ISO 27017:2015 - Cloud Security Foundation Free Practice Test — 30 Questions

Question 1

Consider a scenario where a cloud service customer (CSC) is utilizing a Platform as a Service (PaaS) offering from a cloud service provider (CSP). A security audit reveals that sensitive customer data stored within the PaaS application has been inadvertently exposed due to overly permissive access controls configured within the CSC\'s application deployment. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for rectifying this specific security lapse?

Accepted Answer

The cloud service customer, for misconfiguring the access controls within their deployed application.

Question 2

Consider a scenario where a company, \"Aether Dynamics,\" utilizes a Platform as a Service (PaaS) offering from a cloud provider for developing and deploying its customer relationship management (CRM) application. Aether Dynamics has implemented robust access controls for its employees to the CRM application and ensures that all sensitive customer data stored within the application is encrypted. However, a vulnerability in the underlying operating system managed by the cloud provider is exploited, leading to a data breach. According to the principles outlined in ISO 27017:2015, which of the following best describes Aether Dynamics\' primary responsibility in preventing such a breach within this PaaS context?

Accepted Answer

Ensuring the security of their deployed CRM application code and the data it processes, including access management to the application.

Question 3

A cloud service provider (CSP) utilizing ISO 27017:2015 controls detects a significant security incident resulting in unauthorized access to customer data. The CSP has completed its internal assessment and containment procedures. Considering the CSP\'s obligations to its customers and the broader regulatory environment, what is the most critical immediate action regarding customer notification?

Accepted Answer

Promptly inform affected customers about the breach, detailing the nature of the incident, the types of data compromised, and the remedial actions being implemented, in accordance with applicable data protection regulations.

Question 4

A company, \"Astro-Dynamics,\" has migrated its critical research simulation software to a Platform as a Service (PaaS) offering from a reputable cloud provider. Astro-Dynamics\' security team is reviewing their responsibilities under ISO 27017:2015 to ensure compliance. Considering the shared responsibility model inherent in PaaS, which of the following security domains would Astro-Dynamics, as the cloud service customer, be primarily accountable for securing within the provided PaaS environment?

Accepted Answer

The underlying hypervisor and the physical security of the data center hosting the infrastructure.

Question 5

A company, \"Aether Dynamics,\" has migrated its customer relationship management (CRM) system to a Platform as a Service (PaaS) offering from a major cloud provider. Aether Dynamics is now developing a custom reporting module for this CRM that will process sensitive customer financial data. Considering the shared responsibility model as defined by ISO 27017:2015, which of the following actions is primarily the responsibility of Aether Dynamics to ensure the security of this new reporting module and its data?

Accepted Answer

Implementing robust encryption for sensitive customer financial data both at rest within the PaaS database and in transit between the reporting module and the CRM application.

Question 6

A cloud service customer (CSC) has contracted a specialized third-party firm to develop a new customer relationship management (CRM) application that will be hosted on a public cloud infrastructure provided by a cloud service provider (CSP). The CSC has provided the third-party firm with access to a development environment within the cloud, which contains anonymized sample data for testing. Considering the shared responsibility model outlined in ISO 27017:2015, which of the following represents the primary security obligation of the CSC concerning the development and deployment of this custom CRM application?

Accepted Answer

Ensuring the third-party developer adheres to secure coding practices and that the application's data handling mechanisms comply with the CSC's data protection policies.

Question 7

A multinational corporation, \"AstroDynamics,\" is migrating its customer relationship management (CRM) system to a cloud-based Platform as a Service (PaaS) offering from a reputable provider. AstroDynamics needs to ensure that sensitive customer data remains protected and that only authorized personnel can access and modify records. Considering the shared responsibility model outlined in ISO 27017:2015, which of the following represents a primary security responsibility that AstroDynamics, as the cloud service customer, must undertake for this PaaS deployment?

Accepted Answer

Ensuring the integrity and confidentiality of customer data stored within the PaaS, including implementing appropriate access controls for their own users.

Question 8

A multinational corporation, \"Aether Dynamics,\" has migrated its customer relationship management (CRM) system to a Platform as a Service (PaaS) offering from a reputable cloud provider. Aether Dynamics\' security team is reviewing their responsibilities under ISO 27017:2015. Considering the typical division of responsibilities in a PaaS model, which of the following areas would Aether Dynamics, as the cloud service customer, be primarily accountable for securing?

Accepted Answer

The security of the underlying operating system and middleware supporting the CRM application.

Question 9

A financial institution, operating under strict data residency regulations like GDPR and the California Consumer Privacy Act (CCPA), is migrating a legacy customer relationship management (CRM) system to a Platform as a Service (PaaS) cloud environment. The cloud service provider (CSP) has assured compliance with ISO 27001 and offers services compliant with ISO 27017. Given the shared responsibility model inherent in PaaS, what is the primary security responsibility that remains with the financial institution (the cloud service customer) concerning the migrated CRM application and its sensitive customer data?

Accepted Answer

Implementing and managing application-level access controls and ensuring the security of the application code itself.

Question 10

Consider a scenario where a cloud service customer (CSC) is using Infrastructure as a Service (IaaS) from a cloud service provider (CSP). The CSC deploys a virtual machine (VM) to host a sensitive customer database. Due to a misconfiguration of network access controls on the VM by the CSC\'s IT team, an external attacker gains unauthorized access and exfiltrates a significant portion of the customer database. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for the security lapse that led to the data exfiltration in this specific instance?

Accepted Answer

The cloud service customer (CSC)

Question 11

A financial institution, operating as a cloud service customer (CSC), has contracted with a cloud service provider (CSP) for an Infrastructure as a Service (IaaS) offering. The CSC has deployed a custom-built financial transaction processing application on top of a Linux operating system provided and managed by the CSP. A critical zero-day vulnerability is subsequently disclosed in the Linux kernel, affecting the specific version deployed by the CSP. Which party bears the primary responsibility for addressing this kernel-level vulnerability according to the principles outlined in ISO 27017:2015, considering the typical IaaS shared responsibility model?

Accepted Answer

The cloud service customer (CSC)

Question 12

Consider a scenario where a cloud service customer (CSC) is utilizing a Platform as a Service (PaaS) offering from a cloud service provider (CSP) for developing and deploying a critical financial application. The CSC has developed custom code for transaction processing and stores sensitive customer financial data within the PaaS environment. According to ISO 27017:2015, which of the following accurately delineates the primary security responsibilities of the CSC in this PaaS context, particularly concerning the application\'s code and the data it processes?

Accepted Answer

The CSC is responsible for securing the custom application code, managing access controls to the application, and protecting the confidentiality and integrity of the financial data processed and stored within the PaaS.

Question 13

A global financial institution, \"Quantum Bank,\" is migrating its customer relationship management (CRM) system to a cloud environment using a Platform as a Service (PaaS) model. They have selected a reputable cloud service provider (CSP) that adheres to ISO 27017:2015. Quantum Bank needs to define the scope of their security responsibilities to ensure compliance with stringent financial regulations, including data localization requirements and robust access control for sensitive customer financial data. Which of the following best delineates Quantum Bank\'s primary security responsibilities within this PaaS arrangement, considering the shared responsibility model and the need to meet regulatory obligations?

Accepted Answer

Implementing granular access controls for the CRM application, securing the data stored within the PaaS database, and ensuring the security configuration of deployed application code, in alignment with financial data protection mandates.

Question 14

Consider a scenario where a company, \"Aethelred Innovations,\" has adopted a Platform as a Service (PaaS) offering from a cloud provider to host its proprietary customer relationship management (CRM) application. Aethelred Innovations is concerned about ensuring compliance with ISO 27017:2015, particularly regarding the protection of sensitive customer data processed by their CRM. Which of the following actions would be the most direct and critical responsibility of Aethelred Innovations, as the cloud service customer, to uphold the security principles outlined in ISO 27017:2015 for this PaaS deployment?

Accepted Answer

Implementing robust encryption for customer data at rest and in transit within the CRM application, and establishing granular access control policies for user roles accessing the CRM.

Question 15

Considering the shared responsibility model as defined by ISO 27017:2015, a cloud service customer (CSC) has contracted with a cloud service provider (CSP) for a Platform as a Service (PaaS) offering. The CSC is developing and deploying a custom web application on this PaaS. Which of the following security responsibilities would fall *exclusively* under the CSC\'s purview in this specific scenario, according to the standard\'s guidance on cloud service customer responsibilities?

Accepted Answer

Securing the underlying network infrastructure and virtualization layer of the PaaS.

Question 16

A multinational corporation, \"Aether Dynamics,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure managed by a certified cloud service provider (CSP). Following a recent security audit, it was discovered that several former employees retained access to sensitive customer data within the CRM, leading to a potential data privacy violation under regulations like GDPR. Aether Dynamics\' internal security team has identified that the access revocation process for departing personnel was inconsistently applied across different departments, with some managers failing to promptly remove user accounts and associated privileges. Which of the following actions, aligned with ISO 27017:2015 principles, should Aether Dynamics prioritize to mitigate such risks in the future?

Accepted Answer

Establish and enforce a rigorous identity and access management (IAM) policy that mandates timely user access revocation upon employee departure and implements role-based access control with the principle of least privilege.

Question 17

A multinational corporation, \"Aether Dynamics,\" is migrating its customer relationship management (CRM) system to a public cloud infrastructure, adopting an Infrastructure as a Service (IaaS) model. Aether Dynamics\' internal security team is tasked with ensuring that all data transmissions between the CRM application servers and the company\'s on-premises legacy database, which contains sensitive customer information, are encrypted using a specific cipher suite and that detailed audit logs of all access attempts to this data are maintained. Considering the principles outlined in ISO 27017:2015, which of the following best describes the primary responsibility for implementing and managing these specific security measures?

Accepted Answer

The cloud service customer (Aether Dynamics) is primarily responsible for configuring network access controls, implementing data encryption for inter-system communication, and establishing comprehensive audit logging for application-level access.

Question 18

A cloud service customer (CSC) operating a web application on a Platform as a Service (PaaS) offering from a cloud service provider (CSP) notices an unusual spike in inbound traffic directed to their application\'s endpoints, originating from a broad range of IP addresses not typically associated with their user base. The CSC suspects a potential denial-of-service (DoS) attack. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for investigating and mitigating this specific type of network-level traffic anomaly impacting the PaaS environment?

Accepted Answer

The cloud service customer (CSC) is primarily responsible for analyzing traffic patterns and implementing application-level or network-level controls within their PaaS deployment to mitigate the anomaly.

Question 19

A multinational corporation, \"Aether Dynamics,\" is migrating its critical financial data processing to a public cloud infrastructure. They have selected a CSP that claims adherence to ISO 27017:2015. Aether Dynamics\' internal audit team has raised concerns about the clarity of security responsibilities, particularly regarding data segregation and access revocation for former employees. What is the primary obligation of Aether Dynamics, as the cloud service customer, in ensuring these specific security aspects are adequately addressed within the framework of ISO 27017:2015?

Accepted Answer

Aether Dynamics must independently document and manage its security responsibilities for data segregation and access revocation, ensuring these controls are implemented and effective according to their specific risk assessment, even if the CSP provides related services.

Question 20

A technology firm, \"Aether Innovations,\" has migrated its proprietary customer relationship management (CRM) software to a Platform as a Service (PaaS) offering from a major cloud provider. During a routine security audit, a critical zero-day vulnerability is identified within the authentication module of Aether Innovations\' custom-built CRM application. This vulnerability could allow unauthorized access to sensitive customer data. Given the shared responsibility model as outlined by ISO 27017:2015, who bears the primary responsibility for addressing this specific vulnerability within the CRM application\'s authentication module?

Accepted Answer

Aether Innovations, as the vulnerability exists within their custom-developed application code.

Question 21

A cloud service provider (CSP) offers Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings to a diverse clientele. A significant portion of their customer base utilizes these services for hosting critical business applications and sensitive data. The CSP has implemented a comprehensive set of security controls aligned with ISO 27001 and aims to further enhance its cloud security posture by adhering to ISO 27017:2015. Considering the shared responsibility model inherent in cloud computing, what is the primary security obligation of the CSP concerning the security of the underlying cloud infrastructure when providing IaaS and PaaS, as guided by ISO 27017:2015 principles?

Accepted Answer

Ensuring the security of the physical infrastructure, network, and hypervisor layers supporting the cloud services.

Question 22

A multinational corporation, \"Aether Dynamics,\" has migrated its customer relationship management (CRM) system to a public cloud Infrastructure as a Service (IaaS) offering. The CRM data contains sensitive personal information of their clients. Aether Dynamics\' IT security team has configured the virtual network and firewall rules for the CRM servers. However, a recent security audit revealed an unauthorized access incident where an external attacker exploited a vulnerability in the CRM application\'s authentication module, which was developed and deployed by Aether Dynamics\' internal development team. The cloud service provider (CSP) has confirmed that their underlying IaaS infrastructure was not compromised. According to the principles outlined in ISO 27017:2015, to which party does the primary responsibility for mitigating the impact of this specific data breach primarily fall, considering the nature of the exploit?

Accepted Answer

The cloud service customer (Aether Dynamics)

Question 23

A cloud service customer (CSC) utilizes a Platform as a Service (PaaS) offering from a cloud service provider (CSP). The CSC has deployed a custom application on this PaaS. A security vulnerability within the CSC\'s application code is exploited, leading to unauthorized access and exfiltration of sensitive customer data. According to the principles outlined in ISO 27017:2015, which entity bears the primary responsibility for initiating and executing the incident response procedures for this specific data exfiltration event?

Accepted Answer

The cloud service customer (CSC)

Question 24

A multinational corporation, \"Aether Dynamics,\" has migrated its customer relationship management (CRM) system to a public cloud infrastructure. They have deployed a custom-built application on virtual machines managed by the cloud service provider. This application processes and stores sensitive personal identifiable information (PII) of their global clientele. A recent internal audit identified potential vulnerabilities in how the application handles data at rest and in transit. According to the principles outlined in ISO 27017:2015, which entity bears the primary responsibility for ensuring the security of the PII data stored and processed by this custom application within the cloud environment?

Accepted Answer

The cloud service customer (Aether Dynamics)

Question 25

A multinational corporation, \"Aether Dynamics,\" is migrating its critical financial systems to a public cloud infrastructure. They are committed to adhering to ISO 27017:2015 principles to ensure robust cloud security. Considering the shared responsibility model inherent in cloud services, which of the following represents the most critical area of focus for Aether Dynamics as a cloud service customer (CSC) to ensure compliance and maintain an effective security posture, particularly in light of potential data residency and privacy regulations like the California Consumer Privacy Act (CCPA)?

Accepted Answer

Establishing clear contractual clauses with the Cloud Service Provider (CSP) that explicitly define data ownership, data processing locations, and the CSP's obligations for data breach notification and remediation, while also implementing internal controls for data classification and access management.

Question 26

A company, \"Aether Dynamics,\" has migrated its customer relationship management (CRM) system to a Platform as a Service (PaaS) offering from a cloud provider. Aether Dynamics is concerned about ensuring compliance with data protection regulations, such as GDPR, within this new cloud environment. Considering the shared responsibility model as defined by ISO 27017:2015, what is Aether Dynamics\' principal area of security responsibility concerning their CRM application and the data it handles?

Accepted Answer

Implementing and managing security controls for the CRM application's code, data access, and user authentication, as well as ensuring data encryption at rest and in transit for customer information.

Question 27

Consider a scenario where a financial services organization, \"FinSecure Corp,\" has adopted a Platform as a Service (PaaS) offering from a cloud service provider (CSP) to host its proprietary trading analytics application. FinSecure Corp needs to ensure compliance with stringent data protection regulations, such as GDPR and CCPA, which mandate robust controls over personal data. Given the shared responsibility model inherent in PaaS, which of the following accurately describes FinSecure Corp\'s primary security obligations concerning its trading analytics application and associated customer data within this cloud environment, as guided by the principles of ISO 27017:2015?

Accepted Answer

Securing the deployed trading analytics application, managing access controls for users interacting with the application, and ensuring the confidentiality and integrity of customer data processed by the application.

Question 28

A multinational corporation, \"Aethelred Innovations,\" has migrated its customer relationship management (CRM) system to a cloud-based Platform as a Service (PaaS) offering from a reputable provider. Aethelred Innovations is concerned about maintaining compliance with data protection regulations, such as the General Data Protection Regulation (GDPR), within this new cloud environment. Considering the shared responsibility model as defined by ISO 27017:2015, which of the following areas of security control would Aethelred Innovations primarily be responsible for managing and securing within their PaaS CRM system?

Accepted Answer

The security of the underlying network infrastructure and the hypervisor layer supporting the PaaS.

Question 29

Consider a scenario where a company, \"Aether Dynamics,\" utilizes an Infrastructure as a Service (IaaS) offering from a cloud provider for its critical business operations. A security vulnerability is discovered within the operating system of a virtual machine (VM) that Aether Dynamics has deployed. According to the principles outlined in ISO 27017:2015, which of the following actions is primarily the responsibility of Aether Dynamics to address this vulnerability?

Accepted Answer

Applying security patches and updates to the virtual machine's operating system.

Question 30

A cloud service provider operating an Infrastructure as a Service (IaaS) platform has identified a significant security incident involving unauthorized access to a shared storage environment, potentially exposing customer data. The provider has contained the incident and is assessing the full scope of the compromise. What is the most critical immediate action the provider must take concerning its customers, in accordance with ISO 27017:2015 principles for managing cloud security incidents and customer responsibilities?

Accepted Answer

Proactively inform affected customers about the nature, scope, and potential impact of the incident to enable them to fulfill their own security obligations.

ISO 27017:2015 - Cloud Security Foundation Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO 27017:2015 - Cloud Security Foundation Certification