Try CCSK exam questions with a high-quality CCSK PDF question bank [Q49-Q73]


The latest Cloud Security Alliance CCSK exam question bank PDF, updated for 2024

Question # 49
CCM: In the CCM tool, a ____ is a measure that modifies risk and includes any process, policy, device, practice or any other action which modifies risk.

  • A. Risk Impact
  • B. Domain
  • C. Control Specification

Correct answer: C


Question # 50
"Cloud provider acquisition" as a risk falls under which of the following categories?

  • A. Technical risk
  • B. Policy and Organizational Risk
  • C. Environmental Risk
  • D. Legal Risk

Correct answer: B

Explanation:
Cloud provider acquisition comes under Policy and Organizational Risk and can be categorised as follows.
As in any new IT market, competitive pressure, an inadequate business strategy, lack of financial support, etc., could lead some providers to go out of business or at least force them to restructure their service portfolio offering. In other words, it is possible that in the short or medium term some cloud computing services could be terminated.


Question # 51
Which of the following is one of the five essential characteristics of cloud computing as defined by NIST?

  • A. Multi-tenancy
  • B. Unlimited bandwidth
  • C. Measured service
  • D. Hybrid clouds
  • E. Nation-state boundaries

Correct answer: C


Question # 52
Which of the following authentication methods is the most secure?

  • A. Multi-factor Authentication
  • B. Active Directory
  • C. Biometric Access
  • D. Username and encrypted password

Correct answer: A

Explanation:
All privileged user accounts should use multi-factor authentication (MFA). If possible, all cloud accounts (even individual user accounts) should use MFA. It is one of the single most effective security controls to defend against a wide range of attacks. This is also true regardless of the service model: MFA is just as important for SaaS as it is for IaaS.
Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)


Question # 53
Which of the following is NOT an essential characteristic of cloud computing?

  • A. Broad Network Access
  • B. Resource Pooling
  • C. Third Party Service
  • D. Measured Service
  • E. Rapid Elasticity

Correct answer: C


Question # 54
Which statement best describes why it is important to know how data is being accessed?

  • A. The devices used to access data may have different ownership characteristics.
  • B. The devices used to access data use a variety of operating systems and may have different programs installed on them.
  • C. The devices used to access data use a variety of applications or clients and may have different security characteristics.
  • D. The devices used to access data have different storage formats.
  • E. The device may affect data dispersion.

Correct answer: C


Question # 55
Which of the following is a key component of regulated PII?

  • A. Data disclosure
  • B. Cloud Service Provider Consent
  • C. E-discovery
  • D. Mandatory Breach Reporting

Correct answer: D

Explanation:
The key component and differentiator related to regulated PII is mandatory breach reporting requirements. At present, 47 states and territories within the United States, including the District of Columbia, Puerto Rico, and the Virgin Islands, have legislation in place that requires both private and government entities to notify and inform individuals of any security breaches involving PII.


Question # 56
Security Governance, Risk and Compliance (GRC) is generally the responsibility of which of the following across all the platforms (IaaS, PaaS and SaaS)?

  • A. Joint Responsibility
  • B. Cloud Service Provider
  • C. Customer
  • D. Shared responsibility

Correct answer: C

Explanation:
GRC is the responsibility of the customer across all service models.


Question # 57
The amount of risk that the leadership and stakeholders of an organization are willing to accept is known as:

  • A. Residual Risk
  • B. Risk Avoidance
  • C. Risk Tolerance
  • D. Risk Limitation

Correct answer: C

Explanation:
Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept.


Question # 58
Which of the following types of risk assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action?

  • A. Third party Risk Analysis
  • B. Outsourced risk analysis
  • C. Qualitative Analysis
  • D. Quantitative Analysis

Correct answer: D

Explanation:
Quantitative assessments typically employ a set of methods, principles, or rules for assessing risk based on the use of numbers. This type of assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action.


Question # 59
ISO 27001 certification can be taken as proof of achieving the third-party assessment level in the CSA STAR program.

  • A. True
  • B. False

Correct answer: A

Explanation:
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix.


Question # 60
Which of the following is also known as a white-box test and can be used to find XSS errors, SQL injection, buffer overflows, unhandled error conditions, and potential backdoors?

  • A. Threat Modelling
  • B. Dynamic Application Security Testing (DAST)
  • C. Static Application Security Testing (SAST)
  • D. Static Application Security Testing (SAST)

Correct answer: D

Explanation:
Static application security testing (SAST) is generally considered a white-box test, where the application test performs an analysis of the application source code, byte code, and binaries without executing the application code. SAST is used to determine coding errors and omissions that are indicative of security vulnerabilities. SAST is often used as a test method while the tool is under development (early in the development lifecycle).
SAST can be used to find XSS errors, SQL injection, buffer overflows, unhandled error conditions, and potential backdoors.


Question # 61
According to ISO 27018, the data processor has explicit control over how CSPs are to use PII.

  • A. False
  • B. True

Correct answer: A

Explanation:
In ISO 27018, it is the customer who has the explicit right to decide how CSPs will use their information.


Question # 62
Which of the following uses security and encryption as means to prevent unauthorized copying and limitations on distribution to only those who pay?

  • A. IPSEC
  • B. Data Dispersion
  • C. Data Encryption
  • D. Digital Rights Management (DRM)

Correct answer: D

Explanation:
Digital rights management (DRM) was designed to focus on security and encryption as a means of preventing unauthorized copying and limiting distribution of content to only those authorized (purchasers).


Question # 63
Ensuring that the use of data and information complies with organizational policies, standards and strategy, including regulatory, contractual, and business objectives, is known as:

  • A. Corporate Governance
  • B. Data Governance
  • C. IT Governance
  • D. Enterprise Governance

Correct answer: B

Explanation:
This is the definition of Data Governance.


Question # 64
The granting of the right of access to a user, program or process is called:

  • A. Authentication
  • B. Entitlement
  • C. RBAC
  • D. Authorization

Correct answer: D

Explanation:
Authorization is the process of granting the right of access to a user, program or process. It should not be confused with Authentication.


Question # 65
CCM: A company wants to use the IaaS offering of some CSP. Which of the following options for using CCM is NOT suitable for the company as a cloud customer?

  • A. Use CCM to build a detailed list of requirements and controls that they want their CSP to implement
  • B. None of the above
  • C. Submit the CCM on behalf of the CSP to CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by CSPs
  • D. Use CCM to help assess the risk associated with the CSP

Correct answer: B


Question # 66
ENISA: Which is a potential security benefit of cloud computing?

  • A. ISO 27001 certification
  • B. Greater compatibility with customer IT infrastructure
  • C. Provider can obfuscate system O/S and versions
  • D. Lock-In
  • E. More efficient and timely system updates

Correct answer: E


Question # 67
What is the process to determine any weaknesses in the application and the potential ingress, egress, and actors involved before the weakness is introduced to production?

  • A. STRIDE
  • B. Vulnerability Assessment
  • C. Threat Detection
  • D. Threat Modelling

Correct answer: D

Explanation:
Threat modelling is performed once an application design is created. The goal of threat modelling is to determine any weaknesses in the application and the potential ingress, egress, and actors involved before the weakness is introduced to production. It is the overall attack surface that is amplified by the cloud, and the threat model has to take that into account.


Question # 68
Which of the following is a perceived advantage or disadvantage of managing enterprise risk for cloud deployments?

  • A. Greater reliance on contracts, audits, and assessments due to lack of visibility or management.
  • B. None of the above.
  • C. More physical control over assets and processes.
  • D. Decreased requirement for proactive management of relationship and adherence to contracts.
  • E. Increased need, but reduction in costs, for managing risks accepted by the cloud provider.

Correct answer: A


Question # 69
As with security, compliance in the cloud is a shared responsibility model.

  • A. True
  • B. False

Correct answer: A

Explanation:
As with security, compliance in the cloud is a shared responsibility model. Both the cloud provider and the customer have responsibilities, but the customer is always ultimately responsible for their own compliance. These responsibilities are defined through contracts, audits/assessments, and the specifics of the compliance requirements.
Reference: CSA Security Guidelines V.4 (reproduced here for educational purposes)


Question # 70
How should an SDLC be modified to address application security in a Cloud Computing environment?

  • A. Both B and C
  • B. Updated threat and trust models
  • C. No modification is needed
  • D. Just-in-time compilers
  • E. Integrated development environments

Correct answer: E


Question # 71
An important consideration when performing a remote vulnerability test of a cloud-based application is to

  • A. Schedule vulnerability test at night
  • B. Use techniques to evade cloud provider's detection systems
  • C. Use application layer testing tools exclusively
  • D. Obtain provider permission for test
  • E. Use network layer testing tools exclusively

Correct answer: D


Question # 72
Which of the following documents defines the roles and responsibilities for risk management between a cloud provider and a cloud customer?

  • A. Service Level Agreement
  • B. Risk Management Agreement
  • C. Operational level Agreement
  • D. Contract

Correct answer: D

Explanation:
The contract defines the roles and responsibilities for risk management between a cloud provider and a cloud customer.


Question # 73
......
