Practice questions · Cybersecurity
CCSP (ISC2): Practice Questions
Original concept-check questions on core CCSP ideas across the six cloud-security domains. Choose an answer to reveal the explanation, including why each other option is wrong. Anchor your reasoning in the shared responsibility model. These are concept checks, not real exam questions.
In a SaaS deployment, who is normally responsible for securing the underlying operating system and runtime?
Correct answer: A. Under the shared responsibility model for SaaS, the provider runs the whole stack including the OS and runtime, so the provider secures them. 'The customer' is wrong because in SaaS the customer's responsibility is limited to their data, accounts and configuration, not the OS. 'A jointly appointed third party' invents a party that the model does not define. 'Neither party' is wrong because the OS is always secured by someone - here, the provider.
Which cloud service model leaves the customer responsible for the most layers of the stack?
Correct answer: D. IaaS gives the customer the OS, applications, data and configuration to secure, which is the most layers. 'SaaS' is wrong because there the provider handles almost everything and the customer secures only data and access. 'A fully provider-managed function service' reduces customer responsibility rather than increasing it. 'PaaS' is wrong because the provider also manages the OS and runtime, leaving the customer fewer layers than IaaS.
An organisation needs a cloud shared only by hospitals that must meet the same healthcare regulations. Which deployment model fits best?
Correct answer: C. A community cloud is shared by organisations with common requirements, such as hospitals under the same regulations, which matches exactly. 'Public cloud' is wrong because it is open to any tenant, not a specific community with shared compliance needs. 'Hybrid cloud' describes mixing private and public, which is not what is asked. 'Private cloud' serves a single organisation, but here several hospitals want to share, so it is broader than private.
The 'shared responsibility model' in cloud security primarily defines:
Correct answer: B. The shared responsibility model defines which security duties belong to the provider and which belong to the customer. 'How costs are split between teams' confuses it with billing or chargeback, not security. 'Which encryption algorithm to use' is a specific control choice, not the responsibility split. 'The backup schedule' is one operational detail, far narrower than the model's purpose.
A reference architecture for cloud security is most useful because it:
Correct answer: C. A reference architecture gives a vendor-neutral blueprint of the components and their relationships, which is its core value. 'Guarantees compliance automatically' overstates it; a blueprint informs design but does not by itself prove compliance. 'Replaces the need for risk assessment' is wrong because you still assess risk for your specific context. 'Eliminates the shared responsibility model' is wrong because that model still governs who secures what.
The correct order of the cloud data lifecycle is:
Correct answer: B. The cloud data lifecycle runs create, store, use, share, archive, destroy. The order beginning 'store, create' puts 'store' before 'create', which is impossible since data must exist before it is stored. The order beginning 'use, create, store' starts with 'use' before the data has been created or stored. The order beginning 'create, destroy' places 'destroy' second, which would end the lifecycle before the data is ever used.
Replacing a credit-card number with a non-sensitive surrogate value that maps back to it in a secure vault is:
Correct answer: D. Tokenization swaps a sensitive value for a surrogate token that maps back via a secure vault, which is exactly described. 'Hashing' is one-way and cannot be reversed to the original, so it would not map back. 'Compression' reduces size and provides no security mapping. 'Masking only' hides part of a value for display but does not create a reversible surrogate stored in a vault.
Which technique renders cloud data unrecoverable by destroying the encryption keys instead of erasing every copy of the data?
Correct answer: A. Crypto-shredding destroys the keys so the encrypted data can no longer be decrypted, which is effective when you cannot reach every physical copy. 'Tokenization' substitutes values and does not destroy data by removing keys. 'Data masking' hides parts of values for display and leaves the underlying data intact. 'Compression' only reduces size and has nothing to do with secure destruction.
Showing only the last four digits of an account number on a screen while hiding the rest is an example of:
Correct answer: C. Data masking hides part of a value for display while leaving enough for recognition, which matches showing only the last four digits. 'Encryption' transforms the whole value and requires a key to read, not a partial display. 'Hashing' is a one-way digest, not a partially visible value. 'Key rotation' is about replacing cryptographic keys and is unrelated to how a value is displayed.
Keeping encryption keys in a service controlled by the customer rather than letting the provider hold them is commonly called:
Correct answer: B. Bring Your Own Key (BYOK) means the customer supplies and controls the keys used in the provider's key service. 'Provider-managed encryption' is the opposite, where the provider holds and manages the keys. 'Transport Layer Security' protects data in transit and is not a key-ownership model. 'Data masking' hides parts of values and has nothing to do with who controls the keys.
When analysing risk for a cloud platform, the FIRST step is usually to:
Correct answer: C. Risk analysis starts by identifying and valuing the assets you are protecting, because you cannot assess risk to something you have not identified. 'Buy a security tool' jumps to a control before understanding the risk. 'Encrypt all data' is a control choice, again premature before assets and risks are known. 'Sign the provider's contract' is a procurement action, not the first step of risk analysis.
Isolating each customer's data and workloads from other customers on shared cloud infrastructure is called:
Correct answer: A. Tenant isolation keeps one customer's data and workloads separated from others in a multi-tenant environment, which is exactly described. 'Vendor lock-in' is the difficulty of leaving a provider and is unrelated to separation between tenants. 'Crypto-shredding' is a data-destruction technique. 'Data residency' refers to where data is physically stored, not how tenants are kept apart.
The Recovery Point Objective (RPO) for a cloud workload defines:
Correct answer: A. RPO is the maximum acceptable data loss, expressed as a point in time you can fall back to. 'The target time to restore the service' describes RTO, not RPO. 'The number of backups to keep' is a retention decision, not the RPO definition. 'The cost of the outage' is an impact figure and does not define a recovery point.
Which control most directly limits the blast radius of a compromised virtual machine in a cloud network?
Correct answer: C. Network segmentation and security groups restrict how far an attacker can move from a compromised VM, directly limiting the blast radius. 'Verbose application logging' helps you detect and investigate but does not contain movement. 'A longer password policy' strengthens authentication but does nothing to limit lateral movement once a host is breached. 'A faster autoscaling policy' affects capacity, not containment.
A business impact analysis (BIA) for a cloud service is primarily used to:
Correct answer: D. A BIA identifies critical business functions and the impact of disrupting them, which then drives recovery objectives like RTO and RPO. 'Choose an encryption algorithm' is a cryptography decision, not a continuity analysis. 'Configure a load balancer' is an implementation task. 'Write application code' is development work and unrelated to assessing business impact.
Analysing an application's source code for security flaws without running it is:
Correct answer: C. SAST inspects source code at rest, without executing the application. 'DAST' is wrong because it tests a running application from the outside. 'Penetration testing of the live site' also requires the application to be running. 'Load testing' measures performance under demand and does not look for code-level security flaws.
Building security requirements and testing into every phase of development rather than bolting it on at the end describes a:
Correct answer: D. A secure SDLC integrates security throughout development, which is exactly what is described. 'A single penetration test before launch' is one late activity, not security across every phase. 'A firewall rule set' is a network control, unrelated to the development process. 'A manual code freeze' just halts changes and does not embed security into each phase.
Validating and sanitising input received by a cloud-hosted web application primarily prevents:
Correct answer: D. Input validation and sanitisation stop untrusted input from being interpreted as code or queries, preventing injection attacks like SQL injection and XSS. 'Power failures' are an availability and facilities concern, unrelated to input handling. 'Disk capacity issues' are a storage problem. 'DNS propagation delays' are a networking timing issue, not something input validation addresses.
Running untrusted code in an isolated environment so it cannot affect the rest of the system is called:
Correct answer: A. Sandboxing isolates code so misbehaviour stays contained, which is exactly described. 'Tokenization' substitutes sensitive data with tokens and is a data-protection technique. 'Federation' shares identity across domains and is unrelated to code isolation. 'Key rotation' replaces cryptographic keys and has nothing to do with isolating execution.
Putting a managed control point in front of cloud APIs to authenticate, route and throttle requests is the role of a:
Correct answer: D. An API gateway is the managed entry point that authenticates, routes and throttles API calls. 'A hardware security module' protects cryptographic keys, not API traffic. 'A data masking proxy' hides parts of data values and does not manage API routing or throttling. 'A backup vault' stores recovery copies of data and plays no part in handling live API requests.
A SIEM in cloud security operations is used primarily to:
Correct answer: A. A SIEM aggregates and correlates logs and events to detect and investigate security incidents, which is its core purpose. 'Encrypt data at rest' is a storage-protection function handled elsewhere. 'Provision new virtual machines' is an infrastructure or orchestration task. 'Manage the billing account' is a financial function unrelated to security monitoring.
The generally accepted order of incident response is:
Correct answer: B. The accepted order is preparation, detection and analysis, containment, eradication, recovery, then lessons learned. The order beginning with eradication starts before anything has been detected. The order beginning with recovery starts before the incident is even detected or contained. The order beginning with lessons learned puts that step first, which can only follow the response, not precede it.
A formal change-management process in cloud operations exists mainly to:
Correct answer: B. Change management reduces the risk that changes introduce outages or security weaknesses by reviewing and controlling them. 'Speed up deployments by skipping reviews' is the opposite of its purpose and would increase risk. 'Replace the need for monitoring' is wrong because monitoring and change control are complementary, not substitutes. 'Eliminate the need for backups' confuses two unrelated controls.
During a cloud security incident, communicating clearly with affected business stakeholders is important mainly because it:
Correct answer: C. Stakeholder communication keeps decision-makers informed so they can manage business, legal and reputational impact during an incident. 'Replaces the technical investigation' is wrong because communication runs alongside, not instead of, the technical work. 'Removes the need to keep logs' is unrelated; logs are still required as evidence. 'Automatically restores the affected systems' confuses talking to stakeholders with recovery actions.
Continuously scanning a cloud environment for misconfigurations such as public storage buckets is the role of:
Correct answer: A. CSPM tooling continuously finds and helps remediate misconfigurations like publicly exposed storage. 'A hardware security module' safeguards keys and does not scan for misconfigurations. 'Transport Layer Security' encrypts data in transit and does not assess configuration posture. 'A business impact analysis' evaluates the impact of disruptions and is not a configuration-scanning control.
The principle that data is subject to the laws of the country in which it is physically located is called:
Correct answer: B. Data sovereignty is the principle that data falls under the laws of the country where it resides. 'Data residency' refers to where data is stored, but not specifically to the legal jurisdiction that follows from location. 'Data masking' hides parts of values for display. 'Data classification' assigns sensitivity levels and is unrelated to legal jurisdiction.
Which regulation primarily governs the protection of EU residents' personal data?
Correct answer: C. The GDPR governs the protection of personal data of people in the EU. 'PCI DSS' is a payment-card security standard, not a general data-protection law. 'ISO 9001' is a quality-management standard unrelated to personal data. 'SOC 1' is an assurance report focused on controls over financial reporting, not a privacy regulation.
When a cloud customer asks a provider for a SOC 2 report, they are mainly trying to:
Correct answer: B. A SOC 2 report gives independent assurance about a provider's controls for security and related criteria, which is why customers request it. 'Negotiate a lower price' is a commercial activity unrelated to the report's purpose. 'Get the provider's source code' is not what a SOC 2 report provides. 'Bypass their own compliance obligations' is wrong because the customer remains responsible for their own compliance regardless.
The difficulty of moving workloads away from a provider because of proprietary services or data formats is known as:
Correct answer: D. Vendor lock-in is the difficulty of leaving a provider due to proprietary dependencies or data formats. 'Shadow IT' refers to unsanctioned use of services, a different risk. 'Tenant isolation' is about separating customers on shared infrastructure. 'Crypto-shredding' is a data-destruction technique and has nothing to do with portability between providers.
Employees using an unsanctioned cloud file-sharing service without IT approval is an example of:
Correct answer: A. Shadow IT is the use of cloud services without the organisation's approval or oversight, which is exactly described. 'Tenant isolation' is about keeping customers separated on shared infrastructure, not unsanctioned use. 'Data sovereignty' concerns which country's laws apply to data based on its location. 'Crypto-shredding' is a data-destruction technique and has nothing to do with unapproved service use.
Practice questions FAQ
- Are these real CCSP exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.