Ben Malisow - (ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests

95 Where should the cloud provider’s data discovery requirements be listed?National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53Applicable laws and regulationsPayment Card Industry Data Security Standard (PCI DSS)The managed services contract and SLA

96 Who will determine data classifications for the cloud customer?The cloud providerNational Institute of Standards and Technology (NIST)RegulatorsThe cloud customer

97 An organization’s data classification scheme must include which of the following categories?File sizeOrigin of the dataSensitivity of the dataWhatever the data owner decides

98 Classification is usually considered a facet of data ____________.SecurityLabelingControlMarkup

99 Data classification can be ____________ or ____________.Inverse or obverseAutomatic or manualCorrect or incorrectDiurnal or nocturnal

100 Data may need to be reclassified for all the following reasons except _______________.Color changeTimeRepurposingTransfer of ownership

101 Proper __________ need(s) to be assigned to each data classification/category.Dollar valuesMetadataSecurity controlsPolicies

102 Data transformation in a cloud environment should be of great concern to organizations considering cloud migration because ____________ could affect data classification processes and implementations.MultitenancyVirtualizationRemote accessPhysical distance

103 Who is ultimately responsible for a data breach that includes personally identifiable information (PII), in the event of negligence on the part of the cloud provider?The userThe subjectThe cloud providerThe cloud customer

104 In a personally identifiable information (PII) context, who is the subject?The cloud customerThe cloud providerThe regulatorThe individual

105 In a personally identifiable information (PII) context, who is the processor?The cloud customerThe cloud providerThe regulatorThe individual

106 In a personally identifiable information (PII) context, who is the controller?The cloud customerThe cloud providerThe regulatorThe individual

107 In a personally identifiable information (PII) context, which of the following is not normally considered “processing”?StoringViewingDestroyingPrinting

108 Which of the following countries does not have a national privacy law that concerns personally identifiable information (PII) and applies to all entities?ArgentinaThe United StatesItalyAustralia

109 In protections afforded to personally identifiable information (PII) under the U.S. Health Information Portability and Accountability Act (HIPAA), the subject must __________ in order to allow the vendor to share their personal data.Opt inOpt outUndergo screeningProvide a biometric template

110 In protections afforded to personally identifiable information (PII) under the U.S. Gramm-Leach-Bliley Act (GLBA), the subject must __________ in order to prevent the vendor from sharing their personal data.Opt inOpt outUndergo screeningProvide a biometric template

111 The European Union (EU), with its implementation of privacy directives and regulations, treats individual privacy as ____________.A passing fadA human rightA legal obligationA business expense

112 If your organization collects/creates privacy data associated with European Union (EU) citizens and you operate in the cloud, you must prevent your provider from storing/moving/processing that data where?ArgentinaThe United StatesJapanIsrael

113 European Union (EU) personal privacy protections include the right to be _______________.SecureDeliveredForgottenProtected

114 The Cloud Security Alliance (CSA) has developed a model for cloud privacy frameworks called the Privacy Level Agreement (PLA). Why might a cloud service provider be reluctant to issue or adhere to a PLA?A PLA might limit the provider’s liability.A PLA would force the provider to accept more liability.A PLA is nonbinding.A PLA is not enforceable.

115 The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) lists security controls from all the following frameworks except _______________.ISACA’s Control Objectives for Information and Related Technology (COBIT)Payment Card Industry Data Security Standard (PCI DSS)The Capability Maturity Model (CMM)International Organization for Standardization (ISO) 27001

116 The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) lists security controls from all the following laws except _______________.Health Information Portability and Accountability Act (HIPAA)Family Education Rights and Privacy Act (FERPA)Personal Information Protection and Electronic Documents Act (PIPEDA)Digital Millennium Copyright Act (DMCA)

117 Digital rights management (DRM) tools might be used to protect all the following assets except _______________.A trusted deviceProprietary softwareMedical recordsFinancial data

118 Deploying digital rights management (DRM) tools in a bring-your-own-device (BYOD) environment will require _______________.User consent and actionEnhanced security protocolsUse of the cloudNewer, upgraded devices

119 Deploying digital rights management (DRM) tools in a bring-your-own-device (BYOD) environment will require _______________.A uniform browser installationPlatform-agnostic solutionsTurnstilesA secondary business continuity and disaster recovery (BC/DR) vendor

120 The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) addresses all the following security architecture elements except _______________.Physical securityInfrastructure as a service (IaaS)Application securityBusiness drivers

121 DRM requires that every data resource be provisioned with __________.A tracking deviceAn access policyA hardware security module (HSM)A biometric system

122 Digital rights management (DRM) tools can be combined with __________ to enhance security capabilities.Roaming identity services (RIS)Egress monitoring solutions (DLP)Internal hardware settings (BIOS)The TEMPEST program

123 Digital rights management (DRM) tools should enforce __________, which is the characteristic of access rights following the object, in whatever form or location it might be or move to.Continuous audit trailLimiting printing outputPersistenceAutomatic expiration

124 Digital rights management (DRM) tools should enforce __________, which is the practice of capturing all relevant system events.Continuous audit trailLimiting printing outputPersistenceAutomatic expiration

125 Digital rights management (DRM) tools should enforce __________, which is the capability to revoke access based on the decision of the object owner or an administrator action.Integration with email filtering enginesDisabling screencap capabilitiesContinuous audit trailDynamic policy control

126 Digital rights management (DRM) tools should enforce __________, which is the revocation of access based on time.PersistenceDisabling screencap capabilitiesAutomatic expirationDynamic policy control

127 Digital rights management (DRM) tools should enforce __________, which is interoperability with the organization’s other access control activities.PersistenceSupport for existing authentication security infrastructureContinuous audit trailDynamic policy control

128 In a data retention policy, what is perhaps the most crucial element?Location of the data archiveFrequency of backupsSecurity controls in long-term storageData recovery procedures

129 __________ is the practice of taking data out of the production environment and putting it into long-term storage.DeletionArchivingCrypto-shreddingStoring

130 In general, all policies within an organization should include each of the following elements except _______________.The date on which the policy will expireThe assignment of an entity to review the applicability of the possibility occasionallyThe assignment of an entity to monitor and maintain the process described in the policyA list of the laws, regulations, practices, and/or standards that drove the creation of the policy