Professional Cloud Security Manager - Mock Exam

Mock Exam

Q1. How many tiers should an Information Security Continuous Monitoring (ISCM) program (as per
NIST SP 800-137) have?
a) 2 – Tier 1 (Organization Business Processes), Tier 2 (Cloud Computing Strategy Implementation)

b) 2 – Tier 1 (Cloud Computing Strategy Implementation), Tier 2 (Organization Business Processes)

c) 3 – Tier 1 (Organization), Tier 2 (Mission/Business Processes), Tier 3 (Information Systems)

d) 3 – Tier 1 (Information Systems), Tier 2 (Mission/Business Processes), Tier 3 (Organization)

Q2. Cloud services (such as IaaS, PaaS, and SaaS) can be delivered by several models.

Which 3 models are recognized as standards? Select three options.

a) Private cloud

b) Community cloud

c) Hybrid cloud

d) Shared cloud

e) Social cloud

Q3. Consider the following statements about hybrid cloud solutions.


1. In a hybrid cloud, both the provider and consumer share the management responsibility.
2. In a hybrid cloud, both the provider and consumer share the ownership.
3. In a hybrid cloud, the provider and consumer use a combination of on-premise and
off-premise infrastructure.
4. In a hybrid cloud, both the provider and consumer have trusted and untrusted users.

Which statements are correct?

a) Statements 1 and 2 are correct.

b) Statements 1, 3, and 4 are correct.

c) Statements 2, 3, and 4 are correct.

d) All statements are correct.

Copyright © 2016 │ 195



Q4. What is not a risk for a multi-tenancy design?


a) Co-mingled tenant data

b) Inadequate logical security controls

c) Overcharging for extreme use of resources

d) Uncoordinated change controls and misconfigurations

Q5. Consider the context of data center availability and physical security.

Which tier ensures the highest availability?

a) Tier I

b) Tier II

c) Tier III

d) Tier IV

Q6. What is a device that safeguards and manages digital keys for strong authentication
along with providing crypto processing called?
a) Hardware Security Module (HSM)

b) Key Management Device (KMD)

c) Public Key Infrastructure

d) Windows File Server

Q7. What are the benefits of Least Privilege Access?


a) Better service stability, security, and ease of deployment

b) Better service stability, lower complexity, better security, and ease of deployment

c) Improved availability, lower risk, lower cost of development, and deployment

d) It is mainly about best service availability

Q8. Consider the replication schemes and active costs, such as electricity and network
bandwidth.

Which disaster recovery solution is most advantageous?

a) Online Backup

b) Cold Site Disaster Recovery

c) Warm Site Disaster Recovery

d) Hot Site Disaster Recovery


Q9. What allows an organization and cloud provider to trust and share digital identities?
a) Federated Identity

b) Identity and Access Management

c) Multi-factor Authentication

d) Tokenization

Q10. A new e-commerce application (predicted to deliver 70% of the company’s revenue) is being
developed and will be hosted on IaaS and PaaS with a well-known public cloud provider.
The application will process personal data and orders, and will also take payment details for
processing by external payment processing companies.

With regard to the data security, what should not be a key concern of the security
manager?

a) Ability of the application to handle the increase in number of users after a certain limit

b) Availability of the system when under DDoS attack

c) Integrity of financial transactions

d) Personally Identifiable Information (PII) of persons from outside the US, stored in US data centers

e) Payment processing not fully outsourced, hence the system in the full scope of PCI DSS

Q11. The Heartbleed bug in OpenSSL was open to which of the following attacks?
a) Brute-force of the cryptographic keys used to encrypt network transmission

b) Denial-of-Service attack to make website unresponsive

c) Network snooping attack with a side channel for decryption of the encrypted traffic

d) Private memory (RAM) read attack that could reveal private or session keys

Q12. What would typically be the responsibility of a cloud customer security operations team?
a) Facilities, Network infrastructure, Hypervisor security

b) Facilities, Physical security, Physical Infrastructure, Network Infrastructure, Operating system

c) Facilities, Physical security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure

d) Operating System, Application, Account Management, Security Roles, Network Configuration


Q13. Which of the following statements correctly depicts the use of a Concept of Operations
(CONOP) document?
a) It is a mandatory document required by ISO 27001 related to security operations.

b) It is a mandatory document required by ISO 27023 related to security operations.

c) It helps an organization to document in plain language what is required and what should be
built for an information system.

d) It provides requirements for an organization to implement security management related to
Identity and access management.

Q14. Due diligence is the investigation process before committing to a contractual agreement
for cloud services. As part of the process, it is recommended to use a step-by-step
approach or a checklist/plan that helps to look into the small details.

Which plan needs to be part of the due diligence process and has the scope of all the
services to be migrated to the cloud?

a) Transition Plan

b) Project Plan

c) Migration Plan

d) Implementation Plan

Q15. Network isolation is an important factor to establish a cloud infrastructure and hardening
process. The networking devices need to be configured with proper port configurations
to mitigate the switch spoofing and double tagging threats.

What type of attack can be targeted from these threats?

a) VM Theft

b) VLAN Hopping

c) VM Hopping

d) VLAN Escape


Q16. A container is a form of operating system-level virtualization that is more lightweight than
hardware virtualization. Containers can be used as an alternative to virtual machines
to run multiple isolated systems on a single host; however, there are differences in the
characteristics of hardware virtualization and containers.

Which of the following characteristics belongs to hardware virtualization and not to
containers?

a) Applying limits per process

b) Single Network file system caching

c) Emulation of devices

d) Single kernel

Q17. Business continuity is a key component of any IT, security, and cloud strategy.

Which 3 key elements does it include? Select three options.

a) Availability

b) Contingency

c) Resilience

d) Recovery

e) Scalability

Q18. What provides assurance that the message received has not lost its original form?
a) Authentication

b) Confidentiality

c) Integrity

d) Non-Repudiation

Q19. The Risk Assessment methodology has nine steps.

Which step is ‘threat identification’?

a) First

b) Second

c) Third

d) Fourth


Q20. What is not an activity related to Incident Management in the cloud?


a) Handling complicated troubleshooting due to continuous environment changes

b) Limiting incident spill over to multiple cloud tenants

c) Managing incident investigations in a virtualized environment

d) Managing access to appropriate levels of data

Q21. What is not a characteristic of SOA?


a) All components should be exposed as services.

b) All services should use SOAP/WSDL interfaces.

c) All services are discoverable from a portal.

d) All services should use WS-* security.

Q22. Which attack vector allows an attacker to break out a Virtual Machine (VM) and interact
with the host operating system?
a) Hyperjacking

b) VM Escape

c) VM Hopping

d) VM Theft

Q23. Cloud is a very effective enabler for disaster recovery or business continuity. For multisite
solution, what would help to identify the data replication method to use with regard to
disaster recovery?
a) RTO

b) RPO

c) Multi-Site Active-Active

d) Data Center Tiers

Q24. Critical business functions and the supporting infrastructure should be unaffected by
most disruptions.

What business continuity element ensures this?

a) Availability

b) Contingency

c) Recovery

d) Resilience


Q25. Which organization has provided a globally accepted Cloud Computing Reference
Architecture?
a) Carnegie Mellon University

b) Institute of Electrical and Electronics Engineers

c) National Institute of Standards and Technology

d) Massachusetts Institute of Technology



Answers

MODULE ACTIVITIES ANSWERS

Module 02: Cloud Computing: Security, Risks, and Governance

Activity: Cloud Computing Basics


Sample Answer
Company Background
Stelford is a leading steel manufacturing company with factories spread across three countries and
Sales and Operations teams and regional offices in more than 30 countries.
Problem Description
The ERP application runs in a distributed architecture, and the manufacturing sites and regional sales
offices each have a local deployment. Syncing data between the central site and the local sites takes
approximately 24 hours. This is a hindrance for the Sales and Operations teams, who cannot receive the
updated stock position in real time and place just-in-time orders for the customer.
Business Requirements
● Fast and efficient synchronization between the sites and regional offices at different locations
● Availability of complete, integrated, and updated data from all sites and regional offices in
real-time mode
● Centralized control of the ERP application
● In-house control of the development environment

Benefits from Cloud Computing (using IaaS service model)


● Access to the centralized ERP application and data
● Specific development environment for the current ERP
● Complete administration access for the entire environment
● Scaling of the infrastructure to be controlled by the Stelford IT team
● Extensive resiliency


Activity: Cloud Computing Security


Sample Answer
Business risks and impacts:
● Lock-in and data portability: Lock-in refers to the inability of a cloud consumer to move
their data away from a cloud service provider. In addition, data portability issues can hinder
changing the service provider.
● Data security and privacy: Data integrity, confidentiality and privacy are major challenges
of cloud computing.
● Data storage location: The location of data storage may hinder compliance with government
and other regulatory requirements. Cloud computing introduces the risk that data belonging to one
organization may be stored in several locations and coexist with another organization’s data.
● Loss of governance: Loss of governance to cloud service providers is perceived as a potential
security risk by organizational leaders. Businesses are exposed to many types of risk when
they entrust their data to a third party. The impact of the loss of control may lead to the
inability to comply with security requirements, a loss of confidentiality, availability, and integrity
of data, and a decline in the performance and quality of service.

Technical risks and impacts:


● Availability of service: Availability of service can be a major challenge in cloud computing.
The cloud computing service can be impacted for various reasons, such as the use of
cheap commodity hardware and network degradation.
● Resource exhaustion: Cloud computing services are on-demand and resources are allocated
by the cloud service provider based on statistical projection. This is a calculated
risk: high performance computing applications and transactional database systems may
lead to performance unpredictability and/or resource exhaustion.
● Distributed Denial of Service: Cloud computing systems are an easy target for attackers; the
spread of malware, or the effects of a successful attack on one tenant, may negatively impact other
organizations with data located in the same environment.

Module 03: Physical and Operations Security: A Shared Responsibility

Activity: Physical and Operations Security Considerations


Sample Answer
Some of the operations areas that need focus from the perspective of security management in cloud
computing are:
● Identity management (if the organization’s identity management system is integrated with the
cloud computing system)
● Security incident management (to interface with and manage cloud computing incidents)
● Network perimeter security (as an access point to the Internet)
● Systems development (in which the cloud is part of the application infrastructure)
● IT risk and project management
● Data management (for data transmitted and stored on cloud systems)


Activity: Risk Management: A Shared Perspective

Q1. Answer:
a) IaaS

Q2. Answer:
a) Risks, Risks

Q3. Answer:
b) Control Analysis

Module 04: Security Management Controls in Cloud Computing

Activity: Identity and Access Management


Sample Answer
Zion can consider identity federation and multifactor authentication as the solution. Identity federation
will enable the end-users to access the email service and offers the IT administration control over
authentication and security protocols through their Active Directory server located on their private
cloud. The authentication mechanism can be extended using MFA, which can increase the security
beyond what the user knows (i.e. username and password).

Activity: Data Protection


Sample Answer

Data Source                                               Data Category
Data stored and accessed through ERP application          Private and confidential
Data stored and accessed through marketing application    Sensitive
Data stored and accessed through Web application          Unrestricted

Module 05: Legal, Contractual, and Operational Monitoring in the Cloud

Activity: Legal and Regulatory Landscape


Sample Answer
An example of the factors considered during the due diligence process:
● Risk identification: Data is deleted if unused after a period of time, for example, 24 months
● Associated business impact: Loss of customer data and related transactions
● Technical impact: Loss of data for customer access at a later stage
● Regulatory and compliance impact: Certain countries have regulations requiring customer data to be
held for a certain period of time, which might be longer or shorter than the threshold
● Overall risk acceptance: Not accepted

Activity: Monitoring: Providers and Subscribers

Sample Answer
Two examples of factors that would be included in a monitoring program are given:
Scenario 1: The SLA states that the service provider delivers two full backups in each monthly cycle.
As part of the continuous monitoring practice, the monitoring program should track that two
backup files are added each month. If the number of backup files drops to one or fewer, the monitoring
tool needs to raise an alert.
Scenario 2: In the context of availability, continuous monitoring needs to be integrated and
performed from both the consumer and the provider side. As the service is being accessed through the
Internet, there can be many reasons for unavailability. Hence, to track unavailability and its
cause, continuous monitoring is required at both ends.
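The Scenario 1 check, as an added example in Python that is not part of the course book: it parses a constructed provider backup log, counts successful full backups per month, and alerts on any expected month that falls short of the SLA figure. The log line format, the field names and the list of expected months are assumptions made for illustration.

```python
import re

# SLA figure from Scenario 1: two full backups per monthly cycle.
REQUIRED_FULL_BACKUPS_PER_MONTH = 2

# Constructed provider backup log for illustration (assumed format, not real data).
# February has a failed full backup and an incremental: neither counts towards the SLA.
BACKUP_LOG = """\
2016-01-03T01:00:00Z backup type=full status=ok size=412G
2016-01-17T01:00:00Z backup type=full status=ok size=415G
2016-02-02T01:00:00Z backup type=full status=ok size=420G
2016-02-16T01:00:00Z backup type=full status=failed size=0G
2016-02-20T01:00:00Z backup type=incremental status=ok size=12G
2016-03-01T01:00:00Z backup type=full status=ok size=431G
2016-03-15T01:00:00Z backup type=full status=ok size=433G
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<month>\d{4}-\d{2})-\d{2}T\S+ backup type=(?P<type>\w+) status=(?P<status>\w+)"
)


def count_full_backups(log_text: str) -> dict:
    """Map 'YYYY-MM' -> number of successful full backups recorded in that month."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line; a production monitor should count these separately
        month = m.group("month")
        counts.setdefault(month, 0)  # register the month even if nothing in it qualifies
        if m.group("type") == "full" and m.group("status") == "ok":
            counts[month] += 1
    return counts


def backup_alerts(log_text: str, expected_months, required: int = REQUIRED_FULL_BACKUPS_PER_MONTH):
    """Return the months that need an alert, sorted.

    The expected months are passed in explicitly so that a month with no log lines
    at all (the provider silently stopped backing up) is reported rather than missed.
    """
    counts = count_full_backups(log_text)
    return sorted(m for m in expected_months if counts.get(m, 0) < required)


if __name__ == "__main__":
    for month in backup_alerts(BACKUP_LOG, ["2016-01", "2016-02", "2016-03", "2016-04"]):
        print(f"ALERT: {month} has fewer than {REQUIRED_FULL_BACKUPS_PER_MONTH} successful full backups")
```

The point of passing the expected months in is the failure mode the scenario cares about: counting only what the log contains can never alert on a month in which the provider wrote nothing.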

Activity: Security Operations in the Cloud


Sample Answer
Some examples of policy and procedure elements that should be reviewed as part of a cloud
deployment:
● In the cloud, the service provider network cannot be assumed to be secure and hence needs to be
hardened from all sides within the scope of the customer.
● Internal server-to-server communication needs to be encrypted to prevent data leakage.
● Operating systems need to be hardened to prevent unwanted services from being deployed by the
consumer.

Module 06: Network Security Management in the Cloud

Activity: Network Management in the Cloud

Q1. Answer:
d) VM Theft

Q2. Answer:
a) SDN

Q3. Answer:
a) VM Hopping


Module 07: Business Continuity, Disaster Recovery, and Capacity/Performance


Planning

Activity: Business Continuity


Sample Answer
A customer uses a CRM system such as Microsoft CRM and also deploys a load balanced resilient
site using IaaS. They load balance the traffic to provide resiliency and best performance. In the
case of any site being unavailable, the business continuity plan will include the other site to take the
complete load. In this particular example, the load balancing mechanism will be updated automatically
and hence the single available site will provide business function for the application environment.

Activity: Disaster Recovery Resilient Technology

Sample Answer
Consider a manufacturing organization using ERP, BI, and Email applications. After classification,
the intended RTO and RPO may be represented as:
Mission Critical
● ERP – RTO < 1 minute, RPO < 2 minutes

Business Critical
● Email – RTO < 5 minutes, RPO < 15 minutes

Important
● BI – RTO < 60 minutes, RPO < 30 minutes


CASE STUDY ANSWERS

Case Study – Solutions and Answers

Moving to the Cloud


Answer: SaaS
Rationale
Out of the three service delivery models, SaaS is the only delivery model that complies with all the given
requirements. IaaS does not comply with the fourth and fifth requirements, that is, user administration
access and cost evaluation based on the number of users/sessions used. As there is no requirement for
development, the PaaS model is not applicable.

Securing Storage on the Cloud


Answer: Federation
Rationale
In the cloud computing environment, federation of identity plays a key role in enabling enterprises to
authenticate using its own user repository, provide single or reduced sign-on, and exchange identity
attributes.
Clear separation of the managed identities of the cloud consumer from those of the cloud provider
must also be ensured to protect the consumer’s resources from provider-authenticated entities and
vice versa.

Securing the Data


Answer: Encryption and Multi-factor Authentication
Rationale
Encryption converts plaintext into ciphertext so that it can only be read by the
intended user. The user needs access to the decryption key in order to convert the ciphertext
back to plaintext. The access mechanism can be further secured using multi-factor
authentication.

Assessing the IaaS Service Providers


Answer: No, not all practices listed by EasyCloud are part of the hardening practices. “Isolation of
subscriber storage device” does not relate to hardening.
Rationale
The steps that a service provider performs for hardening are:
● Isolate networks
● Isolation of cloud management networks
● Isolation of IP storage networks
● Isolation of subscriber data network


● Secure subscriber access to resources


● Secure restoration of services
● Strong authentication and authorization
● A library of secure templates
● Resource management

Increasing the Availability


Answer: Multi-Site
Rationale
A multi-site solution runs in the cloud as well as in the on-site operations in an active-active
configuration. The data replication method that is employed will be determined by the recovery point
objective (RPO).

Identifying the PaaS Requirements


Answer: Environment based on virtual machine
Rationale
In this case, the virtual machine is preferred over containers because of the following characteristics
of virtualization:
● Different kernels/OS
● Emulation of devices
● Several network filesystem caching
● Limits per machine
● Legacy consolidation


MOCK EXAM ANSWERS


Q1. Answer
a) Incorrect.
b) Incorrect.
c) Correct. ISCM begins with development of a strategy that addresses ISCM requirements
and activities at each organizational tier (organization, business processes, and information
systems).
d) Incorrect.

Q2. Answer
a) Correct. The recognized models for cloud delivery are private cloud, community cloud, public
cloud, and hybrid cloud.
b) Correct. The recognized models for cloud delivery are private cloud, community cloud, public
cloud, and hybrid cloud.
c) Correct. The recognized models for cloud delivery are private cloud, community cloud, public
cloud, and hybrid cloud.
d) Incorrect.
e) Incorrect.

Q3. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
d) Correct. Hybrid cloud is a composition of two or more distinct cloud infrastructures, such as
private and public, or private and community; it can have both trusted and untrusted users. The provider
and the consumer share the management responsibility and ownership. Hybrid cloud uses
a combination of on-premise and off-premise infrastructure.

Q4. Answer
a) Incorrect.
b) Incorrect.
c) Correct. Overcharging for extreme use of resources is a commercial concern, not a security risk
of the design. Some of the security risks within a multi-tenancy design are:
1. Inadequate logical security controls
2. Malicious or ignorant tenants
3. Shared services can become a single point of failure
4. Uncoordinated change controls and misconfigurations
5. Co-mingled tenant data
d) Incorrect.


Q5. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
d) Correct. Tier I is composed of a single path for power and cooling distribution, without
redundant components, providing 99.671% availability. Tier II is composed of a single path for
power and cooling distribution, with redundant components, providing 99.741% availability.
Tier III is composed of multiple power and cooling distribution paths (with only one
path active), has redundant components, and is concurrently maintainable, providing
99.982% availability. Tier IV is composed of multiple active power and cooling distribution
paths, has redundant components, and is fault tolerant, providing 99.995% availability.

Q6. Answer
a) Correct. A hardware security module (HSM) is a physical computing device that safeguards and
manages digital keys for strong authentication and provides cryptoprocessing. These modules
traditionally come in the form of a plug-in card or an external device that attaches directly
to a computer or network server. A public key infrastructure (PKI) is a set of hardware,
software, people, policies, and procedures needed to create, manage, distribute, use, store,
and revoke digital certificates and manage public-key encryption; it may use an HSM for key
storage but is not itself a device. A file server might be a dedicated network-attached storage
(NAS) device that also serves as a remote hard disk drive for other computers, allowing anyone
on the network to store files on it as if to their own hard drive; it offers no key protection.
b) Incorrect.
c) Incorrect.
d) Incorrect.

Q7. Answer
a) Correct. The principle of least privilege provides better service stability, better service
security, and ease of deployment for the applications.
b) Incorrect.
c) Incorrect.
d) Incorrect.

Q8. Answer
a) Incorrect.
b) Incorrect.
c) Correct. For warm site disaster recovery, data is kept at the warm site by either an asynchronous
or a synchronous replication scheme. In this recovery solution, hardware is duplicated, but
active costs such as electricity and network bandwidth are lower during normal operation,
which provides cost-benefit advantages.
d) Incorrect.


Q9. Answer
a) Correct. Federated Identity allows the organization and cloud provider to trust and share
digital identities and attributes across both domains, and to provide a means for single sign-
on.

b) Incorrect.

c) Incorrect.

d) Incorrect.

Q10. Answer
a) Correct. The ability to scale with the number of users is a capacity and performance concern,
not a data security concern. The data strategy should incorporate an approach that addresses
compliance requirements and actual security threats. Leading practices should include securing
sensitive data, establishing appropriate separation of duties between IT operations and IT
security, ensuring that the use of cloud data conforms to existing enterprise policies, as well
as strong key management and strict access policies. An effective cloud security solution
should incorporate three key capabilities:
● Data lockdown
● Access policies
● Security intelligence

b) Incorrect.

c) Incorrect.

d) Incorrect.

e) Incorrect.

Q11. Answer
a) Incorrect.

b) Incorrect.

c) Incorrect.

d) Correct. Heartbleed is exploited by sending a malformed heartbeat request with a small
payload and a large length field to the vulnerable party (usually a server) in order to prompt
the victim's response. This permits the attacker to read up to 64 kilobytes of the victim's
memory that was likely to have been used previously by OpenSSL. Where a Heartbeat
Request might ask a party to "send back the four-letter word 'bird'", resulting in a response of
"bird", a "Heartbleed Request" (a malicious heartbeat request) of "send back the 500-letter
word 'bird'" would cause the victim to return "bird" followed by whatever 496 characters the
victim happened to have in active memory. Attackers in this way could receive sensitive
data, compromising the confidentiality of the victim's communications. Although an attacker
has some control over the disclosed memory block's size, it has no control over its location,
and therefore cannot choose what content is revealed. Source: https://en.wikipedia.org/wiki/Heartbleed#Behavior
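The missing bounds check, as an added Python example that is not part of the course book or of OpenSSL: it encodes a heartbeat record in the RFC 6520 layout (type, 16-bit payload length, payload, padding), then answers it once the way the vulnerable code did (trust the length field and copy that many bytes) and once with the check the 1.0.1g fix introduced. The "heap" here is a constructed byte string standing in for stale process memory; the secret-looking contents are invented for illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed stand-in for what sits in the server's heap right after the received
# record (assumed, for illustration): leftovers from earlier connections.
STALE_HEAP = b"Cookie: session=9f1c2d...\r\n-----BEGIN RSA PRIVATE KEY-----\nMIIEow..."


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Encode a heartbeat record: type (1) | payload_length (2) | payload | padding.

    An honest client passes declared_len == len(payload); the attack passes a
    declared_len far larger than the payload it actually sends.
    """
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len)
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_respond(record: bytes) -> bytes:
    """OpenSSL before 1.0.1g: trust the length field and copy that many bytes back."""
    heap = bytes(record) + STALE_HEAP            # the record buffer, then whatever follows it
    declared_len = struct.unpack("!H", record[1:3])[0]
    payload = heap[3:3 + declared_len]           # reads past the end of the record
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", declared_len) + payload


def patched_respond(record: bytes):
    """OpenSSL 1.0.1g fix: check the declared length against the bytes actually received.

    Returns None when the record is discarded, as the patched code does silently.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    declared_len = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + declared_len + MIN_PADDING > len(record):
        return None
    payload = record[3:3 + declared_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", declared_len) + payload


def response_payload(response: bytes) -> bytes:
    """Strip the 3-byte header from a heartbeat response."""
    return response[3:]


if __name__ == "__main__":
    honest = build_heartbeat(b"bird", 4)
    attack = build_heartbeat(b"bird", 500)
    print(response_payload(patched_respond(honest)))    # b'bird'
    print(patched_respond(attack))                        # None
    print(response_payload(vulnerable_respond(attack)))   # b'bird', the padding, then stale heap
```

The attacker-controlled quantity is only the size of the copy; where the copy lands beyond the record depends on what the allocator left there, which is why the explanation above says the attacker cannot choose what is revealed.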


Q12. Answer
a) Incorrect.

b) Incorrect.

c) Incorrect.

d) Correct. The cloud customer's security operations team is responsible for the following:
● Operating system
● Application
● Account management
● Security roles
● Network configuration

Q13. Answer
a) Incorrect.

b) Incorrect.

c) Correct. A concept of operations (CONOP) helps an organization document in plain language
what is required and what should be built for an information system.

d) Incorrect.

Q14. Answer
a) Correct. The due diligence process includes a short-term/long-term transition plan.

b) Incorrect.

c) Incorrect.

d) Incorrect.

Q15. Answer
a) Incorrect.

b) Correct. VLAN hopping is a method of attacking networked resources on a Virtual LAN (VLAN) by
getting traffic from one VLAN into another. Switch spoofing tricks the switch into forming a trunk
with the attacker's port, for example by negotiating DTP, after which the attacker can tag traffic
for any VLAN. Double tagging nests a second 802.1Q tag: the first switch strips the outer tag
because it matches the native VLAN of the trunk, and the next switch forwards the frame into the
VLAN named by the inner tag. Both are mitigated by forcing user-facing ports into access mode with
trunk negotiation disabled and by using a dedicated, tagged native VLAN on trunks.

c) Incorrect.

d) Incorrect.
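A detection-side view of the two threats the question names, as an added Python example that is not part of the course book: it walks the 802.1Q tag stack of an Ethernet frame and classifies frames seen on an access port, where no tag is legitimate and the double-tagging frame (outer tag equal to the trunk's native VLAN, inner tag the target VLAN) stands out. The MAC addresses and payload are constructed, and the classification labels are this example's own.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service-provider (QinQ) outer tag
ETHERTYPE_IPV4 = 0x0800
TAG_ETHERTYPES = (ETHERTYPE_8021Q, ETHERTYPE_8021AD)


def build_frame(dst: bytes, src: bytes, vlan_ids, ethertype: int = ETHERTYPE_IPV4,
                payload: bytes = b"") -> bytes:
    """Build an Ethernet frame with zero or more 802.1Q tags, outermost first.

    Only a helper for constructing test frames, not a packet-crafting library.
    """
    frame = dst + src
    for vid in vlan_ids:
        # TCI with PCP=0 and DEI=0: the VLAN ID occupies the low 12 bits
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame: bytes):
    """Walk the tag stack; return (VLAN IDs outermost first, the inner EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    tags = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 6:  # tag EtherType + TCI + the next EtherType
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return tags, ethertype


def classify_access_port_frame(frame: bytes, native_vlan: int) -> str:
    """Classify a frame received on an access port, where no tag is ever legitimate.

    'ok'             untagged, the only thing an access port should see
    'tagged'         one tag: a host trying to inject into a specific VLAN
    'double-tagged'  two or more tags with the trunk's native VLAN outermost:
                     the classic double-tagging VLAN hopping frame
    'multi-tagged'   two or more tags whose outer tag is not the native VLAN
    """
    tags, _ = parse_vlan_tags(frame)
    if not tags:
        return "ok"
    if len(tags) == 1:
        return "tagged"
    return "double-tagged" if tags[0] == native_vlan else "multi-tagged"


if __name__ == "__main__":
    attacker = bytes.fromhex("0242ac110002")   # constructed MAC addresses
    victim = bytes.fromhex("0242ac110010")
    hop = build_frame(victim, attacker, [1, 20], payload=b"constructed payload")
    print(parse_vlan_tags(hop))                            # ([1, 20], 2048)
    print(classify_access_port_frame(hop, native_vlan=1))  # double-tagged
```

The port configuration that the question alludes to is the converse of this check: an access port that never trunks cannot be switch-spoofed, and a trunk whose native VLAN is unused and tagged never strips the outer tag, so the inner tag is never exposed to the next hop.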

Q16. Answer
a) Incorrect.

b) Incorrect.

c) Correct. Hardware virtualization emulates devices for each guest, and each guest runs its own
kernel; containers share the single host kernel and are isolated by kernel controls (namespaces,
resource limits and system call filtering) rather than by emulated hardware.

d) Incorrect.


Q17. Answer
a) Incorrect.

b) Correct. Business continuity includes three main elements: Resilience, Recovery, and
Contingency.

c) Correct. Business continuity includes three main elements: Resilience, Recovery, and
Contingency.

d) Correct. Business continuity includes three main elements: Resilience, Recovery, and
Contingency.

e) Incorrect.

Q18. Answer
a) Incorrect.

b) Incorrect.

c) Correct. Integrity is the assurance that data has not been altered, accidentally or deliberately,
so that the message received is the message that was sent. Confidentiality, integrity and
availability, also known as the CIA triad, form a model designed to guide policies for information
security within an organization. The elements of the triad are considered the three most crucial
components of security. The separate concept that reflects the assurance that someone cannot deny
something is called non-repudiation. Typically, non-repudiation refers to the ability to ensure
that a party to a contract or a communication cannot deny the authenticity of their signature on
a document or the sending of a message that they originated.

d) Incorrect.
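Integrity in practice, as an added Python example that is not part of the course book: the receiver recomputes a message authentication code under a key shared with the sender, so any change to the message in transit fails verification. The key and the message are constructed. Note what this does not give: because both parties hold the same key, either of them could have produced the tag, so the sender can still deny having sent the message; non-repudiation needs an asymmetric signature under a key that only the sender holds.

```python
import hashlib
import hmac
import secrets


def tag_message(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    False means the message or the tag was altered in transit, or the tag was
    produced under a different key.
    """
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Alter a single bit, as a noisy link or an attacker might."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # shared by sender and receiver
    msg = b"transfer 100.00 EUR to account 1234"        # constructed sample message
    tag = tag_message(key, msg)
    print(verify_message(key, msg, tag))                    # True
    print(verify_message(key, flip_bit(msg, 3), tag))       # False: one bit of the message changed
    print(verify_message(secrets.token_bytes(32), msg, tag))  # False: tag made under another key
```

The constant-time comparison matters as much as the MAC itself: a byte-by-byte compare that stops at the first mismatch leaks, through timing, how many leading bytes of a forged tag are right.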

Q19. Answer
a) Incorrect.

b) Correct. The Risk Assessment methodology for cloud comprises nine steps:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendation
9. Results Documentation

c) Incorrect.

d) Incorrect.


Q20. Answer
a) Incorrect.

b) Incorrect.

c) Incorrect.

d) Correct. Security Incident Management includes developing a response policy and drafting
security event scenarios to test the incident response process. In the cloud, incident response
includes:
● Managing incident investigations in a virtualized environment
● Limiting incident spill over to multiple cloud tenants
● Handling complicated troubleshooting due to continuous environment changes
Managing access to appropriate levels of data is an access control activity, not an incident
management one.

Q21. Answer
a) Incorrect.

b) Incorrect.

c) Correct. In SOA, all services are discoverable from a SOA registry/repository whereas in API
management, all services are discoverable from a portal.

d) Incorrect.

Q22. Answer
a) Incorrect.

b) Correct. VM Escape is the process of breaking out of a virtual machine and interacting with the
host operating system.

VM hopping allows an attacker to move from one virtual server to compromise another virtual
server on the same physical hardware. VM theft is the ability to steal a virtual machine
file electronically, which can then be mounted and run elsewhere. Hyperjacking involves
subverting the hypervisor or inserting a rogue hypervisor.
c) Incorrect.

d) Incorrect.

Q23. Answer
a) Incorrect.

b) Correct. For a multi-site solution, the data replication method that you employ will be determined
by the recovery point objective (RPO) you choose.

c) Incorrect.

d) Incorrect.


Q24. Answer
a) Incorrect.

b) Incorrect.

c) Incorrect.

d) Correct. Resilience refers to critical business functions and the supporting infrastructure that
are designed in such a way that they are materially unaffected by most disruptions.

Q25. Answer
a) Incorrect.

b) Incorrect.

c) Correct. National Institute of Standards and Technology (NIST) provides a globally accepted
Cloud Computing Reference Architecture.

d) Incorrect.
