ISC ccsp practice test

Certified Cloud Security Professional Exam

Last exam update: May 12 ,2024
Page 1 out of 34. Viewing questions 1-15 out of 512

Question 1

Which of the following is not an example of a highly regulated environment?

  • A. Financial services
  • B. Healthcare
  • C. Public companies
  • D. Wholesale or distribution
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Wholesalers or distributors are generally not regulated, although the products they sell may be.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

Which of the following is the primary purpose of an SOC 3 report?

  • A. HIPAA compliance
  • B. Absolute assurances
  • C. Seal of approval
  • D. Compliance with PCI/DSS
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
The SOC 3 report is more of an attestation than a full evaluation of controls associated with a service
provider.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Which is the lowest level of the CSA STAR program?

  • A. Attestation
  • B. Self-assessment
  • C. Hybridization
  • D. Continuous monitoring
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
The lowest level is Level 1, which is self-assessment, Level 2 is an external third-party attestation,
and Level 3 is a continuous-monitoring program. Hybridization does not exist as part of the CSA STAR
program.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

Which of the following terms is not associated with cloud forensics?

  • A. eDiscovery
  • B. Chain of custody
  • C. Analysis
  • D. Plausibility
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Plausibility, here, is a distractor and not specifically relevant to cloud forensics.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

Which of the following is not a way to manage risk?

  • A. Transferring
  • B. Accepting
  • C. Mitigating
  • D. Enveloping
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Enveloping is a nonsense term, unrelated to risk management. The rest are not.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Which of the following components are part of what a CCSP should review when looking at
contracting with a cloud service provider?

  • A. Redundant uplink grafts
  • B. Background checks for the provider’s personnel
  • C. The physical layout of the datacenter
  • D. Use of subcontractors
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
The use of subcontractors can add risk to the supply chain and should be considered; trusting the
providers management of their vendors and suppliers (including subcontractors) is important to
trusting the provider. Conversely, the customer is not likely to be allowed to review the physical
design of the datacenter (or, indeed, even know the exact location of the datacenter) or the
personnel security specifics for the providers staff. Redundant uplink grafts is a nonsense term
used as a distractor.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

Which of the following is the best example of a key component of regulated PII?

  • A. Audit rights of subcontractors
  • B. Items that should be implemented
  • C. PCI DSS
  • D. Mandatory breach reporting
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Mandatory breach reporting is the best example of regulated PII components. The rest are generally
considered components of contractual PII.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Which of the following is a valid risk management metric?

  • A. KPI
  • B. KRI
  • C. SOC
  • D. SLA
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
KRI stands for key risk indicator. KRIs are the red flags if you will in the world of risk management.
When these change, they indicate something is amiss and should be looked at quickly to determine
if the change is minor or indicative of something important.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

What is the Cloud Security Alliance Cloud Controls Matrix (CCM)?

  • A. A set of software development life cycle requirements for cloud service providers
  • B. An inventory of cloud services security controls that are arranged into a hierarchy of security domains
  • C. An inventory of cloud service security controls that are arranged into separate security domains
  • D. A set of regulatory requirements for cloud service providers
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
The CSA CCM is an inventory of cloud service security controls that are arranged into separate
security domains, not a hierarchy.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Which of the following is the least challenging with regard to eDiscovery in the cloud?

  • A. Identifying roles such as data owner, controller and processor
  • B. Decentralization of data storage
  • C. Forensic analysis
  • D. Complexities of International law
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Forensic analysis is the least challenging of the answers provided as it refers to the analysis of data
once it is obtained. The challenges revolve around obtaining the data for analysis due to the
complexities of international law, the decentralization of data storage or difficulty knowing where to
look, and identifying the data owner, controller, and processor.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

A data custodian is responsible for which of the following?

  • A. Data context
  • B. Data content
  • C. The safe custody, transport, storage of the data, and implementation of business rules
  • D. Logging access and alerts
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
A data custodian is responsible for the safe custody, transport, and storage of data, and the
implementation of business roles.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Which of the following storage types is most closely associated with a database-type storage
implementation?
A. Object
B. Unstructured
C. Volume
D. Structured

Answer:

D

Explanation:
Structured storage involves organized and categorized data, which most closely resembles and
operates like a database system would.

Discussions
0 / 1000

Question 13

Which of the following roles is responsible for creating cloud components and the testing and
validation of services?

  • A. Cloud auditor
  • B. Inter-cloud provider
  • C. Cloud service broker
  • D. Cloud service developer
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
The cloud service developer is responsible for developing and creating cloud components and
services, as well as for testing and validating services.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

The baseline should cover which of the following?

  • A. Data breach alerting and reporting
  • B. All regulatory compliance requirements
  • C. As many systems throughout the organization as possible
  • D. A process for version control
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
The more systems that be included in the baseline, the more cost-effective and scalable the baseline
is. The baseline does not deal with breaches or version control; those are the provinces of the
security office and CMB, respectively. Regulatory compliance might (and usually will) go beyond the
baseline and involve systems, processes, and personnel that are not subject to the baseline.

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

The BC/DR kit should include all of the following except:

  • A. Annotated asset inventory
  • B. Flashlight
  • C. Hard drives
  • D. Documentation equipment
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
While hard drives may be useful in the kit (for instance, if they store BC/DR data such as inventory
lists, baselines, and patches), they are not necessarily required. All the other items should be
included.

Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2