[March 6, 2022] Get the latest! CCSK certification practice test questions and exam question bank [Q40-Q65]



Valid CCSK question-bank PDF with answers to real CCSK exam questions

Question 40
What is true of companies considering a cloud computing business relationship?

  • A. The confidentiality agreements between companies using cloud computing services is limited legally to the company, not the provider.
  • B. The cloud computing companies are absolved of all data security and associated risks through contracts and data laws.
  • C. The companies using the cloud providers are the custodians of the data entrusted to them.
  • D. The cloud computing companies own all customer data.
  • E. The laws protecting customer data are based on the cloud provider and customer location only.

Answer: C

Question 41
Who is responsible for infrastructure security in the Software as a Service (SaaS) service model?

  • A. Cloud Customer
  • B. Cloud Service Provider
  • C. It's a shared responsibility between Cloud Service Provider and Cloud Customer
  • D. Cloud Carrier

Answer: B

Explanation:
The cloud service provider is responsible for infrastructure security in the Software as a Service (SaaS) service model.

Question 42
Which of the following is NOT a characteristic of Object Storage?

  • A. Stored in cloud
  • B. Has additional Metadata
  • C. Accessed through web interface
  • D. Cannot be accessed through web interface

Answer: D

Explanation:
Object storage: similar to a file share accessed via APIs or a web interface. Examples include Amazon S3 and Rackspace Cloud Files.

Question 43
Which term refers to the model that allows customers to scale their compute and/or storage needs with little or no intervention from, or prior communication with, the provider, with the services happening in real time?

  • A. Broad network access
  • B. On-demand self-service
  • C. Rapid elasticity
  • D. Resource pooling

Answer: B

Explanation:
It is the characteristic of on-demand self-service that allows customers to scale their compute and/or storage needs with little or no intervention from, or prior communication with, the provider.

Question 44
Logs, documentation, and other materials needed for audits and compliance, which often serve as evidence of compliance activities, are known as:

  • A. Artifacts
  • B. Documented Evidence
  • C. Proof of Audit
  • D. Log Trail

Answer: A

Explanation:
Artifacts are the logs, documentation, and other materials needed for audits and compliance; they are the evidence that supports compliance activities. Both providers and customers have responsibilities for producing and managing their respective artifacts.
Reference: CSA Security Guidelines v4 (reproduced here for educational purposes)

Question 45
Your cloud and on-premises infrastructures should always use the same network address ranges.

  • A. True
  • B. False

Answer: B

Question 46
"Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service." Which of the following characteristics does this define?

  • A. Broad network access
  • B. Measured service
  • C. Rapid elasticity
  • D. Resource pooling

Answer: B

Explanation:
Measured service is defined as "Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service."

Question 47
Which document defines the minimum levels of service availability, security, controls, processes, communications, and support?

  • A. Service Level Agreement (SLA)
  • B. Statement of Applicability (SOA)
  • C. Standard Operating Procedure (SOP)
  • D. Operational Level Agreement (OLA)

Answer: A

Explanation:
SLA is the correct answer here. Operational Level Agreements (OLA) are agreements made between business units within the organisation. A Standard Operating Procedure (SOP), as the name suggests, is a procedural document for conducting an activity or process. A Statement of Applicability (SOA) is an ISO 27001 compliance document that lists all the relevant security controls applied to the organisation.

Question 48
Metrics which govern the contractual obligations of a cloud service are found in:

  • A. Service Book
  • B. Contract itself
  • C. Service Level Agreements (SLA)
  • D. Operational Level Agreement (OLA)

Answer: C

Explanation:
The SLA is the list of defined, specific, numerical metrics that will be used to determine whether the provider is sufficiently meeting the contract terms during each period of performance.

Question 49
In which of the following cloud service models is the customer required to maintain the operating system?

  • A. IaaS
  • B. Public Cloud
  • C. PaaS
  • D. SaaS

Answer: A

Explanation:
According to "The NIST Definition of Cloud Computing," in IaaS, "the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include OSs and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over OSs, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls)."

Question 50
The cloud service provider is responsible for platform security in the Platform as a Service (PaaS) model.

  • A. True
  • B. False

Answer: B

Explanation:
It is false. Platform security is a shared responsibility between the cloud service provider and the cloud service customer in the Platform as a Service (PaaS) model.

Question 51
Policy documentation and training are a:

  • A. Technical control
  • B. Physical control
  • C. Administrative control
  • D. Logical control

Answer: C

Explanation:
There are three commonly accepted forms of controls:
Administrative - These are the laws, regulations, policies, practices and guidelines that govern the overall requirements and controls for an information security or other operational risk program. For example, a law or regulation may require merchants and financial institutions to protect and implement controls for customer account data to prevent identity theft. The business, in order to comply with the law or regulation, may adopt policies and procedures laying out the internal requirements for protecting this data; those requirements are a form of control.
Logical - These are the virtual, application and technical controls (systems and software), such as firewalls, antivirus software, encryption and maker/checker application routines.
Physical - Whereas a firewall provides a "logical" key to obtain access to a network, a "physical" key to a door can be used to gain access to an office space or storage room. Other examples of physical controls are video surveillance systems, gates and barricades, the use of guards or other personnel to govern access to an office, and remote backup facilities.

Question 52
Which of the following is NOT one of the vulnerabilities that can lead to the risk of "abuse of high privilege roles" or "cloud provider malicious insider"?

  • A. Poor enforcement of role definitions
  • B. Lack of data centre hardware redundancy
  • C. AAA vulnerabilities
  • D. System and OS vulnerabilities

Answer: B

Explanation:
Redundancy has nothing to do with abuse of high privilege roles. All the others can lead to the risk of "abuse of high privilege roles" or "cloud provider malicious insider".

Question 53
Which is the most common control used for Risk Transfer?

  • A. Insurance
  • B. Web Application Firewall
  • C. SLA
  • D. Contracts

Answer: A

Explanation:
Buying insurance is the most common method of transferring risk.

Question 54
The ability of a cloud services datacentre and its associated components, including servers, storage, and so on, to continue operating in the event of a disruption, which may be equipment failure, power outage, or a natural disaster, is known as:

  • A. Continuity
  • B. Disaster recovery
  • C. Redundancy
  • D. Resiliency

Answer: D

Explanation:
Resiliency is the correct answer, but the other options look very similar and are provided to create confusion.
One needs to be careful while answering the question.
Resiliency is often confused with redundancy; the key difference is:
A redundant system includes multiple channels to provide alternate paths for communications in case of individual failures.
... Resilience, on the other hand, refers to a system's ability to adapt to failures and to resume normal operations when the failure has been resolved.

Question 55
The individual's right to have their data (PII) removed from an entity/provider at any time upon their request is known as:

  • A. Right to be forgotten
  • B. Right to claim
  • C. Right of erasure
  • D. Right to disclosure

Answer: A

Explanation:
Under the principle of the "right to be forgotten", any individual can notify any entity that has PII for that individual and instruct that entity to delete and destroy all of that individual's PII in that entity's control.
This is a very serious and powerful individual right, and compliance can be extremely difficult.

Question 56
Which cloud service model has the least maintenance or administration from a cloud customer perspective?

  • A. SaaS
  • B. XaaS
  • C. PaaS
  • D. IaaS

Answer: A

Explanation:
SaaS requires the least maintenance from the customer, as everything from the infrastructure up to the application is managed by the cloud service provider.

Question 57
What factors should you understand about the data, specifically due to legal, regulatory, and jurisdictional factors?

  • A. The implications of storing complex information on simple storage systems
  • B. The physical location of the data and how it is accessed
  • C. The fragmentation and encryption algorithms employed
  • D. The actual size of the data and the storage format
  • E. The language of the data and how it affects the user

Answer: A

Question 58
ANF and ONF are referred to in which of the following ISO standards?

  • A. ISO 27032
  • B. ISO 27001
  • C. ISO 27005
  • D. ISO 27034-1

Answer: D

Explanation:
ISO/IEC 27034-1, "Information Technology - Security Techniques - Application Security," provides one of the most widely accepted sets of standards and guidelines for secure application development. ISO/IEC 27034-1 is a comprehensive set of standards that covers many aspects of application development. A few of the key elements include the organizational normative framework (ONF), the application normative framework (ANF), and the application security management process (APSM).

Question 59
Which is the set of technologies designed to detect conditions indicative of a security vulnerability in an application in its running state?

  • A. STRIDE
  • B. Dynamic application security testing (DAST)
  • C. Enterprise threat modelling
  • D. Static application security testing (SAST)

Answer: B

Explanation:
Definitions:
SAST - Static application security testing (SAST) is a type of security testing that relies on inspecting the source code of an application. In general, SAST involves looking at the ways the code is designed to pinpoint possible security flaws.
DAST - Dynamic application security testing (DAST) technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state.

Question 60
The risk left in any system after all countermeasures and strategies have been applied is called:

  • A. Leftover risk
  • B. Mitigated Risk
  • C. Residual Risk
  • D. Annualised Risk

Answer: C

Explanation:
That is the definition of residual risk.

Question 61
CCM: In the CCM tool, a ____ is a measure that modifies risk and includes any process, policy, device, practice or any other action which modifies risk.

  • A. Risk Impact
  • B. Domain
  • C. Control Specification

Answer: C

Question 62
Where does the encryption engine and key reside when doing file-level encryption?

  • A. On the KMS attached to the system
  • B. On the client side
  • C. Encryption engine resides on the server and keys on the client side
  • D. On the instance attached to the system

Answer: D

Explanation:
File-level encryption: database servers typically reside on volume storage. For this deployment, you are encrypting the volume or folder of the database, with the encryption engine and keys residing on the instances attached to the volume.
External file system encryption protects from media theft, lost backups, and external attack, but does not protect against attacks with access to the application layer, the instance's OS, or the data.

Question 63
John's laptop was stolen. He had saved all his passwords in a text file stored on his laptop. The adversary used the passwords from the text file and gained access to the company's network and sensitive databases, of which John was the database administrator. This resulted in the theft of thousands of customers' information. This incident could have been prevented by:

  • A. Data Loss Prevention Implementation
  • B. Web Application Firewall
  • C. Monitoring through SIEM device
  • D. Using multi-factor authentication

Answer: D

Explanation:
Use of multi-factor authentication would have prevented the adversary from logging in to the system. The other mechanisms would not help, as they would see traffic coming from a legitimate user.

Question 64
Cloud services exhibit five essential characteristics that demonstrate their relation to, and differences from, traditional computing approaches. Which one of the five characteristics is described as: a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed?

  • A. Broad network access
  • B. On-demand self-service
  • C. Rapid elasticity
  • D. Resource pooling
  • E. Measured service

Answer: B

Question 65
......

CCSK exam question bank with PDF questions and test engine: https://www.jpntest.com/shiken/CCSK-mondaishu

Contact us

We answer all inquiries within 12 hours.

Online support hours: (UTC+9) 9:00-24:00
Monday through Saturday

Support: contact now