ISC2 CCSP Exam Questions
Page 7 of 50
121.
Through the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15408-1:2009, what does an EAL2 score tell us about the organization's security practices and results?
-
It has been structurally tested
-
It has been functionally tested
-
It has been methodically tested and checked
-
It has a formally verified design and has been tested
Correct answer: It has been structurally tested
ISO/IEC 15408 is known as the Common Criteria. It is an evaluation standard for security products (the Target of Evaluation), designed so that evaluations performed by different licensed laboratories in different countries produce comparable results for similar products. Note that an EAL describes how deeply and rigorously the product was evaluated, not how strong its security is or how good the vendor organization's practices are: an EAL4 firewall is not necessarily more secure than an EAL2 one, it has simply been examined more thoroughly against its own security target.
The Evaluation Assurance Levels (EALs) are:
- EAL1 - Functionally tested
- EAL2 - Structurally tested
- EAL3 - Methodically tested and checked
- EAL4- Methodically designed, tested, and reviewed
- EAL5 - Semi-formally designed and tested
- EAL6 - Semi-formally verified design and tested
- EAL7 - Formally verified design and tested
Although this is a very simple question, it is worth noting that this is information that could be useful to know for the test.
122.
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) 2 is aimed at protecting the five trust principles. They are:
-
Security, Confidentiality, Processing Integrity, Availability, and Privacy
-
Confidentiality, Integrity, Availability, Privacy, and Sensitivity
-
Security, Confidentiality, Integrity, Availability, and Classification
-
Availability, Processing Integrity, Sensitivity, Privacy, and Non-repudiation
Correct answer: Security, Confidentiality, Processing Integrity, Availability, and Privacy
The AICPA defines the five trust services criteria (formerly called trust services principles) as Security, Confidentiality, Processing Integrity, Availability, and Privacy. Security is the only criterion required in every SOC 2 report; the others are included according to the commitments the service organization makes.
Sensitivity and classification are subjects that businesses do need to concern themselves with, but they are not SOC 2 criteria. A classification label, such as Secret, indicates the level of sensitivity of a piece of data and tells employees how it must be protected, as defined in corporate policy.
Non-repudiation means that a person cannot credibly deny having performed an action, such as signing a contract or sending an email. It is usually accomplished with asymmetric cryptography: the user digitally signs what they created with a private key that only they hold. A signature by itself only proves that the key was used, so it is supported by controls that bind the key to a person and establish that they were the one using it:
- Public Key Infrastructure (PKI), which binds the public key to a verified identity
- Badge-controlled doors, which record who entered the area where the key was used
- Logins to the computer and/or network, which record who was authenticated on the device
- Video cameras around the business
- etc.
123.
Cloud providers that are at tier 3 must have multiple and independent power feeds to ensure redundancy. What else is needed in case of a power failure on one of the power feeds?
-
Generator and Uninterruptible Power Supply (UPS)
-
Generator and second power feed
-
Second power feed and Uninterruptible Power Supply (UPS)
-
Third power feed and a generator
Correct answer: Generator and Uninterruptible Power Supply (UPS)
Cloud providers need multiple independent utility feeds so that the loss of one feed does not interrupt power. Even so, switching between feeds is not instantaneous, and both feeds can be lost in a regional outage, so the facility also needs a UPS and a generator, and they play different roles: the UPS (batteries or flywheels) carries the load for the seconds to minutes it takes the generator to start and stabilize, and the generator then sustains the load for as long as the outage lasts. A UPS alone runs out of stored energy; a generator alone leaves a gap while it starts.
The answers containing "second power feed" are incorrect because the question already states that multiple feeds exist. A third feed is not required; it may be worthwhile, but it does not close the gap that the UPS and generator cover.
124.
Which of the following is NOT a way that Agile differs from Waterfall?
-
One-way movement through phases
-
Ability to address only some requirements
-
Iterative process
-
Shorter development cycles
Correct answer: One-way movement through phases
Software development teams can use various development methodologies. Some of the most common include:
- Waterfall: The waterfall methodology strictly enforces the phases of the SDLC in order. Generally, every part of each phase must be completed before moving on to the next; some variants allow stepping back to an earlier phase when needed, or addressing only a subset of the requirements in each pass through the phases.
- Agile: Agile development methodologies differ from Waterfall in that they are iterative. During each iteration, the team identifies requirements and works to fulfill them in a set (short) period before moving on to the next phase. Shorter development cycles enable the team to adapt to changing requirements, and Agile practices commonly embrace automation to support repeated processes and security testing (DevSecOps) to streamline the development process.
125.
Which of the following SOC duties involves continuous monitoring and investigation?
-
Threat Detection
-
Threat Prevention
-
Incident Management
-
Quality Assurance
Correct answer: Threat Detection
The security operations center (SOC) is responsible for managing an organization’s cybersecurity. Some of the key duties of the SOC include:
- Threat Prevention: Threat prevention involves implementing processes and security controls designed to close potential attack vectors and security gaps before they can be exploited by an attacker.
- Threat Detection: SOC analysts use Security Information and Event Management (SIEM) solutions and various other security tools to identify, triage, and investigate potential security incidents to detect real threats to the organization.
- Incident Management: If an incident has occurred, the SOC may work with the incident response team (IRT) to contain, investigate, remediate, and recover from the identified incident.
Quality Assurance is not a core SOC responsibility.
126.
Which of the following roles ensures that data's context and meaning are understood and that it is used properly?
-
Data Steward
-
Data Owner
-
Data Custodian
-
Data Processor
Correct answer: Data Steward
There are several roles and responsibilities related to data ownership, including:
- Data Owner: The data owner creates or collects the data and is responsible for it.
- Data Custodian: A data custodian is responsible for maintaining or administering the data, including securing it according to the instructions of the data owner.
- Data Steward: The data steward ensures that the data’s context and meaning are understood and that it is used properly.
- Data Processor: A data processor uses the data, including manipulating, storing, or moving it. Cloud providers are data processors.
127.
Careful design and filtering is important to avoid information overload for which of the following cloud audit mechanisms?
-
Log Collection
-
Correlation
-
Packet Capture
-
Access Controls
Correct answer: Log Collection
Three essential audit mechanisms in cloud environments include:
- Log Collection: Log files contain useful information about events that can be used for auditing and threat detection. In cloud environments, it is important to identify useful log files and collect this information for analysis. However, data overload is a common issue with log management, so it is important to collect only what is necessary and useful.
- Correlation: Individual log files provide a partial picture of what is going on in a system. Correlation looks at relationships between multiple log files and events to identify potential trends or anomalies that could point to a security incident.
- Packet Capture: Packet capture tools collect the traffic flowing over a network. In the cloud this is often only possible in an IaaS environment, by running capture tools on your own instances, or through a provider-supplied mirroring feature such as AWS VPC Traffic Mirroring; PaaS and SaaS providers generally do not expose raw traffic to customers.
Access controls are important but not one of the three core audit mechanisms in cloud environments.
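The detection and correlation duties described under question 125, and the filtering and correlation mechanisms described above, as a worked example that is not from the original page: a small SIEM-style pipeline that drops noise at collection, parses the remaining sshd-style lines, and correlates them with a second, hypothetical cloud API audit source. The log formats, thresholds and list of sensitive actions are constructed assumptions, not any vendor's defaults.

```python
"""Collect, filter, correlate: a minimal SIEM-style detection pipeline.

Added example, not from the original page. The log formats are constructed
for illustration: sshd-style auth lines, and a simplified hypothetical cloud
API audit log (timestamp, source IP, principal, action). Thresholds and the
list of sensitive actions are assumptions, not vendor defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed sample input (not real logs) ---------------------------
AUTH_LOG = """\
2024-05-01T10:00:01Z host1 sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
2024-05-01T10:00:03Z host1 sshd[102]: Failed password for root from 203.0.113.9 port 51002 ssh2
2024-05-01T10:00:04Z host1 CRON[200]: pam_unix(cron:session): session opened for user root
2024-05-01T10:00:05Z host1 sshd[103]: Failed password for root from 203.0.113.9 port 51003 ssh2
2024-05-01T10:00:07Z host1 sshd[104]: Failed password for root from 203.0.113.9 port 51004 ssh2
2024-05-01T10:00:09Z host1 sshd[105]: Failed password for root from 203.0.113.9 port 51005 ssh2
2024-05-01T10:00:40Z host1 sshd[106]: Accepted password for deploy from 203.0.113.9 port 51010 ssh2
2024-05-01T10:01:00Z host1 sshd[107]: Disconnected from user deploy 203.0.113.9 port 51010
2024-05-01T10:05:00Z host1 sshd[108]: Failed password for bob from 198.51.100.7 port 40000 ssh2
2024-05-01T10:05:30Z host1 sshd[109]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
"""
API_LOG = """\
2024-05-01T10:02:15Z 203.0.113.9 deploy iam:CreateAccessKey
2024-05-01T10:06:00Z 198.51.100.7 bob s3:GetObject
"""

# Collection policy: only authentication outcomes are kept; everything else
# (cron session noise, disconnect messages) is dropped at ingest.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
FAIL_THRESHOLD = 4                       # assumed: failures before a success that matter
WINDOW = timedelta(minutes=5)            # assumed: look-back for those failures
ESCALATION_WINDOW = timedelta(minutes=10)
SENSITIVE_ACTIONS = {"iam:CreateAccessKey", "iam:AttachUserPolicy"}  # assumed list


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text):
    """Return (events, dropped): parsed login outcomes and the count of lines
    filtered out because they carry nothing this detection needs."""
    events, dropped = [], 0
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            dropped += 1
            continue
        events.append({"ts": _ts(m["ts"]), "ip": m["ip"], "user": m["user"],
                       "ok": m["outcome"] == "Accepted"})
    return events, dropped


def parse_api(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, principal, action = line.split()
        events.append({"ts": _ts(ts), "ip": ip, "principal": principal, "action": action})
    return events


def correlate(auth_events, api_events):
    """Rule: a successful login from an IP that produced >= FAIL_THRESHOLD
    failures in the preceding WINDOW is suspicious (high). If the same IP then
    performs a sensitive API action within ESCALATION_WINDOW, raise to critical.
    Joining the two sources is what turns two ordinary events into an alert."""
    by_ip = defaultdict(list)
    for e in auth_events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            failures = [f for f in evs[:i] if not f["ok"] and f["ts"] >= e["ts"] - WINDOW]
            if len(failures) < FAIL_THRESHOLD:
                continue
            alert = {"ip": ip, "user": e["user"], "failures": len(failures),
                     "severity": "high",
                     "reason": f"login success after {len(failures)} failures"}
            for a in api_events:
                if (a["ip"] == ip and a["action"] in SENSITIVE_ACTIONS
                        and e["ts"] <= a["ts"] <= e["ts"] + ESCALATION_WINDOW):
                    alert["severity"] = "critical"
                    alert["reason"] += f"; then {a['action']} by {a['principal']}"
                    break
            alerts.append(alert)
    return alerts


def detect(auth_text=AUTH_LOG, api_text=API_LOG):
    """Run the pipeline; returns (alerts, number_of_lines_filtered_out)."""
    auth_events, dropped = parse_auth(auth_text)
    return correlate(auth_events, parse_api(api_text)), dropped


if __name__ == "__main__":
    alerts, dropped = detect()
    print(f"{dropped} noise lines dropped at collection")
    for a in alerts:
        print(a)
```

Run as a script, the block prints one critical alert for 203.0.113.9 and none for 198.51.100.7. Neither source is alarming on its own (a handful of failed logins; a key creation by an authenticated principal), which is why the correlation step, not the collection step, produces the finding.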
128.
Which of the following is NOT one of the main risks that needs to be assessed during the Business Impact Analysis (BIA) phase of developing a Disaster Recovery (DR) plan?
-
Budgetary constraints applied by management
-
Load capacity at the disaster recovery site
-
Migration of services to the alternate site
-
Legal and contractual issues from failures
Correct answer: Budgetary constraints applied by management
As with any new system or plan being implemented, it's important to assess the risks of the changes. Budgetary constraints are not a main risk when developing a DR plan.
The main risks associated with developing a BCDR plan include the load capacity at the BCDR site, migration of services, and legal or contractual issues.
129.
In which of the following cloud environments is the company most likely responsible for maintaining a UPS?
-
Private Cloud
-
Public Cloud
-
Community Cloud
-
Multi-Cloud
Correct answer: Private Cloud
An uninterruptible power supply (UPS) is an emergency power device that is often part of the physical infrastructure in a data center.
The physical environment where cloud resources are hosted depends on the cloud model in use:
- Public Cloud: Public cloud infrastructure will be hosted by the CSP within their data centers.
- Private Cloud: Private clouds are usually hosted by an organization within its own data center, so the organization owns and maintains the UPS and the rest of the physical plant. Third-party CSPs also offer hosted private clouds and virtual private cloud (VPC) services; in those cases the provider still maintains the physical infrastructure.
- Community Cloud: In a community cloud, one member of the community hosts the cloud infrastructure in their data center. Third-party CSPs can also host community clouds in an isolated part of their environment.
Hybrid and multi-cloud environments will likely have infrastructure hosted by different organizations. A hybrid cloud combines public and private cloud environments, and a multi-cloud infrastructure uses multiple cloud providers' services.
130.
To access their cloud environment remotely, a cloud administrator sets up a web server in a demilitarized zone (DMZ) that is publicly accessible from the internet and hardens it against attack. Which of the following did the cloud administrator create?
-
Bastion host
-
Virtual Private Cloud (VPC)
-
Micro-segmentation
-
Firewall
Correct answer: Bastion host
A bastion host is a hardened, fortified system that is deliberately exposed to an untrusted network and serves as the single point of entry to the environment behind it. Hardening means changing default credentials (or disabling password logins in favor of keys or certificates), closing unnecessary ports, disabling unnecessary services, keeping the system patched, and logging every session; because the bastion is reachable from the internet, it should offer nothing beyond the access service it exists to provide.
A VPC is an isolated virtual network within a public cloud. The isolation makes it harder for bad actors to interfere with business processes, but a VPC is a network boundary, not a hardened host.
Micro-segmentation divides a virtual network into very small segments, each containing one or just a few workloads behind its own policy or firewall, so that an attacker who compromises one workload cannot move freely to the others.
A firewall is a security device that blocks or allows traffic based on policy. It should be a hardened device as well, hopefully by design.
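One way to verify the hardening steps listed above, as an added example that is not the page's own: audit an sshd_config and a listening-socket listing against a bastion baseline, with a weak configuration shown beside a hardened one. The baseline, the OpenSSH defaults assumed for absent keywords, and the sample inputs are constructed assumptions; adapt the baseline to your own build standard.

```python
"""Bastion host hardening check: sshd_config settings and listening ports.

Added example, not from the page. The baseline, the OpenSSH defaults used
for absent keywords, and the sample configs and socket listings are
constructed for illustration; adapt the baseline to your own build standard.
"""
import re

# Assumed baseline for an internet-facing bastion.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",   # keys only: no default password to guess
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "loglevel": "verbose",            # records key fingerprints for every session
}
MAX_AUTH_TRIES = 3
# OpenSSH server defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "loglevel": "info",
    "maxauthtries": "6",
}
ALLOWED_PORTS = {22}  # the only service a bastion should expose

# --- constructed sample inputs ------------------------------------------
WEAK_SSHD_CONFIG = """\
# as installed: root and password logins accepted from the internet
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
PermitRootLogin yes   # ignored by sshd: the first value for a keyword wins
"""
# Shape of `ss -ltn` output (constructed).
WEAK_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*
LISTEN 0      128    127.0.0.1:25      0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*
"""
HARDENED_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*
"""


def parse_sshd_config(text):
    """Effective keyword -> value map (lower-cased). sshd keeps the FIRST
    value it reads for each keyword, so later duplicates are ignored here as
    well. Keywords inside a 'Match' block are conditional and are not
    evaluated by this simple check, so parsing stops there."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective


def audit_sshd(config_text):
    cfg = parse_sshd_config(config_text)
    findings = [f"{key}: got {cfg.get(key)!r}, expected {want!r}"
                for key, want in BASELINE.items() if cfg.get(key) != want]
    if int(cfg["maxauthtries"]) > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: got {cfg['maxauthtries']}, expected <= {MAX_AUTH_TRIES}")
    return findings


def audit_listeners(ss_output):
    """Flag TCP listeners reachable beyond loopback that are not allow-listed."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        if addr.strip("[]") in ("127.0.0.1", "::1"):
            continue  # local-only; not reachable from the untrusted side
        if int(port) not in ALLOWED_PORTS:
            findings.append(f"unexpected listener on {parts[3]}")
    return findings


def audit_bastion(config_text, ss_output):
    """All findings for a host; an empty list means the host meets the baseline."""
    return audit_sshd(config_text) + audit_listeners(ss_output)


if __name__ == "__main__":
    for name, cfg, ss in (("weak", WEAK_SSHD_CONFIG, WEAK_LISTENERS),
                          ("hardened", HARDENED_SSHD_CONFIG, HARDENED_LISTENERS)):
        print(name, audit_bastion(cfg, ss) or "OK")
```

The weak host produces six findings (root login, password authentication, X11 forwarding, log level, auth retries, and an exposed port 80); the hardened host produces none. The trailing `PermitRootLogin yes` in the hardened file is deliberately left in to show that sshd's first-match rule, which the parser reproduces, makes it harmless.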
131.
Jorge is working with a cloud provider in their data center. This data center has 1,240 servers running Type 1 hypervisors to provide Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to their customers. In addition to the servers, they have routers, switches, firewalls, and a Storage Area Network (SAN). They have Uninterruptible Power Supplies (UPS) and generators to maintain power to the server racks if there's a power outage. To supply fuel to the generators, they also have full fuel tanks. To ensure that their data center does not overheat, they also have chillers and cooling units.
What tier data center is this?
-
Tier 2
-
Tier 1
-
Tier 3
-
Tier 4
Correct answer: Tier 2
The Uptime Institute publishes the most widely used data center tier standard, a series of four tiers (Tier I through Tier IV), and certifies designs and constructed facilities against it.
A Tier I data center has dedicated site infrastructure with a single, non-redundant path for power and cooling: UPS, generator, fuel tanks, and pumps to ride through utility outages.
A Tier II data center has everything found in Tier I plus redundant capacity components (N+1 UPS modules, generators, chillers, and cooling units), but still a single distribution path. This matches the data center in the question: redundant power and cooling equipment, with nothing said about redundant distribution paths or concurrent maintainability.
A Tier III data center adds multiple independent distribution paths for power and cooling (only one needs to be active) and is concurrently maintainable: any component or path can be taken out of service for planned maintenance without shutting down the IT load, so a power supply or line card can be replaced while equipment keeps running.
A Tier IV data center is fault tolerant: multiple simultaneously active distribution paths and physically isolated redundant systems, so that a single unplanned failure does not affect the IT load. Exam materials often summarize Tier III as 2N and Tier IV as 2N+1 (more than double the equipment needed for normal operations); the defining features are concurrent maintainability for Tier III and fault tolerance for Tier IV.
132.
Which of the following statements is TRUE regarding a compromised hypervisor?
-
A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors
-
A compromised hypervisor is only a threat to the virtual machines hosted on it and not other hypervisors in the environment
-
A compromised hypervisor is only a threat to other hypervisors in the environment but not a threat to the actual virtual machines
-
A compromised hypervisor can be used to attack network devices, but it can't be used to attack other hypervisors in the environment
Correct answer: A compromised hypervisor can be used to attack all virtual machines on that hypervisor and also be used to attack other hypervisors
A compromised hypervisor can have serious consequences. If an attacker can compromise a hypervisor, they will then have access to all the virtual machines that are hosted on that hypervisor. In addition, the attacker could use the hypervisor as a launching pad for additional attacks on other hypervisors since each hypervisor plays a central role in the cloud environment.
133.
Acme Inc. is conducting a risk assessment. They want to understand the likely cost, in US dollars, of a vulnerability in a legacy system. To facilitate this assessment, Charlie, an engineering manager at Acme Inc., is calculating the cost of one instance of an exploit occurring.
What type of risk assessment is Acme Inc. performing, and what value is Charlie calculating?
-
Quantitative assessment, SLE
-
Quantitative assessment, ARO
-
Qualitative assessment, ARO
-
Quantitative assessment, ALE
Correct answer: Quantitative assessment, SLE
Quantitative risk assessments use numeric values to analyze risk. In this case, Acme Inc. is using US dollars. Qualitative assessments use descriptive values (e.g., high, low, critical).
Single loss expectancy (SLE) is the loss expected from a single occurrence of an event: SLE = asset value (AV) × exposure factor (EF), where EF is the fraction of the asset's value lost in one incident.
Annual rate of occurrence (ARO) is how often per year the event is expected to occur.
Annual loss expectancy (ALE) is the expected loss per year attributed to the event: ALE = SLE × ARO. ALE is the figure compared against the annual cost of a control to decide whether the control is worth implementing.
134.
Diedra is responsible as the information security manager for protecting the data that the business owns. As a real estate business, they have an immense number of photos and videos that they have taken over the years of homes that they have helped their customers sell. They also have all the signed contractual documents for the homes that their customers have both bought and sold. They also offer a home improvement service, so there is a large number of photos for inspiration that they can show their customers as they design their dream homes.
To store the data, Diedra's team implements an object-oriented database that uses tags as metadata to enable searches and organization. What term BEST describes this type of data?
-
Semi-structured data
-
Structured data
-
Unstructured data
-
Personal data
Correct answer: Semi-structured data
Semi-structured data has some structure, but not the rigid schema of structured data such as a relational database. Tagging is often used with semi-structured data because it adds organization without being too rigid. Formats like JSON and XML, and markup like HTML, are common examples of semi-structured data, and an object store that attaches tags or key-value metadata to each object is a common practical example.
Unstructured data is any data that does not conform to a defined structure or format. Examples include emails, pictures, videos, and free-text files. The photos, videos, and scanned contracts in the question are unstructured on their own; the tagging layer is what makes the collection semi-structured.
Structured data is predictable in format and size. A relational database table is the classic example: every record (row) has exactly the same attributes (columns), each with a fixed data type. Semi-structured data is partly predictable (the tags follow a convention) while the content itself is not.
Personal data is information about an identifiable natural person, such as name, address, and phone number. The question involves some personal data in the customer contracts, but it is only a small piece of the dataset and does not describe the data's form.
135.
A financial organization is going to hire another company to do some testing. They are not going to give any special knowledge of their cloud Infrastructure as a Service (IaaS) environment to the company for testing. Instead, they are going to test using the same techniques, toolsets, and methodologies that an actual bad actor would use to attack and compromise the IaaS.
What type of test is being described here, and what conditions should be met before testing?
-
Black box penetration test with permission and approval from the cloud provider
-
Black box vulnerability scan with permission and assistance from the cloud provider
-
White box static application security testing with approval from the cloud provider
-
White box penetration test with permission and assistance from the cloud provider
Correct answer: Black box penetration test with permission and approval from the cloud provider
During a penetration test, the tester actively tries to break into live systems. This simulates a real-world attack, so the tester uses the same techniques, methodologies, and toolsets that an actual attacker would. Because the target is an IaaS environment, the underlying infrastructure is owned and operated by the cloud provider, so the provider's permission and approval are required; its assistance is not, since a black box test by definition receives no inside help. In practice, check the provider's published penetration testing policy: some major providers pre-authorize tests against a customer's own resources without a separate request, while prohibiting activities such as denial-of-service testing.
During static application security testing (SAST), the tester has knowledge of and access to the source code, and the analysis is performed on the code without executing it.
Vulnerability scans are usually done by an organization to ensure that their systems are hardened against known vulnerabilities. It assesses the environment, looking for unpatched systems, open ports, or any other vulnerabilities based on the systems that are in place.
Black box testing implies the tester has no special knowledge of the system under test, which is the case here. In white box testing, the tester has access to insider information such as source code and internal documentation.
136.
What is a KVM switch used for?
-
Accessing multiple servers from a set of input/output devices
-
Creating centralized storage for cloud-hosted servers
-
Preventing LAN-based attacks from gaining unauthorized access to physical servers
-
Managing PKI certificates in hybrid cloud and on-prem environments
Correct answer: Accessing multiple servers from a set of input/output devices
A keyboard, video, mouse (KVM) switch connects one keyboard, monitor, and mouse (or a crash-cart laptop) to many physical servers in a data center, so an operator can reach each server's console without a separate set of peripherals per machine. Because it provides console-level access, including to a server's firmware setup and boot process, the KVM (and any IP-based KVM that exposes this console over the network) must be protected with physical access controls, strong authentication, and network isolation from the production LAN.
There is some confusion with the acronym KVM because it also stands for kernel-based virtual machine, which is an open-source Linux-based hypervisor.
None of the other options directly relate to what a KVM switch primarily does.
137.
Acme Cloud Services Inc. is being sued by a customer. Acme invoked a clause in the related contract that requires the matter to be addressed through arbitration instead of the courts.
Which category of contract terms is MOST LIKELY to include this type of clause?
-
Litigation
-
Termination
-
Assurance
-
Definitions
Correct answer: Litigation
A contract between a customer and a vendor can have various terms. Some of the most common include:
- Right to Audit: CSPs rarely allow customers to perform audits, but contracts commonly include acceptance of a third-party audit in the form of a SOC 2 or ISO 27001 certification.
- Metrics: The contract may define metrics used to measure the service provided and assess compliance with service level agreements (SLAs).
- Definitions: Contracts will define various relevant terms (security, privacy, breach notification requirements, etc.) to ensure a common understanding between the two parties.
- Termination: The contract will define the terms by which it may be ended, including failure to provide service, failure to pay, a set duration, or with a certain amount of notice.
- Litigation: Contracts may include litigation terms such as requiring arbitration rather than a trial in court.
- Assurance: Assurance requirements set expectations for both parties. For example, the provider may be required to provide an annual SOC 2 audit report to demonstrate the effectiveness of its controls.
- Compliance: Cloud providers will need to have controls in place and undergo audits to ensure that their systems meet the compliance requirements of regulations and standards that apply to their customers.
- Access to Cloud/Data: Contracts may ensure access to services and data to protect a customer against vendor lock-in.
138.
Under which of the following cloud service models does the cloud provider control the LARGEST portion of the infrastructure stack?
-
SaaS
-
PaaS
-
IaaS
-
FaaS
Correct answer: SaaS
Cloud services are typically provided under three main service models:
- Software as a Service (SaaS): Under the SaaS model, the cloud provider offers the customer access to a complete application developed and operated by the provider; the customer manages only its data and user settings. Productivity and email suites like Google Workspace and Microsoft 365 are examples of SaaS offerings.
- Platform as a Service (PaaS): In a PaaS model, the cloud provider offers the customer a managed environment where they can build and deploy applications. The cloud provider manages the operating system, runtime, compute, data storage, and other services for the application.
- Infrastructure as a Service (IaaS): In IaaS, the cloud provider offers an environment where the customer has access to various infrastructure building blocks and manages everything from the operating system up. Amazon EC2 and EBS, which let customers deploy virtual machines (VMs) and attach block storage in the cloud, are examples of IaaS services.
Function as a Service (FaaS) is a form of PaaS in which the customer creates individual functions that can run in the cloud. Examples include AWS Lambda, Microsoft Azure Functions, and Google Cloud Functions.
139.
Which of the following organizations publishes and maintains a list of the Top 25 most dangerous software weaknesses?
-
SANS Institute
-
OWASP
-
Uptime Institute
-
ITIL
Correct answer: SANS Institute
The SANS Institute co-published the CWE/SANS Top 25 Most Dangerous Software Errors list with MITRE, which is the answer the exam expects. The list is now published by MITRE's Common Weakness Enumeration (CWE) program as the CWE Top 25 Most Dangerous Software Weaknesses, ranked using real-world vulnerability data (CVE records and their CVSS scores).
The Open Web Application Security Project (OWASP) Top 10 list identifies the 10 most critical web application security risks at a given time; it is a separate list from the CWE Top 25, although the two overlap.
ITIL is a framework for managing the full lifecycle of IT services, from planning to maintenance. It was originally developed by the UK government and is now owned by Axelos (part of PeopleCert).
140.
Which of the following NIST-defined methods of media sanitization might involve the operating system's Recycle Bin?
-
Clear
-
Purge
-
Destroy
-
Wipe
Correct answer: Clear
When data is no longer needed, it should be disposed of using an approved and appropriate mechanism. NIST SP 800-88, Guidelines for Media Sanitization, defines three levels of sanitization:
- Clear: The least rigorous level. Clear applies logical techniques through the device's standard read/write interface, such as overwriting with non-sensitive data or a factory reset, to protect against simple, non-invasive recovery with keyboard-level tools. Merely deleting a file or emptying the Recycle Bin is the weakest action in this tier: it removes the directory entry, but the file's contents remain on the media until overwritten and can be recovered with ordinary forensic tools. Deletion alone is therefore inappropriate for sensitive information, and even overwriting through the operating system may miss remapped sectors on hard drives and spare blocks on SSDs.
- Purge: Purge renders recovery infeasible even with laboratory techniques. Methods include the drive's own sanitize or secure-erase commands, block erase, degaussing of magnetic media, and cryptographic erase (cryptoshredding), in which data that was encrypted at rest from the start is made unreadable by destroying every copy of its key. Purge, and cryptographic erase in particular, is often the only option for sensitive data in the cloud, since the customer cannot physically destroy the provider's disks; it depends on the data having been encrypted before it was written and on the key being destroyed everywhere, including backups and key escrow.
- Destroy: Destroying damages the physical media so that it cannot be reused and the data on it cannot be read. The media may be pulverized, incinerated, shredded, disintegrated, dipped in acid, or subjected to similar methods.
Wipe is a common informal term but is not one of the NIST-defined sanitization methods.
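The difference between the three levels, as an added example that is not from the page or from NIST SP 800-88: a toy model of a storage medium on which deletion leaves the bytes in place, clearing overwrites them, and cryptographic erase makes the stored ciphertext unreadable by destroying the key-encryption key. The storage model, the object names and contents, and the HMAC-based stream cipher are illustrative constructions, not production code.

```python
"""Delete vs. clear vs. cryptographic erase, on a simulated raw medium.

Added example, not from the page or from NIST. The Media class is a toy
model of a disk (a directory of names plus sectors of bytes) built to show
why deletion leaves data recoverable. The stream cipher is a toy built from
HMAC-SHA256 in counter mode so the block is self-contained: it is
unauthenticated and is NOT a substitute for AES-GCM from a real library.
Object names and sample contents are constructed.
"""
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Toy PRF stream cipher: XOR data with HMAC-SHA256(key, nonce||counter).
    Encryption and decryption are the same operation."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class Media:
    """Simulated raw storage. delete() only drops the directory entry, like
    sending a file to the Recycle Bin or unlinking it: the sector keeps its
    bytes. clear() overwrites the sector before dropping the entry."""

    def __init__(self):
        self.sectors = {}      # sector number -> bytes
        self.directory = {}    # object name -> sector number
        self._next = 0

    def write(self, name, data):
        self.sectors[self._next] = data
        self.directory[name] = self._next
        self._next += 1

    def read(self, name):
        return self.sectors[self.directory[name]]

    def delete(self, name):
        del self.directory[name]

    def clear(self, name):
        sector = self.directory.pop(name)
        self.sectors[sector] = b"\x00" * len(self.sectors[sector])

    def raw_scan(self):
        """What an examiner with raw access to the medium can see."""
        return b"".join(self.sectors.values())


class EncryptedStore:
    """Envelope encryption: each object under its own DEK, every DEK wrapped
    by one key-encryption key (KEK). Cryptographic erase = destroy the KEK;
    the ciphertext may stay on the medium, but it is no longer readable."""

    def __init__(self, media, kek):
        self.media, self.kek = media, kek
        self.wrapped = {}      # name -> (wrap_nonce, wrapped_dek, data_nonce)

    def put(self, name, plaintext):
        dek, data_nonce, wrap_nonce = os.urandom(32), os.urandom(12), os.urandom(12)
        self.media.write(name, keystream_xor(dek, data_nonce, plaintext))
        self.wrapped[name] = (wrap_nonce, keystream_xor(self.kek, wrap_nonce, dek), data_nonce)

    def get(self, name):
        if self.kek is None:
            raise RuntimeError("KEK destroyed: objects are cryptographically erased")
        wrap_nonce, wrapped_dek, data_nonce = self.wrapped[name]
        dek = keystream_xor(self.kek, wrap_nonce, wrapped_dek)
        return keystream_xor(dek, data_nonce, self.media.read(name))

    def crypto_shred(self):
        # In a real system this means destroying every copy of the KEK in the
        # KMS/HSM, including backups and escrow, not just the in-memory copy.
        self.kek = None


def run_scenarios():
    """Returns which guarantee each method actually gives on this model."""
    secret = b"SECRET: sale price 950000"
    deleted = Media()
    deleted.write("contract.pdf", secret)
    deleted.delete("contract.pdf")
    cleared = Media()
    cleared.write("contract.pdf", secret)
    cleared.clear("contract.pdf")
    encrypted = Media()
    store = EncryptedStore(encrypted, os.urandom(32))
    store.put("contract.pdf", secret)
    readable_before = store.get("contract.pdf") == secret
    store.crypto_shred()
    try:
        store.get("contract.pdf")
        readable_after = True
    except RuntimeError:
        readable_after = False
    return {
        "delete_leaves_data_on_media": b"950000" in deleted.raw_scan(),
        "clear_removes_data_from_media": b"950000" not in cleared.raw_scan(),
        "encrypted_plaintext_never_on_media": b"950000" not in encrypted.raw_scan(),
        "readable_before_shred": readable_before,
        "readable_after_shred": readable_after,
    }


if __name__ == "__main__":
    for check, result in run_scenarios().items():
        print(f"{check}: {result}")
```

The point of the last scenario is the one the cloud case depends on: after the shred the medium still holds the ciphertext (a provider's disks are never handed back), yet nothing can decrypt it. That guarantee only holds if the object was encrypted before it was written and the KEK is gone from every place it was ever stored.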