PECB Certified Lead Cloud Security Manager Practice Exam, Exams of Technology

This lead-level exam focuses on enterprise cloud security strategies, secure migration planning, multi-cloud governance, cloud incident response, audit readiness, and continuous compliance. Candidates solve large-scale cloud architecture and risk governance scenarios.

Typology: Exams

2025/2026

Available from 12/06/2025

shilpi-jain-1
PECB Certified Lead Cloud Security Manager
Practice Exam
**Question 1.** Which characteristic of cloud computing enables users to provision computing resources automatically without human interaction?
A) Broad network access
B) Measured service
C) Rapid elasticity
D) On-demand self-service
Answer: D
Explanation: On-demand self-service allows consumers to unilaterally provision, configure, and release resources as needed without requiring provider interaction.
**Question 2.** In the NIST Cloud Computing Reference Model, which layer is responsible for delivering the actual virtual machines, storage, and networking to the consumer?
A) Cloud Service Consumer layer
B) Cloud Service Provider layer
C) Cloud Service Management layer
D) Cloud Service Broker layer
Answer: B
Explanation: The Cloud Service Provider (CSP) layer implements the underlying infrastructure (IaaS) that delivers compute, storage, and network resources.


**Question 3.** Which ISO/IEC standard provides guidance specifically for protecting personally identifiable information (PII) in public cloud environments?
A) ISO/IEC 27001
B) ISO/IEC 27017
C) ISO/IEC 27018
D) ISO/IEC 27701
Answer: C
Explanation: ISO/IEC 27018 focuses on the protection of PII in public cloud services, offering privacy-specific controls.
**Question 4.** Which cloud deployment model is most appropriate for an organization that wants to share infrastructure with other organizations that have similar security requirements?
A) Public cloud
B) Private cloud
C) Community cloud
D) Hybrid cloud
Answer: C
Explanation: A community cloud is shared among several organizations with common concerns, such as compliance, security, or policy.


**Question 7.** In a SaaS model, which party is primarily responsible for ensuring that application-level vulnerabilities are patched?
A) End-user
B) Cloud Service Provider
C) Cloud Service Broker
D) Third-party software vendor
Answer: B
Explanation: The CSP delivers the complete application and is responsible for maintaining and patching the software stack.
**Question 8.** Which regulatory framework requires that personal data of EU citizens be processed with explicit consent, impacting cloud-based PII handling?
A) CCPA
B) HIPAA
C) GDPR
D) PCI DSS
Answer: C
Explanation: The General Data Protection Regulation (GDPR) mandates lawful bases such as explicit consent for processing EU personal data, influencing cloud providers' privacy controls.


**Question 9.** Which control from ISO/IEC 27017 specifically addresses the termination of cloud services to ensure data is securely removed?
A.14.1 – Secure disposal of assets
B.14.2 – Cloud service termination
C.15.1 – Supplier relationship management
D.16.3 – Incident response testing
Answer: B
Explanation: ISO/IEC 27017 Annex A includes a control that requires proper procedures for terminating cloud services and securely deleting customer data.
**Question 10.** When drafting a cloud information security policy, which component should explicitly define the organization's approach to shared responsibility?
A) Scope statement
B) Risk assessment methodology
C) Roles and responsibilities matrix
D) Asset classification scheme
Answer: C
Explanation: The roles and responsibilities matrix clarifies which security duties belong to the CSP versus the CSC under the shared responsibility model.


A) STRIDE
B) DREAD
C) OWASP Top 10 – API Security
D) CIA Triad
Answer: C
Explanation: The OWASP API Security Top 10 outlines threats like broken authentication and excessive data exposure specific to cloud APIs.
**Question 14.** Which of the following is a key benefit of measured service in cloud computing?
A) Unlimited resource consumption
B) Ability to manually allocate resources
C) Billing based on actual usage
D) Fixed-price contracts only
Answer: C
Explanation: Measured service provides metering of resource usage, enabling pay-as-you-go pricing.
**Question 15.** Which ISO/IEC 27001 clause requires organizations to retain documented information for a defined period?
A) A.7 – Human resource security
B) A.8 – Asset management
C) A.12 – Operational security
D) A.13 – Communications security
Answer: C
Explanation: Operational security includes requirements for documentation retention and disposal.
**Question 16.** In a hybrid cloud, which component typically handles workload orchestration across public and private environments?
A) Cloud Service Broker
B) Cloud Service Customer
C) Cloud Service Provider
D) Cloud Service Auditor
Answer: A
Explanation: The Cloud Service Broker can provide orchestration, integration, and brokerage services between multiple cloud environments.
**Question 17.** Which control from ISO/IEC 27018 addresses the need for obtaining customer consent before processing PII?
A.18.1 – Consent management
B.18.2 – Data minimization
C.18.3 – Purpose limitation
D.18.4 – Transparency


Explanation: The Lessons Learned phase reviews the incident, identifies root causes, and updates controls to avoid future occurrences.
**Question 20.** Which governance document typically defines the service level objectives (SLOs) for availability and performance in a cloud contract?
A) Statement of Applicability (SoA)
B) Service Level Agreement (SLA)
C) Business Continuity Plan (BCP)
D) Risk Treatment Plan (RTP)
Answer: B
Explanation: An SLA outlines agreed-upon performance metrics, including availability and response times.
**Question 21.** Which cloud service model gives the customer the most control over the operating system and middleware?
A) SaaS
B) PaaS
C) IaaS
D) DaaS
Answer: C
Explanation: In IaaS, the customer manages the OS, middleware, and runtime, while the provider supplies the underlying infrastructure.


**Question 22.** Which of the following is a primary objective of a Privacy Impact Assessment (PIA) in a cloud environment?
A) Evaluate network latency
B) Identify privacy risks related to PII processing
C) Assess hardware compatibility
D) Determine cost savings from migration
Answer: B
Explanation: A PIA focuses on identifying and mitigating privacy risks associated with the handling of personal data.
**Question 23.** Which ISO/IEC 27017 control addresses the need for cloud customers to verify the CSP's compliance with security standards?
A) A.14 – Customer security requirements
B) A.15 – Supplier relationship management
C) A.16 – Incident management
D) A.18 – Compliance with legal requirements
Answer: B
Explanation: Supplier relationship management includes verifying that the CSP meets contractual and regulatory security obligations.


A) Provides physical data center facilities
B) Manages identity and access for end users
C) Acts as an intermediary to aggregate, integrate, and customize cloud services
D) Develops custom operating systems for cloud platforms
Answer: C
Explanation: A cloud service broker aggregates and integrates multiple cloud services, offering value-added services to customers.
**Question 27.** Which risk assessment technique quantifies risk by assigning monetary values to potential loss?
A) Qualitative assessment
B) Semi-quantitative assessment
C) Quantitative assessment
D) Scenario-based assessment
Answer: C
Explanation: Quantitative assessments use numerical values, often monetary, to calculate expected loss.
**Question 28.** Which of the following is a legal requirement under GDPR that directly impacts cloud data residency decisions?
A) Data must be stored on-premises only
B) Data transfers outside the EU require adequate protection mechanisms
C) All cloud providers must be certified ISO/IEC 27001
D) Encryption is mandatory for all cloud data
Answer: B
Explanation: GDPR restricts cross-border transfers unless the destination provides adequate safeguards (e.g., Standard Contractual Clauses).
**Question 29.** Which of the following controls would most directly mitigate the risk of "container escape" in a PaaS environment?
A) Enforcing least-privilege container runtimes
B) Implementing MFA for console access
C) Using DDoS protection services
D) Encrypting data at rest
Answer: A
Explanation: Limiting container privileges reduces the ability of a compromised container to break out of its isolation boundary.
**Question 30.** Which ISO/IEC 27017 control recommends that cloud customers receive a copy of the CSP's security incident response procedures?
A) A.14 – Customer security requirements
B) A.16 – Incident management
C) A.18 – Compliance
D) A.12 – Operational security


Explanation: Elasticity allows automatic scaling of resources in response to workload fluctuations.
**Question 33.** In a multi-tenant public cloud, which security control is most effective at preventing data leakage between tenants?
A) Physical air-gap separation
B) Virtual private cloud (VPC) isolation and ACLs
C) Shared default credentials
D) Single-tenant database instances
Answer: B
Explanation: VPCs and access control lists provide logical isolation between tenants, mitigating cross-tenant data leakage.
**Question 34.** Which ISO/IEC 27018 principle requires that personal data be collected only for specified, explicit, and legitimate purposes?
A) Consent
B) Purpose limitation
C) Data minimization
D) Transparency
Answer: B
Explanation: Purpose limitation ensures that PII is used only for the purposes for which it was originally collected.


**Question 35.** Which of the following best describes the purpose of a "risk treatment plan" (RTP)?
A) Document the list of assets in the cloud environment
B) Outline actions to reduce, transfer, or accept identified risks
C) Record all security incidents that occurred in the past year
D) Define the organization's cloud migration timeline
Answer: B
Explanation: An RTP details the selected treatment options and implementation steps for each identified risk.
**Question 36.** Which regulatory framework specifically governs the protection of health information in the United States, influencing cloud deployments handling such data?
A) GDPR
B) CCPA
C) HIPAA
D) PCI DSS
Answer: C
Explanation: The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting PHI, including when stored in cloud services.


A) Asset management
B) Access control
C) System acquisition, development, and maintenance
D) Supplier relationships
Answer: C
Explanation: Vulnerability scanning falls under system acquisition, development, and maintenance, ensuring secure configuration of cloud workloads.
**Question 40.** Which of the following cloud security controls directly supports compliance with the CCPA's "right to delete" requirement?
A) Automated data retention and disposal workflows
B) Multi-factor authentication for admin accounts
C) Network segmentation between development and production
D) Encryption of data in transit only
Answer: A
Explanation: Automated deletion processes enable timely removal of personal data upon consumer request, satisfying the CCPA's deletion right.
**Question 41.** Which of the following best describes "resource pooling" in cloud computing?
A) Dedicated hardware for each customer
B) Multiple customers share a common set of physical resources
C) Unlimited storage capacity for a single tenant
D) Manual allocation of resources by the provider
Answer: B
Explanation: Resource pooling allows multiple tenants to leverage a shared pool of compute, storage, and network resources.
**Question 42.** In the context of cloud incident response, which AWS service provides detailed logs of API calls for forensic analysis?
A) Amazon S
B) AWS CloudTrail
C) Amazon RDS
D) AWS Lambda
Answer: B
Explanation: CloudTrail records API activity, enabling detection, investigation, and auditing of incidents.
**Question 43.** Which ISO/IEC 27018 control requires that the CSP provide a clear description of the purposes for which PII is processed?
A) 18.1 – Consent management
B) 18.2 – Purpose specification
C) 18.3 – Data minimization
D) 18.4 – Transparency