PECB Certified Senior Lead Cloud Security Manager Practice Exam, Exams of Technology

A senior-level exam requiring mastery of strategic cloud security leadership. Topics include cloud transformation governance, regulatory alignment, cloud resilience engineering, hybrid-cloud risk orchestration, cross-border data considerations, and executive-level security communication.

Typology: Exams

2025/2026

Available from 12/06/2025

shilpi-jain-1
PECB Certified Senior Lead Cloud Security Manager
Practice Exam
**Question 1.** Which characteristic of cloud computing enables a consumer to
provision computing capabilities automatically without human interaction with
the service provider?
A) Broad network access
B) Rapid elasticity
C) On-demand self-service
D) Measured service
**Answer:** C
**Explanation:** On-demand self-service allows users to unilaterally provision
resources as needed, without requiring provider intervention.
**Question 2.** In the NIST service model hierarchy, which layer gives the
customer the most control over the underlying operating system?
A) SaaS
B) PaaS
C) IaaS
D) DaaS
**Answer:** C
**Explanation:** IaaS provides virtualized hardware, allowing the customer to
install and manage the OS and middleware.


**Question 3.** Which cloud deployment model is typically owned, managed, and operated by a single organization but may be accessed by multiple internal business units?
A) Public cloud
B) Private cloud
C) Community cloud
D) Hybrid cloud
**Answer:** B
**Explanation:** A private cloud is dedicated to one organization, offering exclusive use while supporting various internal units.
**Question 4.** Which of the following is NOT a primary limitation of cloud computing?
A) Vendor lock-in
B) Unlimited bandwidth
C) Latency concerns
D) Governance challenges
**Answer:** B
**Explanation:** Unlimited bandwidth is unrealistic; limited or variable bandwidth is a common limitation.


B) Consistency – configuration management
C) Continuity – disaster recovery
D) Compliance – audit logging
**Answer:** A
**Explanation:** Confidentiality is protected by mechanisms such as encryption of data stored in the cloud.
**Question 8.** Which regulatory framework specifically addresses health-information privacy and may affect cloud deployments for healthcare providers?
A) GDPR
B) PCI-DSS
C) HIPAA
D) SOX
**Answer:** C
**Explanation:** HIPAA governs Protected Health Information (PHI) and applies to cloud services handling such data.
**Question 9.** A cloud broker primarily performs which function?
A) Hosts virtual machines for customers
B) Provides network connectivity between CSPs and customers
C) Mediates service selection and integration for customers


D) Audits compliance of a CSP’s internal processes
**Answer:** C
**Explanation:** Cloud brokers act as intermediaries, helping customers select, aggregate, and manage cloud services.
**Question 10.** Which policy type is most appropriate for establishing organization-wide objectives for cloud security governance?
A) Functional policy
B) Specific policy
C) Strategic policy
D) Operational policy
**Answer:** C
**Explanation:** Strategic policies set high-level goals and direction for cloud security across the enterprise.
**Question 11.** When documenting cloud security procedures, which lifecycle stage ensures that obsolete documents are removed securely?
A) Creation
B) Approval
C) Distribution
D) Disposal
**Answer:** D


**Question 14.** What is the primary difference between a Risk Assessment and a Privacy Impact Assessment (PIA)?
A) PIA evaluates financial loss only
B) Risk Assessment focuses on technical controls, PIA on legal compliance
C) PIA assesses privacy-related risks to individuals, Risk Assessment covers broader organizational risks
D) There is no difference; they are interchangeable terms
**Answer:** C
**Explanation:** PIAs specifically examine how personal data processing impacts individual privacy.
**Question 15.** Which risk treatment option involves transferring the risk to a third party, such as an insurance provider?
A) Avoid
B) Modify
C) Share
D) Retain
**Answer:** C
**Explanation:** Sharing (or transferring) risk passes responsibility to another entity, often via insurance or outsourcing.


**Question 16.** ISO/IEC 27005 aligns with which overarching standard for risk management?
A) ISO 31000
B) ISO 9001
C) ISO 22301
D) ISO 27001
**Answer:** A
**Explanation:** ISO 31000 provides generic risk management principles; ISO 27005 tailors them to information security.
**Question 17.** In cloud security architecture, the term “defense-in-depth” most closely refers to:
A) Using a single firewall at the perimeter
B) Implementing multiple, layered security controls across the stack
C) Relying solely on CSP’s native security features
D) Encrypting data only during transmission
**Answer:** B
**Explanation:** Defense-in-depth applies overlapping controls at network, host, application, and data layers.
**Question 18.** Which ISO/IEC 27017 control specifically addresses the secure provisioning of cloud service access for customers?


B) Physical theft of servers
C) Credential-stuffing attacks
D) Data leakage through misconfiguration
**Answer:** C
**Explanation:** MFA adds additional verification factors, reducing the success of credential-stuffing attacks.
**Question 21.** Which cryptographic key management practice is recommended for protecting keys used to encrypt data at rest in a public cloud?
A) Storing keys in the same storage bucket as the data
B) Using a cloud-based Hardware Security Module (HSM)
C) Hard-coding keys in application source code
D) Relying on default provider-generated keys only
**Answer:** B
**Explanation:** Cloud-based HSMs provide secure, isolated storage and usage of encryption keys.
**Question 22.** In a cloud environment, which logging practice is essential for forensic investigations?
A) Logging only successful login attempts
B) Centralizing logs in a tamper-evident repository
C) Deleting logs after 30 days to save storage


D) Encrypting logs with a shared password stored on a public wiki
**Answer:** B
**Explanation:** Centralized, tamper-evident log storage preserves evidence for forensic analysis.
**Question 23.** Which testing methodology is specifically prohibited by many CSPs without prior written authorization?
A) Static Application Security Testing (SAST)
B) Dynamic Application Security Testing (DAST)
C) Penetration testing against the CSP’s infrastructure
D) Vulnerability scanning of customer-owned virtual machines
**Answer:** C
**Explanation:** Direct penetration testing of CSP infrastructure is often restricted and requires explicit permission.
**Question 24.** The role of a Cloud Security Manager most closely aligns with which ISO/IEC 27001 control?
A) A.7.2 – Competence
B) A.12.4 – Logging and monitoring
C) A.15.1 – Information security in supplier relationships
D) A.18.2 – Technical compliance review
**Answer:** A


**Question 27.** When an incident involves data exfiltration from a SaaS application, the primary responsibility for containment lies with:
A) The CSP, because they host the application
B) The customer, because they own the data
C) The cloud broker, as the intermediary
D) The regulator, who must issue a directive
**Answer:** B
**Explanation:** In SaaS, the customer is responsible for data protection and must initiate containment actions.
**Question 28.** Which cloud-native tool is commonly used for continuous monitoring of configuration drift in AWS environments?
A) Azure Monitor
B) Google Cloud Operations Suite
C) AWS Config
D) VMware vRealize
**Answer:** C
**Explanation:** AWS Config records and evaluates configuration changes, detecting drift from desired states.
**Question 29.** Forensic readiness in the cloud should include which of the following preparations?


A) Deleting all logs after each incident
B) Encrypting all forensic images with a public key only
C) Defining a chain-of-custody process for virtual machine snapshots
D) Relying solely on CSP’s internal forensics team
**Answer:** C
**Explanation:** A documented chain-of-custody for snapshots ensures evidence integrity and admissibility.
**Question 30.** Which containment technique is most effective for isolating a compromised virtual machine without affecting other workloads?
A) Shutting down the entire availability zone
B) Applying a network security group rule to block all traffic to the VM
C) Deleting the VM’s storage volume immediately
D) Rebooting the VM with a clean image while preserving its IP address
**Answer:** B
**Explanation:** Updating the security group isolates the VM at the network layer while leaving other resources untouched.
**Question 31.** In a hybrid cloud strategy, data residency requirements are typically enforced by:
A) Storing all data in the public cloud and relying on encryption
B) Keeping regulated data in the private cloud or on-premises zone


**Answer:** B
**Explanation:** The provider processes data per the controller’s instructions, thus acting as a data processor.
**Question 34.** Which of the following is a primary benefit of using a Cloud Access Security Broker (CASB)?
A) Providing physical security for data centers
B) Enforcing data loss prevention policies across SaaS applications
C) Managing hypervisor patches on the CSP side
D) Replacing the need for IAM solutions
**Answer:** B
**Explanation:** CASBs extend security controls like DLP to SaaS services beyond the CSP’s native capabilities.
**Question 35.** A “community cloud” is best suited for which scenario?
A) A single multinational corporation needing global reach
B) Multiple universities sharing a common research platform
C) A startup requiring rapid scaling with minimal cost
D) A government agency needing strict isolation from commercial clouds
**Answer:** B
**Explanation:** Community clouds are shared among organizations with common concerns, such as academia.


**Question 36.** Which ISO/IEC 27018 control mandates that a CSP must not retain PII longer than necessary for the purpose it was collected?
A) 7.2 – Consent and choice
B) 8.1 – Data minimization and retention
C) 9.3 – Data encryption at rest
D) 10.4 – Secure disposal of PII
**Answer:** B
**Explanation:** Control 8.1 addresses minimization and appropriate retention periods for PII.
**Question 37.** When performing a cloud risk assessment, the term “risk appetite” refers to:
A) The maximum tolerable loss the organization is willing to accept
B) The probability of a threat occurring
C) The total number of assets in the cloud environment
D) The cost of implementing security controls
**Answer:** A
**Explanation:** Risk appetite defines the level of risk an organization is prepared to accept.


A) SOC 2 Type II
B) ISO 9001
C) PCI-DSS
D) ISO 27001
**Answer:** A
**Explanation:** SOC 2 Type II reports evaluate the operational effectiveness of a CSP’s security controls.
**Question 41.** In the context of cloud cryptography, a “customer-managed key” (CMK) means:
A) The CSP generates and stores the key without customer involvement
B) The customer creates, imports, or manages the encryption key used for their data
C) The key is automatically rotated by the CSP every 30 days
D) The key is shared publicly for transparency purposes
**Answer:** B
**Explanation:** CMKs give customers direct control over key lifecycle and usage.
**Question 42.** Which of the following is a key objective of a Cloud Security Incident Response Plan (CSIRP)?
A) To eliminate the need for traditional backups
B) To define communication channels with the CSP during an incident


C) To guarantee zero-day exploit prevention
D) To replace all existing governance policies
**Answer:** B
**Explanation:** CSIRP outlines coordination, including communication with the CSP, during incidents.
**Question 43.** When a cloud service provider experiences a regional outage, the organization’s primary mitigation strategy is:
A) Relying on the CSP’s internal redundancy
B) Implementing a multi-cloud or multi-region architecture
C) Switching to on-premises infrastructure immediately
D) Ignoring the outage as it will be resolved automatically
**Answer:** B
**Explanation:** Multi-cloud or multi-region deployments provide resilience against regional failures.
**Question 44.** Which ISO/IEC 27017 control requires that a CSP provide customers with evidence of compliance with security standards?
A) 5.1 – Security governance
B) 6.2 – Service level agreements (SLAs)
C) 10.3 – Independent third-party audit reports
D) 12.4 – Continuous monitoring