Which of the following is not an example of a highly regulated environment?
D
Explanation:
Wholesalers or distributors are generally not regulated, although the products they sell may be.
Which of the following is the primary purpose of an SOC 3 report?
C
Explanation:
The SOC 3 report is more of an attestation than a full evaluation of controls associated with a service
provider.
Which is the lowest level of the CSA STAR program?
B
Explanation:
The lowest level is Level 1, which is self-assessment, Level 2 is an external third-party attestation,
and Level 3 is a continuous-monitoring program. Hybridization does not exist as part of the CSA STAR
program.
Which of the following terms is not associated with cloud forensics?
D
Explanation:
Plausibility, here, is a distractor and not specifically relevant to cloud forensics.
Which of the following is not a way to manage risk?
D
Explanation:
Enveloping is a nonsense term, unrelated to risk management. The rest are not.
Which of the following components are part of what a CCSP should review when looking at
contracting with a cloud service provider?
D
Explanation:
The use of subcontractors can add risk to the supply chain and should be considered; trusting the
providers management of their vendors and suppliers (including subcontractors) is important to
trusting the provider. Conversely, the customer is not likely to be allowed to review the physical
design of the datacenter (or, indeed, even know the exact location of the datacenter) or the
personnel security specifics for the providers staff. Redundant uplink grafts is a nonsense term
used as a distractor.
Which of the following is the best example of a key component of regulated PII?
D
Explanation:
Mandatory breach reporting is the best example of regulated PII components. The rest are generally
considered components of contractual PII.
Which of the following is a valid risk management metric?
B
Explanation:
KRI stands for key risk indicator. KRIs are the red flags if you will in the world of risk management.
When these change, they indicate something is amiss and should be looked at quickly to determine
if the change is minor or indicative of something important.
What is the Cloud Security Alliance Cloud Controls Matrix (CCM)?
C
Explanation:
The CSA CCM is an inventory of cloud service security controls that are arranged into separate
security domains, not a hierarchy.
Which of the following is the least challenging with regard to eDiscovery in the cloud?
C
Explanation:
Forensic analysis is the least challenging of the answers provided as it refers to the analysis of data
once it is obtained. The challenges revolve around obtaining the data for analysis due to the
complexities of international law, the decentralization of data storage or difficulty knowing where to
look, and identifying the data owner, controller, and processor.
A data custodian is responsible for which of the following?
C
Explanation:
A data custodian is responsible for the safe custody, transport, and storage of data, and the
implementation of business roles.
Which of the following storage types is most closely associated with a database-type storage
implementation?
A. Object
B. Unstructured
C. Volume
D. Structured
D
Explanation:
Structured storage involves organized and categorized data, which most closely resembles and
operates like a database system would.
Which of the following roles is responsible for creating cloud components and the testing and
validation of services?
D
Explanation:
The cloud service developer is responsible for developing and creating cloud components and
services, as well as for testing and validating services.
The baseline should cover which of the following?
C
Explanation:
The more systems that be included in the baseline, the more cost-effective and scalable the baseline
is. The baseline does not deal with breaches or version control; those are the provinces of the
security office and CMB, respectively. Regulatory compliance might (and usually will) go beyond the
baseline and involve systems, processes, and personnel that are not subject to the baseline.
The BC/DR kit should include all of the following except:
C
Explanation:
While hard drives may be useful in the kit (for instance, if they store BC/DR data such as inventory
lists, baselines, and patches), they are not necessarily required. All the other items should be
included.