CCSK Sample Questions Answers

A shared set of resources delivered over the Internet

A model for more-efficient use of network-based resources

A model for on-demand network access to a shared pool of configurable resources

Services that are delivered over the Internet to customers

They reduce the cost of cloud services.

They provide visibility into cloud environments.

They enhance physical security.

They encrypt cloud data at rest.

Firewalls

Software-Defined Perimeter (SDP)

Virtual Private Network (VPN)

Intrusion Detection System (IDS)

Inability to monitor cloud infrastructure for threats

IAM failures

Lack of encryption for data at rest

Vulnerabilities in cloud provider's physical infrastructure

Implementing dynamic network segmentation policies

Employing Role-Based Access Control (RBAC) for container access

Regular vulnerability scanning of deployed containers

Use of immutable containers

Risk assessment

Audit

Penetration testing

Incident response

High operational costs

Misconfigurations

Limited scalability

Complex deployment pipelines

Infrastructures as a Service

A Private Cloud

A Community Cloud

A Hybrid Cloud

Jericho Cloud Cube Model

Legal Issues: Contracts and Electronic Discovery

Infrastructure Security

Compliance and Audit Management

Information Governance

Governance and Enterprise Risk Management

Infrastructure

Datastructure

Infostructure

Applistructure

Metastructure

False

True

Encryption

Organization

Knowledge management

IDS

Insulation

The provider’s computing resources are pooled to serve multiple consumers.

Internet-based CPUs are pooled to enable multi-threading.

The dedicated computing resources of each client are pooled together in a colocation facility.

Placing Internet (“cloud”) data centers near multiple sources of energy, such as hydroelectric dams.

None of the above.

By proxying or redirecting web traffic to the cloud provider

By utilizing a partitioned network drive

On the premise through a software or appliance installation

Both A and C

None of the above

Planned Outages

Resiliency Planning

Expected Engineering

Chaos Engineering

Organized Downtime

It reduces hardware costs

It provides dynamic and granular policies with less management overhead

It locks down access and provides stronger data security

It reduces the blast radius of a compromised system

It enables you to configure applications around business groups

False

True

Virtualization

Applistructure

Hypervisor

Metastructure

Orchestration

False

True

Database encryption

Media encryption

Asymmetric encryption

Object encryption

Client/application encryption

Lack of visibility

Deployment flexibility

Scaling and costs

Intelligence sharing

Insulation of clients

Building and properly configuring a secure network infrastructure

Configuring second factor authentication across the network

Properly configuring the deployment of the virtual network, especially the firewalls

Properly configuring the deployment of the virtual network, except the firewalls

Providing as many API endpoints as possible for custom access and configurations

The Data Security Lifecycle has six stages, is strictly linear, and never varies.

The Data Security Lifecycle has six stages, can be non-linear, and varies in that some data may never pass through all stages.

The Data Security Lifecycle has five stages, is circular, and varies in that some data may never pass through all stages.

The Data Security Lifecycle has six stages, can be non-linear, and is distinct in that data must always pass through all phases.

The Data Security Lifecycle has five stages, can be non-linear, and is distinct in that data must always pass through all phases.

False

True

Lack of completeness and transparency in terms of use

Lack of information on jurisdictions

No source escrow agreement

Unclear asset ownership

Audit or certification not available to customers

The physical location of the data and how it is accessed

The fragmentation and encryption algorithms employed

The language of the data and how it affects the user

The implications of storing complex information on simple storage systems

The actual size of the data and the storage format

Allowing the cloud provider to manage your keys so that they have the ability to access and delete the data from the main and back-up storage.

Maintaining customer managed key management and revoking or deleting keys from the key management system to prevent the data from being accessed again.

Practice Integration of Duties (IOD) so that everyone is able to delete the encrypted data.

Keep the keys stored on the client side so that they are secure and so that the users have the ability to delete their own data.

Both B and D.

False

True

True

False

Inspect and account for risks inherited from other members of the cloud supply chain and take active measures to mitigate and contain risks through operational resiliency.

Respect the interdependency of the risks inherent in the cloud supply chain and communicate the corporate risk posture and readiness to consumers and dependent parties.

Negotiate long-term contracts with companies who use well-vetted software application to avoid the transient nature of the cloud environment.

Provide transparency to stakeholders and shareholders demonstrating fiscal solvency and organizational transparency.

Both B and C.

Rapid elasticity

Resource pooling

Broad network access

Measured service

On-demand self-service

Software Development Kits (SDKs)

Resource Description Framework (RDF)

Extensible Markup Language (XML)

Application Binary Interface (ABI)

Application Programming Interface (API)

Policies and procedures shall be established for managing the risks associated with applying changes to business-critical or customer (tenant)-impacting (physical and virtual) applications and system-

system interface (API) designs and configurations, infrastructure network and systems components.

Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or

managed user end-point devices (e.g. issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.

None of the above

The laws protecting customer data are based on the cloud provider and customer location only.

The confidentiality agreements between companies using cloud computing services is limited legally to the company, not the provider.

The companies using the cloud providers are the custodians of the data entrusted to them.

The cloud computing companies are absolved of all data security and associated risks through contracts and data laws.

The cloud computing companies own all customer data.

To provide cloud service rate comparisons

To certify cloud services for regulatory compliance

To document security and privacy controls of cloud offerings

To manage data residency and localization requirements

To automate the data encryption process across all cloud services

To reduce the overall cost of cloud storage solutions

To apply appropriate security controls based on asset sensitivity and importance

To increase the speed of data retrieval within the cloud environment

Local backup

Multi-region resiliency

Single-region resiliency

High Availability within one data center

Cloud sprawl disperses assets, making it harder to monitor assets.

Cloud sprawl centralizes assets, simplifying security monitoring.

Cloud sprawl reduces the number of assets, easing security efforts.

Cloud sprawl has no impact on security monitoring.

To create a separation between development and operations

To eliminate the need for IT operations by automating all tasks

To enhance collaboration between development and IT operations for efficient delivery

To reduce the development team size by merging roles

Implementing real-time visibility

Deploying container-specific antivirus scanning

Using static code analysis tools in the pipeline

Full packet network monitoring

Reduces the need for security auditing

Enables consistent security configurations through automation

Increases manual control over security settings

Increases scalability of cloud resources

To implement detailed procedural instructions for security measures

To organize control objectives for achieving desired security outcomes

To ensure compliance with all regulatory requirements

To provide tools for automated security management

PBAC eliminates the need for defining and managing user roles and permissions.

PBAC is easier to implement and manage compared to Role-Based Access Control (RBAC).

PBAC allows enforcement of granular, context-aware security policies using multiple attributes.

PBAC ensures that access policies are consistent across all cloud providers and platforms.

Continuous Build, Integration, and Testing

Continuous Delivery and Deployment

Secure Design and Architecture

Secure Coding

Formalizing cloud security policies

Implementing best-practice cloud security control objectives

Negotiating SLAs with cloud providers

Establishing a governance hierarchy

It identifies issues before full deployment, saving time and resources.

It increases the overall testing time and costs.

It allows skipping final verification tests.

It eliminates the need for continuous integration.

Using access controls as the sole security measure

Encrypting all objects in the repository

Encrypting the access paths only

Encrypting only sensitive objects

By reducing the threat of breaches and vulnerabilities

Confining breaches to a smaller portion of the network

Allowing faster data recovery and response

Monitoring and detecting unauthorized access attempts

To increase data transfer speeds within the cloud environment

To reduce the cost of cloud services

To ensure compliance, security, and efficient management aligned with the organization's goals

To eliminate the need for on-premises data centers

Post-Incident Activity

Detection and Analysis

Preparation

Containment, Eradication, and Recovery