CSC - Cybersecurity Compliance Cloud Security Compliance Questions and Answers

Question 1

A company deploys a custom application on virtual machines within an Infrastructure as a Service (IaaS) cloud environment. A critical vulnerability is discovered in the operating system of these virtual machines. According to the shared responsibility model, who is primarily responsible for patching the operating system vulnerability?

Accepted Answer

The customer, as they control the guest operating system and applications.

Answer

In the IaaS model, the CSP is responsible for the security *of* the cloud (physical infrastructure, network, hypervisor), while the customer is responsible for security *in* the cloud. This includes securing and patching the guest operating system, managing applications, and protecting data.

Question 2

A U.S. federal agency needs to procure a cloud service to store and process highly sensitive, unclassified data, where a breach could have a severe or catastrophic adverse effect on agency operations or assets. Which FedRAMP impact level is MOST appropriate for this cloud service?

Accepted Answer

FedRAMP High

Answer

FedRAMP High is specifically designed for the government's most sensitive, unclassified data in cloud environments. This level is appropriate for systems where the loss of confidentiality, integrity, or availability could cause severe or catastrophic harm to organizational operations, assets, or individuals.

Question 3

An organization is evaluating several cloud service providers and wants to use a standardized framework to assess their security controls against industry best practices. Which Cloud Security Alliance (CSA) tool provides a comprehensive matrix of cloud-specific controls mapped to major standards and regulations?

Accepted Answer

The Cloud Controls Matrix (CCM)

Answer

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework specifically for cloud computing. It provides a detailed list of security controls and maps them to other major frameworks like ISO 27001, NIST SP 800-53, and PCI DSS, serving as a tool for systematic assessment of a cloud provider's security posture.

Question 4

A European company is using a global SaaS provider for its HR platform, which processes employee data subject to GDPR. Which of the following is the MOST effective control for addressing data sovereignty requirements?

Accepted Answer

Contractually requiring and technically configuring the service to process and store all data within a specific EU data center region.

Answer

Data sovereignty laws, like those under GDPR, require personal data to be governed by the laws of a specific jurisdiction. The most direct way to comply is to ensure the data physically resides within that jurisdiction (e.g., the EU). This is achieved through contractual agreements and technical configurations that restrict data storage and processing to designated regions.

Question 5

A retail company is building its e-commerce platform in a public cloud and must maintain PCI DSS compliance. Even if the company uses a PCI-compliant IaaS provider, which of the following security tasks remains the company's direct responsibility?

Accepted Answer

Configuring virtual network firewalls (security groups) to restrict traffic to the Cardholder Data Environment (CDE).

Answer

According to the shared responsibility model for PCI DSS in an IaaS cloud, the provider handles physical security and the underlying infrastructure, including the hypervisor. The customer, however, is responsible for everything they build on top of that infrastructure, including configuring their virtual network, securing their operating systems, and implementing access controls like virtual firewalls (security groups) to protect the CDE.

(CSC) Cybersecurity Compliance Certification Practice Test

(CSC) Cybersecurity Compliance Certification Practice Test

CSC - Cybersecurity Compliance Cloud Security Compliance Questions and Answers