ISO 27017:2015 - Cloud Services Security Controls Professional Free Practice Test — 30 Questions

Question 1

Considering the shared responsibility model inherent in cloud computing as delineated by ISO 27017:2015, which of the following best describes the primary responsibility of a Cloud Service Provider (CSP) concerning the establishment of foundational security policies when offering Infrastructure as a Service (IaaS)?

Accepted Answer

The CSP is primarily responsible for establishing and maintaining information security policies that govern the security of the cloud service itself, including the underlying infrastructure and the security of data processed by the service.

Question 2

A financial institution, operating as a cloud service customer (CSC), has migrated its customer relationship management (CRM) system to a public cloud infrastructure. The cloud service provider (CSP) has implemented robust physical security for the data centers and network security for the cloud platform itself. However, the CSC\'s internal IT team failed to configure granular access controls within the CRM application, allowing unauthorized internal personnel to view sensitive customer financial details. This oversight led to a data exfiltration incident. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for the security lapse that enabled this specific breach?

Accepted Answer

The cloud service customer (CSC)

Question 3

A multinational corporation, \"Aether Dynamics,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure. They are operating under stringent data residency requirements mandated by the European Union\'s General Data Protection Regulation (GDPR) for their European customer data. Aether Dynamics\' internal audit team has identified a potential gap in their understanding of the division of security responsibilities concerning data location and access logging for the CRM system. Which of the following best reflects the primary responsibility of Aether Dynamics, as a cloud service customer (CSC), in this scenario according to ISO 27017:2015, considering the GDPR implications?

Accepted Answer

Ensuring that the cloud service provider (CSP) implements and maintains adequate logging of all access to the CRM system and that these logs are retained in a manner compliant with GDPR data residency requirements.

Question 4

A multinational corporation, \"Aether Dynamics,\" has migrated its sensitive research and development data to a public cloud infrastructure. They are operating under a Platform as a Service (PaaS) model. Considering the shared responsibility framework outlined by ISO 27017:2015, which of the following security responsibilities remains unequivocally with Aether Dynamics as the cloud service customer, irrespective of the PaaS offering\'s specific features?

Accepted Answer

Ensuring the confidentiality and integrity of their proprietary algorithms stored within the cloud platform's storage services.

Question 5

A multinational corporation, \"Aether Dynamics,\" has migrated its critical customer relationship management (CRM) system to a Platform as a Service (PaaS) offering from a certified cloud service provider. Aether Dynamics\' security team has implemented robust network security controls and has ensured the underlying cloud infrastructure is configured according to best practices. However, an incident occurs where unauthorized external actors gain access to sensitive customer data within the CRM. Forensic analysis reveals that the compromise was facilitated by the exploitation of weak, reused passwords associated with administrative accounts that Aether Dynamics itself created and managed for their specific CRM application instance. Considering the shared responsibility model as defined by ISO 27017:2015, which of the following best describes the primary locus of responsibility for this security incident?

Accepted Answer

The customer's responsibility for securing their data and application configurations within the PaaS environment.

Question 6

A financial institution, operating as a cloud service customer (CSC), has migrated its core banking application and associated sensitive customer data to a public cloud infrastructure. The cloud service provider (CSP) has assured compliance with ISO 27001 and offers services compliant with ISO 27017. The CSC is concerned about the specific security responsibilities it retains for protecting this critical data within the cloud environment. Considering the shared responsibility model as delineated by ISO 27017:2015, which of the following represents a primary security obligation that the CSC must fulfill for the data residing in the cloud database?

Accepted Answer

Ensuring the secure configuration and access management of the cloud-hosted database instance and the data it contains.

Question 7

Consider a scenario where a financial institution, operating under strict data residency and privacy regulations such as the European Union\'s General Data Protection Regulation (GDPR), is migrating its customer transaction data to a public cloud Infrastructure as a Service (IaaS) offering. The institution\'s internal audit team has identified that while the cloud service provider (CSP) offers robust physical security for its data centers and network segmentation capabilities, the specific configuration of data encryption at rest and granular access controls for the virtual machines hosting the transaction data remains the responsibility of the cloud service customer (CSC). Given the sensitive nature of the data and the regulatory landscape, which of the following best describes the primary responsibility of the CSC in this context according to ISO 27017:2015 principles?

Accepted Answer

Ensuring the implementation and management of data encryption at rest and granular access controls for the virtual machines, aligning with regulatory requirements and the institution's data classification policies.

Question 8

A multinational corporation, \"AstroDynamics,\" has migrated its critical research data to a public cloud infrastructure managed by \"CosmoCloud.\" AstroDynamics has deployed several virtual machines (VMs) on CosmoCloud\'s platform to host their data analytics applications. An external threat actor successfully exploited a known vulnerability in a third-party analytics library that AstroDynamics had installed within one of its VMs, gaining unauthorized access to sensitive research findings. CosmoCloud\'s infrastructure, including the hypervisor and network fabric, was not compromised. Which party bears the primary responsibility for the security lapse that led to the data breach, according to the principles outlined in ISO 27017:2015?

Accepted Answer

AstroDynamics, due to their responsibility for managing the security of their deployed applications and data within the cloud environment.

Question 9

A cloud service customer (CSC) operating an Infrastructure as a Service (IaaS) environment experiences a significant data exfiltration event. Forensic analysis reveals that the breach was caused by an improperly configured network access control list (ACL) on a virtual machine\'s storage volume, allowing unauthorized external access to sensitive customer data. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for addressing the root cause of this security incident and implementing corrective actions?

Accepted Answer

The cloud service customer (CSC) is primarily responsible for reconfiguring the ACL and implementing enhanced access management controls.

Question 10

A multinational corporation, \"AstroDynamics,\" is migrating its sensitive research and development data to a public cloud infrastructure. As the Cloud Service Customer (CSC), AstroDynamics must define its security posture. Considering the shared responsibility model as delineated by ISO 27017:2015, which of the following represents a primary responsibility of AstroDynamics in establishing the security framework for its cloud-hosted data?

Accepted Answer

Defining the information security requirements for the cloud service, including data classification and security objectives.

Question 11

A multinational corporation, \"AstroDynamics,\" has migrated its critical research and development simulations to an Infrastructure as a Service (IaaS) platform provided by \"NebulaCloud.\" AstroDynamics\' security team has discovered a critical zero-day vulnerability in the operating system distribution they have deployed on their virtual machines. Considering the shared responsibility model as delineated by ISO 27017:2015, which entity bears the primary responsibility for patching this operating system vulnerability to mitigate the risk to AstroDynamics\' sensitive simulation data?

Accepted Answer

AstroDynamics, as the cloud service customer, is responsible for managing and patching the operating system and any software deployed within their virtual environment.

Question 12

A multinational corporation, \"Aether Dynamics,\" is migrating its critical financial systems to an Infrastructure as a Service (IaaS) offering from a reputable cloud service provider, \"Nebula Cloud Services.\" Aether Dynamics is concerned about ensuring compliance with data protection regulations, such as GDPR, and maintaining the confidentiality and integrity of its sensitive financial data. Given the shared responsibility model inherent in IaaS, which of the following accurately delineates Nebula Cloud Services\' primary security responsibility concerning the network infrastructure supporting Aether Dynamics\' virtualized environment, as guided by ISO 27017 principles?

Accepted Answer

Ensuring the security of the underlying physical and logical network infrastructure, including network segmentation and the secure operation of the hypervisor's network interfaces.

Question 13

A multinational corporation, \"Aethelred Innovations,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure. They are utilizing Infrastructure as a Service (IaaS) and have deployed virtual machines to host their CRM application and database. A security audit reveals a significant data exfiltration incident, traced back to an improperly configured network security group (NSG) on one of the virtual machines, which inadvertently allowed unrestricted inbound traffic from the public internet to the database port. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for the security lapse that led to this data breach?

Accepted Answer

The cloud service customer (Aethelred Innovations) due to their responsibility for configuring and managing the security of their virtual machine instances and associated network controls.

Question 14

A cloud service customer (CSC) experiences a significant data exfiltration event where sensitive customer information stored within a Platform as a Service (PaaS) offering is compromised. Investigations reveal that the breach exploited a previously unknown vulnerability in the underlying operating system managed by the cloud service provider (CSP). However, the CSC had not implemented any granular access controls or data encryption for the specific data sets that were exfiltrated. According to the principles outlined in ISO 27017:2015, which party holds the primary responsibility for the security of the compromised data in this scenario?

Accepted Answer

The cloud service customer (CSC)

Question 15

A multinational corporation, \"Aether Dynamics,\" has migrated its customer relationship management (CRM) system to a public cloud infrastructure. The company\'s chief information security officer (CISO) is reviewing a recent security audit report that identified a vulnerability leading to unauthorized access to sensitive customer data. The audit revealed that the access control lists (ACLs) for the CRM database, which were managed by Aether Dynamics\' internal IT team, were improperly configured, allowing broader access than intended. The cloud service provider (CSP) has confirmed that their underlying infrastructure and the CRM platform itself were not compromised. Considering the shared responsibility model as defined by ISO 27017:2015, which of the following best describes Aether Dynamics\' primary responsibility in preventing this specific type of security incident?

Accepted Answer

Implementing and maintaining appropriate access controls and data protection mechanisms for the data and applications it manages within the cloud.

Question 16

A multinational corporation, \"Aethelred Innovations,\" has migrated its critical customer relationship management (CRM) system to a Platform as a Service (PaaS) offering from a reputable cloud provider. Aethelred Innovations is concerned about maintaining compliance with data protection regulations like GDPR and ensuring the integrity of their customer data. Considering the shared responsibility model as defined by ISO 27017:2015, which of the following accurately delineates the primary security responsibilities of Aethelred Innovations in this PaaS deployment?

Accepted Answer

Securing the operating system and deployed applications, managing user access controls, and ensuring the confidentiality and integrity of customer data stored within the CRM.

Question 17

When a public sector organization, subject to stringent data residency and sovereignty laws, migrates its citizen data processing to a public cloud service, what is the paramount consideration for the organization\'s Information Security Officer (ISO) in ensuring compliance with ISO 27017:2015 principles, beyond the standard contractual security clauses?

Accepted Answer

The verifiable assurance from the Cloud Service Provider (CSP) that their data handling practices align with the specific data residency and sovereignty mandates of the organization's jurisdiction, supported by independent audit reports or recognized certifications.

Question 18

A multinational corporation, \"Aethelred Dynamics,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure. They have contracted with a Cloud Service Provider (CSP) that adheres to ISO 27017 standards. Aethelred Dynamics\' internal security team is reviewing their responsibilities concerning data protection and access management within the cloud environment. Considering the shared responsibility model outlined by ISO 27017, which of the following represents a primary security control responsibility that remains with Aethelred Dynamics as the customer entity?

Accepted Answer

Implementing and managing granular access controls and authentication for users accessing the CRM system and its data.

Question 19

A burgeoning e-commerce enterprise, \"AstroGoods,\" has transitioned its entire operational infrastructure to a cloud computing environment, opting for an Infrastructure as a Service (IaaS) model. They are now in the process of formalizing their security posture and contractual agreements with the cloud service provider. Considering the principles outlined in ISO 27017:2015, which of the following elements is paramount for AstroGoods to establish a robust and compliant cloud security framework with their provider?

Accepted Answer

The precise definition and contractual agreement on the shared responsibilities for security controls between the cloud service provider and AstroGoods.

Question 20

A multinational corporation, \"AstraTech,\" has migrated its sensitive research and development data to a public cloud infrastructure. After a project concludes, AstraTech decides to terminate its usage of a specific cloud storage service. While the cloud service provider (CSP) has a policy for secure deletion of data from their underlying physical media upon service termination, AstraTech\'s internal compliance team is concerned about the residual data and its lifecycle management. According to the principles of ISO 27017:2015, what is AstraTech\'s primary responsibility concerning the data it had stored in the now-terminated cloud storage service?

Accepted Answer

To initiate the secure deletion of its data from the cloud service and verify its removal according to its own data retention and disposal policies.

Question 21

When a cloud service customer (CSC) is undertaking a significant migration of sensitive operational data to a cloud service provider (CSP), and the cloud service agreement (CSA) has been established, what is the paramount factor in determining the specific responsibility for implementing and managing a particular information security control during this transition phase, as guided by ISO 27017:2015?

Accepted Answer

The explicit definition of responsibilities within the cloud service agreement, informed by the shared responsibility model.

Question 22

A multinational corporation, \"Aether Dynamics,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure, adhering to ISO 27017 principles. Following a comprehensive audit, it was discovered that unauthorized external access led to a significant data exfiltration event. Investigation revealed that a specific virtual machine hosting a component of the CRM was inadvertently exposed to the public internet due to an overly permissive firewall rule implemented by Aether Dynamics\' internal IT team. The cloud service provider\'s infrastructure itself remained secure and unaffected. Which primary area of responsibility, as delineated by ISO 27017, was most directly compromised by Aether Dynamics, leading to this security incident?

Accepted Answer

Customer's responsibility for securing the deployed virtual machines and their configurations

Question 23

A financial services firm, utilizing a Platform as a Service (PaaS) offering, experienced a significant data breach involving sensitive customer financial records. Subsequent investigation revealed that while the PaaS provider maintained robust security for the underlying infrastructure, the firm had not implemented granular access controls for its deployed applications, nor had it encrypted the sensitive data at rest within the provided storage. This oversight allowed an external attacker, who gained access to a compromised administrator account with broad privileges, to exfiltrate the financial data. Considering the shared responsibility model and the specific controls outlined in ISO 27017, how should this incident\'s root cause be primarily categorized from the perspective of the customer\'s obligations?

Accepted Answer

Insufficient implementation of security controls for data and access management by the customer.

Question 24

Consider a scenario where a multinational corporation, \"Aether Dynamics,\" has migrated its core financial systems to a public cloud provider using an Infrastructure as a Service (IaaS) model. Aether Dynamics has contracted with a cloud service provider (CSP) that adheres to ISO 27017:2015 standards. A recent internal audit revealed a critical vulnerability in the operating system of several virtual servers hosting sensitive financial data. The vulnerability, if exploited, could lead to unauthorized data exfiltration. Based on the shared responsibility model as delineated by ISO 27017:2015, which of the following represents the primary security responsibility of Aether Dynamics in this specific IaaS context?

Accepted Answer

Ensuring the timely patching and secure configuration of the operating systems deployed on the virtual servers.

Question 25

Consider a scenario where a multinational corporation, \"Aether Dynamics,\" is using a Platform as a Service (PaaS) offering from a cloud service provider (CSP) to host its proprietary customer relationship management (CRM) application. A critical data exfiltration incident occurs, where sensitive customer information is accessed and copied without authorization. Forensic analysis reveals that the breach originated from an improperly configured access control list (ACL) applied to a data repository within the PaaS environment, which was directly managed and modified by Aether Dynamics\' internal IT team to grant broader access than necessary for a recent development project. Which party is primarily accountable for the security lapse leading to this data exfiltration, according to the principles outlined in ISO 27017?

Accepted Answer

The cloud service customer (Aether Dynamics) due to misconfiguration of access controls on their data and application.

Question 26

A multinational corporation, \"AstroDynamics,\" has migrated its critical research data to a public cloud infrastructure, engaging a certified cloud service provider (CSP) that adheres to ISO 27017:2015. A security audit reveals that a misconfiguration in the virtual machine\'s firewall rules, implemented by AstroDynamics\' internal IT team, allowed unauthorized external access, leading to the exfiltration of sensitive project blueprints. Which party bears the primary responsibility for the security lapse that enabled this unauthorized access, according to the principles of ISO 27017:2015?

Accepted Answer

The cloud service customer (AstroDynamics) due to their responsibility for configuring and managing their deployed virtual machines and associated security controls.

Question 27

A multinational corporation, \"Aether Dynamics,\" is migrating its critical customer relationship management (CRM) system to a public cloud Infrastructure as a Service (IaaS) offering. The Cloud Service Provider (CSP) has provided a comprehensive Service Level Agreement (SLA) detailing their security responsibilities, including physical security of data centers and network segmentation. Aether Dynamics\' Chief Information Security Officer (CISO) is tasked with ensuring their organization\'s compliance with ISO 27017:2015. Considering the shared responsibility model and the specific requirements for cloud service customers, what is the most critical foundational step Aether Dynamics must undertake to establish its security posture for this cloud deployment?

Accepted Answer

Develop and implement an internal information security policy that explicitly addresses the use of cloud services, defining the organization's security requirements and responsibilities in relation to the CSP's offerings.

Question 28

Consider a scenario where a cloud service customer (CSC) operating a multi-tenant SaaS application hosted by a cloud service provider (CSP) experiences a significant data exfiltration event. Forensic analysis reveals that the breach was caused by an improperly configured access control list (ACL) on a storage bucket containing sensitive customer data, which was directly accessible from the public internet due to an oversight during the CSC\'s deployment of their application. According to the principles outlined in ISO 27017:2015, which party bears the primary responsibility for rectifying the misconfiguration and addressing the security incident?

Accepted Answer

The cloud service customer (CSC)

Question 29

A multinational corporation, \"Aether Dynamics,\" has migrated its critical financial systems to an Infrastructure as a Service (IaaS) cloud environment. They are reviewing their contractual obligations and security responsibilities with their chosen Cloud Service Provider (CSP), \"Nebula Cloud Solutions.\" Aether Dynamics is concerned about ensuring compliance with relevant data protection regulations, such as GDPR, and maintaining the integrity of their financial data. Which of the following areas of security control implementation would primarily remain the responsibility of Aether Dynamics, as per the principles outlined in ISO 27017:2015, given the IaaS model?

Accepted Answer

Implementing and managing security patches for the operating systems and applications deployed on the virtual machines.

Question 30

A multinational corporation, \"Aether Dynamics,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure managed by \"Nebula Cloud Services.\" Aether Dynamics has contracted with Nebula Cloud Services under an agreement that explicitly references ISO 27017:2015. Following a security audit, it was discovered that an unauthorized third party gained access to sensitive customer data stored within Aether Dynamics\' CRM. Investigation revealed that the breach originated from a misconfiguration of network access controls within the virtual machine instances provisioned by Aether Dynamics, allowing unrestricted inbound traffic to a database port. Which of the following statements best reflects the allocation of responsibility for this security incident according to ISO 27017:2015 principles?

Accepted Answer

Aether Dynamics is primarily responsible for the misconfiguration of its virtual machine's network access controls, as this falls under the customer's responsibility for managing their deployed services and data.

ISO 27017:2015 - Cloud Services Security Controls Professional Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO 27017:2015 - Cloud Services Security Controls Professional Certification