Cloud Security Management Exam Questions and Answers, Exams of Nursing

A list of exam questions and answers related to cloud security management. It covers topics such as open source cloud computing platforms, data retention policies, virtualization risks, IAM components, and more. The document also includes information on various regulations and standards related to cloud security management. It is a useful resource for students studying cloud security management or professionals working in the field.

Typology: Exams

2023/2024

Available from 01/23/2024

josh1990

Managing Cloud Security - C838. Exam Questions with Answers

Eucalyptus - Correct answer Open source cloud computing and IaaS platform for enabling private clouds

Apache CloudStack - Correct answer Open source cloud computing and IaaS platform developed to help make creating, deploying, and managing cloud services easier by providing a complete "stack" of features and components for cloud environments

FIPS 140-2 - Correct answer NIST document that lists accredited and outmoded cryptosystems

NIST 800-53 - Correct answer Guidance document with the primary goal of ensuring that appropriate security requirements and controls are applied to all U.S. federal government information in information management systems

Four Steps of a Business Requirements Analysis - Correct answer
1. inventory of all assets (#)
2. valuation of each asset ($)
3. determination of critical paths, processes, and assets
4. clear understanding of risk appetite

Cloud Provider Defense Roles - Correct answer
- strong personnel controls (background checks, and continual monitoring)
- technological controls (encryption, event logging, and access control enforcement)
- physical controls
- governance mechanisms and enforcement (policies and audits)

Cloud Customer Defense Roles - Correct answer
- training programs for staff and users
- contractual enforcement of policy requirements
- use of encryption and logical isolation mechanisms
- strong access control methods

Key Components of Strong Data Retention Policies - Correct answer
1. Retention periods
2. Applicable regulation
3. Retention formats
4. Data classification
5. Archiving and retrieval procedures
6. Monitoring, maintenance and enforcement

ITAR - Correct answer International Traffic in Arms Regulations; United States regulation; prohibitions on defense-related exports; can include cryptography systems.

EAR - Correct answer Export Administration Regulations; United States regulation; prohibitions on dual-use items (technologies that could be used for both commercial and military purposes).

The 3 Types of Database Encryption - Correct answer
1. File-level - encrypting the volume or folder of the database, with the encryption engine and keys residing on the instances attached to the volume; protects from media theft, lost backups, and external attack but does not protect against attacks with access to the application layer, the instance's OS, or the database itself
2. Transparent - encrypting the entire database or specific portions, such as tables; encryption engine resides within the database, and it is transparent to the application; keys usually reside within the instance, although processing and management of them may also be offloaded to an external KMS; provides effective protection from media theft, backup system intrusions, and certain database and application-level attacks
3. Application-level - encryption engine resides at the application that is utilizing the database; can act as a robust mechanism to protect against a range of threats, such as compromised administrative accounts and other database and application-level attacks; it is challenging to perform indexing, searches, and metadata collection though; can also be challenging due to the expertise requirements for cryptographic development and integration

Virtualization Risks - Correct answer
1. attacks on the hypervisor
2. guest escape a.k.a. VM escape
3. information bleed
4. data seizure (of host machine)

Forklifting - Correct answer moving an existing legacy enterprise application to the cloud with little or no code changes

IAM Components - Correct answer Identity and Access Management
1. Authentication
2. Authorization
3. User management
4. Central user repository

Four Popular Federation Standards - Correct answer
1. SAML (Security Assertion Markup Language); most popular; XML based
2. WS-Federation; uses realms
3. OAuth; often used with mobile apps
4. OpenID Connect; based on OAuth 2; allows developers to authenticate users across websites and apps

Bit Splitting/Data Dispersion - Correct answer data is sliced into "chunks" that are encrypted along with parity bits and then written to various drives in the cloud cluster; can be seen as equivalent to creating a RAID array in a cloud environment

SAN vs. NAS - Correct answer
SAN=group of devices connected to the network that provide storage space to users; the storage is usually mounted to a user's machine, like an empty drive; user can then format and implement a filesystem in that space according to their own preference; usually uses iSCSI or Fibre Channel protocols
NAS=network file server with a drive or group of drives, portions of which are assigned to users on that network; user will see a NAS as a file server and can share files to it; commonly uses TCP/IP

OS Logging - Correct answer monitors performance and events; can alert admins when usage approaches a high capacity or performance degradation that may affect SLA parameters

Key Parts of a BC/DR Plan - Correct answer
1. List of the Items from the Asset Inventory Deemed Critical
2. Circumstances Under Which an Event or Disaster Is Declared
3. Who Is Authorized to Make the Declaration
4. Essential Points of Contact
5. Detailed Actions, Tasks, and Activities

MAD vs. RTO vs. RPO - Correct answer
MAD=maximum allowable downtime; how long can an interruption last before it kills the organization
RTO=recovery time objective; time goal for recovery after an interruption; must be less than the MAD
RPO=recovery point objective; goal for limiting data loss from an event; confusingly measured in time; ex.) if organization wants to only allow one day's loss of data, RPO is 24 hours

Information Bleed - Correct answer the possibility that processing performed on one virtualized instance may be detected by other instances on the same host

Administrative Law - Correct answer The body of law created by administrative agencies (in the form of rules, regulations, orders, and decisions) in order to carry out their duties and responsibilities.

Doctrine of the Proper Law - Correct answer When a conflict of laws occurs, this determines in which jurisdiction the dispute will be heard.

ASHRAE Recommended Datacenter Ranges for Temp & Humidity - Correct answer
Temperature: 64 to 81° F (18 to 27° C)
Humidity: Dew point of 42 to 59° F (5.5 to 15° C), relative humidity of 60%

Maintenance Mode Requirements - Correct answer
1. All operational instances are removed from the system/device
2. Prevent all new logins
3. Ensure logging is continued, and begin enhanced logging

How Long Should a UPS Provide Power? - Correct answer Long enough to save production data currently being processed

SOC Reports - Correct answer Part of the SSAE 16 (replaced SAS 70) reporting format created by the AICPA; defines 3 types of audit reports
SOC 1: strictly for auditing the financial reporting instruments of a corporation
SOC 2: Type 1=not useful; only about design; Type 2=extremely useful; how controls are implemented and maintained; cloud vendors will probably never share these
SOC 3: "seal of approval" from audit; cloud vendors most likely to share

ISO 31000 - Correct answer Provides an international standard for risk management as well as a generic approach to risk management applicable within any industry sector.

NIST SP 800-37 - Correct answer Guide for Implementing the Risk Management Framework (RMF); developed for use by the US government, but widely accepted in the industry (at least in the US, not internationally)

ENISA - Correct answer European Union Agency for Network and Information Security; similar to NIST, but for Europe; not as widely accepted internationally as ISO; a standard and model

Contract vs. SLA - Correct answer
Contract=performance objectives and the penalties for not meeting them
SLA=specific number values attached to the objectives (example: only 6 minutes of downtime allowed per month)

CSA STAR Program - Correct answer Designed to provide an independent level of program assurance for cloud consumers. Consists of:
1. Cloud Controls Matrix (CCM): A list of security controls and principles appropriate for the cloud environment, cross-referenced to other control frameworks such as COBIT, ISO standards, and NIST pubs; arranged into separate security domains
2. Consensus Assessments Initiative Questionnaire (CAIQ): A self-assessment performed by cloud providers, detailing their evaluation of the practice areas and control groups they use in providing their services

The 3 Levels of CSA STAR Program - Correct answer
Level One: Self-Assessment: Requires the release and publication of due diligence assessments against the CSA's Consensus Assessment Initiative Questionnaire and/or Cloud Controls Matrix (CCM)
Level Two: CSA STAR Attestation: Requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM and ISO 27001:2013 or an AICPA SOC 2
Level Three: CSA STAR Continuous Monitoring: Requires the release and publication of results related to the security properties of monitoring based on the CloudTrust Protocol

API - Correct answer Application Programming Interface; a set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool

ISO/IEC 27034-1 - Correct answer One of the most widely accepted sets of standards and guidelines for secure application development; provides an overview of network and infrastructure security designed to secure cloud applications; key elements include the organizational normative framework (ONF), the application normative framework (ANF), and the application security management process (ASMP)

Data Masking - Correct answer a program that protects privacy by replacing personal information with fake values

Restatement (Second) Conflict of Law - Correct answer The basis for deciding which laws are most appropriate in a situation where conflicting laws exist

ISO/IEC 27037 - Correct answer Guide for collecting, identifying, and preserving electronic evidence

ISO/IEC 27050-1 - Correct answer Overview and principles for eDiscovery

ISO/IEC 27042 - Correct answer Guide for digital evidence analysis

ISO/IEC 27043 - Correct answer Incident investigation principles and processes

ISO/IEC 27041 - Correct answer Guide for incident investigations

NIST SP 800-122 - Correct answer Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Gap Analysis - Correct answer Where most audit activities begin; a lightweight audit; the purpose is to identify weaknesses so they can be remediated prior to any further actual audit work. In addition, it provides the organization with a static point of reference from which to begin work in defining their strategic goals and objectives regarding risk remediation and control implementation. It also helps define the benchmark process.

ISO/IEC 28000 - Correct answer Guide for addressing security risks in a supply chain

The 4 Building Blocks of Cloud Computing - Correct answer 1. RAM