CCSP Practice Test Questions

512 Questions


Topic 1: Exam Pool A

Which of the following storage types are used with an Infrastructure as a Service
(IaaS) solution?

A. Volume and block
B. Structured and object
C. Unstructured and ephemeral
D. Volume and object

Answer: D. Volume and object



You are the security manager for an online retail sales company with 100 employees
and a production environment hosted in a PaaS model with a major cloud provider.
Your company policies have allowed for a BYOD workforce that works equally from
the company offices and their own homes or other locations. The policies also allow
users to select which APIs they install and use on their own devices in order to
access and manipulate company data.
Of the following, what is a security control you’d like to implement to offset the
risk(s) incurred by this practice?

A. Regular and widespread integrity checks on sampled data throughout the managed
   environment
B. More extensive and granular background checks on all employees, particularly new
   hires
C. Inclusion of references to all applicable regulations in the policy documents
D. Increased enforcement of separation of duties for all workflows

Answer: A. Regular and widespread integrity checks on sampled data throughout the
managed environment



When an organization implements a SIEM solution and begins aggregating event
data, the configured event sources are only valid at the time they were configured.
Application modifications, patching, and other upgrades will change the events
generated and how they are represented over time.
What process is necessary to ensure events are collected and processed with this in
mind?

A. Continual review
B. Continuous optimization
C. Aggregation updates
D. Event elasticity

Answer: B. Continuous optimization



You are the security manager of a small firm that has just purchased a DLP solution to
implement in your cloud-based production environment.
What should you not expect the tool to address?

A. Sensitive data sent inadvertently in user emails
B. Sensitive data captured by screenshots
C. Sensitive data moved to external devices
D. Sensitive data in the contents of files sent via FTP

Answer: B. Sensitive data captured by screenshots



You are the security manager for a software development firm. Your company is
interested in using a managed cloud service provider for hosting its testing
environment. Previous releases have shipped with major flaws that were not
detected in the testing phase; leadership wants to avoid repeating that problem.
What tool/technique/technology might you suggest to aid in identifying
programming errors?

A. Vulnerability scans
B. Open source review
C. SOC audits
D. Regulatory review

Answer: B. Open source review



Which of the following types of organizations is most likely to make use of open
source software technologies?

A. Government agencies
B. Corporations
C. Universities
D. Military

Answer: C. Universities



Which of the following is not one of the defined security controls domains within the Cloud
Controls Matrix, published by the Cloud Security Alliance?

A. Financial
B. Human resources
C. Mobile security
D. Identity and access management

Answer: A. Financial



Which document will enforce uptime and availability requirements between the cloud
customer and cloud provider?

A. Contract
B. Operational level agreement
C. Service level agreement
D. Regulation

Answer: C. Service level agreement



You are the security manager of a small firm that has just purchased a DLP solution to
implement in your cloud-based production environment.
In order to increase the security value of the DLP, you should consider combining it with
____________.

A. Digital rights management (DRM) and security event and incident management (SIEM)
   tools
B. An investment in upgraded project management software
C. Digital insurance policies
D. The Uptime Institute’s Tier certification

Answer: A. Digital rights management (DRM) and security event and incident management
(SIEM) tools



The Transport Layer Security (TLS) protocol creates a secure communications channel
over public media (such as the Internet). In a typical TLS session, who initiates the
protocol?

A. The server
B. The client
C. The certifying authority
D. The ISP

Answer: B. The client



Which phase of the cloud data lifecycle involves processing by a user or application?

A. Create
B. Share
C. Store
D. Use

Answer: D. Use



Which of the following should occur at each stage of the SDLC?

A. Added functionality
B. Management review
C. Verification and validation
D. Repurposing of any newly developed components

Answer: C. Verification and validation



