CCSP Cloud Computing Study Guide: Questions and Answers, Exams of Public Health

A comprehensive study guide for cloud computing, focusing on key concepts and definitions according to NIST standards. It includes multiple-choice questions and detailed answers covering essential characteristics, service models, deployment models, and security controls in cloud environments. This guide is designed to help students and professionals prepare for cloud computing certifications and gain a deeper understanding of cloud technologies. It covers topics such as data centers, availability zones, regions, and the shift from CapEx to OpEx. The guide also addresses the ISO/IEC 17789 cloud computing reference architecture and various cloud service roles.

Typology: Exams

2025/2026

Available from 10/09/2025

may-blessed
CCSP Study1 – Complete Study Guide

What is the definition of cloud computing according to NIST?
A. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
B. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a dedicated pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction
C. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provi
✔Ans - A. The correct answer is A. As per NIST SP 800-45, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

What are the essential cloud computing characteristics?
A. On-demand self-service, limited network access, and resource pooling
B. Broadcast service, broad network access, resource pooling, and rapid elasticity
C. On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service
D. On-demand self-service, broad network access, dedicated resourcing, rapid elasticity, and measured service
✔Ans - C. On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service

According to NIST SP 800-45, the five essential cloud computing characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.

Global cloud service providers are generally organized in a three-level structure. Please select the correct structure from one of the options below.
A. Data centers, services, customers
B. Data centers, availability zones, regions
C. Infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS)
D. Cloud service provider (CSP), managed service provider (MSP), consumer
✔Ans - B. Data centers, availability zones, regions
The correct answer is B. Individual physical data centers house physical computers, storage, data center networking, environmental management equipment, and electrical power. An availability zone (AZ) consists of two or more geographically local data centers. The AZ data centers will normally have independent sources of power and data connectivity. A region typically consists of two or more availability zones. To ensure operational geographical redundancy, cloud-based solutions should deploy redundant infrastructures in two or more regions with mutual data backup capability.

Please select the main key driver for cloud computing.
A. Shift from CapEx (capital expenditure) to OpEx (operational expenditure)
B. Scalability
C. Elasticity
D. Collaboration
✔Ans - A. Shift from CapEx (capital expenditure) to OpEx (operational expenditure)
The correct answer is A. The main key driver for cloud computing is the shift from capital expenditure (CapEx), where organizations had to invest large sums of money, to operational expenditure (OpEx), which now enables companies to pay per use and avail themselves of pricing structures similar to monthly or quarterly leasing agreements.

D. Support multiple programming languages and frameworks
✔Ans - D. Support multiple programming languages and frameworks
The correct answer is D. PaaS should support multiple programming languages and frameworks, thus enabling the developers to code in whichever language they prefer or whichever the design requirements specify.

An organization is planning to move some of its functions to the cloud but doesn't have the resources/skills to operate the cloud environment. It will rely on a third party to do so, but it wants to keep control of its governance. What technology implementation option is best suited for the company?
A. Enterprise IT
B. Enterprise cloud
C. Managed service provider
D. Cloud service provider
✔Ans - C. Managed service provider
The correct answer is C. When enterprises opt to use managed service providers for information technology, compliance with enterprise-imposed IT governance is typically required.

According to the NIST service delivery models, which one provides the ability for the cloud consumer to scale services up and down based on usage?
A. Software as a service (SaaS)
B. Platform as a service (PaaS)
C. Infrastructure as a service (IaaS)
D. Anything as a service (XaaS)
✔Ans - C. Infrastructure as a service (IaaS)
The correct answer is C. IaaS provides the cloud consumer the ability to scale infrastructure services up and down based on usage, which is particularly useful and beneficial where there are significant spikes and dips in usage within the infrastructure.

According to the NIST service deployment models, which one allows "cloud bursting"?
A. Private
B. Public
C. Community
D. Hybrid
✔Ans - D. Hybrid
The correct answer is D. "Cloud bursting" occurs when a private cloud workload maximum is reached, and public cloud resources are utilized to help support the additional workload. Disaster recovery can be enhanced by hybrid cloud deployments.

Transitioning from a traditional enterprise IT infrastructure to the private cloud model involves:
A. Significant investment
B. Operational modifications
C. Cultural change
D. All the above
✔Ans - D. All the above

A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a:
A. Management control
B. Technical control
C. Operational control
D. Cloud control
✔Ans - A. Management control
The correct answer is A. Policies, standards, processes, procedures, and guidelines set by corporate administrative entities (e.g., executive- and/or mid-level management) are management/administrative controls.

A company utilizing cloud services cannot deploy multi-factor authentication (MFA) due to a limitation by the SaaS provider, so its CISO implements a password policy that establishes passwords must be changed every 30 days. What sort of security control is this?
A. Detective
B. Corrective
C. Compensating
D. Preventive
✔Ans - C. Compensating
The correct answer is C. Also called an alternative control, a compensating security control is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

Unstructured: Information not aligned or organized along any schema or in any repeatable fashion. Examples include email messages, videos, and audio files.

As a result of multitenancy, multiple users can store their data using the applications provided by SaaS. Within these architectures, the data of various users will reside at the same location or across multiple locations and sites. What is a key security consideration when protecting the user data?
A. Data aggregation
B. Data encryption
C. Data segregation
D. Data manipulation
✔Ans - C. Data segregation
The correct answer is C. A SaaS model should ensure a clear segregation for each user's data. The segregation must be ensured not only at the physical level but also at the application level. The service should be intelligent enough to segregate the data from different users.

What is the main document that describes the overall relationship between a cloud service provider and consumer?
A. Acceptable use policy
B. Service-level agreement
C. Cloud service agreement
D. Cloud relationship policy
✔Ans - C. Cloud service agreement
The correct answer is C. The cloud service agreement (CSA) describes the overall relationship between the customer and provider. Since service management includes the processes and procedures used by the cloud provider, explicit definitions of the roles, responsibilities, and execution of processes need to be formally agreed upon.

A user has uploaded copyrighted materials to their employer's public cloud environment and shared them with friends online, resulting in a movie studio suing the employer for copyright infringement. What policy has been violated by the user?
A. Cloud copyright policy
B. Data sharing policy
C. User access management policy
D. Acceptable use policy
✔Ans - D. Acceptable use policy
The correct answer is D. The acceptable use policy prohibits activities that providers consider to be an improper or outright illegal use of their service. This is one area of a CSA where there is considerable consistency across cloud providers.

A cloud consumer suffered a 24-hour outage and is now challenging the service provider to provide financial credits due to this unavailability of services. What agreement needs to be reviewed by both parties to assess the request?
A. Cloud-level agreement (CLA)
B. Service-level agreement (SLA)
C. Penalty-level agreement (PLA)
D. Outage-level agreement (OLA)
✔Ans - B. Service-level agreement (SLA)
The correct answer is B. The SLA specifies thresholds and financial penalties associated with violations of these thresholds. Well-designed SLAs can significantly contribute to avoiding conflict and can facilitate the resolution of an issue before it escalates into a dispute. It serves as both the blueprint and warranty for cloud computing services.

Please fill in the blanks using the terms below.
___________ are the foundation of corporate governance. ___________ are the result of either a regulation, which is a legislative requirement, or a contractual requirement such as a contract agreement or an industry requirement such as the Payment Card Industry Data Security Standard (PCI DSS).
A. Standards, policies
B. Policies, standards
C. Standards, procedures
D. Policies, procedures
✔Ans - B. Policies, standards
The correct answer is B. Policies are the foundation of corporate governance. They require penalties as well as senior management sponsorship to be effective. Policies are created in response to a requirement such as a standard or requirement benchmark. A policy is a high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes.

C. Only the cloud service provider (CSP)
D. Cloud auditor
✔Ans - C. Only the cloud service provider (CSP)
The correct answer is C. Under the order of a court, certain legal discovery documents, or orders, will specify that you and the cloud service provider are not allowed to disclose any activities undertaken in support of the court order. In some cases, the cloud service provider might be restricted from disclosing a court order or an investigation to you.

What are the five rules of evidence?
A. Be authentic, accurate, complete, convincing, and admissible in court
B. Be authentic, appropriate, complete, convincing, and admissible in court
C. Be trustworthy, accurate, complete, convincing, and admissible in court
D. Be trustworthy, appropriate, complete, convincing, and admissible in court
✔Ans - A. Be authentic, accurate, complete, convincing, and admissible in court
The correct answer is A. The five rules of evidence are to be authentic (evidence needs to be tied back to the scene to be used), to be accurate (using collection processes, your evidence must maintain authenticity and veracity), to be complete (all evidence should be collected, including evidence that supports and that can diminish the reliability of other incriminating evidence), to be convincing (the evidence should be clear and easy to understand, and believable to a jury), and to be admissible (the evidence must be able to be used in a court of law).

You are about to purchase movie tickets, but the website offering them is asking you for your parents' names, which you think is excessive to purchase the tickets. Based on the OECD's privacy recommendations, which principle is not being followed by the movie's website?
A. Data Quality Principle
B. Purpose Specification Principle
C. Collection Limitation Principle
D. Accountability Principle
✔Ans - C. Collection Limitation Principle
The correct answer is C. There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. https://marcomm.mccarthy.ca/pubs/share2.htm

Which of the following statements is a benefit of the General Data Protection Regulation (GDPR)?
A. It harmonizes data privacy laws across Europe
B. It protects and empowers all citizens' data privacy
C. It reshapes the way organizations across the world approach data privacy
D. All the above
✔Ans - A. It harmonizes data privacy laws across Europe
The correct answer is A. The EU General Data Protection Regulation (GDPR) is designed to harmonize data privacy laws across Europe, protect and empower all EU citizens' data privacy, and reshape the way organizations across the region approach data privacy.

You are a European citizen and created an account with one of the major public cloud service providers headquartered in the U.S. Your data is stored with the EU affiliate and no data access from the non-EU corporate parents is possible. Can U.S. authorities access your data using the U.S. CLOUD Act?
A. No, the data is protected through GDPR
B. No, the affiliate is a separate entity from the parent and there is no technical possibility to access data from the affiliate in the EU
C. Yes, the U.S. CLOUD Act is stronger legislation than GDPR
D. Yes, through a formal request to the cloud service provider
✔Ans - B. No, the affiliate is a separate entity from the parent and there is no technical possibility to access data from the affiliate in the EU
The correct answer is B. The data held at the EU affiliate would not likely be accessible to U.S. authorities under the CLOUD Act if it is not possible for personnel of the corporate parent to reach

B. Define audit scope, define audit objectives, refine audit processes based on lessons learned, analysis, fieldwork, reporting
C. Define audit objectives, define audit scope, fieldwork, analysis, reporting, refine audit processes based on lessons learned
D. Define audit scope, define audit objectives, fieldwork, analysis, reporting, refine audit processes based on lessons learned
✔Ans - A. Define audit objectives, define audit scope, refine audit processes based on lessons learned, fieldwork, analysis, reporting
An audit plan encompasses the following activities (in this order): define audit objectives, define audit scope, refine audit processes based on lessons learned, fieldwork, analysis, reporting.

Your organization is planning to move to the cloud and is evaluating various cloud service providers. One of the main factors for selection is their security posture. What industry standard tool can you utilize to assess the overall security capabilities of a cloud provider?
A. Cloud Assessment Questionnaire
B. Consensus Assessment Initiative Questionnaire
C. Cloud Security Assessment Checklist
D. Cloud Security Risk Checklist
✔Ans - B. Consensus Assessment Initiative Questionnaire
The correct answer is B. The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CSA Security Trust Assurance and Risk (STAR) Program is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.

What CSA STAR level provides continuous monitoring of the current security practices of cloud providers?
A. Level 1
B. Level 2
C. Level 3
D. Level 4
✔Ans - C. Level 3
The correct answer is C. CSA STAR Level 3 (Continuous Monitoring) enables automation of the current security practices of cloud providers. Each level of STAR has a continuous monitoring option to offer increased transparency on a regular basis.

You work in a service organization and recently received an audit report from external auditors involving your organization's financial statements. This report was on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. What type of report have you received?
A. SOC 1, Type 1
B. SOC 1, Type 2
C. SOC 2, Type 1
D. SOC 2, Type 2
✔Ans - B. SOC 1, Type 2
The correct answer is B. There are two types of reports for these engagements:
SOC 1, Type 1: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
SOC 1, Type 2: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

What are the "Trust Services Principles" in a SOC 2 report?
A. Security, availability, processing integrity, confidentiality, and privacy
B. Confidentiality, processing integrity, and availability
C. Trust, security, and privacy
D. Trust and security principles
✔Ans - A. Security, availability, processing integrity, confidentiality, and privacy

Standard (PCI DSS), which has been described as "the global industry standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices."

An e-commerce store is collecting personal data from customers purchasing items, including details such as full name, address, items purchased, quantities, etc. The e-commerce store is managed and hosted by a managed cloud service provider. Additionally, all data is copied offsite to a backup service provider in case of a disaster recovery. Which entity is the data controller in this scenario?
A. The e-commerce store
B. The managed service provider
C. The backup service provider
D. The customer
✔Ans - A. The e-commerce store
The data controller determines the purposes for which and the means by which personal data is processed. If your company/organization decides why and how the personal data should be processed, it is the data controller. Employees processing personal data within your organization do so to fulfil your tasks as data controller.

What is it called when an organization performs background checks of its potential employees?
A. Due care
B. Due diligence
C. Due attention
D. Due background check
✔Ans - B. Due diligence
Due diligence is the act of investigating and understanding the risks a company faces. Maintaining due diligence in daily practice should be a core tenet of a security professional.

A platform-as-a-service (PaaS) application typically depends on third parties' application programming interfaces (APIs) to provide services to its customers. If an API used by the PaaS application becomes compromised by a malicious actor, then the customers could become victims of the attack. The risk of this happening is known as:
A. API vulnerability risk
B. PaaS attack risk
C. Supply chain risk
D. Application stack risk
✔Ans - C. Supply chain risk
An API provided by a third party becomes part of your supply chain. The key component the supply chain introduces is risk; not only can it transfer or reduce certain components of risk (dependent on the organization), but it can create increased risk too.

What is the correct order of the data security lifecycle phases?
A. Create, store, use, share, archive, and destroy
B. Create, use, store, share, archive, and sanitize
C. Classify, store, use, share, archive, and destroy
D. Classify, use, store, share, archive, and sanitize
✔Ans - A. Create, store, use, share, archive, and destroy

You host a SaaS application in a public cloud environment and are concerned that government authorities can seize your customers' data from a specific geographical location. What technique can you use to limit the exposure to this risk?
A. Data deletion
B. Data anonymization
C. Data tokenization
D. Data dispersion
✔Ans - D. Data dispersion
When using the data dispersion technique, each storage block is fragmented and the storage application writes each bit into different physical storage containers to achieve greater information assurance, just like the old-fashioned RAID system, only scattered across different physical devices and/or geographical locations.

Which critical properties need to be understood after mapping the various data phases but before deploying controls in a cloud environment?
A. People, processes, technology

B. Through the hypervisor
C. Through API calls
D. Through the database management layer
✔Ans - C. Through API calls

What type of storage is utilized when accessing a CDN (content delivery network)?
A. Volume storage
B. Raw storage
C. Ephemeral storage
D. Object storage
✔Ans - D. Object storage
The correct answer is D. A content delivery network (CDN) utilizes object storage, which is then distributed to multiple geographically distributed nodes to improve internet consumption speed.

A database administrator has been tasked to remove sensitive details from a production database so it can be used in a test environment. This recommendation comes from the security officer due to concerns about data leakage. What technique would you recommend?
A. Static masking
B. Dynamic masking
C. Random substitution
D. Algorithmic substitution
✔Ans - A. Static masking
The correct answer is A. In static masking, a new copy of the data is created with the masked values. Static masking is typically efficient when creating clean, nonproduction environments.

Direct identifiers are fields that uniquely identify the subject (e.g., name, address) and are usually referred to as personally identifiable information. Indirect identifiers typically consist of demographic or socioeconomic information, dates, or events. How would you remove indirect identifiers in a database?
A. Deletion
B. Tokenization
C. Anonymization
D. Masking
✔Ans - C. Anonymization
The correct answer is C. Anonymization is the process of removing the indirect identifiers in order to prevent data analysis tools or other intelligent mechanisms from collating or pulling data from multiple sources to identify an individual or sensitive information.

You are the security officer of a heavily regulated organization and are concerned that data currently stored in the public cloud can be leaked to the public due to a misconfiguration or a malicious insider. How can you reduce the likelihood of this happening while fulfilling your regulatory requirements?
A. Deploy a data leakage prevention tool
B. Deploy a data encryption engine tool
C. Deploy a data anonymization tool
D. Deploy a data tokenization tool
✔Ans - A. Deploy a data leakage prevention tool
The correct answer is A. The appropriate implementation and use of DLP will reduce both security and regulatory risks for the organization.

You want to guarantee the integrity of an encrypted file received from a colleague. How would you achieve that?
A. Ask your colleague for the encryption key of the file
B. Ask your colleague for the hash of the file and compare it with the hash you produced
C. Perform a hash of the file and compare it with the encryption key
D. Perform encryption of the file and compare it with the hashed file
✔Ans - B. Ask your colleague for the hash of the file and compare it with the hash you produced
The correct answer is B. In order to guarantee the integrity of a file, you need to compare the hash values of the origin and recipient file.

What is a widely accepted algorithm to exchange or negotiate a symmetric key?
A. El Gamal
B. RSA
C. Elliptic curve