Exam (elaborations)

CCSP 2020 BEST EXAM STUDY

Pages: 157
Grade: A+
Uploaded on: 17-03-2022
Written in: 2021/2022

What type of solutions enable enterprises or individuals to store data and computer files on the Internet using a storage service provider rather than keeping the data locally on a physical disk such as a hard drive or tape backup?
A. Online backups B. Cloud backup solutions C. Removable hard drives D. Masking
Correct answer- B

When using an infrastructure as a service (IaaS) solution, which of the following is not an essential benefit for the customer?
A. Removing the need to maintain a license library B. Metered service C. Energy and cooling efficiencies D. Transfer of ownership cost
Correct answer- A

______________ focuses on security and encryption to prevent unauthorized copying and limitations on distribution to only those who pay.
A. Information rights management (IRM) B. Masking C. Bit splitting D. Degaussing
Correct answer- A

Which of the following represents the correct set of four cloud deployment models?
A. Public, private, joint, and community B. Public, private, hybrid, and community C. Public, Internet, hybrid, and community D. External, private, hybrid, and community
Correct answer- B

A special mathematical code that allows encryption hardware/software to encrypt and then decipher a message.
A. PKI B. Key C. Public-private D. Masking
Correct answer- B

Which of the following lists the correct six components of the STRIDE threat model?
A. Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege B. Spoofing, tampering, refutation, information disclosure, denial of service, and social engineering elasticity C. Spoofing, tampering, repudiation, information disclosure, distributed denial of service, and elevation of privilege D. Spoofing, tampering, nonrepudiation, information disclosure, denial of service, and elevation of privilege
Correct answer- A

What is the term that describes the assurance that a specific author actually created and sent a specific item to a specific recipient, and that the message was successfully received?
A. PKI B. DLP C. Nonrepudiation D. Bit splitting
Correct answer- C

What is the correct term for the process of deliberately destroying the encryption keys used to encrypt data?
A. Poor key management B. PKI C. Obfuscation D. Crypto-shredding
Correct answer- D

In a federated environment, who is the relying party, and what do they do?
A. The relying party is the service provider, and they consume the tokens generated by the identity provider. B. The relying party is the service provider, and they consume the tokens generated by the customer. C. The relying party is the customer, and they consume the tokens generated by the identity provider. D. The relying party is the identity provider, and they consume the tokens generated by the service provider.
Correct answer- A

What is the process of replacing sensitive data with unique identification symbols/addresses?
A. Randomization B. Elasticity C. Obfuscation D. Tokenization
Correct answer- D

Which of the following data storage types are associated or used with platform as a service (PaaS)?
A. Databases and big data B. SaaS application C. Tabular D. Raw and block
Correct answer- A

What is the term used for software technology that abstracts application software from the underlying operating system on which it is executed?
A. Partition B. Application virtualization C. Distributed D. SaaS
Correct answer- B

Which of the following represents the US legislation enacted to protect shareholders and the public from enterprise accounting errors and fraudulent practices?
A. PCI B. Gramm-Leach-Bliley Act (GLBA) C. Sarbanes-Oxley Act (SOX) D. HIPAA
Correct answer- C

Which of the following is a device that can safely store and manage encryption keys and is used in servers, data transmission, and log files?
A. Private key B. Hardware security module (HSM) C. Public key D. Trusted operating system module (TOS)
Correct answer- B

What is a type of cloud infrastructure that is provisioned for open use by the general public and is owned, managed, and operated by a cloud provider?
A. Private cloud B. Public cloud C. Hybrid cloud D. Personal cloud
Correct answer- B

When transparent encryption of a database is used, where does the encryption engine reside?
A. Within the database application itself B. At the application using the database C. On the instances attached to the volume D. In a key management system
Correct answer- A

What is a type of assessment that employs a set of methods, principles, or rules for assessing risk based on nonnumerical categories or levels?
A. Quantitative assessment B. Qualitative assessment C. Hybrid assessment D. SOC 2
Correct answer- B

Which of the following best describes the Cloud Security Alliance Cloud Controls Matrix (CSA CCM)?
A. A set of regulatory requirements for cloud service providers B. A set of software development lifecycle requirements for cloud service providers C. A security controls framework that provides mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks D. An inventory of cloud service security controls that are arranged into separate security domains
Correct answer- C

When a conflict between parties occurs, which of the following is the primary means of determining the jurisdiction in which the dispute will be heard?
A. Tort law B. Contract C. Common law D. Criminal law
Correct answer- B

Which one of the following is the most important security consideration when selecting a new computer facility?
A. Local law enforcement response times B. Location adjacent to competitor's facilities C. Aircraft flight paths D. Utility infrastructure
Correct answer- D

Which of the following is always safe to use in the disposal of electronic records within a cloud environment?
A. Physical destruction B. Overwriting C. Encryption D. Degaussing
Correct answer- C

Which of the following does not represent an attack on a network?
A. SYN flood B. Denial of service C. Nmap scan D. Brute force
Correct answer- C

Which of the following takes advantage of the information developed in the business impact analysis (BIA)?
A. Calculating ROI B. Risk analysis C. Calculating TCO D. Securing asset acquisitions
Correct answer- B

Which of the following terms best describes a managed service model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources?
A. Infrastructure as a service (IaaS) B. Public cloud C. Software as a service (SaaS) D. Private cloud
Correct answer- C

Which of the following is a federal law enacted in the United States to control the way financial institutions deal with private information of individuals?
A. PCI B. ISO/IEC C. Gramm-Leach-Bliley Act (GLBA) D. Consumer Protection Act
Correct answer- C

The typical function of Secure Sockets Layer (SSL) in securing Wireless Application Protocol (WAP) is to protect transmissions that exist:
A. Between the WAP gateway and the wireless endpoint device B. Between the web server and the WAP gateway C. From the web server to the wireless endpoint device D. Between the wireless device and the base station
Correct answer- C

What is an audit standard for service organizations?
A. SOC 1 B. SSAE 18 C. GAAP D. SOC 2
Correct answer- B

What is a company that purchases hosting services from a cloud server hosting provider or cloud computing provider and then resells to its own customers?
A. Cloud programmer B. Cloud broker C. Cloud proxy D. VAR
Correct answer- B

Which of the following is comparable to grid computing in that it relies on sharing computing resources rather than having local servers or personal devices to handle applications?
A. Server hosting B. Legacy computing C. Cloud computing D. Intranet
Correct answer- C

What is a set of technologies designed to analyze application source code and binaries for coding and design conditions that are indicative of security vulnerabilities?
A. Dynamic application security testing (DAST) B. Static application security testing (SAST) C. Secure coding D. OWASP
Correct answer- B

Which of the following is not a common cloud service model?
A. Software as a service (SaaS) B. Programming as a service (PaaS) C. Infrastructure as a service (IaaS) D. Platform as a service (PaaS)
Correct answer- B

All of these technologies have made cloud service viable except ___________________.
A. Virtualization B. Widely available broadband C. Encrypted connectivity D. Smart hubs
Correct answer- D

Cloud vendors are held to contractual obligations with specified metrics by ___________________.
A. Service-level agreements (SLAs) B. Regulations C. Law D. Discipline
Correct answer- A

________ drive(s) security decisions.
A. Customer service responses B. Surveys C. Business requirements D. Public opinion
Correct answer- C

If a cloud customer cannot get access to the cloud provider, this affects what portion of the CIA triad?
A. Integrity B. Authentication C. Confidentiality D. Availability
Correct answer- D

Cloud access security brokers (CASBs) might offer all the following services except ___________________.
A. Single sign-on B. Business continuity/disaster recovery/Continuity of Operations (BC/DR/COOP) C. Identity and access management (IAM) D. Key escrow
Correct answer- B

Encryption can be used in various aspects of cloud computing, including all of these except ___________________.
A. Storage B. Remote access C. Secure sessions D. Magnetic swipe cards
Correct answer- D

All of these are reasons an organization may want to consider cloud migration except ___________________.
A. Reduced personnel costs B. Elimination of risks C. Reduced operational expenses D. Increased efficiency
Correct answer- B

The generally accepted definition of cloud computing includes all of the following characteristics except ___________________.
A. On-demand self-service B. Negating the need for backups C. Resource pooling D. Measured or metered service
Correct answer- B

A gamer is part of the PlayStation Network community cloud. Who owns the PlayStation console in the gamer's home?
A. Sony B. The community as a whole C. The company that made the game that the gamer is playing at the time D. The gamer
Correct answer- D

The risk that a cloud provider might go out of business and the cloud customer might not be able to recover data is known as ___________________.
A. Vendor closure B. Vendor lock-out C. Vendor lock-in D. Vending route
Correct answer- B

All of these are features of cloud computing except ___________________.
A. Broad network access B. Reversed charging configuration C. Rapid scaling D. On-demand self-service
Correct answer- B

When a cloud customer uploads personally identifiable information (PII) to a cloud provider, who is ultimately responsible for the security of that PII?
A. Cloud provider B. Regulators C. Cloud customer D. The individuals who are the subjects of the PII
Correct answer- C

We use which of the following to determine the critical paths, processes, and assets of an organization?
A. Business requirements B. Business impact analysis (BIA) C. Risk Management Framework (RMF) D. Confidentiality, integrity, availability (CIA) triad
Correct answer- B

If an organization owns all of the hardware and infrastructure of a cloud data center that is used only by members of that organization, which cloud model would this be?
A. Private B. Public C. Hybrid D. Motive
Correct answer- A

The cloud deployment model that features ownership by a cloud provider, with services offered to anyone who wants to subscribe, is known as ___________________.
A. Private B. Public C. Hybrid D. Latent
Correct answer- B

The cloud deployment model that features joint ownership of assets among an affinity group is known as ___________________.
A. Private B. Public C. Hybrid D. Community
Correct answer- D

If a cloud customer wants a secure, isolated environment in order to conduct software development and testing, which cloud service model would probably be best?
A. IaaS B. PaaS C. SaaS D. Hybrid
Correct answer- B

If a cloud customer wants a fully operational environment with very little maintenance or administration necessary, which cloud service model would probably be best?
A. IaaS B. PaaS C. SaaS D. Hybrid
Correct answer- C

If a cloud customer wants a bare-bones environment in which to replicate their own enterprise for business continuity/disaster recovery (BC/DR) purposes, which cloud service model would probably be best?
A. IaaS B. PaaS C. SaaS D. Hybrid
Correct answer- A

Gathering business requirements can aid the organization in determining all of these facets of organizational assets except ___________________.
A. Full inventory B. Usefulness C. Value D. Criticality
Correct answer- B

The BIA can be used to provide information about all the following elements except ___________________.
A. Risk analysis B. Secure acquisition C. BC/DR planning D. Selection of security controls
Correct answer- B

In which cloud service model is the customer required to maintain the OS?
A. CaaS B. SaaS C. PaaS D. IaaS
Correct answer- D

In which cloud service model is the customer required to maintain and update only the applications?
A. CaaS B. SaaS C. PaaS D. IaaS
Correct answer- C

In which cloud service model is the customer only responsible for the data?
A. CaaS B. SaaS C. PaaS D. IaaS
Correct answer- B

The cloud customer and provider negotiate their respective responsibilities and rights regarding the capabilities and data of the cloud service. Where is the eventual agreement codified?
A. RMF B. Contract C. MOU D. BIA
Correct answer- B

In attempting to provide a layered defense, the security practitioner should convince senior management to include security controls of which type?
A. Technological B. Physical C. Administrative D. All of the above
Correct answer- D

Which of the following is considered an administrative control?
A. Access control process B. Keystroke logging C. Door locks D. Biometric authentication
Correct answer- A

Which of the following is considered a technological control?
A. Firewall software B. Fireproof safe C. Fire extinguisher D. Firing personnel
Correct answer- A

Which of the following is the best example of a physical control?
A. Carpets B. Ceilings C. Doors D. Fences
Correct answer- D

In a cloud environment, encryption should be used for all the following except ___________________.
A. Long-term storage of data B. Near-term storage of virtualized images C. Secure sessions/VPN D. Profile formatting
Correct answer- D

The process of hardening a device should include all the following except ___________________.
A. Improve default accounts B. Close unused ports C. Delete unnecessary services D. Strictly control administrator access
Correct answer- A

The process of hardening a device should include which of the following?
A. Encrypting the OS B. Updating and patching the system C. Using video cameras D. Performing thorough personnel background checks
Correct answer- B

What is an experimental technology that is intended to create the possibility of processing encrypted data without having to decrypt it first?
A. Homomorphic B. Polyinstantiation C. Quantum-state D. Gastronomic
Correct answer- A

Risk appetite for an organization is determined by which of the following?
A. Reclusion evaluation B. Senior management C. Legislative mandates D. Contractual agreement
Correct answer- B

What is the risk left over after controls and countermeasures are put in place?
A. Null B. High C. Residual D. Pertinent
Correct answer- C

All the following are ways of addressing risk except ___________________.
A. Acceptance B. Reversal C. Mitigation D. Transfer
Correct answer- B

To protect data on user devices in a BYOD environment, the organization should consider requiring all the following except ___________________.
A. DLP agents B. Local encryption C. Multifactor authentication D. Two-person integrity
Correct answer- D

Devices in the cloud data center should be secure against attack. All the following are means of hardening devices except ___________________.
A. Using a strong password policy B. Removing default passwords C. Strictly limiting physical access D. Removing all admin accounts
Correct answer- D

Which of the following best describes risk?
A. Preventable B. Everlasting C. The likelihood that a threat will exploit a vulnerability D. Transient
Correct answer- C

All of these are methods of data discovery except:
A. Content-based B. User-based C. Label-based D. Metadata-based
Correct answer- B

Data labels could include all the following except:
A. Date data was created B. Data owner C. Data value D. Date of scheduled destruction
Correct answer- C

Data labels could include all the following except:
A. Source B. Delivery vendor C. Handling restrictions D. Jurisdiction
Correct answer- B

Data labels could include all the following except:
A. Confidentiality level B. Distribution limitations C. Access restrictions D. Multifactor authentication
Correct answer- D

All the following are data analytics modes except:
A. Real-time analytics B. Data mining C. Agile business intelligence D. Refractory iterations
Correct answer- D

In the cloud, the data owner is usually:
A. In another jurisdiction B. The cloud customer C. The cloud provider D. The cloud access security broker
Correct answer- B

In the cloud, the data processor is usually:
A. The party that assigns access rights B. The cloud customer C. The cloud provider D. The cloud access security broker
Correct answer- C

Which of the following is not an acceptable means of sanitizing hardware?
A. Burning B. Deletion C. Industrial shredding D. Drilling
Correct answer- B

All policies within the organization should include a section that includes all of the following except:
A. Policy maintenance B. Policy monitoring C. Policy enforcement D. Policy transference
Correct answer- D

The most pragmatic option for data disposal in the cloud is which of the following?
A. Melting B. Crypto-shredding C. Cold fusion D. Overwriting
Correct answer- B

What is the intellectual property protection for the tangible expression of a creative idea?
A. Copyright B. Patent C. Trademark D. Trade secret
Correct answer- A

What is the intellectual property protection for a useful manufacturing innovation?
A. Copyright B. Patent C. Trademark D. Trade secret
Correct answer- B

What is the intellectual property protection for a very valuable set of sales leads?
A. Copyright B. Patent C. Trademark D. Trade secret
Correct answer- D

What is the intellectual property protection for a confidential recipe for muffins?
A. Copyright B. Patent C. Trademark D. Trade secret
Correct answer- D

What is the intellectual property protection for the logo of a new video game?
A. Copyright B. Patent C. Trademark D. Trade secret
Correct answer- C

What is the aspect of the DMCA that has often been abused and places the burden of proof on the accused?
A. Toll exemption B. Decryption program prohibition C. Takedown notice D. Puppet plasticity
Correct answer- C

What is the US federal agency that accepts applications for new patents?
A. USDA B. USPTO C. OSHA D. SEC
Correct answer- B

IRM tools use a variety of methods for enforcement of intellectual property rights. These include all the following except:
A. Support-based licensing B. Local agent enforcement C. Dip switch validity D. Media-present checks
Correct answer- C

Which of the following does not have a personal privacy law that limits the way all citizens and entities can share personal data?
A. Japan B. Belgium C. Argentina D. The United States
Correct answer- D

IRM solutions should generally include all the following functions except:
A. Persistency B. Automatic self-destruct C. Automatic expiration D. Dynamic policy control
Correct answer- B

All of the following are terms used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes except ___________________.
A. Tokenization B. Data discovery C. Obfuscation D. Masking
Correct answer- B

The goals of SIEM solution implementation include all of the following except ___________________.
A. Centralization of log streams B. Trend analysis C. Dashboarding D. Performance enhancement
Correct answer- D

The goals of DLP solution implementation include all of the following except ___________________.
A. Policy enforcement B. Elasticity C. Data discovery D. Mitigating loss
Correct answer- B

DLP solutions can aid in deterring loss due to which of the following?
A. Randomization B. Inadvertent disclosure C. Natural disaster D. Device failure
Correct answer- B

DLP solutions can help deter loss because of which of the following?
A. Malicious disclosure B. Performance issues C. Bad policy D. Power failure
Correct answer- A

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?
A. AES B. Link encryption C. Homomorphic encryption D. One-time pads
Correct answer- C

Proper implementation of DLP solutions for successful function requires which of the following?
A. Accurate data categorization B. Physical access limitations C. USB connectivity D. Physical presence
Correct answer- A

Tokenization requires two distinct ___________________.
A. Authentication factors B. Databases C. Encryption keys D. Personnel
Correct answer- B

Data masking can be used to provide all of the following functionality except ___________________.
A. Secure remote access B. Enforcing least privilege C. Testing data in sandboxed environments D. Authentication of privileged users
Correct answer- D

DLP can be combined with what other security tools to enhance data controls?
A. IRM B. SIEM C. Kerberos D. Hypervisors
Correct answer- A

What are the US State Department controls on technology exports known as?
A. ITAR B. EAR C. EAL D. IRM
Correct answer- A

What are the US Commerce Department controls on technology exports known as?
A. ITAR B. EAR C. EAL D. IRM
Correct answer- B

Cryptographic keys for encrypted data stored in the cloud should be ___________________.
A. At least 128 bits long B. Not stored with the cloud provider C. Split into groups D. Generated with dependencies
Correct answer- B

Best practices for key management include all of the following except ___________________.
A. Have key recovery processes B. Maintain key security C. Pass keys out of band D. Ensure multifactor authentication
Correct answer- D

Cryptographic keys should be secured ___________________.
A. To a level at least as high as the data they can decrypt B. In vaults C. By armed guards D. With two-person integrity
Correct answer- A

When crafting plans and policies for data archiving, we should consider all of the following except ___________________.
A. Archive location B. The backup process C. The format of the data D. Immediacy of the technology
Correct answer- D

What is the correct order of the phases of the data lifecycle?
A. Create, Store, Use, Archive, Share, Destroy B. Create, Store, Use, Share, Archive, Destroy C. Create, Use, Store, Share, Archive, Destroy D. Create, Archive, Store, Share, Use, Destroy
Correct answer- B

What are third-party providers of IAM functions for the cloud environment?
A. DLPs B. CASBs C. SIEMs D. AESs
Correct answer- B

What is a cloud storage architecture that manages the data in an arrangement of fields according to characteristics of each data element?
A. Object-based storage B. File-based storage C. Database D. CDN
Correct answer- C

What is a cloud storage architecture that manages the data in caches of copied content close to locations of high demand?
A. Object-based storage B. File-based storage C. Database D. CDN
Correct answer- D

What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud?
A. Mobility B. Elasticity C. Obfuscation D. Portability
Correct answer- D

The various models generally available for cloud BC/DR activities include all of the following except ___________________.
A. Private architecture, cloud backup B. Cloud provider, backup from same provider C. Cloud provider, backup from another cloud provider D. Cloud provider, backup from private provider
Correct answer- D

Countermeasures for protecting cloud operations against external attackers include all of the following except ___________________.
A. Continual monitoring for anomalous activity B. Detailed and extensive background checks C. Hardened devices and systems, including servers, hosts, hypervisors, and virtual machines D. Regular and detailed configuration/change management activities
Correct answer- B

All of the following are techniques to enhance the portability of cloud data in order to minimize the potential of vendor lock-in except ___________________.
A. Avoid proprietary data formats B. Use IRM and DLP solutions widely throughout the cloud operation C. Ensure there are no physical limitations to moving D. Ensure favorable contract terms to support portability
Correct answer- B

Which of the following is a technique used to attenuate risks to the cloud environment resulting from loss or theft of a device used for remote access?
A. Remote kill switch B. Dual control C. Muddling D. Safe harbor
Correct answer- A

Each of the following are dependencies that must be considered when reviewing the BIA after cloud migration except ___________________.
A. The cloud provider's suppliers B. The cloud provider's vendors C. The cloud provider's utilities D. The cloud provider's resellers
Correct answer- D

When reviewing the BIA after a cloud migration, the organization should take into account new factors related to data breach impacts. One of these new factors is ___________________.
A. Legal liability can't be transferred to the cloud provider B. Many states have data breach notification laws C. Breaches can cause the loss of proprietary data D. Breaches can cause the loss of intellectual property
Correct answer- A

The cloud customer will have the most control of their data and systems, and the cloud provider will have the least amount of responsibility, in which cloud computing arrangement?
A. IaaS B. PaaS C. SaaS D. Community cloud
Correct answer- A

After a cloud migration, the BIA should be updated to include a review of the new risks and impacts associated with cloud operations; this review should include an analysis of the possibility of vendor lock-in/lock-out. Analysis of this risk may not have to be performed as a new effort because a lot of the material that would be included is already available from which of the following?
A. NIST B. The cloud provider C. The cost-benefit analysis the organization conducted when deciding on cloud migration D. Open-source providers
Correct answer- C

A poorly negotiated cloud service contract could result in all the following detrimental effects except ___________________.
A. Vendor lock-in B. Malware C. Unfavorable terms D. Lack of necessary services
Correct answer- B

All of the following are cloud computing risks in a multitenant environment except ___________________.
A. Risk of loss/disclosure due to legal seizures B. Information bleed C. DoS/DDoS D. Escalation of privilege
Correct answer- C

Countermeasures for protecting cloud operations against internal threats include all of the following except ___________________.
A. Aggressive background checks B. Hardened perimeter devices C. Skills and knowledge testing D. Extensive and comprehensive training programs, including initial, recurring, and refresher sessions
Correct answer- B

Countermeasures for protecting cloud operations against internal threats include all of the following except ___________________.
A. Active physical surveillance and monitoring B. Active electronic surveillance and monitoring C. Redundant ISPs D. Masking and obfuscation of data for all personnel without need to know for raw data
Correct answer- C

Countermeasures for protecting cloud operations against internal threats at the provider's data center include all of the following except ___________________.
A. Broad contractual protections to ensure the provider is ensuring an extreme level of trust in its own personnel B. Financial penalties for the cloud provider in the event of negligence or malice on the part of its own personnel C. DLP solutions D. Scalability
Correct answer- D

Countermeasures for protecting cloud operations against internal threats at the provider's data center include all of the following except ___________________.
A. Separation of duties B. Least privilege C. Conflict of interest D. Mandatory vacation
Correct answer- C

Benefits for addressing BC/DR offered by cloud operations include all of the following except ___________________.
A. One-time pads B. Distributed, remote processing of, and storage of data C. Fast replication D. Regular backups offered by cloud providers
Correct answer- A

All of the following methods can be used to attenuate the harm caused by escalation of privilege except ___________________.
A. Extensive access control and authentication tools and techniques B. Analysis and review of all log data by trained, skilled personnel on a frequent basis C. Periodic and effective use of cryptographic sanitization tools D. The use of automated analysis tools such as SIM, SIEM, and SEM solutions
Correct answer- C

What is the hypervisor malicious attackers would prefer to attack?
A. Type 1 B. Type 2 C. Type 3 D. Type 4
Correct answer- B

What is the term used to describe loss of access to data because the cloud provider has ceased operation?
A. Closing B. Vendor lock-out C. Vendor lock-in D. Masking
Correct answer- B

Because PaaS implementations are so often used for software development, what is one of the vulnerabilities that should always be kept in mind?
A. Malware B. Loss/theft of portable devices C. Backdoors D. DoS/DDoS
Correct answer- C

What is the cloud service model in which the customer is responsible for administration of the OS?
A. IaaS B. PaaS C. SaaS D. QaaS
Correct answer- A

To address shared monitoring and testing responsibilities in a cloud configuration, the provider might offer all these to the cloud customer except ___________________.
A. Access to audit logs and performance data B. SIM, SIEM, and SEM logs C. DLP solution results D. Security control administration
Correct answer- D

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider's performance and duties?
A. Statutes B. The contract C. Security control matrix D. HIPAA
Correct answer- B

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?
A. SOC 1 Type 1 B. SOC 2 Type 2 C. SOC 1 Type 2 D. SOC 3
Correct answer- D

Which kind of SSAE audit report is most beneficial for a cloud customer, even though it's unlikely the cloud provider will share it without additional protections?
A. SOC 1 Type 1 B. SOC 2 Type 2 C. SOC 1 Type 2 D. SOC 3
Correct answer- B

The auditor should not ___________________.
A. Review documents B. Physically visit the business location C. Perform system scans D. Deliver consulting services
Correct answer- D

Hardening the operating system refers to all of the following except ___________________.
A. Limiting administrator access B. Removing anti-malware agents C. Closing unused ports D. Removing unnecessary services and libraries
Correct answer- B

The cloud customer's trust in the cloud provider can be enhanced by all of the following except ___________________.
A. Audits B. Shared administration C. Real-time environmental controls D. SLAs
Correct answer- C

User access to the cloud environment can be administered in all of the following ways except ___________________.
A. Customer directly administers access B. Customer provides administration on behalf of the provider C. Provider provides administration on behalf of the customer D. Third party provides administration on behalf of the customer
Correct answer- B

Which kind of SSAE audit reviews the organization's controls for assuring the confidentiality, integrity, and availability of data?
A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
Correct answer- B

Which kind of SSAE report provides only an attestation by a certified auditor?
A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
Correct answer- C

Which of the following is a cloud provider likely to provide to its customers in order to enhance the customer's trust in the provider?
A. Site visit access B. Financial reports to shareholders C. Audit and performance log data D. Backend administrative access
Correct answer- C

In all cloud models, the customer will be given access and ability to modify which of the following?
A. Data B. Security controls C. User permissions D. OS
Correct answer- A

In all cloud models, security controls are driven by which of the following?
A. Virtualization engine B. Hypervisor C. SLAs D. Business requirements
Correct answer- D

In all cloud models, the ___________________ will retain ultimate liability and responsibility for any data loss or disclosure.
A. Vendor B. Customer C. State D. Administrator
Correct answer- B

Why will cloud providers be unlikely to allow physical access to their data centers?
A. They want to enhance security by keeping information about physical layout and controls confidential. B. They want to enhance exclusivity for their customers, so only an elite tier of higher-paying clientele will be allowed physical access. C. They want to minimize traffic in those areas to maximize efficiency of operational personnel. D. Most data centers are inhospitable to human life, so minimizing physical access also minimizes safety concerns.
Correct answer- A

Which type of software is most likely to be reviewed by the most personnel, with the most varied perspectives?
A. Database management software B. Open-source software C. Secure software D. Proprietary software
Correct answer- B

A firewall can use all of the following techniques for controlling traffic except ___________________.
A. Rule sets B. Behavior analysis C. Content filtering D. Randomization
Correct answer- D

A honeypot should contain ___________________ data.
A. Raw B. Production C. Useless D. Sensitive
Correct answer- C

Vulnerability assessments cannot detect which of the following?
A. Malware B. Defined vulnerabilities C. Zero-day exploits D. Programming flaws
Correct answer- C

Which of the following best represents the REST approach to APIs?
A. Built on protocol standards B. Lightweight and scalable C. Relies heavily on XML D. Only supports XML output
Correct answer- B

Which of the following is not commonly included in the phases of SDLC?
A. Define B. Reject C. Design D. Test
Correct answer- B

Which of the following is not a component of the STRIDE model?
A. Spoofing B. Repudiation C. Information disclosure D. External pen testing
Correct answer- D

Which of the following best describes SAST?
A. White-box testing B. Black-box testing C. Gray-box testing D. Red-team testing
Correct answer- A

Which of the following confirms that the identity assertion belongs to the entity presenting it?
A. Identification B. Authentication C. Authorization D. Inflammation
Correct answer- B

Which of the following best describes a sandbox?
A. An isolated space where transactions are protected from malicious software B. A space where you can safely execute malicious code to see what it does C. An isolated space where untested code and experimentation can safely occur separate from the production environment D. An isolated space where untested code and experimentation can safely occur within the production environment
Correct answer- C

Identity and access management (IAM) is a security discipline intended to ensure ___________________.
A. All users are properly authorized B. The right individual gets access to the right resources at the right time for the right reasons C. All users are properly authenticated D. Unauthorized users will get access to the right resources at the right time for the right reasons
Correct answer- B

In a federated identity arrangement using a trusted third-party model, who is the identity provider and who is the relying party?
A. A contracted third party/the various member organizations of the federation B. The users of the various organizations within the federation/a CASB C. Each member organization/a trusted third party D. Each member organization/each member organization
Correct answer- A

Which of the following best describes the Organizational Normative Framework (ONF)?
A. A container for components of an application's security controls and best practices catalogued and leveraged by the organization B. A framework of containers for all components of application security controls and best practices catalogued and leveraged by the organization C. A subset of application security controls and best practices catalogued and leveraged by the organization D.
A framework of containers for some of the components of application security controls and best practices catalogued and leveraged by the organization Correct answer- B APIs typically are built with REST or ___________________. A. XML B. SSL C. SOAP D. TEMPEST Correct answer- C The ANF is best described as which of the following? A. A stand-alone framework for storing security practices for the ONF B. A subset of the ONF C. A superset of the ONF D. The complete ONF Correct answer- B Which of the following best describes SAML? A. A standard for developing secure application management logistics B. A standard for exchanging authentication and authorization data between security domains C. A standard for exchanging usernames and passwords across devices D. A standard used for directory synchronization Correct answer- B Which of the following best describes the purpose and scope of ISO/IEC 27034-1? A. Describes international privacy standards for cloud computing B. Provides an overview of application security that introduces definitive concepts, principles, and processes involved in application security C. Serves as a newer replacement for NIST 800-53 r4 D. Provides an overview of network and infrastructure security designed to secure cloud applications Correct answer- B Which of the following terms means "to perceive software from the perspective of the attacker in order to locate/detect potential vulnerabilities?" A. Rendering B. Galloping C. Agile D. Threat modeling Correct answer- D Database activity monitoring (DAM) can be ___________________. A. Host-based or network-based B. Reactive or imperative C. Used in the place of encryption D. Used in place of data masking Correct answer- A WAFs operate at OSI Layer ___________________. A. 1 B. 3 C. 5 D. 7 Correct answer- D Multifactor authentication consists of at least two items. Which of the following best represents this concept? A. A complex password and a secret code B. Complex passwords and an HSM C. 
A hardware token and a magnetic strip card D. Something you know and something you have Correct answer- D SOAP is a protocol specification providing for the exchange of structured information or data in web services. Which of the following is not true of SOAP? A. Standards-based B. Reliant on XML C. Extremely fast D. Works over numerous protocols Correct answer- C DAST requires ___________________. A. Money B. Compartmentalization C. A runtime environment D. Recurring inflation Correct answer- C Physical sandboxing provides which of the following? A. The production environment B. An airgapped test environment that isolates untrusted code for testing in a nonproduction environment C. Emulation D. Virtualization Correct answer- B What is the lowest tier of data center redundancy, according to the Uptime Institute? A. 1 B. V C. C D. 4 Correct answer- A What is the amount of fuel that should be on hand to power generators for backup data center power, in all tiers, according to the Uptime Institute? A. 1 B. 1,000 gallons C. Enough to last 12 hours D. As much as needed to ensure all systems may be gracefully shut down and data securely stored Correct answer- C Who should not be involved in application security testing? A. Quality Assurance team members B. Testing contractors C. User community representatives D. Developers of the application Correct answer- D Which of the following is part of the STRIDE model? A. Repudiation B. Redundancy C. Resiliency D. Rijndael Correct answer- A Which of the following is not part of the STRIDE model? A. Spoofing B. Tampering C. Resiliency D. Information disclosure Correct answer- C Which of the following is not a feature of SAST? A. Source code review B. Team-building efforts C. White-box testing D. Highly skilled, often expensive outside consultants Correct answer- B Which of the following is not a feature of DAST? A. Testing in runtime B. User teams performing executable testing C. Black-box testing D. 
Binary inspection Correct answer- D Which of the following is not a feature of a secure KVM component? A. Keystroke logging B. Sealed exterior case C. Soldered chipsets D. Push-button selectors Correct answer- A What type of redundancy can we expect to find in a data center of any tier? A. All operational components B. All infrastructure C. Emergency egress D. Full power capabilities Correct answer- C What should be the primary focus of data center redundancy and contingency planning? A. Critical path/operations B. Health and human safety C. Infrastructure supporting the production environment D. Power and HVAC Correct answer- B Which of the following techniques for ensuring cloud data center storage resiliency uses parity bits and disk striping? A. Cloud-bursting B. RAID C. Data dispersion D. SAN Correct answer- B Which resiliency technique attenuates the possible loss of functional capabilities during contingency operations? A. Cross-training B. Metered usage C. Proper placement of HVAC temperature measurements tools D. Raised floors Correct answer- A Which of the following has not been attributed as the cause of lost capabilities due to DoS? A. Hackers B. Construction equipment C. Changing regulatory motif D. Squirrels Correct answer- C If a hospital is considering using a cloud data center, which Uptime Institute Tier should it require? A. 2 B. 4 C. 8 D. X Correct answer- B What is often a major challenge to getting both redundant power and communications utility connections? A. Expense B. Carrying medium C. Personnel deployment D. Location of many data centers Correct answer- D Which of the following is generally not a high-priority aspect of physical security in the planning and design of a cloud data center facility? A. Perimeter B. Vehicular approach/traffic C. Fire suppression D. Elevation of dropped ceilings Correct answer- D The Brewer-Nash security model is also known as which of the following? A. MAC B. The Chinese Wall model C. Preventive measures D. 
RBAC Correct answer- B Which kind of hypervisor would malicious actors prefer to attack, ostensibly because it offers a greater attack surface? A. Cat IV B. Type II C. Bare metal D. Converged Correct answer- B Which of the following techniques for ensuring cloud data center storage resiliency uses encrypted chunks of data? A. Cloud-bursting B. RAID C. Data dispersion D. SAN Correct answer- C Which of the following data center redundancy efforts probably poses the greatest threat to human safety? A. Emergency egress B. Communications C. Generators D. Spare components Correct answer- C Which form of BC/DR testing has the most impact on operations? A. Tabletop B. Dry run C. Full test D. Structured test Correct answer- C Which form of BC/DR testing has the least impact on operations? A. Tabletop B. Dry run C. Full test D. Structured test Correct answer- A Which characteristic of liquid propane increases its desirability as a fuel for backup generators? A. Burn rate B. Price C. Does not spoil D. Flavor Correct answer- C How often should the CMB meet? A. Whenever regulations dictate B. Often enough to address organizational needs and reduce frustration with delay C. Every week D. Annually Correct answer- B Adhering to ASHRAE standards for humidity can reduce the possibility of _______. A. Breach B. Static discharge C. Theft D. Inversion Correct answer- B A UPS should have enough power to last how long? A. 12 hours B. 10 minutes C. One day D. Long enough for graceful shutdown Correct answer- D A generator transfer switch should bring backup power online within what timeframe? A. 10 seconds B. Before the recovery point objective is reached C. Before the UPS duration is exceeded D. Three days Correct answer- C Which characteristic of automated patching makes it attractive? A. Cost B. Speed C. Noise reduction D. Capability to recognize problems quickly Correct answer- B Which tool can reduce confusion and misunderstanding during a BC/DR response? A. Flashlight B. 
Controls matrix C. Checklist D. Call tree Correct answer- C When deciding whether to apply specific updates, it is best to follow ______ in order to demonstrate due care. A. Regulations B. Vendor guidance C. Internal policy D. Competitors' actions Correct answer- B The CMB should include representations from all of the following offices except: A. Regulators B. IT department C. Security office D. Management Correct answer- A For performance purposes, OS monitoring should include all of the following except ___________________. A. Disk space B. Disk I/O usage C. CPU usage D. Print spooling Correct answer- D Maintenance mode requires all of these actions except ___________________. A. Remove all active production instances B. Initiate enhanced security controls C. Prevent new logins D. Ensure logging continues Correct answer- B What is one of the reasons a baseline might be changed? A. Numerous change requests B. Power fluctuation C. To reduce redundancy D. Natural disaster Correct answer- A In addition to battery backup, a UPS can offer which capability? A. Communication redundancy B. Line conditioning C. Breach alert D. Confidentiality Correct answer- B Deviations from the baseline should be investigated and ______. A. Documented B. Enforced C. Revealed D. Encouraged Correct answer- A The baseline should cover which of the following? A. As many systems throughout the organization as possible B. Data breach alerting and reporting C. A process for version control D. All regulatory compliance requirements Correct answer- A A localized incident or disaster can be addressed in a cost-effective manner by using which of the following? A. UPS B. Generators C. Joint operating agreements D. Strict adherence to applicable regulations Correct answer- C Generator fuel storage for a cloud data center should last for how long, at a minimum? A. 10 minutes B. Three days C. Indefinitely D. 
12 hours Correct answer- D The BC/DR kit should include all of the following except ___________________. A. Flashlight B. Documentation equipment C. Fuel for the backup generators D. Annotated asset inventory Correct answer- C What must be collected during the eDiscovery process? A. Emails B. Anything pertinent to the request C. All documentation created during a specific time period D. Anything that can provide forensic benefit Correct answer- B Legal controls refer to which of the following? A. Controls designed to comply with laws and regulations related to the cloud environment B. PCI DSS C. ISO 27001 D. NIST 800-53r4 Correct answer- A Which of the following terms is not associated with cloud forensics? A. Analysis B. eDiscovery C. Chain of custody D. Plausibility Correct answer- D Which of the following is not a component of contractual PII? A. Scope of processing B. Use of subcontractors C. Location of data D. Value of data Correct answer- D Which of the following is a primary component of regulated PII? A. Items that should be implemented B. Mandatory breach reporting C. Audit rights of subcontractors D. PCI DSS Correct answer- B Which of the following is not associated with privacy? A. Medical records B. Personal hobbies C. Birthdate D. Participation in a transaction Correct answer- B Which of the following is the best advantage of external audits? A. Independence B. Oversight C. Cheaper D. Better results Correct answer- A Which of the following laws resulted from a lack of independence in audit practices? A. HIPAA B. GLBA C. SOX D. ISO 27064 Correct answer- C Which of the following reports is no longer used? A. SAS 70 B. SSAE 18 C. SOC 1 D. SOC 3 Correct answer- A Which of the following report is most aligned with financial control audits? A. SOC 1 B. SOC 2 C. SOC 3 D. SSAE 18 Correct answer- A Which of the following is the primary purpose of an SOC 3 report? A. Absolute assurances B. Compliance with PCI/DSS C. HIPAA compliance D. 
Seal of approval Correct answer- D The Generally Accepted Accounting Principles are created and maintained by which organization? A. ISO B. ISO/IEC C. PCI Council D. AICPA Correct answer- D Which statute addresses security and privacy matters in the US financial industry? A. GLBA B. FERPA C. SOX D. HIPAA Correct answer- A Which of the following is not an example of a highly regulated environment? A. Healthcare B. Financial services C. Wholesale or distribution D. Public companies Correct answer- C Which of the following SOC report subtypes represents a point in time? A. SOC 2 B. Type I C. Type II D. SOC 3 Correct answer- B Which of the following SOC report subtypes spans a period of time? A. SOC 2 B. SOC 3 C. SOC 1 D. Type II Correct answer- D The right to be forgotten refers to which of the following? A. The right to no longer pay taxes B. Erasing criminal history C. The right to have all of a data subject's data erased D. Masking Correct answer- C SOX was enacted because of which of the following? A. Poor board oversight B. Lack of independent audits C. Poor financial controls D. All of the above Correct answer- D What is a primary component of the Graham-Leach-Bliley Act? A. The right to be forgotten B. EU Data Directives C. The information security program D. The right to audit Correct answer- C Which of the following are not associated with HIPAA controls? A. Administrative controls B. Technical controls C. Physical controls D. Financial controls Correct answer- D Which is the lowest level of the CSA STAR program? A. Continuous monitoring B. Self-assessment C. Hybridization D. Attestation Correct answer- B Which of the following is a valid risk management metric? A. CSA B. KRI C. SLA D. SOC Correct answer- B Which of the following frameworks focuses specifically on design implementation and oversight of risk management? A. ISO 31000:2018 B. HIPAA C. ISO 27017 D. 
NIST 800-92 Correct answer- A Which of the following identifies the top eight security risks based on likelihood and impact? A. NIST 800-53 B. ISO 27000 C. ENISA D. COBIT Correct answer- C The CSA STAR program consists of three levels. Which of the following is not one of the CSA STAR levels? A. Self-assessment B. Third-party assessment-based certification C. SOC 2 audit certification D. Continuous monitoring-based certification Correct answer- C Which ISO standard refers to addressing security risks in a supply chain? A. ISO 27001 B. ISO/IEC 28000:2007 C. ISO 9000 D. ISO 31000:2018 Correct answer- B Which of the following is not a risk management framework? A. NIST SP 800-37 B. ENISA Cloud Computing: Benefits, Risks, and Recommendations for Information Security C. Key risk indicators (KRIs) D. ISO 31000:2018 Correct answer- C What is an impossible level of risk? A. Condition Alpha B. Maximum C. Reduced D. Zero Correct answer- D Which of the following is not a part of ENISA's top eight security risks of cloud computing? A. Vendor lock-in B. Isolation failure C. Insecure or incomplete data deletion D. Availability Correct answer- D Which of the following is a risk management option that halts a business function? A. Mitigation B. Acceptance C. Transference D. Avoidance Correct answer- D Which of the following best describes a cloud carrier? A. A person or entity responsible for making a cloud service available to consumers B. The intermediary who provides connectivity and transport of cloud services between cloud providers and cloud consumers C. The person or entity responsible for keeping cloud services running for customers D. The person or entity responsible for transporting data across the Internet Correct answer- B Which of the following methods of addressing risk is most associated with insurance? A. Transference B. Avoidance C. Acceptance D. 
Mitigation Correct answer- A Which of the following components is part of what a CCSP should review when looking at contracting with a cloud service provider? A. The physical layout of the data center B. Background checks for the provider's personnel C. Use of subcontractors Your selection is incorrect D. Redundant uplink grafts Correct answer- C The difference between KPIs and a KRIs is which of the following? A. KPIs no longer exist, having been replaced by KRIs. B. KRIs no longer exist, having been replaced by KPIs. C. KRIs are forward looking, while KPIs are backward looking. D. There is no difference between KPIs and KRIs. Correct answer- C Which of the following represents a minimum guaranteed resource within a cloud environment for the cloud customer? A. Reservation B. Share C. Limit D. Provision Correct answer- A Within an IaaS implementation, which of the following would NOT be a metric used to quantify service charges for the cloud customer? A. Memory B. Number of users C. Storage D. CPU Correct answer- B What does the REST API use to protect data transmissions? A. NetBIOS B. VPN C. Encapsulation D. TLS Correct answer- D Without the extensive funds of a large corporation, a small-sized company could gain considerable and cost-effective services for which of the following concepts by moving to a cloud environment? A. Regulatory B. Security C. Testing D. Development Correct answer- B The application normative framework is best described as which of the following? A. A superset of the ONF B. A stand-alone framework for storing security practices for the ONF C. The complete ONF D. A subnet of the ONF Correct answer- D Which of the following threat types can occur when baselines are not appropriately applied or when unauthorized changes are made? A. Security misconfiguration B. Insecure direct object references C. Unvalidated redirects and forwards D. 
Sensitive data exposure Correct answer- A What does the management plane typically utilize to perform administrative functions on the hypervisors that it has access to? A. Scripts B. RDP C. APIs D. XML Correct answer- C The BIA can be used to provide information about all the following, except: A. BC/DR planning B. Risk analysis C. Secure acquisition D. Selection of security controls Correct answer- C What process entails taking sensitive data and removing the indirect identifiers from each data object so that the identification of a single entity would not be possible? A. Tokenization B. Encryption C. Anonymization D. Masking Correct answer- C Which one of the following threat types to applications and services involves the sending of requests that are invalid and manipulated through a user's client to execute commands on the application under the user's own credentials? A. Injection B. Missing function-level access control C. Cross-site scripting D. Cross-site request forgery Correct answer- D Which of the following roles is responsible for gathering metrics on cloud services and managing cloud deployments and the deployment processes? A. Cloud service business manager B. Cloud service operations manager C. Cloud service manager D. Cloud service deployment manager Correct answer- D Because cloud providers will not give detailed information out about their infrastructures and practices to the general public, they will often use established auditing reports to ensure public trust, where the reputation of the auditors serves for assurance. Which type of audit reports can be used for general public trust assurances? A. SOC 2 B. SAS-70 C. SOC 3 D. SOC 1 Correct answer- C Which of the following are the storage types associated with PaaS? A. Structured and freeform B. Volume and object C. Structured and unstructured D. Database and file system Correct answer- C Which of the following is not a way to manage risk? A. Enveloping B. Mitigating C. Accepting D. 
Transferring Correct answer- A Which of the following is not a risk management framework? A. Hex GBL B. COBIT C. NIST SP 800-37 D. ISO 31000:2019 Correct answer- A Which of the following is not appropriate to include in an SLA? A. The number of user accounts allowed during a specified period B. Which personnel are responsible and authorized among both the provider and the customer to declare an emergency and transition the service to contingency operation status C. The amount of data allowed to be transmitted and received between the cloud provider and customer D. The availability requirements for a given period Correct answer- B What is the Cloud Security Alliance Cloud Controls Matrix (CCM)? A. An inventory of cloud service security controls that are arranged into separate security domains B. An inventory of cloud services security controls that are arranged into a hierarchy of security domains C. A set of regulatory requirements for cloud service providers D. A set of software development lifecycle requirements for cloud service providers Correct answer- A Which of the following is not one of the types of controls? A. Transitional B. Administrative C. Technical D. Physical Correct answer- A Which of the following is not an example of an essential internal stakeholder? A. IT analyst B. IT director C. CFO D. HR director Correct answer- A Gathering business requirements aids in determining information about organizational assets. Which of the following is not determined by this process? A. Criticality B. Robustness C. Value D. ROI Correct answer- B Which of the following is one example of a data discovery method? A. Bastion host based B. Metadata based C. Firewall based D. SIEM based Correct answer- B Which of the following is a term used to describe the practice of obscuring original raw data so that only a portion is displayed for operational purposes? A. Data discovery B. Hashing C. Masking D. 
Public key infrastructure Correct answer- C Which of the following is a characteristic of modern data center design? A. Weak physical security B. Located in metropolitan areas C. Located in desert climates D. Power redundancy Correct answer- D What is the term used to describe the ease and efficiency of moving data from one provider to another? A. Portability B. Mobility C. Forklifting D. Vendor lock-out Correct answer- A Which of the following is not a characteristic of REST? A. Lightweight and scalable B. Supports multiple protocols C. Relies heavily on XML D. Stateless Correct answer- C In what cloud service model is the customer responsible for administration of the operating system? A. PaaS B. SaaS C. DaaS D. IaaS Correct answer- D Which is the highest level of data center redundancy, according to the Uptime Institute? A. 4 B. 5 C. 3 D. 10 Correct answer- A Of the following, which type of test has the most impact on operations? A. Tabletop exercise B. Dry run C. Full test D. Structured test Correct answer- C Which of the following has increased the viability of cloud services? A. Smart bus hubs B. Virtualization C. Agile development D. High-speed switching Correct answer- B Which of the following is the best example of a SIEM function? A. Performance enhancements B. REST C. SOAP D. Centralization of log streams Correct answer- D What is the lowest tier of data center redundancy according to the Uptime Institute? A. 1 B. 3 C. 5 D. 7 Correct answer- A What is a function common to many egress monitoring solutions? A. Elasticity B. Data discovery C. Metered service D. Satellite links Correct answer- B Which of the following is the best example of a countermeasure used to protect cloud operations against external attackers? A. Continual monitoring for anomalous activity B. Detailed and extensive background checks C. Use of generic hardware in building infrastructure components D. 
Cameras inside the data center Correct answer- A Which of the following is included in the STRIDE model? A. Spoofing B. Testing C. Database D. Erasure Correct answer- A Which of the following is the most important mechanism to ensure trust in the cloud provider's performance and duties? A. The contract B. Statutory law C. CSA Security Alliance Cloud Controls Matrix D. SLA provisions Correct answer- A Which of the following is a characteristic of liquid propane gas that makes it attractive as a fuel for backup generators? A. Does not spoil B. Burn rate C. Price D. Ubiquitous Correct answer- A Of the following elements, which is the primary driver of security decisions? A. Location B. Access C. Resiliency D. Business requirements Correct answer- D Egress monitoring solutions can aid in reducing the possibility of losses due to ______. A. Inadvertent disclosure B. Natural disasters C. Device failures D. Randomization Correct answer- A Which of the following represents a technique to enhance the portability of cloud data? A. Avoiding proprietary data formats B. DRM C. DLP D. Comprehensive auditing Correct answer- A What term best describes a set of technologies that analyze application source code, byte code, and binaries for coding and design problems that would indicate a security problem or vulnerability? A. DAST B. SAST C. MFA D. STRIDE Correct answer- B Of the following, which type of SSAE audit report is the cloud provider most likely to be willing to share without any additional participation from the cloud customer? A. SOC 1 Type 1 B. SOC 3 C. SOC 2 Type 1 D. SOC 3 Type 2 Correct answer- B Which of the following terms is not associated with the STRIDE model? A. Spoofing B. Tampering C. Resiliency D. Information disclosure Correct answer- C Inability to remotely access a cloud provider impacts which of the three elements of the CIA triad? A. Integrity B. Availability C. Confidentiality D. 
Access controls Correct answer- B In which cloud service model is the customer required to maintain and update only the applications? A. SaaS B. IaaS C. PaaS D. DaaS Correct answer- C In which cloud service model is the customer responsible for only the data? A. IaaS B. PaaS C. SaaS D. DaaS Correct answer- C Egr


CCSP 2020 BEST EXAM STUDY

What type of solutions enable enterprises or individuals to store data and computer files
on the Internet using a storage service provider rather than keeping the data locally on a
physical disk such as a hard drive or tape backup?

A.
Online backups

B.
Cloud backup solutions

C.
Removable hard drives

D.
Masking Correct answer- B

When using an infrastructure as a service (IaaS) solution, which of the following is not
an essential benefit for the customer?

A.
Removing the need to maintain a license library
B.
Metered service
C.
Energy and cooling efficiencies
D.
Transfer of ownership cost Correct answer- A

______________focuses on security and encryption to prevent unauthorized copying
and limitations on distribution to only those who pay.

A.
Information rights management (IRM)
B.
Masking
C.
Bit splitting
D.
Degaussing Correct answer- A

Which of the following represents the correct set of four cloud deployment models?

A.
Public, private, joint and community
B.
Public, private, hybrid, and community
C.
Public, Internet, hybrid, and community
D.
External, private, hybrid, and community Correct answer- B

A special mathematical code that allows encryption hardware/software to encrypt and
then decipher a message.

A.
PKI
B.
Key
C.
Public-private
D.
Masking Correct answer- B

Which of the following lists the correct six components of the STRIDE threat model?
A.
Spoofing, tampering, repudiation, information disclosure, denial of service, and
elevation of privilege
B.
Spoofing, tampering, refutation, information disclosure, denial of service, and social
engineering elasticity
C.
Spoofing, tampering, repudiation, information disclosure, distributed denial of service,
and elevation of privilege
D.
Spoofing, tampering, nonrepudiation, information disclosure, denial of service, and
elevation of privilege Correct answer- A

What is the term that describes the assurance that a specific author actually created
and sent a specific item to a specific recipient, and that the message was successfully
received?
A.
PKI
B.
DLP
C.
Nonrepudiation

D.
Bit splitting Correct answer- C

What is the correct term for the process of deliberately destroying the encryption keys
used to encrypt data?
A.
Poor key management
B.
PKI
C.
Obfuscation
D.
Crypto-shredding Correct answer- D

In a federated environment, who is the relying party, and what do they do?
A.
The relying party is the service provider, and they consume the tokens generated by the
identity provider.
B.
The relying party is the service provider, and they consume the tokens generated by the
customer.
C.
The relying party is the customer, and they consume the tokens generated by the
identity provider.
D.
The relying party is the identity provider, and they consume the tokens generated by the
service provider. Correct answer- A

What is the process of replacing sensitive data with unique identification
symbols/addresses?
A.
Randomization
B.
Elasticity
C.
Obfuscation
D.
Tokenization Correct answer- D

Which of the following data storage types are associated or used with platform as a
service (PaaS)?
A.
Databases and big data
B.
SaaS application
C.
Tabular
D.
Raw and block Correct answer- A

What is the term used for software technology that abstracts application software from
the underlying operating system on which it is executed?
A.
Partition
B.
Application virtualization
C.
Distributed
D.
SaaS Correct answer- B

Which of the following represents the US legislation enacted to protect shareholders
and the public from enterprise accounting errors and fraudulent practices?
A.
PCI
B.
Gramm-Leach-Bliley Act (GLBA)
C.
Sarbanes-Oxley Act (SOX)
D.
HIPAA Correct answer- C

Which of the following is a device that can safely store and manage encryption keys and
is used in servers, data transmission, and log files?
A.
Private key
B.
Hardware security module (HSM)
C.
Public key
D.
Trusted operating system module (TOS) Correct answer- B

What is a type of cloud infrastructure that is provisioned for open use by the general
public and is owned, managed, and operated by a cloud provider?
A.
Private cloud
B.
Public cloud
C.
Hybrid cloud
D.
