As you go through the questions in this book, please remember the abbreviation RTFQ, which is short for “read the full question.” There is no better advice you can possibly receive than this. Read every word of every question. Read every possible answer before selecting the one you like. The exam is 125 questions over three hours. You have more than enough time to consider each question thoroughly. There is no cause for hurry. Make sure you understand what the question is asking before responding.
Good luck on the exam. I’m hoping this book helps you pass.
CHAPTER 1 Domain 1: Cloud Concepts, Architecture, and Design
Domain 1 of the Certified Cloud Security Professional (CCSP) Exam Outline is an introductory section that touches on almost every other element of the exam outline, so you’ll find a wide breadth of content and subject matter ranging over many topics. The questions in this chapter reflect that broad scope but also go into some level of detail on certain aspects you’ll find pertinent to the exam.
1 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which cloud service model should she most likely consider for her company’s purposes?
A. Platform as a service (PaaS)
B. Software as a service (SaaS)
C. Backup as a service (BaaS)
D. Infrastructure as a service (IaaS)
2 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. Which aspect of cloud computing should she be most concerned about, in terms of security issues?
A. Multitenancy
B. Metered service
C. Service-level agreement (SLA)
D. Remote access
3 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. In order to protect her company’s intellectual property, Alice might want to consider implementing all these techniques/solutions except ____________.
A. Egress monitoring
B. Encryption
C. Turnstiles
D. Digital watermarking
4 Alice is the CEO for a software company; she is considering migrating the operation from the current traditional on-premises environment into the cloud. What is probably the biggest factor in her decision?
A. Network scalability
B. Off-site backup capability
C. Global accessibility
D. Reduced overall cost due to outsourcing administration
5 In which of the following situations does the data owner have to administer the OS?
A. IaaS
B. PaaS
C. Off-site archive
D. SaaS
6 You are setting up a cloud implementation for an online retailer who will accept credit card payments. According to the Payment Card Industry Data Security Standard (PCI DSS), what can you never store for any length of time?
A. Personal data of consumers
B. The credit card verification (CCV) number
C. The credit card number
D. Home address of the customer
7 The Payment Card Industry Data Security Standard (PCI DSS) distinguishes merchants by different tiers, based on ____________.
A. Number of transactions per year
B. Dollar value of transactions per year
C. Geographic location
D. Jurisdiction
8 What is usually considered the difference between business continuity (BC) efforts and disaster recovery (DR) efforts?
A. BC involves a recovery time objective (RTO), and DR involves a recovery point objective (RPO).
B. BC is for events caused by humans (like arson or theft), whereas DR is for natural disasters.
C. BC is about maintaining critical functions during a disruption of normal operations, and DR is about recovering to normal operations after a disruption.
D. BC involves protecting human assets (personnel, staff, users), whereas DR is about protecting property (assets, data).
9 For business continuity and disaster recovery (BC/DR) purposes, the contract between the primary cloud provider and customer should include all of the following except _______________.
A. Which party will be responsible for initiating a BC/DR response activity
B. How a BC/DR response will be initiated
C. How soon the customer’s data can be ported to a new cloud provider in the event a disruptive event makes the current provider unable to continue service
D. How much a new cloud provider will charge the customer if data has to be ported from the current cloud provider because of a disruptive event
10 When the cloud customer requests modifications to the current contract or service-level agreement (SLA) for business continuity/disaster recovery (BC/DR) purposes, who should absorb the cost of modification?
A. The customer absorbs the cost.
B. The provider absorbs the cost.
C. The cost should be split equally.
D. Modifications don’t cost anything.
11 Which of the following is not a factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
A. Pooled resources in the cloud
B. Shifting from IT investment as capital expenditures to operational expenditures
C. The time savings and efficiencies offered by the cloud service
D. Branding associated with which cloud provider might be selected
12 Which of the following is the least important factor an organization might use in the cost–benefit analysis when deciding whether to migrate to a cloud environment?
A. Depreciation of IT assets
B. Shift in focus from IT dependencies to business process opportunities
C. Whether the provider bills on a monthly or weekly basis
D. Costs associated with utility consumption
13 Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment into the cloud?
A. Number of users
B. Cost of software licensing
C. Number of applications
D. Number of clientele
14 Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment to the cloud?
A. Utilities costs
B. Security costs
C. Landscaping costs
D. Travel costs
15 Which of the following is an aspect of IT costs that will likely be reduced by moving from a traditional, on-premises IT environment to the cloud?
A. Personnel training
B. Personnel turnover
C. Capital expenses for IT assets
D. Loss due to an internal data breach
16 Although cloud migration might offer significant cost savings for an organization, which of the following factors might reduce the actual financial benefit the organization realizes in a cloud environment?
A. Altitude of the cloud data center
B. Security controls and countermeasures
C. Loss of ownership of IT assets
D. Costs of Internet connectivity for remote users
17 What is the international standard that dictates creation of an organizational information security management system (ISMS)?
A. NIST SP 800-53
B. PCI DSS
C. ISO 27001
D. NIST SP 800-37
18 ISO 27001 favors which type of technology?
A. Open source
B. PC
C. Cloud-based
D. None
19 Why might an organization choose to comply with the ISO 27001 standard?
A. Price
B. Ease of implementation
C. International acceptance
D. Speed
20 Why might an organization choose to comply with NIST SP 800-series standards?
A. Price
B. Ease of implementation
C. International acceptance
D. Speed
21 Which standard contains guidance for selecting, implementing, and managing information security controls mapped to an information security management system (ISMS) framework?
A. ISO 27002
B. Payment Card Industry Data Security Standard (PCI DSS)
C. NIST SP 800-37
D. Health Insurance Portability and Accountability Act (HIPAA)
22 The American Institute of Certified Public Accountants (AICPA) currently publishes the _______________ standard, from which the Service Organization Control (SOC) reports are derived.
A. Sherwood Applied Business Security Architecture (SABSA)
B. Statement on Standards for Attestation Engagements (SSAE) 18
C. Biba
D. NIST SP 800-53
23 Which U.S. federal law affects banking and insurance companies?
A. NIST SP 800-53
B. HIPAA
C. Sarbanes-Oxley Act (SOX)
D. Gramm-Leach-Bliley Act (GLBA)
24 The Statement on Standards for Attestation Engagements 18 (SSAE 18) Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). What kind of entities were SOC reports designed to audit?
A. U.S. federal government
B. Privately held companies
C. Companies that provide services
D. Nonprofit organizations
25 The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an IT security professional, when reviewing SOC reports for a cloud