The Actual Exam Version includes actual exam questions verified by IT experts. We verify the questions and update them frequently each month, also based on members’ feedback, to keep them current with the real exam. We offer an immediate refund if questions in our Actual Exam Version do not appear in your exam. We highly recommend that you take the Actual Exam Version and then sit the exam as soon as possible.
QUESTION NO: 1
Which of the following roles is responsible for creating cloud components and the testing and validation of services?
A. Cloud auditor
B. Inter-cloud provider
C. Cloud service broker
D. Cloud service developer
Answer: D
Explanation:
The cloud service developer is responsible for developing and creating cloud components and services, as well as for testing and validating services.
QUESTION NO: 2
What is the best source for information about securing a physical asset’s BIOS?
A. Security policies
B. Manual pages
C. Vendor documentation
D. Regulations
Answer: C
Explanation:
Vendor documentation from the manufacturer of the physical hardware is the best source of best practices for securing the BIOS.
QUESTION NO: 3
Which of the following is not a component of contractual PII?
A. Scope of processing
B. Value of data
C. Location of data
D. Use of subcontractors
Answer: C
Explanation:
The value of data itself has nothing to do with it being considered a part of contractual
QUESTION NO: 4
Which of the following concepts refers to a cloud customer paying only for the resources and offerings they use within a cloud environment, and only for the duration that they are consuming them?
A. Consumable service
B. Measured service
C. Billable service
D. Metered service
Answer: B
Explanation:
Measured service is where cloud services are delivered and billed in a metered way, where the cloud customer only pays for those that they actually use, and for the duration of time that they use them.
QUESTION NO: 5
Which of the following roles involves testing, monitoring, and securing cloud services for an organization?
A. Cloud service integrator
B. Cloud service business manager
C. Cloud service user
D. Cloud service administrator
Answer: D
Explanation:
The cloud service administrator is responsible for testing cloud services, monitoring services, administering security for services, providing usage reports on cloud services, and addressing problem reports.
QUESTION NO: 6
What is the only data format permitted with the SOAP API?
A. HTML
B. SAML
C. XSML
D. XML
Answer: D
Explanation:
The SOAP protocol only supports the XML data format.
QUESTION NO: 7
Which data formats are most commonly used with the REST API?
A. JSON and SAML
B. XML and SAML
C. XML and JSON
D. SAML and HTML
Answer: C
Explanation:
JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer (REST) API, and are typically implemented with caching for increased scalability and performance.
QUESTION NO: 8
Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks?
A. Injection
B. Missing function-level access control
C. Cross-site request forgery
D. Cross-site scripting
Answer: B
Explanation:
It is imperative that an application performs checks when each function or portion of the application is accessed, to ensure that the user is properly authorized to access it. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted.
QUESTION NO: 9
Which of the following roles involves overseeing billing, purchasing, and requesting audit reports for an organization within a cloud environment?
A. Cloud service user
B. Cloud service business manager
C. Cloud service administrator
D. Cloud service integrator
Answer: B
Explanation:
The cloud service business manager is responsible for overseeing business and billing administration, purchasing cloud services, and requesting audit reports when necessary.
QUESTION NO: 10
What is the biggest concern with hosting a key management system outside of the cloud environment?
A. Confidentiality
B. Portability
C. Availability
D. Integrity
Answer: C
Explanation:
When a key management system is outside of the cloud environment hosting the application, availability is a primary concern because any access issues with the encryption keys will render the entire application unusable.
QUESTION NO: 11
Which of the following approaches would NOT be considered sufficient to meet the requirements of secure data destruction within a cloud environment?
A. Cryptographic erasure
B. Zeroing
C. Overwriting
D. Deletion
Answer: D
Explanation:
Deletion merely removes the pointers to data on a system; it does nothing to actually remove and sanitize the data. As such, the data remains in a recoverable state, and more secure methods are needed to ensure it has been destroyed and is not recoverable by another party.
QUESTION NO: 12
Which of the following cloud aspects complicates eDiscovery?
A. Resource pooling
B. On-demand self-service
C. Multi Tenancy
D. Measured service
Answer: C
Explanation:
With multi tenancy, eDiscovery becomes more complicated because the data collection involves extra steps to ensure that only those customers or systems that are within scope are turned over to the requesting authority.
QUESTION NO: 13
What does the management plane typically utilize to perform administrative functions on the hypervisors that it has access to?
A. Scripts
B. RDP
C. APIs
D. XML
Answer: C
Explanation:
The functions of the management plane are typically exposed as a series of remote calls and function executions and as a set of APIs. These APIs are typically leveraged through either a client or a web portal, with the latter being the most common.
QUESTION NO: 14
What is a serious complication an organization faces from the perspective of compliance with international operations?
A. Different certifications
B. Multiple jurisdictions
C. Different capabilities
D. Different operational procedures
Answer: B
Explanation:
When operating within a global framework, a security professional runs into a multitude of jurisdictions and requirements, and many times they might be in contention with one another or not clearly applicable. These requirements can include the location of the users and the type of data they enter into systems, the laws governing the organization that owns the application and any regulatory requirements it may have, as well as the applicable laws and regulations for the jurisdiction housing the IT resources and where the data is actually stored, which might itself span multiple jurisdictions.
QUESTION NO: 15
Which networking concept in a cloud environment allows for network segregation and isolation of IP spaces?
A. PLAN
B. WAN
C. LAN
D. VLAN
Answer: D
Explanation:
A virtual local area network (VLAN) allows the logical separation and isolation of networks and IP spaces to provide enhanced security and controls.
QUESTION NO: 16
Which of the following standards primarily pertains to cabling designs and setups in a data center?
A. IDCA
B. BICSI
C. NFPA
D. Uptime Institute
Answer: B
Explanation:
The standards put out by Building Industry Consulting Service International (BICSI) primarily cover complex cabling designs and setups for data centers, but also include specifications on power, energy efficiency, and hot/cold aisle setups.
QUESTION NO: 17
Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies?
A. IDCA
B. Uptime Institute
C. NFPA
D. BICSI
Answer: B
Explanation:
The Uptime Institute publishes the most commonly used and widely known standard on data center tiers and topologies. It is based on a series of four tiers, with each progressive increase in number representing more stringent, reliable, and redundant systems for security, connectivity, fault tolerance, redundancy, and cooling.
QUESTION NO: 18
What type of segregation and separation of resources is needed within a cloud environment for multi tenancy purposes versus a traditional data center model?
A. Virtual
B. Security
C. Physical
D. Logical
Answer: D
Explanation:
Cloud environments lack the ability to physically separate resources the way a traditional data center can. To compensate, logical segregation concepts are employed in cloud computing. These include VLANs, sandboxing, and the use of virtual network devices such as firewalls.
QUESTION NO: 19
Which United States law is focused on data related to health records and privacy?
A. Safe Harbor
B. SOX
C. GLBA
D. HIPAA
Answer: D
Explanation:
The Health Insurance Portability and Accountability Act (HIPAA) requires the U.S. Federal Department of Health and Human Services to publish and enforce regulations pertaining to electronic health records and identifiers between patients, providers, and insurance companies. It is focused on the security controls and confidentiality of medical records, rather than the specific technologies used, so long as they meet the requirements of the regulations.
QUESTION NO: 20
What is used for local, physical access to hardware within a data center?
A. SSH
B. KVM
C. VPN
D. RDP
Answer: B
Explanation:
Local, physical access in a data center is done via KVM (keyboard, video, mouse) switches.
QUESTION NO: 21
Within an Infrastructure as a Service model, which of the following would NOT be a measured service?
A. CPU
B. Storage
C. Number of users
D. Memory
Answer: C
Explanation:
Within IaaS, the number of users on a system is not relevant to the particular hosting model in regard to cloud resources. IaaS is focused on infrastructure needs of a system or application. Therefore, a factor such as the number of users that could affect licensing requirements, for example, would apply to the SaaS model, or in some instances to PaaS.
QUESTION NO: 22
Which of the following is NOT a criterion for data within the scope of eDiscovery?
A. Possession
B. Custody
C. Control
D. Archive
Answer: D
Explanation:
eDiscovery pertains to information and data that is in the possession, control, and custody of an organization.
QUESTION NO: 23
Which United States law is focused on accounting and financial practices of organizations?
A. Safe Harbor
B. GLBA
C. SOX
D. HIPAA
Answer: C
Explanation:
The Sarbanes-Oxley (SOX) Act is not an act that pertains to privacy or IT security directly, but rather regulates accounting and financial practices used by organizations. It was passed to protect stakeholders and shareholders from improper practices and errors, and it sets forth rules for compliance, regulated and enforced by the Securities and Exchange Commission (SEC). The main influence on IT systems and operations is the requirements it sets for data retention, specifically in regard to what types of records must be preserved and for how long.
QUESTION NO: 24
What type of masking strategy involves making a separate and distinct copy of data with masking in place?
A. Dynamic
B. Replication
C. Static
D. Duplication
Answer: C
Explanation:
With static masking, a separate and distinct copy of the data set is created with masking in place. This is typically done through a script or other process that takes a standard data set, processes it to mask the appropriate and predefined fields, and then outputs the data set as a new one with the completed masking done.
QUESTION NO: 25
Which of the following storage types is most closely associated with a database-type storage implementation?
A. Object
B. Unstructured
C. Volume
D. Structured
Answer: D
Explanation:
Structured storage involves organized and categorized data, which most closely resembles and operates like a database system would.
QUESTION NO: 26
Which of the following roles is responsible for overseeing customer relationships and the processing of financial transactions?
A. Cloud service manager
B. Cloud service deployment
C. Cloud service business manager
D. Cloud service operations manager
Answer: C
Explanation:
The cloud service business manager is responsible for overseeing business plans and customer relationships as well as processing financial transactions.
QUESTION NO: 27
Which protocol does the REST API depend on?
A. HTTP
B. XML
C. SAML
D. SSH
Answer: A
Explanation:
Representational State Transfer (REST) is a software architectural scheme that applies the components, connectors, and data conduits for many web applications used on the Internet. It uses and relies on the HTTP protocol and supports a variety of data formats.
QUESTION NO: 28
Which United States program was designed to enable organizations to bridge the gap between privacy laws and requirements of the United States and the European Union?
A. GLBA
B. HIPAA
C. Safe Harbor
D. SOX
Answer: C
Explanation:
Due to the lack of an adequate privacy law or protection at the federal level in the United States, European privacy regulations generally prohibit the exporting or sharing of PII from Europe with the United States. Participation in the Safe Harbor program is voluntary on behalf of an organization, but it does require them to conform to specific requirements and policies that mirror those from the EU. Thus, organizations can fulfill requirements for data sharing and export and possibly serve customers in the EU.
QUESTION NO: 29
What is the biggest benefit to leasing space in a data center versus building or maintaining your own?
A. Certification
B. Costs
C. Regulation
D. Control
Answer: B
Explanation:
When leasing space in a data center, an organization can avoid the enormous startup and building costs associated with a data center, and can instead leverage economies of scale by grouping with other organizations and sharing costs.
QUESTION NO: 30
Which of the following security measures done at the network layer in a traditional data center are also applicable to a cloud environment?
A. Dedicated switches
B. Trust zones
C. Redundant network circuits
D. Direct connections
Answer: B
Explanation:
Trust zones can be implemented to separate systems or tiers along logical lines for greater security and access control. Each zone can then have its own security controls and monitoring based on its particular needs.
QUESTION NO: 31
Which aspect of cloud computing will be most negatively impacted by vendor lock-in?
A. Elasticity
B. Reversibility
C. Interoperability
D. Portability
Answer: D
Explanation:
A cloud customer utilizing proprietary APIs or services from one cloud provider that are unlikely to be available from another cloud provider will most negatively impact portability.
QUESTION NO: 32
Which of the following APIs are most commonly used within a cloud environment?
A. REST and SAML
B. SOAP and REST
C. REST and XML
D. XML and SAML
Answer: B
Explanation:
Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) are the most commonly used APIs within a cloud environment. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data.
QUESTION NO: 33
Which of the following attempts to establish an international standard for eDiscovery processes and best practices?
A. ISO/IEC 31000
B. ISO/IEC 27050
C. ISO/IEC 19888
D. ISO/IEC 27001
Answer: B
Explanation:
ISO/IEC 27050 strives to establish an internationally accepted standard for eDiscovery processes and best practices. It encompasses all steps of the eDiscovery process: identification, preservation, collection, processing, review, analysis, and the final production of the requested data.
QUESTION NO: 34
Which of the following roles is responsible for obtaining new customers and securing contracts and agreements?
A. Inter-cloud provider
B. Cloud service broker
C. Cloud auditor
D. Cloud service developer
Answer: B
Explanation:
The cloud service broker is responsible for obtaining new customers, analyzing the marketplace, and securing contracts and agreements.
QUESTION NO: 35
Which term relates to the application of scientific methods and practices to evidence?
A. Forensics
B. Methodical
C. Theoretical
D. Measured
Answer: A
Explanation:
Forensics is the application of scientific and methodical processes to identify, collect, preserve, analyze, and summarize/report digital information and evidence.
QUESTION NO: 36
Which of the following roles involves the provisioning and delivery of cloud services?
A. Cloud service deployment manager
B. Cloud service business manager
C. Cloud service manager
D. Cloud service operations manager
Answer: C
Explanation:
The cloud service manager is responsible for the delivery of cloud services, the provisioning of cloud services, and the overall management of cloud services.
QUESTION NO: 37
What is the primary reason that makes resolving jurisdictional conflicts complicated?
A. Different technology standards
B. Costs
C. Language barriers
D. Lack of international authority
Answer: D
Explanation:
With international operations, systems ultimately cross many jurisdictional boundaries, and many times, they conflict with each other. The major hurdle to overcome for an organization is the lack of an ultimate international authority to mediate such conflicts, with a likely result of legal efforts in each jurisdiction.
QUESTION NO: 38
GAAPs are created and maintained by which organization?
A. ISO/IEC
B. AICPA
C. PCI Council
D. ISO
Answer: B
Explanation:
The AICPA is the organization responsible for generating and maintaining the Generally Accepted Accounting Practices in the United States.
QUESTION NO: 39
Which of the following roles is responsible for preparing systems for the cloud, administering and monitoring services, and managing inventory and assets?
A. Cloud service business manager
B. Cloud service deployment manager
C. Cloud service operations manager
D. Cloud service manager
Answer: C
Explanation:
The cloud service operations manager is responsible for preparing systems for the cloud, administering and monitoring services, providing audit data as requested or required, and managing inventory and assets.
QUESTION NO: 40
Which protocol allows a system to use block-level storage as if it was a SAN, but over TCP network traffic instead?
A. SATA
B. iSCSI
C. TLS
D. SCSI
Answer: B
Explanation:
iSCSI is a protocol that allows for the transmission and use of SCSI commands and features over a TCP-based network. iSCSI allows systems to use block-level storage that looks and behaves as a SAN would with physical servers, but to leverage the TCP network within a virtualized environment and cloud.
QUESTION NO: 41
Which of the cloud deployment models is used by popular services such as iCloud, Dropbox, and OneDrive?
A. Hybrid
B. Public
C. Private
D. Community
Answer: B
Explanation:
Popular services such as iCloud, Dropbox, and OneDrive are all publicly available and are open to any user for free, with possible add-on services offered for a cost.
QUESTION NO: 42
Why does a Type 2 hypervisor typically offer less security control than a Type 1 hypervisor?
A. A Type 2 hypervisor runs on top of another operating system and is dependent on the security of the OS for its own security.
B. A Type 2 hypervisor allows users to directly perform some functions with their own access.
C. A Type 2 hypervisor is open source, so attackers can more easily find exploitable vulnerabilities with that access.
D. A Type 2 hypervisor is always exposed to the public Internet for federated identity access.
Answer: A
Explanation:
A Type 2 hypervisor differs from a Type 1 hypervisor in that it runs on top of another operating system rather than being tied directly into the underlying hardware of the virtual host servers. With this type of implementation, additional security and architecture concerns come into play because the interaction between the operating system and the hypervisor becomes a critical link. The hypervisor no longer has direct interaction with and control over the underlying hardware, which means that some performance will be lost because the operating system in the middle needs its own resources, patching, and operational oversight.
QUESTION NO: 43
Which is the appropriate phase of the cloud data lifecycle for determining the data’s classification?
A. Create
B. Use
C. Share
D. Store
Answer: A
Explanation:
Any time data is created, modified, or imported, the classification needs to be evaluated and set from the earliest phase to ensure security is always properly maintained for the duration of its lifecycle.
QUESTION NO: 44
Which of the following is the optimal temperature for a data center, per the guidelines established by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE)?
A. 69.8-86.0°F (21-30°C)
B. 64.4-80.6°F (18-27°C)
C. 51.8-66.2°F (11-19°C)
D. 44.6-60.8°F (7-16°C)
Answer: B
Explanation:
The guidelines from ASHRAE establish 64.4-80.6°F (18-27°C) as the optimal temperature for a data center.
QUESTION NO: 45
Which of the following is not a risk management framework?
A. COBIT
B. Hex GBL
C. ISO 31000:2009
D. NIST SP 800-37
Answer: B
Explanation:
Hex GBL is a reference to a computer part in Terry Pratchett’s fictional Discworld universe. The other three are not fictional; they are actual risk management frameworks.
QUESTION NO: 46
Which of the following threat types involves the sending of untrusted data to a user’s browser to be executed with their own credentials and access?
A. Missing function level access control
B. Cross-site scripting
C. Cross-site request forgery
D. Injection
Answer: B
Explanation:
Cross-site scripting (XSS) is an attack where a malicious actor is able to send untrusted data to a user’s browser without going through any validation or sanitization processes, or where the code is not properly escaped from processing by the browser. The code is then executed on the user’s browser with the user’s own access and permissions, allowing an attacker to redirect their web traffic, steal data from their session, or potentially access information on the user’s own computer that their browser has the ability to access.
QUESTION NO: 47
How is an object stored within an object storage system?
A. Key value
B. Database
C. LDAP
D. Tree structure
Answer: A
Explanation:
Object storage uses a flat structure with key values to store and access objects.
QUESTION NO: 48
Which of the following is NOT a regulatory system from the United States federal government?
A. PCI DSS
B. FISMA
C. SOX
D. HIPAA
Answer: A
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry regulatory standard, not a governmental one.
QUESTION NO: 49
Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority?
A. European Union
B. Germany
C. Russia
D. United States
Answer: D
Explanation:
The United States lacks a single comprehensive law at the federal level addressing data security and privacy, but there are multiple federal laws that deal with different industries.
QUESTION NO: 50
Which United States law is focused on PII as it relates to the financial industry?
A. HIPAA
B. SOX
C. Safe Harbor
D. GLBA
Answer: D
Explanation:
The GLBA, as it is commonly called after the lead sponsors and authors of the act, is officially known as “The Financial Modernization Act of 1999.” It is specifically focused on PII as it relates to financial institutions. It has three specific components covering various areas and uses, on top of a general requirement that all financial institutions must provide all users and customers with a written copy of their privacy policies and practices, including with whom and for what reasons their information may be shared.
QUESTION NO: 51
Which of the following threat types can occur when encryption is not properly applied or insecure transport mechanisms are used?
A. Security misconfiguration
B. Insecure direct object references
C. Sensitive data exposure
D. Unvalidated redirects and forwards
Answer: C
Explanation:
Sensitive data exposure occurs when information is not properly secured through encryption and secure transport mechanisms; it can quickly become an easy and broad method for attackers to compromise information. Web applications must enforce strong encryption and security controls on the application side, but secure methods of communications with browsers or other clients used to access the information are also required. Security misconfiguration occurs when applications and systems are not properly configured for security, often a result of misapplied or inadequate baselines. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, thus allowing spoofing for malware or phishing attacks.
QUESTION NO: 52
What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function?
A. Remove
B. Monitor
C. Disable
D. Stop
Answer: A
Explanation:
The best practice is to completely remove any unneeded services and utilities from a system to prevent any chance of their compromise or misuse. If they are merely disabled, they could be inadvertently started again at any point, or another exploit could be used to start them. Removing them also negates the need to patch and maintain them going forward.
QUESTION NO: 53
Which of the following actions will NOT make data part of the “create” phase of the cloud data lifecycle?
A. Modifying metadata
B. Importing data
C. Modifying data
D. Constructing new data
Answer: A
Explanation:
Although the initial phase is called “create,” it can also refer to modification. In essence, any time data is considered “new,” it is in the create phase. This can come from data that is newly created, data that is imported into a system and is new to that system, or data that is already present and modified into a new form or value. Modifying the metadata does not change the actual data.
QUESTION NO: 54
What are the two protocols that TLS uses?
A. Handshake and record
B. Transport and initiate
C. Handshake and transport
D. Record and transmit
Answer: A
Explanation:
TLS uses the handshake protocol to establish and negotiate the TLS connection, and it uses the record protocol for the secure transmission of data.
QUESTION NO: 55
Which type of cloud model typically presents the most challenges to a cloud customer during the “destroy” phase of the cloud data lifecycle?
A. IaaS
B. DaaS
C. SaaS
D. PaaS
Answer: C
Explanation:
With many SaaS implementations, data is not isolated to a particular customer but rather is part of the overall application. When it comes to data destruction, a particular challenge is ensuring that all of a customer’s data is completely destroyed while not impacting the data of other customers.
QUESTION NO: 56
Which of the following may unilaterally deem a cloud hosting model inappropriate for a system or application?
A. Multi Tenancy
B. Certification
C. Regulation
D. Virtualization
Answer: C
Explanation:
Some regulations may require that specific security controls or certifications be used for hosting certain types of data or functions, and in some circumstances these requirements cannot be met by any cloud provider.
QUESTION NO: 57
Which of the following is considered an internal redundancy for a data center?
A. Power distribution units
B. Network circuits
C. Power substations
D. Generators
Answer: A
Explanation:
Power distribution units are internal to a data center and supply power to internal components such as racks, appliances, and cooling systems. As such, they are considered an internal redundancy.
QUESTION NO: 58
Which of the following represents a control on the maximum amount of resources that a single customer, virtual machine, or application can consume within a cloud environment?
A. Share
B. Reservation
C. Provision
D. Limit
Answer: D
Explanation:
Limits are put in place to enforce a maximum on the amount of memory or processing a cloud customer can use. This can be done either on a virtual machine or as a comprehensive whole for a customer, and is meant to ensure that enormous cloud resources cannot be allocated or consumed by a single host or customer to the detriment of other hosts and customers.
QUESTION NO: 59
Which of the following roles is responsible for peering with other cloud services and providers?
A. Cloud auditor
B. Inter-cloud provider
C. Cloud service broker
D. Cloud service developer
Answer: B
Explanation:
The inter-cloud provider is responsible for peering with other cloud services and providers, as well as overseeing and managing federations and federated services.
QUESTION NO: 60
Which of the following does NOT relate to the hiding of sensitive data from data sets?
A. Obfuscation
B. Federation
C. Masking
D. Anonymization
Answer: B
Explanation:
Federation pertains to authenticating systems between different organizations.