Topic 1: Exam Pool A
All of the following are terms used to describe the practice of obscuring original raw data
so that only a portion is displayed for operational purposes, except:
Response:
A. Tokenization
B. Data discovery
C. Obfuscation
Answer: Data discovery

Who should be the only entity allowed to declare that an organization can return to normal
following contingency or BCDR operations?
Response:
A. Regulators
B. Law enforcement
C. The incident manager
D. Senior management
Answer: Senior management

You work for a government research facility. Your organization often shares data
with other government research organizations.
You would like to create a single sign-on experience across the organizations, where
users at each organization can sign in with the user ID/authentication issued by that
organization, then access research data in all the other organizations.
Instead of replicating the data stores of each organization at every other
organization (which is one way of accomplishing this goal), you instead want every
user to have access to each organization's specific storage resources.
If you don't use cross-certification, what other model can you implement for this
purpose?
Response:
A. Third-party identity broker
B. Cloud reseller
C. Intractable nuanced variance
D. Mandatory access control (MAC)
Answer: Third-party identity broker

At which phase of the SDLC process should security begin participating?
A. Requirements gathering
B. Requirements analysis
C. Design
D. Testing
Answer: Requirements gathering

The final phase of the cloud data lifecycle is the destroy phase, where data is
ultimately deleted in a secure manner to ensure it cannot be recovered
or reconstructed. Which cloud service category poses the most challenges to data
destruction for the cloud customer?
A. Platform
B. Software
C. Infrastructure
D. Desktop
Answer: Software

In the cloud motif, the data processor is usually:
Response:
A. The party that assigns access rights
B. The cloud customer
C. The cloud provider
D. The cloud access security broker
Answer: The cloud provider

Which of the following is the best and only completely secure method of data destruction?
Response:
A. Degaussing
B. Crypto-shredding
C. Physical destruction of resources that store the data
D. Legal order issued by the prevailing jurisdiction where the data is geographically situated
Answer: Physical destruction of resources that store the data

Which of the following is a risk in the cloud environment that does not exist, or is not as
prevalent, in the legacy environment?
Response:
A. Legal liability in multiple jurisdictions
B. Loss of productivity due to DDoS
C. Ability of users to gain access to their physical workplace
D. Fire
Answer: Legal liability in multiple jurisdictions

Static software security testing typically uses __________ as a measure of how thorough
the testing was.
Response:
A. Number of testers
B. Flaws detected
C. Code coverage
D. Malware hits
Answer: Code coverage

At which layer does the IPSec protocol operate to encrypt and protect communications
between two parties?
Response:
A. Network
B. Application
C. Transport
D. Data link
Answer: Network

You are the security manager for a small application development company. Your company
is considering the use of the cloud for software testing purposes. Which cloud service
model is most likely to suit your needs?
Response:
A. IaaS
B. PaaS
C. SaaS
D. LaaS
Answer: PaaS

Which of the following is not a factor an organization might use in the cost-benefit
analysis when deciding whether to migrate to a cloud environment?
Response:
A. Pooled resources in the cloud
B. Shifting from capital expenditures to support IT investment to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected
Answer: Branding associated with which cloud provider might be selected