ISO/IEC 27017:2015 Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services Exam Free Practice Test — 30 Questions

Question 1

A multinational corporation, \"Aethelred Enterprises,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure. Following the migration, an unauthorized third party gained access to sensitive customer data by exploiting a misconfigured virtual firewall rule on one of the virtual machines hosting the CRM application. Analysis of the incident revealed that the virtual firewall was configured by Aethelred Enterprises\' internal IT team to allow unrestricted inbound traffic on a specific port, which was not necessary for the CRM\'s operation. Which party bears the primary responsibility for the security lapse leading to this data breach, according to the principles outlined in ISO/IEC 27017:2015?

Accepted Answer

The cloud service customer (Aethelred Enterprises)

Question 2

A multinational corporation, \"Aether Dynamics,\" has migrated its critical financial systems to a public cloud infrastructure. They have implemented stringent encryption protocols for all sensitive data at rest and in transit, and have established multi-factor authentication for all user access to their cloud-based applications. Considering the shared responsibility model outlined in ISO/IEC 27017:2015, which of the following aspects of their cloud deployment is primarily the responsibility of Aether Dynamics as the cloud service customer?

Accepted Answer

The secure configuration and ongoing management of virtual network segmentation and firewall rules within their virtual private cloud environment.

Question 3

A multinational corporation, \"Aethelred Analytics,\" is migrating its sensitive customer relationship management (CRM) data to a public cloud Infrastructure as a Service (IaaS) offering. The company\'s internal security policy mandates the use of a specific, proprietary encryption algorithm for all data at rest to comply with stringent data privacy regulations in multiple jurisdictions. Aethelred Analytics has configured their virtual machines and storage volumes with this chosen encryption method. Which party is primarily responsible for ensuring the security and effectiveness of this specific encryption implementation for the CRM data at rest?

Accepted Answer

The cloud service customer

Question 4

Consider a scenario where a multinational corporation, \"Aether Dynamics,\" has migrated its customer relationship management (CRM) system to a Platform as a Service (PaaS) offering from a reputable Cloud Service Provider (CSP). Aether Dynamics has been diligent in implementing security controls for its data and user access within the PaaS environment. However, a recent audit has identified a vulnerability in the custom application code deployed by Aether Dynamics, which could lead to unauthorized data exfiltration. According to the principles outlined in ISO/IEC 27017:2015, which of the following represents Aether Dynamics\' primary responsibility in addressing this identified vulnerability within the PaaS context?

Accepted Answer

Ensuring the secure development, testing, and deployment of its custom application code and managing access controls to that code.

Question 5

A multinational corporation, \"AstraTech,\" has migrated its sensitive customer data to a public cloud infrastructure. They are operating under strict data privacy regulations, including the General Data Protection Regulation (GDPR). AstraTech has contracted with a Cloud Service Provider (CSP) that adheres to ISO/IEC 27017:2015. Considering the shared responsibility model and the specific requirements of GDPR concerning data subject rights and data protection by design, which of the following actions represents a primary responsibility of AstraTech as the Cloud Service Customer (CSC) in ensuring compliance and robust security?

Accepted Answer

Implementing and managing granular access controls for their specific cloud-based applications and data, ensuring that only authorized personnel can access sensitive customer information, and defining data retention policies aligned with GDPR.

Question 6

A multinational corporation, \"AstraTech Solutions,\" has migrated a significant portion of its sensitive customer data and internal intellectual property to a public cloud infrastructure. The company has engaged a reputable Cloud Service Provider (CSP) that adheres to ISO/IEC 27017 standards. During a recent internal audit, it was discovered that while the CSP has implemented robust security measures for the cloud environment itself, there\'s a lack of clarity regarding the specific classification and handling procedures for the data residing within AstraTech\'s cloud-hosted applications. Which of the following actions is most critical for AstraTech Solutions to undertake to ensure compliance with the shared responsibility model as defined by ISO/IEC 27017, particularly concerning data governance and protection?

Accepted Answer

Develop and implement a comprehensive data classification scheme for all data processed and stored within the cloud environment, and ensure this classification informs the application of security controls.

Question 7

A multinational corporation, \"AstraTech Dynamics,\" has migrated a significant portion of its sensitive research and development data to a public cloud infrastructure managed by a reputable Cloud Service Provider (CSP). AstraTech Dynamics\' internal security team is reviewing their cloud security posture and has identified a gap in their documented procedures for handling data breaches that originate within the cloud environment. Considering the shared responsibility model as defined by ISO/IEC 27017:2015, which of the following represents a primary security control responsibility that AstraTech Dynamics, as the Cloud Service Customer (CSC), must ensure is addressed within their own organizational framework, independent of the CSP\'s incident response capabilities?

Accepted Answer

Establishing and maintaining its own organizational incident response plan that specifically addresses cloud-based security events affecting its data and services.

Question 8

A multinational corporation, \"AstroDynamics,\" has migrated its critical research and development data to a public cloud Infrastructure as a Service (IaaS) offering. AstroDynamics is committed to adhering to ISO/IEC 27017:2015 principles to ensure robust information security. Considering the shared responsibility model inherent in cloud services, which of the following actions represents a fundamental security control responsibility that *must* be actively managed by AstroDynamics as the cloud service customer, rather than being solely delegated to the Cloud Service Provider (CSP)?

Accepted Answer

Maintaining a detailed and up-to-date inventory of all information assets, including datasets, applications, and configurations, processed or stored within the cloud environment.

Question 9

A multinational corporation, \"Aether Dynamics,\" has migrated its critical financial systems to a public cloud Infrastructure as a Service (IaaS) offering from \"Nebula Cloud Solutions.\" Aether Dynamics\' Chief Information Security Officer (CISO) is concerned about ensuring that Nebula Cloud Solutions\' security practices align with the principles outlined in ISO/IEC 27017:2015, particularly concerning the security of the underlying cloud infrastructure and the provider\'s operational security. Which of the following actions would best demonstrate Aether Dynamics\' proactive management of its responsibilities as a cloud service customer (CSC) in this scenario, according to the spirit of ISO/IEC 27017?

Accepted Answer

Establishing a robust contractual agreement with Nebula Cloud Solutions that explicitly details security responsibilities, including provisions for independent security audits and incident notification timelines, and implementing a continuous monitoring program to verify compliance.

Question 10

A multinational corporation, "Aether Dynamics," has migrated its critical financial systems to a public cloud infrastructure. They have meticulously configured granular access controls, implemented end-to-end encryption for all data at rest and in transit, and conduct regular vulnerability scans of their deployed applications. During a recent penetration test, a simulated attack vector identified a potential misconfiguration in the underlying network segmentation of the cloud provider\'s shared infrastructure, which could theoretically allow unauthorized lateral movement between tenant environments. Aether Dynamics has no direct control over this network segmentation.

What is the most appropriate immediate course of action for Aether Dynamics to address this identified potential infrastructure vulnerability?

Accepted Answer

Immediately report the suspected misconfiguration to the cloud service provider and collaborate on a joint remediation plan.

Question 11

A multinational corporation, \"AstroDynamics,\" has migrated its critical research and development data to a public cloud infrastructure managed by \"NebulaCloud.\" AstroDynamics has signed a service agreement with NebulaCloud that clearly delineates responsibilities, with NebulaCloud managing the physical security of data centers and the underlying network infrastructure. AstroDynamics is responsible for managing access to its virtual machines and the data stored within them. During a recent internal audit, it was discovered that several employees with access to sensitive R&D data had not undergone any specific cloud security awareness training tailored to the unique risks and configurations of NebulaCloud\'s platform. While NebulaCloud provides general cybersecurity awareness training to all its users, it does not customize this for individual CSCs\' specific data handling requirements. Considering the principles outlined in ISO/IEC 27017:2015, which entity bears the primary responsibility for ensuring that AstroDynamics\' personnel handling sensitive R&D data receive specialized training relevant to their roles and the cloud environment?

Accepted Answer

AstroDynamics, as the cloud service customer, is responsible for ensuring its personnel receive adequate and role-specific cloud security awareness training.

Question 12

A financial services firm, utilizing a public cloud Infrastructure as a Service (IaaS) offering, experienced a significant data exfiltration event. Forensic analysis revealed that the breach originated from an exploited zero-day vulnerability in the operating system of several virtual machines managed by the firm. The cloud service provider confirmed their infrastructure, including the hypervisor layer, was not compromised. Which of the following ISO/IEC 27017:2015 controls, when inadequately implemented by the cloud service customer, most directly contributed to this security incident?

Accepted Answer

Control 8.2.3 - Management of technical vulnerabilities

Question 13

A multinational corporation, \"AstroDynamics,\" has migrated its critical research data to a public cloud infrastructure managed by \"StellarCloud Services.\" AstroDynamics has a stringent requirement to ensure that the physical location housing its sensitive intellectual property is secured against unauthorized access and environmental hazards. StellarCloud Services has implemented robust access control mechanisms, environmental monitoring, and surveillance systems at its data center facilities. Which of the following best describes the primary responsibility for the physical security of the data center facilities where AstroDynamics\' data resides, according to the principles outlined in ISO/IEC 27017:2015?

Accepted Answer

The cloud service provider's responsibility to secure its data center facilities.

Question 14

A global financial institution, \"Aethelred Capital,\" has migrated its core trading platform to a Platform as a Service (PaaS) offering from a reputable cloud provider. Following a security audit, it was discovered that unauthorized access to sensitive customer trading data occurred due to an improperly configured access control list (ACL) within the custom-built trading application deployed by Aethelred Capital. The cloud provider\'s infrastructure and the PaaS platform itself were found to be secure and compliant with ISO/IEC 27017 controls. Considering the shared responsibility model as defined by ISO/IEC 27017, who bears the primary responsibility for the security lapse stemming from the misconfigured ACL within the customer\'s application?

Accepted Answer

The customer organization for mismanaging application-level access controls.

Question 15

Consider a scenario where a financial institution, acting as a cloud service customer, deploys a custom-built trading application on a Platform as a Service (PaaS) offering from a cloud service provider. The PaaS environment includes managed operating systems, middleware, and network infrastructure. The financial institution’s security team is reviewing their responsibilities under ISO/IEC 27017:2015. Which of the following areas represents a primary security responsibility of the financial institution as the cloud service customer in this PaaS deployment?

Accepted Answer

Ensuring the secure configuration and access management of the deployed trading application and its associated data.

Question 16

Consider a scenario where a customer utilizing a Platform as a Service (PaaS) offering experiences a data exfiltration incident. Forensic analysis reveals that the breach occurred due to an improperly configured access control list (ACL) on a storage bucket containing sensitive customer information. This ACL was set by the customer\'s internal IT team, granting overly permissive read access to unauthorized external entities. According to the principles outlined in ISO/IEC 27017:2015, which of the following best describes the primary responsibility for this security incident?

Accepted Answer

The customer's responsibility for managing their data and access controls within the PaaS environment.

Question 17

Consider a scenario where a multinational corporation, \"AstraCorp,\" has migrated its customer relationship management (CRM) system to a public cloud Infrastructure as a Service (IaaS) offering. AstraCorp has configured virtual machines, storage volumes, and network security groups. They are now reviewing their adherence to ISO/IEC 27017:2015. Which of the following actions best reflects AstraCorp\'s responsibility as a Cloud Service Customer (CSC) concerning the identification and documentation of information assets within the cloud environment, as guided by the standard?

Accepted Answer

Maintaining a comprehensive inventory of all data processed and stored on the virtual machines and storage volumes they have provisioned, including data classification and access controls.

Question 18

A multinational corporation, \"AstraTech,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure. As the cloud service customer (CSC), AstraTech is responsible for ensuring the confidentiality and integrity of its customer data stored within this cloud environment. Recent regulatory audits have highlighted the need for stringent data residency and processing controls, particularly concerning personal data of citizens within the European Union, as mandated by the General Data Protection Regulation (GDPR). Which of AstraTech\'s actions would most effectively demonstrate its adherence to the shared responsibility model for information security as outlined in ISO/IEC 27017:2015, specifically concerning the protection of EU citizen data in the cloud?

Accepted Answer

Conducting regular audits of the cloud service provider's compliance with data processing agreements and verifying that the provider's data center locations align with GDPR's data residency requirements for EU citizen data.

Question 19

A multinational corporation, \"AstroDynamics,\" has migrated its critical research data to a public cloud infrastructure managed by \"StellarCloud.\" AstroDynamics has implemented robust encryption for data at rest and in transit, and has established strict identity and access management policies for its personnel accessing the cloud environment. However, a recent incident revealed that a legacy application, deployed by AstroDynamics onto a virtual machine within StellarCloud\'s infrastructure, had unpatched vulnerabilities. This allowed an external attacker to gain unauthorized access to the virtual machine and subsequently exfiltrate sensitive research data. Considering the shared responsibility model as outlined by ISO/IEC 27017:2015, which party bears the primary responsibility for the security lapse that led to the data exfiltration in this scenario?

Accepted Answer

AstroDynamics, due to their responsibility for securing the deployed applications and operating systems within their cloud tenant.

Question 20

A telecommunications company is migrating its network functions to a public cloud environment, utilizing a Platform-as-a-Service (PaaS) offering for deploying and managing virtualized network functions (VNFs). The company has contracted with a cloud service provider (CSP) that adheres to ISO/IEC 27017:2015. The CSP manages the underlying cloud infrastructure, including the hypervisor and the physical network fabric. The telecommunications company is responsible for the configuration and operation of the VNFs themselves. Considering the shared responsibility model as outlined by ISO/IEC 27017:2015, which of the following security responsibilities would primarily fall under the telecommunications company\'s purview for the deployed VNFs?

Accepted Answer

Implementing and maintaining internal network segmentation and access control lists within the virtualized network functions.

Question 21

A multinational corporation, \"AstroCorp,\" utilizes a public cloud Infrastructure as a Service (IaaS) offering from \"NebulaCloud\" to host its critical customer relationship management (CRM) system. AstroCorp\'s security team discovers a significant data exfiltration event, traced back to an unpatched critical vulnerability in the operating system of one of their deployed virtual machines. This vulnerability allowed an external attacker to gain unauthorized access and extract sensitive customer data. Considering the shared responsibility model as outlined by ISO/IEC 27017:2015, which party bears the primary responsibility for addressing the unpatched operating system vulnerability and mitigating the impact of this data breach?

Accepted Answer

The cloud service customer (AstroCorp)

Question 22

Consider a scenario where a multinational corporation, \"Aether Dynamics,\" utilizes a public cloud Infrastructure as a Service (IaaS) offering from \"Nebula Cloud Solutions\" to host sensitive customer data. Aether Dynamics has implemented encryption for this data using keys managed through Nebula Cloud Solutions\' provided key management service. Which party bears the primary responsibility for ensuring the secure lifecycle management, including generation, storage, rotation, and revocation, of these encryption keys, in accordance with ISO/IEC 27017:2015 principles and common regulatory expectations for data protection?

Accepted Answer

Aether Dynamics, as the data owner and customer, is primarily responsible for the secure lifecycle management of the encryption keys used to protect their data, even when utilizing a CSP's key management service.

Question 23

Consider a scenario where a cloud service customer, operating under stringent data privacy regulations like GDPR, contracts with a Cloud Service Provider (CSP) that offers encryption-at-rest for data stored in the cloud. The CSP states that they manage the cryptographic keys used for this encryption. What is the primary responsibility of the customer in this arrangement concerning the security of their encrypted data?

Accepted Answer

The customer must define the cryptographic policies, oversee the key management lifecycle, and ensure the CSP's implementation aligns with these policies and regulatory mandates.

Question 24

A multinational corporation, \"AstroDynamics,\" utilizes a Platform-as-a-Service (PaaS) offering from a cloud provider for its customer relationship management (CRM) system. During a routine audit, AstroDynamics discovers a sophisticated intrusion that resulted in the unauthorized access and exfiltration of sensitive customer data, including personally identifiable information (PII). Under the shared responsibility model outlined by ISO/IEC 27017:2015, which entity bears the primary responsibility for initiating mandatory data breach notifications to relevant data protection authorities, such as those mandated by the General Data Protection Regulation (GDPR)?

Accepted Answer

The cloud service customer (AstroDynamics)

Question 25

A company utilizing an Infrastructure as a Service (IaaS) model is deploying a new customer relationship management (CRM) system. The cloud service provider (CSP) manages the underlying physical infrastructure and network. The company, as the cloud service customer (CSC), is responsible for the operating system, middleware, and applications. Considering the principles outlined in ISO/IEC 27017:2015, which of the following best describes the CSC\'s primary security responsibility concerning the newly deployed CRM application?

Accepted Answer

Ensuring the secure configuration, access management, and data protection mechanisms within the CRM application itself.

Question 26

A cloud service customer (CSC) utilizes a Platform as a Service (PaaS) offering from a cloud service provider (CSP). The CSC has developed and deployed a custom web application on this PaaS to manage sensitive client financial information. An independent security audit reveals a critical vulnerability within the application\'s data processing module, specifically an input validation flaw that allows for SQL injection attacks. Considering the shared responsibility model outlined in ISO/IEC 27017:2015, which entity bears the primary responsibility for rectifying this application-level security flaw?

Accepted Answer

The cloud service customer (CSC)

Question 27

A multinational corporation, \"AstroTech Dynamics,\" is migrating its customer relationship management (CRM) system to a Platform as a Service (PaaS) offering from a reputable cloud provider. AstroTech Dynamics needs to ensure that the security controls implemented for their CRM system are aligned with the shared responsibility model as defined by ISO/IEC 27017. Considering the nature of PaaS, which of the following sets of security controls would be most critical for AstroTech Dynamics to prioritize and implement directly to maintain the confidentiality, integrity, and availability of their CRM data and application functionality?

Accepted Answer

Implementing robust input validation and output encoding for all user-facing CRM components, encrypting sensitive customer data at rest within the application's database, and establishing granular role-based access controls for AstroTech Dynamics' internal users accessing the CRM.

Question 28

A multinational corporation, \"AstraTech Dynamics,\" has migrated its critical customer relationship management (CRM) system to a public cloud infrastructure. They have selected a reputable Cloud Service Provider (CSP) that adheres to ISO/IEC 27001 and offers services compliant with ISO/IEC 27017. AstraTech Dynamics is now reviewing its internal policies to align with the shared responsibility model. Which of the following statements best encapsulates AstraTech Dynamics\' primary responsibility concerning the security of its CRM data within the cloud environment, as dictated by ISO/IEC 27017 principles?

Accepted Answer

Ensuring that the security controls implemented by the Cloud Service Provider are sufficient for AstraTech Dynamics' specific data protection requirements and actively managing its own access controls and data classification within the cloud.

Question 29

A multinational corporation, \"AstraTech Dynamics,\" utilizes a Platform as a Service (PaaS) offering from a certified cloud service provider (CSP) for its critical business applications. AstraTech Dynamics has recently conducted an internal audit and discovered a significant number of user accounts that have been inactive for over a year, stemming from former employees who left the organization without their cloud access being promptly deprovisioned. Considering the shared responsibility model as outlined by ISO/IEC 27017:2015, which of the following actions is primarily the responsibility of AstraTech Dynamics to address this security vulnerability?

Accepted Answer

Proactively identify and disable dormant user accounts within their PaaS environment to prevent potential unauthorized access.

Question 30

Consider a scenario where a multinational corporation, \"Aether Dynamics,\" utilizes a public cloud Infrastructure as a Service (IaaS) offering from \"Nimbus Cloud Solutions\" to host its sensitive research and development data. Aether Dynamics has a strict internal policy requiring all proprietary research data to be classified as \"Confidential\" and handled only by authorized personnel with specific clearance levels. Nimbus Cloud Solutions, as the CSP, provides the secure infrastructure, network, and physical security for the data centers. Which of the following responsibilities, according to the principles outlined in ISO/IEC 27017:2015, remains primarily with Aether Dynamics, the cloud service customer, concerning the classification and handling of its proprietary research data?

Accepted Answer

Establishing and enforcing the classification scheme for proprietary research data and defining user access controls based on that classification.

ISO/IEC 27017:2015 Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services Exam Free Practice Test — 30 Questions

A lot more is already mapped out

About the ISO/IEC 27017:2015 Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services Exam Certification