During the cloud service provider evaluation process, which of the following BEST helps identify baseline configuration requirements?
Correct Answer: C
During the cloud service provider evaluation process, benchmark controls lists BEST help identify baseline configuration requirements. Benchmark controls lists are standardized sets of security and compliance controls that are applicable to different cloud service models, deployment models, and industry sectors1. They provide a common framework and language for assessing and comparing the security posture and capabilities of cloud service providers2. They also help cloud customers to define their own security and compliance requirements and expectations based on best practices and industry standards3. Some examples of benchmark controls lists are: * The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which is a comprehensive list of 133 control objectives that cover 16 domains of cloud security4. * The National Institute of Standards and Technology (NIST) Special Publication 800-53, which is a catalog of 325 security and privacy controls for federal information systems and organizations, including cloud-based systems5. * The International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27017, which is a code of practice that provides guidance on 121 information security controls for cloud services based on ISO/IEC 270026. Vendor requirements, product benchmarks, and contract terms and conditions are not the best sources for identifying baseline configuration requirements. Vendor requirements are the specifications and expectations that the cloud service provider has for its customers, such as minimum hardware, software, network, or support requirements7. Product benchmarks are the measurements and comparisons of the performance, quality, or features of different cloud services or products8. Contract terms and conditions are the legal agreements that define the rights, obligations, and responsibilities of the parties involved in a cloud service contract9. These sources may provide some information on the configuration requirements, but they are not as comprehensive, standardized, or objective as benchmark controls lists. References: * CSA Security Guidance for Cloud Computing | CSA1, section on Identify necessary security and compliance requirements * Evaluation Criteria for Cloud Infrastructure as a Service - Gartner2, section on Security Controls * Checklist: Cloud Services Provider Evaluation Criteria | Synoptek3, section on Security * Cloud Controls Matrix | CSA4, section on Overview * NIST Special Publication 800-53 - NIST Pages5, section on Abstract * ISO/IEC 27017:2015(en), Information technology - Security techniques ...6, section on Scope * What is vendor management? Definition from WhatIs.com7, section on Vendor management * What is Benchmarking? Definition from WhatIs.com8, section on Benchmarking * What is Terms and Conditions? Definition from WhatIs.com9, section on Terms and Conditions
Question 37
Which of the following is an example of availability technical impact?
Correct Answer: C
A distributed denial of service (DDoS) attack renders the customer's cloud inaccessible for 24 hours is an example of availability technical impact. Availability is the protection of data and services from disruption or denial, and it is one of the three dimensions of information security, along with confidentiality and integrity. Availability technical impact refers to the extent of damage or harm that a threat can cause to the availability of the information system and its components, such as servers, networks, applications, and data. A DDoS attack is a malicious attempt to overwhelm a target system with a large volume of traffic or requests from multiple sources, making it unable to respond to legitimate requests or perform its normal functions. A DDoS attack can cause a significant availability technical impact by rendering the customer's cloud inaccessible for a prolonged period of time, resulting in loss of productivity, revenue, customer satisfaction, and reputation. References := CCAK Study Guide, Chapter 4: A Threat Analysis Methodology for Cloud Using CCM, page 81; What is a DDoS Attack? | Cloudflare
Question 38
What is a sign that an organization has adopted a shift-left concept of code release cycles?
Correct Answer: D
Explanation The shift-left concept of code release cycles is an approach that moves testing, quality, and performance evaluation early in the development process, often before any code is written. The goal of shift-left testing is to anticipate and resolve software defects, bugs, errors, and vulnerabilities as soon as possible, reducing the cost and time of fixing them later in the production stage. To achieve this, shift-left testing relies on automation tools and techniques that enable continuous integration, continuous delivery, and continuous deployment of code. Automation also facilitates collaboration and feedback among developers, testers, security experts, and other stakeholders throughout the development lifecycle. Therefore, the incorporation of automation to identify and address software code problems early is a sign that an organization has adopted a shift-left concept of code release cycles. References The 'Shift Left' Is A Growing Theme For Cloud Cybersecurity In 2022 Shift left vs shift right: A DevOps mystery solved How to shift left with continuous integration
Question 39
Which of the following metrics are frequently immature?
Correct Answer: C
Question 40
Which of the following is a tool that visually depicts the gaps in an organization's security capabilities?
