CCSP Exam Questions - Online Test



Free demo questions for ISC2 CCSP Exam Dumps Below:

NEW QUESTION 1
Which of the following is not a component of the STRIDE model?

  • A. Spoofing
  • B. Repudiation
  • C. Information disclosure
  • D. External pen testing

Answer: D

NEW QUESTION 2
You are the security manager for a company that is considering cloud migration to an IaaS environment. You are assisting your company’s IT architects in constructing the environment. Which of the following options do you recommend?

  • A. Unrestricted public access
  • B. Use of a Type I hypervisor
  • C. Use of a Type II hypervisor
  • D. Enhanced productivity without encryption

Answer: B

NEW QUESTION 3
Digital rights management (DRM) tools can be combined with ______ to enhance security capabilities.

  • A. Roaming identity services (RIS)
  • B. Egress monitoring solutions (DLP)
  • C. Internal hardware settings (BIOS)
  • D. Remote Authentication Dial-In User Service (RADIUS)

Answer: B

NEW QUESTION 4
What is the term used to describe loss of access to data because the cloud provider has ceased operation?

  • A. Closing
  • B. Vendor lock-out
  • C. Vendor lock-in
  • D. Masking

Answer: B

NEW QUESTION 5
When an organization implements a SIEM solution and begins aggregating event data, the configured event sources are only valid at the time they were configured. Application modifications, patching, and other upgrades will change the events generated and how they are represented over time.
What process is necessary to ensure events are collected and processed with this in mind?

  • A. Continual review
  • B. Continuous optimization
  • C. Aggregation updates
  • D. Event elasticity

Answer: B

NEW QUESTION 6
The Restatement (Second) Conflict of Law refers to which of the following?

  • A. The basis for deciding which laws are most appropriate in a situation where conflicting laws exist
  • B. When judges restate the law in an opinion
  • C. How jurisdictional disputes are settled
  • D. Whether local or federal laws apply in a situation

Answer: A

NEW QUESTION 7
Resolving resource contentions in the cloud will most likely be the job of the ______.

  • A. Router
  • B. Emulator
  • C. Regulator
  • D. Hypervisor

Answer: D

NEW QUESTION 8
For which type of cloud service category would having a vendor-neutral encryption scheme for data at rest (DAR) be the MOST important?

  • A. Public
  • B. Hybrid
  • C. Private
  • D. Community

Answer: B

NEW QUESTION 9
You are the security director for a chain of automotive repair centers across several states. Your company uses a cloud SaaS provider for business functions that cross several of the locations of your facilities, such as: 1) ordering parts, 2) logistics and inventory, 3) billing, and 4) marketing.
The manager at one of your newest locations reports that there is a competing car repair company that has a logo that looks almost exactly like the one your company uses. What will most likely affect the determination of who has ownership of the logo?

  • A. Whoever first used the logo
  • B. The jurisdiction where both businesses are using the logo simultaneously
  • C. Whoever first applied for legal protection of the logo
  • D. Whichever entity has the most customers that recognize the logo

Answer: C

NEW QUESTION 10
Which kind of SSAE report comes with a seal of approval from a certified auditor?

  • A. SOC 1
  • B. SOC 2
  • C. SOC 3
  • D. SOC 4

Answer: C

NEW QUESTION 11
The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing. A cloud customer that does not perform sufficient due diligence can suffer harm if the cloud provider they’ve selected goes out of business.
What do we call this problem?

  • A. Vendor lock-in
  • B. Vendor lock-out
  • C. Vendor incapacity
  • D. Unscaled

Answer: B

NEW QUESTION 12
You are the security manager for a software development firm. Your company is interested in using a managed cloud service provider for hosting its testing environment. Previous releases have shipped with major flaws that were not detected in the testing phase; leadership wants to avoid repeating that problem.
What tool/technique/technology might you suggest to aid in identifying programming errors?

  • A. Vulnerability scans
  • B. Open source review
  • C. SOC audits
  • D. Regulatory review

Answer: B

NEW QUESTION 13
Which SSAE 16 report is purposefully designed for public release (for instance, to be posted on a company’s website)?

  • A. SOC 1
  • B. SOC 2, Type 1
  • C. SOC 2, Type 2
  • D. SOC 3

Answer: D

NEW QUESTION 14
Which of the following is a risk associated with manual patching, especially in the cloud?

  • A. No notice before the impact is realized
  • B. Lack of applicability to the environment
  • C. Patches may or may not address the vulnerability they were designed to fix.
  • D. The possibility for human error

Answer: D

NEW QUESTION 15
Why might an organization choose to comply with the ISO 27001 standard?

  • A. Price
  • B. Ease of implementation
  • C. International acceptance
  • D. Speed

Answer: C

NEW QUESTION 16
The Cloud Security Alliance (CSA) publishes the Notorious Nine, a list of common threats to organizations participating in cloud computing.
According to the CSA, what is one reason the threat of insecure interfaces and APIs is so prevalent in cloud computing?

  • A. Most of the cloud customer’s interaction with resources will be performed through APIs.
  • B. APIs are inherently insecure.
  • C. Attackers have already published vulnerabilities for all known APIs.
  • D. APIs are known carcinogens.

Answer: A

NEW QUESTION 17
What is the most secure form of code testing and review?

  • A. Open source
  • B. Proprietary/internal
  • C. Neither open source nor proprietary
  • D. Combination of open source and proprietary

Answer: D
