CCSK

The document contains a series of questions and answers related to the Certificate of Cloud Security Knowledge (CCSK) certification, covering various topics in cloud security. It includes 117 questions with answers, focusing on concepts such as resource pooling, data loss prevention, and the responsibilities of cloud providers. Additionally, it provides links for more information and support related to the CCSK certification.


Cloud Security Alliance

CCSK
Certificate Of Cloud Security Knowledge

Questions and Answers (PDF)

For More Information - Visit: https://www.certkillers.net/

Additional Features:
- 90 Days Free Updates
- Instant Download
- 24/7 Live Chat Support
Visit us at https://www.certkillers.net/ccsk/

Total Questions: 117
Latest Version: 8.0

Question: 1
What is resource pooling?

A. The provider’s computing resources are pooled to serve multiple consumers.
B. Internet-based CPUs are pooled to enable multi-threading.
C. The dedicated computing resources of each client are pooled together in a colocation facility.
D. Placing Internet (“cloud”) data centers near multiple sources of energy, such as hydroelectric
dams.
E. None of the above.

Answer: A

Question: 2
Your SLA with your cloud provider ensures continuity for all services.

A. False
B. True

Answer: A

Question: 3
Which of the following is NOT normally a method for detecting and preventing data migration into the cloud?

A. Intrusion Prevention System
B. URL filters
C. Data Loss Prevention
D. Cloud Access and Security Brokers (CASB)
E. Database Activity Monitoring

Visit us at https://www.certschief.com/ccsk/
Answer: A

Question: 4
In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the customers?

A. Multi-application, single tenant environments
B. Long distance relationships
C. Multi-tenant environments
D. Distributed computing arrangements
E. Single tenant environments

Answer: C

Question: 5
ENISA: Lock-in is ranked as a high risk in ENISA research. A key underlying vulnerability causing lock-in is:

A. Lack of completeness and transparency in terms of use
B. Lack of information on jurisdictions
C. No source escrow agreement
D. Unclear asset ownership
E. Audit or certification not available to customers

Answer: A

Question: 6
What is the best way to ensure that all data has been removed from a public cloud environment, including all media such as back-up tapes?

A. Allowing the cloud provider to manage your keys so that they have the ability to access and
delete the data from the main and back-up storage.
B. Maintaining customer managed key management and revoking or deleting keys from the key
management system to prevent the data from being accessed again.
C. Practice Integration of Duties (IOD) so that everyone is able to delete the encrypted data.
D. Keep the keys stored on the client side so that they are secure and so that the users have the
ability to delete their own data.
E. Both B and D.

Answer: B

Question: 7
ENISA: A reason for risk concerns of a cloud provider being acquired is:

A. Arbitrary contract termination by acquiring company
B. Resource isolation may fail
C. Provider may change physical location
D. Mass layoffs may occur
E. Non-binding agreements put at risk

Answer: E

Question: 8
Which communication methods within a cloud environment must be exposed for partners or consumers to access database information using a web application?

A. Software Development Kits (SDKs)
B. Resource Description Framework (RDF)
C. Extensible Markup Language (XML)
D. Application Binary Interface (ABI)
E. Application Programming Interface (API)

Answer: E

Question: 9
A cloud deployment of two or more unique clouds is known as:

A. Infrastructures as a Service
B. A Private Cloud
C. A Community Cloud
D. A Hybrid Cloud
E. Jericho Cloud Cube Model

Answer: C

Question: 10
ENISA: Which is not one of the five key legal issues common across all scenarios:

A. Data protection
B. Professional negligence
C. Globalization
D. Intellectual property
E. Outsourcing services and changes in control

Answer: C

Question: 11
ENISA: An example high risk role for malicious insiders within a Cloud Provider includes

A. Sales
B. Marketing
C. Legal counsel
D. Auditors
E. Accounting

Answer: D

Question: 12
What are the primary security responsibilities of the cloud provider in the management infrastructure?

A. Building and properly configuring a secure network infrastructure
B. Configuring second factor authentication across the network
C. Properly configuring the deployment of the virtual network, especially the firewalls
D. Properly configuring the deployment of the virtual network, except the firewalls
E. Providing as many API endpoints as possible for custom access and configurations

Answer: D

Question: 13
What is true of a workload?

A. It is a unit of processing that consumes memory
B. It does not require a hardware stack
C. It is always a virtual machine
D. It is configured for specific, established tasks
E. It must be containerized

Answer: A

Question: 14
ENISA: Which is a potential security benefit of cloud computing?

A. More efficient and timely system updates
B. ISO 27001 certification
C. Provider can obfuscate system O/S and versions
D. Greater compatibility with customer IT infrastructure
E. Lock-In

Answer: A

Question: 15
The Software Defined Perimeter (SDP) includes which components?

A. Client, Controller, and Gateway
B. Client, Controller, Firewall, and Gateway
C. Client, Firewall, and Gateway
D. Controller, Firewall, and Gateway
E. Client, Controller, and Firewall

Answer: A

Question: 16
Which cloud security model type provides generalized templates for helping implement cloud security?

A. Conceptual models or frameworks
B. Design patterns
C. Controls models or frameworks
D. Reference architectures
E. Cloud Controls Matrix (CCM)

Answer: D

Question: 17
Select the statement below which best describes the relationship between identities and attributes.

A. Attributes belong to entities and identities belong to attributes. Each attribute can have multiple identities but only one entity.
B. An attribute is a unique object within a database. Each attribute has a number of identities which help define its parameters.
C. An identity is a distinct and unique object within a particular namespace. Attributes are properties which belong to an identity. Each identity can have multiple attributes.
D. Attributes are made unique by their identities.
E. Identities are the network names given to servers. Attributes are the characteristics of each server.

Answer: D

Question: 18
What is a potential concern of using Security-as-a-Service (SecaaS)?

A. Lack of visibility
B. Deployment flexibility
C. Scaling and costs
D. Intelligence sharing
E. Insulation of clients

Answer: A

Question: 19
How should an SDLC be modified to address application security in a Cloud Computing environment?

A. Integrated development environments
B. Updated threat and trust models
C. No modification is needed
D. Just-in-time compilers
E. Both B and C

Answer: A

Question: 20
Which governance domain focuses on proper and adequate incident detection, response, notification, and remediation?

A. Data Security and Encryption
B. Information Governance
C. Incident Response, Notification and Remediation
D. Compliance and Audit Management
E. Infrastructure Security

Answer: C

Question: 21
Which opportunity helps reduce common application security issues?

A. Elastic infrastructure
B. Default deny
C. Decreased use of micro-services
D. Segregation by default
E. Fewer serverless configurations

Answer: A

Question: 22
What is the most significant security difference between traditional infrastructure and cloud computing?

A. Management plane
B. Intrusion detection options
C. Secondary authentication factors
D. Network access points
E. Mobile security configuration options

Answer: A

Question: 23
A security failure at the root network of a cloud provider will not compromise the security of all customers because of multitenancy configuration.

A. False
B. True

Answer: A

Question: 24
When investigating an incident in an Infrastructure as a Service (IaaS) environment, what can the user investigate on their own?

A. The CSP server facility
B. The logs of all customers in a multi-tenant cloud
C. The network components controlled by the CSP
D. The CSP office spaces
E. Their own virtual instances in the cloud

Answer: E

Question: 25
If in certain litigations and investigations, the actual cloud application or environment itself is relevant to resolving the dispute in the litigation or investigation, how is the information likely to be obtained?

A. It may require a subpoena of the provider directly
B. It would require a previous access agreement
C. It would require an act of war
D. It would require a previous contractual agreement to obtain the application or access to the environment
E. It would never be obtained in this situation

Answer: D

Question: 26
The containment phase of the incident response lifecycle requires taking systems offline.

A. False
B. True

Answer: B

Question: 27
What are the primary security responsibilities of the cloud provider in compute virtualizations?

A. Enforce isolation and maintain a secure virtualization infrastructure
B. Monitor and log workloads and configure the security settings
C. Enforce isolation and configure the security settings
D. Maintain a secure virtualization infrastructure and configure the security settings
E. Enforce isolation and monitor and log workloads

Answer: A

Question: 28
What should every cloud customer set up with its cloud service provider (CSP) that can be utilized in the event of an incident?

A. A data destruction plan
B. A communication plan
C. A back-up website
D. A spill remediation kit
E. A rainy day fund

Answer: B

Question: 29
Audits should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards. They should also use what type of auditors?

A. Auditors working in the interest of the cloud customer
B. Independent auditors
C. Certified by CSA
D. Auditors working in the interest of the cloud provider
E. None of the above

Answer: B

Question: 30
Which of the following statements is true with regard to Data Loss Prevention (DLP)?

A. DLP can provide options for quickly deleting all of the data stored in a cloud environment.
B. DLP can classify all data in a storage repository.
C. DLP never provides options for how data found in violation of a policy can be handled.
D. DLP can provide options for where data is stored.
E. DLP can provide options for how data found in violation of a policy can be handled.

Answer: E

Question: 31
CCM: The Architectural Relevance column in the CCM indicates the applicability of the cloud security control to which of the following elements?

A. Service Provider or Tenant/Consumer
B. Physical, Network, Compute, Storage, Application or Data
C. SaaS, PaaS or IaaS

Answer: C

Question: 32
For third-party audits or attestations, what is critical for providers to publish and customers to evaluate?

A. Scope of the assessment and the exact included features and services for the assessment
B. Provider infrastructure information including maintenance windows and contracts
C. Network or architecture diagrams including all end point security devices in use
D. Service-level agreements between all parties
E. Full API access to all required services

Answer: C

Question: 33
When mapping functions to lifecycle phases, which functions are required to successfully process data?

A. Create, Store, Use, and Share
B. Create and Store
C. Create and Use
D. Create, Store, and Use
E. Create, Use, Store, and Delete

Answer: A

Question: 34
When designing an encryption system, you should start with a threat model.

A. False
B. True

Answer: B

Question: 35
Which of the following is one of the five essential characteristics of cloud computing as defined by NIST?

A. Multi-tenancy
B. Nation-state boundaries
C. Measured service
D. Unlimited bandwidth
E. Hybrid clouds

Answer: C

Question: 36
What type of information is contained in the Cloud Security Alliance's Cloud Control Matrix?

A. Network traffic rules for cloud environments
B. A number of requirements to be implemented, based upon numerous standards and regulatory requirements
C. Federal legal business requirements for all cloud operators
D. A list of cloud configurations including traffic logic and efficient routes
E. The command and control management hierarchy of typical cloud company

Answer: B

Question: 37
Vulnerability assessments cannot be easily integrated into CI/CD pipelines because of provider restrictions.

A. False
B. True

Answer: A

Question: 38
How can key management be leveraged to prevent cloud providers from inappropriately accessing customer data?

A. Use strong multi-factor authentication
B. Secure backup processes for key management systems
C. Segregate keys from the provider hosting data
D. Stipulate encryption in contract language
E. Select cloud providers within the same country as customer

Answer: C

Question: 39
CCM: A company wants to use the IaaS offering of some CSP. Which of the following options for using CCM is NOT suitable for the company as a cloud customer?

A. Submit the CCM on behalf of the CSP to CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by CSPs
B. Use CCM to build a detailed list of requirements and controls that they want their CSP to implement
C. Use CCM to help assess the risk associated with the CSP
D. None of the above

Answer: D

Question: 40
If the management plane has been breached, you should confirm the templates/configurations for your infrastructure or applications have not also been compromised.

A. False
B. True

Answer: A

Question: 41
CCM: A hypothetical start-up company called "ABC" provides a cloud based IT management solution. They are growing rapidly and therefore need to put controls in place in order to manage any changes in their production environment. Which of the following Change Control & Configuration Management production environment specific controls should they implement in this scenario?

A. Policies and procedures shall be established for managing the risks associated with applying
changes to business-critical or customer (tenant)-impacting (physical and virtual) applications
and system-
B. Policies and procedures shall be established, and supporting business processes and technical
measures implemented, to restrict the installation of unauthorized software on organizationally-
owned or
C. All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved
for usage and the storage of company business data.
D. None of the above

Answer: A

Question: 42
Containers are highly portable code execution environments.

A. False
B. True

Answer: B

Question: 43
Which statement best describes the Data Security Lifecycle?

A. The Data Security Lifecycle has six stages, is strictly linear, and never varies.
B. The Data Security Lifecycle has six stages, can be non-linear, and varies in that some data may never pass through all stages.
C. The Data Security Lifecycle has five stages, is circular, and varies in that some data may never pass through all stages.
D. The Data Security Lifecycle has six stages, can be non-linear, and is distinct in that data must always pass through all phases.
E. The Data Security Lifecycle has five stages, can be non-linear, and is distinct in that data must always pass through all phases.

Answer: B

Question: 44
Which of the following encryption methods would be utilized when object storage is used as the back-end for an application?

A. Database encryption
B. Media encryption
C. Asymmetric encryption
D. Object encryption
E. Client/application encryption

Answer: E

Question: 45
In the Software-as-a-service relationship, who is responsible for the majority of the security?

A. Application Consumer
B. Database Manager
C. Application Developer
D. Cloud Provider
E. Web Application CISO

Answer: D

Question: 46
What method can be utilized along with data fragmentation to enhance security?

A. Encryption
B. Organization
C. Knowledge management
D. IDS
E. Insulation

Answer: E

Question: 47
Which of the following statements best defines "authorization" as a component of identity, entitlement, and access management?

A. The process of specifying and maintaining access policies
B. Checking data storage to make sure it meets compliance requirements
C. Giving a third party vendor permission to work on your cloud solution
D. Establishing/asserting the identity to the application
E. Enforcing the rules by which access is granted to the resources

Answer: D

Question: 48
How can web security as a service be deployed for a cloud consumer?

A. By proxying or redirecting web traffic to the cloud provider
B. By utilizing a partitioned network drive
C. On the premise through a software or appliance installation
D. Both A and C
E. None of the above

Answer: A

Question: 49
When configured properly, logs can track every code, infrastructure, and configuration change and connect it back to the submitter and approver, including the test results.

A. False
B. True

Answer: B

Question: 50
Which of the following is NOT an essential characteristic of cloud computing?

A. Broad Network Access
B. Measured Service
C. Third Party Service
D. Rapid Elasticity
E. Resource Pooling

Answer: C

Question: 51
Without virtualization, there is no cloud.

A. False
B. True

Answer: B

Question: 52
All assets require the same continuity in the cloud.

A. False
B. True

Answer: A

Question: 53
Which type of application security testing tests running applications and includes tests such as web vulnerability testing and fuzzing?

A. Code Review
B. Static Application Security Testing (SAST)
C. Unit Testing
D. Functional Testing
E. Dynamic Application Security Testing (DAST)

Answer: E

Question: 54
CCM: The Cloud Service Delivery Model Applicability column in the CCM indicates the applicability of the cloud security control to which of the following elements?

A. Mappings to well-known standards and frameworks
B. Service Provider or Tenant/Consumer
C. Physical, Network, Compute, Storage, Application or Data
D. SaaS, PaaS or IaaS

Answer: D

Question: 55
Any given processor and memory will nearly always be running multiple workloads, often from different tenants.

A. False
B. True

Answer: B

Question: 56
In which deployment model should the governance strategy consider the minimum common set of controls comprised of the Cloud Service Provider contract and the organization's internal governance agreements?

A. Public
B. PaaS
C. Private
D. IaaS
E. Hybrid

Answer: E

Question: 57
What is known as the interface used to connect with the metastructure and configure the cloud environment?

A. Administrative access
B. Management plane
C. Identity and Access Management
D. Single sign-on
E. Cloud dashboard

Answer: B

Question: 58
What does it mean if the system or environment is built automatically from a template?

A. Nothing.
B. It depends on how the automation is configured.
C. Changes made in production are overwritten by the next code or template change.
D. Changes made in test are overwritten by the next code or template change.
E. Changes made in production are untouched by the next code or template change.

Answer: D

Question: 59
CCM: Cloud Controls Matrix (CCM) is a completely independent cloud assessment toolkit that does not map any existing standards.

A. True
B. False

Answer: B

Question: 60
Which of the following statements best describes an identity federation?

A. A library of data definitions
B. A group of entities which have decided to exist together in a single
C. Identities which share similar attributes
D. Several countries which have agreed to define their identities with
E. The connection of one identity repository to another

Answer: E

Question: 61
What is a core tenant of risk management?

A. The provider is accountable for all risk management.
B. You can manage, transfer, accept, or avoid risks.
C. The consumers are completely responsible for all risk.
D. If there is still residual risk after assessments and controls are in
E. Risk insurance covers all financial losses, including loss of

Answer: B

Question: 62
What can be implemented to help with account granularity and limit blast radius with IaaS and PaaS?

A. Configuring secondary authentication
B. Establishing multiple accounts
C. Maintaining tight control of the primary account holder credentials
D. Implementing least privilege accounts
E. Configuring role-based authentication

Answer: B

Question: 63
What are the encryption options available for SaaS consumers?

A. Any encryption option that is available for volume storage, object storage, or PaaS
B. Provider-managed and (sometimes) proxy encryption
C. Client/application and file/folder encryption
D. Object encryption Volume storage encryption

Answer: B

Question: 64
In the cloud provider and consumer relationship, which entity manages the virtual or abstracted infrastructure?

A. Only the cloud consumer
B. Only the cloud provider
C. Both the cloud provider and consumer
D. It is determined in the agreement between the entities
E. It is outsourced as per the entity agreement

Answer: C

Question: 65
Which term describes any situation where the cloud consumer does not manage any of the underlying hardware or virtual machines?

A. Serverless computing
B. Virtual machineless
C. Abstraction
D. Container
E. Provider managed

Answer: A

Question: 66
All cloud services utilize virtualization technologies.

A. False
B. True

Answer: B

Question: 67
If there are gaps in network logging data, what can you do?

A. Nothing. There are simply limitations around the data that can be logged in the cloud.
B. Ask the cloud provider to open more ports.
C. You can instrument the technology stack with your own logging.
D. Ask the cloud provider to close more ports.
E. Nothing. The cloud provider must make the information available.

Answer: C

Question: 68
CCM: In the CCM tool, a ________ is a measure that modifies risk and includes any process, policy, device, practice or any other actions which modify risk.

A. Risk Impact
B. Domain
C. Control Specification

Answer: C

Question: 69
Who is responsible for the security of the physical infrastructure and virtualization platform?

A. The cloud consumer
B. The majority is covered by the consumer
C. It depends on the agreement
D. The responsibility is split equally
E. The cloud provider

Answer: E

Question: 70
What factors should you understand about the data specifically due to legal, regulatory, and jurisdictional factors?

A. The physical location of the data and how it is accessed
B. The fragmentation and encryption algorithms employed
C. The language of the data and how it affects the user
D. The implications of storing complex information on simple storage systems
E. The actual size of the data and the storage format

Answer: D

Question: 71
Which cloud-based service model enables companies to provide client-based access for partners to databases or applications?

A. Platform-as-a-service (PaaS)
B. Desktop-as-a-service (DaaS)
C. Infrastructure-as-a-service (IaaS)
D. Identity-as-a-service (IDaaS)
E. Software-as-a-service (SaaS)

Answer: A

Question: 72
CCM: The following list of controls belongs to which domain of the CCM?
GRM 06 – Policy
GRM 07 – Policy Enforcement
GRM 08 – Policy Impact on Risk Assessments
GRM 09 – Policy Reviews
GRM 10 – Risk Assessments
GRM 11 – Risk Management Framework

A. Governance and Retention Management
B. Governance and Risk Management
C. Governing and Risk Metrics

Answer: B

Question: 73
Which attack surfaces, if any, does virtualization technology introduce?

A. The hypervisor
B. Virtualization management components apart from the hypervisor
C. Configuration and VM sprawl issues
D. All of the above

Answer: D

Question: 74
APIs and web services require extensive hardening and must assume attacks from authenticated and unauthenticated adversaries.

A. False
B. True

Answer: B

Question: 75
Which of the following is NOT a cloud computing characteristic that impacts incident response?

A. The on demand self-service nature of cloud computing environments.
B. Privacy concerns for co-tenants regarding the collection and analysis of telemetry and artifacts associated with an incident.
C. The possibility of data crossing geographic or jurisdictional boundaries.
D. Object-based storage in a private cloud.
E. The resource pooling practiced by cloud services, in addition to the rapid elasticity offered by cloud infrastructures.

Answer: B

Question: 76
Big data includes high volume, high variety, and high velocity.

A. False
B. True

Answer: B

Question: 77
CCM: A hypothetical company called “Health4Sure” is located in the United States and provides cloud based services for tracking patient health. The company is compliant with the HIPAA/HITECH Act among other industry standards. Health4Sure decides to assess the overall security of their cloud service against the CCM toolkit so that they will be able to present this document to potential clients.
Which of the following approaches would be most suitable to assess the overall security posture of Health4Sure’s cloud service?

A. The CCM columns are mapped to the HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with the HIPAA/HITECH Act. They could then assess the remaining controls. This approach will save time.
B. The CCM domain controls are mapped to the HIPAA/HITECH Act and therefore Health4Sure could verify the CCM controls already covered as a result of their compliance with the HIPAA/HITECH Act. They could then assess the remaining controls thoroughly. This approach saves time while being able to assess the company’s overall security posture in an efficient manner.
C. The CCM domains are not mapped to the HIPAA/HITECH Act. Therefore Health4Sure should assess the security posture of their cloud service against each and every control in the CCM. This approach will allow a thorough assessment of the security posture.

Answer: C

Question: 78
A defining set of rules composed of claims and attributes of the entities in a transaction, which is used to determine their level of access to cloud-based resources, is called what?

A. An entitlement matrix
B. A support table
C. An entry log
D. A validation process
E. An access log

Answer: D

Question: 79
Cloud applications can use virtual networks and other structures for hyper-segregated environments.

A. False
B. True

Answer: B

Question: 80
Your cloud and on-premises infrastructures should always use the same network address ranges.

A. False
B. True

Answer: A

Question: 81
Which layer is the most important for securing because it is considered to be the foundation for secure cloud operations?

A. Infrastructure
B. Datastructure
C. Infostructure
D. Applistructure
E. Metastructure

Answer: A

Question: 82
Why is a service type of network typically isolated on different hardware?

A. It requires distinct access controls
B. It manages resource pools for cloud consumers
C. It has distinct functions from other networks
D. It manages the traffic between other networks
E. It requires unique security

Answer: D

Question: 83
Which governance domain deals with evaluating how cloud computing affects compliance with internal security policies and various legal requirements, such as regulatory and legislative?

A. Legal Issues: Contracts and Electronic Discovery
B. Infrastructure Security
C. Compliance and Audit Management
D. Information Governance
E. Governance and Enterprise Risk Management

Answer: C

Question: 84
An important consideration when performing a remote vulnerability test of a cloud-based application is to

A. Obtain provider permission for test
B. Use techniques to evade cloud provider’s detection systems
C. Use application layer testing tools exclusively
D. Use network layer testing tools exclusively
E. Schedule vulnerability test at night

Answer: A

Question: 85
Cloud services exhibit five essential characteristics that demonstrate their relation to, and differences from, traditional computing approaches. Which one of the five characteristics is described as: a consumer can unilaterally provision computing capabilities such as server time and network storage as needed?

A. Rapid elasticity
B. Resource pooling
C. Broad network access
D. Measured service
E. On-demand self-service

Answer: E

Question: 86
REST APIs are the standard for web-based services because they run over HTTPS and work well across diverse environments.

A. False
B. True

Answer: B

Question: 87
Which of the following statements are NOT requirements of governance and enterprise risk management in a cloud environment?

A. Inspect and account for risks inherited from other members of the cloud supply chain and
take active measures to mitigate and contain risks through operational resiliency.
B. Respect the interdependency of the risks inherent in the cloud supply chain and communicate
the corporate risk posture and readiness to consumers and dependent parties.
C. Negotiate long-term contracts with companies who use well-vetted software applications to avoid the transient nature of the cloud environment.
D. Provide transparency to stakeholders and shareholders demonstrating fiscal solvency and
organizational transparency.
E. Both B and C.

Answer: C

Question: 88
What is defined as the process by which an opposing party may obtain private documents for
use in litigation?

A. Discovery
B. Custody
C. Subpoena
D. Risk Assessment
E. Scope

Answer: A

Question: 89
What item below allows disparate directory services and independent security domains to be
interconnected?

A. Coalition
B. Cloud
C. Intersection
D. Union
E. Federation

Answer: E

Question: 90
Use elastic servers when possible and move workloads to new instances.

A. False
B. True

Answer: B

Question: 91
To understand their compliance alignments and gaps with a cloud provider, what must cloud
customers rely on?

A. Provider documentation
B. Provider run audits and reports
C. Third-party attestations
D. Provider and consumer contracts
E. EDiscovery tools

Answer: C

Question: 92
Which of the following is a perceived advantage or disadvantage of managing enterprise risk for
cloud deployments?

A. More physical control over assets and processes.
B. Greater reliance on contracts, audits, and assessments due to lack of visibility or management.
C. Decreased requirement for proactive management of relationship and adherence to contracts.
D. Increased need, but reduction in costs, for managing risks accepted by the cloud provider.
E. None of the above.

Answer: B

Question: 93
Which data security control is the LEAST likely to be assigned to an IaaS provider?

A. Application logic
B. Access controls
C. Encryption solutions
D. Physical destruction
E. Asset management and tracking

Answer: A

Question: 94
How does virtualized storage help avoid data loss if a drive fails?

A. Multiple copies in different locations
B. Drives are backed up, swapped, and archived constantly
C. Full backups weekly
D. Data loss is unavoidable with drive failures
E. Incremental backups daily

Answer: A

Question: 95
What is the newer application development methodology and philosophy focused on
automation of application development and deployment?

A. Agile
B. BusOps
C. DevOps
D. SecDevOps
E. Scrum

Answer: C

Question: 96
Sending data to a provider’s storage over an API is likely to be much more reliable and secure than setting up your own SFTP server on a VM in the same provider.

A. False
B. True

Answer: B

Question: 97
What is true of searching data across cloud environments?

A. You might not have the ability or administrative rights to search or access all hosted data.
B. The cloud provider must conduct the search with the full administrative controls.
C. All cloud-hosted email accounts are easily searchable.
D. Search and discovery time is always factored into a contract between the consumer and provider.
E. You can easily search across your environment using any E-Discovery tool.

Answer: A

Question: 98
How does running applications on distinct virtual networks and only connecting networks as
needed help?

A. It reduces hardware costs
B. It provides dynamic and granular policies with less management overhead
C. It locks down access and provides stronger data security
D. It reduces the blast radius of a compromised system
E. It enables you to configure applications around business groups

Answer: D

Question: 99
How can virtual machine communications bypass network security controls?

A. VM communications may use a virtual network on the same hardware host
B. The guest OS can invoke stealth mode
C. Hypervisors depend upon multiple network interfaces
D. VM images can contain rootkits programmed to bypass firewalls
E. Most network security systems do not recognize encrypted VM traffic

Answer: A

Question: 100
ENISA: “VM hopping” is:

A. Improper management of VM instances, causing customer VMs to be commingled with other customer systems.
B. Looping within virtualized routing systems.
C. Lack of vulnerability management standards.
D. Using a compromised VM to exploit a hypervisor, used to take control of other VMs.
E. Instability in VM patch management causing VM routing errors.

Answer: D

Question: 101
Which concept is a mapping of an identity, including roles, personas, and attributes, to an
authorization?

A. Access control
B. Federated Identity Management
C. Authoritative source
D. Entitlement
E. Authentication

Answer: D

Question: 102
Which concept provides the abstraction needed for resource pools?

A. Virtualization
B. Applistructure
C. Hypervisor
D. Metastructure
E. Orchestration

Answer: A

Question: 103
Network logs from cloud providers are typically flow records, not full packet captures.

A. False
B. True

Answer: B

Question: 104
Select the best definition of “compliance” from the options below.

A. The development of a routine that covers all necessary security measures.
B. The diligent habits of good security practices and recording of the same.
C. The timely and efficient filing of security reports.
D. The awareness and adherence to obligations, including the assessment and prioritization of
corrective actions deemed necessary and appropriate.
E. The process of completing all forms and paperwork necessary to develop a defensible paper
trail.

Answer: D

Question: 105
CCM: In the CCM tool, “Encryption and Key Management” is an example of which of the
following?

A. Risk Impact
B. Domain
C. Control Specification

Answer: B

Question: 106
In volume storage, what method is often used to support resiliency and security?

A. proxy encryption
B. data rights management
C. hypervisor agents
D. data dispersion
E. random placement

Answer: D

Question: 107
What is true of security as it relates to cloud network infrastructure?

A. You should apply cloud firewalls on a per-network basis.
B. You should deploy your cloud firewalls identical to the existing firewalls.
C. You should always open traffic between workloads in the same virtual subnet for better visibility.
D. You should implement a default allow with cloud firewalls and then restrict as necessary.
E. You should implement a default deny with cloud firewalls.

Answer: E

Question: 108
Which statement best describes the impact of Cloud Computing on business continuity
management?

A. A general lack of interoperability standards means that extra focus must be placed on the
security aspects of migration between Cloud providers.
B. The size of data sets hosted at a Cloud provider can present challenges if migration to another
provider becomes necessary.
C. Customers of SaaS providers in particular need to mitigate the risks of application lock-in.
D. Clients need to do business continuity planning due diligence in case they suddenly need to
switch providers.
E. Geographic redundancy ensures that Cloud Providers provide highly available services.

Answer: E

Question: 109
What is known as a code execution environment running within an operating system that shares
and uses the resources of the operating system?

A. Platform-based Workload
B. Pod
C. Abstraction
D. Container
E. Virtual machine

Answer: D

Question: 110
Which term is used to describe the use of tools to selectively degrade portions of the cloud to
continuously test business continuity?

A. Planned Outages
B. Resiliency Planning
C. Expected Engineering
D. Chaos Engineering
E. Organized Downtime

Answer: D

Question: 111
What is true of companies considering a cloud computing business relationship?

A. The laws protecting customer data are based on the cloud provider and customer location
only.
B. The confidentiality agreements between companies using cloud computing services is limited
legally to the company, not the provider.
C. The companies using the cloud providers are the custodians of the data entrusted to them.
D. The cloud computing companies are absolved of all data security and associated risks through
contracts and data laws.
E. The cloud computing companies own all customer data.

Answer: C

Question: 112
Dynamic Application Security Testing (DAST) might be limited or require pre-testing permission
from the provider.

A. False
B. True

Answer: B

Question: 113
When deploying Security as a Service in a highly regulated industry or environment, what should
both parties agree on in advance and include in the SLA?

A. The metrics defining the service level required to achieve regulatory objectives.
B. The duration of time that a security violation can occur before the client begins assessing
regulatory fines.
C. The cost per incident for security breaches of regulated information.
D. The regulations that are pertinent to the contract and how to circumvent them.
E. The type of security software which meets regulations and the number of licenses that will be
needed.

Answer: A

Question: 114
Which cloud storage technology is basically a virtual hard drive for instances or VMs?

A. Volume storage
B. Platform
C. Database
D. Application
E. Object storage

Answer: A

Question: 115
Which of the following items is NOT an example of Security as a Service (SecaaS)?

A. Spam filtering
B. Authentication
C. Provisioning
D. Web filtering
E. Intrusion detection

Answer: C

Question: 116
How is encryption managed on multi-tenant storage?

A. Single key for all data owners
B. One key per data owner
C. Multiple keys per data owner
D. The answer could be A, B, or C depending on the provider
E. C for data subject to the EU Data Protection Directive; B for all others

Answer: B

Question: 117
Which statement best describes why it is important to know how data is being accessed?

A. The devices used to access data have different storage formats.
B. The devices used to access data use a variety of operating systems and may have different
programs installed on them.
C. The device may affect data dispersion.
D. The devices used to access data use a variety of applications or clients and may have different
security characteristics.
E. The devices used to access data may have different ownership characteristics.

Answer: D
