Free CCSP PDF Exam Dumps 2022 Updated with Free CCSP (Certified Cloud Security Professional) Practice Exam

1. ISO/IEC has established international standards for many aspects of computing and any processes or procedures related to information technology.

Which ISO/IEC standard has been established to provide a framework for handling eDiscovery processes?

2. If a company needed to guarantee through contract and SLAs that a cloud provider would always have available sufficient resources to start their services and provide a certain level of provisioning, what would the contract need to refer to?

3. Many aspects and features of cloud computing can make eDiscovery compliance more difficult or costly. Which aspect of cloud computing would be the MOST complicating factor?

4. A crucial decision any company must make is in regard to where it hosts the data systems it depends on. A debate exists as to whether it's best to lease space in a data center or build your own data center--and now with cloud computing, whether to purchase resources within a cloud.

What is the biggest advantage to leasing space in a data center versus procuring cloud services?

5. Which of the following systems is used to employ a variety of different techniques to discover and alert on threats and potential threats to systems and networks?

6. Which of the following is not a risk management framework?

7. In order to ensure ongoing compliance with regulatory requirements, which phase of the cloud data lifecycle must be tested regularly?

8. Which of the following threat types involves leveraging a user's browser to send untrusted data to be executed with legitimate access via the user’s valid credentials?

9. Digital investigations have adopted many of the same methodologies and protocols as other types of criminal or scientific inquiries.

What term pertains to the application of scientific norms and protocols to digital investigations?

10. Within a federated identity system, which entity accepts tokens from the identity provider?

11. Different types of audits are intended for different audiences, such as internal, external, regulatory, and so on. Which of the following audits are considered "restricted use" versus being for a more broad audience?

12. Although host-based and network-based IDSs perform similar functions and have similar capabilities, which of the following is an advantage of a network-based IDS over a host-based IDS, assuming all capabilities are equal?

13. DNSSEC was designed to add a layer of security to the DNS protocol. Which type of attack was the DNSSEC extension designed to mitigate?

14. Which aspect of cloud computing pertains to cloud customers only paying for the resources and services they actually use?

15. Many of the traditional concepts of systems and services for a traditional data center also apply to the cloud. Both are built around key computing concepts.

Which of the following compromise the two facets of computing?

16. With a cloud service category where the cloud customer is provided a full application framework into which to deploy their code and services, which storage types are MOST likely to be available to them?

17. Firewalls are used to provide network security throughout an enterprise and to control what information can be accessed--and to a certain extent, through what means.

Which of the following is NOT something that firewalls are concerned with?

18. Within an IaaS implementation, which of the following would NOT be a metric used to quantify service charges for the cloud customer?

19. Many different common threats exist against web-exposed services and applications. One attack involves attempting to leverage input fields to execute queries in a nested fashion that is unintended by the developers.

What type of attack is this?

20. For service provisioning and support, what is the ideal amount of interaction between a cloud customer and cloud provider?

21. What does a cloud customer purchase or obtain from a cloud provider?

22. Which phase of the cloud data lifecycle represents the first instance where security controls can be implemented?

23. You were recently hired as a project manager at a major university to implement cloud services for the academic and administrative systems. Because the load and demand for services at a university are very cyclical in nature, commensurate with the academic calendar, which of the following aspects of cloud computing would NOT be a primary benefit to you?

24. Which cloud deployment model is MOST likely to offer free or very cheap services to users?

25. Where is a DLP solution generally installed when utilized for monitoring data in transit?

26. With IaaS, what is responsible for handling the security and control over the volume storage space?

27. Configurations and policies for a system can come from a variety of sources and take a variety of formats. Which concept pertains to the application of a set of configurations and policies that is applied to all systems or a class of systems?

28. Which of the following tasks within a SaaS environment would NOT be something the cloud customer would be responsible for?

29. An SLA contains the official requirements for contract performance and satisfaction between the cloud provider and cloud customer.

Which of the following would NOT be a component with measurable metrics and requirements as part of an SLA?

30. Within a federated identity system, which of the following would you be MOST likely to use for sending information for consumption by a relying party?

31. Which data state would be most likely to use digital signatures as a security protection mechanism?

32. There is a large gap between the privacy laws of the United States and those of the European Union. Bridging this gap is necessary for American companies to do business with European companies and in European markets in many situations, as the American companies are required to comply with the stricter requirements.

Which US program was designed to help companies overcome these differences?

33. Audits are either done based on the status of a system or application at a specific time or done as a study over a period of time that takes into account changes and processes.

Which of the following pairs matches an audit type that is done over time, along with the minimum span of time necessary for it?

34. With software-defined networking (SDN), which two types of network operations are segregated to allow for granularity and delegation of administrative access and functions?

35. Along with humidity, temperature is crucial to a data center for optimal operations and protection of equipment.

Which of the following is the optimal temperature range as set by ASHRAE?

36. Which of the following statements best describes a Type 1 hypervisor?

37. Which cloud storage type resembles a virtual hard drive and can be utilized in the same manner and with the same type of features and capabilities?

38. Which aspect of SaaS will alleviate much of the time and energy organizations spend on compliance (specifically baselines)?

39.

40. Many tools and technologies are available for securing or monitoring data in transit within a data center, whether it is a traditional data center or a cloud.

Which of the following is NOT a technology for securing data in transit?

41. With a federated identity system, where would a user perform their authentication when requesting services or application access?

42. Where is an XML firewall most commonly and effectively deployed in the environment?

43. Modern web service systems are designed for high availability and resiliency. Which concept pertains to the ability to detect problems within a system, environment, or application and programmatically invoke redundant systems or processes for mitigation?

44. On large distributed systems with pooled resources, cloud computing relies on extensive orchestration to maintain the environment and the constant provisioning of resources.

Which of the following is crucial to the orchestration and automation of networking resources within a cloud?

45. BCDR strategies do not typically involve the entire operations of an organization, but only those deemed critical to their business.

Which concept pertains to the amount of services that need to be recovered to meet BCDR objectives?

46. During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis.

47. The GAPP framework was developed through a joint effort between the major Canadian and American professional accounting associations in order to assist their members with managing and preventing risks to the privacy of their data and customers.

Which of the following is the meaning of GAPP?

48. Which protocol operates at the network layer and provides for full point-to-point encryption of all communications and transmissions?

49. When data discovery is undertaken, three main approaches or strategies are commonly used to determine what the type of data, its format, and composition are for the purposes of classification.

Which of the following is NOT one of the three main approaches to data discovery?

50. There are many situations when testing a BCDR plan is appropriate or mandated. Which of the following would not be a necessary time to test a BCDR plan?

51. Key maintenance and security are paramount within a cloud environment due to the widespread use of encryption for both data and transmissions.

Which of the following key-management systems would provide the most robust control over and ownership of the key-management processes for the cloud customer?

52. Security is a critical yet often overlooked consideration for BCDR planning. At which stage of the planning process should security be involved?

53. Which type of testing uses the same strategies and toolsets that hackers would use?

54. Which of the following statements about Type 1 hypervisors is true?

55. Which format is the most commonly used standard for exchanging information within a federated identity system?

56. Which ITIL component is focused on anticipating predictable problems and ensuring that configurations and operations are in place to prevent these problems from ever occurring?

57. Which of the following areas of responsibility would be shared between the cloud customer and cloud provider within the Software as a Service (SaaS) category?

58. When a system needs to be exposed to the public Internet, what type of secure system would be used to perform only the desired operations?

59. With the rapid emergence of cloud computing, very few regulations were in place that pertained to it specifically, and organizations often had to resort to using a collection of regulations that were not specific to cloud in order to drive audits and policies.

Which standard from the ISO/IEC was designed specifically for cloud computing?

60. Which of the following is NOT considered a type of data loss?

61. Which of the following jurisdictions lacks a comprehensive national policy on data privacy and the protection of personally identifiable information (PII)?

62. Which component of ITIL involves planning for the restoration of services after an unexpected outage or incident?

63. Which component of ITIL pertains to planning, coordinating, executing, and validating changes and rollouts to production environments?

64. What process entails taking sensitive data and removing the indirect identifiers from each data object so that the identification of a single entity would not be possible?

65. Because cloud providers will not give detailed information out about their infrastructures and practices to the general public, they will often use established auditing reports to ensure public trust, where the reputation of the auditors serves for assurance.

Which type of audit reports can be used for general public trust assurances?

66. Which of the following concepts is NOT one of the core components to an encryption system architecture?

67. For optimal security, trust zones are used for network segmentation and isolation. They allow for the separation of various systems and tiers, each with its own security level.

Which of the following is typically used to allow administrative personnel access to trust zones?

68. Which of the following is NOT a major regulatory framework?

69. As part of the auditing process, getting a report on the deviations between intended configurations and actual policy is often crucial for an organization.

What term pertains to the process of generating such a report?

70. An audit scope statement defines the limits and outcomes from an audit.

Which of the following would NOT be included as part of an audit scope statement?

71. What concept and operational process must be spelled out clearly, as far as roles and responsibilities go, between the cloud provider and cloud customer for the mitigation of any problems or security events?

72. Your new CISO is placing increased importance and focus on regulatory compliance as your applications and systems move into cloud environments.

Which of the following would NOT be a major focus of yours as you develop a project plan to focus on regulatory compliance?

73. Cloud systems are increasingly used for BCDR solutions for organizations. What aspect of cloud computing makes their use for BCDR the most attractive?

74. What's a potential problem when object storage versus volume storage is used within IaaS for application use and dependency?

75. Many aspects of cloud computing bring enormous benefits over a traditional data center, but also introduce new challenges unique to cloud computing.

Which of the following aspects of cloud computing makes appropriate data classification of high importance?

76. Without the extensive funds of a large corporation, a small-sized company could gain considerable and cost- effective services for which of the following concepts by moving to a cloud environment?

77. BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.

Which concept pertains to the amount of data and services needed to reach the predetermined level of operations?

78. Which of the following is NOT a commonly used communications method within cloud environments to secure data in transit?

79. Which crucial aspect of cloud computing can be most threatened by insecure APIs?

80. The WS-Security standards are built around all of the following standards except which one?

81. Which protocol, as a part of TLS, handles negotiating and establishing a connection between two parties?

82. BCDR strategies typically do not involve the entire operations of an organization, but only those deemed critical to their business.

Which concept pertains to the required amount of time to restore services to the predetermined level?

83. Your company is in the planning stages of moving applications that have large data sets to a cloud environment.

What strategy for data removal would be the MOST appropriate for you to recommend if costs and speed are primary considerations?

84. Which of the following is a management role, versus a technical role, as it pertains to data management and oversight?

85. IRM solutions allow an organization to place different restrictions on data usage than would otherwise be possible through traditional security controls.

Which of the following controls would be possible with IRM that would not with traditional security controls?

86. Which data protection strategy would be useful for a situation where the ability to remove sensitive data from a set is needed, but a requirement to retain the ability to map back to the original values is also present?

87. A comprehensive BCDR plan will encapsulate many or most of the traditional concerns of operating a system in any data center.

However, what is one consideration that is often overlooked with the formulation of a BCDR plan?

88. Which of the following is NOT one of the components of multifactor authentication?

89. Above and beyond general regulations for data privacy and protection, certain types of data are subjected to more rigorous regulations and oversight.

Which of the following is not a regulatory framework for more sensitive or specialized data?

90. Which data sanitation method is also commonly referred to as "zeroing"?

91. What is the concept of isolating an application from the underlying operating system for testing purposes?

92. Which of the following could be used as a second component of multifactor authentication if a user has an RSA token?

93. Which of the following is NOT one of the official risk rating categories?

94. SOC Type 1 reports are considered "restricted use," in that they are intended only for limited audiences and purposes.

Which of the following is NOT a population that would be appropriate for a SOC Type 1 report?

95. Having a reservation in a cloud environment can ensure operations continue in the event of high utilization across the cloud.

Which of the following would NOT be a capability covered by reservations?

96. What must SOAP rely on for security since it does not provide security as a built-in capability?

97. With a federated identity system, what does the identity provider send information to after a successful authentication?

98. Which of the following technologies is NOT commonly used for accessing systems and services in a cloud environment in a secure manner?

99. Which component of ITIL involves handling anything that can impact services for either internal or public users?

100. Which protocol, as a part of TLS, handles the actual secure communications and transmission of data?

101. Which of the following terms is NOT a commonly used category of risk acceptance?

102. Many activities within a cloud environment are performed via programmatic means, where complex and distributed operations are handled without the need to perform each step individually.

Which of the following concepts does this describe?

103. Being in a cloud environment, cloud customers lose a lot of insight and knowledge as to how their data is stored and their systems are deployed.

Which concept from the ISO/IEC cloud standards relates to the necessity of the cloud provider to inform the cloud customer on these issues?

104. Your IT steering committee has, at a high level, approved your project to begin using cloud services. However, the committee is concerned with getting locked into a single cloud provider and has flagged the ability to easily move between cloud providers as a top priority. It also wants to save costs by reusing components.

Which cross-cutting aspect of cloud computing would be your primary focus as your project plan continues to develop and you begin to evaluate cloud providers?

105. Which of the following provides assurance, to a predetermined acceptable level of certainty, that an entity is indeed who they claim to be?

106. Whereas a contract articulates overall priorities and requirements for a business relationship, which artifact enumerates specific compliance requirements, metrics, and response times?

107. When an organization is considering the use of cloud services for BCDR planning and solutions, which of the following cloud concepts would be the most important?

108. What masking strategy involves the replacing of sensitive data at the time it is accessed and used as it flows between the data and application layers of a service?

109. Which of the following would be considered an example of insufficient due diligence leading to security or operational problems when moving to a cloud?

110. Which aspect of cloud computing serves as the biggest challenge to using DLP to protect data at rest?

111. What category of PII data can carry potential fines or even criminal charges for its improper use or disclosure?

112. A variety of security systems can be integrated within a network--some that just monitor for threats and issue alerts, and others that take action based on signatures, behavior, and other types of rules to actively stop potential threats.

Which of the following types of technologies is best described here?

113. Upon completing a risk analysis, a company has four different approaches to addressing risk. Which approach it takes will be based on costs, available options, and adherence to any regulatory requirements from independent audits.

114. Which of the following is NOT a component of access control?

115. What concept does the A represent within the DREAD model?

116. With an application hosted in a cloud environment, who could be the recipient of an eDiscovery order?

117. Which ITIL component focuses on ensuring that system resources, processes, and personnel are properly allocated to meet SLA requirements?

118. Which ITIL component is an ongoing, iterative process of tracking all deployed and configured resources that an organization uses and depends on, whether they are hosted in a traditional data center or a cloud?

119. When beginning an audit, both the system owner and the auditors must agree on various aspects of the final audit report.

Which of the following would NOT be something that is predefined as part of the audit agreement?

120. What concept does the D represent within the STRIDE threat model?

121. Which of the following is the concept of segregating information or processes, within the same system or application, for security reasons?

122. Which cloud service category most commonly uses client-side key management systems?

123. Apart from using encryption at the file system level, what technology is the most widely used to protect data stored in an object storage system?

124. Which of the following types of data would fall under data rights management (DRM) rather than information rights management (IRM)?

125. Different security testing methodologies offer different strategies and approaches to testing systems, requiring security personnel to determine the best type to use for their specific circumstances.

What does dynamic application security testing (DAST) NOT entail that SAST does?

126. You need to gain approval to begin moving your company's data and systems into a cloud environment. However, your CEO has mandated the ability to easily remove your IT assets from the cloud provider as a precondition.

Which of the following cloud concepts would this pertain to?

127. What does static application security testing (SAST) offer as a tool to the testers that makes it unique compared to other common security testing methodologies?

128. A main objective for an organization when utilizing cloud services is to avoid vendor lock-in so as to ensure flexibility and maintain independence.

Which core concept of cloud computing is most related to vendor lock-in?

129. Which of the following areas of responsibility always falls completely under the purview of the cloud provider, regardless of which cloud service category is used?

130. What type of masking would you employ to produce a separate data set for testing purposes based on production data without any sensitive information?

131. Which aspect of data poses the biggest challenge to using automated tools for data discovery and programmatic data classification?

132. When an organization is considering a cloud environment for hosting BCDR solutions, which of the following would be the greatest concern?

133. Just like the risk management process, the BCDR planning process has a defined sequence of steps and processes to follow to ensure the production of a comprehensive and successful plan.

Which of the following is the correct sequence of steps for a BCDR plan?

134. What type of solution is at the core of virtually all directory services?

135. The different cloud service models have varying levels of responsibilities for functions and operations depending with the model's level of service.

In which of the following models would the responsibility for patching lie predominantly with the cloud customer?

136. Which component of ITIL involves the creation of an RFC ticket and obtaining official approvals for it?

137. Which of the following are attributes of cloud computing?

138. In a cloud environment, encryption should be used for all the following, except:

139. Which of the following is considered a technological control?

140. When using an IaaS solution, what is the capability provided to the customer?

141. When using an IaaS solution, what is a key benefit provided to the customer?

142. Which of the following is considered an administrative control?

143. What is a key capability or characteristic of PaaS?

144. In which cloud service model is the customer required to maintain the OS?

145. When using a PaaS solution, what is the capability provided to the customer?

146. What are SOC 1/SOC 2/SOC 3?

147. Gathering business requirements can aid the organization in determining all of this information about organizational assets, except:

148. In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?

149. The BIA can be used to provide information about all the following, except:

150. Which of the following are cloud computing roles?

151. Which of the following are considered to be the building blocks of cloud computing?

152. Which of the following is considered a physical control?

153. What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?

154. Which of the following are distinguishing characteristics of a managed service provider?

155. To protect data on user devices in a BYOD environment, the organization should consider requiring all the following, except:

156. Tokenization requires two distinct                                 .

157. DLP can be combined with what other security technology to enhance data controls?

158. What is the intellectual property protection for a confidential recipe for muffins?

159. Every security program and process should have which of the following?

160. DLP solutions can aid in deterring loss due to which of the following?