ISC2 CCSP Exam Questions

Page 1 of 50

1.

Which of the following is a type of durable storage that may include features like immutability and integrity protections?

  • Long-term

  • Ephemeral

  • Raw

  • Object

Correct answer: Long-term

Long-term storage refers to durable storage solutions such as Amazon Glacier, Azure Archive Storage, and Google Cloud Coldline, which are designed to store data for extended periods. These solutions often offer features like immutability, meaning stored data cannot be altered, and integrity protections to ensure data remains unchanged over time.

Ephemeral storage is temporary and only exists while an instance is running. Once the instance is terminated, the data stored in ephemeral storage is lost, making it unsuitable for durable or long-term storage.

Raw storage refers to unformatted storage that provides direct access to the underlying hardware. It does not inherently include features like immutability or integrity protections.

Object storage stores data as objects, typically with metadata and unique identifiers. While object storage can be durable and is widely used in cloud environments, immutability and integrity protections are not default features and may require additional configuration.

2.

Bridgit is working for a manufacturing corporation that must protect the personal information of their employees and of their customers. She is looking for a document to provide guidance on how they can and should protect that information. Which of the following standards was developed by a joint privacy task force consisting of the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants?

  • Privacy Management Framework (PMF)

  • General Data Protection Regulation (GDPR)

  • ISO/IEC 27018

  • Sarbanes Oxley (SOX)

Correct answer: Privacy Management Framework (PMF)

The Privacy Management Framework, formerly the GAPP (Generally Accepted Privacy Principles), is a privacy standard developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. PMF contains the main privacy principles and is focused on managing and preventing threats to privacy.

The GDPR is the European Union's (EU) regulation governing the member states' privacy laws.

ISO/IEC 27018 is an international standard to provide guidance to cloud providers acting as data processors. Data processors process data but cannot be employees of the company. The EU GDPR defines processing to include holding or storage of data.

SOX is a U.S. regulation that requires publicly traded companies to protect the integrity of their financial statements.

3.

A cloud data architect is interested in grouping data elements of similar types together. This would allow her to quickly locate similar data in the future and add or verify the security controls. What could the cloud data architect use to accomplish this?

  • Labeling

  • Metadata

  • Hashing

  • Classification

Correct answer: Labeling

Labeling is the process of adding “labels” to data elements. These labels must be configured with consistency throughout the entire organization. Labels are used to group data elements together and provide information about them. The label would contain the classification level for that piece of data. The label is what is used to view what level of sensitivity (classification) a piece of data is so that the security levels can be verified.

Metadata can include the classification level as well, but it is the label that reflects the classification. Metadata would include the data creator or owner, the date of creation, and other similar details.

Hashing is not involved here, but it could be a control used to verify the integrity of the data.

4.

Foster and the Disaster Recovery (DR) team have been working to determine the technologies needed to recover a critical storage device should a failure occur. What the team has been able to determine is that the corporation cannot lose more than five hours' worth of data. They have been working with the Information Technologies (IT) manager to ensure that the cloud solution that they choose can be integrated with the current cloud storage technologies already in place.

Which of the following statements regarding Recovery Time Objectives is true?

  • The technology chosen to meet the RTO must be able to meet the corporate needs

  • The RTO technology must be able to recover the data storage within five hours

  • The technology chosen must be able to meet the five-hour requirement and be cost effective

  • The technology chosen must meet the time requirement for RTO, no matter the cost

Correct answer: The technology chosen to meet the RTO must be able to meet the corporate needs

The RTO is the time it will take to do the work of recovery of the particular system, in this case data storage. The time of five hours in the question is actually the Recovery Point Objective (RPO), which is effectively how much data can be lost, which eliminates two of the answers.

The technology chosen must meet the corporate needs, but spending money no matter the cost is not wise. It is essential for security to spend money wisely. Spending decisions must be made on a cost/benefit basis.

5.

A pharmaceutical corporation is currently designing their data structure within the cloud. They have a lot of data regarding their formulas, past and present, for their drugs that they have developed. The data that they need to store varies in size and format. This data would be described as which of the following?

  • Unstructured data

  • Structured data

  • Correlated data

  • Semistructured data

Correct answer: Unstructured data

Unstructured data is data that is commonly referred to as big data. The five characteristics of big data are volume (size), variety (format), velocity, veracity, and variability.

Structured data is predictable in size and format. It fits very nicely within databases.

Semistructured data is stored in the format of a database but can store unpredictable-sized data as well. A field or attribute that allows for a variable amount of information in that field would be unstructured in nature for that field. That makes for a semistructured format.

Correlated data has a mutual relationship between its elements. The term could be used to describe the information within a table of a database.

6.

As the information security manager, you are working with the Information Technology (IT) manager to aid them in stepping up the management of the IT environment to provide a more effectively managed environment. When IT is managed well, reliability is much higher. This is a fundamental part of information security. To aid the IT manager, you have been tasked with updating the IT best practices for your organization, which includes updating the service strategy to include cloud practices.

Which framework would be perfect here?

  • ITIL (formerly Information Technology Infrastructure Library)

  • National Institute of Standards and Technology (NIST) CyberSecurity Framework (CSF)

  • International Standards Organization/International Electrotechnical Commission (ISO/IEC) 27001

  • COBIT (formerly Control OBjectives for Information Technology)

Correct answer: ITIL

Your organization is most likely using IT Infrastructure Library (ITIL) because it is an IT best practices framework. Its five core subjects are Service strategy, Service design, Service transition, Service operation, and Continual improvement.

NIST CSF provides cybersecurity guidance, not IT best practices. This is advice for cybersecurity. It consists of standards, guidelines, and best practices to manage cybersecurity risk.

ISO/IEC 27001 provides requirements for an Information Security Management System (ISMS). This encompasses IT, but it is a much broader topic: it is about managing information security throughout the entire business. So it is not specific to the topic of IT best practices.

COBIT is a business framework for enterprise governance of IT. This is similar to ISO/IEC 27001. It is a much bigger topic than IT best practices. It is governance of IT.

7.

A multinational conglomerate company manufactures smart appliances that include washing machines and espresso machines. Some of their products have ended up being used by a consulting firm. These products are in the buildings (lights and such) and in the breakrooms (refrigerators). These products are connected to the network and are sending their logs to the Security Information and Event Manager (SIEM). An analyst in the Security Operations Center (SOC) has been analyzing an Indication of Compromise (IoC). The IoC correctly indicates that a bad actor has compromised a virtual desktop, which then led to a compromise of the database.

What does this say about the smart appliances?

  • True negative

  • True positive

  • False negative

  • False positive

Correct answer: True negative

To understand true negatives, it is essential to grasp the concept of a confusion matrix, which is a table that summarizes the performance of a classification model. The confusion matrix consists of four elements:

  1. True Positives (TP): The model correctly predicts positive outcomes when the actual outcomes are indeed positive.
  2. True Negatives (TN): The model correctly predicts negative outcomes when the actual outcomes are indeed negative.
  3. False Positives (FP): The model incorrectly predicts positive outcomes when the actual outcomes are negative.
  4. False Negatives (FN): The model incorrectly predicts negative outcomes when the actual outcomes are positive.

Because there is nothing that the analyst sees about the smart appliances and there is a compromise between the virtual desktop and the database, there is no problem with the smart appliances. Therefore, it is true that there are no (negative) IoCs regarding the smart appliances being attacked.

8.

A small company is opening downtown, and they will be processing credit cards using Software as a Service (SaaS) technology. The security manager is learning that it is necessary to protect the credit card data that will be in their possession. The customer's name and account information are considered what type of data?

  • Personally Identifiable Information (PII)

  • Protected Health Information (PHI)

  • Payment Card Industry (PCI)

  • Application Programming Interface (API)

Correct answer: Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is a type of data that can either directly or indirectly identify an individual. The customer's name and account information would be considered Cardholder Data (CD), which is a specific type of PII that relates to information such as credit/debit card numbers, security codes, expiration dates, and any information that ties these items to the cardholder.

PCI is the industry. The requirement to protect any credit card data is a contractual agreement with the PCI. That agreement is known as the Payment Card Industry Data Security Standard (PCI DSS). This is not the right answer because the question asks about the type of data, not the industry.

PHI is health data that must be protected in the US under the Health Insurance Portability and Accountability Act (HIPAA). The question is about credit cards, not health information.

APIs are request/response protocols such as Representational State Transfer (REST) and SOAP. APIs may be used to communicate with SaaS, but that is not the focus of the question.

9.

An organization is MOST LIKELY to embrace infrastructure as code (IaC) to enhance its processes in which of the following areas?

  • Configuration Management

  • Release Management

  • Problem Management

  • Change Management

Correct answer: Configuration Management

Standards such as the Information Technology Infrastructure Library (ITIL) and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000-1 define operational controls and standards, including:

  • Change Management: Change management defines a process for changes to software, processes, etc., reducing the risk that systems will break due to poorly managed changes. A formal change request should be submitted and approved or denied by a change control board after a cost-benefit analysis. If approved, the change will be implemented and tested. The team should also have a plan for how to roll back the change if something goes wrong.
  • Continuity Management: Continuity management involves managing events that disrupt availability. After a business impact assessment (BIA) is performed, the organization should develop and document processes for prioritizing the recovery of affected systems and maintaining operations throughout the incident.
  • Information Security Management: Information security management systems (ISMSs) define a consistent, company-wide method for managing cybersecurity risks and ensuring the confidentiality, integrity, and availability of corporate data and systems. Relevant frameworks include the ISO 27000 series, the NIST Risk Management Framework (RMF), and AICPA SOC 2.
  • Continual Service Improvement Management: Continual service improvement management involves monitoring and measuring an organization's security and IT services. This practice should be focused on continuous improvement, and an important aspect is ensuring that metrics accurately reflect the current state and the potential for process improvement.
  • Incident Management: Incident management refers to addressing unexpected events that harm the organization. Most incidents are managed by a corporate security team, which should have a defined and documented process in place for identifying and prioritizing incidents, notifying stakeholders, and remediating the incident.
  • Problem Management: Problems are the root causes of incidents, and problem management involves identifying and addressing these issues to prevent or reduce the impact of future incidents. The organization should track known incidents and have steps documented to fix them or workarounds to provide a temporary fix.
  • Release Management: Agile methodologies speed up the development cycle and leverage automated CI/CD pipelines to enable frequent releases. Release management processes ensure that software has passed required tests and manages the logistics of the release (scheduling, post-release testing, etc.).
  • Deployment Management: Deployment management involves managing the process from code being committed to a repository to it being deployed to users. In automated CI/CD pipelines, the focus is on automating testing, integration, and deployment processes. Otherwise, an organization may have processes in place to perform periodic, manual deployments.
  • Configuration Management: Configuration errors can render software insecure and place the organization at risk. Configuration management processes formalize the process of defining and updating the approved configuration to ensure that systems are configured to a secure state. Infrastructure as Code (IaC) provides a way to automate and standardize configuration management by building and configuring systems based on provided definition files.
  • Service Level Management: Service level management deals with IT’s ability to provide services and meet service level agreements (SLAs). For example, IT may have SLAs for availability, performance, number of concurrent users, customer support response times, etc.
  • Availability Management: Availability management ensures that services will be up and usable. Redundancy and resiliency are crucial to availability. Additionally, cloud customers will be partially responsible for the availability of their services (depending on the service model).
  • Capacity Management: Capacity management refers to ensuring that a service provider has the necessary resources available to meet demand. With resource pooling, a cloud provider will have fewer resources than all of its users will use, but it relies on them not using all of the resources at once. Often, capacity guarantees are mandated in SLAs.

10.

Which of the following is NOT one of the three main objectives of IRM?

  • Enforcement

  • Data rights

  • Provisioning

  • Access models

Correct answer: Enforcement

Information rights management (IRM) involves controlling access to data, including implementing access controls and managing what users can do with the data. The three main objectives of IRM are:

  • Data Rights: Data rights define what users are permitted to do with data (read, write, execute, forward, etc.). It also deals with how those rights are defined, applied, changed, and revoked.
  • Provisioning: Provisioning is when users are onboarded to a system and rights are assigned to them. Often, this uses roles and groups to improve the consistency and scalability of rights management, as rights can be defined granularly for a particular role or group and then applied to everyone that fits in that group.
  • Access Models: Access models take how data is accessed into account when defining rights. For example, data presented via a web application has different potential rights (read, copy-paste, etc.) than data provided in files (read, write, execute, delete, etc.).

Enforcement is not the main objective of IRM.

11.

It is necessary within a business to control data at all stages of the lifecycle. Erika is working at a corporation to set up, deploy, and monitor a Data Loss Prevention (DLP) solution. Which component of DLP is involved in the process of applying corporate policy regarding storage of data?

  • Enforcement

  • Discovery

  • Identification

  • Monitoring

Correct answer: Enforcement

DLP is made up of three major components: discovery, monitoring, and enforcement. Enforcement is the final stage of DLP implementation. It is the enforcement component that applies policies and then takes actions, such as deleting data.

Identification is the first piece of IAAA and is the statement of who you claim to be, such as a user ID.

The CSA SecaaS Category 2 document is a good read on the topic of DLP and the cloud and is highly recommended.

12.

AWS Lambda is BEST described by which of the following cloud service models?

  • FaaS

  • SaaS

  • IaaS

  • PaaS

Correct answer: FaaS

Cloud services are typically provided under three main service models:

  • Software as a Service (SaaS): Under the SaaS model, the cloud provider offers the customer access to a complete application developed by the cloud provider. Webmail services like Google Workspace and Microsoft 365 are examples of SaaS offerings.
  • Platform as a Service (PaaS): In a PaaS model, the cloud provider offers the customer a managed environment where they can build and deploy applications. The cloud provider manages compute, data storage, and other services for the application.
  • Infrastructure as a Service (IaaS): In IaaS, the cloud provider offers an environment where the customer has access to various infrastructure building blocks. AWS, which allows customers to deploy virtual machines (VMs) or use block data storage in the cloud, is an example of an IaaS platform.

Function as a Service (FaaS) is a form of PaaS in which the customer creates individual functions that can run in the cloud. Examples include AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions.

13.

Which of the following is likely to REDUCE downtime?

  • Remove SPOFs

  • Increase SPOFs

  • Create backups of the most important servers in the environment

  • Perform updates and upgrades during non-business hours

Correct answer: Remove SPOFs

Single points of failure (SPOFs) are components in a system without redundancy, whose failure can cause downtime. Eliminating them reduces downtime risk.

Many cloud customers expect their systems to be available at all times. To maintain high availability, it's critical to ensure that there are not any single points of failure. While it's good practice to perform updates and upgrades outside a business' normal operating hours, many organizations today have locations across the globe and operate 24 hours a day. This means that downtime at any time is going to be unacceptable. Cloud providers must find a way to perform updates and upgrades without causing any downtime.

Backing up systems is very important, but all systems must be backed up, not just a select few.

Maintenance can't be scheduled only a couple of times a year. It must be done whenever necessary, so it's important to be able to do the maintenance without causing any downtime to the customer. Updates and upgrades during non-business hours are a little difficult if this is a global company. There are ways in the cloud to do upgrades in a way that does not cause customer downtime. Orchestration is a good tool to begin that discussion.

14.

Your organization is considering using a data rights management solution that provides replication restrictions. Which of the following is the MOST accurate description of this functionality?

  • The illicit or unauthorized copying of data is prohibited

  • Dates and time-limitations can be applied

  • Permissions can be modified after a document has been shared

  • Data is secure no matter where it is stored

Correct answer: The illicit or unauthorized copying of data is prohibited

Replication restrictions ensure that no unauthorized or unlawful copying of protected data occurs.

Dates and time-limitations are exactly that. They allow the company to control when and for how long someone can access a particular file.

The company that controls the content can modify the level of access someone has, even after the document has been shared.

The security mechanisms persist with the document no matter where the data is stored.

15.

An SPOF means that a component or system does NOT have which of the following?

  • Redundancy

  • Confidentiality

  • Disaster recovery plan

  • Logging and monitoring

Correct answer: Redundancy

A cloud environment should not include single points of failure (SPOFs) where the outage of a single component brings down a service. High availability and duplicate systems are important for redundancy and resiliency.

A SPOF does not directly imply that an organization or environment lacks a disaster recovery plan, logging and monitoring, or confidentiality.

16.

Abigail is designing the infrastructure of Identity and Access Management (IAM) for her organization's future Platform as a Service (PaaS) environment. As she is setting up identities, she knows that which of the following is true of roles?

  • Roles are temporarily assumed by another identity

  • Roles are permanently assumed by a user or group

  • Roles are assigned to specific users permanently and occasionally assumed

  • Roles are the same as user identities

Correct answer: Roles are temporarily assumed by another identity

Roles are not the same as they are in traditional data centers. Roles are in a way similar to traditional roles in that they allow a user or group a certain amount of access. The group is closer to what we traditionally called roles in Role Based Access Control (RBAC). In the cloud, roles are assumed temporarily. You can assume roles in a variety of ways, but, again, they are temporary.

The user is not permanently assigned a specific role. A user will log in as their user identity, then assume a role. This is temporary (e.g., for 15 hours or only the life of that session).

Note the distinction between assigning and assuming roles — you might have access to certain permissions, but you only use the role and those permissions occasionally.

An additional resource for your review/study is on the AWS website. Look for the user guide regarding roles.

17.

Which of the following best practices is MOST related to preventing abuse of management functionality?

  • Isolated Network and Robust Access Controls

  • Redundancy

  • Scheduled Downtime and Maintenance

  • Configuration Management and Change Management

Correct answer: Isolated Network and Robust Access Controls

Some best practices for designing, configuring, and securing cloud environments include:

  • Redundancy: A cloud environment should not include single points of failure (SPOFs) where the outage of a single component brings down a service. High availability and duplicate systems are important to redundancy and resiliency.
  • Scheduled Downtime and Maintenance: Cloud systems should have scheduled maintenance windows to allow patching and other maintenance to be performed. This may require a rotating maintenance window to avoid downtime.
  • Isolated Network and Robust Access Controls: Access to the management plane should be isolated using access controls and other solutions. Ideally, this will involve the use of VPNs, encryption, and least privilege access controls.
  • Configuration Management and Change Management: Systems should have defined, hardened default configurations, ideally using infrastructure as code (IaC). Changes should only be made via a formal change management process.
  • Logging and Monitoring: Cloud environments should have continuous logging and monitoring, and vulnerability scans should be performed regularly.

18.

Which technology provides a distributed and secure data management solution that leverages the cloud while maintaining data privacy and control?

  • Private

  • Public

  • Consortium

  • Hybrid

Correct answer: Private

There are four types of blockchain: private, public, consortium, and hybrid. 

Private blockchains are restricted to a specific group of participants who are granted access and permission to the network. They are typically used within organizations or consortia where participants trust each other and require more control over the network. Private blockchains offer higher transaction speeds and privacy but sacrifice decentralization compared to public blockchains.

Public blockchains, such as Bitcoin and Ethereum, are open to anyone and allow anyone to participate in the network, verify transactions, and create new blocks. They are decentralized and provide a high level of transparency and security. Public blockchains use consensus mechanisms, such as Proof of Work (PoW) or Proof of Stake (PoS), to validate transactions and secure the network.

Consortium blockchains are a hybrid of public and private blockchains. They are operated by a consortium or a group of organizations that have a shared interest in a particular industry or use case. Consortium blockchains provide a controlled and permissioned environment, while still allowing multiple entities to participate in the consensus and decision-making process.

Permissioned blockchains require users to have permission to join and participate in the network. They are typically used in enterprise settings where access control and governance are critical. Permissioned blockchains offer faster transaction speeds and are more scalable than public blockchains, but they sacrifice some decentralization and censorship resistance.

The hybrid blockchain approach allows organizations to leverage the benefits of decentralization, transparency, and immutability from public blockchains while maintaining control, privacy, and scalability through private components. It offers a flexible solution that can cater to specific business requirements and regulatory considerations.

19.

Cruz, an engineer at Acme Inc., wants to run and analyze a potentially malicious software executable. Which of the following types of environments is BEST for this situation?

  • Sandbox

  • QA environment

  • Dev environment

  • Alpine container

Correct answer: Sandbox

Sandboxing is when applications are run in an isolated environment known as a sandbox, often without access to the Internet or other external systems. Sandboxing can be used for testing application code without placing the rest of the environment at risk or evaluating whether a piece of software contains malicious functionality.

QA and dev environments are preproduction environments commonly used as part of the software development process. While testing in these environments is better than testing in production, a sandbox is a better way to reduce risk.

Alpine is a lightweight operating system that often runs in containers. A sandbox may be a container, but a container is not necessarily a safe sandbox environment.

20.

You are working in Germany for a health care company. It is necessary for the company to ensure that they protect the personal data of the patients. One of the things that the corporation must do is ensure that they have a record of who accessed what record at any given time. How would they have confirmation of which user accessed a record?

  • Authentication

  • Authorization

  • Identification

  • Federation

Correct answer: Authentication

Authentication is the process of confirming an identity through the use of one or more of the factors of authentication. Authentication can be done with something you know, have, or are.

Identification is the first piece of that puzzle, which should allow a user to uniquely state their identity to a system through something like a user ID or email address. This is not the correct answer because of the word confirmation in the question. Identification is just a statement of the user's name, effectively. It does not prevent a user from lying or misstating an identity.

Authorization is the process of granting access to resources. Common methods are Access Control Lists (ACL) and Role-Based Access Control (RBAC). Permissions, such as read or write, are granted at this point.

Federation is the process of implementing standard processes and technologies across various organizations so that they can join their identity management systems together.