Latest Update: Jun 22 2026
Correct Answer: D
A is incorrect: Drive wiping overwrites storage media with patterns of data to remove previously stored information. While wiping can be effective when performed correctly and multiple passes are used, it depends on the reliability of the wiping process and the integrity of the storage device. Additionally, some modern storage technologies such as SSDs may not guarantee complete overwriting due to wear-leveling mechanisms. Because the question requires the best method to ensure no data remnants can be recovered prior to disposal, wiping may not provide the highest assurance.
B is incorrect: Degaussing uses a strong magnetic field to disrupt the magnetic domains on traditional magnetic storage media such as hard disk drives and magnetic tapes. This process renders the stored data unreadable and can also make the device inoperable. However, degaussing is only effective on magnetic storage media and does not work on solid-state drives or other non-magnetic storage technologies commonly found in modern servers. Because servers may contain multiple storage types, degaussing alone may not ensure complete data destruction in all cases.
C is incorrect: Purging is a broader data sanitization category that includes methods such as cryptographic erasure, degaussing, or other techniques designed to make data unrecoverable using laboratory techniques. While purging represents a strong sanitization level in data destruction standards, it describes a classification of sanitization methods rather than a specific action. The question asks for the best method to ensure that no data remnants can be recovered prior to disposal. A more definitive and direct approach is physical destruction of the storage media.
D is correct: Physical destruction is the correct answer because it ensures that storage media cannot be reconstructed or accessed. This process involves shredding, crushing, drilling, or otherwise destroying the physical components of storage devices so that the platters, chips, or storage cells are permanently damaged. Physical destruction provides the highest level of assurance that sensitive data cannot be recovered, regardless of the storage technology used. For hardware that is being discarded and will not be reused, physical destruction is considered the most definitive method for eliminating any possibility of data recovery.
Correct Answer: A
A is correct: Static Application Security Testing (SAST) analyzes source code, bytecode, or binaries without executing the application. SAST tools integrate directly into development environments and CI/CD pipelines, allowing developers to detect vulnerabilities while writing or compiling code. This enables early identification of security issues such as injection flaws, insecure functions, and improper input validation before the application is deployed. CASP+ secure development practices emphasize using SAST early in the software development lifecycle to detect vulnerabilities during coding and ensure issues are addressed before release.
B is incorrect: Dynamic Application Security Testing (DAST) evaluates a running application from the outside by simulating attacks against the deployed system. While effective for identifying runtime vulnerabilities in web applications, DAST occurs after the application has been built and deployed to a test environment. Because the requirement is to allow developers to validate code as it is written, DAST does not meet the need for early-stage code validation.
C is incorrect: Fuzz testing involves supplying unexpected or malformed input to an application to identify crashes, memory leaks, or unexpected behavior. While fuzzing can uncover vulnerabilities, it generally requires the application to be compiled and running. Therefore, it is not typically used to validate code during development as it is written.
D is incorrect: An intercepting proxy is a tool used in application testing to capture and modify web traffic between a client and server. Security testers use proxies to analyze requests and responses and attempt exploitation during penetration testing. However, this method focuses on runtime testing of deployed applications rather than validating source code during development.
Correct Answer: B
A is incorrect: SCAP scanners evaluate systems against security configuration baselines and vulnerability definitions using standardized content such as OVAL and XCCDF. While SCAP tools help identify vulnerabilities and configuration issues, they still rely on network-based discovery or host information and may encounter the same duplication problem when scanning multihomed systems with multiple interfaces. Therefore, using a SCAP scanner would not directly solve the issue of vulnerability duplication across multiple NICs.
B is correct: Deploying an agent on each host allows the vulnerability management platform to associate scan results directly with the host itself rather than relying on network interface identification. Agent-based scanning collects vulnerability data locally from the system and reports it to the scanning platform, which eliminates duplicate entries that occur when multiple network interfaces are detected. This approach ensures vulnerabilities are correlated with the correct system regardless of the number of NICs present. As a result, agent-based scanning effectively deduplicates vulnerability findings and provides more accurate host-level reporting.
C is incorrect: A discovery scan identifies active hosts, services, and open ports across the network. It is typically used during the initial phase of vulnerability scanning to determine which systems exist in the environment. However, discovery scanning does not address the duplication of vulnerabilities caused by multihomed systems because it still treats each network interface as a separate scan target. Therefore, it would not resolve the deduplication issue described in the scenario.
D is incorrect: Nmap is a network scanning tool used to identify hosts, open ports, and services running on systems. It is commonly used for network reconnaissance, service enumeration, and basic vulnerability detection when combined with scripts. However, Nmap operates at the network level and would not resolve the duplication problem caused by multiple NICs on a single host. The issue requires associating vulnerabilities with the system itself rather than its network interfaces, which is best accomplished using host-based agents.
Correct Answer: A
A is correct: Network security. This is the correct answer because in the Platform as a Service (PaaS) shared responsibility model the cloud provider manages the underlying infrastructure, operating system, runtime, and platform services, while the customer remains responsible for securing the applications and configurations deployed within the platform. This includes configuring network security controls such as security groups, firewall rules, access control policies, and segmentation for the deployed applications. Therefore, customers must ensure their applications are properly restricted and protected from unauthorized network access.
B is incorrect: Physical security. Physical security of the data center environment—including facilities, physical access control systems, environmental protections, and hardware protection—is handled entirely by the cloud service provider in all cloud service models (IaaS, PaaS, and SaaS). Customers do not have access to or responsibility for securing the provider’s physical infrastructure.
C is incorrect: OS security. In the PaaS model, the cloud provider manages the operating system that supports the platform environment. This includes tasks such as OS patching, system hardening, and vulnerability management at the operating system level. Customers interact with the platform through development frameworks and runtime environments rather than managing the OS directly.
D is incorrect: Host infrastructure. Host infrastructure refers to the physical servers, storage systems, virtualization layer, and core networking infrastructure that support the cloud platform. These components are fully managed and secured by the cloud provider in the PaaS model. Customers are abstracted from this layer and therefore do not manage or secure the host infrastructure.
Correct Answer: B
A is incorrect: Creating a change management process establishes a structured method for reviewing, approving, and implementing changes to systems or infrastructure. While change management contributes to maintaining system stability and reducing operational risk, it does not directly provide a way to measure or quantify the effectiveness of security controls. Since the scenario specifically requires establishing measures to evaluate and communicate control effectiveness, change management alone would not fulfill that requirement.
B is correct: Establishing key performance indicators (KPIs) is the correct answer because KPIs provide measurable metrics used to evaluate the effectiveness and performance of security controls over time. Organizations use KPIs to quantify how well security processes are functioning and to communicate results to leadership and stakeholders. Examples might include metrics related to patching timelines, incident detection rates, or compliance levels with security policies. By defining KPIs, the organization can objectively measure control effectiveness and track improvements or deficiencies as part of a security assessment roadmap.
C is incorrect: Creating an integrated master schedule is a project management tool used to coordinate timelines and dependencies across multiple projects or programs. While such schedules help manage project delivery and resource allocation, they do not directly establish measurable indicators for evaluating security control effectiveness. Because the requirement focuses on quantifying and communicating the effectiveness of controls, a project scheduling artifact would not address the measurement requirement.
D is incorrect: Developing a communication plan outlines how information will be shared among stakeholders, including reporting structures, communication channels, and escalation paths. Although communication plans help ensure stakeholders receive relevant information, they do not define the metrics or measurement framework required to evaluate security controls. Without defined metrics such as KPIs, communication alone cannot effectively convey the performance or effectiveness of security controls.
E is incorrect: Performing a security control assessment evaluates whether security controls are properly implemented and functioning as intended. While such assessments are important for identifying weaknesses and verifying compliance, they represent an activity rather than a measurement framework. The question specifically states that the organization must establish measures to quantify and communicate effectiveness. Therefore, defining measurable indicators such as KPIs is the necessary step before or alongside performing assessments.
Correct Answer: B
A is incorrect: Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time, such as the amount of data that can be lost during a disruption. While important for disaster recovery planning, RPO does not quantify financial impact or expected annual loss from recurring threats.
B is correct: Annualized Loss Expectancy (ALE) is a quantitative risk metric that estimates the expected monetary loss from a threat over a one-year period. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO). ALE directly provides a financial estimate for planning and risk management purposes, making it the appropriate metric for quantifying expected loss from recurring threats.
C is incorrect: Mean Time Between Failure (MTBF) measures the average time between failures of a system or component. While useful for reliability and maintenance planning, MTBF does not provide an estimate of financial loss or risk exposure due to recurring threats.
D is incorrect: Key Risk Indicators (KRIs) are metrics used to monitor and track the level of risk exposure for specific risk areas. KRIs provide early warning signals but do not directly quantify expected annual monetary loss from threats.
Correct Answer: C
A is incorrect: Network load balancing distributes incoming traffic across multiple backend systems to improve availability and performance. While load balancers can generate operational logs about traffic distribution, they are not designed to aggregate telemetry or analyze security events across different cloud environments. Because the requirement involves detecting suspicious activity across multiple cloud providers using unified analytics, load balancing does not provide the necessary centralized monitoring or correlation capabilities.
B is incorrect: Host-based intrusion detection systems (HIDS) monitor activity on individual hosts by analyzing system logs, file integrity, and local behavior for signs of compromise. Although HIDS can detect suspicious activity on specific machines, they operate at the host level and do not inherently provide centralized visibility across multiple cloud providers or environments. Managing multiple isolated HIDS deployments would not offer the unified analytics platform required by the scenario.
C is correct: Centralized SIEM ingesting cloud audit logs is the correct answer because SIEM platforms aggregate and correlate telemetry from multiple sources into a unified analytics system. By ingesting cloud control plane audit logs from different providers, the SIEM can monitor administrative actions, infrastructure changes, and API usage across all environments. This centralized visibility allows analysts to detect suspicious activity patterns, correlate events across providers, and investigate incidents using a single analytics platform. Security operations practices emphasize SIEM integration with cloud audit logs to enable enterprise-wide monitoring and detection.
D is incorrect: Reverse proxy inspection monitors and filters web traffic that passes through a proxy before reaching backend services. Reverse proxies can provide application-layer security, authentication enforcement, and request logging. However, they only analyze traffic routed through the proxy and do not provide visibility into cloud control plane activities or infrastructure-level events across multiple cloud providers. Since the requirement is to detect suspicious activity across cloud environments broadly, reverse proxy inspection does not meet the objective.
Correct Answer: D
A is incorrect: "have non-deterministic behavior and are not deployed with encryption." Non-deterministic communication means that message delivery timing cannot be guaranteed. Real-time safety-critical systems—such as those used in industrial control systems, avionics, or automotive control networks—require predictable and guaranteed timing behavior for commands and responses. Non-deterministic buses would introduce timing uncertainty, which could lead to system instability or unsafe operations. Therefore, this option is inconsistent with the fundamental design requirements of safety-critical real-time systems.
B is incorrect: "have non-deterministic behavior and are deployed with encryption." Although encryption can improve confidentiality and integrity, non-deterministic communication timing remains incompatible with real-time safety-critical environments. These systems depend on guaranteed message delivery timing to ensure that control instructions occur within strict time windows. Encryption alone does not resolve timing unpredictability, and introducing cryptographic operations can add latency that interferes with real-time requirements. Therefore, this combination does not align with the operational characteristics of safety-critical serial communication systems.
C is incorrect: "have deterministic behavior and are deployed with encryption." Deterministic communication—where message timing and delivery are predictable—is indeed a critical requirement for real-time safety systems. However, traditional safety-critical serial buses such as those used in industrial or embedded control environments often prioritize timing reliability and minimal latency over cryptographic protections. Encryption introduces processing overhead and latency that may interfere with strict timing constraints. Consequently, these buses historically do not include built-in encryption mechanisms, making this option less accurate.
D is correct: "have deterministic behavior and are not deployed with encryption." This is the correct answer because real-time, safety-critical systems rely on deterministic communication, meaning the timing of messages on the bus is predictable and consistent. Deterministic behavior ensures that commands and control signals are delivered within guaranteed time frames, which is essential for systems controlling physical processes or safety mechanisms. Many traditional serial buses used in such environments—such as those in industrial control systems or embedded devices—were designed before modern cybersecurity requirements and therefore often lack native encryption. The design priority is predictable timing and reliability rather than cryptographic protection.
Correct Answer: D
A is incorrect: Exporting weekly reports and manually disabling accounts introduces delays and human error. If accounts are reviewed only once per week, terminated employees could retain access for several days after termination, creating a significant security risk. Manual processes are also less reliable and harder to enforce consistently in large environments.
B is incorrect: Granting human resources staff permission to disable accounts directly may speed up the process, but it introduces additional access control risks by expanding administrative privileges beyond the IT or identity management teams. It also relies on manual action, which can still result in delays or mistakes.
C is incorrect: Configuring login times to business hours does not address the core issue of terminated employees retaining active accounts. Even with time restrictions, former employees could still authenticate during allowed hours if their accounts remain active. Therefore, this control does not sufficiently mitigate the risk.
D is correct: Integrating the human resources information system (HRIS) with Active Directory allows account status changes to occur automatically when employee status changes are recorded in the HR system. When an employee is marked as terminated, the integration can immediately disable the corresponding account, reducing the window of unauthorized access and eliminating reliance on manual intervention. CASP+ identity governance practices emphasize automating identity lifecycle management by integrating HR systems with identity and access management platforms to enforce timely provisioning and deprovisioning of accounts.
Correct Answer: C
A is incorrect: Endpoint monitoring focuses on detecting suspicious processes, malware, or anomalous activity occurring on hosts or endpoints. While it can identify malicious behavior at runtime, it does not verify the integrity or authenticity of container images before they are deployed into production. The requirement is to ensure the image itself has not been altered since security approval, which endpoint monitoring does not guarantee.
B is incorrect: Firewall filtering enforces network access control policies by allowing or blocking traffic based on rules such as IP addresses, ports, and protocols. Firewalls protect systems from unauthorized network communications but do not validate the integrity of container images or ensure that images deployed in production are the same as those approved by security teams. Therefore, firewall filtering does not address the supply chain integrity requirement described in the scenario.
C is correct: Container image signing is the correct answer because it provides cryptographic verification that an image has not been altered since it was approved and signed. During the build or approval process, the image is digitally signed using a trusted key. When the image is later deployed, the platform verifies the signature to ensure the image matches the approved version and has not been tampered with. This mechanism enforces integrity and authenticity for container artifacts within the software supply chain and is commonly integrated into Kubernetes admission controls or container registries.
D is incorrect: Network segmentation divides networks into smaller zones to restrict communication between systems and reduce lateral movement risks. Although segmentation improves overall security architecture, it does not verify the integrity of container images or ensure that deployed artifacts match approved versions. Because the scenario requires validating that container images have not been modified since approval, segmentation does not address the requirement.
