Cloud Security Alliance Cloud Security Alliance Certifications CCSK Questions & Answers

• Question 21:

  When mapping functions to lifecycle phases, which functions are required to successfully process data?

  A. Create, Store, Use, and Share

  B. Create and Store

  C. Create and Use

  D. Create, Store, and Use

  E. Create, Use, Store, and Delete

  Correct Answer: C

  From Security Guidance v4. Section 5.1.2.2, Table 1--Information Lifecycle Phases:

  Function "Read" to ALL phases,

  Function "Process" to Create and Use, and

  Function "Store" to Store and Archive.

• Question 22:

  When designing an encryption system, you should start with a threat model.

  A. False

  B. True

  Correct Answer: B

  B. True

  When designing an encryption system, it is highly recommended to start with a threat model.

  A threat model helps identify potential risks, vulnerabilities, and attack vectors that the encryption system may face. It involves analyzing the system's assets, potential adversaries, and the potential impact of successful attacks. By understanding the threats and risks, designers can make informed decisions about the appropriate encryption algorithms, key management practices, and overall system architecture.

  Threat modeling allows designers to identify potential weaknesses in the encryption system and make proactive decisions to mitigate those risks. It helps ensure that the encryption system is designed to effectively protect sensitive data and withstand potential attacks.

  Therefore, starting the design process with a threat model is an important step in developing a robust and secure encryption system.

• Question 23:

  Which of the following statements is true in regards to Data Loss Prevention (DLP)?

  A. DLP can provide options for quickly deleting all of the data stored in a cloud environment.

  B. DLP can classify all data in a storage repository.

  C. DLP never provides options for how data found in violation of a policy can be handled.

  D. DLP can provide options for where data is stored.

  E. DLP can provide options for how data found in violation of a policy can be handled.

  Correct Answer: E

  Data Loss Prevention (DLP) solutions are designed to monitor and protect sensitive data in various environments, such as cloud storage, networks, and endpoints. When sensitive data is identified, DLP systems can provide options for handling the data based on predefined policies. These options may include actions such as blocking the data transmission, encrypting the data, alerting administrators, quarantining the data, or applying remediation measures. The goal is to prevent data loss or unauthorized exposure of sensitive information.

• Question 24:

  Audits should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards. They should also use what type of auditors?

  A. Auditors working in the interest of the cloud customer

  B. Independent auditors

  C. Certified by CSA

  D. Auditors working in the interest of the cloud provider

  E. None of the above

  Correct Answer: B

  (Security Guidance p57) Proper organizational governance naturally includes audit and assurance. Audits must be independently conducted and should be robustly designed to reflect best practice, appropriate resources, and tested protocols and standards. Before delving into cloud implications we need to define the scope of audit management related to information security.

• Question 25:

  What should every cloud customer set up with its cloud service provider (CSP) that can be utilized in the event of an incident?

  A. A data destruction plan

  B. A communication plan

  C. A back-up website

  D. A spill remediation kit

  E. A rainy day fund

  Correct Answer: B

  (Security Guidance p.107) • Cloud customers must set up proper communication paths with the provider that can be utilized in the event of an incident. Existing open standards can facilitate incident communication.

• Question 26:

  What are the primary security responsibilities of the cloud provider in compute virtualizations?

  A. Enforce isolation and maintain a secure virtualization infrastructure

  B. Monitor and log workloads and configure the security settings

  C. Enforce isolation and configure the security settings

  D. Maintain a secure virtualization infrastructure and configure the security settings

  E. Enforce isolation and monitor and log workloads

  Correct Answer: A

  A. Enforce isolation and maintain a secure virtualization infrastructure.

  Cloud providers are responsible for ensuring that virtualized resources are isolated from each other, providing strong segregation between tenants. They must implement robust virtualization technologies and mechanisms to enforce this isolation, preventing unauthorized access or interference between different workloads.

  Additionally, cloud providers have the responsibility to maintain a secure virtualization infrastructure. This includes regularly patching and updating the underlying hypervisors, managing the host environment's security configurations, and implementing security measures to protect against vulnerabilities or attacks targeting the virtualization layer.

  While customers have their own security responsibilities within their virtual instances, the cloud provider's role primarily involves enforcing isolation and maintaining a secure virtualization infrastructure. Customers, on the other hand, are responsible for configuring the security settings within their virtual instances and monitoring and logging their own workloads (option B and E).

• Question 27:

  Which governance domain focuses on proper and adequate incident detection, response, notification, and remediation?

  A. Data Security and Encryption

  B. Information Governance

  C. Incident Response, Notification and Remediation

  D. Compliance and Audit Management

  E. Infrastructure Security

  Correct Answer: C

• Question 28:

  Which opportunity helps reduce common application security issues?

  A. Elastic infrastructure

  B. Default deny

  C. Decreased use of micro-services

  D. Segregation by default

  E. Fewer serverless configurations

  Correct Answer: D

  10.1.5 Some of these have nothing directly to do with security, but the following trends offer opportunities to reduce common security issues: Segregation by default

• Question 29:

  What is the most significant security difference between traditional infrastructure and cloud computing?

  A. Management plane

  B. Intrusion detection options

  C. Secondary authentication factors

  D. Network access points E. Mobile security configuration options

  Correct Answer: A

• Question 30:

  A security failure at the root network of a cloud provider will not compromise the security of all customers because of multitenancy configuration.

  A. False

  B. True

  Correct Answer: A