Certified Cloud Security Professional – CCSP – Question472

Which of the following best describes the Organizational Normative Framework (ONF)?

A. A set of application security best practices, catalogued and leveraged by the organization
B. A container for components of an application’s security, best practices catalogued and leveraged by the organization
C. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization
D. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization.

Correct Answer: D

Explanation:

Explanation: Option B is incorrect because it refers to a specific application’s security elements, meaning it describes an ANF, not the ONF. C is true but less complete than D: C says the framework contains only “some” of the components, whereas D (which describes “all” components) is the better choice.

Certified Cloud Security Professional – CCSP – Question471

Deviations from the baseline should be investigated and __________________.

A. Revealed
B. Documented
C. Encouraged
D. Enforced

Correct Answer: B

Explanation:

Explanation: All deviations from the baseline should be documented, including details of the investigation and outcome. We do not enforce or encourage deviations. Presumably, we would already be aware of the deviation, so “revealing” is not a reasonable answer.

Certified Cloud Security Professional – CCSP – Question470

The application normative framework is best described as which of the following?

A. A superset of the ONF
B. A stand-alone framework for storing security practices for the ONF
C. The complete ONF
D. A subset of the ONF

Correct Answer: D

Explanation:

Explanation: Remember, there is a one-to-many relationship between the ONF and ANFs; each organization has one ONF and many ANFs (one for each application in the organization). Each ANF draws its elements from the ONF, so the ANF is a subset of the ONF.

Certified Cloud Security Professional – CCSP – Question469

In addition to whatever audit results the provider shares with the customer, what other mechanism does the customer have to ensure trust in the provider’s performance and duties?

A. HIPAA
B. The contract
C. Statutes
D. Security control matrix

Correct Answer: B

Explanation:

Explanation: The contract between the provider and customer enhances the customer’s trust by holding the provider financially liable for negligence or inadequate service (although the customer remains legally liable for all inadvertent disclosures). Statutes, however, largely leave customers liable. The security control matrix is a tool for ensuring compliance with regulations. HIPAA is a statute.

Certified Cloud Security Professional – CCSP – Question468

As a result of scandals involving publicly traded corporations such as Enron, WorldCom, and Adelphia, Congress passed legislation known as:

A. SOX
B. HIPAA
C. FERPA
D. GLBA

Correct Answer: A

Explanation:

Explanation: Sarbanes-Oxley was a direct response to corporate scandals. FERPA is related to education. GLBA is about the financial industry. HIPAA is about health care.

Certified Cloud Security Professional – CCSP – Question467

The cloud customer’s trust in the cloud provider can be enhanced by all of the following except:

A. SLAs
B. Shared administration
C. Audits
D. Real-time video surveillance

Correct Answer: D

Explanation:

Explanation: Video surveillance will not provide the customer with meaningful information about the provider’s performance and so will not enhance trust. SLAs, shared administration, and audits all do.

Certified Cloud Security Professional – CCSP – Question466

Which kind of SSAE audit report is a cloud customer most likely to receive from a cloud provider?

A. SOC 1 Type 1
B. SOC 2 Type 2
C. SOC 3
D. SOC 1 Type 2

Correct Answer: C

Explanation:

Explanation: The SOC 3 is the least detailed report, so the provider is not concerned about revealing it. SOC 1 Type 1 and Type 2 reports cover controls relevant to financial reporting and are not relevant here. The SOC 2 Type 2 is much more detailed and will most likely be kept closely held by the provider.

Certified Cloud Security Professional – CCSP – Question465

Hardening the operating system refers to all of the following except:

A. Limiting administrator access
B. Closing unused ports
C. Removing antimalware agents
D. Removing unnecessary services and libraries

Correct Answer: C

Explanation:

Explanation: Hardening the operating system means making it more secure. Limiting administrator access, closing unused ports, and removing unnecessary services and libraries all reduce the attack surface and make an OS more secure. Removing antimalware agents would actually make the system less secure; if anything, antimalware agents should be added, not removed.
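The hardening items above (closing unused ports, removing unnecessary services) and the earlier point that deviations from the baseline should be investigated and documented (Question 471) can be checked mechanically. The following script is an added example, not part of the original question bank: it compares a host’s listening TCP ports and enabled systemd units against a hypothetical approved baseline and prints each deviation as a line to be recorded. The baseline lists, the `ss -Hltn` sample and the `systemctl list-unit-files` sample are all constructed inline so the script runs offline; on a live host you would replace the samples with the real command output.

```shell
#!/bin/sh
# Added example (not from the CCSP question set): audit listening ports and
# enabled services against a baseline and report every deviation.

# Hypothetical baseline: what the organisation's build standard allows.
BASELINE_PORTS="22 443"
BASELINE_SERVICES="sshd nginx auditd"

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 50 0.0.0.0:23 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'

# Constructed sample of `systemctl list-unit-files --state=enabled --no-legend`.
SAMPLE_UNITS='sshd.service enabled
nginx.service enabled
telnet.socket enabled
auditd.service enabled'

# in_list ITEM "a b c": succeed if ITEM is one of the words in the list.
in_list() {
    for x in $2; do [ "$x" = "$1" ] && return 0; done
    return 1
}

# listening_ports SS_OUTPUT: the port of every LISTEN socket, numeric, unique.
# The port is the text after the last ':' in column 4 (works for [::]:22 too).
listening_ports() {
    printf '%s\n' "$1" | awk '{n = split($4, a, ":"); print a[n]}' | sort -nu
}

# enabled_units UNIT_OUTPUT: unit names with .service/.socket stripped, unique.
enabled_units() {
    printf '%s\n' "$1" | awk '{sub(/\.(service|socket)$/, "", $1); print $1}' | sort -u
}

# port_deviations SS_OUTPUT: listening ports that the baseline does not allow.
port_deviations() {
    for p in $(listening_ports "$1"); do
        in_list "$p" "$BASELINE_PORTS" || echo "$p"
    done
}

# service_deviations UNIT_OUTPUT: enabled units the baseline does not allow.
service_deviations() {
    for s in $(enabled_units "$1"); do
        in_list "$s" "$BASELINE_SERVICES" || echo "$s"
    done
}

# audit_host SS_OUTPUT UNIT_OUTPUT: print one record per deviation (suitable
# for appending to the investigation log) and return 1 if any were found.
audit_host() {
    found=0
    for p in $(port_deviations "$1"); do
        echo "DEVIATION port=$p reason=listening-but-not-in-baseline status=to-investigate"
        found=1
    done
    for s in $(service_deviations "$2"); do
        echo "DEVIATION service=$s reason=enabled-but-not-in-baseline status=to-investigate"
        found=1
    done
    return $found
}

# Stand-alone run on the constructed samples.
audit_host "$SAMPLE_SS" "$SAMPLE_UNITS" || echo "deviations found: investigate and document each one"
```

On the samples the script flags ports 23 and 25 and the telnet unit; the point of the record format is that every deviation ends up written down with an outcome, rather than silently "enforced" or ignored, which is the answer Question 471 is looking for.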

Certified Cloud Security Professional – CCSP – Question464

All of the following are techniques to enhance the portability of cloud data, in order to minimize the potential of vendor lock-in except:

A. Ensure there are no physical limitations to moving
B. Use DRM and DLP solutions widely throughout the cloud operation
C. Ensure favorable contract terms to support portability
D. Avoid proprietary data formats

Correct Answer: B

Explanation:

Explanation: DRM and DLP are used for stronger access control over content and for egress monitoring, respectively. Both are designed to restrict where data can go, so deploying them widely would decrease portability rather than enhance it.

Certified Cloud Security Professional – CCSP – Question463

What is the cloud service model in which the customer is responsible for administration of the OS?

A. QaaS
B. SaaS
C. PaaS
D. IaaS

Correct Answer: D

Explanation:

Explanation: In IaaS, the cloud provider owns only the hardware and supplies the utilities; the customer is responsible for the OS, programs, and data. In PaaS and SaaS, the provider also owns and administers the OS. There is no QaaS; that option is a red herring.