The Actual Exam Version included actual exam questions verified by IT Experts. We verified questions and updated frequently each month and also based on members’ feedback to keep updating with the real exam. We are offering money back immediately if questions in our Actual Exam Version do not appear in your exam. Highly recommend you take the Actual Exam Version then go to the exam as soon as possible.
QUESTION NO: 121
What process is used within a clustered system to provide high availability and load balancing?
A. Dynamic balancing
B. Dynamic clustering
C. Dynamic optimization
D. Dynamic resource scheduling
Dynamic resource scheduling (DRS) is used within all clustering systems as the method for clusters to provide high availability, scaling, management, and workload distribution and balancing of jobs and processes. From a physical infrastructure perspective, DRS is used to balance compute loads between physical hosts in a cloud to maintain the desired thresholds and limits on the physical hosts.
QUESTION NO: 122
Which of the following is NOT a function performed by the handshake protocol of TLS?
A. Key exchange
C. Negotiation of connection
D. Establish session ID
The handshake protocol negotiates and establishes the connection as well as handles the key exchange and establishes the session ID. It does not perform the actual encryption of data packets.
QUESTION NO: 123
Unlike SOC Type 1 reports, which are based on a specific point in time, SOC Type 2 reports are done over a period of time. What is the minimum span of time for a SOC Type 2 report?
A. Six months
B. One month
C. One year
D. One week
SOC Type 2 reports are focused on the same policies and procedures, as well as their effectiveness, as SOC Type 1 reports, but are evaluated over a period of at least six consecutive months, rather than a finite point in time.
QUESTION NO: 124
What changes are necessary to application code in order to implement DNSSEC?
A. Adding encryption modules
B. Implementing certificate validations
C. Additional DNS lookups
D. No changes are needed.
To implement DNSSEC, no additional changes are needed to applications or their code because the integrity checks are all performed at the system level.
QUESTION NO: 125
Which type of controls are the SOC Type 1 reports specifically focused on?
SOC Type 1 reports are focused specifically on internal controls as they relate to financial reporting.
QUESTION NO: 126
Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it?
The main goal of confidentiality is to ensure that sensitive information is not made available or leaked to parties that should not have access to it, while at the same time ensuring that those with appropriate need and authorization to access it can do so in a manner commensurate with their needs and confidentiality requirements.
QUESTION NO: 127
Which of the following is NOT a domain of the Cloud Controls Matrix (CCM)?
A. Data center security
B. Human resources
C. Mobile security
D. Budgetary and cost controls
Budgetary and cost controls is not one of the domains outlined in the CCM.
QUESTION NO: 128
Which security concept, if implemented correctly, will protect the data on a system, even if a malicious actor gains access to the actual system?
D. Access control
In any environment, data encryption is incredibly important to prevent unauthorized exposure of data either internally or externally. If a system is compromised by an attack, having the data encrypted on the system will prevent its unauthorized exposure or export, even with the system itself being exposed.
QUESTION NO: 129
Which of the following is the sole responsibility of the cloud provider, regardless of which cloud model is used?
C. Physical environment
Regardless of which cloud-hosting model is used, the cloud provider always has sole responsibility for the physical environment.
QUESTION NO: 130
Which of the following is NOT a factor that is part of a firewall configuration?
D. Source IP
Firewalls take into account source IP, destination IP, the port the traffic is using, as well as the network protocol (UDP/TCP). Whether or not the traffic is encrypted is not something a firewall is concerned with.
QUESTION NO: 131
Which of the cloud deployment models involves spanning multiple cloud environments or a mix of cloud hosting models?
A hybrid cloud model involves the use of more than one type of cloud hosting models, typically the mix of private and public cloud hosting models.
QUESTION NO: 132
Which of the following is NOT one of five principles of SOC Type 2 audits?
B. Processing integrity
The SOC Type 2 audits include five principles: security, privacy, processing integrity, availability, and confidentiality.
QUESTION NO: 133
Which aspect of cloud computing makes data classification even more vital than in a traditional data center?
C. Multi Tenancy
With multiple tenants within the same hosting environment, any failure to properly classify data may lead to potential exposure to other customers and applications within the same environment.
QUESTION NO: 134
What concept does the “T” represent in the STRIDE threat model?
C. Tampering with data
Any application that sends data to the user will face the potential that the user could manipulate or alter the data, whether it resides in cookies, GET or POST commands, or headers, or manipulates client-side validations. If the user receives data from the application, it is crucial that the application validate and verify any data that is received back from the user.
QUESTION NO: 135
Which of the following would be a reason to undertake a BCDR test?
A. Functional change of the application
B. Change in staff
C. User interface overhaul of the application
D. Change in regulations
Any time a major functional change of an application occurs, a new BCDR test should be done to ensure the overall strategy and process are still applicable and appropriate.
QUESTION NO: 136
What is the biggest challenge to data discovery in a cloud environment?
D. Multi Tenancy
With the distributed nature of cloud environments, the foremost challenge for data discovery is awareness of the location of data and keeping track of it during the constant motion of cloud storage systems.
QUESTION NO: 137
Which crucial aspect of cloud computing can be most threatened by insecure APIs?
C. Resource pooling
Cloud environments depend heavily on API calls for management and automation. Any vulnerability with the APIs can cause significant risk and exposure to all tenants of the cloud environment.
QUESTION NO: 138
Which of the following should NOT be part of the requirement analysis phase of the software development lifecycle?
B. Programming languages
C. Software platform
D. Security requirements
Security requirements should be incorporated into the software development lifecycle (SDLC) from the earliest requirement gathering stage and should be incorporated prior to the requirement analysis phase.
QUESTION NO: 139
Which of the cloud cross-cutting aspects relates to the assigning of jobs, tasks, and roles, as well as to ensuring they are successful and properly performed?
A. Service-level agreements
C. Regulatory requirements
Governance at its core is the idea of assigning jobs, takes, roles, and responsibilities and ensuring they are satisfactory performed.
QUESTION NO: 140
Which regulatory system pertains to the protection of healthcare data?
The Health Insurance Portability and Accountability Act (HIPAA) sets stringent requirements in the United States for the protection of healthcare records.
QUESTION NO: 141
Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance?
C. Resource pooling
D. Dynamic optimization
Cloud environments will regularly change virtual machines as patching and versions are changed. Unlike a physical environment, there is little continuity from one period of time to another. It is very unlikely that the same virtual machines would be in use during a repeat audit.
QUESTION NO: 142
Which security concept would business continuity and disaster recovery fall under?
C. Fault tolerance
Disaster recovery and business continuity are vital concerns with availability. If data is destroyed or compromised, having regular backup systems in place as well as being able to perform disaster recovery in the event of a major or widespread problem allows operations to continue with an acceptable loss of time and data to management. This also ensures that sensitive data is protected and persisted in the event of the loss or corruption of data systems or physical storage systems.
QUESTION NO: 143
Which of the following is NOT an application or utility to apply and enforce baselines on a system?
D. Active Directory
GitHub is an application for code collaboration, including versioning and branching of code trees. It is not used for applying or maintaining system configurations.
QUESTION NO: 144
Which of the cloud cross-cutting aspects relates to the ability for a cloud customer to easily remove their applications and data from a cloud environment?
Reversibility is the ability for a cloud customer to easily remove their applications or data from a cloud environment, as well as to ensure that all traces of their applications or data have been securely removed per a predefined agreement with the cloud provider.
QUESTION NO: 145
Which of the following is NOT a function performed by the record protocol of TLS?
The record protocol of TLS performs the authentication and encryption of data packets, and in some cases compression as well. It does not perform any acceleration functions.
QUESTION NO: 146
What concept does the “R” represent with the DREAD model?
Reproducibility is the measure of how easy it is to reproduce and successful use an exploit.
Scoring within the DREAD model ranges from 0, signifying a nearly impossibly exploit, up to 10, which signifies something that anyone from a simple function call could exploit, such as a URL.
QUESTION NO: 147
The SOC Type 2 reports are divided into five principles.
Which of the five principles must also be included when auditing any of the other four principles?
Under the SOC guidelines, when any of the four principles other than security are being audited, which includes availability, confidentiality, processing integrity, and privacy, the security principle must also be included with the audit.
QUESTION NO: 148
How many additional DNS queries are needed when DNSSEC integrity checks are added?
DNSSEC does not require any additional DNS queries to be performed. The DNSSEC integrity checks and validations are all performed as part of the single DNS lookup resolution.
QUESTION NO: 149
Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used?
Regardless of which cloud-hosting model is used, the cloud customer always has sole responsibility for the governance of systems and data.
QUESTION NO: 150
Which of the following service categories entails the least amount of support needed on the part of the cloud customer?
With SaaS providing a fully functioning application that is managed and maintained by the cloud provider, cloud customers incur the least amount of support responsibilities themselves of any service category.
QUESTION NO: 151
Which of the following would NOT be a reason to activate a BCDR strategy?
A. Staffing loss
B. Terrorism attack
C. Utility disruptions
D. Natural disaster
The loss of staffing would not be a reason to declare a BCDR situation because it does not impact production operations or equipment, and the same staff would be needed for a BCDR situation.
QUESTION NO: 152
Which of the cloud cross-cutting aspects relates to the oversight of processes and systems, as well as to ensuring their compliance with specific policies and regulations?
B. Regulatory requirements
C. Service-level agreements
Auditing involves reports and evidence that show user activity, compliance with controls and regulations, the systems and processes that run and what they do, as well as information and data access and modification records. A cloud environment adds additional complexity to traditional audits because the cloud customer will not have the same level of access to systems and data as they would in a traditional data center.
QUESTION NO: 153
Which of the cloud cross-cutting aspects relates to the ability to reuse or move components of an application or service?
Interoperability is the ease with which one can move or reuse components of an application or service. This is maximized when services are designed without specific dependencies on underlying platforms, operating systems, locations, or cloud providers.
QUESTION NO: 154
Which of the following is a restriction that can be enforced by information rights management
(IRM) that is not possible for traditional file system controls?
IRM allows an organization to control who can print a set of information. This is not possible under traditional file system controls, where if a user can read a file, they are able to print it as well.
QUESTION NO: 155
What strategy involves hiding data in a data set to prevent someone from identifying specific individuals based on other data fields present?
With data anonymization, data is manipulated in such a way so as to prevent the identification of an individual through various data objects, and is often used in conjunction with other concepts such as masking.
QUESTION NO: 156
What type of security threat is DNSSEC designed to prevent?
A. Account hijacking
DNSSEC is designed to prevent the spoofing and redirection of DNS resolutions to rogue sites.
QUESTION NO: 157
Which European Union directive pertains to personal data privacy and an individual’s control over their personal data?
Directive 95/46/EC is titled “On the protection of individuals with regard to the processing of personal data and on the free movement of such data.”
QUESTION NO: 158
Which of the cloud cross-cutting aspects relates to the requirements placed on a system or application by law, policy, or requirements from standards?
A. regulatory requirements
C. Service-level agreements
Regulatory requirements are those imposed upon businesses and their operations either by law, regulation, policy, or standards and guidelines. These requirements are specific either to the locality in which the company or application is based or to the specific nature of the data and transactions conducted.
QUESTION NO: 159
Which data point that auditors always desire is very difficult to provide within a cloud environment?
A. Access policy
B. Systems architecture
D. Privacy statement
Cloud environments are constantly changing and often span multiple physical locations. A cloud customer is also very unlikely to have knowledge and insight into the underlying systems architecture in a cloud environment. Both of these realities make it very difficult, if not impossible, for an organization to provide a comprehensive systems design document.
QUESTION NO: 160
What type of host is exposed to the public Internet for a specific reason and hardened to perform only that function for authorized users?
A bastion host is a server that is fully exposed to the public Internet, but is extremely hardened to prevent attacks and is usually dedicated for a specific application or usage; it is not something that will serve multiple purposes. This singular focus allows for much more stringent security hardening and monitoring.
QUESTION NO: 161
Which security concept is focused on the trustworthiness of data?
Integrity is focused on the trustworthiness of data as well as the prevention of unauthorized modification or tampering of it. A prime consideration for maintaining integrity is an emphasis on the change management and configuration management aspects of operations, so that all modifications are predictable, tracked, logged, and verified, whether they are performed by actual human users or systems processes and scripts.
QUESTION NO: 162
Which OSI layer does IPsec operate at?
A major difference between IPsec and other protocols such as TLS is that IPsec operates at the Internet network layer rather than the application layer, allowing for complete end-to-end encryption of all communications and traffic.
QUESTION NO: 163
Which of the cloud cross-cutting aspects relates to the requirements placed on the cloud provider by the cloud customer for minimum performance standards and requirements that must be met?
A. Regulatory requirements
Whereas a contract spells out general terms and costs for services, the SLA is where the real meat of the business relationship and concrete requirements come into play. The SLA spells out in clear terms the minimum requirements for uptime, availability, processes, customer service and support, security controls and requirements, auditing and reporting, and potentially many other areas that define the business relationship and the success of it.
QUESTION NO: 164
Which of the following service capabilities gives the cloud customer the most control over resources and configurations?
The infrastructure service capability gives the cloud customer substantial control in provisioning and configuring resources, including processing, storage, and network resources.
QUESTION NO: 165
What concept does the “I” represent with the STRIDE threat model?
B. Information disclosure
C. IT security
D. Insider threat
Perhaps the biggest concern for any user is having their personal and sensitive information disclosed by an application. There are many aspects of an application to consider with security and protecting this information, and it is very difficult for any application to fully ensure security from start to finish. The obvious focus is on security within the application itself, as well as protecting and storing the data.
QUESTION NO: 166
At which stage of the BCDR plan creation phase should security be included in discussions?
A. Define scope
C. Assess risk
D. Gather requirements
Security should be included in discussions from the very first phase when defining the scope. Adding security later is likely to incur additional costs in time and money, or will result in an incomplete or inadequate plan.
QUESTION NO: 167
Which approach is typically the most efficient method to use for data discovery?
B. Content analysis
Metadata is data about data. It contains information about the type of data, how it is stored and organized, or information about its creation and use.
QUESTION NO: 168
Which of the following features is a main benefit of PaaS over IaaS?
A. Location independence
C. Physical security requirements
With PaaS providing a fully configured and managed framework, auto-scaling can be implemented to programmatically adjust resources based on the current demands of the environment.
QUESTION NO: 169
Which audit type has been largely replaced by newer approaches since 2011?
A. SOC Type 1
D. SOC Type 2
SAS-70 reports were replaced in 2011 with the SSAE-16 reports throughout the industry.
QUESTION NO: 170
Which of the following can be useful for protecting cloud customers from a denial-of-service (DoS) attack against another customer hosted in the same cloud?
B. Measured service
Reservations ensure that a minimum level of resources will always be available to a cloud customer for them to start and operate their services. In the event of a DoS attack against one customer, they can guarantee that the other customers will still be able to operate.
QUESTION NO: 171
Which of the following service capabilities gives the cloud customer the least amount of control over configurations and deployments?
The software service capability gives the cloud customer a fully established application, where only minimal user configuration options are allowed.
QUESTION NO: 172
What does the “SOC” acronym refer to with audit reports?
A. Service Origin Confidentiality
B. System Organization Confidentiality
C. Service Organizational Control
D. System Organization Control
QUESTION NO: 173
What does the REST API use to protect data transmissions?
Representational State Transfer (REST) uses TLS for communication over secured channels. Although REST also supports SSL, at this point SSL has been phased out due to vulnerabilities and has been replaced by TLS.
QUESTION NO: 174
What strategy involves replacing sensitive data with opaque values, usually with a means of mapping it back to the original value?
Tokenization is the practice of utilizing a random and opaque “token” value in data to replace what otherwise would be a sensitive or protected data object. The token value is usually generated by the application with a means to map it back to the actual real value, and then the token value is placed in the data set with the same formatting and requirements of the actual real value so that the application can continue to function without different modifications or code changes.
QUESTION NO: 175
With software-defined networking, what aspect of networking is abstracted from the forwarding of traffic?
With software-defined networking (SDN), the filtering of network traffic is separated from the forwarding of network traffic so that it can be independently administered.
QUESTION NO: 176
Which of the following does NOT fall under the “IT” aspect of quality of service (QoS)?
B. Key performance indicators (KPIs)
KPIs fall under the “business” aspect of QoS, along with monitoring and measuring of events and business processes. Services, security, and applications are all core components and concepts of the “IT” aspect of QoS.
QUESTION NO: 177
What does dynamic application security testing (DAST) NOT entail?
D. Knowledge of the system
Dynamic application security testing (DAST) is considered “black box” testing and begins with no inside knowledge of the application or its configurations. Everything about the application must be discovered during the testing.
QUESTION NO: 178
Where is an XML firewall most commonly deployed in the environment?
A. Between the application and data layers
B. Between the IPS and firewall
C. Between the presentation and application layers
D. Between the firewall and application server
XML firewalls are most commonly deployed in line between the firewall and application server to validate XML code before it reaches the application.
QUESTION NO: 179
What type of masking strategy involves replacing data on a system while it passes between the data and application layers?
With dynamic masking, production environments are protected with the masking process being implemented between the application and data layers of the application. This allows for a masking translation to take place live in the system and during normal application processing of data.
QUESTION NO: 180
Which of the following is a widely used tool for code development, branching, and collaboration?
GitHub is an open source tool that developers leverage for code collaboration, branching, and versioning.