WGU D320 MANAGING CLOUD SECURITY OA AND
PA EXAM 2024 ACTUAL EXAM WITH 300
QUESTIONS WITH DETAILED VERIFIED ANSWERS
(100% CORRECT ANSWERS) /ALREADY GRADED A+
Sarbanes-Oxley (SOX) Act - ANSWERincrease transparency into publicly traded
corporations' financial activities
Gramm-Leach-Bliley Act (GLBA) - ANSWERallow banks to merge and own insurance
companies
Clarifying Lawful Overseas Use of Data (CLOUD) Act - ANSWERAllows US law
enforcement and courts to compel American companies to disclose data stored in
foreign data centers
FERPA - ANSWERprevent academic institutions from sharing student data other than
parents or student
Master service agreement (MSA) - ANSWERprovide an umbrella contract for the work
that a vendor does with an organization over an extended period of time
Service level agreement (SLA) - ANSWERwritten contracts that specify the conditions
of service that will be provided by the vendor and the remedies available to the
customer if the vendor fails to meet the SLA
Business partnership agreement (BPA) - ANSWERexist when two organizations agree
to do business with each other in a partnerhsip
memorandum of understanding (MOU) - ANSWERa letter written to document aspects
of the relationship to avoid future misunderstandings
OWASP Top Ten - ANSWERa standard awareness document for developers and web
application security, it represents a broad consensus about the most critical security
risks to web applications.
OWASP 1: Access Control - ANSWERenforces policy such that users cannot act
outside of their intended permissions
OWASP 2: Cryptographic Failures - ANSWERfocus is on failures related to
cryptography (or lack thereof), Which often lead to exposure of sensitive data.
,OWASP 3: Injection - ANSWERan attacker's attempt to send data to an application in a
way that will change the meaning of commands being sent to an interpreter
OWASP 4: Insecure Design - ANSWERfocuses on risks related to design and
architectural flaws, with a call for more use of threat modeling, secure design patterns,
and reference architectures
OWASP 5: Security Misconfiguration - ANSWERoccurs when system or application
configuration settings are missing or are erroneously implemented, allowing
unauthorized access
OWASP 6: Vulnerable and Outdated Components - ANSWERthird-party libraries or
frameworks used in web applications that have known vulnerabilities or are no longer
supported by their developers
OWASP 7: Identification and Authentication Failures - ANSWERThe failure of a system
to identify and/or authenticate leaves the application susceptible to attacks and leaves
user accounts/data at risk
OWASP 8: Software and Data Integrity Failures - ANSWERrelate to code and
infrastructure that does not protect against integrity violations; occur when an attacker
can modify or delete data in an unauthorized manner
OWASP 9: Security Logging and Monitoring Failures - ANSWERthis category is to help
detect, escalate, and respond to active breaches, without logging and monitoring,
breaches cannot be detected
OWASP 10: Server Side Request Forgery (SSRF) - ANSWERoccur whenever a web
application is fetching a remote resource without validating the user-supplied URL,
allows an attacker to coerce the application to send a crafted request to an unexpected
destination, even when protected by a firewall, VPN, or another type of network access
control list (ACL).
data lifecycle - ANSWERCreate, Store, Use, Share, Archive, Destroy
SOC 1 Report - ANSWERstrictly for auditing the financial reporting instruments of a
corporation
SOC 2 Report - ANSWERIntended to report audits of any controls on an organization's
security, availability, processing integrity, confidentiality, and privacy
SOC 3 Report - ANSWERDesigned to be shared with the public, does not contain any
actual data about the security controls of the audit target.
, SOC 2 Type 1 Report - ANSWERReviews the design of controls, not how they are
implemented or maintained
SOC 2 Type 2 Report - ANSWERUsed for getting a true assessment of an
organization's security posture
IaaS risks - ANSWER1. Personnel threats (insiders)
2. External threats (malware, hacking, DDoS, MITM)
3. Lack of specific skillsets
PaaS risks - ANSWER1. Interoperability issues
2. Persistent backdoors, DevOps
3. Virtualization
4. Resource sharing
SaaS risks - ANSWER1. Proprietary formats
2. Virtualization
3. Web app security
regulators - ANSWERinvolved in cloud service arrangements
critiques - ANSWERfalls under the exceptions category for "fair-use" copyrighted
material
Cloud-Secure Software Deployment Lifecycle (SDLC) - ANSWERDefining, Designing,
Development, Testing, Secure Operations, Disposal
Defining - ANSWERFocused on identifying the business requirements of the
application, such as accounting, database, or customer relationship management
Designing - ANSWERBegin to develop user stories (what the user will want to
accomplish, what the interface will look like and whether it will require the use or
development of any APIs)
Development - ANSWERwhere the code is written
Testing - ANSWERActivities such as initial penetration testing and vulnerability
scanning against the application is performed. Will use both dynamic and static testing
or DSAT (Dynamic Application Security Testing) or SAST (Static Application Security
Testing).
Secure Operations - ANSWERAfter testing, the application is deemed secure
Disposal - ANSWEROnce it's reached the end of life or has been replaced with a newer
or different application.
PA EXAM 2024 ACTUAL EXAM WITH 300
QUESTIONS WITH DETAILED VERIFIED ANSWERS
(100% CORRECT ANSWERS) /ALREADY GRADED A+
Sarbanes-Oxley (SOX) Act - ANSWERincrease transparency into publicly traded
corporations' financial activities
Gramm-Leach-Bliley Act (GLBA) - ANSWERallow banks to merge and own insurance
companies
Clarifying Lawful Overseas Use of Data (CLOUD) Act - ANSWERAllows US law
enforcement and courts to compel American companies to disclose data stored in
foreign data centers
FERPA - ANSWERprevent academic institutions from sharing student data other than
parents or student
Master service agreement (MSA) - ANSWERprovide an umbrella contract for the work
that a vendor does with an organization over an extended period of time
Service level agreement (SLA) - ANSWERwritten contracts that specify the conditions
of service that will be provided by the vendor and the remedies available to the
customer if the vendor fails to meet the SLA
Business partnership agreement (BPA) - ANSWERexist when two organizations agree
to do business with each other in a partnerhsip
memorandum of understanding (MOU) - ANSWERa letter written to document aspects
of the relationship to avoid future misunderstandings
OWASP Top Ten - ANSWERa standard awareness document for developers and web
application security, it represents a broad consensus about the most critical security
risks to web applications.
OWASP 1: Access Control - ANSWERenforces policy such that users cannot act
outside of their intended permissions
OWASP 2: Cryptographic Failures - ANSWERfocus is on failures related to
cryptography (or lack thereof), Which often lead to exposure of sensitive data.
,OWASP 3: Injection - ANSWERan attacker's attempt to send data to an application in a
way that will change the meaning of commands being sent to an interpreter
OWASP 4: Insecure Design - ANSWERfocuses on risks related to design and
architectural flaws, with a call for more use of threat modeling, secure design patterns,
and reference architectures
OWASP 5: Security Misconfiguration - ANSWERoccurs when system or application
configuration settings are missing or are erroneously implemented, allowing
unauthorized access
OWASP 6: Vulnerable and Outdated Components - ANSWERthird-party libraries or
frameworks used in web applications that have known vulnerabilities or are no longer
supported by their developers
OWASP 7: Identification and Authentication Failures - ANSWERThe failure of a system
to identify and/or authenticate leaves the application susceptible to attacks and leaves
user accounts/data at risk
OWASP 8: Software and Data Integrity Failures - ANSWERrelate to code and
infrastructure that does not protect against integrity violations; occur when an attacker
can modify or delete data in an unauthorized manner
OWASP 9: Security Logging and Monitoring Failures - ANSWERthis category is to help
detect, escalate, and respond to active breaches, without logging and monitoring,
breaches cannot be detected
OWASP 10: Server Side Request Forgery (SSRF) - ANSWERoccur whenever a web
application is fetching a remote resource without validating the user-supplied URL,
allows an attacker to coerce the application to send a crafted request to an unexpected
destination, even when protected by a firewall, VPN, or another type of network access
control list (ACL).
data lifecycle - ANSWERCreate, Store, Use, Share, Archive, Destroy
SOC 1 Report - ANSWERstrictly for auditing the financial reporting instruments of a
corporation
SOC 2 Report - ANSWERIntended to report audits of any controls on an organization's
security, availability, processing integrity, confidentiality, and privacy
SOC 3 Report - ANSWERDesigned to be shared with the public, does not contain any
actual data about the security controls of the audit target.
, SOC 2 Type 1 Report - ANSWERReviews the design of controls, not how they are
implemented or maintained
SOC 2 Type 2 Report - ANSWERUsed for getting a true assessment of an
organization's security posture
IaaS risks - ANSWER1. Personnel threats (insiders)
2. External threats (malware, hacking, DDoS, MITM)
3. Lack of specific skillsets
PaaS risks - ANSWER1. Interoperability issues
2. Persistent backdoors, DevOps
3. Virtualization
4. Resource sharing
SaaS risks - ANSWER1. Proprietary formats
2. Virtualization
3. Web app security
regulators - ANSWERinvolved in cloud service arrangements
critiques - ANSWERfalls under the exceptions category for "fair-use" copyrighted
material
Cloud-Secure Software Deployment Lifecycle (SDLC) - ANSWERDefining, Designing,
Development, Testing, Secure Operations, Disposal
Defining - ANSWERFocused on identifying the business requirements of the
application, such as accounting, database, or customer relationship management
Designing - ANSWERBegin to develop user stories (what the user will want to
accomplish, what the interface will look like and whether it will require the use or
development of any APIs)
Development - ANSWERwhere the code is written
Testing - ANSWERActivities such as initial penetration testing and vulnerability
scanning against the application is performed. Will use both dynamic and static testing
or DSAT (Dynamic Application Security Testing) or SAST (Static Application Security
Testing).
Secure Operations - ANSWERAfter testing, the application is deemed secure
Disposal - ANSWEROnce it's reached the end of life or has been replaced with a newer
or different application.
