EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies?

Question2: You work for a government research facility. Your organization often shares data with other government research organizations.
You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations.
Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources.
If you don't use cross-certification, what other model can you implement for this purpose?
Response:

Question3: The different cloud service models have varying levels of responsibilities for functions and operations depending with the model's level of service.
In which of the following models would the responsibility for patching lie predominantly with the cloud customer?

Question4: Which of the cloud cross-cutting aspects relates to the ability for a cloud customer to easily remove their applications and data from a cloud environment?

Question5: Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance?

Question6: Cloud systems are increasingly used for BCDR solutions for organizations.
What aspect of cloud computing makes their use for BCDR the most attractive?

Question7: Which of the following is considered a physical control?

Question8: A DLP solution/implementation has three main components.
Which of the following is NOT one of the three main components?

Question9: Which of the cloud cross-cutting aspects relates to the oversight of processes and systems, as well as to ensuring their compliance with specific policies and regulations?

Question10: Which of the following threat types involves an application developer leaving references to internal information and configurations in code that is exposed to the client?

Question11: Which technology can be useful during the "share" phase of the cloud data lifecycle to continue to protect data as it leaves the original system and security controls?

Question12: What is the primary reason that makes resolving jurisdictional conflicts complicated?

Question13: Cryptographic keys should be secured ________________ .

Question14: Which of these characteristics of a virtualized network adds risks to the cloud environment?

Question15: What does static application security testing (SAST) offer as a tool to the testers that makes it unique compared to other common security testing methodologies?

Question16: Which of the following could be used as a second component of multifactor authentication if a user has an RSA token?

Question17: A main objective for an organization when utilizing cloud services is to avoid vendor lock-in so as to ensure flexibility and maintain independence.
Which core concept of cloud computing is most related to vendor lock-in?

Question18: The REST API is a widely used standard for communications of web-based services between clients and the servers hosting them.
Which protocol does the REST API depend on?

Question19: Application virtualization can typically be used for ____________.

Question20: Which of the cloud cross-cutting aspects relates to the oversight of processes and systems, as well as to ensuring their compliance with specific policies and regulations?

Question21: Who would be responsible for implementing IPsec to secure communications for an application?

Question22: Which of the following terms is NOT a commonly used category of risk acceptance?

Question23: Which of the following is NOT a commonly used communications method within cloud environments to secure data in transit?

Question24: Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner?

Question25: Which one of the following is not one of the three common threat modeling techniques?
Response:

Question26: What type of host is exposed to the public Internet for a specific reason and hardened to perform only that function for authorized users?

Question27: The cloud deployment model that features joint ownership of assets among an affinity group is known as:
Response:

Question28: As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphi, Congress passed legislation known as:

Question29: Which of the following best describes SAML?
Response:

Question30: Which of the following threat types can occur when encryption is not properly applied or insecure transport mechanisms are used?

Question31: Which United States law is focused on accounting and financial practices of organizations?

Question32: The cloud customer's trust in the cloud provider can be enhanced by all of the following except:

Question33: Which of the following would be considered an example of insufficient due diligence leading to security or operational problems when moving to a cloud?

Question34: Which protocol, as a part of TLS, handles negotiating and establishing a connection between two parties?

Question35: In a data retention policy, what is perhaps the most crucial element?
Response:

Question36: On large distributed systems with pooled resources, cloud computing relies on extensive orchestration to maintain the environment and the constant provisioning of resources.
Which of the following is crucial to the orchestration and automation of networking resources within a cloud?

Question37: Which of the following is NOT an application or utility to apply and enforce baselines on a system?

Question38: GAAPs are created and maintained by which organization?

Question39: Modern web service systems are designed for high availability and resiliency. Which concept pertains to the ability to detect problems within a system, environment, or application and programmatically invoke redundant systems or processes for mitigation?

Question40: With a cloud service category where the cloud customer is responsible for deploying all services, systems, and components needed for their applications, which of the following storage types are MOST likely to be available to them?

Question41: Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks?

Question42: Which of the following terms is NOT a commonly used category of risk acceptance?

Question43: Hardening the operating system refers to all of the following except:

Question44: Single sign-on systems work by authenticating users from a centralized location or using a centralized method, and then allowing applications that trust the system to grant those users access. What would be passed between the authentication system and the applications to grant a user access?
Response:

Question45: Which data formats are most commonly used with the REST API?

Question46: Which network protocol is essential for allowing automation and orchestration within a cloud environment?
Response:

Question47: GAAPs are created and maintained by which organization?

Question48: Where is a DLP solution generally installed when utilized for monitoring data in use?

Question49: Which crucial aspect of cloud computing can be most threatened by insecure APIs?

Question50: Database activity monitoring (DAM) can be:

Question51: In the cloud motif, the data owner is usually:

Question52: You work for a government research facility. Your organization often shares data with other government research organizations.
You would like to create a single sign-on experience across the organizations, where users at each organization can sign in with the user ID/authentication issued by that organization, then access research data in all the other organizations.
Instead of replicating the data stores of each organization at every other organization (which is one way of accomplishing this goal), you instead want every user to have access to each organization's specific storage resources.
In order to pass the user IDs and authenticating credentials of each user among the organizations, what protocol/language/motif will you most likely utilize?
Response:

Question53: Proper implementation of DLP solutions for successful function requires which of the following?

Question54: Single sign-on systems work by authenticating users from a centralized location or using a centralized method, and then allowing applications that trust the system to grant those users access. What would be passed between the authentication system and the applications to grant a user access?

Question55: When an API is being leveraged, it will encapsulate its data for transmission back to the requesting party or service.
What is the data encapsulation used with the SOAP protocol referred to as?

Question56: Which security concept is based on preventing unauthorized access to data while also ensuring that it is accessible to those authorized to use it?

Question57: Which cloud service category brings with it the most expensive startup costs, but also the lowest costs for ongoing support and maintenance staff?

Question58: Which data state would be most likely to use TLS as a protection mechanism?

Question59: Which of the following storage types is most closely associated with a traditional file system and tree structure?

Question60: What is the federal agency that accepts applications for new patents?

Question61: Countermeasures for protecting cloud operations against internal threats include all of the following except:

Question62: Which of the following top security threats involves attempting to send invalid commands to an application in an attempt to get the application to execute the code?

Question63: Which of the following is NOT something that an HIDS will monitor?

Question64: Which of the following threat types involves the sending of untrusted data to a user's browser to be executed with their own credentials and access?

Question65: It's important to maintain a current asset inventory list, including surveying your environment on a regular basis, in order to ____________.
Response:

Question66: Which of the following service capabilities gives the cloud customer the most control over resources and configurations?

Question67: The cloud customer's trust in the cloud provider can be enhanced by all of the following except:

Question68: When a system needs to be exposed to the public Internet, what type of secure system would be used to perform only the desired operations?

Question69: All of the following are usually nonfunctional requirements except ____________.
Response:

Question70: Your organization has made it a top priority that any cloud environment being considered to host production systems have guarantees that resources will always be available for allocation when needed.
Which of the following concepts will you need to ensure is part of the contract and SLA?

Question71: Most APIs will support a variety of different data formats or structures.
However, the SOAP API will only support which one of the following data formats?

Question72: Which of the cloud cross-cutting aspects relates to the requirements placed on a system or application by law, policy, or requirements from standards?

Question73: Which of the following is NOT a core component of an SIEM solution?
Response:

Question74: DAST checks software functionality in ____________.
Response:

Question75: Which of the following is the concept of segregating information or processes, within the same system or application, for security reasons?

Question76: What type of host is exposed to the public Internet for a specific reason and hardened to perform only that function for authorized users?

Question77: If a key feature of cloud computing that your organization desires is the ability to scale and expand without limit or concern about available resources, which cloud deployment model would you MOST likely be considering?

Question78: DLP solutions can aid in deterring loss due to which of the following?

Question79: What is the intellectual property protection for the tangible expression of a creative idea?

Question80: A loosely coupled storage cluster will have performance and capacity limitations based on the ____________.
Response:

Question81: Why does a Type 1 hypervisor typically offer tighter security controls than a Type 2 hypervisor?

Question82: Although much of the attention given to data security is focused on keeping data private and only accessible by authorized individuals, of equal importance is the trustworthiness of the data.
Which concept encapsulates this?

Question83: Which of the following actions will NOT make data part of the "create" phase of the cloud data lifecycle?

Question84: To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except:

Question85: Which of the following is not a component of contractual PII?

Question86: Which of the following security technologies is commonly used to give administrators access into trust zones within an environment?

Question87: A truly airgapped machine selector will ____________.
Response:

Question88: For performance purposes, OS monitoring should include all of the following except:

Question89: Countermeasures for protecting cloud operations against external attackers include all of the following except:

Question90: What are SOC 1/SOC 2/SOC 3?

Question91: For performance purposes, OS monitoring should include all of the following except:

Question92: What type of masking strategy involves making a separate and distinct copy of data with masking in place?

Question93: Which cloud storage type is typically used to house virtual machine images that are used throughout the environment?

Question94: What type of software is often considered secured and validated via community knowledge?

Question95: What type of device is often leveraged to assist legacy applications that may not have the programmatic capability to process assertions from modern web services?

Question96: What is a key component of GLBA?

Question97: Which of the following is the MOST important requirement and guidance for testing during an audit?

Question98: What are the objectives of change management?
(Choose all that apply.)
Response:

Question99: Which of the following best describes data masking?

Question100: Every security program and process should have which of the following?

Question101: Which of the following is not an enforceable governmental request?

Question102: Which of the following is the MOST important requirement and guidance for testing during an audit?

Question103: The Cloud Security Alliance's (CSA's) Cloud Controls Matrix (CCM) addresses all the following security architecture elements except ____________.
Response:

Question104: What does a cloud customer purchase or obtain from a cloud provider?

Question105: Many of the traditional concepts of systems and services for a traditional data center also apply to the cloud.
Both are built around key computing concepts.
Which of the following compromise the two facets of computing?

Question106: Which of the following is essential for getting full security value from your system baseline?

Question107: Which is the appropriate phase of the cloud data lifecycle for determining the data's classification?

Question108: Data masking can be used to provide all of the following functionality, except:

Question109: What is the cloud service model in which the customer is responsible for administration of the OS?

Question110: Which protocol operates at the network layer and provides for full point-to-point encryption of all communications and transmissions?

Question111: Although encryption can help an organization to effectively decrease the possibility of data breaches, which other type of threat can it increase the chances of?
Response:

Question112: All of the following are terms used to described the practice of obscuring original raw data so that only a portion is displayed for operational purposes, except:
Response:

Question113: A crucial decision any company must make is in regard to where it hosts the data systems it depends on.
A debate exists as to whether it's best to lease space in a data center or build your own data center--and now with cloud computing, whether to purchase resources within a cloud.
What is the biggest advantage to leasing space in a data center versus procuring cloud services?

Question114: Although much of the attention given to data security is focused on keeping data private and only accessible by authorized individuals, of equal importance is the trustworthiness of the data.
Which concept encapsulates this?

Question115: Which of the following might make crypto-shredding difficult or useless?
Response:

Question116: Which security concept is focused on the trustworthiness of data?

Question117: Your company maintains an on-premises data center for daily production activities but wants to use a cloud service to augment this capability during times of increased demand (cloud bursting).
Which deployment model would probably best suit the company's needs?
Response:

Question118: Upon completing a risk analysis, a company has four different approaches to addressing risk.
Which approach it takes will be based on costs, available options, and adherence to any regulatory requirements from independent audits.
Which of the following groupings correctly represents the four possible approaches?

Question119: Which type of testing uses the same strategies and toolsets that hackers would use?

Question120: Which of the cloud deployment models offers the easiest initial setup and access for the cloud customer?

Question121: What does static application security testing (SAST) offer as a tool to the testers that makes it unique compared to other common security testing methodologies?

Question122: Which ITIL component focuses on ensuring that system resources, processes, and personnel are properly allocated to meet SLA requirements?

Question123: Which of the following is NOT considered a type of data loss?

Question124: Which of the following may unilaterally deem a cloud hosting model inappropriate for a system or application?

Question125: Which of the following roles involves the provisioning and delivery of cloud services?

Question126: BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the amount of data and services needed to reach the predetermined level of operations?

Question127: Which of the following are attributes of cloud computing?

Question128: Which of the following represents a minimum guaranteed resource within a cloud environment for the cloud customer?

Question129: Which of the following roles would be responsible for managing memberships in federations and the use and integration of federated services?

Question130: Which of the following would probably best aid an organization in deciding whether to migrate from a legacy environment to a particular cloud provider?

Question131: With IaaS, what is responsible for handling the security and control over the volume storage space?

Question132: Digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM) often protect unauthorized distribution of what type of intellectual property?
Response:

Question133: What masking strategy involves the replacing of sensitive data at the time it is accessed and used as it flows between the data and application layers of a service?

Question134: Which of the following is the best example of a key component of regulated PII?

Question135: What type of security threat is DNSSEC designed to prevent?

Question136: Which of the following best describes a cloud carrier?

Question137: Data labels could include all the following, except:

Question138: Which of the following is a widely used tool for code development, branching, and collaboration?

Question139: The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "unvalidated redirects and forwards." Which of the following is a good way to protect against this problem?
Response:

Question140: Which aspect of cloud computing will be most negatively impacted by vendor lock-in?

Question141: Which of the following tasks within a SaaS environment would NOT be something the cloud customer would be responsible for?

Question142: Which of the following best describes data masking?

Question143: In a cloud environment, encryption should be used for all the following, except:

Question144: Which component of ITIL involves handling anything that can impact services for either internal or public users?

Question145: Of the following, which is probably the most significant risk in a managed cloud environment?

Question146: Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?
Response:

Question147: Although performing BCDR tests at regular intervals is a best practice to ensure processes and documentation are still relevant and efficient, which of the following represents a reason to conduct a BCDR review outside of the regular interval?

Question148: Which cloud deployment model is MOST likely to offer free or very cheap services to users?

Question149: Which of the following service categories entails the least amount of support needed on the part of the cloud customer?

Question150: The tasks performed by the hypervisor in the virtual environment can most be likened to the tasks of the
________ in the legacy environment.
Response:

Question151: Within a SaaS environment, what is the responsibility on the part of the cloud customer in regard to procuring the software used?

Question152: All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline, except ____________.
Response:

Question153: Which cloud service category would be most ideal for a cloud customer that is developing software to test its applications among multiple hosting providers to determine the best option for its needs?

Question154: What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function?

Question155: IRM solutions allow an organization to place different restrictions on data usage than would otherwise be possible through traditional security controls.
Which of the following controls would be possible with IRM that would not with traditional security controls?

Question156: Which of the following methods of addressing risk is most associated with insurance?

Question157: Which of the following roles is responsible for preparing systems for the cloud, administering and monitoring services, and managing inventory and assets?

Question158: Unlike SOC Type 1 reports, which are based on a specific point in time, SOC Type 2 reports are done over a period of time. What is the minimum span of time for a SOC Type 2 report?

Question159: In a cloud environment, encryption should be used for all the following, except:

Question160: Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority?

Question161: Which of the following is NOT a major regulatory framework?

Question162: What must be secured on physical hardware to prevent unauthorized access to systems?

Question163: Which of the cloud deployment models is used by popular services such as iCloud, Dropbox, and OneDrive?

Question164: Which aspect of archiving must be tested regularly for the duration of retention requirements?

Question165: To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except:

Question166: Which ITIL component is an ongoing, iterative process of tracking all deployed and configured resources that an organization uses and depends on, whether they are hosted in a traditional data center or a cloud?

Question167: Which entity requires all collection and storing of data on their citizens to be done on hardware that resides within their borders?

Question168: Which of the following is NOT one of the official risk rating categories?

Question169: Which of the following threat types involves the sending of commands or arbitrary data through input fields in an application in an attempt to get that code executed as part of normal processing?

Question170: Which of the following is not a way to manage risk?

Question171: A UPS should have enough power to last how long?

Question172: Which of the following roles involves testing, monitoring, and securing cloud services for an organization?

Question173: Why does a Type 1 hypervisor typically offer tighter security controls than a Type 2 hypervisor?

Question174: APIs are defined as which of the following?

Question175: Which concept BEST describes the capability for a cloud environment to automatically scale a system or application, based on its current resource demands?

Question176: Which of the following is NOT part of a retention policy?

Question177: Which data sanitation method is also commonly referred to as "zeroing"?

Question178: There are many situations when testing a BCDR plan is appropriate or mandated.
Which of the following would not be a necessary time to test a BCDR plan?

Question179: Which networking concept in a cloud environment allows for network segregation and isolation of IP spaces?

Question180: Which protocol allows a system to use block-level storage as if it was a SAN, but over TCP network traffic instead?

Question181: There are many situations when testing a BCDR plan is appropriate or mandated.
Which of the following would not be a necessary time to test a BCDR plan?

Question182: Different security testing methodologies offer different strategies and approaches to testing systems, requiring security personnel to determine the best type to use for their specific circumstances.
What does dynamic application security testing (DAST) NOT entail that SAST does?

Question183: The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement?

Question184: Which of the following is NOT a major regulatory framework?

Question185: What is one of the reasons a baseline might be changed?

Question186: What is the intellectual property protection for the logo of a new video game?
Response:

Question187: Which of the following should NOT be part of the requirement analysis phase of the software development lifecycle?

Question188: Implementing baselines on systems would take an enormous amount of time and resources if the staff had to apply them to each server, and over time, it would be almost impossible to keep all the systems in sync on an ongoing basis.
Which of the following is NOT a package that can be used for implementing and maintaining baselines across an enterprise?

Question189: Which component of ITIL involves planning for the restoration of services after an unexpected outage or incident?

Question190: Which of the following would NOT be considered part of resource pooling with an Infrastructure as a Service implementation?

Question191: Which format is the most commonly used standard for exchanging information within a federated identity system?

Question192: With the rapid emergence of cloud computing, very few regulations were in place that pertained to it specifically, and organizations often had to resort to using a collection of regulations that were not specific to cloud in order to drive audits and policies.
Which standard from the ISO/IEC was designed specifically for cloud computing?

Question193: Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except:

Question194: BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.
Which concept pertains to the amount of data and services needed to reach the predetermined level of operations?

Question195: What is the only data format permitted with the SOAP API?

Question196: Vulnerability scans are dependent on ________ in order to function.
Response:

Question197: You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment.
In order to get truly holistic coverage of your environment, you should be sure to include __________ as a step in the deployment process.
Response:

Question198: What must SOAP rely on for security since it does not provide security as a built-in capability?

Question199: The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is composed by a member-driven OWASP committee of application development experts and published approximately every 24 months. The 2013 OWASP Top Ten list includes "injection." In most cases, what is the method for reducing the risk of an injection attack?
Response:

Question200: Which of the following terms is not associated with cloud forensics?

Question201: In the wake of many scandals with major corporations involving fraud and the deception of investors and regulators, which of the following laws was passed to govern accounting and financial records and disclosures?

Question202: Which of the following approaches would NOT be considered sufficient to meet the requirements of secure data destruction within a cloud environment?

Question203: Which European Union directive pertains to personal data privacy and an individual's control over their personal data?

Question204: Which of the following is the least challenging with regard to eDiscovery in the cloud?

Question205: The physical layout of a cloud data center campus should include redundancies of all the following except ____________.
Response:

Question206: What is the only data format permitted with the SOAP API?

Question207: When data discovery is undertaken, three main approaches or strategies are commonly used to determine what the type of data, its format, and composition are for the purposes of classification.
Which of the following is NOT one of the three main approaches to data discovery?

Question208: There are two reasons to conduct a test of the organization's recovery from backup in an environment other than the primary production environment. Which of the following is one of them?
Response:

Question209: Which of the following technologies is used to monitor network traffic and notify if any potential threats or attacks are noticed?

Question210: Which of the following is NOT a key area for performance monitoring as far as an SLA is concerned?

Question211: You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a PaaS model with a major cloud provider.
Your company policies have allowed for a BYOD workforce that work equally from the company offices and their own homes or other locations. The policies also allow users to select which APIs they install and use on their own devices in order to access and manipulate company data.
Of the following, what is a security control you'd like to implement to offset the risk(s) incurred by this practice?

Question212: What is used with a single sign-on system for authentication after the identity provider has successfully authenticated a user?
Response:

Question213: Which of the following roles is responsible for preparing systems for the cloud, administering and monitoring services, and managing inventory and assets?

Question214: You are the security manager of a small firm that has just purchased a DLP solution to implement in your cloud-based production environment.
Which of these activities should you perform before deploying the tool?

Question215: Which type of cloud model typically presents the most challenges to a cloud customer during the "destroy" phase of the cloud data lifecycle?

Question216: When an API is being leveraged, it will encapsulate its data for transmission back to the requesting party or service.
What is the data encapsulation used with the SOAP protocol referred to as?

Question217: Which technology is NOT commonly used for security with data in transit?

Question218: DLP can be combined with what other security technology to enhance data controls?

Question219: Which data protection strategy would be useful for a situation where the ability to remove sensitive data from a set is needed, but a requirement to retain the ability to map back to the original values is also present?

Question220: What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?

Question221: What type of software is often considered secured and validated via community knowledge?
Response:

Question222: Which of the following terms is NOT a commonly used category of risk acceptance?

Question223: Which of the following is NOT one of five principles of SOC Type 2 audits?

Question224: The goals of DLP solution implementation include all of the following, except:

Question225: When an organization is considering a cloud environment for hosting BCDR solutions, which of the following would be the greatest concern?

Question226: Which data state would be most likely to use TLS as a protection mechanism?

Question227: Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the SLA?
Response:

Question228: Identity and access management (IAM) is a security discipline that ensures which of the following?

Question229: Which of the following tasks within a SaaS environment would NOT be something the cloud customer would be responsible for?

Question230: Many different common threats exist against web-exposed services and applications. One attack involves attempting to leverage input fields to execute queries in a nested fashion that is unintended by the developers.
What type of attack is this?

Question231: Which of the following roles is responsible for creating cloud components and the testing and validation of services?

Question232: Which type of testing tends to produce the best and most comprehensive results for discovering system vulnerabilities?

Question233: Which ISO/IEC standards set documents the cloud definitions for staffing and official roles?
Response:

Question234: Which phase of the cloud data lifecycle also typically entails the process of data classification?

Question235: What is a data custodian responsible for?

Question236: Your new CISO is placing increased importance and focus on regulatory compliance as your applications and systems move into cloud environments.
Which of the following would NOT be a major focus of yours as you develop a project plan to focus on regulatory compliance?

Question237: Which cloud service category is MOST likely to use a client-side key management system?
Response:

Question238: The management plane is used to administer a cloud environment and perform administrative tasks across a variety of systems, but most specifically it's used with the hypervisors.
What does the management plane typically leverage for this orchestration?

Question239: If a cloud computing customer wishes to guarantee that a minimum level of resources will always be available, which of the following set of services would compromise the reservation?

Question240: Limits for resource utilization can be set at different levels within a cloud environment to ensure that no particular entity can consume a level of resources that impacts other cloud customers.
Which of the following is NOT a unit covered by limits?

Question241: Which phase of the cloud data lifecycle represents the first instance where security controls can be implemented?

Question242: Which of the following is not one of the defined security controls domains within the Cloud Controls Matrix, published by the Cloud Security Alliance?
Response:

Question243: Which of the following methods for the safe disposal of electronic records can always be used in a cloud environment?
Response:

Question244: Which of the following best describes a sandbox?

Question245: Who is the entity identified by personal data?

Question246: Which process serves to prove the identity and credentials of a user requesting access to an application or data?

Question247: What is the primary reason that makes resolving jurisdictional conflicts complicated?

Question248: Which of the following is a risk that stems from a virtualized environment?
Response:

Question249: What is a key capability or characteristic of PaaS?

Question250: In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties?

Question251: Which of the following types of data would fall under data rights management (DRM) rather than information rights management (IRM)?

Question252: Which OSI layer does IPsec operate at?

Question253: What process is used within a cloud environment to maintain resource balancing and ensure that resources are available where and when needed?

Question254: Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used?

Question255: Which of the following roles is responsible for obtaining new customers and securing contracts and agreements?

Question256: Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance?

Question257: Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner?

Question258: What are third-party providers of IAM functions for the cloud environment?

Question259: Which of the following is a valid risk management metric?

Question260: Which of the cloud deployment models involves spanning multiple cloud environments or a mix of cloud hosting models?

Question261: A loosely coupled storage cluster will have performance and capacity limitations based on the
____________.
Response:

Question262: A main objective for an organization when utilizing cloud services is to avoid vendor lock-in so as to ensure flexibility and maintain independence.
Which core concept of cloud computing is most related to vendor lock-in?

Question263: In a Lightweight Directory Access Protocol (LDAP) environment, each entry in a directory server is identified by a ___________.
Response:

Question264: You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant.
The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month.
In order to establish the true annualized loss expectancy (ALE), you would need all of the following information except ____________.
Response:

Question265: Which ITIL component focuses on ensuring that system resources, processes, and personnel are properly allocated to meet SLA requirements?

Question266: Which of the following is the biggest concern or challenge with using encryption?

Question267: Maintenance mode requires all of these actions except:

Question268: What concept and operational process must be spelled out clearly, as far as roles and responsibilities go, between the cloud provider and cloud customer for the mitigation of any problems or security events?

Question269: Which technology is most associated with tunneling?
Response:

Question270: In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?

Question271: The Transport Layer Security (TLS) protocol creates a secure communications channel over public media (such as the Internet). In a typical TLS session, who initiates the protocol?

Question272: Which of the following would be a reason to undertake a BCDR test?

Question273: Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?
Response:

Question274: What type of masking strategy involves replacing data on a system while it passes between the data and application layers?

Question275: Which of the following roles involves overseeing billing, purchasing, and requesting audit reports for an organization within a cloud environment?

Question276: Which security concept, if implemented correctly, will protect the data on a system, even if a malicious actor gains access to the actual system?

Question277: What concept does the "D" represent with the STRIDE threat model?

Question278: When an organization considers cloud migrations, the organization's software developers will need to know which _______ and _______ which the organization will be using, in order to properly and securely create suitable applications.

Question279: What is the first stage of the cloud data lifecycle where security controls can be implemented?

Question280: Which of the following terms is NOT a commonly used category of risk acceptance?

Question281: The goals of DLP solution implementation include all of the following, except:

Question282: In which of the following situations does the data owner have to administer the OS?
Response:

Question283: Which type of testing uses the same strategies and toolsets that hackers would use?

Question284: Which of the following roles is responsible for peering with other cloud services and providers?

Question285: Which of the following service categories entails the least amount of support needed on the part of the cloud customer?

Question286: A honeypot can be used for all the following purposes except ____________.

Question287: A comprehensive BCDR plan will encapsulate many or most of the traditional concerns of operating a system in any data center.
However, what is one consideration that is often overlooked with the formulation of a BCDR plan?

Question288: Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider?

Question289: What does dynamic application security testing (DAST) NOT entail?

Question290: What does the REST API use to protect data transmissions?

Question291: Which of the following represents a prioritization of applications or cloud customers for the allocation of additional requested resources when there is a limitation on available resources?

Question292: From a security perspective, what component of a cloud computing infrastructure represents the biggest concern?

Question293: Which aspect of cloud computing makes it very difficult to perform repeat audits over time to track changes and compliance?

Question294: In addition to BCDR, what other benefit can your data archive/backup provide?
Response:

Question295: What are the U.S. State Department controls on technology exports known as?

Question296: What controls the formatting and security settings of a volume storage system within a cloud environment?

Question297: User access to the cloud environment can be administered in all of the following ways except:

Question298: Each of the following is an element of the Identification phase of the identity and access management (IAM) process except _____________.

Question299: Where is an XML firewall most commonly deployed in the environment?

Question300: Which type of cloud service category would having a vendor-neutral encryption scheme for data at rest (DAR) be the MOST important?

Question301: Access should be based on ____________.
Response:

Question302: Which of the following is NOT a major regulatory framework?

Question303: When using an IaaS solution, what is a key benefit provided to the customer?

Question304: Which component of ITIL involves handling anything that can impact services for either internal or public users?

Question305: Firewalls are used to provide network security throughout an enterprise and to control what information can be accessed--and to a certain extent, through what means.
Which of the following is NOT something that firewalls are concerned with?

Question306: Tokenization requires at least ____ database(s).

Question307: Which of the following would NOT be included as input into the requirements gathering for an application or system?

Question308: Data labels could include all the following, except:
Response:

Question309: What is the biggest challenge to data discovery in a cloud environment?

Question310: Which format is the most commonly used standard for exchanging information within a federated identity system?

Question311: Fiber-optic lines are considered part of layer __________ of the OSI model.
Response:

Question312: Which of the following is the optimal humidity level for a data center, per the guidelines established by the America Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE)?

Question313: Which United States law is focused on PII as it relates to the financial industry?

Question314: What is the first stage of the cloud data lifecycle where security controls can be implemented?

Question315: One of the main components of system audits is the ability to track changes over time and to match these changes with continued compliance and internal processes.
Which aspect of cloud computing makes this particular component more challenging than in a traditional data center?

Question316: All of the following are identity federation standards commonly found in use today except ____________.
Response:

Question317: The president of your company has tasked you with implementing cloud services as the most efficient way of obtaining a robust disaster recovery configuration for your production services.
Which of the cloud deployment models would you MOST likely be exploring?

Question318: Who will determine data classifications for the cloud customer?

Question319: The goals of DLP solution implementation include all of the following, except:

Question320: Which of the following is NOT one of the cloud computing activities, as outlined in ISO/IEC
17789?

Question321: Which cloud storage type is typically used to house virtual machine images that are used throughout the environment?

Question322: The goals of SIEM solution implementation include all of the following, except:

Question323: Over time, what is a primary concern for data archiving?

Question324: Which of the following roles involves the connection and integration of existing systems and services to a cloud environment?

Question325: Which of the following is not a factor an organization might use in the cost-benefit analysis when deciding whether to migrate to a cloud environment?
Response:

Question326: In the cloud motif, the data processor is usually:

Question327: All of the following are activities that should be performed when capturing and maintaining an accurate, secure system baseline except ____________.
Response:

Question328: Which of the following would NOT be included as input into the requirements gathering for an application or system?
Response:

Question329: The BC/DR kit should include all of the following except:

Question330: Different certifications and standards take different approaches to data center design and operations. Although many traditional approaches use a tiered methodology, which of the following utilizes a macro- level approach to data center design?

Question331: On large distributed systems with pooled resources, cloud computing relies on extensive orchestration to maintain the environment and the constant provisioning of resources.
Which of the following is crucial to the orchestration and automation of networking resources within a cloud?

Question332: When using a PaaS solution, what is the capability provided to the customer?

Question333: Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it?

Question334: What is the term used to describe loss of access to data because the cloud provider has ceased operation?
Response:

Question335: Firewalls are used to provide network security throughout an enterprise and to control what information can be accessed--and to a certain extent, through what means.
Which of the following is NOT something that firewalls are concerned with?

Question336: You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month. In order to establish the true annualized loss expectancy (ALE), you would need all of the following information except ____________.

Question337: Which of the following pertains to a macro level approach to data center design rather than the traditional tiered approach to data centers?

Question338: Security is a critical yet often overlooked consideration for BCDR planning.
At which stage of the planning process should security be involved?

Question339: When an organization implements an SIEM solution and begins aggregating event data, the configured event sources are only valid at the time it was configured.
Application modifications, patching, and other upgrades will change the events generated and how they are represented over time.
What process is necessary to ensure events are collected and processed with this in mind?

Question340: Which cloud service category would be most ideal for a cloud customer that is developing software to test its applications among multiple hosting providers to determine the best option for its needs?

Question341: What is the concept of isolating an application from the underlying operating system for testing purposes?

Question342: Which of the following top security threats involves attempting to send invalid commands to an application in an attempt to get the application to execute the code?
Response:

Question343: You are the security policy lead for your organization, which is considering migrating from your on- premises, legacy environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization. What is probably the best benefit offered by the CCM?

Question344: Above and beyond general regulations for data privacy and protection, certain types of data are subjected to more rigorous regulations and oversight.
Which of the following is not a regulatory framework for more sensitive or specialized data?

Question345: Impact resulting from risk being realized is often measured in terms of ____________.

Question346: In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?

Question347: Which cloud service category offers the most customization options and control to the cloud customer?

Question348: When an organization implements an SIEM solution and begins aggregating event data, the configured event sources are only valid at the time it was configured. Application modifications, patching, and other upgrades will change the events generated and how they are represented over time.
What process is necessary to ensure events are collected and processed with this in mind?

Question349: With a cloud service category where the cloud customer is provided a full application framework into which to deploy their code and services, which storage types are MOST likely to be available to them?

Question350: Which of the following best describes data masking?

Question351: You are the security manager for an online retail sales company with 100 employees and a production environment hosted in a PaaS model with a major cloud provider. Your company policies have allowed for a BYOD workforce that work equally from the company offices and their own homes or other locations. The policies also allow users to select which APIs they install and use on their own devices in order to access and manipulate company data.
Of the following, what is a security control you'd like to implement to offset the risk(s) incurred by this practice?

Question352: The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing.
According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing?

Question353: Which of the following is NOT a focus or consideration of an internal audit?

Question354: All of these are methods of data discovery, except:

Question355: All of these are reasons an organization may want to consider cloud migration except:
Response:

Question356: What type of PII is regulated based on the type of application or per the conditions of the specific hosting agreement?

Question357: Which standards body depends heavily on contributions and input from its open membership base?

Question358: Which of the following threat types can occur when baselines are not appropriately applied or unauthorized changes are made?

Question359: Which technology is NOT commonly used for security with data in transit?

Question360: In the cloud motif, the data processor is usually:
Response:

Question361: What concept and operational process must be spelled out clearly, as far as roles and responsibilities go, between the cloud provider and cloud customer for the mitigation of any problems or security events?

Question362: DLP solutions can aid in deterring loss due to which of the following?

Question363: What are the two protocols that TLS uses?

Question364: Which of the following should occur at each stage of the SDLC?

Question365: What is a standard configuration and policy set that is applied to systems and virtual machines called?

Question366: Which of the following would be a reason to undertake a BCDR test?

Question367: Which of the following threat types involves an application that does not validate authorization for portions of itself after the initial checks?

Question368: A crucial decision any company must make is in regard to where it hosts the data systems it depends on. A debate exists as to whether it's best to lease space in a data center or build your own data center--and now with cloud computing, whether to purchase resources within a cloud.
What is the biggest advantage to leasing space in a data center versus procuring cloud services?

Question369: Which European Union directive pertains to personal data privacy and an individual's control over their personal data?

Question370: Data labels could include all the following, except:

Question371: Which of the cloud cross-cutting aspects relates to the ability to easily move services and applications between different cloud providers?

Question372: What is the best source for information about securing a physical asset's BIOS?

Question373: What does a cloud customer purchase or obtain from a cloud provider?

Question374: There are two general types of smoke detectors. Which type uses a small portion of radioactive material?

Question375: You are the security policy lead for your organization, which is considering migrating from your on-premises, legacy environment into the cloud. You are reviewing the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.
What is probably the best benefit offered by the CCM?
Response:

Question376: Gap analysis is performed for what reason?

Question377: Which of the following is a valid risk management metric?

Question378: Which security concept would business continuity and disaster recovery fall under?

Question379: All of the following are identity federation standards commonly found in use today except
____________.
Response:

Question380: Which protocol does the REST API depend on?

Question381: In the cloud motif, the data processor is usually:

Question382: To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except:

Question383: Which of the following aspects of security is solely the responsibility of the cloud provider?

Question384: Which of the following is the best and only completely secure method of data destruction?

Question385: Which of the following roles is responsible for creating cloud components and the testing and validation of services?

Question386: From a security perspective, automation of configuration aids in ____________.
Response:

Question387: Which of the following is NOT an application or utility to apply and enforce baselines on a system?

Question388: Your company has just been served with an eDiscovery order to collect event data and other pertinent information from your application during a specific period of time, to be used as potential evidence for a court proceeding.
Which of the following, apart from ensuring that you collect all pertinent data, would be the MOST important consideration?
Response:

Question389: The BC/DR kit should include all of the following except:

Question390: What process is used within a clustered system to provide high availability and load balancing?

Question391: With finite resources available within a cloud, even the largest cloud providers will at times need to determine which customers will receive additional resources first.
What is the term associated with this determination?

Question392: Which of the following is NOT a focus or consideration of an internal audit?

Question393: Upon completing a risk analysis, a company has four different approaches to addressing risk. Which approach it takes will be based on costs, available options, and adherence to any regulatory requirements from independent audits.
Which of the following groupings correctly represents the four possible approaches?

Question394: Which of the cloud cross-cutting aspects relates to the assigning of jobs, tasks, and roles, as well as to ensuring they are successful and properly performed?

Question395: Which cloud deployment model is MOST likely to offer free or very cheap services to users?

Question396: Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies?

Question397: Countermeasures for protecting cloud operations against external attackers include all of the following except:

Question398: Which security concept, if implemented correctly, will protect the data on a system, even if a malicious actor gains access to the actual system?

Question399: Which cloud storage type is typically used to house virtual machine images that are used throughout the environment?

Question400: Which type of audit report does many cloud providers use to instill confidence in their policies, practices, and procedures to current and potential customers?

Question401: A variety of security systems can be integrated within a network--some that just monitor for threats and issue alerts, and others that take action based on signatures, behavior, and other types of rules to actively stop potential threats.
Which of the following types of technologies is best described here?

Question402: What does nonrepudiation mean?
Response:

Question403: What process entails taking sensitive data and removing the indirect identifiers from each data object so that the identification of a single entity would not be possible?

Question404: Although the REST API supports a wide variety of data formats for communications and exchange, which data formats are the most commonly used?

Question405: Cryptographic keys for encrypted data stored in the cloud should be ______________.
Response:

Question406: Which of the following is NOT a function performed by the handshake protocol of TLS?

Question407: Which of the following statements accurately describes VLANs?

Question408: Before deploying a specific brand of virtualization toolset, it is important to configure it according to ____________.
Response:

Question409: Which of the following is the concept of segregating information or processes, within the same system or application, for security reasons?

Question410: Different certifications and standards take different approaches to data center design and operations. Although many traditional approaches use a tiered methodology, which of the following utilizes a macro-level approach to data center design?

Question411: When a data center is configured such that the backs of the devices face each other and the ambient temperature in the work area is cool, it is called ___________.

Question412: Using one cloud provider for your operational environment and another for your BCDR backup will also give you the additional benefit of ____________.

Question413: Which cloud storage type requires special consideration on the part of the cloud customer to ensure they do not program themselves into a vendor lock-in situation?

Question414: Which of the following is NOT a regulatory system from the United States federal government?

Question415: Which of the following publishes the most commonly used standard for data center design in regard to tiers and topologies?

Question416: Software-defined networking (SDN) is intended to separate different network capabilities and allow for the granting of granular configurations, permissions, and features to non- network staff or customers. Which network capability is separated from forwarding of traffic?
Response:

Question417: What type of data does data rights management (DRM) protect?

Question418: Managed cloud services exist because the service is less expensive for each customer than creating the same services for themselves in a legacy environment.
Using a managed service allows the customer to realize significant cost savings through the reduction of ____________.
Response:

Question419: Which crucial aspect of cloud computing can be most threatened by insecure APIs?

Question420: What strategy involves hiding data in a data set to prevent someone from identifying specific individuals based on other data fields present?

Question421: What concept does the A represent within the DREAD model?

Question422: Which aspect of cloud computing pertains to cloud customers only paying for the resources and services they actually use?

Question423: Which protocol, as a part of TLS, handles the actual secure communications and transmission of data?

Question424: Which of the following is a possible negative aspect of bit-splitting?

Question425: Which of the following BCDR testing methodologies is least intrusive?

Question426: With software-defined networking, what aspect of networking is abstracted from the forwarding of traffic?

Question427: What is the biggest challenge to data discovery in a cloud environment?

Question428: Other than cost savings realized due to measured service, what is another facet of cloud computing that will typically save substantial costs in time and money for an organization in the event of a disaster?

Question429: Tokenization requires two distinct _________________ .

Question430: Which of the following is the sole responsibility of the cloud customer, regardless of which cloud model is used?

Question431: What does SDN stand for within a cloud environment?

Question432: Which of the following is the dominant driver behind the regulations to which a system or application must adhere?

Question433: Without the extensive funds of a large corporation, a small-sized company could gain considerable and cost-effective services for which of the following concepts by moving to a cloud environment?

Question434: Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except:

Question435: Within a federated identity system, which of the following would you be MOST likely to use for sending information for consumption by a relying party?

Question436: Which phase of the cloud data lifecycle involves processing by a user or application?

Question437: Which of the following concepts refers to a cloud customer paying only for the resources and offerings they use within a cloud environment, and only for the duration that they are consuming them?

Question438: Which of the following statements about Type 1 hypervisors is true?

Question439: Which of the following threat types can occur when baselines are not appropriately applied or when unauthorized changes are made?

Question440: Which of the following is not a feature of SAST?
Response:

Question441: Which of the following characteristics is associated with digital rights management (DRM) solutions (sometimes referred to as information rights management, or IRM)?

Question442: With finite resources available within a cloud, even the largest cloud providers will at times need to determine which customers will receive additional resources first.
What is the term associated with this determination?

Question443: What is the best approach for dealing with services or utilities that are installed on a system but not needed to perform their desired function?

Question444: Which component of ITIL pertains to planning, coordinating, executing, and validating changes and rollouts to production environments?

Question445: Data centers have enormous power resources that are distributed and consumed throughout the entire facility.
Which of the following standards pertains to the proper fire safety standards within that scope?

Question446: Which of the following is a method for apportioning resources that involves prioritizing resource requests to resolve contention situations?

Question447: Which of the following is a restriction that can be enforced by information rights management (IRM) that is not possible for traditional file system controls?

Question448: DLP can be combined with what other security technology to enhance data controls?

Question449: Heating, ventilation, and air conditioning (HVAC) systems cool the data center by pushing warm air into ____________.

Question450: Which regulatory system pertains to the protection of healthcare data?

Question451: What's a potential problem when object storage versus volume storage is used within IaaS for application use and dependency?

Question452: What type of segregation and separation of resources is needed within a cloud environment for multitenancy purposes versus a traditional data center model?

Question453: Which of the following is NOT something that an HIDS will monitor?

Question454: With a cloud service category where the cloud customer is provided a full application framework into which to deploy their code and services, which storage types are MOST likely to be available to them?

Question455: Which of the following can be useful for protecting cloud customers from a denial-of-service (DoS) attack against another customer hosted in the same cloud?

Question456: User access to the cloud environment can be administered in all of the following ways except:

Question457: Which of the following is the optimal temperature for a data center, per the guidelines established by the America Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE)?

Question458: During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis.

Question459: Which of the following is considered an administrative control?

Question460: Which of the following best describes a cloud carrier?

Question461: The SOC Type 2 reports are divided into five principles.
Which of the five principles must also be included when auditing any of the other four principles?

Question462: Which United States law is focused on PII as it relates to the financial industry?

Question463: You need to gain approval to begin moving your company's data and systems into a cloud environment.
However, your CEO has mandated the ability to easily remove your IT assets from the cloud provider as a precondition.
Which of the following cloud concepts would this pertain to?

Question464: What type of storage structure does object storage employ to maintain files?

Question465: ISO/IEC has established international standards for many aspects of computing and any processes or procedures related to information technology.
Which ISO/IEC standard has been established to provide a framework for handling eDiscovery processes?

Question466: Your company operates in a highly competitive market, with extremely high-value data assets. Senior management wants to migrate to a cloud environment but is concerned that providers will not meet the company's security needs.
Which deployment model would probably best suit the company's needs?
Response:

Question467: Which of the following pertains to fire safety standards within a data center, specifically with their enormous electrical consumption?

Question468: Which type of audit report is considered a "restricted use" report for its intended audience?

Question469: Which of the following systems is used to employ a variety of different techniques to discover and alert on threats and potential threats to systems and networks?