Latest Update: Jun 22 2026
Correct Answer: D
A is incorrect: SSH keys are used for secure remote access to systems and are unrelated to email encryption mechanisms such as S/MIME or PGP. Email encryption relies on certificate-based public/private key pairs associated with email identities. Therefore, mismatched SSH key validity dates would not affect the ability to send encrypted email messages to a specific recipient.
B is incorrect: If the external recipient’s key pair had expired, encrypted communication would typically fail in both directions. In the scenario, the external recipient can still send encrypted emails to internal users, indicating that their key pair remains usable for encryption and signing. Additionally, if a key had expired, most mail systems would detect the expiration during encryption attempts rather than relying on revocation status alone.
C is incorrect: OCSP or CRL configuration on the internal organization’s mail servers would likely affect certificate validation for multiple recipients or across the entire email infrastructure. The scenario specifies that encrypted emails work for all other recipients except one external user. Because the issue is isolated to a single recipient, a system-wide certificate validation configuration problem is unlikely.
D is correct: Email encryption systems rely on public keys that are bound to specific email identities within certificates. When sending an encrypted message, the sender’s system searches for a certificate that matches the recipient’s email address. If the email address associated with the recipient’s certificate does not match the address used by the sender, the encryption process can fail because the system cannot validate that the key belongs to the intended recipient. Since the recipient can still send encrypted messages to internal users, the most likely issue is a mismatch between the recipient’s email address and the email identity contained in their public key certificate.
Correct Answer: A
A is correct: Data protection and governance remain the responsibility of the client in a Software as a Service (SaaS) shared responsibility model. Although the cloud provider manages the infrastructure, platform, and application operation, the customer retains responsibility for the security, classification, access control, and governance of the data stored within the SaaS application. This includes ensuring proper permissions, encryption configuration where applicable, and compliance with regulatory requirements. Therefore, safeguarding and managing the data itself is the client’s responsibility.
B is incorrect: Storage infrastructure is managed by the SaaS provider. The cloud vendor is responsible for maintaining the underlying storage systems, ensuring availability, redundancy, patching, and operational security of the storage environment. Clients interact with the storage only through the application interface and do not manage the storage hardware or architecture directly.
C is incorrect: Physical security of the data centers that host SaaS infrastructure is the responsibility of the cloud service provider. This includes securing facilities, implementing surveillance, controlling physical access, and protecting the hardware hosting the service. Customers typically have no direct control or involvement in these physical protections.
D is incorrect: Network infrastructure supporting the SaaS platform is also managed by the cloud provider. The provider maintains and secures the networking components within the cloud environment, including routing, switching, and infrastructure connectivity. While the client may configure application-level access or identity controls, the underlying network infrastructure remains the provider’s responsibility.
Correct Answer: D
A is incorrect: A Trusted Platform Module (TPM) is a hardware-based cryptographic component used to store keys securely and support secure boot and device identity. While TPMs protect cryptographic material on individual devices, they are not designed to centrally manage credentials used by CI/CD pipelines or shared service accounts. Additionally, TPMs do not provide centralized auditing or access monitoring for shared credentials in development environments.
B is incorrect: Storing credentials in a local secure password file may protect them from casual access but does not provide enterprise-level security controls such as centralized management, auditing, access control policies, or integration with automated pipelines. Local storage also introduces risk if the file system is compromised and does not easily enforce the requirement that developers cannot directly access the credentials. Therefore, it does not meet the requirement for secure storage and monitoring.
C is incorrect: Multi-factor authentication (MFA) enhances authentication security for user accounts by requiring multiple verification factors. However, the requirement involves storing shared credentials used by an automated pipeline service account rather than authenticating an interactive user. MFA does not provide a secure storage mechanism for secrets or credentials and therefore does not address the core requirement of secure credential storage and monitoring.
D is correct: A key vault is designed specifically to store sensitive credentials such as API keys, passwords, certificates, and secrets in a secure and centralized repository. Key vault solutions enforce strict access controls, allowing only authorized identities such as pipeline service accounts to retrieve credentials while preventing developers from directly accessing them. Additionally, key vaults provide auditing and monitoring capabilities to track access to secrets. This approach satisfies both requirements: secure storage and restricted, monitored access to shared credentials used in the CI/CD pipeline.
Correct Answer: C
A is incorrect: Data field watermarking embeds identifying information into data to detect unauthorized copying or leakage. It is typically used for intellectual property protection and tracking distribution of documents or media. Watermarking does not replace sensitive data with tokens nor provide reversible mapping required for payment processing systems. Therefore, it is not relevant to implementing tokenization for credit card numbers.
B is incorrect: Field tagging involves labeling or classifying data fields (for example, marking fields as sensitive or confidential) to support policy enforcement such as access control or DLP rules. While field tagging can help identify which fields contain sensitive information that should be protected, it does not perform the tokenization function or manage the mapping between original data and tokens. Thus, it is not the primary consideration for the tokenization system described.
C is correct: Single-use translation aligns with tokenization systems that generate temporary tokens mapped to original sensitive values, often used in payment systems. Because the organization implemented a one-to-many mapping between the real credit card number and temporary card numbers, the tokens can be used independently without revealing the original data. In many tokenization implementations, tokens may be unique per transaction or per request, meaning they are effectively single-use representations of the underlying sensitive data. This design reduces exposure of the original card number and minimizes the impact of token compromise. Therefore, single-use translation is the key characteristic the CISO should consider.
D is incorrect: Salted hashing is a cryptographic technique that adds a random value (salt) before hashing data to prevent rainbow table attacks. However, hashing is a one-way process and does not allow the original value to be retrieved. Tokenization requires the ability to map tokens back to the original data (for example, during payment processing), so salted hashing cannot serve as a replacement for tokenization in this scenario.
Correct Answer: D
A is incorrect: SDLC. The Software Development Life Cycle (SDLC) is a framework that defines the phases involved in developing software, including planning, design, development, testing, deployment, and maintenance. While secure SDLC practices encourage integrating security controls throughout the development process, the SDLC itself does not provide specific guidance on mitigating particular web application attacks such as cross-site scripting (XSS). It establishes the methodology for building software securely but does not offer detailed vulnerability mitigation guidance for web applications.
B is incorrect: OVAL. The Open Vulnerability and Assessment Language (OVAL) is a standardized language used to describe security configuration checks and vulnerabilities on systems. It enables automated tools to determine whether systems are vulnerable or compliant with certain security baselines. However, OVAL primarily focuses on system configuration assessment and vulnerability detection, not application-level security guidance for developers. Therefore, it would not be the most appropriate source for guidance on preventing XSS vulnerabilities in a web application.
C is incorrect: IEEE. The Institute of Electrical and Electronics Engineers (IEEE) develops technical standards across many engineering and computing domains. Although IEEE publishes standards related to software engineering and information technology, it does not specifically focus on common web application security vulnerabilities or provide detailed mitigation strategies for attacks such as XSS. As a result, IEEE standards would not be the most practical reference for addressing this particular application security concern.
D is correct: OWASP. The Open Worldwide Application Security Project (OWASP) provides extensive guidance on web application security, including documentation on common vulnerabilities such as cross-site scripting. OWASP resources, such as the OWASP Top 10, developer cheat sheets, and secure coding guidelines, describe the causes of XSS vulnerabilities and recommend mitigation techniques such as input validation, output encoding, and secure framework usage. Security architects and developers commonly consult OWASP resources when designing and implementing controls to prevent web application attacks.
Correct Answer: A
A is correct: An Interconnection Security Agreement (ISA) defines the technical and security requirements for systems that connect or share data with external entities, including third-party vendors. It specifies the responsibilities of each party, the required security controls, and how sensitive data should be protected while in transit or at rest. In this scenario, the company wants to ensure vendors meet contractual security obligations for access to sensitive data. An ISA is the appropriate document to establish these requirements and ensure compliance with agreed-upon security standards.
B is incorrect: A Memorandum of Understanding (MOU) outlines the general terms of cooperation between organizations but typically does not include detailed technical or security requirements. MOUs are high-level agreements that describe intentions and responsibilities rather than enforceable security controls, making them insufficient for defining contractual security obligations for sensitive data access.
C is incorrect: A Non-disclosure Agreement (NDA) is a legal contract that protects confidential information from unauthorized disclosure. While an NDA helps ensure confidentiality, it does not specify detailed technical security controls or operational responsibilities for third-party vendors. Therefore, it does not fully define the contractual security obligations required for system access.
D is incorrect: A privacy notice informs individuals about how their personal data is collected, used, and shared by an organization. Privacy notices are intended for transparency and regulatory compliance, not for establishing contractual security obligations with third-party vendors. As such, a privacy notice is not suitable for defining technical security requirements for vendor access.
Correct Answer: B
A is incorrect: Shared service accounts allow multiple services or applications to authenticate using the same credentials. While this approach can simplify access management, it introduces significant security risks because credentials are often distributed and stored in configuration files or application code. This increases the likelihood of credential exposure and makes it difficult to track which specific workload performed an action. Since the requirement is to avoid storing long-term credentials and provide secure access for containerized applications, shared service accounts are not the best solution.
B is correct: Managed workload identities are the correct answer because they allow containerized applications to authenticate to cloud services without storing credentials in code or configuration files. The cloud platform automatically provides temporary identity tokens to workloads based on their assigned identity. These tokens are short-lived and rotated automatically, reducing the risk of credential compromise. This approach follows modern cloud security best practices by eliminating embedded secrets and using identity-based authentication mechanisms to securely access cloud resources.
C is incorrect: Static API keys are long-lived credentials used by applications to authenticate to cloud services. These keys are commonly stored in configuration files, environment variables, or source code repositories. If exposed, attackers can use them to access cloud resources until they are manually revoked. Because the scenario specifically requires avoiding long-term credentials and preventing secret storage in code, static API keys do not meet the security objective.
D is incorrect: Local credential files store authentication credentials on the local file system of an application host or container. Although they may be protected with access controls, these files still contain long-term credentials that can be stolen if the system or container is compromised. Managing and rotating these credentials also creates operational complexity. Since the requirement is to avoid storing credentials and instead use secure authentication mechanisms for container workloads, local credential files are not the best option.
Correct Answer: C
A is incorrect: Shared root shells grant multiple administrators direct privileged access to the same systems. This approach introduces configuration drift because different administrators may modify system settings manually over time. It also violates accountability and least privilege principles. Immutable infrastructure relies on controlled, reproducible builds rather than direct modification of running systems. Therefore, shared root shells undermine the consistency and repeatability required by immutable infrastructure.
B is incorrect: Manual configuration on long-lived servers is characteristic of traditional infrastructure management. Systems are patched, reconfigured, and updated directly while they continue to run. Over time this leads to configuration drift, inconsistent environments, and difficulty reproducing system states. CASP+ architectural guidance favors automated and consistent deployment methods to maintain security and reliability across environments. Manual configuration contradicts immutable infrastructure principles because the system state changes incrementally rather than being rebuilt from a trusted image.
C is correct: Immutable infrastructure is based on the concept that servers or workloads are never modified after deployment. Instead, when updates or patches are required, new instances are built from updated images and the existing instances are replaced. This approach ensures consistent configurations, eliminates configuration drift, and supports secure, repeatable deployments. CASP+ architecture guidance emphasizes automation, standardized images, and controlled deployment pipelines to maintain system integrity and reliability across environments. Replacing instances rather than modifying them directly aligns with these principles and therefore best supports immutable infrastructure.
D is incorrect: Direct production debugging involves administrators logging into live systems to troubleshoot or modify configurations. While this may resolve immediate issues, it bypasses controlled deployment processes and introduces undocumented changes to running infrastructure. Immutable infrastructure discourages direct modifications to production environments because they create inconsistencies and weaken configuration management controls. Therefore, direct production debugging conflicts with immutable infrastructure design principles.
Correct Answer: B
A is incorrect: Comparing deployed equipment to the published CVE disclosure allows the engineer to determine whether the organization’s OT devices are affected by the newly announced vulnerability. CVE advisories typically include the affected vendor products, firmware versions, and vulnerability details. By matching the deployed OT devices and their versions against the CVE information, the engineer can quickly identify which systems are susceptible and require mitigation. CASP+ guidance emphasizes using vulnerability disclosures and threat intelligence sources such as CVE databases to determine whether organizational assets are affected by known vulnerabilities.
B is correct: Passive vulnerability scanners are often used in OT environments because they minimize disruption to sensitive operational systems. However, they primarily detect vulnerabilities through network observation and behavioral analysis rather than directly confirming whether a specific CVE affects deployed devices. While useful for monitoring, this approach is less precise for determining susceptibility to a newly disclosed vulnerability.
C is incorrect: Threat hunting focuses on identifying indicators of compromise or ongoing malicious activity within a network environment. The scenario involves determining whether devices are vulnerable to a recently announced flaw, not whether an attack has already occurred. Therefore, threat hunting would not be the most appropriate initial method for identifying vulnerable OT devices.
D is incorrect: Reviewing the software inventory for vulnerable versions may help identify potentially affected systems, but it still requires correlation with the vulnerability disclosure to determine whether those versions are actually impacted. Inventory alone does not confirm exploitability or whether the vulnerability specifically applies to the deployed devices without referencing the CVE details.
Correct Answer: D
A is incorrect: The Asset Reporting Format (ARF) is a standardized reporting structure used to communicate asset information and vulnerability assessment results. It is designed to store and exchange the results of security assessments rather than define the checks themselves. In vulnerability management ecosystems, ARF acts as a container for reporting scan results or compliance information generated by scanning tools. Because the scenario requires creating a new vulnerability check for an internally discovered zero-day vulnerability, ARF does not provide the mechanism to define or implement detection logic. Instead, it is used after scanning to structure reporting data.
B is incorrect: Information Sharing and Analysis Centers (ISACs) are industry-specific organizations that facilitate sharing of threat intelligence, vulnerability information, and security best practices among member organizations. They are useful for disseminating information about emerging threats and vulnerabilities across sectors. However, ISACs do not provide a technical framework for creating vulnerability detection logic within scanning tools. In this scenario, the requirement is to create a technical check within the vulnerability management system, which ISACs do not enable.
C is incorrect: Node.js is a server-side JavaScript runtime environment used for developing web applications and backend services. While it can be used to build security tools or automation scripts, it is not a vulnerability assessment standard or specification used to define vulnerability checks within scanning frameworks. The question specifically asks for a method suited to defining checks for a vulnerability management system, which requires a standardized language for describing system configuration and vulnerability conditions rather than a programming runtime environment.
D is correct: Open Vulnerability and Assessment Language (OVAL) is a standardized language used to define and implement system vulnerability checks within vulnerability management tools. OVAL allows security engineers to create machine-readable definitions that describe how to test systems for the presence of vulnerabilities, configuration issues, or patch levels. CASP+ materials emphasize OVAL as part of the Security Content Automation Protocol (SCAP) ecosystem used for automated vulnerability assessment. In this scenario, the engineer must create a custom vulnerability check for a newly discovered zero-day vulnerability, and OVAL provides the mechanism to define the detection logic and integrate it into vulnerability scanning systems. Therefore, it is the most appropriate choice.
