75 CCSP Certification Questions to Conquer the Exam

An HSM is a dedicated, tamper-resistant hardware device designed to securely generate, store, and manage cryptographic keys, performing cryptographic operations without ever exposing the keys outside its secure boundary.

Because the cloud provider manages the entire underlying runtime environment, the customer is completely absolved of the responsibility for OS and server patching, which significantly reduces the attack surface and operational burden.

This risk pertains to the cloud provider’s business stability. If the provider ceases to operate, customers can be locked out of their data and services, making vendor viability a critical due diligence check.

A qualitative risk assessment uses descriptive categories or scales (like Low, Medium, High) to evaluate the likelihood and impact of risks. It is subjective and based on judgment and experience.

RTO defines the target time within which a business process must be restored after a disaster to avoid unacceptable consequences, and RPO defines the maximum period in which data might be lost from an IT service due to a major incident.

A stateless firewall (like a network ACL) checks each packet against its rule set individually. A stateful firewall tracks the state of active connections and makes decisions based on the context of the traffic flow, automatically allowing return traffic for established sessions.

IRM protects information by encrypting it and applying a persistent set of policies (e.g., preventing printing, copying, or forwarding) that travel with the document and are enforced wherever it goes.

ITIL defines an incident as an event that disrupts service. Problem management is the process of identifying and managing the root causes of incidents to prevent them from recurring.

FedRAMP (Federal Risk and Authorization Management Program) was created to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government, standardizing the certification process.

Accurate and synchronized timestamps across all log sources are essential for placing events in the correct chronological order. Without this, it is impossible to reliably determine the sequence of actions.

The cloud’s pay-as-you-go model shifts IT spending from CapEx (buying physical assets) to OpEx (paying for services as they are consumed), which is treated as an ongoing operational cost.

Ephemeral instances are designed to be temporary, and upon termination, their associated storage volumes are typically deleted and the space is returned to the resource pool, making data collection from the instance itself impossible post-termination.

SAST analyzes an application’s source code, byte code, or binary code for security vulnerabilities without executing the application. It is ideal for integration early in the SDLC, such as in a CI/CD pipeline.

Calculating and comparing hash values proves that the forensic copy is an exact, unaltered duplicate of the original. This is a critical step in maintaining the integrity of the evidence and establishing a valid chain of custody.

BCRs are a set of internal rules and policies that allow multinational companies to transfer personal data that they control to their entities outside the EU. They must be approved by a competent data protection authority.

This characteristic means a consumer can unilaterally provision computing capabilities without needing to interact with personnel from the service provider, typically through a web-based portal or API.

Static code analysis (SAST) is a white-box testing technique performed on source code, which is part of the SDLC, not a runtime function of an API Gateway.

DAST tools test a running application from the outside-in, simulating attacks against its interfaces to find vulnerabilities, which is exactly the ‘black-box’ testing approach described.

Replication latency means there is a delay between when data is written to the primary site and when it is copied to the recovery site. This delay represents potential data loss if a disaster occurs, directly increasing the actual RPO.

The STAR program provides a registry to document the security and privacy controls provided by popular cloud computing offerings. This transparency helps users assess the security of cloud providers they currently use or are considering using.

Each cloud provider has its own unique set of security controls, APIs, and logging mechanisms, making it complex to implement and manage a uniform security posture and maintain visibility across environments.

Data dispersion involves using techniques like erasure coding to split data into fragments and distribute them across multiple locations, such that the original data can be reconstructed even if some fragments are lost. This increases availability and confidentiality.

This attack involves breaking out of the isolated guest OS environment to interact directly with the hypervisor or the host operating system, potentially giving the attacker access to other guest VMs on that host.

Integrating security checks (like SAST, SCA, and IaC scanning) into the pipeline allows vulnerabilities to be found and fixed early in the development lifecycle, which is less costly and more efficient than finding them in production.

A TPM is a secure crypto-processor that provides a root of trust. It can securely store keys, passwords, and digital certificates, and it is crucial for features like measured boot and secure boot to ensure platform integrity.

This approach allows the customer to generate their own keys and securely import them into the cloud provider’s key management service. The customer retains control and ownership of the keys, while the provider uses them for encryption.

Due diligence refers to the prudent steps a person or organization should take before entering into an agreement with another party. It involves research, analysis, and understanding the risks involved.

Modern container platforms (like Kubernetes with network policies) and dedicated security tools provide the ability to define and enforce granular, layer 7 network policies that restrict traffic between pods and services, a practice known as micro-segmentation.

Availability Zones are distinct locations within a region that are engineered to be isolated from failures in other AZs. Deploying across multiple AZs protects an application from the failure of a single data center.

A parallel test involves activating the disaster recovery environment and restoring systems, but the primary production systems remain active. This allows for testing of the recovery procedures without impacting ongoing business operations.

Services such as AWS S3 Object Lock or Azure Blob Storage immutable storage allow data to be placed in a write-once-read-many (WORM) state for a specified period, which effectively satisfies the requirements of a legal hold by preventing deletion or modification.

Object storage is designed for storing large amounts of unstructured data. Data is stored as objects, each with a unique identifier, and is accessed via HTTP-based APIs, making it highly scalable and ideal for web-accessible content.

The principle of least privilege requires that a user or process be given only those access rights and permissions necessary to perform its assigned tasks.

This hybrid approach, often called ‘Hold Your Own Key’ (HYOK), provides the maximum level of control and assurance. The customer maintains exclusive physical and logical control over the HSM and the master keys, which never leave their premises.

The right to erasure, or ‘right to be forgotten,’ enables an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing.

A SOC 2 report assesses controls based on the Trust Services Criteria. A Type 2 report goes further than a Type 1 by testing and reporting on the operating effectiveness of those controls over a specified period (typically 6-12 months).

The core principle of zero trust is ‘never trust, always verify.’ It assumes there is no traditional network edge; networks can be local, in the cloud, or a hybrid, and no user or device is trusted by default.

A BIA is the process of analyzing business functions and the effect that a specific disaster may have on them. This analysis is foundational for defining recovery objectives like RTO and RPO.

DLP solutions are specifically designed to monitor and control data in motion, enforcing policies to prevent unauthorized sharing or exfiltration of sensitive information through channels like email, web, or file transfers.

The Data Owner is a senior management role that has ultimate responsibility for the data. They are responsible for classifying the data and approving access.

This describes the fundamental principle of RAID (specifically levels like RAID 5 or 6), where data and parity are striped across multiple disks. This approach disperses the data to protect against the failure of a single component.

Data sovereignty is the concept that data is subject to the laws and legal jurisdiction of the country in which it is located. This creates a conflict, as the data of EU citizens is now subject to US laws, which may not offer equivalent protection.

A data processor is a separate entity (e.g., a SaaS provider) that processes data according to the instructions of the data controller. They have direct legal obligations under GDPR but act under the controller’s authority.

N+1 redundancy means that for a given number of required components (N), there is one extra standby component. If any single component fails, the spare can immediately take its place, ensuring continuous operation.

Confidential computing protects data in use by performing computation in a hardware-based Trusted Execution Environment (TEE). This secure enclave isolates the data and code from the host OS, hypervisor, and any system administrators.

This concept describes the ability to automatically and quickly scale resources both up and down based on demand, which directly addresses the organization’s need for cost-effective resource management.

This process replaces sensitive data with a non-sensitive equivalent, referred to as a ‘token’. The original data is stored in a secure vault and can be retrieved when needed for authorized processing, which aligns perfectly with PCI DSS requirements.

This method involves encrypting the data with a strong key and then securely deleting the key. This action renders the encrypted data irrecoverable, providing a secure sanitization method for cloud environments.

Tampering is a threat against the integrity of data. Modifying data in transit is a classic example of a tampering attack.

OAuth 2.0 is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

The customer is responsible for the security of the application they build and deploy on the platform, which includes managing user identities, access controls, and the security of their own data.

In a DevOps/IaC model, change management evolves. The ‘request for change’ becomes a code commit, review and approval happen through peer review of pull requests, and testing is automated within the CI/CD pipeline, maintaining control while enabling speed.

This model is designed for a specific community of consumers from organizations that have shared concerns, such as mission, security requirements, policy, and compliance considerations.

Availability, often expressed as a percentage of uptime (e.g., 99.95%), directly translates to the total amount of permissible downtime over a given period. The organization would calculate the required percentage based on their 4-hour tolerance.

A preventive control stops the undesirable action from happening in the first place. Using identity and access management policies to deny permissions that allow making buckets public is the most direct and effective way to prevent this misconfiguration.

A golden image is a template that has been hardened according to security best practices, patched, and configured with necessary security agents. Using it ensures that all new VMs are deployed from a known-secure state, a process known as baselining.

The core function of a SIEM is to collect log and event data from multiple sources, normalize it, and use correlation rules and analytics to detect security incidents that might not be visible from a single log source.

Interoperability is the ability of different systems or components to exchange and make use of information. The legacy application’s networking model is not interoperable with the cloud’s virtual network design.

An email suite is a fully-formed application delivered to the end user. This represents an application capability, typically as a Software as a Service (SaaS) offering.

The data custodian is responsible for the safe custody, transport, and storage of the data and the implementation of business rules. In a cloud model, the provider’s team (or the customer’s cloud engineering team in IaaS) performs this hands-on technical role.

IaC allows organizations to version-control their infrastructure configuration. In an incident, they can quickly provision new, clean infrastructure based on a trusted configuration, significantly reducing recovery time.

SAML is an XML-based open standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider, to enable single sign-on.

A CCoE is a cross-functional team that establishes best practices, governance, and standardized templates (e.g., using Infrastructure as Code) for cloud adoption, ensuring that resources are provisioned in a secure and consistent manner.

Cloud providers’ AUPs or specific penetration testing policies outline the permissible and prohibited activities, including the scope, timing, and notification requirements for any security testing performed by customers.

In an SSRF attack, an attacker induces a server-side application to make HTTP requests to an arbitrary domain of the attacker’s choosing. This exploits the trust relationship between the vulnerable server and other internal systems.

The cloud provider is responsible for securing the underlying infrastructure, which includes the physical hardware, networking, and the virtualization layer (hypervisor).

Semi-structured data does not conform to a formal data model like a relational database but contains tags or other markers to separate semantic elements and enforce hierarchies of records and fields, such as in XML or JSON files.

Modern applications are built using numerous third-party libraries. A vulnerability in any one of these components can compromise the entire application, making the provider’s Software Composition Analysis (SCA) and patch management processes critical.

The Annualized Rate of Occurrence (ARO) is 1/5 or 0.2. The ALE is calculated as SLE * ARO, which is $200,000 * 0.2 = $40,000.

The customer is responsible for the security of the application code they write and deploy on the platform. This includes writing code that is resilient to attacks like SQL injection.

A CASB is an on-premises or cloud-based security policy enforcement point situated between cloud service consumers and cloud service providers to interject enterprise security policies as cloud-based resources are accessed.

Services like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault provide centralized, secure storage for secrets with fine-grained access control, auditing, and rotation capabilities. Applications retrieve secrets at runtime via secure APIs.

Data may be stored in different legal jurisdictions with varying laws, and the lack of direct physical access complicates evidence collection, preservation, and maintaining chain of custody, which are core tenets of eDiscovery.

Security groups act as a virtual stateful firewall for an instance to control inbound and outbound traffic. Because they are stateful, if you send a request from your instance, the response traffic is automatically allowed, regardless of inbound security group rules.

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. It is placed in a secure zone and provides a single point of entry for administrators to connect to systems in a private subnet, reducing the overall attack surface.