Certified Cloud Security Practice Exams ISC2 CCSP

Within a business continuity and disaster recovery framework how is the term Recovery Service Level commonly defined?

• ❏ A. Cloud Monitoring

• ❏ B. The maximum permissible duration that services can remain unavailable during a disaster recovery incident

• ❏ C. The proportion of normal production performance that must be recovered to meet business continuity and disaster recovery goals

• ❏ D. The mean time typically required to restore services back to standard production operation

Which storage characteristic should be given the highest priority to ensure maximum security for confidential records?

• ❏ A. Key management service

• ❏ B. Replicated across multiple regions

• ❏ C. Partitioned by access control groups

What advantage does hosting workloads in a dedicated private cloud provide when compared with deploying to public hybrid or community cloud environments?

• ❏ A. Lower total cost of ownership

• ❏ B. Faster initial deployment

• ❏ C. Stronger security and control

• ❏ D. Greater scalability

Which United States law is officially titled the Financial Modernization Act of 1999?

• ❏ A. Dodd Frank Act

• ❏ B. Gramm Leach Bliley Act

• ❏ C. Sarbanes Oxley Act

You are the cloud security lead at Meridian Cloud Services and you have found unauthorized alterations to your cloud setup that stray from defined security baselines and create weaknesses. Which security threat is most likely to arise from these unauthorized configuration changes?

• ❏ A. Insufficient logging and monitoring

• ❏ B. Insecure direct object references

• ❏ C. Sensitive data exposure

• ❏ D. Security misconfiguration

Which interfaces provide application features and allow administrators to manage a hosted cloud environment?

• ❏ A. Management Console

• ❏ B. APIs

• ❏ C. Object Storage

Which term describes the ability to independently verify the source and authenticity of data with a high degree of confidence?

• ❏ A. Hashing

• ❏ B. Public key infrastructure

• ❏ C. Digital signatures

• ❏ D. Non-repudiation

Which responsibility typically falls outside a cloud provider’s service level agreement and therefore remains the responsibility of the organization?

• ❏ A. Performance targets and measurement standards for the cloud services

• ❏ B. The organization’s internal audit calendar that describes the timing and scope of internal assessments

• ❏ C. Infrastructure patching for provider managed systems

• ❏ D. Agreed service uptime percentages and availability metrics the provider must meet

Which action demonstrates data sanitization when decommissioning storage hardware?

• ❏ A. An administrator changed their password every 90 days to reduce the chance of account compromise

• ❏ B. An engineer fitted new locks on the server cabinet to prevent unauthorized physical entry

• ❏ C. A technician crushed an old hard disk after replacing it so that its data could not be retrieved

• ❏ D. Google Cloud KMS

In which data protection process are masking, obfuscation, and anonymization used?

• ❏ A. Encryption

• ❏ B. Data deidentification

• ❏ C. Tokenization

All ISC2 questions are from my ISC2 CCSP Udemy course and certificationexams.pro

Which responsibility remains exclusively with the cloud customer regardless of the cloud deployment model they choose?

• ❏ A. Identity and access management controls

• ❏ B. Application code and runtime

• ❏ C. Physical infrastructure and networking

• ❏ D. Governance and compliance

Which audit report may be published to demonstrate a cloud provider’s security controls to the general public?

• ❏ A. ISO 27001

• ❏ B. SOC 2

• ❏ C. SOC 3

Which mechanism should a cloud administrator use to prioritize and allocate user resource requests when the infrastructure cannot satisfy all incoming demands?

• ❏ A. Quotas

• ❏ B. Limits

• ❏ C. Reservations

• ❏ D. Shares

What security benefit does maintaining a comprehensive cloud archive and backup program provide for protecting data integrity and ensuring availability?

• ❏ A. Identity and access management

• ❏ B. Allows restoration to known good states after tampering or deletion

• ❏ C. Supports regulatory compliance reporting

Which statement accurately describes who is responsible for maintenance and version control across cloud service models such as IaaS PaaS and SaaS?

• ❏ A. The cloud provider arranges update and patch schedules with clients for both SaaS and PaaS

• ❏ B. In an IaaS deployment the cloud customer manages hardware networking storage and the virtualization layer

• ❏ C. In PaaS the cloud customer maintains and versions the applications they buy or build while the provider maintains the platform tools and underlying infrastructure

• ❏ D. In a SaaS offering the customer is responsible for maintenance and versioning of every component

Which capability do information rights management systems not typically provide?

• ❏ A. User authentication

• ❏ B. Policy enforcement

• ❏ C. Deletion

You are a cloud architect responsible for a regional payment platform’s infrastructure and you must design the environment to remain operational when individual components fail. Which architectural principle should be prioritized to ensure continuous service availability?

• ❏ A. Centralized operations management

• ❏ B. Isolated tenant environments

• ❏ C. Distributed redundancy

• ❏ D. Elastic scaling

What is a significant drawback of storing data fragments in multiple legal jurisdictions?

• ❏ A. Reconstruction and reassembly overhead

• ❏ B. Distributed erasure coding

• ❏ C. Cross border data movement

• ❏ D. More complex key lifecycle management

A technology company named Meridian Cloud is adopting OpenID Connect for single sign on and wants to know which authorization framework OpenID Connect is built on and uses for authenticating users?

• ❏ A. WS Federation

• ❏ B. LDAP

• ❏ C. OAuth 2.0

• ❏ D. SAML 2.0

Which type of incident describes sensitive records being disclosed to someone who is not authorized to receive them?

• ❏ A. Insider threat

• ❏ B. Unauthorized data exposure

• ❏ C. Data loss

All ISC2 questions are from my ISC2 CCSP Udemy course and certificationexams.pro

When securing the management plane of a cloud deployment which factor is least important to prioritize?

• ❏ A. Network isolation for management interfaces

• ❏ B. Identity and access management controls

• ❏ C. Management activity logging

• ❏ D. Data backups

Which type of organization is subject to FISMA requirements and would be assessed by a third party security assessor?

• ❏ A. Cloud service provider

• ❏ B. Government agency

• ❏ C. Healthcare provider

In cloud security it is important to distinguish between incidents that destroy or make data unavailable and incidents that expose data to unauthorized parties. Which of the following scenarios is misclassified as data loss and should instead be treated as a data breach?

• ❏ A. An administrator unintentionally deletes rows from a production database

• ❏ B. Sensitive data stolen by attackers exploiting vulnerabilities in an application

• ❏ C. A misconfigured Cloud Storage lifecycle rule causing objects to be permanently removed

• ❏ D. Loss of encryption keys that makes stored backups unreadable

What term describes a cloud platform that automatically scales compute and storage resources to match changing workload demands?

• ❏ A. Resource pooling

• ❏ B. Rapid elasticity

• ❏ C. On-demand self-service

While negotiating terms with a prospective client at BluePeak Cloud you are clarifying policies about how long customer records are retained and how they are securely erased when they are no longer required. Which section of a service level agreement is most relevant to these concerns?

• ❏ A. Incident response procedures

• ❏ B. Service performance targets

• ❏ C. Billing and invoice terms

• ❏ D. Data governance

Which of the following is an example of an Internet of Things device found in a home?

• ❏ A. Google Cloud Pub/Sub

• ❏ B. Connected refrigerator that sends a shopping list to the owner’s phone

• ❏ C. A system that infers and carries out tasks without being explicitly programmed

When a web service uses SOAP to exchange data what structure does it wrap the message in?

• ❏ A. HTTP body

• ❏ B. Packet

• ❏ C. Envelope

• ❏ D. Frame

Which mechanism ensures that other tenants maintain compute and network access when a single tenant on shared hardware experiences a volumetric denial of service attack?

• ❏ A. Network rate limiting

• ❏ B. Resource reservations

• ❏ C. Quotas

You are defining the deployment approach for a new retail web application for Northfield Commerce and you must pick a cloud service model that provides the most control over the operating system storage configuration and installed software. Which cloud model delivers the highest degree of control over the OS storage and deployed applications?

• ❏ A. Platform as a Service PaaS

• ❏ B. Software as a Service SaaS

• ❏ C. Function as a Service FaaS

• ❏ D. Infrastructure as a Service IaaS

What is the process for locating and collecting electronic messages and documents to be used as evidence in litigation?

• ❏ A. Legal hold

• ❏ B. eDiscovery

• ❏ C. Digital forensics

All ISC2 questions are from my ISC2 CCSP Udemy course and certificationexams.pro

When a client and server establish a TLS session which of the following tasks is not carried out by the handshake protocol?

• ❏ A. Negotiating protocol parameters

• ❏ B. Creating a session identifier

• ❏ C. Encrypting application data

• ❏ D. Exchanging cryptographic keys

Which type of testing verifies that code changes have not broken existing functionality or reintroduced previously resolved defects?

• ❏ A. Integration testing

• ❏ B. Regression testing

• ❏ C. Smoke testing

A software company runs its cloud platform inside its own on-site data center and uses an outside vendor to provide backup services to satisfy its continuity policies. Which deployment description best matches this configuration?

• ❏ A. Public cloud deployment with backups managed by an external cloud vendor

• ❏ B. On-premises private cloud with backups retained on local backup appliances

• ❏ C. Private cloud hosted in the company data center with backups stored by a cloud backup service

• ❏ D. Externally hosted cloud services with backups written to on-site storage

Which control offers the least protection for REST and gRPC API endpoints?

• ❏ A. Mutual TLS

• ❏ B. Static API keys

• ❏ C. API gateway

• ❏ D. Web application firewall

A cyber security event disrupted several servers and network appliances at a regional retail group. A security analyst used the SIEM to search for the attacker IP address and retrieved every log tied to the event across multiple hosts. Which capability of a SIEM does this demonstrate?

• ❏ A. Aggregation

• ❏ B. Normalization

• ❏ C. Correlation

• ❏ D. Compliance

Which factors most affect the performance and responsiveness of cloud services?

• ❏ A. Storage IOPS and disk latency

• ❏ B. Network latency and throughput

• ❏ C. Identity and access management

When protecting information as it moves across a cloud network which of the following technologies is not normally used to secure data while it travels between systems?

• ❏ A. IPsec

• ❏ B. DNSSEC

• ❏ C. HTTPS

• ❏ D. VPN

What term describes protections that attach access and usage controls directly to data objects?

• ❏ A. Data loss prevention

• ❏ B. Data rights management

• ❏ C. Identity and access management

Which term describes a person or company that acts as an intermediary between cloud consumers and a cloud service provider?

• ❏ A. Cloud reseller

• ❏ B. Cloud service broker

• ❏ C. Cloud consumer

• ❏ D. Cloud compliance auditor

What does the A in the DREAD risk model represent and why is it important to risk assessment?

• ❏ A. Exploitability

• ❏ B. Affected users

• ❏ C. Reproducibility

When engineers build a new cloud hosting platform for a firm such as Nimbus Cloud Services which component needs the strongest security because a breach could give an attacker control of every hosted instance?

• ❏ A. Virtual router

• ❏ B. Management plane

• ❏ C. Hypervisor

• ❏ D. Virtual machine

Which cloud service model allows developers to build, deploy, and run applications without managing servers or operating systems?

• ❏ A. Infrastructure as a Service

• ❏ B. Function as a Service

• ❏ C. Platform as a Service

You are designing a disaster recovery plan for a cloud hosted payments platform at a company called FinBeacon. The platform processes mission critical payment transactions and losing recent transaction data would cause major customer and financial harm. When defining recovery objectives you must establish the maximum amount of transactional data that could be lost without harming the business. Which disaster recovery metric should you focus on to set that limit and why is that metric vital for data protection?

• ❏ A. The regularity of data backups which determines how current backup copies are

• ❏ B. The Recovery Time Objective which indicates how long systems can remain unavailable

• ❏ C. The Recovery Point Objective which defines the maximum tolerated data loss measured in time

• ❏ D. The total cost of the disaster recovery solution which constrains budget and tooling choices

Which action is most appropriate for identifying known vulnerabilities across cloud infrastructure and producing a report that lists those issues?

• ❏ A. Conduct a penetration test

• ❏ B. Run a vulnerability scan

• ❏ C. Perform static application security testing

Maya from NovaFin plans to deploy a security information and event management system for her company Cloudhaven. Which capability should she expect it to provide?

• ❏ A. Cloud Key Management Service

• ❏ B. Generate consolidated reports and dashboards

• ❏ C. Google Cloud Security Command Center

• ❏ D. Perform long term backups of event archives to Cloud Storage

Where can an administrator find the manufacturer’s recommended procedures for securing a server motherboard’s firmware?

• ❏ A. Operating system manuals

• ❏ B. Vendor technical guides

• ❏ C. Organizational security policies

As an engineer integrating XML web services at a fintech startup called Meridian Labs you need to know which SOAP structural element serves as the outermost wrapper for a SOAP message and defines its boundaries?

• ❏ A. Packet

• ❏ B. Object

• ❏ C. Message Body

• ❏ D. Envelope

Which method protects sensitive data by replacing the values in a column with alternate characters or substitute values?

• ❏ A. Tokenization

• ❏ B. Data masking

• ❏ C. Encryption

A standards consortium published the Generally Accepted Privacy Principles to help organizations build privacy programs. Which of the following is not listed among the ten GAPP principles?

• ❏ A. Quality

• ❏ B. Access

• ❏ C. Reliability

• ❏ D. Management

Which category of data best describes psychotherapy treatment records stored in a telemedicine portal?

• ❏ A. Personally identifiable information PII

• ❏ B. Protected health information PHI

• ❏ C. Payment card information PCI

All ISC2 questions are from my ISC2 CCSP Udemy course and certificationexams.pro

You are designing a secure runtime for a cloud team at Aurora Fintech to run a program in an isolated environment so staff can observe its behavior without risking the host system. Which security principle does this scenario represent?

• ❏ A. Virtualization

• ❏ B. Sandboxing

• ❏ C. Network segmentation

• ❏ D. Containerization

Which ISO/IEC standard provides guidance on electronic discovery and the retrieval of information?

• ❏ A. ISO/IEC 27701

• ❏ B. ISO/IEC 27018

• ❏ C. ISO/IEC 27050

• ❏ D. ISO/IEC 27001

Which entry in the OWASP Top 10 focuses on safeguarding personally identifiable information that a web application stores or transmits?

• ❏ A. Using components with known vulnerabilities

• ❏ B. Broken access control

• ❏ C. Insecure deserialization

• ❏ D. Sensitive data exposure

Which federation protocol should an organization prioritize to securely exchange authentication assertions across different domains?

• ❏ A. OAuth 2.0

• ❏ B. SAML

• ❏ C. OpenID Connect

A regional retailer called Harbor Goods is seeing repeated service outages and wants the process that reduces impact by finding and eliminating the underlying causes of incidents. Which practice should they implement?

• ❏ A. Cloud Deployment Manager

• ❏ B. Incident management

• ❏ C. Problem management

• ❏ D. Change management

Which control can a cloud provider implement to secure DNS responses and prevent attackers from altering DNS entries?

• ❏ A. Anycast DNS routing

• ❏ B. DNSSEC signed zones

• ❏ C. IPsec encrypted tunnels

As a cloud security lead assessing liability boundaries with a public cloud vendor what area is commonly outside the cloud customer’s direct responsibility?

• ❏ A. Virtual network and firewall configuration

• ❏ B. Data encryption and key management

• ❏ C. Physical infrastructure security

• ❏ D. Endpoint security controls

What advantage does a vendor supplied API typically provide compared with an open source API?

• ❏ A. Contractual support and service level agreements

• ❏ B. Formalized vendor patch and update management

• ❏ C. Freedom to modify source code

What is the primary risk when a company keeps its key management system in-house rather than managed inside their cloud provider?

• ❏ A. Secrecy of the key material

• ❏ B. Ability to transfer keys between environments

• ❏ C. Uninterrupted access to encryption keys

• ❏ D. Integrity of the keys

What does an EAL4 Common Criteria rating indicate about a product’s security design and the extent of its verification and testing?

• ❏ A. Formally verified with mathematical proof

• ❏ B. Methodically designed tested and reviewed

• ❏ C. Semi formally designed and subjected to testing

An information security audit team at Meridian Systems is mapping the four core phases of audit planning. What is the correct order of those planning phases?

• ❏ A. Set the scope, define objectives, perform the audit, monitor outcomes

• ❏ B. Establish objectives, set audit criteria and controls, collect evidence, prepare the report

• ❏ C. Define objectives, define scope, conduct the audit, document lessons learned

• ❏ D. Define objectives, execute the audit, review findings, schedule a follow up audit

What is the primary goal of performing a cloud security gap analysis?

• ❏ A. Generate customer security assurances

• ❏ B. Benchmark current security against accepted standards and best practices

• ❏ C. Map deficiencies to cloud services

Which organization issues the most commonly referenced standard for data center tier topologies?

• ❏ A. Google Cloud

• ❏ B. Uptime Council

• ❏ C. Information Technology Infrastructure Library

• ❏ D. National Fire Safety Association

At which stage of the data lifecycle should information be classified as sensitive?

• ❏ A. While the data is actively in use

• ❏ B. At the moment the data is created

• ❏ C. During transmission between systems

A security analyst at Nimbus Solutions is using the DREAD scoring method to prioritize software vulnerabilities. Which factor in the list is not part of the DREAD evaluation?

• ❏ A. Measure of how difficult it is to discover the vulnerability

• ❏ B. Measure of the amount of damage to systems if an exploit succeeds

• ❏ C. Measure of how reliably an exploit can be repeated

• ❏ D. Measure of the expected recovery time objective and disaster recovery tasks after a breach

• ❏ E. Measure of the technical skill and resources needed to carry out an attack

The correct option is The proportion of normal production performance that must be recovered to meet business continuity and disaster recovery goals.

Recovery Service Level describes the required level of performance or capacity that must be restored after an incident so that business functions can continue at an acceptable level. It expresses recovery as a proportion or percentage of normal production capability rather than as a time or a specific tool.

Recovery Service Level is used to define targets in business continuity and disaster recovery planning so stakeholders know how much functionality must be available after recovery. This allows planners to choose appropriate recovery strategies and resources to meet business priorities and to include those targets in agreements.

Cloud Monitoring is incorrect because monitoring is a capability that observes performance and events and it does not define the target proportion of performance that must be recovered. Monitoring can help measure whether recovery targets are met but it is not itself a recovery service level.

The maximum permissible duration that services can remain unavailable during a disaster recovery incident is incorrect because that statement defines the recovery time objective or RTO. RTO is about time and not about the proportion of normal production performance that must be restored.

The mean time typically required to restore services back to standard production operation is incorrect because that describes mean time to repair or restore and it is an operational metric. It does not specify the fraction of service performance that must be recovered to meet business continuity goals.

The correct option is Replicated across multiple regions.

Choosing Replicated across multiple regions improves availability and durability which are core aspects of security when you consider confidentiality integrity and availability together. Replicating data to multiple geographic locations reduces the risk of total data loss from regional outages natural disasters or targeted incidents and it supports disaster recovery and continuity for confidential records.

Replication does not remove the need for strong confidentiality controls so Replicated across multiple regions should be used alongside encryption access controls and proper key management to protect the data itself. Replication ensures resilient storage and availability while other controls protect confidentiality and integrity.

Key management service is important for encrypting and protecting keys but it is a supporting service rather than a storage characteristic, so it does not directly answer the question about which storage characteristic to prioritize.

Partitioned by access control groups helps with segmentation and least privilege but partitioning alone does not address availability or resilience against regional failures, and it depends on correct policy configuration to be effective.

The correct answer is Stronger security and control.

A dedicated private cloud gives an organization exclusive infrastructure which allows tighter security policies and full administrative control. This makes it easier to enforce network segmentation, manage encryption keys, control physical access, and apply customized host configurations that meet strict compliance requirements.

Because the hardware and tenancy are dedicated there is less risk from noisy neighbors and multi tenancy vulnerabilities. The environment also allows organizations to implement specific monitoring, patching, and access controls that would be difficult to guarantee in public or community clouds.

Lower total cost of ownership is incorrect because private clouds typically require capital expense for hardware and ongoing operational staff. Public cloud models often reduce upfront costs and can be cheaper for variable workloads.

Faster initial deployment is incorrect because public cloud platforms can provision services almost instantly. Private cloud deployments often take longer due to procurement setup and configuration of dedicated infrastructure.

Greater scalability is incorrect because public clouds usually offer the broadest on demand scalability across regions and services. Private clouds can scale but they are constrained by the physical resources that an organization owns or leases.

The correct answer is Gramm Leach Bliley Act.

The Gramm Leach Bliley Act is formally titled the Financial Modernization Act of 1999 and it was enacted in 1999 to modernize aspects of the financial services industry. The law removed certain restrictions from earlier legislation and established privacy and information security obligations for financial institutions to protect consumers.

Dodd Frank Act is incorrect because that law was enacted in 2010 in response to the 2008 financial crisis and its formal title is the Dodd Frank Wall Street Reform and Consumer Protection Act rather than the Financial Modernization Act of 1999.

Sarbanes Oxley Act is incorrect because that statute was passed in 2002 to strengthen corporate governance and financial reporting and it is known by names associated with corporate accountability rather than the Financial Modernization Act of 1999.

The correct option is Security misconfiguration.

Security misconfiguration best matches the scenario because it describes unauthorized or incorrect settings that deviate from defined security baselines and introduce weaknesses across cloud services, permissions, network rules, and management interfaces. These kinds of changes are configuration issues by nature and they create attack surfaces that were not intended by the baseline.

Insufficient logging and monitoring is focused on the absence of detection and auditing controls and does not directly name unauthorized configuration changes. It can be a consequence of misconfiguration but it is not the primary classification of the described problem.

Insecure direct object references refers to improper access control where internal object identifiers are exposed and can be manipulated. That vulnerability is about access to objects and does not describe stray or altered configuration settings in the cloud environment.

Sensitive data exposure describes failures to protect data at rest or in transit and is an outcome that can result from many causes. While misconfiguration can lead to data exposure, the question specifically points to unauthorized changes to configuration and baselines which is best categorized as security misconfiguration.

APIs is the correct option.

APIs provide programmatic interfaces that let applications invoke cloud features and let administrators automate provisioning, configuration, monitoring, and control of hosted resources. They expose endpoints and operations that SDKs and automation tools use so features can be integrated into applications and scripts without human interaction.

APIs are the foundation for infrastructure as code, CI CD pipelines, and service integrations. They enable role based access, audit logging, and granular controls that administrators rely on to manage environments at scale.

Management Console is a human oriented graphical interface that administrators use to view and change settings interactively. It does not itself provide the programmatic hooks that applications use to enable features or to automate large scale management, although the Management Console typically calls the underlying APIs.

Object Storage is a storage service for blobs and files and it represents a resource rather than a management interface. It may expose its own APIs for storing and retrieving objects but the option names a service and not the general interface used to enable application features and manage the overall hosted environment.

Non-repudiation is correct because it names the property of being able to independently verify the source and authenticity of data with a high degree of confidence.

This property is typically achieved by combining cryptographic methods such as Digital signatures with secure key management and trusted timestamps. A signature shows that a specific private key signed the data and a certificate issued by a Public key infrastructure links that key to an identity which supports the non-repudiation claim.

Hashing is incorrect because a hash demonstrates content integrity but it does not prove who created or signed the data. A hash alone offers no evidence tying the data to a particular originator.

Public key infrastructure is incorrect because it is an ecosystem for issuing and managing keys and certificates that supports non-repudiation but it is not the term that describes the property itself.

Digital signatures is incorrect because signatures are the mechanism that can provide non-repudiation when used with proper key management and certificates. The question asked for the property that describes the ability to verify source and authenticity rather than the mechanism.

The organization’s internal audit calendar that describes the timing and scope of internal assessments is correct because internal audit planning is an internal governance activity that remains the responsibility of the organization rather than the cloud provider.

This answer is correct because internal audits concern organizational risk acceptance choices and compliance schedules and they depend on internal policies and audit scope decisions. The cloud provider can supply logs and evidence to support audits but the design and timing of an internal audit calendar stays with the customer.

Performance targets and measurement standards for the cloud services is incorrect because those items are commonly defined in the provider’s SLA and detail how the provider measures and reports service performance.

Infrastructure patching for provider managed systems is incorrect because patching of systems that the provider manages normally falls under the provider’s operational responsibilities or under a clear shared responsibility statement depending on the service model.

Agreed service uptime percentages and availability metrics the provider must meet is incorrect because uptime and availability metrics are classic SLA elements that the provider commits to and measures.

The correct answer is A technician crushed an old hard disk after replacing it so that its data could not be retrieved.

Crushing a hard disk is a direct form of data sanitization because it physically destroys the storage media and prevents reconstruction of the platters and recovery of data. Physical destruction is an accepted sanitization method for decommissioning storage hardware when the device will not be reused and when irreversible removal of data is required.

An administrator changed their password every 90 days to reduce the chance of account compromise is incorrect because changing passwords protects user accounts and access controls and it does not remove or sanitize data on retired storage devices.

An engineer fitted new locks on the server cabinet to prevent unauthorized physical entry is incorrect because improving physical security can prevent theft or tampering but it does not sanitize or destroy data on hardware that is being decommissioned.

Google Cloud KMS is incorrect because a key management service handles encryption keys and access to encrypted data rather than physically removing or destroying data on decommissioned drives. While cryptographic erasure by destroying keys can serve as a sanitization method in some contexts the KMS product name alone does not describe physical media sanitization.

The correct answer is Data deidentification.

This process uses techniques such as masking, obfuscation, and anonymization to reduce or remove the ability to identify individuals from datasets. These techniques change or suppress identifying attributes so that the data can be used for analytics or testing without exposing personal identifiers.

Encryption is incorrect because it is a cryptographic transformation that protects confidentiality by making data unreadable without keys. Encryption does not remove identifying attributes and it is generally reversible with the correct key, so it is not categorized as the masking or anonymization process asked about here.

Tokenization is incorrect in this question because it replaces sensitive values with tokens that map back to the original value via a secure vault. Tokenization is often reversible and is treated as a distinct technique used for protecting specific values, so it is not the same category as the masking and anonymization methods referenced by data deidentification.

The correct answer is Governance and compliance.

Governance and compliance remain the customer responsibility across all cloud deployment models because legal obligations and organizational policies cannot be delegated to a vendor. Providers can supply controls and compliance documentation, but the customer must set governance policies, classify data, accept risk, and demonstrate compliance to auditors and regulators.

Identity and access management controls is not exclusively the customer responsibility because providers operate and secure the IAM infrastructure and sometimes manage identities for customers. In many models IAM is shared between provider and customer depending on the service.

Application code and runtime is not exclusively the customer responsibility because platform and software as a service offerings place the runtime and application management with the provider. Responsibility shifts depending on whether the service is IaaS, PaaS, or SaaS.

Physical infrastructure and networking is not the customer responsibility because cloud providers own and operate the data center hardware and the underlying network. Those components are typically managed by the provider in all public cloud models.

The correct answer is SOC 3.

SOC 3 is a general use attestation report that is explicitly designed to be shared publicly to demonstrate that an organization has effective controls related to security availability processing integrity confidentiality or privacy depending on the engagement. It gives a high level attestation without the detailed control descriptions and testing evidence so it is suitable for the general public.

SOC 2 is incorrect because that report contains detailed descriptions of controls and the auditor testing results and it is intended for customers and other stakeholders rather than broad public distribution. Organizations normally share SOC 2 reports under nondisclosure agreements.

ISO 27001 is incorrect because it is a certification of an information security management system rather than a public attestation report in the SOC format. A certificate or statement of certification may be published but the formal audit evidence and detailed reports are not typically released to the general public and the certificate does not serve as the same public assurance document as a SOC 3.

Shares is correct because it provides a way to assign relative priority or weights so that when total demand exceeds available capacity the system divides resources proportionally according to those weights.

This method is used by hypervisors and operating systems to implement fair allocation under contention. Administrators set shares to express the importance of workloads without permanently reserving capacity and the scheduler uses those weights to prioritize and allocate scarce resources.

Quotas set maximum allowable usage per user or project and they prevent overconsumption but they do not define how remaining capacity is distributed among competing requests when resources are constrained.

Limits impose absolute caps on resource consumption for a given object and they prevent a single tenant from exceeding a ceiling but they do not provide a proportional prioritization mechanism for dividing scarce resources.

Reservations guarantee capacity for a specific tenant or workload by holding resources aside and they ensure availability for that entity but they are not a general method for prioritizing or fairly allocating resources among multiple competing requests.

The correct answer is Allows restoration to known good states after tampering or deletion.

Allows restoration to known good states after tampering or deletion is correct because a comprehensive archive and backup program creates isolated copies and versioned snapshots so organizations can recover data integrity after corruption or malicious alteration and restore availability when primary data is lost.

A robust backup program typically includes immutability, offsite or logically separated copies, checksums or other integrity checks, and regular restore testing. These elements together make it possible to perform reliable point in time recovery and meet recovery time and recovery point objectives.

Identity and access management is incorrect because IAM focuses on controlling who can access resources and what actions they can perform. IAM does not by itself provide historical copies or point in time recovery needed to restore data after tampering or deletion.

Supports regulatory compliance reporting is incorrect because although archives and backups can assist with audits and evidence retention, their primary security benefit for integrity and availability is the ability to recover data. Compliance reporting is a secondary outcome rather than the core recovery capability.

The correct option is In PaaS the cloud customer maintains and versions the applications they buy or build while the provider maintains the platform tools and underlying infrastructure.

This is correct because in PaaS the cloud provider supplies and maintains the platform runtime, middleware, operating system, virtualization, and physical hardware while the customer is responsible for their own application code, dependencies, deployments, updates, and version control. The customer therefore manages application maintenance and versioning and the provider manages the platform and infrastructure maintenance.

The cloud provider arranges update and patch schedules with clients for both SaaS and PaaS is incorrect because providers do not arrange or perform application level update schedules for customer built applications on PaaS. Providers handle platform and SaaS application patches, but customers control updates and versioning for their own applications on PaaS.

In an IaaS deployment the cloud customer manages hardware networking storage and the virtualization layer is incorrect because in IaaS the provider is responsible for the physical hardware, networking, storage, and the hypervisor or virtualization layer. The customer manages the operating systems, middleware, runtimes, and applications running on the provisioned virtual machines.

In a SaaS offering the customer is responsible for maintenance and versioning of every component is incorrect because SaaS vendors deliver and maintain the application and its underlying components. Customers generally only manage their data, configuration choices, and access controls rather than the application code or platform stack.

The correct answer is Deletion.

Information rights management systems are designed to protect content by controlling who can open and what actions they can take on files. They implement encryption, apply usage policies, and allow revocation and expiration of rights, but they do not typically perform a guaranteed Deletion that removes every copy of a file from every device and storage location.

Some vendors may offer integrations with device management or remote wipe tools to help remove files from managed endpoints and those features can approximate Deletion. Those features are separate from the core IRM capability and they depend on endpoint management rather than rights enforcement alone.

User authentication is incorrect because IRM solutions depend on authenticating users so that rights can be bound to identities and enforced.

Policy enforcement is incorrect because enforcing access and usage policies is a primary function of IRM and is how the systems control printing, copying, editing, and expiration of protected content.

The correct option is Distributed redundancy.

Distributed redundancy is the architectural principle that replicates critical components across independent failure domains so the service can continue when individual parts fail. This includes placing instances in multiple availability zones or regions, using load balancers and health checks for automatic failover, and keeping data replicated so clients can be served from other replicas without interruption.

Centralized operations management is important for monitoring and coordination but it concentrates control and does not by itself remove single points of failure in the runtime path. It helps operations but it does not guarantee that the service stays up when components fail.

Isolated tenant environments improve security and limit the blast radius between tenants, but isolation alone does not create redundant replicas or automatic failover that preserve availability when components fail.

Elastic scaling helps handle changes in load by adding or removing capacity, but scaling addresses capacity and performance more than resilience to individual component failure. Elastic scaling can complement redundancy but it is not the primary design principle for surviving component failures.

Cross border data movement is the correct answer. Dispersing data fragments across multiple legal jurisdictions can create serious legal and compliance challenges because different countries have different rules about data protection, lawful access, and export of personal information. The movement of fragments across borders can trigger data transfer restrictions, require contractual safeguards or approvals, and expose the data to foreign legal process even when no single location holds the complete data set.

For example, regulators may treat reassembled or reconstructible fragments as subject to local privacy laws and oversight. Organisations that fragment data to improve resilience can still face obligations under regimes such as the GDPR and similar national laws when any fragment crosses a jurisdictional boundary. Those obligations often demand technical, contractual, or legal safeguards and can significantly complicate a deployment compared with keeping data within a single legal territory.

Reconstruction and reassembly overhead is not the best answer because while there is some technical cost to reassembling fragments, that is primarily a performance and architectural concern and not the major legal drawback posed by storing fragments in different countries.

Distributed erasure coding is not correct because it names a technique used to disperse data rather than a drawback. Erasure coding is often chosen to improve durability and availability and it is not inherently a legal issue.

More complex key lifecycle management is not the best choice because key management can be made consistent with centralised key services or hardware security modules. Key lifecycle complexity is a technical and operational challenge but it does not capture the primary legal risk that arises when fragments cross national borders.

The correct answer is OAuth 2.0.

OpenID Connect is an identity layer built on top of OAuth 2.0 and it uses the OAuth 2.0 authorization flows to authenticate users and issue tokens such as the ID token and access token. OpenID Connect adds standardized identity claims and discovery on top of the OAuth 2.0 framework and commonly relies on the authorization code flow for secure authentication.

WS Federation is an older Microsoft web services federation protocol and it is not the base protocol for OpenID Connect. Microsoft and other vendors have moved toward OAuth 2.0 and OpenID Connect for modern single sign on so WS Federation is less relevant on newer exams.

LDAP is a directory access protocol used for querying and managing directory information and it is not an authorization framework that OpenID Connect is built on. LDAP serves different purposes and does not provide the OAuth style grants that OIDC depends on.

SAML 2.0 is an XML based federation and single sign on standard that operates separately from OpenID Connect. SAML 2.0 can be used for SSO in many environments but it is not the underlying authorization framework for OpenID Connect which is built on OAuth 2.0.

The correct answer is Unauthorized data exposure.

Unauthorized data exposure describes an incident in which sensitive records are disclosed to someone who does not have permission to see them. This covers accidental exposures from misconfigured permissions and deliberate disclosures where confidentiality is broken, so it matches the description exactly.

Insider threat is not the best choice because it describes the actor or source of risk rather than the specific incident type. An insider threat can cause an unauthorized exposure but the phrase does not specifically mean records were disclosed without authorization.

Data loss is also incorrect because it usually refers to loss of access, deletion, or destruction of data rather than the unauthorized disclosure of sensitive records to an outside or unauthorized party.

When securing the management plane of a cloud deployment the least important factor to prioritize is Data backups.

Data backups are essential for resilience and for restoring data and configurations after loss or corruption. They do not however directly reduce the risk of unauthorized access to control interfaces or credentials, so they are a lower priority when the question is specifically about hardening the management plane.

Network isolation for management interfaces is critical because isolating management networks reduces the attack surface and limits lateral movement. Strong network controls ensure that only authorized administrators can reach management endpoints and they are therefore a high priority for management plane security.

Identity and access management controls are essential because they determine who can perform management actions and how credentials are protected. Enforcing least privilege and multifactor authentication directly defends the management plane and makes IAM a top priority.

Management activity logging is important because it provides detection and forensic capability for suspected misuse or compromise of management interfaces. Audit logs enable timely response and investigation so logging is also a high priority for the management plane.

Government agency is correct.

FISMA is a federal law that requires federal agencies to develop, document, and implement an information security program and to undergo periodic independent assessments. A government agency is the entity that is directly subject to FISMA and that must engage or be assessed by a third party security assessor as part of its compliance and authorization processes.

Cloud service provider is not the primary entity covered by FISMA. Cloud providers that host federal systems may be assessed under FedRAMP when they serve federal customers, but the FISMA responsibility and formal authorization rests with the federal agency that owns the system.

Healthcare provider is generally regulated by laws such as HIPAA and HITECH and is not directly subject to FISMA unless it is a federal health agency. Private healthcare organizations are not assessed under FISMA in the same way that federal agencies are assessed.

Sensitive data stolen by attackers exploiting vulnerabilities in an application is correct because it describes confidential information being accessed and taken by unauthorized parties and therefore should be treated as a data breach.

This scenario involves external actors exploiting a vulnerability to exfiltrate information which means confidentiality has been violated. A data breach requires responses that include containment of the attacker and notification obligations when sensitive information has been exposed to unauthorized parties.

An administrator unintentionally deletes rows from a production database is wrong because that scenario describes accidental destruction or unavailability of data rather than exposure to outsiders. The primary response is recovery and improving change controls and backups rather than breach notification.

A misconfigured Cloud Storage lifecycle rule causing objects to be permanently removed is wrong because the objects are being removed and thus become unavailable or destroyed. This is a data loss incident that requires restoration and configuration fixes and not a breach unless the objects were also disclosed to unauthorized parties.

Loss of encryption keys that makes stored backups unreadable is wrong in this phrasing because the data becomes unusable and unavailable and confidentiality may remain intact. This is a data loss event. If the keys were stolen or otherwise exposed then it could become a breach but loss alone without exposure is not a breach.

Rapid elasticity is correct because it explicitly refers to a cloud platform automatically scaling compute and storage to match changing workload demands.

Rapid elasticity describes the capability to quickly add or remove resources such as compute instances and storage so capacity aligns with demand. This characteristic emphasizes automatic and dynamic scaling that can occur without manual intervention and it is the cloud trait that maps directly to the scenario in the question.

Resource pooling is incorrect because it refers to the provider pooling computing resources to serve multiple consumers and it focuses on multi tenancy and efficient resource use rather than automatic scaling behavior.

On-demand self-service is incorrect because it means customers can provision resources themselves without human interaction from the provider and it does not by itself describe automatic, dynamic scaling to match changing workloads.

The correct option is Data governance.

Data governance is the SLA section that defines how customer data is managed across its lifecycle. This section typically specifies retention periods, legal and regulatory obligations, the responsibilities of the provider and the customer, and the required processes for secure erasure or return of records when they are no longer needed.

Incident response procedures is about detecting, reporting, and remediating security incidents and breaches. It does not set retention schedules or describe how customer records are securely erased.

Service performance targets cover availability levels, throughput, response times, and other operational metrics. They do not address data lifecycle management or deletion practices.

Billing and invoice terms govern pricing, invoicing cycles, payment methods, and dispute resolution for charges. They do not define data retention policies or secure disposal requirements.

The correct answer is Connected refrigerator that sends a shopping list to the owner’s phone.

This is an Internet of Things device because it is a physical appliance with embedded sensors and network connectivity that communicates state and actionable data to a user and other systems. The connected refrigerator monitors inventory or usage and sends the shopping list to the owner’s phone over the network, which matches the common definition of an IoT device in a home.

Google Cloud Pub/Sub is incorrect because it is a cloud messaging service used to move data between applications and services rather than a physical device in a home. It can be part of an IoT solution for transporting messages but it is not itself an IoT device.

A system that infers and carries out tasks without being explicitly programmed is incorrect because that describes artificial intelligence or autonomous software rather than a tangible home device. Such systems may augment IoT devices but the statement does not describe an example of a home IoT device.

The correct answer is Envelope.

The SOAP specification defines an XML Envelope element as the required root element that wraps the entire SOAP message. The Envelope contains an optional Header and a mandatory Body and it is the SOAP-defined wrapper regardless of how the message is transported.

HTTP body is incorrect because it describes where a SOAP XML document may be placed when sent over HTTP but it does not describe the SOAP message structure itself. The transport container is not the same as the SOAP wrapper.

Packet is incorrect because a packet is a generic network transport unit used at the network layer and it does not define the XML structure of a SOAP message. SOAP defines an XML envelope rather than a network packet format.

Frame is incorrect because a frame refers to a data link layer unit such as an Ethernet frame and it is unrelated to the XML wrapper that SOAP requires.

The correct option is Resource reservations. Resource reservations ensure the cloud or hypervisor sets aside compute and network capacity for other tenants so they retain access when one tenant generates a volumetric denial of service on shared hardware.

Resource reservations are implemented by the scheduler and the network fabric to allocate guaranteed slices of CPU memory and bandwidth to tenants. These reservations create enforced isolation so a noisy tenant cannot consume the shared pools and cause compute or network starvation for others.

Network rate limiting is not the best answer because it focuses on controlling traffic flows and can help mitigate bandwidth floods but it does not by itself reserve compute capacity on shared hosts. Rate limiting is often applied at network edges and may not protect CPU or memory resources from being exhausted.

Quotas are administrative limits on usage such as number of instances or amount of storage and they do not guarantee real time compute or network bandwidth during an attack. Quotas prevent excessive provisioning but they do not provide the runtime guarantees that reservations do.

Infrastructure as a Service IaaS is correct because it delivers the highest degree of control over the operating system storage configuration and the software you deploy.

Infrastructure as a Service IaaS provides virtual machines virtual networks and raw block or object storage that you provision and configure. You are responsible for the guest operating system middleware and any applications that run on the instances. The cloud provider manages the physical hosts networking and the hypervisor while you control disk layout file systems OS settings and installed system software.

Platform as a Service PaaS is incorrect because the provider manages the underlying OS and runtime environment. You can control your application code and certain platform settings but you do not get full control over the guest operating system or low level storage configuration.

Software as a Service SaaS is incorrect because the vendor delivers a complete application that you consume as a service. You have little or no access to the operating system or storage configuration and you cannot install system level software.

Function as a Service FaaS is incorrect because it is a serverless model that abstracts away OS and instance management. Functions are ephemeral and focused on code execution so you cannot control the guest OS or persistent storage layout.

The correct answer is eDiscovery.

eDiscovery refers to the legal process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information for use as evidence in litigation or regulatory matters. It specifically covers locating and collecting electronic messages and documents so they can be evaluated and exchanged under legal rules.

Legal hold is incorrect because it denotes the duty to preserve potentially relevant data and to suspend routine deletion policies, and it does not by itself describe the full process of locating and collecting evidence for litigation.

Digital forensics is incorrect because it emphasizes the technical investigation and analysis of devices and data to reconstruct events or recover evidence, and it is not the same as the broader legal discovery lifecycle of collecting and producing electronically stored information for court proceedings.

Encrypting application data is not carried out by the TLS handshake protocol.

The TLS handshake is responsible for Negotiating protocol parameters, Creating a session identifier, and Exchanging cryptographic keys. It authenticates parties when required and derives the shared secrets and cipher state that will protect application traffic. The actual encryption and integrity protection of application data is performed by the TLS record protocol after the handshake completes and the keys are in place.

Negotiating protocol parameters is handled during the ClientHello and ServerHello exchange where the TLS version, cipher suite and extensions are agreed. That negotiation is part of the handshake so this option is not correct.

Creating a session identifier is performed by the server in the ServerHello message and it enables session resumption. The identifier is established as part of the handshake process and so this option is not correct.

Exchanging cryptographic keys is a core function of the handshake because key exchange messages and certificates are used to establish shared secrets. The handshake negotiates or derives key material rather than performing the ongoing encryption of application payloads.

The correct answer is Regression testing.

Regression testing verifies that code changes do not break existing features and that previously fixed defects have not reappeared. It does this by rerunning previously passing test cases and by focusing on areas that could be impacted by recent changes.

Regression testing is often automated so that suites can be executed frequently after builds and before releases to catch unintended side effects early.

Integration testing checks how individual modules or components work together and whether their interfaces function correctly. It is not primarily aimed at ensuring that unrelated existing features remain intact after code changes.

Smoke testing is a quick set of sanity checks that confirm a build is stable enough for further testing. It is shallow by design and does not cover the full range of tests needed to detect regressions across the application.

The correct option is Private cloud hosted in the company data center with backups stored by a cloud backup service.

This option matches the scenario because the company runs its cloud platform inside its own on-site data center so the infrastructure is a private cloud hosted on premises. The backups are provided by an external vendor and are stored by that vendor in their cloud backup service rather than being kept only on local appliances.

Public cloud deployment with backups managed by an external cloud vendor is incorrect because a public cloud means the cloud infrastructure is provided and hosted by a third party off site. The scenario describes the platform running inside the company data center so it is not a public cloud deployment.

On-premises private cloud with backups retained on local backup appliances is incorrect because it specifies that backups are retained on local backup appliances. The scenario states that an outside vendor provides backup services, so backups are not retained only on local appliances.

Externally hosted cloud services with backups written to on-site storage is incorrect because it describes externally hosted services with backups written to on-site storage. The company runs the cloud platform on site and uses an external cloud backup service, so the roles are reversed from what that option describes.

The correct option is Static API keys.

Static API keys are the weakest protection because they act as simple bearer credentials that are often hard coded, long lived, and easy to leak. They do not provide cryptographic proof of the client per connection and they offer no built in rotation, scoping, or replay protection. An attacker who obtains a static key can reuse it across REST or gRPC calls until the key is revoked, which makes this control far weaker than mechanisms that bind identity to a secure channel or validate per request.

Mutual TLS is incorrect because it provides strong mutual authentication and channel protection by using client and server certificates. That cryptographic binding prevents simple credential replay and gives a much stronger guarantee of client identity than a static key.

API gateway is incorrect because a gateway can centralize and enforce authentication, validate tokens or certificates, perform key rotation, and apply rate limits and policy checks. Those capabilities strengthen protection for REST and gRPC endpoints beyond a lone static key.

Web application firewall is incorrect because a WAF focuses on detecting and blocking malicious request patterns and exploits at layer seven. A WAF can mitigate certain attacks but it does not replace proper client authentication or prevent reuse of leaked static keys.

The correct answer is Correlation.

Correlation is the SIEM capability that links related events from multiple sources by matching indicators such as an attacker IP and builds a unified view or timeline of the incident. This lets an analyst retrieve every log tied to the same activity across hosts so they can see how the attack moved through the environment and which devices were affected.

Aggregation describes collecting and centralizing log data from many devices into a single repository. Aggregation makes searching possible but it does not by itself associate or relate events into a single incident.

Normalization is the process of converting diverse log formats into a common schema to enable consistent searching and analysis. Normalization helps make data usable but it does not perform the cross host linking or event matching that the scenario requires.

Compliance features are focused on retention, reporting, and meeting audit requirements for logs and configurations. Compliance supports regulatory needs and evidence preservation but it does not create the event relationships an analyst used to trace the attacker IP across multiple systems.

Network latency and throughput is the correct answer because these factors most directly determine how quickly cloud services can send and receive data and how responsive they will feel to users.

Network latency measures the time it takes for a packet to travel between endpoints and back and it has a major effect on interactive applications and API response times. Throughput measures the maximum amount of data that can be transferred per second and it governs bulk transfers and streaming performance. Together they set the practical limits on end to end responsiveness across regions and between services.

Storage IOPS and disk latency can significantly affect storage bound workloads and database operations because they determine how fast read and write operations complete. However they only impact the parts of a service that perform disk I O and they are not the dominant factor for overall networked service responsiveness in many cloud deployments.

Identity and access management is about authentication and authorization and it is essential for security and compliance. It does not directly determine bandwidth or packet delay and so it is not a primary performance factor unless it is misconfigured in a way that introduces extra latency.

The correct option is DNSSEC.

DNSSEC ensures the authenticity and integrity of DNS records by digitally signing responses so clients can detect tampering and spoofing. It does not provide confidentiality for general application data and it does not encrypt traffic between systems, so it is not a mechanism used to secure arbitrary data while it travels across a cloud network.

IPsec operates at the IP layer and provides encryption and integrity for IP packets between hosts or gateways. It is commonly used to protect data in transit so it is not the correct choice here.

HTTPS is HTTP over TLS and it encrypts application layer traffic between clients and servers. It secures web traffic while it moves across networks so it is not the odd one out.

VPN creates encrypted tunnels often using IPsec or TLS to protect traffic between endpoints or networks. It is a standard way to secure data in transit and therefore it is not the correct answer.

The correct answer is Data rights management.

Data rights management refers to attaching access and usage policies directly to data objects so that protections persist with the file or document. It typically uses encryption and embedded policy metadata to control who can open a file and what actions they can perform such as view edit print copy set expiration or revoke access after distribution.

Data loss prevention focuses on detecting preventing and alerting on sensitive data leaving systems and on enforcing policies at endpoints networks and email. It generally acts at enforcement points and does not embed persistent usage controls into the data object itself.

Identity and access management manages identities and controls authentication and authorization to resources. It governs who can access systems and services but it does not itself attach usage rules to files so it does not provide the persistent object level protections described in the question.

Cloud service broker is correct because it specifically refers to a person or company that acts as an intermediary between cloud consumers and cloud service providers.

Cloud service broker intermediates and adds value by aggregating services from one or more providers and by integrating or customizing services to meet a consumer’s needs. A broker can handle tasks such as service selection, negotiation, and single pane of glass management so the consumer does not have to interact directly with multiple providers.

Cloud reseller is incorrect because a reseller typically purchases cloud services and resells them without necessarily performing the integration, aggregation, or mediation functions that define a broker.

Cloud consumer is incorrect because that term denotes the user or organization that consumes cloud services rather than an intermediary that negotiates or integrates services.

Cloud compliance auditor is incorrect because an auditor assesses compliance and controls instead of acting as an intermediary between consumers and providers.

Affected users is correct because the A in DREAD measures how many users or systems will suffer harm if a vulnerability is exploited which directly drives the impact portion of a risk assessment.

Affected users captures the scope and severity of impact because a flaw that affects many users presents a greater overall risk than one that affects a single system. This factor helps prioritize remediation when combined with the other DREAD components and it enables meaningful comparisons between different vulnerabilities.

When scoring risk the number of Affected users is used to estimate potential business damage and to guide remediation urgency and resource allocation.

Exploitability is incorrect because exploitability refers to how easy it is to carry out an attack and not to how many users are impacted.

Reproducibility is incorrect because reproducibility concerns whether the issue can be reliably repeated and not the scope of affected users.

The correct option is Management plane.

Management plane is the central control surface for the cloud platform and it exposes the administrative APIs and consoles used to provision and configure tenants networks and instances and to manage access. A breach of the Management plane can allow an attacker to create or delete instances escalate privileges alter network policies or obtain credentials that give platform wide control across all hosts.

Virtual router is an important networking component and compromise could enable traffic interception or segmentation bypass. It is less likely to give an attacker automatic control of every hosted instance because it does not typically provide orchestration or credential management for the entire platform.

Hypervisor runs beneath virtual machines and a compromise can be severe for workloads on the affected host. It is not the best answer here because hypervisor compromise normally impacts the machines on that host and platform architectures apply additional hardening and isolation while the management plane controls operations across all hosts.

Virtual machine is a tenant level workload and compromise typically grants access to that instance and possibly to lateral targets but it does not by itself provide administrative control over every hosted instance in the cloud.

The correct option is Platform as a Service.

This model lets developers build, deploy, and run applications while the cloud provider manages servers and operating systems. The provider supplies runtimes, middleware, development tools, and managed services so teams do not handle virtual machine provisioning, operating system updates, or low level infrastructure scaling.

Infrastructure as a Service is incorrect because it provides virtualized compute, storage, and networking while leaving operating system and runtime management to the customer. That means you still manage servers and system software, which the question rules out.

Function as a Service is incorrect because it focuses on running discrete, event driven functions and is a narrower serverless offering. It abstracts servers but it is aimed at small pieces of code rather than providing the broader application hosting and platform tooling that Platform as a Service delivers.

The Recovery Point Objective which defines the maximum tolerated data loss measured in time is the correct metric for this scenario.

The Recovery Point Objective or RPO specifies how much recent transactional data the business can afford to lose expressed as a time interval. For a payments platform that processes mission critical transactions you must limit potential data loss to avoid customer and financial harm and RPO directly defines that limit.

Specifying an RPO drives technical choices such as synchronous replication or continuous data protection, transaction logging frequency, and backup cadence so that the implemented solution can meet the tolerated data loss window. Meeting a very small RPO often requires near real time replication or durable write-ahead logs instead of relying only on periodic full backups.

The regularity of data backups which determines how current backup copies are is related because backup frequency affects how much data might be lost, but it is not the metric itself. Backup schedule is an operational control that you adjust to achieve the RPO.

The Recovery Time Objective which indicates how long systems can remain unavailable is about how quickly systems must be restored after an outage. It does not define the amount of data loss and so it does not set the maximum tolerated transactional data loss.

The total cost of the disaster recovery solution which constrains budget and tooling choices is an important planning consideration, but cost is a constraint rather than a metric for tolerated data loss. Cost helps you select technologies to meet an RPO but it does not replace the RPO itself.

Run a vulnerability scan is correct because that action is intended to identify known vulnerabilities across cloud infrastructure and to produce a report that lists the issues.

Such scans are automated tools that compare discovered hosts and services against vulnerability databases and configuration checks. They report known CVEs and common misconfigurations, provide severity ratings, and often include remediation guidance so teams can prioritize fixes across cloud accounts and assets.

Conduct a penetration test is incorrect because penetration testing focuses on exploiting vulnerabilities to demonstrate impact and to find chains of compromise. A pen test is not primarily an automated inventory that lists all known issues across an environment on a scheduled basis.

Perform static application security testing is incorrect because SAST examines source code and build artifacts for coding flaws inside applications. SAST does not scan cloud infrastructure, network configurations, or deployed hosts to produce an infrastructure vulnerability report.

The correct option is Generate consolidated reports and dashboards.

A security information and event management system centralizes log and event data from many sources and then correlates and analyzes that data to surface incidents. It is designed to provide consolidated reports and dashboards so security teams can monitor trends, investigate incidents, and demonstrate compliance.

Cloud Key Management Service is incorrect because a key management service is focused on creating, storing, and managing cryptographic keys and not on aggregating and analyzing security events.

Google Cloud Security Command Center is incorrect because it is a security posture management and asset discovery service rather than a full SIEM, although it can integrate with SIEMs to provide findings.

Perform long term backups of event archives to Cloud Storage is incorrect because long term archival to object storage is an operational retention option and not a core SIEM capability, even though some SIEMs can export or tier older data to cloud storage for cost management.

The correct option is Vendor technical guides.

Manufacturer or vendor technical guides are the authoritative source for motherboard firmware hardening because they provide model specific procedures. These guides include step by step instructions for updating BIOS or UEFI firmware, enabling and configuring Secure Boot, applying vendor supplied firmware signing and verification, and using the vendor’s management utilities to perform safe updates. Following the vendor guidance reduces the risk of bricking hardware and preserves support and warranty coverage.

Vendors also publish firmware security advisories and dedicated tools for servers and motherboards. Examples include vendor out of band management interfaces and update utilities that are specific to their hardware and firmware stacks. Using those vendor tools and guides ensures you follow supported sequences and prerequisites for a given motherboard and firmware version.

Operating system manuals are not correct because they focus on the operating system and its configuration rather than on the motherboard firmware. They may cover how the OS interacts with firmware features but they do not contain manufacturer specific firmware update steps or recovery procedures.

Organizational security policies are also not correct as the primary source for manufacturer recommended steps. Policies define requirements and controls at the organizational level and they should reference vendor technical guides for exact procedures, but they do not provide the firmware vendor’s step by step instructions or model specific details.

The correct answer is Envelope.

The Envelope element is the outermost container of a SOAP message and it defines the message boundaries and the namespace for SOAP processing. It contains an optional header and the required body which holds the application payload. Because the Envelope encloses the entire message it is the structural element that serves as the wrapper and defines the SOAP message scope.

Packet is not a SOAP structural element. Some frameworks may use the term packet informally but it does not appear in the SOAP specification and it does not define SOAP message boundaries.

Object is a generic programming term and not part of the SOAP XML structure. It is not an element that wraps or defines a SOAP message.

Message Body is misleading because the SOAP element is named Body and it is nested inside the Envelope. The Body holds the message payload but it does not act as the outermost wrapper or define the overall message boundaries.

The correct answer is Data masking. Data masking replaces a column’s real values with alternate characters or realistic but fictitious values to protect sensitive data while preserving the original data format and usefulness for testing or display.

Data masking can be implemented as static masking where a non production copy is created with masked values or as dynamic masking where values are transformed in real time for certain users. Masking is typically designed to be non reversible so that the original sensitive values are not recoverable from the masked output.

Tokenization is incorrect because tokenization substitutes sensitive data with tokens while keeping a secure mapping or vault that allows the original value to be restored. That reversible mapping differentiates tokenization from the non reversible substitution implied by the question.

Encryption is incorrect because encryption converts data into ciphertext using keys and is intended for confidentiality at rest or in transit. Encryption does not produce alternate readable characters for testing or display and it is reversible with the correct decryption key.

Reliability is the correct option because it is not one of the ten Generally Accepted Privacy Principles (GAPP).

The GAPP set of ten principles includes Management, Notice, Choice and Consent, Collection, Use, Retention, Access, Disclosure to Third Parties, Security for Privacy, and Quality. Since Reliability does not appear in that list it is the non matching choice.

Quality is incorrect because it is explicitly one of the ten GAPP principles and it covers data accuracy and integrity requirements for personal information.

Access is incorrect because access rights are a defined GAPP principle that addresses an individual’s ability to review and correct their personal information.

Management is incorrect because governance and oversight of the privacy program is a core GAPP principle and it appears as one of the ten.

The correct option is Protected health information PHI.

Psychotherapy treatment records in a telemedicine portal are clinical notes and treatment information tied to an identifiable patient and they therefore meet the definition of PHI under HIPAA. Psychotherapy notes often receive additional privacy protections in addition to the standard protections for PHI.

Personally identifiable information PII is a general term for data that can identify an individual but it does not specifically indicate health care content or the regulatory protections that apply to medical records. Telemedicine psychotherapy records are health information and so they are classified as PHI rather than only as Personally identifiable information PII.

Payment card information PCI covers credit card and payment details and it is governed by payment security standards. It does not describe clinical treatment records and so it is not the correct classification for psychotherapy records in a telemedicine portal.

The correct option is Containerization.

Containerization provides lightweight, process level isolation by using operating system features such as namespaces and cgroups so a team can run a program in an isolated runtime while observing its behavior without risking the host system. Containers share the host kernel and start quickly which makes them suitable for ephemeral analysis and monitoring in cloud environments.

Virtualization involves running full virtual machines with separate guest operating systems and kernels. Virtual machines offer strong isolation but they are heavier and have more overhead than containers, so this option does not best match the lightweight cloud runtime described.

Sandboxing is a broad security concept that isolates untrusted code and is used in many contexts such as browsers and application sandboxes. It is conceptually similar but the question calls for the specific cloud runtime pattern that is typically implemented with containers, so sandboxing is not the answer the exam expects.

Network segmentation separates networks into zones to control traffic and reduce attack surface. It does not create an isolated execution environment for running and observing a program, so it does not match the scenario.

The correct answer is ISO/IEC 27050.

ISO/IEC 27050 is the ISO family that provides guidance on electronic discovery and information retrieval. It covers the identification preservation collection processing search and review of electronically stored information so organizations can respond to legal and regulatory requests.

ISO/IEC 27701 is focused on privacy information management and extends an ISMS to address personally identifiable information rather than providing eDiscovery procedures.

ISO/IEC 27018 is a code of practice for protecting personal data in public cloud services and it addresses cloud privacy controls rather than methods for electronic discovery and retrieval of evidence.

ISO/IEC 27001 specifies requirements for an information security management system and it defines a management framework for controls rather than detailing electronic discovery processes.

The correct answer is Sensitive data exposure.

Sensitive data exposure refers to failures to protect personally identifiable information that an application stores or transmits. It encompasses weak or missing encryption for data at rest and in transit, poor key management, and insecure handling of secrets and tokens which can lead to disclosure of PII.

Using components with known vulnerabilities is focused on risks introduced by outdated or vulnerable libraries and frameworks that attackers can exploit, and it does not specifically address protecting stored or transmitted personal data.

Broken access control concerns improper enforcement of user permissions and can lead to unauthorized access, but it is about who can access resources rather than how data is protected in storage or transit.

Insecure deserialization involves unsafe processing of serialized objects that can result in remote code execution or other logic flaws, and it is not primarily about safeguarding personally identifiable information in storage or transmission.

SAML is the correct option for prioritizing a federation protocol to securely share authentication assertions across domains.

SAML is an XML based federation standard that was designed to exchange authentication and attribute assertions between an identity provider and a service provider across domain boundaries. It supports signed and optionally encrypted assertions and a standardized metadata and trust model which makes it well suited for enterprise single sign on and cross domain federations.

SAML is widely deployed in enterprise and education federations and exam questions that focus on sharing authentication assertions across domains typically expect this protocol to be the prioritized answer.

OAuth 2.0 is an authorization framework for delegated access to protected resources and not an assertion based authentication protocol. It does not itself define standardized identity assertions so it is not the correct choice when the question asks specifically about sharing authentication assertions across domains.

OpenID Connect is an authentication layer built on top of OAuth 2.0 and it uses JSON web tokens and RESTful flows which make it well suited for modern web and mobile scenarios. While it can convey identity information across domains, exam items that emphasize enterprise federation and XML assertion exchange generally expect SAML rather than OpenID Connect.

The correct option is Problem management.

Problem management is the IT service practice that focuses on identifying and eliminating the underlying causes of incidents so that outages are reduced or prevented in the future. It uses root cause analysis and proactive problem detection to stop incidents from recurring rather than only restoring service.

Cloud Deployment Manager is a tool for provisioning and managing cloud resources and it does not implement the service practice of diagnosing and eliminating incident root causes.

Incident management is concerned with restoring normal service operation as quickly as possible and minimizing immediate impact, and it does not primarily aim to find and remove underlying causes.

Change management controls and coordinates changes to reduce risk and ensure stable releases, but it is not the process whose primary purpose is root cause analysis to eliminate recurring incidents.

DNSSEC signed zones is the correct option because it adds a verifiable cryptographic layer to DNS records so resolvers can detect tampering.

DNSSEC uses digital signatures on DNS records and corresponding public keys in the DNS chain of trust so a validating resolver can confirm that a DNS response came from the authoritative source and was not altered in transit. Enabling DNSSEC on hosted zones is the appropriate control a cloud provider can deploy to prevent attackers from altering DNS entries.

Anycast DNS routing improves distribution and availability by advertising the same IP address from many locations, but it does not provide cryptographic validation of DNS data. Anycast DNS routing therefore cannot prevent an attacker from changing zone data or spoofing responses.

IPsec encrypted tunnels protect confidentiality and integrity of traffic between specific endpoints, but they do not sign DNS records and are not a practical global solution for validating public DNS responses. IPsec encrypted tunnels will not stop a compromised authoritative zone or cached spoofed responses outside the tunnel.

The correct option is Physical infrastructure security. This area is commonly outside the cloud customer’s direct responsibility and is therefore the correct choice.

Physical infrastructure security covers the data center facilities, physical servers, networking hardware, power systems and physical access controls. The cloud provider is responsible for these items because they own and operate the underlying infrastructure that hosts customer services.

Virtual network and firewall configuration is incorrect because customers usually configure their own virtual network settings and firewall rules for their tenants and workloads even though the provider supplies network primitives and managed firewall services.

Data encryption and key management is incorrect because customers often control encryption of their data and the keys when they use customer managed keys or client side encryption. Providers may offer managed key services but the choices about key custody and data encryption usually remain a customer responsibility.

Endpoint security controls is incorrect because securing virtual machines, containers and client devices is typically the customer’s responsibility. The customer must apply patches, endpoint protection and configuration management for their instances and devices.

Formalized vendor patch and update management is the correct option.

Vendor supplied APIs commonly come with formalized patch and update programs that provide scheduled fixes, coordinated security advisories, and a clear vendor point of contact for distributing updates and tracking vulnerabilities. Those formal processes reduce operational burden for customers and create accountability for timely updates.

Contractual support and service level agreements is not necessarily a unique advantage of a vendor supplied API. Commercial support and SLAs can be arranged for open source products through third party vendors or paid subscriptions, and an SLA is a contractual arrangement rather than an inherent property of the API itself.

Freedom to modify source code is characteristic of open source APIs and is generally not an advantage of vendor supplied APIs. Vendor supplied offerings are often closed or restricted by license, so the ability to change source code points to open source rather than vendor controlled APIs.

The correct answer is Uninterrupted access to encryption keys.

Keeping key management in-house creates the primary risk that your cloud workloads will not be able to obtain keys when they are needed, so Uninterrupted access to encryption keys is the main concern. If an on premises key service, network link, or the staff who operate the keys become unavailable then cloud resources that require keys to decrypt data or to start will be unable to function and you will face downtime and operational loss.

Secrecy of the key material is not the primary risk because holding keys in-house often gives you more direct control over confidentiality and you can deploy hardware security modules and strict access controls to protect secrecy. Poor practices can still expose keys but confidentiality is not the central operational risk compared with availability.

Ability to transfer keys between environments is not the main concern because there are established procedures and Bring Your Own Key workflows to export, rewrap, or migrate keys when needed. Portability is an operational task and it is typically manageable compared with the immediate impact of losing access to keys.

Integrity of the keys is also not the primary risk because integrity can be preserved with HSM protections, cryptographic checks, and auditing. Tampering is a serious issue but it is usually mitigated by technical controls and monitoring and it is not the principal downside of keeping key management outside the cloud provider.

The correct option is Methodically designed tested and reviewed.

EAL4 indicates that the product was developed using a methodical engineering approach and that the design and implementation have been subjected to structured testing and independent review. This assurance level requires developer documentation design analysis and independent evaluator testing to show that the claimed security functions are implemented correctly and consistently.

Formally verified with mathematical proof is incorrect because formal mathematical proofs and full formal verification are not required at EAL4. Those activities are associated with much higher assurance levels and specifically with EAL7.

Semi formally designed and subjected to testing is incorrect because semi formal design and more rigorous model based verification correspond to higher Common Criteria levels such as EAL5 or EAL6 rather than EAL4.

The correct answer is Define objectives, define scope, conduct the audit, document lessons learned.

This sequence is correct because audit planning begins with clear objectives and then defines the scope so the audit team knows what is in and out of the engagement. Conducting the audit follows planning and covers evidence collection testing and analysis. Documenting lessons learned completes the cycle and enables continuous improvement of the audit process and future planning.

Set the scope, define objectives, perform the audit, monitor outcomes is incorrect because it places scope before objectives and it emphasizes monitoring rather than capturing lessons learned as a formal closure activity.

Establish objectives, set audit criteria and controls, collect evidence, prepare the report is incorrect because it mixes planning and execution steps and it does not explicitly include defining the scope or closing the audit with lessons learned.

Define objectives, execute the audit, review findings, schedule a follow up audit is incorrect because it moves directly to execution without an explicit scope definition and it treats follow up scheduling as the main closure instead of documenting lessons learned for process improvement.

The correct answer is Benchmark current security against accepted standards and best practices.

A cloud security gap analysis is primarily about comparing an organization�s existing controls, processes, and configurations to established frameworks and industry best practices. This comparison or benchmarking reveals where controls are missing or insufficient and produces a prioritized set of gaps to remediate so risk and compliance issues can be addressed.

Using recognized frameworks such as NIST, ISO, or CSA gives the analysis an objective baseline and produces actionable recommendations and a remediation roadmap rather than just a list of services or customer claims.

Generate customer security assurances is incorrect because the main purpose of a gap analysis is to identify and prioritize internal security deficiencies. Organizations may later use the findings to support customer assurances but that is a secondary outcome rather than the primary objective.

Map deficiencies to cloud services is incorrect because while a gap analysis can include mapping deficiencies to specific cloud services it is broader than that activity. The core aim is to benchmark controls and practices against accepted standards and best practices so that overall risk and compliance gaps are understood and remediated.

The correct answer is Uptime Council.

Uptime Council is the body associated with the well known tier classification for data center topologies and it is the source most commonly cited when discussing Tier I through Tier IV designs and certifications. The Council publishes the topology criteria and the availability expectations that designers and operators use to label and certify data center infrastructure.

Google Cloud is incorrect because it is a cloud service provider that designs and operates its own facilities and services, and it does not publish the industry standard tier classification for data center topologies.

Information Technology Infrastructure Library is incorrect because it is a framework for IT service management rather than a standards body that defines physical data center topology tiers.

National Fire Safety Association is incorrect because fire and safety codes are handled by organizations focused on safety standards and regulations, and they do not issue the commonly referenced tier topology standard for data centers.

At the moment the data is created is the correct answer.

Classifying information at creation ensures that appropriate protections are applied from the start and that handling, storage, and access controls follow the data through its lifecycle. This approach supports privacy by design and reduces the chance that sensitive data is exposed before controls are put in place.

Applying classification as data is created also makes it easier to automate protection measures such as encryption, access controls, and retention rules. It creates a persistent label that travels with the data or is enforced by the systems that store and process it.

While the data is actively in use is incorrect because waiting until the data is being used can leave periods when the data had no protections. Classification at use is reactive and may allow accidental exposure or improper handling before protections are applied.

During transmission between systems is incorrect because transmission controls rely on knowing the data sensitivity ahead of time. If classification only occurs during transit then upstream systems and storage locations may not have applied appropriate protections, and handling decisions may already be too late.

The correct option is Measure of the expected recovery time objective and disaster recovery tasks after a breach.

This choice is not part of the DREAD evaluation because DREAD is a vulnerability risk rating model that focuses on the characteristics of a vulnerability and an exploit. It measures Damage Reproducibility Exploitability Affected users and Discoverability and it does not include operational recovery time objectives or disaster recovery tasks.

Measure of how difficult it is to discover the vulnerability is incorrect because Discoverability is the D in DREAD and it specifically rates how easily the vulnerability can be found.

Measure of the amount of damage to systems if an exploit succeeds is incorrect because Damage is the first D in DREAD and it captures the impact or damage that an exploit can cause.

Measure of how reliably an exploit can be repeated is incorrect because Reproducibility is the R in DREAD and it assesses whether an exploit can be reproduced consistently.

Measure of the technical skill and resources needed to carry out an attack is incorrect because Exploitability is the E in DREAD and it evaluates the skill and resources required to exploit the vulnerability.