CCSP Exam Questions - Online Test



NEW QUESTION 1

What is the experimental technology that might lead to the possibility of processing encrypted data without having to decrypt it first?

  • A. One-time pads
  • B. Link encryption
  • C. Homomorphic encryption
  • D. AES

Answer: C

Explanation:
AES is an encryption standard. Link encryption is a method for protecting communications traffic. One-time pads are an encryption method.

NEW QUESTION 2

When an API is being leveraged, it will encapsulate its data for transmission back to the requesting party or service.
What is the data encapsulation used with the SOAP protocol referred to as?

  • A. Packet
  • B. Payload
  • C. Object
  • D. Envelope

Answer: D

Explanation:
Simple Object Access Protocol (SOAP) encapsulates its information in what is known as a SOAP envelope. It then leverages common communications protocols for transmission. Object is a type of cloud storage, but also a commonly used term with certain types of programming languages. Packet and payload are terms that sound similar to envelope but are not correct in this case.

NEW QUESTION 3

With a federated identity system, where would a user perform their authentication when requesting services or application access?

  • A. Cloud provider
  • B. The application
  • C. Their home organization
  • D. Third-party authentication system

Answer: C

Explanation:
With a federated identity system, a user will perform authentication with their home organization, and the application will accept the authentication tokens and user information from the identity provider in order to grant access. The purpose of a federated system is to allow users to authenticate from their home organization. Therefore, using the application or a third-party authentication system would be contrary to the purpose of a federated system because it necessitates the creation of additional accounts. The use of a cloud provider would not be relevant to the operations of a federated system.

NEW QUESTION 4

What is a serious complication an organization faces from the perspective of compliance with international operations?

  • A. Different certifications
  • B. Multiple jurisdictions
  • C. Different capabilities
  • D. Different operational procedures

Answer: B

Explanation:
When operating within a global framework, a security professional runs into a multitude of jurisdictions and requirements, and many times they might be in contention with one another or not clearly applicable. These requirements can include the location of the users and the type of data they enter into systems, the laws governing the organization that owns the application and any regulatory requirements they may have, as well as the appropriate laws and regulations for the jurisdiction housing the IT resources and where the data is actually stored, which might be multiple jurisdictions as well.

NEW QUESTION 5

Which of the following is NOT considered a type of data loss?

  • A. Data corruption
  • B. Stolen by hackers
  • C. Accidental deletion
  • D. Lost or destroyed encryption keys

Answer: B

Explanation:
The exposure of data by hackers is considered a data breach. Data loss focuses on the data availability rather than security. Data loss occurs when data becomes lost, unavailable, or destroyed, when it should not have been.

NEW QUESTION 6

GAAPs are created and maintained by which organization?

  • A. ISO/IEC
  • B. AICPA
  • C. PCI Council
  • D. ISO

Answer: B

Explanation:
The AICPA is the organization responsible for generating and maintaining what are the Generally Accepted Accounting Practices in the United States.

NEW QUESTION 7

Which of the following pertains to a macro level approach to data center design rather than the traditional tiered approach to data centers?

  • A. IDCA
  • B. NFPA
  • C. BICSI
  • D. Uptime Institute

Answer: A

Explanation:
The standards put out by the International Data Center Authority (IDCA) have established the Infinity Paradigm, which is intended to be a comprehensive data center design and operations framework. The Infinity Paradigm shifts away from many models that rely on tiered architecture for data centers, where each successive tier increases redundancy. Instead, it emphasizes data centers being approached at a macro level, without a specific and isolated focus on certain aspects to achieve tier status.

NEW QUESTION 8

During which phase of the cloud data lifecycle is it possible for the classification of data to change?

  • A. Use
  • B. Archive
  • C. Create
  • D. Share

Answer: C

Explanation:
The create phase encompasses any time data is created, imported, or modified. With any change in the content or value of data, the classification may also change. It must be continually reevaluated to ensure proper security. During the use, share, and archive phases, the data is not modified in any way, so the original classification is still relevant.

NEW QUESTION 9

What type of storage structure does object storage employ to maintain files?

  • A. Directory
  • B. Hierarchical
  • C. Tree
  • D. Flat

Answer: D

Explanation:
Object storage uses a flat file system to hold storage objects; it assigns files a key value that is then used to access them, rather than relying on directories or descriptive filenames. Typical storage layouts such as tree, directory, and hierarchical structures are used within volume storage, whereas object storage maintains a flat structure with key values.

NEW QUESTION 10

Which of the following areas of responsibility would be shared between the cloud customer and cloud provider within the Software as a Service (SaaS) category?

  • A. Data
  • B. Governance
  • C. Application
  • D. Physical

Answer: C

Explanation:
With SaaS, the application is a shared responsibility between the cloud provider and cloud customer. Although the cloud provider is responsible for deploying, maintaining, and securing the application, the cloud customer does carry some responsibility for the configuration of users and options. Regardless of the cloud service category used, the physical environment is always the sole responsibility of the cloud provider. With all cloud service categories, the data and governance are always the sole responsibility of the cloud customer.

NEW QUESTION 11

Which type of testing uses the same strategies and toolsets that hackers would use?

  • A. Penetration
  • B. Dynamic
  • C. Static
  • D. Malicious

Answer: A

Explanation:
Penetration testing involves using the same strategies and toolsets that hackers would use against a system to discover potential vulnerabilities.

NEW QUESTION 12

Which of the following is not a component of contractual PII?

  • A. Scope of processing
  • B. Value of data
  • C. Location of data
  • D. Use of subcontractors

Answer: C

Explanation:
The value of data itself has nothing to do with it being considered a part of contractual

NEW QUESTION 13

What is the minimum regularity for testing a BCDR plan to meet best practices?

  • A. Once a year
  • B. Once a month
  • C. Every six months
  • D. When the budget allows it

Answer: A

Explanation:
Best practices and industry standards dictate that a BCDR solution should be tested at least once a year, though specific regulatory requirements may dictate more regular testing. The BCDR plan should also be tested whenever a major modification to a system occurs.

NEW QUESTION 14

Which United States law is focused on accounting and financial practices of organizations?

  • A. Safe Harbor
  • B. GLBA
  • C. SOX
  • D. HIPAA

Answer: C

Explanation:
The Sarbanes-Oxley (SOX) Act is not an act that pertains to privacy or IT security directly, but rather regulates accounting and financial practices used by organizations. It was passed to protect stakeholders and shareholders from improper practices and errors, and it sets forth rules for compliance, regulated and enforced by the Securities and Exchange Commission (SEC). The main influence on IT systems and operations is the requirements it sets for data retention, specifically in regard to what types of records must be preserved and for how long.

NEW QUESTION 15

What is an often overlooked concept that is essential to protecting the confidentiality of data?

  • A. Strong password
  • B. Training
  • C. Security controls
  • D. Policies

Answer: B

Explanation:
While the main focus of confidentiality revolves around technological requirements or particular security methods, an important and often overlooked aspect of safeguarding data confidentiality is appropriate and comprehensive training for those with access to it. Training should be focused on the safe handling of sensitive information overall, including best practices for network activities as well as physical security of the devices or workstations used to access the application.

NEW QUESTION 16

What is the term we use to describe the general ease and efficiency of moving data from one cloud provider either to another cloud provider or down from the cloud?

  • A. Obfuscation
  • B. Elasticity
  • C. Mobility
  • D. Portability

Answer: D

Explanation:
Elasticity is the name for the benefit of cloud computing where resources can be apportioned as necessary to meet customer demand. Obfuscation is a technique to hide full raw datasets, either from personnel who do not have a need to know or for use in testing. Mobility is not a term pertinent to the CBK.
