CCSP Free Practice Test

- (Exam Topic 4)
Above and beyond general regulations for data privacy and protection, certain types of data are subjected to more rigorous regulations and oversight.
Which of the following is not a regulatory framework for more sensitive or specialized data?

1. A. FIPS 140-2
2. B. FedRAMP
3. C. PCI DSS
4. D. HIPAA

Correct Answer: A
The FIPS 140-2 standard pertains to the certification of cryptographic modules and is not a regulatory framework. The Payment Card Industry Data Security Standard (PCI DSS), the Federal Risk and
Authorization Management Program (FedRAMP), and the Health Insurance Portability and Accountability Act (HIPAA) are all regulatory frameworks for sensitive or specialized data.

- (Exam Topic 2)
Which of the following is NOT a domain of the Cloud Controls Matrix (CCM)?

1. A. Data center security
2. B. Human resources
3. C. Mobile security
4. D. Budgetary and cost controls

Correct Answer: D
Budgetary and cost controls is not one of the domains outlined in the CCM.

- (Exam Topic 4)
What are third-party providers of IAM functions for the cloud environment?

1. A. AESs
2. B. SIEMs
3. C. DLPs
4. D. CASBs

Correct Answer: D
Data loss, leak prevention, and protection is a family of tools used to reduce the possibility of unauthorized disclosure of sensitive information. SIEMs are tools used to collate and manage log data. AES is an encryption standard.

- (Exam Topic 4)
During the course of an audit, which of the following would NOT be an input into the control requirements used as part of a gap analysis.

1. A. Contractual requirements
2. B. Regulations
3. C. Vendor recommendations
4. D. Corporate policy

Correct Answer: C
Vendor recommendations would not be pertinent to the gap analysis after an audit. Although vendor recommendations will typically play a role in the development of corporate policies or contractual requirements, they are not required. Regulations, corporate policy, and contractual requirements all determine the expected or mandated controls in place on a system.

- (Exam Topic 4)
Which of the following is the concept of segregating information or processes, within the same system or application, for security reasons?

1. A. Cell blocking
2. B. Sandboxing
3. C. Pooling
4. D. Fencing

Correct Answer: B
Sandboxing involves the segregation and isolation of information or processes from other information or processes within the same system or application, typically for security concerns. Sandboxing is generally used for data isolation (for example, keeping different communities and populations of users isolated from others with similar data). In IT terminology, pooling typically means bringing together and consolidating resources or services, not segregating or separating them. Cell blocking and fencing are both erroneous terms.