QUESTION NO: 61
Which of the following are the storage types associated with IaaS?
A. Volume and object
B. Volume and label
C. Volume and container
D. Object and target
Answer: A
Explanation:
Infrastructure as a Service (IaaS) offerings provide two storage types: volume storage, which is presented to a virtual machine as a block device that the guest formats and mounts like a local disk, and object storage, in which data is kept as discrete objects and accessed through an API rather than a file system.
QUESTION NO: 62
Which technology can be useful during the “share” phase of the cloud data lifecycle to continue to protect data as it leaves the original system and security controls?
A. IPS
B. WAF
C. DLP
D. IDS
Answer: C
Explanation:
Data loss prevention (DLP) can be applied to data that is leaving the security enclave to continue to enforce access restrictions and policies on other clients and systems.
QUESTION NO: 63
Which of the following storage types is most closely associated with a traditional file system and tree structure?
A. Volume
B. Unstructured
C. Object
D. Structured
Answer: A
Explanation:
Volume storage works as a virtual hard drive that is attached to a virtual machine. The operating system sees the volume the same as how a traditional drive on a physical server would be seen.
QUESTION NO: 64
Which of the following represents a prioritization of applications or cloud customers for the allocation of additional requested resources when there is a limitation on available resources?
A. Provision
B. Limit
C. Reservation
D. Share
Answer: D
Explanation:
The concept of shares within a cloud environment is used to mitigate and control the request for resource allocations from customers that the environment may not have the current capability to allow. Shares work by prioritizing hosts within a cloud environment through a weighting system that is defined by the cloud provider. When periods of high utilization and allocation are reached, the system automatically uses scoring of each host based on its share value to determine which hosts get access to the limited resources still available. The higher the value a particular host has, the more resources it will be allowed to utilize.
QUESTION NO: 65
Which type of audit report do many cloud providers use to instill confidence in their policies, practices, and procedures among current and potential customers?
A. SAS-70
B. SOC 2
C. SOC 1
D. SOX
Answer: B
Explanation:
One approach that many cloud providers opt to take is to undergo a SOC 2 audit and make the report available to cloud customers and potential cloud customers as a way of providing security confidence without having to open their systems or sensitive information to the masses.
QUESTION NO: 66
Which of the following statements accurately describes VLANs?
A. They are not restricted to the same data center or the same racks.
B. They are not restricted to the same rack but are restricted to the same data center.
C. They are restricted to the same racks and data centers.
D. They are not restricted to the same rack but restricted to the same switches.
Answer: A
Explanation:
A virtual local area network (VLAN) can span any network within a data center, or it can span across different physical locations and data centers.
QUESTION NO: 67
What must be secured on physical hardware to prevent unauthorized access to systems?
A. BIOS
B. SSH
C. RDP
D. ALOM
Answer: A
Explanation:
BIOS is the firmware that governs the physical initialization and boot-up of a piece of hardware. If it is compromised, an attacker could gain access to hosted systems and make configuration changes that expose or disable security elements on the system.
QUESTION NO: 68
What type of PII is regulated based on the type of application or per the conditions of the specific hosting agreement?
A. Specific
B. Contractual
C. Regulated
D. Jurisdictional
Answer: B
Explanation:
Contractual PII has specific requirements for the handling of sensitive and personal information, as defined at a contractual level. These specific requirements will typically document the required handling procedures and policies to deal with PII. They may be in specific security controls and configurations, required policies or procedures, or limitations on who may gain authorized access to data and systems.
QUESTION NO: 69
Which of the following security technologies is commonly used to give administrators access into trust zones within an environment?
A. VPN
B. WAF
C. IPSec
D. HTTPS
Answer: A
Explanation:
Virtual private networks (VPNs) are commonly used to allow access into trust zones. Via a VPN, access can be controlled and logged and only allowed through secure channels by authorized users. It also adds an additional layer of encryption and protection to communications.
QUESTION NO: 70
Which concept BEST describes the capability for a cloud environment to automatically scale a system or application, based on its current resource demands?
A. On-demand self-service
B. Resource pooling
C. Measured service
D. Rapid elasticity
Answer: D
Explanation:
Rapid elasticity allows a cloud environment to automatically add or remove resources to or from a system or application based on its current demands. Whereas a traditional data center model would require standby hardware and substantial effort to add resources in response to load increases, a cloud environment can easily and rapidly expand to meet resource demands, so long as the application is properly implemented for it.
QUESTION NO: 71
If you’re using iSCSI in a cloud environment, what must come from an external protocol or application?
A. Kerberos support
B. CHAP support
C. Authentication
D. Encryption
Answer: D
Explanation:
iSCSI does not natively support encryption, so another technology such as IPsec must be used to encrypt communications.
QUESTION NO: 72
Which of the following pertains to a macro level approach to data center design rather than the traditional tiered approach to data centers?
A. IDCA
B. NFPA
C. BICSI
D. Uptime Institute
Answer: A
Explanation:
The standards put out by the International Data Center Authority (IDCA) have established the Infinity Paradigm, which is intended to be a comprehensive data center design and operations framework. The Infinity Paradigm shifts away from many models that rely on tiered architecture for data centers, where each successive tier increases redundancy. Instead, it emphasizes data centers being approached at a macro level, without a specific and isolated focus on certain aspects to achieve tier status.
QUESTION NO: 73
What does the REST API support that SOAP does NOT support?
A. Caching
B. Encryption
C. Acceleration
D. Redundancy
Answer: A
Explanation:
The SOAP protocol does not support caching, whereas the REST API does.
QUESTION NO: 74
Why does a Type 1 hypervisor typically offer tighter security controls than a Type 2 hypervisor?
A. A Type 1 hypervisor also controls patching of its hosted virtual machines to ensure they are always secure.
B. A Type 1 hypervisor is tied directly to the bare metal and only runs with code necessary to perform its specific mission.
C. A Type 1 hypervisor performs hardware-level encryption for tighter security and efficiency.
D. A Type 1 hypervisor only hosts virtual machines with the same operating systems as the hypervisor.
Answer: B
Explanation:
Type 1 hypervisors run directly on top of the bare metal and only contain the code and functions required to perform their purpose. They do not rely on any other systems or contain extra features to secure.
QUESTION NO: 75
Which of the following are the storage types associated with PaaS?
A. Structured and freeform
B. Volume and object
C. Structured and unstructured
D. Database and file system
Answer: C
Explanation:
Platform as a Service (PaaS) offerings provide structured storage, typically a database with a defined schema, and unstructured storage for files, media, and other data that does not fit a fixed structure.
QUESTION NO: 76
Which of the following threat types can occur when baselines are not appropriately applied or unauthorized changes are made?
A. Insecure direct object references
B. Unvalidated redirects and forwards
C. Security misconfiguration
D. Sensitive data exposure
Answer: C
Explanation:
Security misconfigurations occur when applications and systems are not properly configured or maintained in a secure manner. This can be caused from a shortcoming in security baselines or configurations, unauthorized changes to system configurations, or a failure to patch and upgrade systems as the vendor releases security patches.
QUESTION NO: 77
What is the data encapsulation used with the SOAP protocol referred to?
A. Packet
B. Envelope
C. Payload
D. Object
Answer: B
Explanation:
Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope and then leverages common communications protocols for transmission.
QUESTION NO: 78
Which of the following threat types can occur when an application does not properly validate input and can be leveraged to send users to malicious sites that appear to be legitimate?
A. Unvalidated redirects and forwards
B. Insecure direct object references
C. Security misconfiguration
D. Sensitive data exposure
Answer: A
Explanation:
Many web applications offer redirect or forward pages that send users to different, external sites. If these pages are not properly secured and validated, attackers can use the application to forward users off to sites for phishing or malware attempts. These attempts can often be more successful than direct phishing attempts because users will trust the site or application that sent them there, and they will assume it has been properly validated and approved by the trusted application’s owners or operators. Security misconfiguration occurs when applications and systems are not properly configured for security–often a result of misapplied or inadequate baselines. Insecure direct object references occur when code references aspects of the infrastructure, especially internal or private systems, and an attacker can use that knowledge to glean more information about the infrastructure. Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data.
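The redirect described above, as an added example that is not part of the original page: the vulnerable handler echoes the client-supplied target straight into the redirect, while the hardened version only accepts same-site relative paths or absolute URLs on an allow-listed host. The host name, default landing page, and function names are assumptions for the example.

```python
"""Added example, not from the original page: an open-redirect sink and a
hardened replacement. ALLOWED_HOSTS and DEFAULT_TARGET are constructed."""
from __future__ import annotations

from urllib.parse import urljoin, urlparse

ALLOWED_HOSTS = {"app.example.com"}          # constructed allow-list
DEFAULT_TARGET = "https://app.example.com/"  # where unsafe requests land


def redirect_target_vulnerable(next_param: str) -> str:
    # The classic bug: whatever arrived in ?next= becomes the Location header,
    # so https://app.example.com/login?next=https://evil.example/ sends the
    # user, fresh from a trusted site, to the attacker.
    return next_param


def redirect_target_safe(next_param: str | None) -> str:
    """Return a redirect target that always stays on an allow-listed host."""
    if not next_param:
        return DEFAULT_TARGET
    # Whitespace/control characters can split headers; backslashes are
    # treated as slashes by some browsers, so reject both outright.
    if any(c.isspace() or ord(c) < 0x20 for c in next_param) or "\\" in next_param:
        return DEFAULT_TARGET
    parsed = urlparse(next_param)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative target: must be a single leading "/", not "//host" which
        # browsers read as a protocol-relative URL to another host.
        if next_param.startswith("/") and not next_param.startswith("//"):
            return urljoin(DEFAULT_TARGET, next_param)
        return DEFAULT_TARGET
    # Absolute target: scheme and host must both be acceptable. urlparse's
    # hostname already strips userinfo, so "app.example.com@evil.example"
    # resolves to evil.example and is rejected.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_param
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/", "https://evil.example/",
                      "https://app.example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {redirect_target_safe(candidate)}")
```

The allow-list check is on `parsed.hostname`, not on a string prefix, which is what defeats `app.example.com.evil.example` and the userinfo trick.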
QUESTION NO: 79
Which publication from the United States National Institute of Standards and Technology pertains to defining cloud concepts and definitions for the various core components of cloud computing?
A. SP 800-153
B. SP 800-145
C. SP 800-53
D. SP 800-40
Answer: B
Explanation:
NIST Special Publication 800-145 is titled “The NIST Definition of Cloud Computing” and contains definitions and explanations of core cloud concepts and components.
QUESTION NO: 80
What is the biggest negative to leasing space in a data center versus building or maintaining your own?
A. Costs
B. Control
C. Certification
D. Regulation
Answer: B
Explanation:
When leasing space in a data center, an organization will give up a large degree of control as to how it is built and maintained, and instead must conform to the policies and procedures of the owners and operators of the data center.
QUESTION NO: 81
Which aspect of archiving must be tested regularly for the duration of retention requirements?
A. Availability
B. Recoverability
C. Auditability
D. Portability
Answer: B
Explanation:
In order for any archiving system to be deemed useful and compliant, regular tests must be performed to ensure the data can still be recovered and accessible, should it ever be needed, for the duration of the retention requirements.
QUESTION NO: 82
Which of the following represents a minimum guaranteed resource within a cloud environment for the cloud customer?
A. Reservation
B. Share
C. Limit
D. Provision
Answer: A
Explanation:
A reservation is a minimum resource that is guaranteed to a customer within a cloud environment. Within a cloud, a reservation can pertain to the two main aspects of computing: memory and processor. With a reservation in place, the cloud provider guarantees that a cloud customer will always have at minimum the necessary resources available to power on and operate any of their services.
QUESTION NO: 83
When is a virtual machine susceptible to attacks while a physical server in the same state would not be?
A. When it is behind a WAF
B. When it is behind an IPS
C. When it is not patched
D. When it is powered off
Answer: D
Explanation:
A virtual machine is ultimately an image file residing on a file system. Because of this, even when a virtual machine is “powered off,” it is still susceptible to attacks and modification. A physical server that is powered off would not be susceptible to such attacks.
QUESTION NO: 84
Which of the following threat types involves an application developer leaving references to internal information and configurations in code that is exposed to the client?
A. Sensitive data exposure
B. Security misconfiguration
C. Insecure direct object references
D. Unvalidated redirect and forwards
Answer: C
Explanation:
An insecure direct object reference occurs when a developer has in their code a reference to something on the application side, such as a database key, the directory structure of the application, configuration information about the hosting system, or any other information that pertains to the workings of the application that should not be exposed to users or the network. Unvalidated redirects and forwards occur when an application has functions to forward users to other sites, and these functions are not properly secured to validate the data and redirect requests, allowing spoofing for malware or phishing attacks. Sensitive data exposure occurs when an application does not use sufficient encryption and other security controls to protect sensitive application data. Security misconfigurations occur when applications and systems are not properly configured or maintained in a secure manner.
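The database-key case from the explanation, as an added example that is not part of the original page: the same invoice lookup written first as an insecure direct object reference, then with an ownership check, and finally behind a per-user indirect reference map so the internal key never reaches the client at all. The invoice table, user names and function names are constructed for the example.

```python
"""Added example, not from the original page: an insecure direct object
reference, the fixed lookup, and an indirect reference map. All data and
names are constructed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int   # internal database key
    owner: str
    amount_cents: int


# Constructed sample table keyed by the internal database key.
INVOICES = {
    1001: Invoice(1001, "alice", 1200),
    1002: Invoice(1002, "bob", 9999),
}


class NotFound(Exception):
    """Raised for missing *and* foreign objects so IDs cannot be enumerated
    by telling 'does not exist' apart from 'not yours'."""


def get_invoice_vulnerable(requested_id: int, current_user: str) -> Invoice:
    # The key taken from the URL (/invoices/1001) is used as-is. Any
    # authenticated user can walk 1001, 1002, ... and read everyone's data.
    return INVOICES[requested_id]


def get_invoice_safe(requested_id: int, current_user: str) -> Invoice:
    inv = INVOICES.get(requested_id)
    if inv is None or inv.owner != current_user:
        raise NotFound(f"invoice {requested_id}")
    return inv


class ReferenceMap:
    """Per-user indirect references: the client only ever sees an opaque,
    unguessable handle, never the internal key."""

    def __init__(self) -> None:
        self._by_handle: dict[str, tuple[str, int]] = {}
        self._by_key: dict[tuple[str, int], str] = {}

    def handle_for(self, user: str, key: int) -> str:
        handle = self._by_key.get((user, key))
        if handle is None:
            handle = secrets.token_urlsafe(16)
            self._by_key[(user, key)] = handle
            self._by_handle[handle] = (user, key)
        return handle

    def resolve(self, user: str, handle: str) -> int:
        entry = self._by_handle.get(handle)
        # A handle minted for one user is useless to another.
        if entry is None or entry[0] != user:
            raise NotFound("handle")
        return entry[1]


def get_invoice_by_handle(refmap: ReferenceMap, handle: str, current_user: str) -> Invoice:
    key = refmap.resolve(current_user, handle)
    # Defence in depth: the ownership check stays even though the map is per-user.
    return get_invoice_safe(key, current_user)


if __name__ == "__main__":
    refmap = ReferenceMap()
    h = refmap.handle_for("alice", 1001)
    print("alice's link:", f"/invoices/{h}")
    print(get_invoice_by_handle(refmap, h, "alice"))
```

The indirect map is what removes the exposed reference the explanation warns about; the ownership check is what stops the attack even when a key does leak.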
QUESTION NO: 85
Which of the following is the biggest concern or challenge with using encryption?
A. Dependence on keys
B. Cipher strength
C. Efficiency
D. Protocol standards
Answer: A
Explanation:
No matter what kind of application, system, or hosting model used, encryption is 100 percent dependent on encryption keys. Properly securing the keys and the exchange of them is the biggest and most important challenge of encryption systems.
QUESTION NO: 86
Which of the following would NOT be considered part of resource pooling with an Infrastructure as a Service implementation?
A. Storage
B. Application
C. Memory
D. CPU
Answer: B
Explanation:
Infrastructure as a Service pools the compute resources for platforms and applications to build upon, including CPU, memory, and storage. Applications are not part of an IaaS offering from the cloud provider.
QUESTION NO: 87
Which technology is NOT commonly used for security with data in transit?
A. DNSSEC
B. IPsec
C. VPN
D. HTTPS
Answer: A
Explanation:
DNSSEC relates to the integrity of DNS resolutions and the prevention of spoofing or redirection, and does not pertain to the actual security of transmissions or the protection of data.
QUESTION NO: 88
Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes?
A. Cloud service business manager
B. Cloud service operations manager
C. Cloud service manager
D. Cloud service deployment manager
Answer: D
Explanation:
The cloud service deployment manager is responsible for gathering metrics on cloud services, managing cloud deployments and the deployment process, and defining the environments and processes.
QUESTION NO: 89
Which of the following is considered an external redundancy for a data center?
A. Power feeds to rack
B. Generators
C. Power distribution units
D. Storage systems
Answer: B
Explanation:
Generators are considered an external redundancy to a data center. Power distribution units (PDUs), storage systems, and power feeds to racks are all internal to a data center, and as such they are considered internal redundancies.
QUESTION NO: 90
Which of the following is the optimal humidity level for a data center, per the guidelines established by the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)?
A. 30-50 percent relative humidity
B. 50-75 percent relative humidity
C. 20-40 percent relative humidity
D. 40-60 percent relative humidity
Answer: D
Explanation:
The guidelines from ASHRAE establish 40-60 percent relative humidity as optimal for a data center.
QUESTION NO: 91
What is the first stage of the cloud data lifecycle where security controls can be implemented?
A. Use
B. Store
C. Share
D. Create
Answer: B
Explanation:
The “store” phase of the cloud data lifecycle, which typically occurs simultaneously with the “create” phase or immediately thereafter, is the first phase where security controls can be implemented. In most cases, the manner in which the data is stored will be based on its classification.
QUESTION NO: 92
What controls the formatting and security settings of a volume storage system within a cloud environment?
A. Management plane
B. SAN host controller
C. Hypervisor
D. Operating system of the host
Answer: D
Explanation:
Once a storage LUN is allocated to a virtual machine, the operating system of that virtual machine will format, manage, and control the file system and security of the data on that LUN.
QUESTION NO: 93
What does SDN stand for within a cloud environment?
A. Software-dynamic networking
B. Software-defined networking
C. Software-dependent networking
D. System-dynamic nodes
Answer: B
Explanation:
Software-defined networking (SDN) separates the control plane, which decides how traffic is filtered and forwarded, from the data plane that actually moves packets, so that network policy is administered centrally through software and pushed to the forwarding devices rather than configured on each one.
QUESTION NO: 94
From a legal perspective, what is the most important first step after an eDiscovery order has been received by the cloud provider?
A. Notification
B. Key identification
C. Data collection
D. Virtual image snapshots
Answer: A
Explanation:
The contract should include requirements for notification by the cloud provider to the cloud customer upon the receipt of such an order. This serves a few important purposes. First, it keeps communication and trust open between the cloud provider and cloud customers. Second, and more importantly, it allows the cloud customer to potentially challenge the order if they feel they have the grounds or desire to do so.
QUESTION NO: 95
Which of the following would make it more likely that a cloud provider would be unwilling to satisfy specific certification requirements?
A. Resource pooling
B. Virtualization
C. Multi Tenancy
D. Regulation
Answer: C
Explanation:
With cloud providers hosting a number of different customers, it would be impractical for them to pursue additional certifications based on the needs of a specific customer. Cloud environments are built to a common denominator to serve the greatest number of customers, and especially within a public cloud model, it is not possible or practical for a cloud provider to alter their services for specific customer demands.
QUESTION NO: 96
Which of the following pertains to fire safety standards within a data center, specifically with their enormous electrical consumption?
A. NFPA
B. BICSI
C. IDCA
D. Uptime Institute
Answer: A
Explanation:
The standards put out by the National Fire Protection Association (NFPA) cover general fire protection best practices for any type of facility, but also specific publications pertaining to IT equipment and data centers.
QUESTION NO: 97
Which of the following roles involves the connection and integration of existing systems and services to a cloud environment?
A. Cloud service business manager
B. Cloud service user
C. Cloud service administrator
D. Cloud service integrator
Answer: D
Explanation:
The cloud service integrator is the official role that involves connecting and integrating existing systems and services with a cloud environment. This may involve moving services into a cloud environment, or connecting to external cloud services and capabilities from traditional data center hosted services.
QUESTION NO: 98
Which technique involves replacing values within a specific data field to protect sensitive data?
A. Anonymization
B. Masking
C. Tokenization
D. Obfuscation
Answer: B
Explanation:
Masking involves replacing specific data within a data set with new values. For example, with credit card fields, as most who have ever purchased anything online can attest, nearly the entire credit card number is masked with a character such as an asterisk, with the last four digits left visible for identification and confirmation.
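Questions 62 and 98 describe the two halves of one control: detect sensitive data as it leaves the system, then mask it. The following is an added example, not from the original page, of a minimal DLP pass over outbound text that finds primary account numbers with a pattern plus a Luhn check (so ordinary 16-digit order numbers are not flagged) and masks every digit but the last four. The sample text, the regular expression and the function names are constructed.

```python
"""Added example, not from the original page: a small DLP scan that detects
card numbers in outbound text and masks them. Sample data is constructed."""
from __future__ import annotations

import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in
# a longer digit run. Constructed for the example, not a vendor's rule.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; filters out most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4, fill: str = "*") -> str:
    """Replace every digit except the trailing `keep_last` with `fill`,
    keeping separators in place so the masked value still looks like a PAN."""
    digit_positions = [i for i, c in enumerate(pan) if c.isdigit()]
    to_mask = set(digit_positions[:-keep_last] if keep_last else digit_positions)
    return "".join(fill if i in to_mask else c for i, c in enumerate(pan))


def dlp_scan(text: str) -> tuple[str, list[str]]:
    """Return (text with PANs masked, list of masked findings).

    Findings are recorded already masked so the DLP log itself does not
    become a new copy of the sensitive data."""
    findings: list[str] = []

    def replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = mask_pan(raw)
            findings.append(masked)
            return masked
        return raw  # matched the shape but not the checksum: leave it alone

    return PAN_RE.sub(replace, text), findings


if __name__ == "__main__":
    # Constructed outbound message: one real-shaped PAN, one order number,
    # one phone number.
    sample = ("card 4111 1111 1111 1111 expires 12/27; "
              "order 1234567890123456; call 555-123-4567")
    redacted, found = dlp_scan(sample)
    print(redacted)   # card **** **** **** 1111 expires 12/27; order ...; call ...
    print(found)      # ['**** **** **** 1111']
```

Masking is one-way: the recipient cannot recover the number, which is the point when data leaves the enclave. Tokenization differs in that a vault maps the token back to the original value for authorized callers.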
QUESTION NO: 99
What expectation of data custodians is made much more challenging by a cloud implementation, especially with PaaS or SaaS?
A. Data classification
B. Knowledge of systems
C. Access to data
D. Encryption requirements
Answer: B
Explanation:
Under the Federal Rules of Civil Procedure, data custodians are assumed and expected to have full and comprehensive knowledge of the internal design and architecture of their systems. In a cloud environment, especially with PaaS and SaaS, it is impossible for the data custodian to have this knowledge because those systems are controlled by the cloud provider and protected as proprietary knowledge.
QUESTION NO: 100
What type of PII is controlled based on laws and carries legal penalties for noncompliance with requirements?
A. Contractual
B. Regulated
C. Specific
D. Jurisdictional
Answer: B
Explanation:
Regulated PII involves those requirements put forth by specific laws or regulations, and unlike contractual PII, where a violation can lead to contractual penalties, a violation of regulated PII can lead to fines or even criminal charges in some jurisdictions. PII regulations can depend on either the jurisdiction that applies to the hosting location or application or specific legislation based on the industry or type of data used.
QUESTION NO: 101
Which if the following is NOT one of the three components of a federated identity system transaction?
A. Relying party
B. Identity provider
C. User
D. Proxy relay
Answer: D
Explanation:
A federated identity transaction has three components: the user who is trying to gain access, the identity provider that authenticates the user and issues an assertion about them, and the relying party that trusts that assertion and grants access. A proxy relay is not one of them.
QUESTION NO: 102
Which value refers to the amount of time it takes to recover operations in a BCDR situation to meet management’s objectives?
A. RSL
B. RPO
C. SRE
D. RTO
Answer: D
Explanation:
The recovery time objective (RTO) is a measure of the amount of time it would take to recover operations in the event of a disaster to the point where management’s objectives are met for BCDR.
QUESTION NO: 103
Which of the cloud deployment models requires the cloud customer to be part of a specific group or organization in order to host cloud services within it?
A. Community
B. Hybrid
C. Private
D. Public
Answer: A
Explanation:
A community cloud model is where customers that share a certain common bond or group membership come together to offer cloud services to their members, focused on common goals and interests.
QUESTION NO: 104
What provides the information to an application to make decisions about the authorization level appropriate when granting access?
A. User
B. Relying party
C. Federation
D. Identity Provider
Answer: D
Explanation:
Upon successful user authentication, the identity provider gives information about the user to the relying party that it needs to make authorization decisions for granting access as well as the level of access needed.
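The exchange described in the explanation, as an added example that is not part of the original page: the identity provider issues a signed assertion carrying claims about the user, and the relying party verifies the signature, issuer, audience and validity window before turning the group claims into one of its own authorization levels. The compact body.signature format, the shared HMAC key, the group-to-level mapping and all names are constructed for illustration; a real federation would use SAML or OpenID Connect with asymmetric signatures.

```python
"""Added example, not from the original page: an identity provider (IdP)
issuing a signed claims assertion and a relying party (RP) verifying it and
deriving an authorization level. Keys, URLs and mappings are constructed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

IDP_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # shared secret, demo only
IDP_ISSUER = "https://idp.example.org"
RELYING_PARTY_ID = "https://app.example.com"

# Constructed mapping from IdP groups to the RP's own authorization levels.
LEVEL_RANK = {"viewer": 0, "editor": 1, "admin": 2}
LEVEL_BY_GROUP = {"staff": "editor", "admins": "admin"}


class InvalidAssertion(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(IDP_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def idp_issue(subject: str, groups: list[str], audience: str, now: float, ttl: int = 300) -> str:
    """IdP side: after authenticating `subject`, emit the claims the RP needs.
    The audience claim binds the assertion to one relying party."""
    claims = {
        "iss": IDP_ISSUER, "sub": subject, "aud": audience,
        "iat": int(now), "exp": int(now) + ttl, "groups": groups,
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def rp_authorize(assertion: str, now: float) -> dict:
    """RP side: verify the assertion, then decide the access level from claims."""
    body, _, sig = assertion.partition(".")
    if not sig:
        raise InvalidAssertion("malformed")
    # Verify before parsing: untrusted bytes are never interpreted unsigned.
    if not hmac.compare_digest(_sign(body).encode("ascii"), sig.encode("utf-8")):
        raise InvalidAssertion("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER:
        raise InvalidAssertion("unknown issuer")
    if claims.get("aud") != RELYING_PARTY_ID:
        raise InvalidAssertion("assertion was issued for another relying party")
    if not claims["iat"] <= now < claims["exp"]:
        raise InvalidAssertion("expired or not yet valid")
    # Authorization is the RP's decision: map IdP groups to the highest local level.
    level = "viewer"
    for group in claims.get("groups", []):
        candidate = LEVEL_BY_GROUP.get(group)
        if candidate and LEVEL_RANK[candidate] > LEVEL_RANK[level]:
            level = candidate
    return {"sub": claims["sub"], "level": level}


if __name__ == "__main__":
    now = time.time()
    token = idp_issue("alice", ["staff"], RELYING_PARTY_ID, now)
    print(rp_authorize(token, now))  # {'sub': 'alice', 'level': 'editor'}
```

The split of duties is the point: the IdP asserts who the user is and which groups they belong to; the RP alone decides what those groups mean inside its application.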
QUESTION NO: 105
What is a standard configuration and policy set that is applied to systems and virtual machines called?
A. Standardization
B. Baseline
C. Hardening
D. Redline
Answer: B
Explanation:
The most common and efficient manner of securing operating systems is through the use of baselines. A baseline is a standardized and understood set of base configurations and settings. When a new system is built or a new virtual machine is established, baselines will be applied to a new image to ensure the base configuration meets organizational policy and regulatory requirements.
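Questions 76 and 105 together describe the check a baseline exists for: compare what a system actually has against the standard set and report every deviation, whether a changed value, a setting that was dropped (so the daemon default now applies), or an unexpected extra. The following is an added example, not from the original page, using a constructed sshd_config-style key/value file; the baseline values and the "current" file are constructed and the key names are illustrative.

```python
"""Added example, not from the original page: detect configuration drift from
a baseline. The baseline, the sample current config and the rules are all
constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed baseline: the values every host is expected to carry.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of a drifted config as it might be read from a host.
CURRENT_CONFIG = """
# sshd_config (constructed sample)
PermitRootLogin yes          # someone enabled this during an incident
PasswordAuthentication no
MaxAuthTries 4
AllowTcpForwarding yes
"""


@dataclass(frozen=True)
class Drift:
    key: str
    expected: str | None
    actual: str | None
    kind: str  # "changed", "missing" or "unexpected"


def parse_kv(text: str) -> dict[str, str]:
    """Parse 'Key value' lines; strip comments; first occurrence wins, as
    sshd itself treats repeated keywords."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_baseline(baseline: dict[str, str], current: dict[str, str],
                   forbid_extra: frozenset[str] = frozenset()) -> list[Drift]:
    """Return every deviation from the baseline, sorted by key."""
    drifts: list[Drift] = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None:
            # Absent means the daemon default applies, which may not match.
            drifts.append(Drift(key, expected, None, "missing"))
        elif actual.lower() != expected.lower():
            drifts.append(Drift(key, expected, actual, "changed"))
    for key in sorted(forbid_extra):
        if key in current:
            drifts.append(Drift(key, None, current[key], "unexpected"))
    return sorted(drifts, key=lambda d: d.key)


if __name__ == "__main__":
    for d in check_baseline(BASELINE, parse_kv(CURRENT_CONFIG),
                            forbid_extra=frozenset({"AllowTcpForwarding"})):
        print(f"{d.kind:10} {d.key}: expected={d.expected!r} actual={d.actual!r}")
```

Running the same check on every build and on a schedule afterwards is what turns a baseline from a document into a control; a tool such as Puppet applies the baseline, while a check like this one confirms it is still in place.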
QUESTION NO: 106
Which entity requires all collection and storing of data on their citizens to be done on hardware that resides within their borders?
A. Russia
B. France
C. Germany
D. United States
Answer: A
Explanation:
Signed into law and effective starting on September 1, 2015, Russian Law 526-FZ establishes that any collecting, storing, or processing of personal information or data on Russian citizens must be done from systems and databases that are physically located within the Russian Federation.
QUESTION NO: 107
Which of the cloud cross-cutting aspects relates to the ability to easily move services and applications between different cloud providers?
A. Reversibility
B. Availability
C. Portability
D. Interoperability
Answer: C
Explanation:
Portability is the ease with which a service or application can be moved between different cloud providers. Maintaining portability gives an organization great flexibility between cloud providers and the ability to shop for better deals or offerings.
QUESTION NO: 108
Which type of audit report is considered a “restricted use” report for its intended audience?
A. SAS-70
B. SSAE-16
C. SOC Type 1
D. SOC Type 2
Answer: C
Explanation:
SOC Type 1 reports are considered “restricted use” reports. They are intended for management and stakeholders of an organization, clients of the service organization, and auditors of the organization. They are not intended for release beyond those audiences.
QUESTION NO: 109
What is the concept of segregating information or processes, within the same system or application, for security reasons?
A. Fencing
B. Sandboxing
C. Cellblocking
D. Pooling
Answer: B
Explanation:
Sandboxing involves segregating and isolating information or processes from others within the same system or application, typically for security concerns. This is generally used for data isolation (for example, keeping different communities and populations of users isolated from other similar data).
QUESTION NO: 110
The European Union passed the first major regulation declaring data privacy to be a human right. In what year did it go into effect?
A. 2010
B. 2000
C. 1995
D. 1990
Answer: C
Explanation:
Adopted in 1995, Directive 95/46/EC establishes strong data protection and policy requirements, including declaring data privacy to be a human right. It establishes that an individual has the right to be notified when their personal data is being accessed or processed, that it will only ever be accessed for legitimate purposes, and that data will only be accessed to the exact extent needed for the particular process or request.
QUESTION NO: 111
Which of the following is NOT a key area for performance monitoring as far as an SLA is concerned?
A. CPU
B. Users
C. Memory
D. Network
Answer: B
Explanation:
An SLA requires performance monitoring of CPU, memory, storage, and networking. The number of users active on a system would not be part of an SLA specifically, other than in regard to the impact on the other four variables.
QUESTION NO: 112
Which of the following is the MOST important requirement and guidance for testing during an audit?
A. Stakeholders
B. Shareholders
C. Management
D. Regulations
Answer: D
Explanation:
During any audit, regulations are the most important factor and guidelines for what must be tested. Although the requirements from management, stakeholders, and shareholders are also important, regulations are not negotiable and pose the biggest risk to any organization for compliance failure.
QUESTION NO: 113
Which value refers to the amount of data an organization would need to recover in the event of a BCDR situation in order to reach an acceptable level of operations?
A. SRE
B. RTO
C. RPO
D. RSL
Answer: C
Explanation:
The recovery point objective (RPO) is defined as the amount of data a company would need to maintain and recover in order to function at a level acceptable to management. This may or may not be a restoration to full operating capacity, depending on what management deems as crucial and essential.
QUESTION NO: 114
What must SOAP rely on for security?
A. Encryption
B. Tokenization
C. TLS
D. SSL
Answer: A
Explanation:
Simple Object Access Protocol (SOAP) uses Extensible Markup Language (XML) for passing data, and it must rely on the encryption of those data packages for security.
QUESTION NO: 115
Which of the following is a commonly used tool for maintaining system configurations?
A. Maestro
B. Orchestrator
C. Puppet
D. Conductor
Answer: C
Explanation:
Puppet is a commonly used tool for maintaining system configurations based on policies, and done so from a centralized authority.
QUESTION NO: 116
What type of data does data rights management (DRM) protect?
A. Consumer
B. PII
C. Financial
D. Healthcare
Answer: A
Explanation:
DRM applies to the protection of consumer media, such as music, publications, video, movies, and so on.
QUESTION NO: 117
Which type of testing uses the same strategies and toolsets that hackers would use?
A. Penetration
B. Dynamic
C. Static
D. Malicious
Answer: A
Explanation:
Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discover potential vulnerabilities.
QUESTION NO: 118
From a security perspective, which of the following is a major concern when evaluating possible BCDR solutions?
A. Access provisioning
B. Auditing
C. Jurisdictions
D. Authorization
Answer: C
Explanation:
When a security professional is considering cloud solutions for BCDR, a top concern is the jurisdiction where the cloud systems are hosted. If the jurisdiction is different from where the production systems are hosted, they may be subjected to different regulations and controls, which would make a seamless BCDR solution far more difficult.
QUESTION NO: 119
Which of the following is NOT a focus or consideration of an internal audit?
A. Certification
B. Design
C. Costs
D. Operational efficiency
Answer: A
Explanation:
In order to obtain and comply with certifications, independent external audits must be performed and satisfied. Although some testing of certification controls can be part of an internal audit, they will not satisfy requirements.
QUESTION NO: 120
Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used?
A. Infrastructure
B. Platform
C. Application
D. Data
Answer: D
Explanation:
Regardless of which cloud-hosting model is used, the cloud customer always has sole responsibility for the data and its security.