Which of the following is not an example of a highly regulated environment? A. Financial services B. Healthcare C. Public companies D. Wholesale or distribution
Correct Answer: D
Explanation: Wholesalers or distributors are generally not regulated, although the products they sell may be.
Which of the following is the primary purpose of an SOC 3 report? A. HIPAA compliance B. Absolute assurances C. Seal of approval D. Compliance with PCI/DSS
Correct Answer: C
Explanation: The SOC 3 report is more of an attestation than a full evaluation of controls associated with a service provider.
Which is the lowest level of the CSA STAR program? A. Attestation B. Self-assessment C. Hybridization D. Continuous monitoring
Correct Answer: B
Explanation: The lowest level is Level 1, which is self-assessment; Level 2 is an external third-party attestation; and Level 3 is a continuous-monitoring program. Hybridization does not exist as part of the CSA STAR program.
Which of the following components are part of what a CCSP should review when looking at contracting with a cloud service provider? A. Redundant uplink grafts B. Background checks for the provider’s personnel C. The physical layout of the datacenter D. Use of subcontractors
Correct Answer: D
Explanation: The use of subcontractors can add risk to the supply chain and should be considered; trusting the provider’s management of their vendors and suppliers (including subcontractors) is important to trusting the provider. Conversely, the customer is not likely to be allowed to review the physical design of the datacenter (or, indeed, even know the exact location of the datacenter) or the personnel security specifics for the provider’s staff. “Redundant uplink grafts” is a nonsense term used as a distractor.
Which of the following is the best example of a key component of regulated PII? A. Audit rights of subcontractors B. Items that should be implemented C. PCI DSS D. Mandatory breach reporting
Correct Answer: D
Explanation: Mandatory breach reporting is the best example of a regulated PII component. The rest are generally considered components of contractual PII.
Which of the following is a valid risk management metric? A. KPI B. KRI C. SOC D. SLA
Correct Answer: B
Explanation: KRI stands for key risk indicator. KRIs are the red flags, if you will, in the world of risk management. When they change, they indicate that something is amiss and should be examined quickly to determine whether the change is minor or indicative of something important.
What is the Cloud Security Alliance Cloud Controls Matrix (CCM)? A. A set of software development life cycle requirements for cloud service providers B. An inventory of cloud services security controls that are arranged into a hierarchy of security domains C. An inventory of cloud service security controls that are arranged into separate security domains D. A set of regulatory requirements for cloud service providers
Correct Answer: C
Explanation: The CSA CCM is an inventory of cloud service security controls that are arranged into separate security domains, not a hierarchy.
Which of the following is the least challenging with regard to eDiscovery in the cloud? A. Identifying roles such as data owner, controller and processor B. Decentralization of data storage C. Forensic analysis D. Complexities of International law
Correct Answer: C
Explanation: Forensic analysis is the least challenging of the answers provided, as it refers to the analysis of data once it is obtained. The challenges revolve around obtaining the data for analysis, due to the complexities of international law, the decentralization of data storage (or difficulty knowing where to look), and identifying the data owner, controller, and processor.