any sudden increases in
network traffic is to create an auto-scaling group that will create an unlimited number of web servers
to meet increased demand.

What has the administrator created?

The administrator has created an economic denial of service scenario if there is ever a denial of service
attack against the company.

Which of the following is not considered a vulnerability associated with the risk of loss of business
reputation due to co-tenant activities?

Object Storage

What should always be done to protect against possible management interface compromise where an
attacker gains access to your cloud environment (select the best answer)?

Implement MFA on all privileged accounts

Which of the following is a key area of control for the cloud provider network architecture?

DDoS

Moving to the cloud creates a Greenfield opportunity to reexamine what?

How you manage information and find ways to improve things

What does an authorization determine?

Who is allowed to access certain information and/or data

Alice wants to update, but not replace, a file via a REST API. What method should Alice use?

PATCH

Which of the following defines the ease with which application components are moved and reused
elsewhere regardless of provider, platform, OS, infrastructure, location, storage, the format of data,
or APIs?

Portability

Which of the following is the main purpose behind microsegmentation?

It is a fine-grained approach to grouping machines that limits blast radius

Select two attributes that a virtual appliance should have in a cloud environment.

Failover & Autoscaling

Before beginning a vulnerability assessment (VA) of one of your running instances, what should be
done first?

Determine whether a provider allows customers to perform a VA and if any advance notice is required.

Why must the provider encrypt hard drives at the physical layer?

• It prevents data from being compromised as a result of theft.
• It prevents data from being accessed by others via the virtual layer.
• It prevents data from being compromised after the drive is replaced.
• Both (It prevents data from being compromised as a result of theft) and (It prevents data from
being compromised after the drive is replaced).

Which of the following is the number one security priority for a cloud service provider?

• Implementing SDN firewalls for customers
• Isolating tenant access to pools of resources
• Securing the network perimeter
• Offering network monitoring capability to customers

Nathan is trying to troubleshoot an issue with a packet capture tool on a running instance. He notices
clear-text FTP usernames and passwords in the captured network traffic that is intended for another
tenant's machine. What should Nathan do?

• This is normal behavior in a cloud. He should contact the other tenant and advise them that
using clear-text credentials in a cloud is a bad idea.
• Nathan should contact the other tenant and submit his finding for a bug bounty.
• This is not possible because FTP is prohibited in a cloud environment
• He should contact the provider and advise them that he will be canceling his use of their cloud
services because the provider has failed to isolate the network.

What are the benefits of a virtual network compared to physical networks?

• You can compartmentalize application stacks in their own isolated virtual networks, which
increases security.
• An entire virtual network can be managed from a single management plane.
• Network filtering in a physical network is easier
• All of these are true.

How is a storage pool created?

• The provider uses direct storage with a bunch of hard drives attached to a server.
• The provider uses a storage area network.
• The provider uses a NAS
• The provider builds the storage pool however they want.

Why is volatile memory a security concern for providers?

• It isn't. Volatile memory protection is the customer's responsibility.
• Volatile memory may contain unencrypted information.
• Volatile memory may contain credentials.
• Both (Volatile memory may contain unencrypted information) and (Volatile memory may
contain credentials) are correct.

Which area of incident response is most impacted by automation of activities?

Containment, eradication, and recovery

Upon investigation of a potential incident, what should be performed first?

• The master account credentials should be retrieved and used to perform an investigation of
the metastructure to ensure that the attacker is no longer in the management plane.
• Every account should be logged off and their passwords reset
• Every server should be terminated.
• Snapshots of every instance should be performed using APIs

How can a server instance be quickly quarantined in an IaaS environment?

• Perform a snapshot.
• Log on to the server instance and disable all user accounts.
• “Pause" the instance if the vendor allows such action.
• Change the virtual firewall rule set to allow access only from an investigator workstation.

Which of the following is a consideration concerning log data supplied by a provider?

• It will meet legal chain-of-custody requirements.
• It is in a format that can be used by customers.
• It is supplied in a timely manner to support investigation.
• (It will meet legal chain-of-custody requirements.) And (It is in a format that can be used by
customers.) are correct.

How often should incident response plans be tested?

Annually

Which phase does proactive scanning and network monitoring, vulnerability assessments, and
performing risk assessments fall under?

• Preparation
• Detection
• Containment, eradication, and recovery
• Post-incident

What is (are) the most important aspect(s) of incident response in a cloud environment?

Setting service level agreements and establishing roles and responsibilities

What is the purpose of an "Application Stack Map"?

• To understand the various systems that are used as part of an application
• To understand where data is going to reside
• To understand the programming languages used in an application
• To understand the various dependencies associated with an application

What is a cloud jump kit?

A collection of tools needed to perform investigations in a remote location

What is a role?

• A role is a part of federation. It is how your group membership within your company is granted
entitlements in your IaaS provider.
• A role is the job you perform at work.
• A role is a temporary credential that is inherited by a system within a cloud environment.
• All of these are correct

Which of the following phases of data security lifecycle typically occurs nearly simultaneously with
creation?

• Save
• Store

Which of the following is NOT one of the vulnerabilities that can lead to the risk of "abuse of high
privilege roles" or "Cloud provider malicious insider"?

• Lack of data centre hardware redundancy
• Poor enforcement of role definitions
• System and OS vulnerabilities
• AAA Vulnerabilities

When creating business strategies for cloud migration, which is the most important aspect?

• Hiring a cloud broker
• Evaluating current staff for their capabilities
• Due Diligence when inspecting technologies and choosing a cloud provider
• Choosing the right auditor

Which is the correct sequence of Cloud Data life cycle phases?

• Create, Store, Use, Share, Archive, Destroy
• Create, Use, Share, Store, Archive, Destroy
• Create, Use, Store, Archive, Share, Destroy
• Create, Share, Use, Store, Archive, Destroy

Like security and compliance, BCP/DR is not a shared responsibility?

Incorrect

Business Continuity and Disaster Recovery is not a shared responsibility and the cloud user is
completely responsible for it.

False

Which of the following is key component of regulated PII components?

• Data disclosure
• Mandatory Breach Reporting
• Cloud Service Provider Consent
• E-discovery

Where does the encryption engine and key reside when doing file-level encryption?

• On the client side
• On the KMS attached to the system
• On the instance attached to the system
• Encryption engine resides on the server and keys on the client side

-----------------------------------------------------------------ENISA---------------------------------------------------------

Which of the following is not one of the categories of risks as defined in the ENISA (European Network
and Information Security Agency) document on security risks and recommendations?

Ans: Environmental Risk

ENISA: What is an example of a user provisioning vulnerability?

Ans: Credentials are vulnerable to interception and replay.

ENISA: Lock-in is ranked as a high risk in ENISA research, a key underlying vulnerability causing lock in
is:

Ans: Lack of completeness and transparency in terms of use

ENISA: Which of the following is not one of the five key legal issues common across all scenarios?

Global Proliferation

Which of the following could be considered a malicious insider as per ENISA Top Security Risks?

Provider's auditor (ENISA document lists provider employees and contractors as potential malicious
insiders)

-----------------------------------------------------------------Container---------------------------------------------------------

Which of the given options is not applicable to the compute abstraction types?

Ans: A container cannot run directly on hardware

State whether it is correct or incorrect that containers provide security isolation.

Ans: Incorrect

Which of the following statements is accurate when discussing the differences between a container
and a virtual machine?

• A virtual machine can be moved to and from any cloud service provider, while a container is tied
to a specific provider.
• A container contains the application and required dependencies (such as libraries). A virtual
machine contains the operating system, application, and any dependencies.
• Containers remove the dependency of a specific kernel. Virtual machines can run on any
platform.
• All of these are accurate statements.

How do containers perform isolation?

• They perform application layer isolation.
• They perform isolation at all layers like a virtual machine does.
• They perform isolation of the repository
• All of these are correct

Which of the following components in a container environment require access control and strong
authentication?

• Container runtime
• Orchestration and scheduling system
• Image repository
• All of these

-----------------------------------------------------------------BCP/DR---------------------------------------------------------

Which term is used to describe the use of tools to selectively degrade portions of the cloud to
continuously test business continuity?

Chaos Engineering

What layers of the logical stack should be considered as part of BCP / DR?

• Infostructure
• Metastructure
• Infrastructure
• All layers of the logical model

Which of the following needs to be part of business continuity planning by the customer?

• Determining how the IaaS provider will fix any availability issues in your application
• Using contracts to ensure that DR does not result in a different jurisdiction being used to store
and process data
• Determining how to guarantee availability in the DR region by discussing your DR plans with
the vendor
• Implementing chaos engineering

Which of the following introduces the most complexity when considering a multicloud approach to
BCP/DR:

• Applistructure
• Metastructure
• Infrastructure
• Infostructure

What is the key difference between Business Continuity and Business Continuity Management?

Business Continuity is the capability of the organization whereas Business Continuity Management is the
holistic process.

-----------------------------------------------------------------SDN---------------------------------------------------------

Which of the following is/are the accurate statement(s) about the differences between SDN and
VLAN?

• SDN isolates traffic, which can help with micro segmentation. VLANs segment network nodes
into broadcast domains.
• VLANs have roughly 65,000 IDs, while SDN has more than 16 million.
• SDN separates the control plane from the hardware device and allows for applications to
communicate with the control plane.
• All of these are accurate statements.

How is management centralized in SDN?

• By using northbound APIs that allow software to drive actions at the control layer
• By using southbound APIs that allow software to drive actions at the control layer
• By removing the control plane from the underlying networking appliance and placing it in the
SDN controller
• SDN is a decentralized model

Which of the following decouples the network control plane from the data plane and allows networking
to be abstracted from the traditional limitations of a LAN?

Software defined networking

-----------------------------------------------------------------Structure---------------------------------------------------------

According to Cloud Security Alliance logical model of cloud computing, which of the following defines
the protocols and mechanisms that provide the interface between the infrastructure layer and the
other layers:

Metastructure

Which plane is used by consumers to launch virtual machines or configure virtual networks?

Management Plane

According to CSA Security guidelines, there are four layers of Logical Models for Cloud Computing.
Which of the following is not one of the layers as defined by Cloud Security Alliance?

Ans: Softstructure

When it comes to securing the management plane, how are access identification, authentication, and
authorization implemented?

Identity and Access Management (IAM)

If an attacker gets into your management plane, they have full remote access to your entire cloud
environment.

True

The data and information like content in database or file storage are part of which layer of Logical
Model?

Infostructure

Who manages the web console which is one of the ways the management plane is delivered?

Cloud Provider

What level of privileges should be assigned to a user account with access to the metastructure?

Least privileges required to perform a job

When you're using immutable servers, how should administrative access to the applistructure be
granted to make changes to running instances?

Administrative access should be limited to the operations team. This is in support of the standard
separation of duties approach to security.

Administrative access should be limited to the development team. This is in support of the new
approach to software development, where the developers own the applications they build.

Administrative access should be restricted for everyone. Any changes made at the applistructure level
should be made to the image, and a new

Which of the following adds an abstraction layer on top of networking hardware and decouples the network
control plane from the data plane?

• VLANs
• Virtual Private Networks
• Converged Networks
• Software Defined Networks

Which layer is the most important to secure because it is considered to be the foundation for
secure cloud operations?

Infrastructure

Which of the following controls and configures the metastructure, and is also part of the
metastructure itself?

• Management Plane
• API Gateway
• Web Application Firewall
• Network Firewall

In Platform as a Service (PaaS), platform security is a responsibility of:

• Customer
• Cloud service provider
• It's a shared responsibility
• Neither of them

Identifying the specific threats against servers and determining the effectiveness of existing security
controls in counteracting the threats is known as:

• Risk Assessment
• Risk Determination
• Risk Management
• Risk Mitigation

Which of the following are the communication methods for components within a cloud, some of which (or
an entirely different set) are exposed to the cloud users to manage their resources and configurations:

• Data Identifiers
• Application Programming Interfaces (API)

Which of the following is NOT one of the common networks underlying Cloud Infrastructure?

• Service Network
• Management Network
• Security Network

Which of the following is an exploit in which the attacker runs code on a VM that allows an operating
system running within it to break out and interact directly with the hypervisor:

• VM rootkit
• VM Escape
• VM DOS
• VM HBR

No policy on resource capping can lead to:

• Data manipulation
• Data disclosure
• Resource Exhaustion

In a cloud scenario, who is the data processor and who is the data controller?

• Cloud Service Provider is the data controller and its customer is the data processor
• Neither cloud service provider nor customer is data processor or data controller.
• Cloud Service Provider is the data processor and its customer is the data controller

In cloud services, risks and responsibilities are shared between the cloud provider and the customer;
however, which of the following holds true?

• Cloud provider has ultimate legal liability for unauthorized and illicit data disclosures
• Cloud Customer has ultimate legal liability for unauthorized and illicit data disclosures
• Cloud Customer liability is limited to financial responsibility
• Cloud Provider liability is limited to financial responsibility

Ensuring that the use of data and information complies with organizational policies, standards and strategy,
including regulatory, contractual, and business objectives, is known as:

• IT Governance
• Enterprise Governance
• Corporate Governance
• Data Governance

Which of the following will not be provided by cloud services when requested by the customer?

Details of security controls

Which is the primary tool used to manage identity and access management of resources spread across
hundreds of different clouds and resources?

• SAML 2.0
• Entitlement Matrix
• Federation
• Active Directory

Which of the following standards defines the Application Security Management Process?

• ISO 27032-1
• ISO 27034-1
• ISO 27032-1
• ISO 27036-1

-----------------------------------------------------------------Governance---------------------------------------------------------

Extending information governance to include cloud services requires

Both contractual and security controls

When deploying Security as a Service in a highly regulated industry or environment, what should both
parties agree on in advance and include in the SLA?

The metrics defining the service level required to achieve regulatory objectives.

-----------------------------------------------------------------Audits-----------------------------------------------------------------

Attestations and certifications are activities that will be valid at any future point in time and providers
must keep any published results readily available for quick reference.

INCORRECT

Which is the key mechanism used by organizations that supports, assures and demonstrates
compliance?

Audits

ANF and ONF are referred to in which of the following ISO standards?

Ans: ISO 27034-1

Which standard offers guidelines for information security controls applicable to the provision and use
of cloud services?

ISO 27018

Which of the following establishes commonly accepted control objectives, controls and guidelines for
implementing measures to protect Personally Identifiable Information (PII) in accordance with the
privacy principles in ISO/IEC 29100 for the public cloud computing environment?

ISO 27018

Which of the following is true about the pass-through audit which is a form of compliance
inheritance?

Provider's infrastructure is not within the scope of customer's audit / assessment

Which of the following is a form of compliance inheritance in which the cloud service provider takes
responsibility for the costs and maintenance of certifications for its infrastructure or services?

Pass-through Audit

Standards like the SSAE 16 have a defined scope, which includes both what is assessed (e.g. which of
the provider's services) as well as which controls are assessed. A provider can thus "pass" an audit
that doesn't include any security controls, which isn’t overly useful for security and risk managers.

Correct

Which of the following is an assurance program and documentation registry for cloud provider
assessments?

Ans: CSA Star


Which of the following is true when we talk about compliance inheritance?

• Cloud Service Provider's infrastructure is out of scope in the customer's compliance audit
• Cloud Service Provider's infrastructure should be included in the customer's compliance audit
• Everything the customer configures and builds on top of the certified services is out of scope of
Customer Compliance Audit program
• There is no need for compliance audit by customer since the Cloud Service Provider is already
compliant.

Define Third-Party Attestation.

• Legal statements to communicate the results of an assessment or audit.

-----------------------------------------------------------------CCM-----------------------------------------------------------------

Which of the following is NOT true about the CSA Cloud Controls Matrix (CCM)?

Define the Cloud Audit Methodology

ISO 27001 certification can be taken as proof of achieving the third-party assessment level in the CSA STAR
program?

Correct

CCM: in the CCM tool, "Encryption and Key Management" is an example of which of the following?

Domain

CCM: A hypothetical company called: "Health4Sure" is located in the United States and provides cloud
based services for tracking patient health. The company is compliant with HIPAA/HITECH Act among
other industry standards. Health4Sure decides to assess the overall security of their cloud service
against the CCM toolkit so that they will be able to present this document to potential clients.

Which of the following approaches would be most suitable to assess the overall security posture of
Health4Sure's cloud service?

The CCM domains are not mapped to the HIPAA/HITECH Act. Therefore Health4Sure should assess the
security posture of their cloud service against each and every control in the CCM. This approach will
allow a thorough assessment of the security posture.

Which of the following tools lists cloud security controls and maps them to multiple security and
compliance standards?

Cloud Controls Matrix


What is the role of the Scope Applicability column in the CCM?

Maps the existing industry standards to the controls in the domains

What can be used to determine what actors are allowed to do and what they're not allowed to do?

Entitlements

The following list of controls belongs to which domain of the CCM? GRM 04 - Management Program;
GRM 05 - Support / Involvement; GRM 06 - Policy; GRM 07 - Policy Enforcement

Governance and Risk Management

CCM: The following list of controls belongs to which domain of the CCM? GRM 06 - Policy; GRM 07 -
Policy Enforcement; GRM 08 - Policy Impact on Risk Assessments; GRM 09 - Policy Reviews; GRM 10 -
Risk Assessments; GRM 11 - Risk Management Framework

Governance and Risk Management

Which one of the following is NOT a level of the CSA STAR program?

• Third-party attestation
• Self-assessment
• Continuous-monitoring program
• Technology Audit program

The Cloud Security Alliance STAR Registry is used for which of the following purposes?

• Used by cloud providers to document their security and compliance controls
• List all cloud security controls mapped to multiple security standards
• To publicly release certifications and attestations
• Used by cloud providers to keep all the service contracts and service level agreements

CCM: The CCM provides an anchor-point and common language for balanced measurement of security
and compliance postures.

With the CCM, all supply chain parties can speak the same language?

True

Which of the following tools provides a standard template for cloud providers to document their
security and compliance controls?

• Consensus Assessments Initiative Questionnaire
• Cloud Controls Matrix
• Cloud Provider Contracts
• Supplier (cloud provider) Assessments
• Cloud Security Alliance STAR Registry

Which of the following statements about CSA's CCM and Security Guidance is not true?

• CSA's CCM provides a set of controls and maps them to multiple security and compliance standards.
• CSA's CCM tells you WHAT to do. CSA's Security Guidance tells you HOW to do it.
• CSA's Security Guidance provides a set of best practices and recommendations.
• CSA's Security Guidance tells you WHAT to do. The CCM tells you HOW to do it.
