Questions tagged [ccsp]

Certified Cloud Security Professional. A certification by ISC2 structured around cloud security and cloud computing.

20 questions
6
votes
2 answers

What's a practical example of encryption "in use" or "in process"?

I'm studying for the CCSP and from a high-level, I keep hearing encryption described in three forms: Protecting data at rest. Protecting data in transit. Protecting data in use. The first two make sense to me, but then I'm struggling to think of…
Mike B
  • 3,336
  • 4
  • 29
  • 39
6
votes
2 answers

What's the difference between "load testing" and "stress testing" within the context of a security audit?

I'm preparing for the CCSP examine and am trying to wrap my mind around the concepts of "load testing" and "stress testing" within the context of security. I think the difference here is that: Load Testing is a measure of capacity, pure and…
Mike B
  • 3,336
  • 4
  • 29
  • 39
3
votes
2 answers

Is there a difference between "risk tolerance" and "risk appetite"?

I'm studying for the CCSP exam and I'm a little confused on the difference between "Risk Appetite" and "Risk Tolerance". Is there a clear and discernible difference? Can the terms be used interchangeably? To me, both terms are referring to the…
Mike B
  • 3,336
  • 4
  • 29
  • 39
3
votes
1 answer

Is there a difference between "Maximum Tolerable Downtime" and "Maximum Allowed Downtime"?

I'm studying for the CCSP exam and one of the BC/DR terms that is referenced in my study material is "Maximum Allowable Downtime". The definition for it is: MAD (Maxium Allowable Downtime) How long it would take for an interruption in service to…
Mike B
  • 3,336
  • 4
  • 29
  • 39
3
votes
2 answers

What's the difference between an API gateway and XML gateway?

I'm studying for the CCSP exam and am confused on the difference between an "API gateway" and "XML gateway". The training material I have states: API gateways are also an important part of a layered security model. They can be used to impose…
Mike B
  • 3,336
  • 4
  • 29
  • 39
3
votes
1 answer

What's the difference between an "application-aware firewall" and a "web application firewall"?

I'm studying for the CCSP and my training material isn't very clear on the definition between "application-aware firewall" and "web application firewall". The training material states: Early on, these devices were limited to simply port blocking…
Mike B
  • 3,336
  • 4
  • 29
  • 39
3
votes
1 answer

Why would a goal of DLP solution implementation include "loss of mitigation"?

I'm studying for the CCSP exam and a practice question read: The goals of DLP solution implementation include all of the following, except: A. Policy enforcement B. Elasticity C. Data discovery D. Loss of mitigation I chose D because I…
Mike B
  • 3,336
  • 4
  • 29
  • 39
3
votes
2 answers

What's a practical example of how volatile information can be preserved in a digital forensics investigation?

I'm taking a study course on CCSP and am going over a section on the digital forensics investigation process. In particular, the instructor discussed the following: I'm curious on two bullet points here: Capture an accurate image of the system.…
Mike B
  • 3,336
  • 4
  • 29
  • 39
2
votes
1 answer

Is it reasonable to consider logs as a "technical control"?

I'm studying for the CCSP exam and one of the examples of technical controls (referenced in the course training material) confuse me: Technical controls, also referred to as logical controls, are those controls that enhance some facets of the…
Mike B
  • 3,336
  • 4
  • 29
  • 39
2
votes
1 answer

Does "crypto offloading" require the use of ASICs? Can the concept be applied elsewhere?

I'm studying for the CCSP exam and the training material is a little vague on the term "crypto offloading". The term was mentioned in passing while describing TLS: TLS is a protocol designed to ensure privacy when communicating between…
Mike B
  • 3,336
  • 4
  • 29
  • 39
1
vote
1 answer

Is this description of the term "event" accurate within the context of Business Continuity and Disaster recovery?

I'm studying for the CCSP exam and I came across this description: An event is any unscheduled adverse impact to the operating environment. An event is distinguished from a disaster by the duration of the impact. We consider an event's…
Mike B
  • 3,336
  • 4
  • 29
  • 39
1
vote
2 answers

What drives security controls in cloud models: Business requirements? Or SLAs?

I'm preparing for the CCSP exam and another test question is throwing me off. The question reads: In all cloud models, security controls are driven by which of the following: A. Virtualization engine B. Hypervisor C. SLAs D. …
Mike B
  • 3,336
  • 4
  • 29
  • 39
1
vote
1 answer

Does a SOC 2 SSAE report not come with a "seal of approval" from a certified auditor?

I'm studying for the CCSP exam and I'm confused with a test prep question in my study materials. The question reads: "Which kind of SSAE report comes with a seal of approval from a certified auditor?" A. SOC 1 B. SOC 2 C. SOC 3 D. SOC…
Mike B
  • 3,336
  • 4
  • 29
  • 39
1
vote
1 answer

How/why can Cloud Access Security Brokers be superior to managing access controls locally?

I'm studying for the CCSP exam and I'm a little confused on why outsourcing access controls to a third party CASB would be appropriate. Could someone please explain the rationale there (and ideally perhaps a use case)? It seems like, if anything,…
Mike B
  • 3,336
  • 4
  • 29
  • 39
1
vote
1 answer

How is cryptoshredding a "sole pragmatic option for data disposal in the cloud"?

I'm studying for the CCSP exam and I think I'm missing something here... In reviewing data destruction/disposal methods, I'm aware that an on-premise IT environment has several options: Physical destruction of media and…
Mike B
  • 3,336
  • 4
  • 29
  • 39
1
2