Professional Cloud Security Manager - Mock Exam
Q1. How many tiers should an Information Security Continuous Monitoring (ISCM) program (as per NIST SP 800-137) have?
a) 2 – Tier 1 (Organization Business Processes), Tier 2 (Cloud Computing Strategy Implementation)
c) 3 – Tier 1 (Organization Business Processes), Tier 2 (ISCM Strategy), Tier 3 (Cloud Computing Strategy Implementation)
Q2. Cloud services (such as IaaS, PaaS, and SaaS) can be delivered by several models.
a) Private cloud
b) Community cloud
c) Hybrid cloud
d) Shared cloud
e) Social cloud
Q5. Consider the context of data center availability and physical security.
a) Tier I
b) Tier II
c) Tier III
d) Tier IV
Q6. What is a device that safeguards and manages digital keys for strong authentication
along with providing crypto processing called?
a) Hardware Security Module (HSM)
b) Better service stability, lower complexity, better security, and ease of deployment
Q8. Consider the replication schemes and active costs, such as electricity and network
bandwidth.
a) Online Backup
Q9. What allows an organization and cloud provider to trust and share digital identities?
a) Federated Identity
c) Multi-factor Authentication
d) Tokenization
Q10. A new e-commerce application (predicted to deliver 70% of the company's revenue) is being developed and will be hosted on IaaS and PaaS with a well-known public cloud provider. The application will process personal data and orders, and will also take payment details for processing by external payment processing companies.
With regard to data security, what should not be a key concern of the security manager?
a) Ability of the application to handle the increase in number of users after a certain limit
d) Personal Identifiable Data of persons from outside US, stored in the US data centers
e) Payment processing not fully outsourced, hence the system in the full scope of PCI DSS
Q11. The Heartbleed bug in the OpenSSL was open to which of the following attacks?
a) Brute-force of the cryptographic keys used to encrypt network transmission
c) Network snooping attack with a side channel for decryption of the encrypted traffic
d) Private memory (RAM) read attack that could reveal private or session keys
Q12. What would typically be the responsibility of a cloud customer security operations team?
a) Facilities, Network infrastructure, Hypervisor security
Q13. Which of the following statements correctly depicts the use of a Concept of Operations
(CONOP) document?
a) It is a mandatory document required by an ISO 27001 related to security operations.
c) It helps an organization to document in plain language what is required and what should be
built for an information system.
Q14. Due diligence is the investigation process carried out before committing to a contractual agreement for cloud services. As part of the process, it is recommended to use a step-by-step approach or a checklist/plan that helps to look into the small details.
Which plan needs to be part of the due diligence process and has in its scope all the services to be migrated to the cloud?
a) Transition Plan
b) Project Plan
c) Migration Plan
d) Implementation Plan
Q15. Network isolation is an important factor to establish a cloud infrastructure and hardening
process. The networking devices need to be configured with proper port configurations
to mitigate the switch spoofing and double tagging threats.
a) VM Theft
b) VLAN Hopping
c) VM Hopping
d) VLAN Escape
Q16. A container is a form of operating system virtualization that is more efficient than typical hardware virtualization. Containers can be used as an alternative to OS-level virtualization to run multiple isolated systems on a single host; however, there are differences in the characteristics of virtualization and containers.
c) Emulation of devices
d) Single kernel
Q17. Business continuity is a key component of any IT, security, and cloud strategy.
a) Availability
b) Contingency
c) Resilience
d) Recovery
e) Scalability
Q18. What provides assurance that the message received has not lost its original form?
a) Authentication
b) Confidentiality
c) Integrity
d) Non-Repudiation
a) First
b) Second
c) Third
d) Fourth
Q22. Which attack vector allows an attacker to break out of a Virtual Machine (VM) and interact with the host operating system?
a) Hyperjacking
b) VM Escape
c) VM Hopping
d) VM Theft
Q23. Cloud is a very effective enabler for disaster recovery and business continuity. For a multi-site solution, what would help to identify the data replication method to use with regard to disaster recovery?
a) RTO
b) RPO
c) Multi-Site Active-Active
Q24. Critical business functions and the supporting infrastructure should be unaffected by
most disruptions.
a) Availability
b) Contingency
c) Recovery
d) Resilience
Q25. Which organization has provided a globally accepted Cloud Computing Reference
Architecture?
a) Carnegie Mellon University
Q1. Answer:
a) IaaS
Q2. Answer:
a) Risks, Risks
Q3. Answer:
b) Control Analysis
Data stored and accessed through ERP application Private and confidential
Sample Answer
Two examples of factors that would be included in a monitoring program are given:
Scenario 1: The SLA states that the service provider provides two full backups in a monthly cycle. As part of the continuous monitoring practice, the monitoring program should keep track of whether two backup files are added each month. If the number of backup files drops to one or fewer, the monitoring tool needs to raise an alert.
Scenario 2: In the context of availability, continuous monitoring needs to be integrated and performed from both the consumer and the provider side. As the service is accessed through the Internet, there can be many reasons for unavailability. Hence, to track unavailability and its cause, continuous monitoring is required at both ends.
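The Scenario 1 check above, written out as a small monitoring routine. This is an added example, not part of the mock exam or its answer key; the backup records, the field layout (date, backup type, status) and the function names are all constructed for illustration. It also handles a case the scenario only implies: a month with no backup records at all must still raise an alert, so the months to check are passed in explicitly rather than derived from the records.

```python
"""Continuous-monitoring check for an SLA term of two full backups per month.

Added example (not from the exam). The backup records are constructed sample
data in the shape a monitoring tool might ingest from a provider's backup
report; a failed run and an incremental backup are included to show that
neither satisfies the 'full backup' term of the SLA.
"""
from collections import Counter
from datetime import date

# SLA term from Scenario 1: two full backups per monthly cycle.
REQUIRED_FULL_BACKUPS_PER_MONTH = 2

# Constructed sample records: (backup date, backup type, completion status).
SAMPLE_BACKUP_RECORDS = [
    (date(2024, 1, 3), "full", "completed"),
    (date(2024, 1, 17), "full", "completed"),
    (date(2024, 2, 2), "full", "completed"),
    (date(2024, 2, 16), "full", "failed"),          # failed run does not count
    (date(2024, 3, 5), "incremental", "completed"),  # not a full backup
    (date(2024, 3, 19), "full", "completed"),
]

# Months the monitoring window covers. April has no records at all, which a
# record-driven count would silently miss.
MONITORING_WINDOW = [(2024, 1), (2024, 2), (2024, 3), (2024, 4)]


def count_full_backups(records):
    """Return a Counter mapping (year, month) to completed full backups."""
    counts = Counter()
    for backup_date, kind, status in records:
        if kind == "full" and status == "completed":
            counts[(backup_date.year, backup_date.month)] += 1
    return counts


def backup_sla_alerts(records, months, required=REQUIRED_FULL_BACKUPS_PER_MONTH):
    """Return (year, month, observed_count) for every month below the SLA.

    Iterating over the expected months, not over the records, ensures that a
    month in which the provider delivered nothing still produces an alert.
    """
    counts = count_full_backups(records)
    alerts = []
    for year, month in months:
        observed = counts.get((year, month), 0)
        if observed < required:
            alerts.append((year, month, observed))
    return alerts


if __name__ == "__main__":
    for year, month, observed in backup_sla_alerts(SAMPLE_BACKUP_RECORDS, MONITORING_WINDOW):
        print(f"ALERT {year}-{month:02d}: {observed} full backups, "
              f"SLA requires {REQUIRED_FULL_BACKUPS_PER_MONTH}")
```

Run as-is, the script alerts on February (one completed full backup), March (the incremental run does not count) and April (no records). The same shape of check, counting observed events against an SLA-derived threshold per period, applies to any contractual term that can be expressed as a count.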
Q1. Answer:
d) VM Theft
Q2. Answer:
a) SDN
Q3. Answer:
a) VM Hopping
Sample Answer
Consider a manufacturing organization using ERP, BI, and email applications. After classification, the intended RTO and RPO may be represented as:
Mission Critical
● ERP – RTO < 1 minute, RPO < 2 minutes
Business Critical
● Email – RTO < 5 minutes, RPO < 15 minutes
Important
● BI – RTO < 60 minutes, RPO < 30 minutes
Q2. Answer
a) Correct. The recognized models for cloud delivery are private cloud, community cloud, public
cloud, and hybrid cloud.
b) Correct. The recognized models for cloud delivery are private cloud, community cloud, public
cloud, and hybrid cloud.
c) Correct. The recognized models for cloud delivery are private cloud, community cloud, public
cloud, and hybrid cloud.
d) Incorrect.
e) Incorrect.
Q3. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
d) Correct. Hybrid cloud is a composition of two or more distinct cloud infrastructures, such as private, public, and community; it can have both trusted and untrusted users. The provider and the consumer share the management responsibility and ownership. Hybrid cloud uses a combination of on-premise and off-premise infrastructure.
Q4. Answer
a) Incorrect.
b) Incorrect.
c) Correct. Some of the security risks within a multi-tenancy design are:
1. Inadequate logical security controls
2. Malicious or ignorant tenants
3. Shared services can become a single point of failure
4. Uncoordinated change controls and misconfigurations
5. Commingled tenant data
d) Incorrect.
Q5. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
d) Correct. Tier I is composed of a single path for power and cooling distribution, without redundant components, providing 99.671% availability. Tier II is composed of a single path for power and cooling distribution, with redundant components, providing 99.741% availability. Tier III is composed of multiple power and cooling distribution paths (with only one path active), has redundant components, and is concurrently maintainable, providing 99.982% availability. Tier IV is composed of multiple active power and cooling distribution paths, has redundant components, and is fault tolerant, providing 99.995% availability.
Q6. Answer
a) Correct. A file server might be a dedicated network-attached storage (NAS) device that also serves as a remote hard disk drive for other computers, allowing anyone on the network to store files on it as if to their own hard drive. A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
b) Incorrect.
c) Incorrect.
d) Incorrect.
Q7. Answer
a) Correct. The principle of least privilege provides better service stability, better service
security, and ease of deployment for the applications.
b) Incorrect.
c) Incorrect.
d) Incorrect.
Q8. Answer
a) Incorrect.
b) Incorrect.
c) Correct. For warm-site disaster recovery, data is kept at the warm site by either asynchronous or synchronous replication schemes. In this recovery solution, hardware is duplicated, but active costs such as electricity and network bandwidth are lower during normal operation, which provides cost-benefit advantages.
d) Incorrect.
Q9. Answer
a) Correct. Federated Identity allows the organization and cloud provider to trust and share digital identities and attributes across both domains, and provides a means for single sign-on.
b) Incorrect.
c) Incorrect.
d) Incorrect.
Q10. Answer
a) Correct. The data strategy should incorporate an approach that addresses compliance
requirements and actual security threats. Leading practices should include securing
sensitive data, establishing appropriate separation of duties between IT operations and IT
security, ensuring that the use of cloud data conforms to existing enterprise policies, as well
as strong key management and strict access policies. An effective cloud security solution
should incorporate three key capabilities:
● Data lockdown
● Access policies
● Security intelligence
b) Incorrect.
c) Incorrect.
d) Incorrect.
e) Incorrect.
Q11. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
Q12. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
d) Correct. The cloud operations security team is responsible for the following:
● Operating system
● Application
● Account management
● Security roles
● Network configuration
Q13. Answer
a) Incorrect.
b) Incorrect.
d) Incorrect.
Q14. Answer
a) Correct. The due diligence process includes a short-term/long-term transition plan.
b) Incorrect.
c) Incorrect.
d) Incorrect.
Q15. Answer
a) Incorrect.
c) Incorrect.
d) Incorrect.
Q16. Answer
a) Incorrect.
b) Incorrect.
d) Incorrect.
Q17. Answer
a) Incorrect.
b) Correct. Business continuity includes three main elements: Resilience, Recovery, and
Contingency.
c) Correct. Business continuity includes three main elements: Resilience, Recovery, and
Contingency.
d) Correct. Business continuity includes three main elements: Resilience, Recovery, and
Contingency.
e) Incorrect.
Q18. Answer
a) Incorrect.
b) Incorrect.
c) Correct. Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. The elements of the triad are considered the three most crucial components of security. However, the concept that reflects the assurance that someone cannot deny something is called non-repudiation. Typically, non-repudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
d) Incorrect.
Q19. Answer
a) Incorrect.
b) Correct. The Risk Assessment methodology for cloud comprises nine steps:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendation
9. Results Documentation
c) Incorrect.
d) Incorrect.
Q20. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
d) Correct. Security Incident Management includes developing a response policy and drafting security event scenarios to test the incident response process. The security incident response includes:
Q21. Answer
a) Incorrect.
b) Incorrect.
c) Correct. In SOA, all services are discoverable from an SOA registry/repository, whereas in API management, all services are discoverable from a portal.
d) Incorrect.
Q22. Answer
a) Incorrect.
b) Correct. VM Escape is the process of breaking out of a virtual machine and interacting with the host operating system.
VM hopping allows an attacker to move from one virtual server to compromise other virtual servers on the same physical hardware. VM theft is the ability to steal a virtual machine file electronically, which can then be mounted and run elsewhere. Hyperjacking involves subverting the hypervisor or inserting a rogue hypervisor.
c) Incorrect.
d) Incorrect.
Q23. Answer
a) Incorrect.
b) Correct. For a multi-site solution, the data replication method that you employ will be determined by the recovery point objective (RPO) you choose.
c) Incorrect.
d) Incorrect.
Q24. Answer
a) Incorrect.
b) Incorrect.
c) Incorrect.
d) Correct. Resilience refers to critical business functions and the supporting infrastructure being designed in such a way that they are materially unaffected by most disruptions.
Q25. Answer
a) Incorrect.
b) Incorrect.
c) Correct. The National Institute of Standards and Technology (NIST) provides a globally accepted Cloud Computing Reference Architecture.
d) Incorrect.