What should a client account for during e-discovery? - Answer- Additional time and
expense where a client may not have the ability or administrative rights to search or
access all of the data hosted in the cloud.
In the U.S., what is generally considered to be the obligation of a client who knows, or reasonably should know, that data is relevant to a pending or reasonably anticipated litigation or government investigation? - Answer- To undertake reasonable steps to prevent the destruction or modification of data or information in its possession, custody or control.
Who is held liable for acts of a subcontractor? - Answer- Government agencies, such as
the FTC or the state Attorney General, have consistently held organizations liable for
the activities of their subcontractors.
What do the GLBA and HIPAA require between an organization and its subcontractor? - Answer- The security and privacy rules require organizations to compel their subcontractors, in written contracts, to use reasonable security measures and comply with data privacy provisions.
What two general categories do assets supported by the cloud fall into? - Answer-
1. Data
2. Applications/Functions/Process
What is the first step in evaluating risk for the cloud? - Answer- Determine exactly what
data or function is being considered for the cloud.
What is the second step in evaluating risk for the cloud? - Answer- Determine how
important the data or function is to the organization.
For each asset, what three areas are assessed if all or part of the asset is handled in the cloud? - Answer-
1. Confidentiality
2. Integrity
3. Availability requirements
For each asset, what six areas are examined in how the organization would be harmed if all or part of the asset is handled in the cloud? - Answer-
1. If the asset became widely public and widely distributed
2. If an employee of the cloud provider accessed the asset
3. If the process or function were manipulated by an outsider
4. If the process or function failed to provide expected results
5. If the information/data were unexpectedly changed
6. If the asset were unavailable for a period of time
What is the third step in evaluating risk for the cloud? - Answer- Determine which deployment models are best suited to the organization.
What is the fourth step in evaluating risk for the cloud? - Answer- Evaluate potential
cloud service providers
How do you prevent scope creep? - Answer- Determine potential uses of the data or
function being considered for the cloud.
Define cloud computing - Answer- A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
Define multi-tenancy in cloud service models - Answer- The need for policy-driven
enforcement, segmentation, isolation, governance, service levels, and
chargeback/billing models for different consumer constituencies.
What are the five essential characteristics of cloud computing as defined by NIST? - Answer-
Broad Network Access
Rapid Elasticity
Measured Service
On-Demand Self Service
Resource Pooling
The level of attention and scrutiny paid to enterprise risk assessments should be directly
related to what? - Answer- The value at risk
In the majority of data protection laws, when the data is transferred to a third party
custodian, who is ultimately responsible for the security of the data? - Answer- The Data
Controller
What is the most important reason for knowing where the cloud service provider will
host the data? - Answer- So that it can address the specific restrictions that foreign data
protection laws may impose.
What are the six phases of the data security lifecycle? - Answer-
Create
Store
Use
Share
Archive
Destroy
Why is the size of data sets a consideration in portability between cloud service
providers? - Answer- The sheer size of data may cause an interruption of service during
a transition, or a longer transition period than anticipated.
What are the four D's of perimeter security? - Answer-
Deter
Detect
Delay
Deny
In which type of environment is it impractical to allow the customer to conduct their own
audit, making it important that the data center operators are required to provide auditing
for the customers? - Answer- In multi-tenant environments the operator or provider
cannot normally accommodate visits by every customer to conduct an audit.
What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents? - Answer- SaaS providers that generate extensive customer-specific application logs and provide secure storage as well as analysis facilities will ease the IR burden on the customer.
How should an SDLC be modified to address application security in a Cloud Computing
environment? - Answer- Organizations must adopt best practices for development,
either by having a good blend of processes, tools, and technologies of their own or
adopting one of the maturity models.
What is the most significant reason that customers are advised to maintain in-house key
management? - Answer- To be able to prove that all data has been deleted from the
public cloud environment when exiting that environment.
What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity? - Answer-
PII - Personally Identifiable Information
SPI - Sensitive Personal Information
Why do blind spots occur in a virtualized environment, where network-based security
controls may not be able to monitor certain types of traffic? - Answer- Virtual machines
may communicate with each other over a hardware backplane, rather than a network.
When deploying Security as a Service in a highly regulated industry or environment,
what should both parties agree on in advance and include in the SLA? - Answer-
Agreement on the metrics defining the service level required to achieve regulatory
objectives
Economic Denial of Service (EDOS) refers to... - Answer- The destruction of economic resources; the worst-case scenario would be bankruptcy of the customer or a serious economic impact.
How does SaaS alleviate much of the consumer's direct operational responsibility? -
Answer- The provider is not only responsible for the physical and environmental security
controls, but it must also address the security controls on the infrastructure, the
applications, and the data.
In Europe, name the group that has enacted data protection laws and the principles they follow. - Answer- The European Economic Area (EEA) Member States follow principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive as amended in 2009.
What is the minimum that U.S. state laws require when using a Cloud Service Provider?
- Answer- Written contract with the service provider with reasonable security measures.
What must be included between an organization and a Cloud Service Provider when the
organization has contractual obligations to protect the personal information of their