Topic 2, Exam Pool B
You are the IT security manager for a video game software development company. Which
of the following is most likely to be your primary concern on a daily basis?
Response:
A. Health and human safety
B. Security flaws in your products
C. Security flaws in your organization
D. Regulatory compliance
Answer: Security flaws in your organization
You are the security subject matter expert (SME) for an organization considering a
transition from the legacy environment into a hosted cloud provider’s data center.
One of the challenges you’re facing is whether the provider will have undue control over
your data once it is within the provider’s data center; will the provider be able to hold your
organization hostage because they have your data?
This is a(n) _________ issue.
Response:
A. Interoperability
B. Portability
C. Availability
D. Security
Answer: Portability
For which type of cloud service category would a vendor-neutral encryption scheme for
data at rest (DAR) be MOST important?
Response:
A. Public
B. Hybrid
C. Private
D. Community
Answer: Hybrid
What are the four cloud deployment models?
Response:
A. Public, Internal, Hybrid, and Community
B. External, Private, Hybrid, and Community
C. Public, Private, Joint, and Community
D. Public, Private, Hybrid, and Community
Answer: Public, Private, Hybrid, and Community
What is a key component of GLBA?
Response:
A. The right to be forgotten
B. EU Data Directives
C. The information security program
D. The right to audit
Answer: The information security program
You are the security policy lead for your organization, which is considering migrating from
your on-premises, legacy environment into the cloud. You are reviewing the Cloud Security
Alliance Cloud Controls Matrix (CSA CCM) as a tool for your organization.
What is probably the best benefit offered by the CCM?
Response:
A. The low cost of the tool
B. Allowing your organization to leverage existing controls across multiple frameworks so
as not to duplicate effort
C. Simplicity of control selection from the list of approved choices
D. Ease of implementation by choosing controls from the list of qualified vendors
Answer: Allowing your organization to leverage existing controls across multiple frameworks so
as not to duplicate effort
Which one of the following is not one of the three common threat modeling techniques?
Response:
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering
Answer: Focused on social engineering
Which SSAE 16 report is purposefully designed for public release (for instance, to be
posted on a company’s website)?
Response:
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
Answer: SOC 3
In application-level encryption, where does the encryption engine reside?
Response:
A. In the application accessing the database
B. In the OS on which the application is run
C. Within the database accessed by the application
D. In the volume where the database resides
Answer: In the application accessing the database
Which cloud service category is MOST likely to use a client-side key management system?
Response:
A. IaaS
B. SaaS
C. PaaS
D. DaaS
Answer: SaaS