ISC ccsp practice test

Certified Cloud Security Professional Exam

Last exam update: Sep 30 ,2024
Page 1 out of 35. Viewing questions 1-15 out of 512

Question 1

When using a SaaS solution, what is the capability provided to the customer?

  • A. To use the providers applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  • B. To use the consumers applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  • C. To use the consumers applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  • D. To use the providers applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Mark Question:
Answer:

D


Explanation:
According to The NIST Definition of Cloud Computing, in SaaS, The capability provided to the
consumer is to use the providers applications running on a cloud infrastructure. The applications are
accessible from various client devices through either a thin client interface, such as a web browser
(e.g., web-based e-mail), or a program interface. The consumer does not manage or control the
underlying cloud infrastructure including network, servers, operating systems, storage, or even
individual application capabilities, with the possible exception of limited user-specific application
configuration settings.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

Which of the following is the dominant driver behind the regulations to which a system or
application must adhere?

  • A. Data source
  • B. Locality
  • C. Contract
  • D. SLA
Mark Question:
Answer:

B


Explanation:
The locality--or physical location and jurisdiction where the system or data resides--is the dominant
driver of regulations. This may be based on the type of data contained within the application or the
way in which the data is used. The contract and SLA both articulate requirements for regulatory
compliance and the responsibilities for the cloud provider and cloud customer, but neither artifact
defines the actual requirements. Instead, the contract and SLA merely form the official
documentation between the cloud provider and cloud customer. The source of the data may place
contractual requirements or best practice guidelines on its usage, but ultimately jurisdiction has legal
force and greater authority.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Limits for resource utilization can be set at different levels within a cloud environment to ensure that
no particular entity can consume a level of resources that impacts other cloud customers.
Which of the following is NOT a unit covered by limits?

  • A. Hypervisor
  • B. Cloud customer
  • C. Virtual machine
  • D. Service
Mark Question:
Answer:

A


Explanation:
The hypervisor level, as a backend cloud infrastructure component, is not a unit where limits may be
applied to control resource utilization. Limits can be placed at the service, virtual machine, and cloud
customer levels within a cloud environment.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

Which of the following is not a risk management framework?

  • A. COBIT
  • B. Hex GBL
  • C. ISO 31000:2009
  • D. NIST SP 800-37
Mark Question:
Answer:

B


Explanation:
Hex GBL is a reference to a computer part in Terry Pratchetts fictional Discworld universe. The rest
are not.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

Which of the following report is most aligned with financial control audits?

  • A. SSAE 16
  • B. SOC 2
  • C. SOC 1
  • D. SOC 3
Mark Question:
Answer:

C


Explanation:
The SOC 1 report focuses primarily on controls associated with financial services. While IT controls
are certainly part of most accounting systems today, the focus is on the controls around those
financial systems.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Which of the following frameworks focuses specifically on design implementation and management?

  • A. ISO 31000:2009
  • B. ISO 27017
  • C. NIST 800-92
  • D. HIPAA
Mark Question:
Answer:

A


Explanation:
ISO 31000:2009 specifically focuses on design implementation and management. HIPAA refers to
health care regulations, NIST 800-92 is about log management, and ISO 27017 is about cloud specific
security controls.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

Gap analysis is performed for what reason?

  • A. To begin the benchmarking process
  • B. To assure proper accounting practices are being used
  • C. To provide assurances to cloud customers
  • D. To ensure all controls are in place and working properly
Mark Question:
Answer:

A


Explanation:
The primary purpose of the gap analysis is to begin the benchmarking process against risk and
security standards and frameworks.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Which of the following best describes a cloud carrier?

  • A. The intermediary who provides connectivity and transport of cloud providers and cloud consumers
  • B. A person or entity responsible for making a cloud service available to consumers
  • C. The person or entity responsible for transporting data across the Internet
  • D. The person or entity responsible for keeping cloud services running for customers
Mark Question:
Answer:

A


Explanation:
A cloud carrier is the intermediary who provides connectivity and transport of cloud services
between cloud providers and cloud customers.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Legal controls refer to which of the following?

  • A. ISO 27001
  • B. PCI DSS
  • C. NIST 800-53r4
  • D. Controls designed to comply with laws and regulations related to the cloud environment
Mark Question:
Answer:

D


Explanation:
Legal controls are those controls that are designed to comply with laws and regulations whether they
be local or international.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Which of the following methods of addressing risk is most associated with insurance?

  • A. Mitigation
  • B. Transference
  • C. Avoidance
  • D. Acceptance
Mark Question:
Answer:

B


Explanation:
Avoidance halts the business process, mitigation entails using controls to reduce risk, acceptance
involves taking on the risk, and transference usually involves insurance.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which of the following is not an example of a highly regulated environment?

  • A. Financial services
  • B. Healthcare
  • C. Public companies
  • D. Wholesale or distribution
Mark Question:
Answer:

D


Explanation:
Wholesalers or distributors are generally not regulated, although the products they sell may be.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Which of the following is the primary purpose of an SOC 3 report?

  • A. HIPAA compliance
  • B. Absolute assurances
  • C. Seal of approval
  • D. Compliance with PCI/DSS
Mark Question:
Answer:

C


Explanation:
The SOC 3 report is more of an attestation than a full evaluation of controls associated with a service
provider.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

Which is the lowest level of the CSA STAR program?

  • A. Attestation
  • B. Self-assessment
  • C. Hybridization
  • D. Continuous monitoring
Mark Question:
Answer:

B


Explanation:
The lowest level is Level 1, which is self-assessment, Level 2 is an external third-party attestation,
and Level 3 is a continuous-monitoring program. Hybridization does not exist as part of the CSA STAR
program.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

Which of the following terms is not associated with cloud forensics?

  • A. eDiscovery
  • B. Chain of custody
  • C. Analysis
  • D. Plausibility
Mark Question:
Answer:

D


Explanation:
Plausibility, here, is a distractor and not specifically relevant to cloud forensics.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

Which of the following is not a way to manage risk?

  • A. Transferring
  • B. Accepting
  • C. Mitigating
  • D. Enveloping
Mark Question:
Answer:

D


Explanation:
Enveloping is a nonsense term, unrelated to risk management. The rest are not.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2