CCSP Free Practice Test

- (Exam Topic 4)
Which of the following best describes the Organizational Normative Framework (ONF)?

1. A. A set of application security, and best practices, catalogued and leveraged by the organization
2. B. A container for components of an application’s security, best practices catalogued and leveraged by the organization
3. C. A framework of containers for some of the components of application security, best practices, catalogued and leveraged by the organization
4. D. A framework of containers for all components of application security, best practices, catalogued and leveraged by the organization.

Correct Answer: D
Option B is incorrect, because it refers to a specific applications security elements, meaning it is about an ANF, not the ONF. C is true, but not as complete as D, making D the better choice. C suggests that the framework contains only “some” of the components, which is why B (which describes “all” components) is better

- (Exam Topic 1)
Which type of cloud model typically presents the most challenges to a cloud customer during the "destroy" phase of the cloud data lifecycle?

1. A. IaaS
2. B. DaaS
3. C. SaaS
4. D. PaaS

Correct Answer: C
With many SaaS implementations, data is not isolated to a particular customer but rather is part of the overall application. When it comes to data destruction, a particular challenge is ensuring that all of a customer's data is completely destroyed while not impacting the data of other customers.

- (Exam Topic 4)
Which of the following is NOT one of the components of multifactor authentication?

1. A. Something the user knows
2. B. Something the user has
3. C. Something the user sends
4. D. Something the user is

Correct Answer: C
Multifactor authentication systems are composed of something the user knows, has, and/or is, not something the user sends. Multifactor authentication commonly uses something that a user knows, has, and/or is (such as biometrics or features).

- (Exam Topic 4)
Data labels could include all the following, except:

1. A. Data value
2. B. Data of scheduled destruction
3. C. Date data was created
4. D. Data owner

Correct Answer: A
All the others might be included in data labels, but we don’t usually include data value, since it is prone to change frequently, and because it might not be information we want to disclose to anyone who does not have need to know.

- (Exam Topic 3)
Which phase of the cloud data lifecycle would be the MOST appropriate for the use of DLP technologies to protect the data?

1. A. Use
2. B. Store
3. C. Share
4. D. Create

Correct Answer: C
During the share phase, data is allowed to leave the application for consumption by other vendors, systems, or services. At this point, as the data is leaving the security controls of the application, the use of DLP technologies is appropriate to control how the data is used or to force expiration. During the use, create, and store phases, traditional security controls are available and are more appropriate because the data is still internal to the application.