PrepIQ PECB Certified Cloud Security Manager Ultimate Exam, Exams of Technology

A comprehensive exam covering cloud security strategies, implementation of cloud controls, risk mitigation, incident handling in cloud environments, and vendor management. Candidates analyze cloud architectures (IaaS, PaaS, SaaS), encryption practices, monitoring techniques, multi-cloud considerations, and policy creation aligned with security frameworks.

Typology: Exams

2025/2026

Available from 05/01/2026

shilpi-jain-3
PrepIQ PECB Certified Cloud Security Manager Ultimate Exam
**Question 1. Which ISO/IEC standard provides guidelines specifically for security controls in cloud services?**
A) ISO/IEC 27001
B) ISO/IEC 27017
C) ISO/IEC 27018
D) ISO/IEC 27035
**Answer:** B
**Explanation:** ISO/IEC 27017 provides guidance on information security controls for cloud service providers and cloud service customers, extending ISO/IEC 27002 with cloud-specific implementation guidance and additional cloud controls.
**Question 2. In the shared responsibility model for IaaS, which of the following is typically the customer's responsibility?**
A) Physical security of data centers
B) Hypervisor patching
C) Operating system configuration
D) Network backbone maintenance
**Answer:** C
**Explanation:** In IaaS, the provider secures the physical infrastructure, the network backbone and the hypervisor, while the customer is responsible for the guest operating system, middleware, applications and data.
**Question 3. Which cloud characteristic describes the ability to provision computing resources automatically without human interaction?**
A) Broad network access
B) Measured service
C) Rapid elasticity
D) On-demand self-service

**Answer:** D
**Explanation:** On-demand self-service allows users to provision resources automatically through a portal or API, without requiring human interaction with the provider.
**Question 4. A public cloud service provider offers a SaaS application that processes the personal data of individuals in the EU. Which regulation is most directly applicable?**
A) HIPAA
B) GDPR
C) PCI-DSS
D) SOX
**Answer:** B
**Explanation:** The General Data Protection Regulation (GDPR) applies to the processing of personal data of individuals in the EU, regardless of their citizenship and of where the service is hosted.
**Question 5. Which cloud deployment model is best suited for multiple organizations with shared concerns such as compliance or security requirements?**
A) Public cloud
B) Private cloud
C) Community cloud
D) Hybrid cloud
**Answer:** C
**Explanation:** A community cloud is shared by several organizations with common objectives, policies, and compliance needs.
**Question 6. According to ISO/IEC 27018, which control is essential for protecting PII in a public cloud?**

**Question 9. Which threat modeling technique focuses on categorizing threats as Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege?**
A) STRIDE
B) PASTA
C) OCTAVE
D) Attack Trees
**Answer:** A
**Explanation:** STRIDE is a widely used model that classifies threats into those six categories; each category maps to a security property that is violated (authentication, integrity, non-repudiation, confidentiality, availability, authorization).
**Question 10. When performing a cloud-specific Privacy Impact Assessment (PIA), the primary focus is on:**
A) Availability of services
B) Confidentiality of encryption keys
C) Impact of processing personal data on privacy rights
D) Cost of cloud services
**Answer:** C
**Explanation:** A PIA evaluates how the processing of personal data may affect individuals' privacy and identifies measures to mitigate those effects.
**Question 11. Which ISO/IEC 27017 control addresses the need for a cloud customer to maintain an inventory of its cloud assets?**
A) A.5 – Information security policy
B) A.8 – Asset management
C) A.9 – Access control
D) A.12 – Operations security
**Answer:** B

**Explanation:** Control A.8 deals with asset management, including maintaining an inventory of assets; ISO/IEC 27017 adds that the cloud service customer's inventory should account for the information and assets stored in the cloud computing environment.
**Question 12. In a hybrid cloud architecture, data that must remain on-premise for compliance reasons is typically stored in:**
A) The public cloud tier
B) The private cloud tier
C) A community cloud tier
D) A SaaS application
**Answer:** B
**Explanation:** A hybrid cloud combines private (on-premise or hosted private) and public resources; data subject to residency or compliance constraints stays in the private tier, while less sensitive workloads use the public tier.
**Question 13. Which of the following is a key difference between SaaS and PaaS regarding the shared responsibility model?**
A) In SaaS, the provider secures the underlying OS.
B) In PaaS, the customer is responsible for physical security.
C) In SaaS, the customer manages the network stack.
D) In PaaS, the provider manages the application code.
**Answer:** A
**Explanation:** In SaaS, the provider handles everything from the physical infrastructure through the operating system and runtime up to the application itself, leaving the customer mainly responsible for its data, user access and configuration. In PaaS the provider also secures the OS, but the customer still owns the application code it deploys.
**Question 14. Which ISO/IEC 27005 activity is performed first when managing cloud security risks?**
A) Risk treatment planning
B) Risk identification

A) Tester has no knowledge of the environment.
B) Tester only knows public IP addresses.
C) Tester receives architecture diagrams and source code.
D) Tester performs social engineering only.
**Answer:** C
**Explanation:** White-box testing provides the tester with detailed internal information, such as architecture designs, configurations and source code.
**Question 18. Which metric is most appropriate for measuring the effectiveness of a cloud logging solution?**
A) Number of virtual machines deployed per month
B) Percentage of log entries retained for the required retention period
C) Average CPU utilization of cloud instances
D) Total storage cost per month
**Answer:** B
**Explanation:** The proportion of log entries retained for the required period measures directly whether the logging solution meets its objective and the associated compliance requirement; the other options measure capacity or cost, not logging.
**Question 19. Under ISO/IEC 27018, "Consent" for processing PII in the cloud must be:**
A) Implied by usage of the service
B) Obtained after data is processed
C) Explicit, specific, informed, and freely given
D) Optional for non-EU citizens
**Answer:** C
**Explanation:** ISO/IEC 27018 builds on the ISO/IEC 29100 privacy principles, under which consent must be freely given, specific and informed (opt-in rather than implied); this is consistent with the GDPR notion of consent.

**Question 20. Which of the following is a primary function of a Cloud Access Security Broker (CASB)?**
A) Provide physical security for data centers
B) Enforce security policies on cloud service usage
C) Manufacture server hardware
D) Offer DNS resolution services
**Answer:** B
**Explanation:** A CASB sits between cloud users and cloud providers (inline as a proxy, through provider APIs, or both) to enforce security, compliance, and governance policies on cloud usage, for example discovering shadow IT, applying data loss prevention rules, or blocking risky actions.
**Question 21. When selecting a cloud provider, an organization should assess the provider's compliance with which of the following standards to demonstrate alignment with ISO/IEC 27001?**
A) ISO/IEC 27017 certification only
B) SOC 2 Type II report
C) PCI-DSS Level 1
D) ISO 9001 certification
**Answer:** B
**Explanation:** A SOC 2 Type II report contains an independent auditor's assessment of the operating effectiveness, over a period of time, of the provider's controls for security, availability, processing integrity, confidentiality and privacy, which complements an ISO/IEC 27001-based assessment of the provider.
**Question 22. Which of the following is a recommended practice for key management in a multi-tenant cloud environment?**
A) Store all keys in a shared database accessible by all tenants.
B) Use a dedicated Hardware Security Module (HSM) per tenant.
C) Rotate keys only when a breach is detected.
D) Generate keys manually and distribute via email.

C) Rapid elasticity
D) Resource pooling
**Answer:** B
**Explanation:** Measured service means that resource usage is monitored, controlled, and reported (and typically billed) on a per-use basis.
**Question 26. Which of the following statements best describes "rapid elasticity" in cloud computing?**
A) Resources are allocated manually by administrators.
B) Capacity can be scaled up or down automatically in response to demand.
C) All resources are pre-provisioned regardless of need.
D) Billing is fixed monthly regardless of usage.
**Answer:** B
**Explanation:** Rapid elasticity enables automatic scaling of resources to match workload fluctuations.
**Question 27. Under ISO/IEC 27032, which domain primarily addresses cloud-related threats?**
A) Cyber-crime
B) Cloud-specific threats and vulnerabilities
C) Physical security
D) Human resource security
**Answer:** B
**Explanation:** ISO/IEC 27032's "Cloud-specific threats and vulnerabilities" domain focuses on issues unique to cloud environments.
**Question 28. Which of the following is a key benefit of using a multi-cloud strategy from a security perspective?**

A) Reduces the need for encryption.
B) Eliminates all third-party risk.
C) Increases resilience by avoiding vendor lock-in.
D) Guarantees compliance with all regulations automatically.
**Answer:** C
**Explanation:** A multi-cloud strategy improves resilience and reduces dependency on a single provider. It does not remove third-party risk or guarantee compliance, and it adds the burden of applying security controls consistently across more than one platform.
**Question 29. In ISO/IEC 27018, the control "A.14.2 – Secure development lifecycle" is intended to ensure:**
A) Physical security of data centers.
B) Secure handling of PII throughout software development.
C) Proper financial accounting of cloud services.
D) Availability of backup copies.
**Answer:** B
**Explanation:** A.14.2 requires that security considerations be integrated into all phases of software development, especially where PII is handled.
**Question 30. Which of the following is an example of a "technical control" for protecting data in transit in a cloud environment?**
A) Security awareness training
B) Encryption using TLS
C) Contractual clauses with the provider
D) Physical lock on the server rack
**Answer:** B
**Explanation:** TLS encryption is a technical control that protects the confidentiality and integrity of data while it moves across networks; the other options are administrative (A, C) or physical (D) controls.

**Explanation:** Awareness programs educate users about security threats, such as phishing, to reduce the likelihood of user-driven incidents.
**Question 34. In a cloud environment, which of the following is the most appropriate method for ensuring integrity of stored objects?**
A) Storing objects in plain text
B) Using checksums or hash values for each object
C) Relying on the provider's physical security only
D) Disabling versioning to save storage space
**Answer:** B
**Explanation:** Recording a checksum or cryptographic hash (e.g. SHA-256) for each object at write time and recomputing it on read lets you verify that the stored data has not been altered; object versioning, the opposite of option D, complements this by preserving earlier copies.
**Question 35. Which risk assessment methodology is specifically tailored for cloud environments and incorporates service level objectives?**
A) NIST SP 800-30
B) ISO/IEC 27005
C) Cloud Risk Assessment Framework (CRAF)
D) OCTAVE Allegro
**Answer:** C
**Explanation:** CRAF is designed for cloud risk assessment, aligning risks with service level objectives and cloud-specific factors.
**Question 36. According to ISO/IEC 27017, who is primarily responsible for ensuring that encryption keys are destroyed when no longer needed?**
A) Cloud provider
B) Cloud broker
C) Cloud customer

D) Regulatory authority
**Answer:** C
**Explanation:** The customer retains responsibility for the lifecycle of the keys it uses, including secure destruction, under the shared responsibility model.
**Question 37. Which of the following is a core component of a Cloud Security Posture Management (CSPM) solution?**
A) Automated patching of on-premise servers
B) Continuous compliance monitoring of cloud configurations
C) Physical security guard scheduling
D) Network cable management
**Answer:** B
**Explanation:** CSPM tools continuously assess cloud configurations (storage, network, identity and logging settings) against best-practice baselines and regulatory standards, and flag misconfigurations and drift from an approved state.
**Question 38. In the context of ISO/IEC 27018, which of the following is considered "Sensitive Personal Data"?**
A) A public email address listed on a website
B) A user's hashed password stored in a database
C) A customer's full credit-card number
D) System logs that contain only timestamps
**Answer:** C
**Explanation:** Credit-card numbers are classified as sensitive personal data requiring special protection.
**Question 39. Which of the following activities is part of the "risk treatment" phase?**
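The checksum approach from Question 34, carried one step further as an added example (this code is not part of the exam or of any PECB material). It shows that a plain hash stored next to the object detects accidental corruption or a careless attacker, but an attacker with write access to the bucket can simply recompute it; an HMAC under a key the customer holds outside the store closes that gap. The ObjectStore class is an in-memory stand-in for a bucket, and the object contents, key and tampering scenarios are constructed for illustration.

```python
"""Verifying the integrity of stored objects with per-object digests.

Added example for Question 34; not part of the exam. ObjectStore is an
in-memory stand-in for a cloud bucket; the object contents, the key and the
tampering scenarios below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ObjectStore:
    """Bucket stand-in: object bytes plus a manifest of digests.

    The manifest lives in the same store as the objects, which is exactly the
    situation an attacker with write access to the bucket can abuse.
    """
    objects: dict[str, bytes] = field(default_factory=dict)
    manifest: dict[str, str] = field(default_factory=dict)   # name -> hex digest


def digest(data: bytes, key: bytes | None = None) -> str:
    """Plain SHA-256 without a key, HMAC-SHA-256 under a key otherwise.

    A plain hash only proves the bytes match *some* digest; an HMAC under a key
    the storage side never sees proves they match a digest the customer made.
    """
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def put_object(store: ObjectStore, name: str, data: bytes, key: bytes | None = None) -> None:
    """Write the object and record its digest in the manifest."""
    store.objects[name] = data
    store.manifest[name] = digest(data, key)


def verify_object(store: ObjectStore, name: str, key: bytes | None = None) -> bool:
    """Recompute the digest of what is stored now and compare it to the manifest.

    compare_digest runs in constant time, so the comparison itself does not
    leak how many leading characters matched.
    """
    expected = store.manifest[name]
    actual = digest(store.objects[name], key)
    return hmac.compare_digest(expected, actual)


def tampering_goes_undetected(keyed_manifest: bool, attacker_rewrites_manifest: bool) -> bool:
    """Run one constructed scenario; True means verification still passes afterwards.

    keyed_manifest: the customer records HMACs under a key it keeps itself.
    attacker_rewrites_manifest: the attacker, who has write access to the
    bucket, also replaces the manifest entry. They can compute a plain SHA-256
    of their new content but do not hold the customer's HMAC key.
    """
    key = secrets.token_bytes(32) if keyed_manifest else None
    store = ObjectStore()
    name = "invoice-2025-0042.pdf"
    put_object(store, name, b"amount=100.00 payee=ACME", key)

    # Attacker silently alters the stored object.
    forged = b"amount=999.00 payee=MALLORY"
    store.objects[name] = forged
    if attacker_rewrites_manifest:
        store.manifest[name] = digest(forged)   # plain hash: no key available

    return verify_object(store, name, key)


if __name__ == "__main__":
    for keyed in (False, True):
        for rewrites in (False, True):
            undetected = tampering_goes_undetected(keyed, rewrites)
            print(f"keyed manifest={keyed!s:5} attacker rewrites manifest={rewrites!s:5} "
                  f"-> {'UNDETECTED' if undetected else 'detected'}")
```

Of the four scenarios, only "plain hash, attacker rewrites the manifest too" goes undetected. Provider-side checksums on upload verify the transfer, not the later honesty of everyone who can write to the bucket; keep the manifest (or the HMAC key) outside the bucket, and enable versioning so that a detected alteration can also be rolled back.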

**Question 42. In a cloud incident response plan, the "communication" section should define:**
A) The encryption algorithm for data at rest
B) The internal and external notification procedures, including regulatory reporting timelines
C) The pricing model for additional bandwidth
D) The physical layout of the data center
**Answer:** B
**Explanation:** Effective incident response includes clear communication channels, escalation paths and reporting obligations, including statutory deadlines such as the GDPR requirement to notify the supervisory authority of a personal data breach within 72 hours where feasible.
**Question 43. Which of the following is a legal implication of failing to comply with ISO/IEC 27018 when processing the personal data of individuals in the EU?**
A) Increased latency in cloud services
B) Potential fines under GDPR
C) Loss of DNS resolution
D) Higher storage costs
**Answer:** B
**Explanation:** ISO/IEC 27018 is itself a voluntary standard, but failing to apply the PII protections it describes when processing data of individuals in the EU can amount to a GDPR violation, and it is GDPR that carries the regulatory fines.
**Question 44. Which of the following best illustrates "resource pooling" in cloud computing?**
A) Each tenant receives dedicated hardware.
B) Multiple tenants share the same physical resources, such as CPU and storage, via virtualization.
C) Resources are allocated manually by an administrator.
D) Users must purchase hardware upfront.

**Answer:** B
**Explanation:** Resource pooling enables multiple customers to share pooled physical resources through virtualization, achieving economies of scale; the tenant isolation this requires is one of the main security concerns of multi-tenancy.
**Question 45. Which control from ISO/IEC 27017 A.12 focuses on ensuring that cloud operations are monitored for security events?**
A) A.12.4 – Logging and monitoring
B) A.12.3 – Backup
C) A.12.1.2 – Change management
D) A.12.1.3 – Capacity management
**Answer:** A
**Explanation:** A.12.4 (Logging and monitoring) requires event logging, protection of log information and clock synchronisation so that security events can be detected; ISO/IEC 27017 adds that the provider should give customers the monitoring capabilities they need for their own use of the service. (In the ISO/IEC 27002:2013 numbering that ISO/IEC 27017 follows, 12.1 covers operational procedures, of which change management is 12.1.2 and capacity management 12.1.3.)
**Question 46. When an organization adopts a "Zero Trust" model for its cloud environment, which principle is most emphasized?**
A) Implicit trust for internal network traffic
B) Trust only after continuous verification of identity, device, and context
C) Relying solely on perimeter firewalls
D) Using only physical security controls
**Answer:** B
**Explanation:** Zero Trust removes implicit trust based on network location: every access request is authenticated and authorized using identity, device posture and context, and that verification is repeated continuously rather than performed once at the perimeter.
**Question 47. Which of the following is a typical deliverable of a Cloud Security Risk Assessment?**
A) Service level agreement template
B) List of identified risks with likelihood, impact, and recommended controls
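What "continuous compliance monitoring of cloud configurations" (Question 37) looks like in practice, including a logging rule in the spirit of Question 45, as an added example that is not part of the exam: a small rule engine runs over an inventory snapshot, emits one finding per violated rule, computes a compliance figure, and compares two scans to report drift. The inventory schema, the rule identifiers and the sample resources are constructed for illustration and do not map to any particular provider's API.

```python
"""Minimal CSPM-style configuration checker with drift between two scans.

Added example for Questions 37 and 45; not part of the exam. The inventory
schema, rule identifiers and sample resources are constructed and do not map
to any real provider's API.
"""
from __future__ import annotations

from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}   # SSH and RDP


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    detail: str


# Predicates return True when the resource violates the rule.
def bucket_public(r: dict) -> bool:
    return not r.get("block_public_access", False)


def bucket_unencrypted(r: dict) -> bool:
    return not r.get("encryption_at_rest", False)


def bucket_no_access_log(r: dict) -> bool:
    # Without access logging there is nothing to monitor for security events.
    return not r.get("access_logging", False)


def vm_admin_port_open_to_world(r: dict) -> bool:
    return any(rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS
               for rule in r.get("ingress", []))


def vm_no_monitoring_agent(r: dict) -> bool:
    return not r.get("monitoring_agent", False)


# (rule id, severity, resource type, violation predicate, human-readable detail)
RULES = [
    ("STORAGE-001", "high",   "bucket", bucket_public,               "public access not blocked"),
    ("STORAGE-002", "high",   "bucket", bucket_unencrypted,          "encryption at rest disabled"),
    ("STORAGE-003", "medium", "bucket", bucket_no_access_log,        "access logging disabled"),
    ("COMPUTE-001", "high",   "vm",     vm_admin_port_open_to_world, "admin port reachable from 0.0.0.0/0"),
    ("COMPUTE-002", "medium", "vm",     vm_no_monitoring_agent,      "no monitoring agent installed"),
]


def evaluate(inventory: list[dict]) -> list[Finding]:
    """Run every applicable rule over every resource; one Finding per violation."""
    findings = []
    for res in inventory:
        for rule_id, severity, rtype, violated, detail in RULES:
            if res["type"] == rtype and violated(res):
                findings.append(Finding(res["id"], rule_id, severity, detail))
    return findings


def compliance_percent(inventory: list[dict]) -> float:
    """Share of resources with no findings at all."""
    failing = {f.resource for f in evaluate(inventory)}
    return 100.0 * (len(inventory) - len(failing)) / len(inventory)


def drift(previous: list[Finding], current: list[Finding]) -> tuple[set[Finding], set[Finding]]:
    """Continuous monitoring means comparing scans: (new findings, resolved findings)."""
    prev, cur = set(previous), set(current)
    return cur - prev, prev - cur


# Constructed inventory snapshot (not real cloud data).
SAMPLE_INVENTORY = [
    {"id": "logs-archive", "type": "bucket", "block_public_access": True,
     "encryption_at_rest": True, "access_logging": True},
    {"id": "marketing-assets", "type": "bucket", "block_public_access": False,
     "encryption_at_rest": True, "access_logging": False},
    {"id": "bastion-01", "type": "vm", "monitoring_agent": True,
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "app-02", "type": "vm", "monitoring_agent": False,
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
]


if __name__ == "__main__":
    first = evaluate(SAMPLE_INVENTORY)
    for f in first:
        print(f"{f.severity:6} {f.rule} {f.resource}: {f.detail}")
    print(f"compliant resources: {compliance_percent(SAMPLE_INVENTORY):.0f}%")

    # Second scan after someone blocks public access on the marketing bucket.
    fixed = [dict(r, block_public_access=True) if r["id"] == "marketing-assets" else r
             for r in SAMPLE_INVENTORY]
    new, resolved = drift(first, evaluate(fixed))
    print("new:", sorted(f.rule for f in new), "resolved:", sorted(f.rule for f in resolved))
```

A real CSPM product differs in scale, not in shape: the inventory comes from provider APIs on a schedule or from change events, the rule set is mapped to frameworks such as ISO/IEC 27017 or CIS benchmarks, and the drift output feeds ticketing or automated remediation.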

A) A.9.2 – User access provisioning
B) A.9.4 – Password management system
C) A.7.2 – Security awareness training
D) A.12.3 – Change management
**Answer:** B
**Explanation:** A.9.4 (system and application access control) contains the password management system control, which requires password management systems to be interactive and to enforce quality passwords, including complexity and rotation requirements.
**Question 51. A cloud provider offers a "serverless" computing platform. Which cloud service model does this most closely align with?**
A) Infrastructure as a Service (IaaS)
B) Platform as a Service (PaaS)
C) Software as a Service (SaaS)
D) Function as a Service (FaaS) – a subset of PaaS
**Answer:** D
**Explanation:** Serverless (FaaS) is considered a subset of PaaS: the provider runs and scales the execution environment, and developers focus solely on the code of individual functions.
**Question 52. Which of the following is a primary reason for implementing encryption of data in transit for cloud workloads?**
A) To reduce storage costs
B) To comply with physical security standards
C) To protect confidentiality against interception
D) To improve application performance
**Answer:** C
**Explanation:** Encryption in transit safeguards data from eavesdropping and man-in-the-middle attacks on the network path between the client, the cloud service and any intermediaries.

**Question 53. Under ISO/IEC 27017, the control "A.13.1 – Network security management" includes which of the following activities?**
A) Physical access control to server rooms
B) Configuring firewalls and virtual private networks (VPNs)
C) Conducting user security awareness training
D) Managing backup schedules
**Answer:** B
**Explanation:** Network security management covers controlling and protecting network traffic, for example with firewalls, VPNs and segregation of networks; in a cloud context this includes virtual network and security group configuration.
**Question 54. Which of the following best describes "elastic load balancing" in a cloud environment?**
A) Manually assigning traffic to a single server
B) Dynamically distributing incoming traffic across multiple instances based on demand
C) Using a fixed DNS record for all traffic
D) Disabling auto-scaling features
**Answer:** B
**Explanation:** Elastic load balancing automatically distributes traffic across healthy instances, adding or removing targets as demand changes, to maintain performance and availability.
**Question 55. A cloud customer is required to retain audit logs for three years to meet regulatory requirements. Which ISO/IEC 27017 control supports this need?**
A) A.12.4 – Logging and monitoring retention
B) A.8.2 – Asset classification
C) A.9.5 – Access review
D) A.15.3 – Supplier audit