To successfully implement ZT security, two crucial processes must be planned and aligned with existing access procedures that the ZT implementation might impact. What are these two processes?
A. Incident and response management
B. Training and awareness programs
C. Vulnerability disclosure and patching management
D. Business continuity planning (BCP) and disaster recovery (DR)
Correct Answer: B
Question 12:
To respond quickly to changes while implementing ZT Strategy, an organization requires a mindset and culture of
A. learning and growth.
B. continuous risk evaluation and policy adjustment.
C. continuous process improvement.
D. project governance.
Correct Answer: B
To respond quickly to changes while implementing ZT Strategy, an organization requires a mindset and culture of continuous risk evaluation and policy adjustment. This means that the organization should constantly monitor the threat landscape, assess the security posture, and update the policies and controls accordingly to maintain a high level of protection and resilience. The organization should also embrace feedback, learning, and improvement as part of the ZT journey.
References:
Certificate of Competence in Zero Trust (CCZT) prepkit, page 7, section 1.3
Cultivating a Zero Trust mindset - AWS Prescriptive Guidance, section "Continuous learning and improvement"
Zero Trust architecture: a paradigm shift in cybersecurity - PwC, section "Continuous monitoring and improvement"
Question 13:
Which element of ZT focuses on the governance rules that define the "who, what, when, how, and why" aspects of accessing target resources?
A. Policy
B. Data sources
C. Scrutinize explicitly
D. Never trust, always verify
Correct Answer: A
Policy is the element of ZT that focuses on the governance rules that define the "who, what, when, how, and why" aspects of accessing target resources. Policy is the core component of a ZTA that determines the access decisions and controls for each request based on various attributes and factors, such as user identity, device posture, network location, resource sensitivity, and environmental context. Policy is also the element that enables the ZT principles of "never trust, always verify" and "scrutinize explicitly" by enforcing granular, dynamic, and data-driven rules for each access request.
References:
Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
What Is Zero Trust Architecture (ZTA)? - F5, section "Policy Engine"
Zero Trust Architecture Project - NIST Computer Security Resource Center, slide 9 [Zero
Question 14:
ZT project implementation requires prioritization as part of the overall ZT project planning activities. One area to consider is ______. Select the best answer.
A. prioritization based on risks
B. prioritization based on budget
C. prioritization based on management support
D. prioritization based on milestones
Correct Answer: A
ZT project implementation requires prioritization as part of the overall ZT project planning activities. One area to consider is prioritization based on risks, which means that the organization should identify and assess the potential threats, vulnerabilities, and impacts that could affect its assets, operations, and reputation, and prioritize the ZT initiatives that address the most critical and urgent risks. Prioritization based on risks helps to align the ZT project with the business objectives and needs, and optimize the use of resources and time.
References:
Zero Trust Planning - Cloud Security Alliance, section "Scope, Priority, and Business Case"
The Zero Trust Journey: 4 Phases of Implementation - SEI Blog, section "Second Phase: Assess"
Planning for a Zero Trust Architecture: A Planning Guide for Federal ..., section "Gap Analysis"
Question 15:
Of the following options, which risk/threat does SDP mitigate by mandating micro-segmentation and implementing least privilege?
A. Identification and authentication failures
B. Injection
C. Security logging and monitoring failures
D. Broken access control
Correct Answer: D
SDP mitigates the risk of broken access control by mandating micro-segmentation and implementing least privilege. Micro-segmentation divides the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. Least privilege grants the minimum necessary access to users and devices for specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents attackers from exploiting weak or misconfigured access controls.
Question 16:
Which component in a ZTA is responsible for deciding whether to grant access to a resource?
A. The policy enforcement point (PEP)
B. The policy administrator (PA)
C. The policy engine (PE)
D. The policy component
Correct Answer: C
The policy engine (PE) is the component in a ZTA that is responsible for deciding whether to grant access to a resource. The PE evaluates the policies and the contextual data collected from various sources, such as the user identity, the device posture, the network location, the resource attributes, and the environmental factors, and then generates an access decision. The PE communicates the access decision to the policy enforcement point (PEP), which enforces the decision on the resource.
References:
Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
What Is Zero Trust Architecture (ZTA)? - F5, section "Policy Engine"
What is Zero Trust Architecture (ZTA)? | NextLabs, section "Core Components"
[SP 800-207, Zero Trust Architecture], page 11, section 3.3.1
Question 17:
In a ZTA, what is a key difference between a policy decision point (PDP) and a policy enforcement point (PEP)?
A. A PDP measures incoming signals against a set of access determination criteria. A PEP uses incoming signals to open or close a connection.
B. A PDP measures incoming signals and makes dynamic risk determinations. A PEP uses incoming signals to make static risk determinations.
C. A PDP measures incoming control plane authentication signals. A PEP measures incoming data plane authorization signals.
D. A PDP measures incoming signals in an untrusted zone. A PEP measures incoming signals in an implicit trust zone.
Correct Answer: A
In a ZTA, a policy decision point (PDP) is a logical component that evaluates the incoming signals from an entity requesting access to a resource against a set of access determination criteria, such as identity, context, device, location, and behavior [1]. A PDP then makes a decision to grant or deny access, or to request additional information or verification, based on the policies defined by the policy administrator [1]. A policy enforcement point (PEP) is a logical component that uses the incoming signals from the PDP to open or close a connection between the entity and the resource [1]. A PEP acts as a gateway or intermediary that enforces the decision made by the PDP and prevents unauthorized or risky access [2].
References:
[1] Zero Trust Architecture | NIST
[2] Policy Enforcement Point (PEP) - Pomerium
Question 18:
Of the following, which option is a prerequisite action to understand the organization's protect surface clearly?
A. Data and asset classification
B. Threat intelligence capability and monitoring
C. Gap analysis of the organization's threat landscape
D. To have the latest risk register for controls implementation
Correct Answer: A
Data and asset classification is a prerequisite action to understand the organization's protect surface clearly because it helps to identify the most critical and sensitive data and assets that need to be protected by Zero Trust principles. Data and asset classification also helps to define the appropriate policies and controls for different levels of data and asset sensitivity.
References:
Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance
Zero Trust Training (ZTT) - Module 2: Data and Asset Classification
Question 19:
Which ZT tenet is based on the notion that malicious actors reside inside and outside the network?
A. Assume breach
B. Assume a hostile environment
C. Scrutinize explicitly
D. Requiring continuous monitoring
Correct Answer: A
The ZT tenet of assume breach is based on the notion that malicious actors reside inside and outside the network, and that any user, device, or service can be compromised at any time. Therefore, ZT requires continuous verification and validation of all entities and transactions, and does not rely on implicit trust or perimeter-based defenses.
Question 20:
In SaaS and PaaS, which access control method will ZT help define for access to the features within a service?
A. Data-based access control (DBAC)
B. Attribute-based access control (ABAC)
C. Role-based access control (RBAC)
D. Privilege-based access control (PBAC)
Correct Answer: B
ABAC is an access control method that uses attributes of the requester, the resource, the environment, and the action to evaluate and enforce policies. ABAC allows for fine-grained and dynamic access control based on the context of the request, rather than predefined roles or privileges. ABAC is suitable for SaaS and PaaS, where the features within a service may vary depending on the customer's needs, preferences, and subscription level. ABAC can help implement ZT by enforcing the principle of least privilege and verifying every request based on multiple factors.
References:
Attribute-Based Access Control (ABAC) Definition
General Access Control Guidance for Cloud Systems
A Guide to Secure SaaS Access Control Within an Organization