- (Exam Topic 4)
What type of masking would you employ to produce a separate data set for testing purposes based on production data without any sensitive information?

1. A. Dynamic
2. B. Tokenized
3. C. Replicated
4. D. Static

Correct Answer: D
Static masking involves taking a data set and replacing sensitive fields and values with non-sensitive or garbage data. This is done to enable testing of an application against data that resembles production data, both in size and format, but without containing anything sensitive. Dynamic masking involves the live and transactional masking of data while an application is using it. Tokenized would refer to tokenization, which is the replacing of sensitive data with a key value that can later be matched back to the original value, and although it could be used as part of the production of test data, it does not refer to the overall process. Replicated is provided as an erroneous answer, as replicated data would be identical in value and would not accomplish the production of a test set.

- (Exam Topic 4)
Which of the following report is most aligned with financial control audits?

1. A. SSAE 16
2. B. SOC 2
3. C. SOC 1
4. D. SOC 3

Correct Answer: C
The SOC 1 report focuses primarily on controls associated with financial services. While IT controls are certainly part of most accounting systems today, the focus is on the controls around those financial systems.

- (Exam Topic 4)
Which of the following best describes SAML?

1. A. A standard used for directory synchronization
2. B. A standard for developing secure application management logistics
3. C. A standard for exchanging usernames and passwords across devices.
4. D. A standards for exchanging authentication and authorization data between security domains.

Correct Answer: D

- (Exam Topic 3)
One of the main components of system audits is the ability to track changes over time and to match these changes with continued compliance and internal processes.
Which aspect of cloud computing makes this particular component more challenging than in a traditional data center?

1. A. Portability
2. B. Virtualization
3. C. Elasticity
4. D. Resource pooling

Correct Answer: B
Cloud services make exclusive use of virtualization, and systems change over time, including the addition, subtraction, and reimaging of virtual machines. It is extremely unlikely that the exact same virtual machines and images used in a previous audit would still be in use or even available for a later audit, making the tracking of changes over time extremely difficult, or even impossible. Elasticity refers to the ability to add and remove resources from a system or service to meet current demand, and although it plays a factor in making the tracking of virtual machines very difficult over time, it is not the best answer in this case. Resource pooling pertains to a cloud environment sharing a large amount of resources between different customers and services. Portability refers to the ability to move systems or services easily between different cloud providers.

- (Exam Topic 1)
Which jurisdiction lacks specific and comprehensive privacy laws at a national or top level of legal authority?

1. A. European Union
2. B. Germany
3. C. Russia
4. D. United States

Correct Answer: D
The United States lacks a single comprehensive law at the federal level addressing data security and privacy, but there are multiple federal laws that deal with different industries.