ISC CCSP Practice Test - Questions Answers, Page 39

Which of the following types of data would fall under data rights management (DRM) rather than information rights management (IRM)?

A. Personnel data
B. Security profiles
C. Publications
D. Financial records
Suggested answer: C

Explanation:

Whereas IRM is used to protect a broad range of data, DRM is focused specifically on the protection of consumer media, such as publications, music, movies, and so on. IRM is used to protect general institution data, so financial records, personnel data, and security profiles would all fall under the auspices of IRM.

Different security testing methodologies offer different strategies and approaches to testing systems, requiring security personnel to determine the best type to use for their specific circumstances.

What does dynamic application security testing (DAST) NOT entail that SAST does?

A. Discovery
B. Knowledge of the system
C. Scanning
D. Probing
Suggested answer: B

Explanation:

Dynamic application security testing (DAST) is considered "black-box" testing: it runs against the live application and begins with no inside knowledge of the application, its source code, or its configuration. Everything about it must be discovered during the test. Static application security testing (SAST), by contrast, starts with that knowledge, including the source code. As with most types of testing, DAST does involve probing, scanning, and a discovery process for system information, so none of those options distinguishes it from SAST.

You need to gain approval to begin moving your company's data and systems into a cloud environment. However, your CEO has mandated the ability to easily remove your IT assets from the cloud provider as a precondition.

Which of the following cloud concepts would this pertain to?

A. Removability
B. Extraction
C. Portability
D. Reversibility
Suggested answer: D

Explanation:

Reversibility is the cloud concept involving the ability for a cloud customer to remove all of its data and IT assets from a cloud provider. Also, processes and agreements would be in place with the cloud provider that ensure all removals have been completed fully within the agreed upon timeframe. Portability refers to the ability to easily move between different cloud providers and not be locked into a specific one. Removability and extraction are both provided as terms similar to reversibility, but neither is the official term or concept.

What does static application security testing (SAST) offer as a tool to the testers that makes it unique compared to other common security testing methodologies?

A. Live testing
B. Source code access
C. Production system scanning
D. Injection attempts
Suggested answer: B

Explanation:

Static application security testing (SAST) is conducted against offline code, not a running system, and the testers start with prior knowledge of the application, including access to its source code; that access is what sets it apart from the other methodologies. Live testing is not part of static testing but rather is associated with dynamic testing. Production system scanning is not appropriate because static testing is done against offline systems. Injection attempts are performed in many different types of testing and are not unique to one particular type, so that is not the best answer to the question.

A main objective for an organization when utilizing cloud services is to avoid vendor lock-in so as to ensure flexibility and maintain independence.

Which core concept of cloud computing is most related to vendor lock-in?

A. Scalability
B. Interoperability
C. Portability
D. Reversibility
Suggested answer: C

Explanation:

Portability is the ability for a cloud customer to easily move their systems, services, and applications among different cloud providers. By avoiding reliance on proprietary APIs and other vendor-specific cloud features, an organization can maintain flexibility to move among the various cloud providers with greater ease.

Reversibility refers to the ability for a cloud customer to quickly and easily remove all their services and data from a cloud provider. Interoperability is the ability to reuse services and components for other applications and uses. Scalability refers to the ability of a cloud environment to add or remove resources to meet current demands.

Which of the following areas of responsibility always falls completely under the purview of the cloud provider, regardless of which cloud service category is used?

A. Infrastructure
B. Data
C. Physical
D. Governance
Suggested answer: C

Explanation:

Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. In many instances, the cloud provider will supply audit reports or some general information about their physical security practices, especially to those customers or potential customers that may have regulatory requirements, but otherwise the cloud customer will have very little insight into the physical environment. With IaaS, the infrastructure is a shared responsibility between the cloud provider and cloud customer. With all cloud service categories, the data and governance are always the sole responsibility of the cloud customer.

What type of masking would you employ to produce a separate data set for testing purposes based on production data without any sensitive information?

A. Dynamic
B. Tokenized
C. Replicated
D. Static
Suggested answer: D

Explanation:

Static masking involves taking a data set and replacing sensitive fields and values with non-sensitive or garbage data. This is done to enable testing of an application against data that resembles production data, both in size and format, but without containing anything sensitive. Dynamic masking involves the live and transactional masking of data while an application is using it. Tokenized would refer to tokenization, which is the replacing of sensitive data with a key value that can later be matched back to the original value, and although it could be used as part of the production of test data, it does not refer to the overall process.

Replicated is provided as an erroneous answer, as replicated data would be identical in value and would not accomplish the production of a test set.
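The following is an added example for this page, not code from the page or from any masking product, showing the difference the explanation draws between static masking and tokenization. A constructed set of production-like records (fictitious people) is copied into a test data set in which the sensitive fields are irreversibly replaced with format-preserving garbage, so row count, field lengths and shapes such as ###-##-#### survive while no original value does. For contrast, the same records are tokenized with a keyed hash and a separate vault, which is reversible and therefore not a way to produce a non-sensitive test set on its own. The field names, the choice of which fields are sensitive, the seed and the vault key are all assumptions made up here.

```python
"""Static masking versus tokenization over a constructed record set.

Added illustration for this page; not code from the page or from any masking
product. Records, field names and rules are assumptions made up for the example.
"""
import hashlib
import hmac
import random
from copy import deepcopy

# Constructed production-like records (fictitious people and values).
PRODUCTION = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@example.com", "balance": 1520.75},
    {"id": 2, "name": "Bob Sample", "ssn": "987-65-4321",
     "email": "bob@example.org", "balance": 88.10},
]

# Fields treated as sensitive in this example; id and balance are left alone.
SENSITIVE_FIELDS = ("name", "ssn", "email")


def _garble(value: str, rng: random.Random) -> str:
    """Replace every letter and digit with a *different* one of the same class,
    keeping punctuation and case. Length and shape ('###-##-####',
    'user@host.tld') survive so the test system sees production-like data,
    but no original character is ever emitted."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(str((int(ch) + rng.randrange(1, 10)) % 10))
        elif ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + rng.randrange(1, 26)) % 26))
        else:
            out.append(ch)
    return "".join(out)


def static_mask(records: list, seed: int = 0) -> list:
    """Static masking: build a separate copy for test environments with the
    sensitive fields irreversibly replaced. Row count and field formats match
    the source; there is no way back to the original values."""
    rng = random.Random(seed)   # fixed seed so the test data set is reproducible
    masked = deepcopy(records)  # never modify the production set in place
    for row in masked:
        for field in SENSITIVE_FIELDS:
            row[field] = _garble(row[field], rng)
    return masked


def tokenize(records: list, key: bytes) -> tuple:
    """Tokenization, for contrast: each sensitive value is swapped for a keyed-hash
    token and the token -> value mapping is kept in a separate vault, so the
    substitution can be reversed by whoever holds the vault."""
    vault = {}
    out = deepcopy(records)
    for row in out:
        for field in SENSITIVE_FIELDS:
            digest = hmac.new(key, row[field].encode(), hashlib.sha256).hexdigest()
            token = "tok_" + digest[:16]
            vault[token] = row[field]
            row[field] = token
    return out, vault


def detokenize(records: list, vault: dict) -> list:
    """Reverse tokenization using the vault; impossible for a statically masked set."""
    out = deepcopy(records)
    for row in out:
        for field in SENSITIVE_FIELDS:
            row[field] = vault[row[field]]
    return out


if __name__ == "__main__":
    for row in static_mask(PRODUCTION):
        print("masked:   ", row)
    tokens, vault = tokenize(PRODUCTION, b"constructed-vault-key")
    for row in tokens:
        print("tokenized:", row)
    print("round trip ok:", detokenize(tokens, vault) == PRODUCTION)
```

The masked set is what goes to the test environment; the vault produced by tokenization is itself sensitive and must stay in production, which is why tokenization alone does not answer the question.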

Which aspect of data poses the biggest challenge to using automated tools for data discovery and programmatic data classification?

A. Quantity
B. Language
C. Quality
D. Number of sources
Suggested answer: C

Explanation:

The biggest challenge for properly using any programmatic tools in data discovery is the actual quality of the data, including the data being uniform and well structured, labels being properly applied, and other similar facets. Without data being organized in such a manner, it is extremely difficult for programmatic tools to automatically synthesize and make determinations from it. The overall quantity of data, as well as the number of sources, does not pose an enormous challenge for data discovery programs, other than requiring a longer time to process the data. The language of the data itself should not matter to a program that is designed to process it, as long as the data is well formed and consistent.
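As an added example for this page (not code from the page or from any discovery product), the following toy data-discovery routine shows why quality, rather than quantity, is the limiting factor. It labels columns by regex pattern and reports coverage, the fraction of values the winning label actually matched. On a constructed, well-formed dataset coverage is complete; on a constructed poor-quality dataset with mixed formats, stray whitespace, free text and a meaningless column label, coverage drops, and a cheap normalization pass recovers only the rows that were merely inconsistently formatted. The datasets, patterns, labels and the normalization rule are assumptions made up here.

```python
"""Regex-based data discovery over constructed record columns, showing how data
quality (inconsistent formats, missing column labels) limits automated
classification and how a normalization pass recovers part of the loss.

Added illustration for this page; not code from the page or from any discovery
product. The datasets, patterns and labels are assumptions made up here.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Toy classification rules: a value is labelled by the first pattern it matches.
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE),
}

# Well-structured, uniformly formatted, properly labelled (constructed).
CLEAN = {
    "ssn": ["123-45-6789", "987-65-4321", "555-12-3456"],
    "email": ["alice@example.com", "bob@example.org", "carol@example.net"],
}

# Same kind of content, poor quality: mixed formats, stray whitespace, free text,
# a placeholder, and a meaningless column label (constructed).
MESSY = {
    "col_7": ["123456789", "987 65 4321", "555-12-3456", "n/a"],
    "contact": ["ALICE@EXAMPLE.COM", " carol@example.net ", "bob at example dot org", ""],
}


def classify_value(value: str) -> Optional[str]:
    """Return the label of the first matching pattern, or None."""
    for label, pattern in PATTERNS.items():
        if pattern.match(value.strip()):
            return label
    return None


def classify_column(values: List[str]) -> Tuple[Optional[str], float]:
    """Label a column by majority vote over its values and report coverage:
    the fraction of values the winning label actually matched. Low coverage
    means the tool is guessing from a minority of well-formed rows."""
    hits = [lab for lab in (classify_value(v) for v in values) if lab is not None]
    if not hits:
        return None, 0.0
    best = max(set(hits), key=hits.count)
    return best, hits.count(best) / len(values)


def normalize(value: str) -> str:
    """Cheap quality repair: trim, lower-case, and reformat 9-digit strings that
    contain only digits, spaces or dashes into the canonical ###-##-#### shape.
    Free text such as 'n/a' or 'bob at example dot org' stays unresolved."""
    v = value.strip().lower()
    digits = re.sub(r"\D", "", v)
    if len(digits) == 9 and re.fullmatch(r"[\d\s-]+", v):
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    return v


def discover(dataset: Dict[str, List[str]],
             normalizer: Optional[Callable[[str], str]] = None
             ) -> Dict[str, Tuple[Optional[str], float]]:
    """Classify every column of a dataset, optionally normalizing values first.
    Column names are ignored on purpose: labels like 'col_7' carry no meaning,
    so discovery has to work from content alone."""
    result = {}
    for column, values in dataset.items():
        if normalizer is not None:
            values = [normalizer(v) for v in values]
        result[column] = classify_column(values)
    return result


if __name__ == "__main__":
    print("clean:            ", discover(CLEAN))
    print("messy, raw:       ", discover(MESSY))
    print("messy, normalized:", discover(MESSY, normalize))
```

Adding more rows or more sources to the clean dataset only makes this run longer; it is the inconsistent rows in the messy one that the tool cannot resolve, and the remaining 'n/a' and free-text values would need human review or upstream data cleanup.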

When an organization is considering a cloud environment for hosting BCDR solutions, which of the following would be the greatest concern?

A. Self-service
B. Resource pooling
C. Availability
D. Location
Suggested answer: D

Explanation:

If an organization wants to use a cloud service for BCDR, the location of the cloud hosting becomes a very important security consideration due to regulations and jurisdiction, which could be dramatically different from the organization's normal hosting locations. Availability is a hallmark of any cloud service provider, and likely will not be a prime consideration when an organization is considering using a cloud for BCDR; the same goes for self-service options. Resource pooling is common among all cloud systems and would not be a concern when an organization is dealing with the provisioning of resources during a disaster.

Just like the risk management process, the BCDR planning process has a defined sequence of steps and processes to follow to ensure the production of a comprehensive and successful plan.

Which of the following is the correct sequence of steps for a BCDR plan?

A. Define scope, gather requirements, assess risk, implement
B. Define scope, gather requirements, implement, assess risk
C. Gather requirements, define scope, implement, assess risk
D. Gather requirements, define scope, assess risk, implement
Suggested answer: A

Explanation:

The correct sequence for a BCDR plan is to define the scope, gather requirements based on the scope, assess overall risk, and implement the plan. The other sequences provided are not in the correct order.

Total 512 questions