QUESTION NO: 181
Which aspect of security is DNSSEC designed to ensure?
A. Integrity
B. Authentication
C. Availability
D. Confidentiality
Answer: A
Explanation:
DNSSEC is a security extension to the regular DNS protocol and services that allows for the validation of the integrity of DNS lookups. It does not address confidentiality or availability at all. It allows for a DNS client to perform DNS lookups and validate both their origin and authority via the cryptographic signature that accompanies the DNS response.
QUESTION NO: 182
Which process serves to prove the identity and credentials of a user requesting access to an application or data?
A. Repudiation
B. Authentication
C. Identification
D. Authorization
Answer: B
Explanation:
Authentication is the process of proving whether the identity presented by a user is true and valid. This can be done through common mechanisms such as user ID and password combinations or with more secure methods such as multifactor authentication.
QUESTION NO: 183
Who would be responsible for implementing IPsec to secure communications for an application?
A. Developers
B. Systems staff
C. Auditors
D. Cloud customer
Answer: B
Explanation:
Because IPsec is implemented at the system or network level, it is the responsibility of the systems staff. IPsec removes the responsibility from developers, whereas other technologies such as TLS would be implemented by developers.
QUESTION NO: 184
What is the minimum regularity for testing a BCDR plan to meet best practices?
A. Once a year
B. Once a month
C. Every six months
D. When the budget allows it
Answer: A
Explanation:
Best practices and industry standards dictate that a BCDR solution should be tested at least once a year, though specific regulatory requirements may dictate more regular testing. The BCDR plan should also be tested whenever a major modification to a system occurs.
QUESTION NO: 185
Other than cost savings realized due to measured service, what is another facet of cloud computing that will typically save substantial costs in time and money for an organization in the event of a disaster?
A. Broad network access
B. Interoperability
C. Resource pooling
D. Portability
Answer: A
Explanation:
With a typical BCDR solution, an organization would need some number of staff to quickly travel to the location of the BCDR site to configure systems and applications for recovery. With a cloud environment, everything is done over broad network access, with no need (or even possibility) to travel to a remote site at any time.
QUESTION NO: 186
Which of the following is NOT part of a retention policy?
A. Format
B. Costs
C. Accessibility
D. Duration
Answer: B
Explanation:
The data retention policy covers the duration, format, technologies, protection, and accessibility of archives, but does not address the specific costs of its implementation and maintenance.
QUESTION NO: 187
Which aspect of cloud computing would make the use of a cloud the most attractive as a BCDR solution?
A. Interoperability
B. Resource pooling
C. Portability
D. Measured service
Answer: D
Explanation:
Measured service means that costs are only incurred when a cloud customer is actually using cloud services. This is ideal for a business continuity and disaster recovery (BCDR) solution because it negates the need to keep hardware or resources on standby in case of a disaster. Services can be initiated when needed and incur no costs until then.
QUESTION NO: 188
Which of the cloud deployment models offers the easiest initial setup and access for the cloud customer?
A. Hybrid
B. Community
C. Private
D. Public
Answer: D
Explanation:
Because the public cloud model is available to everyone, in most instances all a customer will need to do to gain access is set up an account and provide a credit card number through the service’s web portal. No additional contract negotiations, agreements, or specific group memberships are typically needed to get started.
QUESTION NO: 189
Which of the following is NOT something that an HIDS will monitor?
A. Configurations
B. User logins
C. Critical system files
D. Network traffic
Answer: B
Explanation:
A host intrusion detection system (HIDS) monitors network traffic as well as critical system files and configurations.
QUESTION NO: 190
Which of the following technologies is used to monitor network traffic and notify if any potential threats or attacks are noticed?
A. IPS
B. WAF
C. Firewall
D. IDS
Answer: D
Explanation:
An intrusion detection system (IDS) is designed to analyze network packets, compare their contents or characteristics against a set of configurations or signatures, and alert personnel if anything is detected that could constitute a threat or is otherwise designated for alerting.
QUESTION NO: 191
What concept does the “A” represent in the DREAD model?
A. Affected users
B. Authentication
C. Affinity
D. Authorization
Answer: A
Explanation:
Affected users refers to the percentage of users who would be impacted by a successful exploit. Scoring ranges from 0, which means no users are impacted, to 10, which means all users are impacted.
QUESTION NO: 192
Which attribute of data poses the biggest challenge for data discovery?
A. Labels
B. Quality
C. Volume
D. Format
Answer: B
Explanation:
The main problem when it comes to data discovery is the quality of the data that analysis is being performed against. Data that is malformed, incorrectly stored or labeled, or incomplete makes it very difficult to use analytical tools against.
QUESTION NO: 193
What does static application security testing (SAST) offer as a tool to the testers?
A. Production system scanning
B. Injection attempts
C. Source code access
D. Live testing
Answer: C
Explanation:
Static application security testing (SAST) is conducted with knowledge of the system, including source code, and is done against offline systems.
QUESTION NO: 194
Which of the following service capabilities gives the cloud customer an established and maintained framework to deploy code and applications?
A. Software
B. Desktop
C. Platform
D. Infrastructure
Answer: C
Explanation:
The platform service capability provides programming languages and libraries from the cloud provider, where the customer can deploy their own code and applications into a managed and controlled framework.
QUESTION NO: 195
What process is used within a cloud environment to maintain resource balancing and ensure that resources are available where and when needed?
A. Dynamic clustering
B. Dynamic balancing
C. Dynamic resource scheduling
D. Dynamic optimization
Answer: D
Explanation:
Dynamic optimization is the process through which the cloud environment is constantly maintained to ensure resources are available when and where needed, and that physical nodes do not become overloaded or near capacity, while others are underutilized.
QUESTION NO: 196
Which value refers to the percentage of production level restoration needed to meet BCDR objectives?
A. RPO
B. RTO
C. RSL
D. SRE
Answer: C
Explanation:
The recovery service level (RSL) is a percentage measure of the total typical production service level that needs to be restored to meet BCDR objectives in the case of a failure.
QUESTION NO: 197
Over time, what is a primary concern for data archiving?
A. Size of archives
B. Format of archives
C. Recoverability
D. Regulatory changes
Answer: C
Explanation:
Over time, maintaining the ability to restore and read archives is a primary concern for data archiving. As technologies change and new systems are brought in, it is imperative for an organization to ensure they are still able to restore and access archives for the duration of the required retention period.
QUESTION NO: 198
What is an often overlooked concept that is essential to protecting the confidentiality of data?
A. Strong password
B. Training
C. Security controls
D. Policies
Answer: B
Explanation:
While the main focus of confidentiality revolves around technological requirements or particular security methods, an important and often overlooked aspect of safeguarding data confidentiality is appropriate and comprehensive training for those with access to it. Training should be focused on the safe handling of sensitive information overall, including best practices for network activities as well as physical security of the devices or workstations used to access the application.
QUESTION NO: 199
Which of the cloud deployment models offers the most control and input to the cloud customer as to how the overall cloud environment is implemented and configured?
A. Public
B. Community
C. Hybrid
D. Private
Answer: D
Explanation:
A private cloud model, and the specific contractual relationships involved, will give a cloud customer the highest level of input and control over how the overall cloud environment is designed and implemented. This would be even more so in cases where the private cloud is owned and operated by the same organization that is hosting services within it.
QUESTION NO: 200
What concept does the “D” represent with the STRIDE threat model?
A. Data loss
B. Denial of service
C. Data breach
D. Distributed
Answer: B
Explanation:
Any application can be a possible target of denial-of-service (DoS) attacks. From the application side, the developers should minimize how many operations are performed for non-authenticated users. This will keep the application running as quickly as possible and using the least amount of system resources to help minimize the impact of any such attacks.
QUESTION NO: 201
Your boss has tasked your team with getting your legacy systems and applications connected with new cloud-based services that management has decided are crucial to customer service and offerings.
Which role would you be assuming under this directive?
A. Cloud service administrator
B. Cloud service user
C. Cloud service integrator
D. Cloud service business manager
Answer: C
Explanation:
The cloud service integrator role is responsible for connecting and integrating existing services and applications with cloud-based services. A cloud service administrator is responsible for testing, monitoring, and securing cloud services, as well as providing usage reporting and dealing with service problems. The cloud service user is someone who consumes cloud services. The cloud service business manager is responsible for overseeing the billing, auditing, and purchasing of cloud services.
QUESTION NO: 202
One of the main components of system audits is the ability to track changes over time and to match these changes with continued compliance and internal processes.
Which aspect of cloud computing makes this particular component more challenging than in a traditional data center?
A. Portability
B. Virtualization
C. Elasticity
D. Resource pooling
Answer: B
Explanation:
Cloud services make exclusive use of virtualization, and systems change over time, including the addition, subtraction, and reimaging of virtual machines. It is extremely unlikely that the exact same virtual machines and images used in a previous audit would still be in use or even available for a later audit, making the tracking of changes over time extremely difficult, or even impossible. Elasticity refers to the ability to add and remove resources from a system or service to meet current demand, and although it plays a factor in making the tracking of virtual machines very difficult over time, it is not the best answer in this case. Resource pooling pertains to a cloud environment sharing a large amount of resources between different customers and services. Portability refers to the ability to move systems or services easily between different cloud providers.
QUESTION NO: 203
In the wake of many scandals with major corporations involving fraud and the deception of investors and regulators, which of the following laws was passed to govern accounting and financial records and disclosures?
A. GLBA
B. Safe Harbor
C. HIPAA
D. SOX
Answer: D
Explanation:
The Sarbanes-Oxley Act (SOX) regulates the financial and accounting practices used by organizations in order to protect shareholders from improper practices and accounting errors. The Health Insurance Portability and Accountability Act (HIPAA) pertains to the protection of patient medical records and privacy. The Gramm-Leach-Bliley Act (GLBA) focuses on the use of PII within financial institutions. The Safe Harbor program was designed by the US government as a way for American companies to comply with European Union privacy laws.
QUESTION NO: 204
Which one of the following threat types to applications and services involves the sending of requests that are invalid and manipulated through a user’s client to execute commands on the application under the user’s own credentials?
A. Injection
B. Missing function-level access control
C. Cross-site scripting
D. Cross-site request forgery
Answer: D
Explanation:
A cross-site request forgery (CSRF) attack forces a client that a user has used to authenticate to an application to send forged requests under the user’s own credentials to execute commands and requests that the application thinks are coming from a trusted client and user. Although this type of attack cannot be used to steal data directly because the attacker has no way of seeing the results of the commands, it does open other ways to compromise an application. Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call. Cross-site scripting occurs when an attacker is able to send untrusted data to a user’s browser without going through validation processes. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.
QUESTION NO: 205
Which cloud service category would be most ideal for a cloud customer that is developing software to test its applications among multiple hosting providers to determine the best option for its needs?
A. DaaS
B. PaaS
C. IaaS
D. SaaS
Answer: B
Explanation:
Platform as a Service would allow software developers to quickly and easily deploy their applications among different hosting providers for testing and validation in order to determine the best option. Although IaaS would also be appropriate for hosting applications, it would require too much configuration of application servers and libraries in order to test code. Conversely, PaaS would provide a ready-to-use environment from the outset. DaaS would not be appropriate in any way for software developers to use to deploy applications. IaaS would not be appropriate in this scenario because it would require the developers to also deploy and maintain the operating system images or to contract with another firm to do so. SaaS, being a fully functional software platform, would not be appropriate for deploying applications into.
QUESTION NO: 206
You just hired an outside developer to modernize some applications with new web services and functionality. In order to implement a comprehensive test platform for validation, the developer needs a data set that resembles a production data set in both size and composition.
In order to accomplish this, what type of masking would you use?
A. Development
B. Replicated
C. Static
D. Dynamic
Answer: C
Explanation:
Static masking takes a data set and produces a copy of it, but with sensitive data fields masked.
This allows for a full data set from production for testing purposes, but without any sensitive data. Dynamic masking works with a live system and is not used to produce a distinct copy. The terms “replicated” and “development” are not types of masking.
QUESTION NO: 207
In order to prevent cloud customers from potentially consuming enormous amounts of resources within a cloud environment and thus having a negative impact on other customers, what concept is commonly used by a cloud provider?
A. Limit
B. Cap
C. Throttle
D. Reservation
Answer: A
Explanation:
A limit puts a maximum value on the amount of resources that may be consumed by either a system, a service, or a cloud customer. It is commonly used to prevent one entity from consuming enormous amounts of resources and having an operational impact on other tenants within the same cloud system. Limits can either be hard or somewhat flexible, meaning a customer can borrow from other customers while still having their actual limit preserved. A reservation is a guarantee to a cloud customer that a certain level of resources will always be available to them, regardless of what operational demands are currently placed on the cloud environment. Both cap and throttle are terms that sound similar to limit, but they are not the correct terms in this case.
QUESTION NO: 208
Where is a DLP solution generally installed when utilized for monitoring data at rest?
A. Network firewall
B. Host system
C. Application server
D. Database server
Answer: B
Explanation:
To monitor data at rest appropriately, the DLP solution would be installed on the host system where the data resides. A database server, in some situations, may be an appropriate answer, but the host system is the best answer because a database server is only one example of where data could reside. An application server processes data and typically sits between the data and presentation zones, and as such, does not store data at rest. A network firewall would be more appropriate for data in transit because it is not a place where data would reside.
QUESTION NO: 209
Which of the following aspects of security is solely the responsibility of the cloud provider?
A. Regulatory compliance
B. Physical security
C. Operating system auditing
D. Personal security of developers
Answer: B
Explanation:
Regardless of the particular cloud service used, physical security of hardware and facilities is always the sole responsibility of the cloud provider. The cloud provider may release information about their physical security policies and procedures to ensure any particular requirements of potential customers will meet their regulatory obligations. Personal security of developers and regulatory compliance are always the responsibility of the cloud customer. Responsibility for operating systems, and the auditing of them, will differ based on the cloud service category used.
QUESTION NO: 210
Humidity levels for a data center are a prime concern for maintaining electrical and computing resources properly as well as ensuring that conditions are optimal for top performance.
Which of the following is the optimal humidity level, as established by ASHRAE?
A. 20 to 40 percent relative humidity
B. 50 to 75 percent relative humidity
C. 40 to 60 percent relative humidity
D. 30 to 50 percent relative humidity
Answer: C
Explanation:
The American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE) recommends 40 to 60 percent relative humidity for data centers. None of the other options is the recommendation from ASHRAE.
QUESTION NO: 211
Within a SaaS environment, what is the responsibility on the part of the cloud customer in regard to procuring the software used?
A. Maintenance
B. Licensing
C. Development
D. Purchasing
Answer: B
Explanation:
Within a SaaS implementation, the cloud customer licenses the use of the software from the cloud provider because SaaS delivers a fully functional application to the customer. With SaaS, the cloud provider is responsible for the entire software application and any necessary infrastructure to develop, run, and maintain it. The purchasing, development, and maintenance are fully the responsibility of the cloud provider.
QUESTION NO: 212
Implementing baselines on systems would take an enormous amount of time and resources if the staff had to apply them to each server, and over time, it would be almost impossible to keep all the systems in sync on an ongoing basis. Which of the following is NOT a package that can be used for implementing and maintaining baselines across an enterprise?
A. Puppet
B. SCCM
C. Chef
D. GitHub
Answer: D
Explanation:
GitHub is a software development platform that serves as a code repository and versioning system. It is solely used for software development and would not be appropriate for applying baselines to systems. Puppet is an open-source configuration management tool that runs on many platforms and can be used to apply and maintain baselines. System Center Configuration Manager (SCCM) was developed by Microsoft for managing systems across large groups of servers. Chef is also a system for maintaining large groups of systems throughout an enterprise.
QUESTION NO: 213
From the perspective of compliance, what is the most important consideration when it comes to data center location?
A. Natural disasters
B. Utility access
C. Jurisdiction
D. Personnel access
Answer: C
Explanation:
Jurisdiction will dictate much of the compliance and audit requirements for a data center. Although all the aspects listed are very important to security, from a strict compliance perspective, jurisdiction is the most important. Personnel access, natural disasters, and utility access are all important operational considerations for selecting a data center location, but they are not related to compliance issues like jurisdiction is.
QUESTION NO: 214
Different certifications and standards take different approaches to data center design and operations. Although many traditional approaches use a tiered methodology, which of the following utilizes a macro-level approach to data center design?
A. IDCA
B. BICSI
C. Uptime Institute
D. NFPA
Answer: A
Explanation:
The Infinity Paradigm of the International Data Center Authority (IDCA) takes a macro-level approach to data center design. The IDCA does not use a specific, focused approach on specific components to achieve tier status. Building Industry Consulting Services International (BICSI) issues certifications for data center cabling. The National Fire Protection Association (NFPA) publishes a broad range of fire safety and design standards for many different types of facilities. The Uptime Institute publishes the most widely known and used standard for data center topologies and tiers.
QUESTION NO: 215
The European Union is often considered the world leader in regard to the privacy of personal data and has declared privacy to be a “human right.”
In what year did the EU first assert this principle?
A. 1995
B. 2000
C. 2010
D. 1999
Answer: A
Explanation:
The EU passed Directive 95/46/EC in 1995, which established data privacy as a human right. The other years listed are incorrect.
QUESTION NO: 216
A DLP solution/implementation has three main components.
Which of the following is NOT one of the three main components?
A. Monitoring
B. Enforcement
C. Auditing
D. Discovery and classification
Answer: C
Explanation:
Auditing, which can be supported to varying degrees by DLP solutions, is not a core component of them. Data loss prevention (DLP) solutions have core components of discovery and classification, enforcement, and monitoring. Discovery and classification are concerned with determining which data should be applied to the DLP policies, and then determining its classification level. Monitoring is concerned with the actual watching of data and how it’s used through its various stages. Enforcement is the actual application of policies determined from the discovery stage and then triggered during the monitoring stage.
QUESTION NO: 217
What type of storage structure does object storage employ to maintain files?
A. Directory
B. Hierarchical
C. Tree
D. Flat
Answer: D
Explanation:
Object storage uses a flat file system to hold storage objects; it assigns files a key value that is then used to access them, rather than relying on directories or descriptive filenames. Typical storage layouts such as tree, directory, and hierarchical structures are used within volume storage, whereas object storage maintains a flat structure with key values.
QUESTION NO: 218
Which cloud storage type requires special consideration on the part of the cloud customer to ensure they do not program themselves into a vendor lock-in situation?
A. Unstructured
B. Object
C. Volume
D. Structured
Answer: D
Explanation:
Structured storage is designed, maintained, and implemented by a cloud service provider as part of a PaaS offering. It is specific to that cloud provider and the way they have opted to implement systems, so special care is required to ensure that applications are not designed in a way that will lock the cloud customer into a specific cloud provider with that dependency. Unstructured storage for auxiliary files would not lock a customer into a specific provider. With volume and object storage, because the cloud customer maintains their own systems with IaaS, moving and replicating to a different cloud provider would be very easy.
QUESTION NO: 219
Which cloud deployment model would be ideal for a group of universities looking to work together, where each university can gain benefits according to its specific needs?
A. Private
B. Public
C. Hybrid
D. Community
Answer: D
Explanation:
A community cloud is owned and maintained by similar organizations working toward a common goal. In this case, the universities would all have very similar needs and calendar requirements, and they would not be financial competitors of each other. Therefore, this would be an ideal group for working together within a community cloud. A public cloud model would not work in this scenario because it is designed to serve the largest number of customers, would not likely be targeted toward specific requirements for individual customers, and would not be willing to make changes for them. A private cloud could accommodate such needs, but would not meet the criteria for a group working together, and a hybrid cloud spanning multiple cloud providers would not fit the specifics of the question.
QUESTION NO: 220
Data centers have enormous power resources that are distributed and consumed throughout the entire facility.
Which of the following standards pertains to the proper fire safety standards within that scope?
A. IDCA
B. BICSI
C. NFPA
D. Uptime Institute
Answer: C
Explanation:
The National Fire Protection Association (NFPA) publishes a broad range of fire safety and design standards for many different types of facilities. Building Industry Consulting Services International (BICSI) issues certifications for data center cabling. The Uptime Institute publishes the most widely known and used standard for data center topologies and tiers. The International Data Center Authority (IDCA) offers the Infinity Paradigm, which takes a macro-level approach to data center design.
QUESTION NO: 221
Which of the following threat types involves an application that does not validate authorization for portions of itself beyond when the user first enters it?
A. Cross-site request forgery
B. Missing function-level access control
C. Injection
D. Cross-site scripting
Answer: B
Explanation:
It is imperative that applications do checks when each function or portion of the application is accessed to ensure that the user is properly authorized. Without continual checks each time a function is accessed, an attacker could forge requests to access portions of the application where authorization has not been granted. An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries. Cross-site scripting occurs when an attacker is able to send untrusted data to a user’s browser without going through validation processes. Cross-site request forgery occurs when an attacker forces an authenticated user to send forged requests to an application running under their own access and credentials.
QUESTION NO: 222
Clustered systems can be used to ensure high availability and load balancing across individual systems through a variety of methodologies.
What process is used within a clustered system to ensure proper load balancing and to maintain the health of the overall system to provide high availability?
A. Distributed clustering
B. Distributed balancing
C. Distributed optimization
D. Distributed resource scheduling
Answer: D
Explanation:
Distributed resource scheduling (DRS) is used within all clustered systems as the method for providing high availability, scaling, management, workload distribution, and the balancing of jobs and processes. None of the other choices is the correct term in this case.
QUESTION NO: 223
Although the REST API supports a wide variety of data formats for communications and exchange, which data formats are the most commonly used?
A. SAML and HTML
B. XML and SAML
C. XML and JSON
D. JSON and SAML
Answer: C
Explanation:
JavaScript Object Notation (JSON) and Extensible Markup Language (XML) are the most commonly used data formats for the Representational State Transfer (REST) API and are typically implemented with caching for increased scalability and performance. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. HTML is used for authoring web pages for consumption by web browsers.
QUESTION NO: 224
The share phase of the cloud data lifecycle involves allowing data to leave the application, to be shared with external systems, services, or even other vendors/contractors.
What technology would be useful for protecting data at this point?
A. IDS
B. DLP
C. IPS
D. WAF
Answer: B
Explanation:
Data loss prevention (DLP) solutions allow for control of data outside of the application or original system. They can enforce granular control such as printing, copying, and being read by others, as well as forcing expiration of access. Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions are used for detecting and blocking suspicious and malicious traffic, respectively, whereas a web application firewall (WAF) is used for enforcing security or other controls on web-based applications.
QUESTION NO: 225
When an API is being leveraged, it will encapsulate its data for transmission back to the requesting party or service.
What is the data encapsulation used with the SOAP protocol referred to as?
A. Packet
B. Payload
C. Object
D. Envelope
Answer: D
Explanation:
Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope. It then leverages common communications protocols for transmission. Object is a type of cloud storage, but also a commonly used term with certain types of programming languages. Packet and payload are terms that sound similar to envelope but are not correct in this case.
QUESTION NO: 226
From a security perspective, what component of a cloud computing infrastructure represents the biggest concern?
A. Hypervisor
B. Management plane
C. Object storage
D. Encryption
Answer: B
Explanation:
The management plane will have broad administrative access to all host systems throughout an environment; as such, it represents the most pressing security concern. A compromise of the management plane can directly lead to compromises of any other systems within the environment. Although hypervisors represent a significant security concern to an environment because their compromise would expose any virtual systems hosted within them, the management plane is a better choice in this case because it controls multiple hypervisors. Encryption and object storage both represent lower-level security concerns.
QUESTION NO: 227
Which of the following is NOT one of the main intended goals of a DLP solution?
A. Showing due diligence
B. Preventing malicious insiders
C. Regulatory compliance
D. Managing and minimizing risk
Answer: B
Explanation:
Data loss prevention (DLP) extends the capabilities for data protection beyond the standard and traditional security controls that are offered by operating systems, application containers, and network devices. DLP is not specifically implemented to counter malicious insiders, and would not be particularly effective in doing so, because a malicious insider with legitimate access would have other ways to obtain data. DLP is a set of practices and controls to manage and minimize risk, comply with regulatory requirements, and show due diligence with the protection of data.
QUESTION NO: 228
Data center and operations design traditionally takes a tiered, topological approach.
Which of the following standards is focused on that approach and is prevalently used throughout the industry?
A. IDCA
B. NFPA
C. BICSI
D. Uptime Institute
Answer: D
Explanation:
The Uptime Institute publishes the most widely known and used standard for data center topologies and tiers. The National Fire Protection Association (NFPA) publishes a broad range of fire safety and design standards for many different types of facilities. Building Industry Consulting Services International (BICSI) issues certifications for data center cabling. The International Data Center Authority (IDCA) offers the Infinity Paradigm, which takes a macro-level approach to data center design.
QUESTION NO: 229
Jurisdictions have a broad range of privacy requirements pertaining to the handling of personal data and information. Which jurisdiction requires all storage and processing of data that pertains to its citizens to be done on hardware that is physically located within its borders?
A. Japan
B. United States
C. European Union
D. Russia
Answer: D
Explanation:
The Russian government requires all data and processing of information about its citizens to be done solely on systems and applications that reside within the physical borders of the country. The United States, European Union, and Japan focus their data privacy laws on requirements and methods for the protection of data, rather than where the data physically resides.
QUESTION NO: 230
The management plane is used to administer a cloud environment and perform administrative tasks across a variety of systems, but most specifically it’s used with the hypervisors.
What does the management plane typically leverage for this orchestration?
A. APIs
B. Scripts
C. TLS
D. XML
Answer: A
Explanation:
The management plane uses APIs to execute remote calls across the cloud environment to various management systems, especially hypervisors. This allows a centralized administrative interface, often a web portal, to orchestrate tasks throughout an enterprise. Scripts may be utilized to execute API calls, but they are not used directly to interact with systems. XML is used for data encoding and transmission, but not for executing remote calls. TLS is used to encrypt communications and may be used with API calls, but it is not the actual process for executing commands.
QUESTION NO: 231
When dealing with PII, which category pertains to those requirements that can carry legal sanctions or penalties for failure to adequately safeguard the data and address compliance requirements?
A. Contractual
B. Jurisdictional
C. Regulated
D. Legal
Answer: C
Explanation:
Regulated PII pertains to data that is outlined in law and regulations. Violations of the requirements for the protection of regulated PII can carry legal sanctions or penalties. Contractual PII involves required data protection that is determined by the actual service contract between the cloud provider and cloud customer, rather than outlined by law. Violations of the provisions of contractual PII carry potential financial or contractual implications, but not legal sanctions. Legal and jurisdictional are similar terms to regulated, but neither is the official term used.
QUESTION NO: 232
Although the United States does not have a single, comprehensive privacy and regulatory framework, a number of specific regulations pertain to types of data or populations.
Which of the following is NOT a regulatory system from the United States federal government?
A. HIPAA
B. SOX
C. FISMA
D. PCI DSS
Answer: D
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) pertains to organizations that handle credit card transactions and is an industry-regulatory standard, not a governmental one. The Sarbanes-Oxley Act (SOX) was passed in 2002 and pertains to financial records and reporting, as well as transparency requirements for shareholders and other stakeholders. The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and pertains to data privacy and security for medical records. FISMA refers to the Federal Information Security Management Act of 2002 and pertains to the protection of all US federal government IT systems, with the exception of national security systems.
QUESTION NO: 233
The president of your company has tasked you with implementing cloud services as the most efficient way of obtaining a robust disaster recovery configuration for your production services.
Which of the cloud deployment models would you MOST likely be exploring?
A. Hybrid
B. Private
C. Community
D. Public
Answer: A
Explanation:
A hybrid cloud model spans two or more different hosting configurations or cloud providers. This would enable an organization to continue using its current hosting configuration while adding cloud services to enable disaster recovery capabilities. The other cloud deployment models (public, private, and community) would not be applicable when cloud services are to be leveraged for disaster recovery rather than for production service hosting.
QUESTION NO: 234
If you are running an application that has strict legal requirements that the data cannot reside on systems that contain other applications or systems, which aspect of cloud computing would be prohibitive in this case?
A. Multi Tenancy
B. Broad network access
C. Portability
D. Elasticity
Answer: A
Explanation:
Multitenancy is the aspect of cloud computing that involves having multiple customers and applications running within the same system and sharing the same resources. Although considerable mechanisms are in place to ensure isolation and separation, the data and applications are ultimately using shared resources. Broad network access refers to the ability to access cloud services from any location or client. Portability refers to the ability to easily move cloud services between different cloud providers, whereas elasticity refers to the capabilities of a cloud environment to add or remove services, as needed, to meet current demand.
QUESTION NO: 235
The REST API is a widely used standard for communications of web-based services between clients and the servers hosting them.
Which protocol does the REST API depend on?
A. HTTP
B. SSH
C. SAML
D. XML
Answer: A
Explanation:
Representational State Transfer (REST) is a software architectural scheme that applies the components, connectors, and data conduits for many web applications used on the Internet. It uses and relies on the HTTP protocol and supports a variety of data formats. Extensible Markup Language (XML) and Security Assertion Markup Language (SAML) are both standards for exchanging encoded data between two parties, with XML being for more general use and SAML focused on authentication and authorization data. Secure Shell (SSH) is a secure method for allowing remote login to systems over a network.
QUESTION NO: 236
Which of the following actions will NOT make data part of the create phase of the cloud data lifecycle?
A. Modify data
B. Modify metadata
C. New data
D. Import data
Answer: B
Explanation:
Modifying the metadata does not change the actual data. Although this initial phase is called “create,” it can also refer to modification. In essence, any time data is considered “new,” it is in the create phase. This can come from data that is newly created, data that is imported into a system and is new to that system, or data that is already present and is modified into a new form or value.
QUESTION NO: 237
Most APIs will support a variety of different data formats or structures.
However, the SOAP API will only support which one of the following data formats?
A. XML
B. XSLT
C. JSON
D. SAML
Answer: A
Explanation:
The Simple Object Access Protocol (SOAP) only supports the Extensible Markup Language (XML) data format. Although the other options are all data formats or data structures, they are not supported by SOAP.
QUESTION NO: 238
Which cloud storage type is typically used to house virtual machine images that are used throughout the environment?
A. Structured
B. Unstructured
C. Volume
D. Object
Answer: D
Explanation:
Object storage is typically used to house virtual machine images because it is independent from other systems and is focused solely on storage. It is also the most appropriate for handling large individual files. Volume storage, because it is allocated to a specific host, would not be appropriate for the storing of virtual images. Structured and unstructured are storage types specific to PaaS and would not be used for storing items used throughout a cloud environment.
QUESTION NO: 239
With an API, various features and optimizations are highly desirable for scalability, reliability, and security. What does the REST API support that the SOAP API does NOT support?
A. Acceleration
B. Caching
C. Redundancy
D. Encryption
Answer: B
Explanation:
The Simple Object Access Protocol (SOAP) does not support caching, whereas the Representational State Transfer (REST) API does. The other options are all capabilities that are either not supported by SOAP or not supported by any API and must be provided by external features.
QUESTION NO: 240
Although much of the attention given to data security is focused on keeping data private and only accessible by authorized individuals, of equal importance is the trustworthiness of the data.
Which concept encapsulates this?
A. Validity
B. Integrity
C. Accessibility
D. Confidentiality
Answer: B
Explanation:
Integrity refers to the trustworthiness of data and whether its format and values are true and have not been corrupted or otherwise altered through unauthorized means. Confidentiality refers to keeping data from being accessed or viewed by unauthorized parties. Accessibility means that data is available and ready when needed by a user or service. Validity can mean a variety of things that are somewhat similar to integrity, but it’s not the most appropriate answer in this case.