74 Which of the following probably poses the most significant risk to the organization?Not having essential BC/DR personnel available during a contingencyNot including all BC/DR elements in the cloud contractReturning to normal operations too soonTelecommunications outages
75 Which of the following probably poses the most significant risk to the organization?Lack of data confidentiality during a contingencyLack of regulatory compliance during a contingencyReturning to normal operations too lateLack of encrypted communications during a contingency
76 Why does the physical location of your data backup and/or BC/DR failover environment matter?It may affect regulatory compliance.Lack of physical security.Environmental factors such as humidity.It doesn’t matter. Data can be saved anywhere without consequence.
77 According to the European Union Agency for Network and Information Security (ENISA), a cloud risk assessment should provide a means for customers to accomplish all these assurance tasks except ___________________.Assess risks associated with cloud migrationCompare offerings from different cloud providersReduce the risk of regulatory noncomplianceReduce the assurance burden on cloud providers
78 The European Union Agency for Network and Information Security’s (ENISA’s) definition of cloud computing differs slightly from the definition offered by (ISC)2 (and, for instance, NIST). What is one of the characteristics listed by ENISA but not included in the (ISC)2 definition?Metered serviceShared resourcesScalabilityProgrammatic management
79 Risk should always be considered from a business perspective. Risk is often balanced by corresponding ___________________.ProfitPerformanceCostOpportunity
80 When considering the option to migrate from an on-premise environment to a hosted cloud service, an organization should weigh the risks of allowing external entities to access the cloud data for collaborative purposes against ___________________.Not securing the data in the traditional environmentDisclosing the data publiclyInviting external personnel into the traditional workspace in order to enhance collaborationSending the data outside the traditional environment for collaborative purposes
81 There are many ways to handle risk. However, the usual methods for addressing risk are not all possible in the cloud because ___________________.Cloud data risks cannot be mitigatedMigrating into a cloud environment necessarily means you are accepting all risksSome risks cannot be transferred to a cloud providerCloud providers cannot avoid risk
82 In which cloud service model does the customer lose the most control over governance?Infrastructure as a service (IaaS)Platform as a service (PaaS)Software as a service (SaaS)Private cloud
83 Which of the following poses a new risk in the cloud, not affecting the traditional, on-premise IT environment?Internal threatsMultitenancyNatural disastersDistributed denial-of-service (DDoS) attacks
84 In addition to the security offered by the cloud provider, a cloud customer must consider the security offered by ___________________.The respective regulatorThe end user(s)Any vendor the cloud customer previously used in the on-premise environmentAny third parties the provider depends on
85 Which of the following poses a new risk in the cloud, not affecting the traditional, on-premise IT environment?User carelessnessInadvertent breachDevice failureResource exhaustion
86 Where is isolation failure probably least likely to pose a significant risk?Public cloudPrivate cloudPaaS environmentSaaS environment
87 Which of the following poses a new risk in the cloud, not affecting the traditional, on-premise environment?FireLegal seizure of another firm’s assetsMandatory privacy data breach notificationsFlooding
88 Which of these does the cloud customer need to ensure protection of intellectual property created in the cloud?Digital rights management (DRM) solutionsIdentity and access management (IAM) solutionsStrong contractual clausesCrypto-shredding
89 What could be the result of failure of the cloud provider to secure the hypervisor in such a way that one user on a virtual machine can see the resource calls of another user’s virtual machine?Unauthorized data disclosureInference attacksSocial engineeringPhysical intrusion
90 Key generation in a cloud environment might have less entropy than the traditional environment for all the following reasons except ___________________.Lack of direct input devicesNo social factorsUniform buildVirtualization
91 Lack of industry-wide standards for cloud computing creates a potential for ___________________.Privacy data breachPrivacy data disclosurevendor lock-invendor lock-out
92 What can hamper the ability of a cloud customer to protect their assets in a managed services arrangement?Prohibitions on port scanning and penetration testingGeographical dispersionRules against training usersLaws that prevent them from doing so
93 Cloud administration almost necessarily violates the principles of the ___________________ security model.Brewer-Nash (Chinese Wall)Graham-DenningBell-LaPadulaBiba
94 The physical layout of a cloud data center campus should include redundancies of all the following except ___________________.Physical perimeter security controls (fences, lights, walls, etc.)The administration/support staff buildingElectrical utility linesCommunications connectivity lines
95 Best practice for planning the physical resiliency for a cloud data center facility includes ___________________.Having one point of egress for personnelEnsuring that any cabling/connectivity enters the facility from different sides of the building/propertyEnsuring that all parking areas are near generators so that personnel in high-traffic areas are always illuminated by emergency lighting, even when utility power is not availableEnsuring that the foundation of the facility is rated to withstand earthquake tremors
96 The physical layout of a cloud data center campus should include redundancies of all the following except ___________________.GeneratorsHVAC unitsGenerator fuel storagePoints of personnel ingress
97 There are two reasons to conduct a test of the organization’s recovery from backup in an environment other than the primary production environment. Which of the following is one of them?It costs more to conduct a test at the same location as the primary workplace.You don’t want to waste travel budget on what is only a test.The risk of negative impact to both production and backup is too high.There won’t be enough room for everyone to sit in the primary facility.
98 There are two reasons to conduct a test of the organization’s recovery from backup in an environment other than the primary production environment. Which of the following is one of them?It is good to invest in more than one community.You want to approximate contingency conditions, which includes not operating in the primary location.It is good for your personnel to see other places occasionally.Your regulators won’t follow you off-site, so you’ll be unobserved during your test.
99 In an IaaS arrangement, who accepts responsibility for securing cloud-based applications?The cloud providerThe cloud customerThe regulatorThe end user/client
100 Industry best practices dictate that cloud customers do not ___________________.Create their own identity and access management (IAM) solutionsCreate contract language that favors them over the providerRetrain personnel for cloud operationsEncrypt data before it reaches the cloud
101 It is possible for the cloud customer to transfer ___________________ risk to the provider, but the cloud customer always retains ultimate legal risk.MarketPerceptionDataFinancial
102 A process for ___________________ can aid in protecting against data disclosure due to lost devices.User punishmentCredential revocationLaw enforcement notificationDevice tracking
103 All of the following can be used in the process of anomaly detection except ___________________.The ratio of failed to successful loginsTransactions completed successfullyEvent time of dayMultiple concurrent logins
104 Critical components should be protected with ___________________.Strong passwordsChain-link fencesHomomorphic encryptionMultifactor authentication
105 It’s important to maintain a current asset inventory list, including surveying your environment on a regular