Question 1

The correct option is TLS 1.3.

TLS 1.3 reduces handshake round trips which lowers network latency and it mandates modern key exchange algorithms that provide forward secrecy and improved security. It also removes many legacy features and obsolete ciphers so the implementation surface is smaller and easier to securely configure while keeping performance high. It supports session resumption and optional 0-RTT to further reduce latency for resumed sessions while you must manage the inherent 0-RTT replay considerations.

TLS 1.2 can be configured securely and it is widely deployed, but it allows older cipher suites and requires a heavier handshake which can increase latency compared with TLS 1.3. It does not include the same simplifications and mandatory forward secrecy that make TLS 1.3 a better fit for low-latency, high-security use cases.

SSL 3.0 is deprecated and has known vulnerabilities such as POODLE which make it unsuitable for protecting sensitive financial data. It is retired from modern use and is not acceptable for secure deployments or current exams.

SSL 2.0 is an obsolete protocol with numerous fundamental flaws and it was withdrawn for security reasons. It should never be used and it is not a correct choice on contemporary exams or in production environments.

Question 2

The correct option is Adoption of open standards and common specifications.

Choosing Adoption of open standards and common specifications emphasizes using standardized interfaces, data formats, and protocols which enable applications and services to run on different cloud platforms with minimal rework. Open standards reduce proprietary bindings and make it easier to move workloads because clients, tooling, and orchestration behave consistently across vendors.

Standards such as container and API specifications, and common configuration formats help decouple application logic from provider specific services. By designing around Adoption of open standards and common specifications you create portability at the application and data levels which is the primary enabler of true multi vendor mobility.

Anthos is incorrect because it is a Google managed platform that helps run workloads across environments but it is still a vendor solution and can introduce dependencies tied to that vendor. It is an operational approach rather than the fundamental attribute of portability that open standards provide.

Proprietary vendor features and custom APIs is incorrect because those choices increase vendor lock in and make migration harder. Using provider specific services requires significant redesign and rework to move to another vendor.

A strategy of deploying across multiple cloud providers is incorrect because running in multiple clouds can improve resilience and reduce single vendor risk but it does not by itself ensure that applications can be moved. Portability depends on how the applications are built and whether they follow open standards and common specifications.

Question 3

Integrity is the correct option.

Integrity focuses on preventing unauthorized modification so that records remain accurate and trustworthy. Controls that enforce Integrity include cryptographic hashing and digital signatures, immutability and versioning, strict authorization policies, and auditing so that any changes can be detected and traced.

Availability is incorrect because availability is about ensuring data and services are accessible when needed. It does not address whether the data has been altered which is the concern of Integrity.

Authentication is incorrect because authentication verifies the identity of users or systems. It supports integrity by confirming who is acting but it does not by itself prevent unauthorized modification or ensure data has not been tampered with.

Confidentiality is incorrect because confidentiality protects data from unauthorized disclosure. It ensures only authorized parties can read the data but it does not guarantee that the data remains unchanged which is the role of Integrity.

Question 4

Honeypot is correct. A honeypot is an isolated, non production system that is deliberately exposed to attackers so defenders can observe their techniques and learn their objectives on the network.

A honeypot is designed to look like a real server or service while being instrumented to record activity and to limit risk to production systems. Security teams use the data from a honeypot to analyze attacker behavior, gather indicators of compromise, and improve detection and response capabilities.

Cloud IDS is incorrect because a cloud intrusion detection system focuses on detecting suspicious activity in cloud environments and it does not serve as an isolated decoy to attract and study attackers.

Host based intrusion detection system is incorrect because a host based IDS monitors and analyzes activity on a specific host for signs of compromise and it is not an intentionally exposed, decoy system for luring attackers.

Demilitarized zone is incorrect because a DMZ is a network segment that hosts public facing services to separate them from internal networks and it is part of production architecture rather than a monitored decoy environment.

Question 5

The correct option is Application programming interfaces.

Application programming interfaces are used by the management plane because they provide a programmatic and standardized way to perform administrative operations on hypervisors such as provisioning, configuration, lifecycle actions, migration, and snapshot management.

Application programming interfaces support automation and integration with orchestration tools and configuration management systems and they allow authentication, authorization, and auditing to be applied centrally which fits the needs of a management plane.

Remote Desktop Protocol is incorrect because it provides interactive graphical access to an individual host and it is not designed for automated, centralized management of multiple hypervisors.

Cloud SDK command line tools are incorrect because they are client tools that often call underlying APIs and they are not the intrinsic mechanism used by the management plane itself.

Automation scripts are incorrect as a primary mechanism because they typically drive APIs or command line tools to perform actions and they are an implementation approach rather than the core, exposed management interface.

Question 6

The correct option is Nonrepudiation of origin.

The term Nonrepudiation of origin describes the ability to verify with high confidence who created or sent a piece of data and to confirm that the data has not been tampered with. Cryptographic mechanisms such as digital signatures combined with trusted time stamps create verifiable evidence that supports nonrepudiation and thus establish provenance and authenticity.

Cloud KMS is incorrect because it names a key management service rather than the property being described. A key management service can help implement signatures and key protection but the term asked for is the security property, not the service.

Data integrity is incorrect because it focuses on detecting or preventing unauthorized modification of data. Data integrity is necessary for authenticity but it does not by itself prove who originated the data or provide the nonrepudiable evidence that is implied by nonrepudiation of origin.

Question 7

The correct option is Quantum computing technology.

Quantum computing technology can run algorithms such as Shor’s algorithm which can factor large integers and compute discrete logarithms efficiently on a sufficiently large quantum computer. This ability directly undermines common public key schemes like RSA and ECC and it also reduces the effective security of symmetric ciphers through Grover’s algorithm which forces much larger key sizes to maintain equivalent security.

Quantum computing technology is therefore the realistic emerging threat that could break the mathematical hardness assumptions underlying many of the encryption schemes that protect data today, and that is why organizations and standards bodies are actively developing post quantum cryptography.

Machine learning may help with pattern detection or accelerate certain cryptanalytic tasks in limited scenarios but it does not change the fundamental mathematical problems such as integer factorization in the way that quantum algorithms can, so it is not the correct choice.

Cloud TPUs are accelerators for classical machine learning workloads and they increase classical compute capacity. They do not implement quantum algorithms and they do not alter the computational complexity assumptions that protect modern cryptography.

Blockchain is a distributed ledger technology and it affects how data is recorded and verified. It can expose implementation or key management weaknesses but it is not an emerging compute model that can break cryptographic primitives by itself.

Question 8

The correct option is Performing technical forensic analysis of data artifacts.

Performing technical forensic analysis of data artifacts is generally the least difficult to address because it is a technical activity that relies on established tools and repeatable procedures. Forensic acquisition and analysis workflows can often be standardized and automated when investigators have access to logs, metadata, and storage snapshots. While cloud vendor APIs and access constraints must be handled, the core tasks of imaging, hashing, and artifact examination follow known methodologies.

Assigning responsibility among data owners processors and controllers is harder because it requires legal interpretation, contract review, and organizational governance. Determining who legally controls or must preserve data often involves multiple parties and contractual nuances.

Cloud Storage is not the least difficult because storage in cloud environments can be distributed, ephemeral, and subject to complex metadata and access control models. Preserving chain of custody and ensuring complete data capture across object stores, snapshots, and multi-region deployments requires coordination with cloud providers.

Reconciling divergent international legal and jurisdictional requirements is commonly the most difficult challenge because laws and data residency rules vary across countries and cross border access can require formal legal processes. This issue involves regulators and governments and it can delay or restrict collections.

Question 9

The correct option is ISMS.

An ISMS is a formal information security management program that integrates processes, technology and personnel to safeguard and govern a companys information assets. It defines policies, performs risk assessments, selects and implements controls, assigns roles and responsibilities, and supports continuous monitoring and improvement. Standards such as ISO/IEC 27001 describe the requirements for implementing an ISMS across an organization.

GAAP are accounting standards for financial reporting and they do not establish a management program for information security. They focus on how financial information is prepared and presented rather than how to govern information assets.

Cloud IAM denotes identity and access management solutions used in cloud environments and it provides authentication and authorization capabilities. It is an important security component but it is not a comprehensive program that covers processes, governance and all personnel responsibilities.

GLBA is the Gramm Leach Bliley Act which is a regulatory law that imposes privacy and data protection requirements on financial institutions. It can drive elements of an information security program but it is not itself a management system that implements and governs security controls.

Question 10

The correct answer is Payload encryption.

Payload encryption is not typically an attribute used by edge firewall rule engines when making simple allow or deny decisions because those decisions are based on packet header information. Firewalls evaluate header fields and connection metadata and they cannot see or rely on an encrypted payload unless they perform deep packet inspection or terminate the encryption.

Transport protocol is incorrect because firewalls commonly match on protocols such as TCP, UDP, or ICMP to apply appropriate rules and state tracking.

Destination port is incorrect because port numbers identify services and are a primary match criterion for permitting or blocking traffic to specific applications.

Source IP address is incorrect because source addresses are used to filter traffic and to enforce network level access controls and policies.

Question 11

The correct answer is Virtual machine escape.

Virtual machine escape describes when code running inside a guest virtual machine exploits a vulnerability and breaks out of the VM sandbox to interact directly with the host hypervisor or host OS. This term specifically captures the crossing of the virtual boundary and is used when an attacker gains control beyond the guest and can affect the host or other guests.

Denial of service attack is incorrect because a denial of service attack aims to make a service unavailable or degrade performance and does not imply breaking out of a VM to gain access to the host hypervisor.

Side channel attack is incorrect because side channel attacks try to infer sensitive information by observing shared resource behavior or timing differences and they do not necessarily involve directly compromising the hypervisor or escaping the VM boundary.

Privilege escalation attack is incorrect in this context because privilege escalation normally refers to gaining higher privileges within the same operating system or environment. While an escape can result in higher control, the precise term for leaving the VM to control the hypervisor is Virtual machine escape.

Question 12

The correct option is Vulnerability scanning.

Vulnerability scanning relies on a database of known vulnerability signatures and standardized checks to automatically test systems and services. Scanners use published identifiers such as CVEs and plugin based tests to validate that hardening controls are in place and to detect missing patches or insecure configurations.

Vulnerability scanning also produces management oriented output such as severity ratings, summary dashboards, and remediation guidance which makes it suitable for regular compliance and hardening validation across many hosts.

Penetration testing is incorrect because penetration testing is typically manual or semi automated and focuses on exploiting vulnerabilities to prove impact rather than performing broad signature based checks for ongoing hardening validation.

Cloud Security Posture Management is incorrect because CSPM tools focus on cloud configuration and policy compliance and not primarily on signature based vulnerability scans, although some CSPM platforms may integrate vulnerability data.

Question 13

The correct option is Oversight of software license compliance and agreements.

In a Software as a Service arrangement the cloud provider operates the infrastructure and the application and they handle hosting, updates, and most operational controls. The customer retains responsibility for Oversight of software license compliance and agreements because they must ensure users, integrations, and any third party components comply with license terms and with contractual obligations.

Operating the application hosting infrastructure is incorrect because that responsibility is handled by the SaaS provider rather than the customer. The provider runs the servers, networking, and platform services for the application.

Coordinating the application development lifecycle is incorrect because the vendor owns and manages the SaaS application’s development and release processes. Customers may manage integrations or custom code on their side but they do not coordinate the provider’s development lifecycle.

Purchasing the software for in house installation is incorrect because SaaS is delivered as a hosted subscription and customers do not buy copies for internal installation. The model shifts acquisition to subscription and service agreements rather than on prem purchases.

Question 14

The correct answer is NIST RMF.

NIST RMF is the NIST Risk Management Framework and FISMA requires federal departments to align their risk assessment and authorization processes with NIST guidance. The RMF is implemented through NIST Special Publication 800-37 and it ties to the security controls in NIST Special Publication 800-53 that agencies use to assess and manage risk.

ISO/IEC 27001 is an international information security management standard and it is not the mandated framework under FISMA. Agencies may map practices to that standard for broader alignment but FISMA compliance is based on NIST guidance rather than ISO certification.

FedRAMP is a program for standardized security assessment and authorization of cloud service providers and it supports cloud authorizations. It does not replace the agency level RMF requirement for overall federal risk assessments.

NIST CSF is the Cybersecurity Framework and it provides voluntary guidance for improving cybersecurity posture. It can complement the RMF but it is not the specific framework that FISMA mandates for federal risk assessments and authorization.

Question 15

Adopt a Secure Software Development Lifecycle approach is correct because it describes an organizational practice that embeds security throughout development to catch defects earlier.

A Secure Software Development Lifecycle integrates security activities into requirements, design, implementation, testing and deployment so defects are detected and remediated well before release. It includes practices such as threat modeling during design, secure coding standards, peer code review, and automated testing tools like static and dynamic analysis which all reduce the cost of fixes.

This approach moves security earlier in the development process which lowers remediation cost and reduces the chance that defects reach production.

Google Cloud Security Command Center is a cloud security product for finding and monitoring risks in deployed cloud resources but it is not a development lifecycle practice that prevents defects early in the build process.

OWASP guidance and resources provide valuable standards, checklists and tools for secure coding and testing, but they are reference materials rather than the end to end process the question asks for. They support a Secure SDLC but do not by themselves define the practice to implement.

Secure Software Development Framework may sound similar and there are formal frameworks like NIST SSDF, but the exam answer emphasizes adopting a Secure Software Development Lifecycle as the practical, team level process to prevent late discovered defects. The option as written is less clearly the lifecycle practice the question targets.

Question 16

The correct option is Honeypot. A Honeypot is an isolated decoy system that is kept separate from live services to lure intruders and allow analysis of their actions.

A Honeypot is intentionally instrumented so defenders can observe attacker behavior, capture malware samples, and gather forensic data without risking production systems. Honeypots can be low interaction to reduce risk or high interaction to collect richer intelligence, and they are deployed with strict isolation and monitoring to prevent attackers from using them as a pivot into real assets.

Demilitarized zone is incorrect because a DMZ is a network segment used to host public facing services while protecting the internal network, and it is not meant to serve as a deliberate decoy for studying attackers.

Cloud IDS is incorrect because an intrusion detection system monitors and alerts on suspicious activity but does not provide a separate, intentionally vulnerable environment designed to attract attackers for analysis.

Bastion host is incorrect because a bastion host is a hardened gateway used to securely access internal systems and it is not an isolated decoy for capturing attacker behavior.

Question 17

The correct answer is Physical location of the provider data centers.

For a regional credit union robust data governance depends first on where customer and transaction data are physically stored because laws and regulators assign rights and obligations based on location. Choosing a provider whose Physical location of the provider data centers aligns with the credit union jurisdiction and applicable privacy and banking rules reduces legal exposure and simplifies compliance with data residency, retention, eDiscovery, and supervisory examination requirements.

The physical location also affects how quickly the credit union can enforce contractual controls and respond to incidents. Local storage can limit foreign government access under other countries laws and it makes it easier to meet regulator expectations for audit, records retention, and examination access. Those operational and legal controls are central to effective data governance in regulated financial services.

Provider marketing and promotional tactics are incorrect because glossy marketing claims do not determine legal control over data. Marketing can highlight features and benefits but it cannot change where data is legally stored or how local laws apply.

Availability of compliance certifications and third party audit reports is incorrect because certifications document controls at a point in time but they do not guarantee that data will remain in a permitted jurisdiction. Certifications are useful evidence but they are not a substitute for verifying physical data location and contractual residency commitments.

Provider scale and workforce size is incorrect because a large scale or big workforce may support reliability and global operations but these factors do not by themselves ensure that data governance requirements for a regional credit union are met. Governance depends more on legal jurisdiction, contractual terms, and technical controls than on provider size.

Question 18

Conduct a cost benefit analysis is the correct initial activity an organization should undertake before migrating IT workloads to the cloud.

Performing a conduct a cost benefit analysis establishes the business case and helps determine total cost of ownership and expected return on investment. It identifies financial impacts such as migration costs licensing differences and ongoing operational expenses and it also surfaces compliance and contractual considerations that affect the feasibility of migration.

A conduct a cost benefit analysis guides prioritization by revealing which workloads deliver the most value when moved and which workloads might be better left on premises. This high level decision is needed before investing in detailed technical assessments or pilot projects.

Build a pilot deployment is incorrect because a pilot is a technical validation step that is normally performed after the organization has decided to proceed and completed initial financial and strategic analysis. A pilot tests migration approaches and performance but it does not by itself justify whether migration should occur.

Inventory and classify applications is incorrect in this context because inventory is an important part of the detailed assessment and planning phase. Discovering and classifying applications supports costing and migration planning but it usually follows or runs alongside the business level cost benefit work that informs whether and how to proceed.

Question 19

The correct option is Packet filtering.

Software defined networking separates the control plane from the forwarding plane and moves decision making into a centralized controller. Packet filtering is a policy decision about which packets to allow or block and it is typically expressed as rules that the controller programs into forwarding devices. That separation means the filtering policy is defined and managed out of band while the switches perform fast forwarding based on the installed rules.

Routing is not the correct choice because routing is a control plane function that computes paths and populates forwarding tables, and it remains tightly linked to the forwarding plane to ensure packets are delivered. The exam item treats routing as a distinct control activity rather than the specific policy enforcement called out by the correct answer.

Session state tracking is not correct because session or flow state is a stateful function that often must be maintained close to the packet stream for performance and correctness. Stateful tracking is typically implemented in devices or data plane elements that handle individual flows rather than being wholly separated into a controller in the same way as simple packet filtering rules.

Perimeter firewall enforcement is not correct because full firewall enforcement often requires stateful inspection and complex processing that is implemented in specialized appliances or in the data plane. The term also implies enforcement at a boundary device rather than the generic control plane policy separation described by SDN, so it is not the best match for the question.

Question 20

Gramm-Leach-Bliley Act is the correct statute officially designated as the Financial Modernization Act of 1999.

The Gramm-Leach-Bliley Act is Public Law 106-102 and it was enacted by the United States Congress in 1999. The law is commonly referred to by its official designation as the Financial Services Modernization Act of 1999 and it reformed the regulatory structure for banks securities firms and insurance companies while adding privacy and data protection requirements for financial institutions.

General Data Protection Regulation is incorrect because that is an EU regulation adopted in 2016 that governs personal data protection in the European Union and it is not a United States statute nor was it enacted in 1999.

Payment Card Industry Data Security Standard is incorrect because it is an industry security standard created by the PCI Security Standards Council to protect cardholder data and it is not a federal statute or titled as the Financial Modernization Act of 1999.

Sarbanes Oxley Act is incorrect because that United States federal law was enacted in 2002 to address corporate governance and financial reporting and it does not carry the Financial Modernization Act of 1999 designation.

Question 21

The correct answer is Legal jurisdiction.

The physical placement of a data center determines which national and local laws and regulations apply to the data stored there. This affects data residency rules, government access and lawful disclosure, cross border transfer restrictions, and compliance obligations that can vary widely between countries.

Choosing a site therefore requires evaluating the legal and regulatory environment where the facility sits and matching that environment to your compliance and contractual needs. Laws can impose requirements that are not solvable by technology alone, and they can create obligations for how data must be handled and where it may be moved.

Network latency and performance is an important operational consideration when picking a location but it is not the primary concern the question targets. The exam is asking about the legal consequence of geographic placement which is about jurisdiction rather than speed.

Data encryption is a technical control that you apply regardless of the data center location. Encryption helps protect data in transit and at rest but it does not change which country�s laws govern the data or how local authorities may request access.

Physical storage capacity is a logistical and provisioning matter and it can usually be adjusted by choosing different offerings or scaling resources. It does not address the legal and regulatory impacts that flow from the data center�s geographic jurisdiction.

Question 22

The correct answer is Cloud service provider.

A cloud service provider usually acts as the data processor that performs processing activities on behalf of the data controller and that manages storage and handling of that data. The provider hosts infrastructure and implements technical and organizational measures under a data processing agreement with the controller. The controller retains responsibility for the purposes and means of processing while the provider carries out operations such as storage, backup, and compute on behalf of the controller.

An Identity and access administrator is a role that manages user identities and access rights and it does not generally perform processing and storage of customer data on behalf of the controller.

The Cloud service customer is normally the data controller or an agent of the controller and it determines the purposes and means of processing so it is not the processor that handles storage on the controller’s behalf.

A Cloud Access Security Broker provides visibility and policy enforcement between users and cloud services but it is an intermediary and not usually the primary party that stores and processes data as the processor.

Question 23

The correct answer is Snapshot.

Snapshot refers to a point in time capture of a storage volume that preserves the state of data and metadata at that instant. Cloud providers and hypervisors use snapshots to record the full contents or pointers to the data without necessarily copying every byte immediately and this allows fast restores to the exact captured state.

Snapshot implementations often use copy on write or redirect on write techniques to be space efficient while presenting what looks like a full, instantaneous backup to the system. That behavior matches the description in the question about capturing the full contents of a volume at one instant and preserving that state.

Data replication is incorrect because replication continuously copies data to another location for redundancy or availability and it does not by itself create an atomic, point in time backup of a volume.

Incremental backup is incorrect because incremental backups only transfer changes since a previous backup and they form part of a backup sequence rather than producing a single instant snapshot of the whole volume.

Disk image backup is incorrect because a disk image is a full copy of a disk used for recovery but the term does not specifically describe the hypervisor or cloud provider feature that takes an instantaneous, point in time capture and preserves the live state in the efficient manner that snapshots do.

Question 24

The correct answer is SOX.

The Sarbanes-Oxley Act establishes corporate governance and recordkeeping requirements for public companies and it specifically requires retention of financial and audit records and creates penalties for improper destruction of those records. The statute was enacted to improve transparency and accountability in financial reporting and it is the primary source for the required retention periods referenced in the question.

SEC regulations govern securities markets and public company disclosures but they do not by themselves set the statutory retention periods for corporate financial and audit records in the same comprehensive way as the Sarbanes-Oxley Act. The SEC does have recordkeeping rules in specific contexts such as for broker-dealers, but that is a different regulatory area.

GLBA focuses on consumer financial privacy and information security requirements for financial institutions and it does not establish corporate audit and financial record retention periods for public companies.

IRS recordkeeping rules require taxpayers to retain records needed to support tax filings and assessments and they are oriented toward tax administration rather than establishing the broader corporate financial and audit record retention framework mandated by the Sarbanes-Oxley Act.

Question 25

The correct answer is Standardizing on OpenID Connect and SAML for cross provider compatibility and seamless single sign on.

Choosing standards like OpenID Connect and SAML ensures consistent authentication flows and token semantics across different cloud providers and enables true single sign on. These protocols define how identity and trust are exchanged so each vendor can accept the same tokens and claims which keeps the user experience uniform and frictionless.

Standardizing on these protocols also reduces the need for custom adapters and repeated login prompts because a central identity provider can be trusted by every cloud platform. That approach minimizes user disruption and streamlines session handling across applications and services.

The option Minimizing the overall cost of identity infrastructure is incorrect because cost is an important consideration but it is not the primary factor for preserving a consistent user experience. Prioritizing cost alone can lead to bespoke or incompatible solutions that increase friction for users.

The option Google Cloud IAM is incorrect because it is a vendor specific service and does not by itself provide cross provider compatibility. Relying solely on a single cloud provider’s IAM will not guarantee seamless federation with other clouds unless standard protocols are used.

The option Consolidating all identity services with a single cloud vendor is incorrect because that strategy creates vendor lock in and may be impractical across multiple clouds. It can force custom integrations and still fail to provide the consistent, standards based experience that federated OpenID Connect or SAML do.