Latest Update: Jun 22 2026
Correct Answer: B
A is incorrect: Service Level Agreements (SLAs) define the expected level of service between a provider and a customer, including performance metrics, availability targets, and response times. While SLAs are important for defining operational expectations for help desk services, they do not typically specify security requirements or technical controls needed for establishing secure connectivity such as a dedicated VPN between organizations.
B is correct: Interconnection Security Agreements (ISAs) are the correct answer because they define the security requirements, responsibilities, and technical specifications for connecting two organizations’ information systems. An ISA typically includes details about authentication mechanisms, encryption requirements, network boundaries, and monitoring responsibilities for the connection. CASP+ materials describe ISAs as the formal documentation required when establishing secure system-to-system connections, such as VPNs between partner organizations.
C is incorrect: Non-disclosure agreements (NDAs) are legal contracts used to protect confidential information shared between organizations. While an NDA may be necessary when working with external partners, it focuses on protecting sensitive information rather than defining technical and security controls for network interconnections.
D is incorrect: Memorandums of Understanding (MOUs) describe general intentions and cooperative relationships between organizations but are typically less formal and do not include detailed security control requirements. An MOU might outline the purpose of collaboration, but it would not contain the specific security details needed for implementing a VPN connection.
Correct Answer: A
A is correct: Instance-based encryption is performed inside the virtual machine or at the operating-system layer of the cloud instance, so data is encrypted before it is written to storage. The customer controls the keys and the encryption process rather than relying on the provider's infrastructure components. CASP+ guidance is that when an organization requires the highest level of security, encryption should happen as close to the data owner as possible so the owner keeps control of key management and the cryptographic process. In an IaaS environment, instance-based encryption therefore gives the strongest assurance: the storage subsystem and the provider's storage administrators only ever see ciphertext. Two caveats apply in practice. The key-encrypting key must not live on the instance's own disk, or a volume snapshot captures ciphertext and key together; it should be fetched from a customer-controlled key manager or HSM and held only in memory. And the hypervisor can still read instance memory, so this model protects against the storage tier, not against a compromised provider control plane. With those caveats, instance-level encryption aligns with a defense-in-depth approach and is the most secure option when the organization demands maximum control over encryption.
B is incorrect: Storage-based encryption is performed at the storage service layer by the cloud provider. It protects data at rest, but the encryption and key handling are done by the provider's storage infrastructure rather than by the customer-controlled compute instance, which lowers administrative overhead at the cost of direct control over the implementation and the keys. From a CASP+ governance perspective it is sufficient for many workloads, but it does not give the same assurance as encrypting data before it reaches the storage layer. Because the CEO explicitly requires the highest level of security, relying solely on storage-layer encryption is the weaker choice.
C is incorrect: Proxy-based encryption routes traffic through an intermediary that encrypts or decrypts data before it reaches its destination, as in gateway encryption scenarios or for protecting communications across networks. It adds another system to the data path, and plaintext exists on that proxy rather than only inside the compute instance. In an IaaS architecture it addresses data in transit or gateway protection rather than giving the strongest control over encryption at the workload level, so it is not the most appropriate option when the question emphasizes maximum security for the cloud implementation.
D is incorrect: Array controller-based encryption is done in the storage hardware controller, within the storage array or disk subsystem. It is a hardware approach common in traditional data-center storage and is efficient with little performance impact, but it is managed by the storage platform, not the compute instance. In a cloud environment that places encryption control entirely in the provider's storage infrastructure, where the keys and plaintext are available to whoever administers that array. CASP+ architectural principles favor encryption closer to the application or instance when the highest assurance is required, where the organization keeps control of keys and encryption processes, so array controller-based encryption is not the best choice in this scenario.
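To make the distinction concrete, here is an added example (not from the exam materials) of what instance-based encryption looks like in code: the instance generates a per-object data key, encrypts the data with it, wraps the data key under a customer-held key-encrypting key, and hands only ciphertext plus the wrapped key to storage. The KEK source is an assumption (in practice a customer-controlled key manager or HSM); the object ID and the sample record are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedBlob is everything the instance hands to the storage layer. It carries
// ciphertext and a wrapped data key, never plaintext and never an unwrapped key,
// so the storage tier and its administrators see nothing usable.
type EncryptedBlob struct {
	WrappedDEK []byte // per-object data key, sealed under the customer-held KEK
	DEKNonce   []byte
	Ciphertext []byte // object data, sealed under the DEK
	DataNonce  []byte
}

// gcmSeal encrypts plaintext with AES-256-GCM under key, binding aad to the result.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if key, nonce, aad or ciphertext differ.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptInInstance runs inside the VM before any write: a fresh 256-bit DEK per
// object, data sealed under the DEK, DEK sealed under the KEK. The object ID is
// bound as associated data so a blob cannot be moved between objects undetected.
// kek is assumed (hypothetically) to come from a customer-controlled key manager
// at boot and to be held only in memory, never on the instance's disk.
func EncryptInInstance(kek, plaintext []byte, objectID string) (*EncryptedBlob, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := gcmSeal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{WrappedDEK: wrapped, DEKNonce: dekNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// DecryptInInstance unwraps the DEK with the KEK, then opens the data. Anyone
// holding only the blob (the storage layer, a volume snapshot) cannot do this.
func DecryptInInstance(kek []byte, b *EncryptedBlob, objectID string) ([]byte, error) {
	dek, err := gcmOpen(kek, b.DEKNonce, b.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK or tampered blob")
	}
	return gcmOpen(dek, b.DataNonce, b.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // constructed for the demo only
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	plaintext := []byte("customer record 42: card ending 1234") // constructed sample data
	blob, err := EncryptInInstance(kek, plaintext, "orders/42")
	if err != nil {
		panic(err)
	}
	fmt.Println("storage layer sees plaintext?", bytes.Contains(blob.Ciphertext, plaintext))
	out, err := DecryptInInstance(kek, blob, "orders/42")
	fmt.Println("instance recovers plaintext?", err == nil && bytes.Equal(out, plaintext))
	_, err = DecryptInInstance(make([]byte, 32), blob, "orders/42")
	fmt.Println("without the KEK:", err)
}
```

The storage layer receives only an EncryptedBlob; without the KEK neither the data nor the data key can be recovered, which is the property that separates this option from storage-, proxy- and array-level encryption. Binding the object ID as associated data also stops a storage administrator from silently swapping blobs between objects.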
Correct Answer: A
A is correct: Securely configuring authentication mechanisms is the correct responsibility for the DevOps team in a PaaS environment. In the cloud shared responsibility model, the cloud service provider manages the underlying infrastructure, including hardware, networking, and operating systems, while the customer is responsible for securing applications, identities, access control, and configuration of services deployed on the platform. Since the DevOps team deployed databases, event-driven services, and an API gateway, they must ensure that authentication and authorization mechanisms—such as API authentication, identity management, and access policies—are securely configured. Proper identity and access management is a critical customer responsibility in PaaS because misconfigured authentication could expose sensitive billing data or APIs.
B is incorrect: Patching the infrastructure at the operating system level is generally the responsibility of the cloud service provider in a PaaS model. One of the key benefits of PaaS is that the provider manages the underlying operating systems, runtime environments, and infrastructure updates, which reduces operational overhead for the customer and keeps platform maintenance consistent. The DevOps team focuses on application configuration, data protection, and access controls rather than maintaining the OS or platform infrastructure. Therefore, patching the operating system is not a responsibility the DevOps team must perform in this model.
C is incorrect: Executing port scanning against the services is typically part of security testing or vulnerability assessment activities rather than a core operational security responsibility. Additionally, many cloud providers restrict or require authorization for active scanning of cloud resources to avoid unintended service disruption or policy violations. While organizations may perform vulnerability assessments as part of a broader security program, the question asks which security responsibility the DevOps team must perform within the PaaS shared responsibility model. Port scanning is not the primary security responsibility in this context.
D is incorrect: Upgrading the service as part of life-cycle management is typically handled by the cloud service provider in a PaaS model. Providers manage platform updates, runtime environments, and service lifecycle improvements to maintain platform stability and security. Customers using PaaS consume these services and focus on application code, configuration, and integration with other services. Because the provider maintains the platform services themselves, the DevOps team is not responsible for upgrading the underlying PaaS services as part of infrastructure lifecycle management.
Correct Answer: C
A is incorrect: Risk rejection means leaving a risk unaddressed. It is often conflated with risk acceptance, but acceptance is a deliberate, documented decision to tolerate a risk, whereas rejection is simply not acting on it. In either case the organization takes no step to reduce or transfer the risk and bears the consequences if it materializes. The scenario states that the company is considering purchasing cybersecurity insurance to handle incidents, which is an action to manage the financial impact rather than passive acceptance. Therefore, risk rejection does not describe the strategy being used.
B is incorrect: Risk mitigation involves implementing controls that reduce either the likelihood of a risk occurring or the severity of its impact. Examples include deploying security tools, improving monitoring, implementing stronger authentication, or hardening systems. While mitigation reduces exposure to threats, purchasing cyber insurance does not reduce the probability of an incident or strengthen security controls. Instead, it focuses on managing financial consequences if a breach occurs. Therefore, mitigation does not accurately describe the response outlined in the scenario.
C is correct: Risk transference is the correct answer because it shifts the financial impact or responsibility for a risk to a third party, commonly through insurance policies, contractual agreements, or outsourcing arrangements. By purchasing cybersecurity insurance, the company transfers a portion of the financial risk of cyber incidents, such as breach response costs, legal expenses, or recovery costs, to the insurer. Transference does not eliminate the risk itself; it reduces the organization's financial exposure if the event occurs. Two practical limits are worth remembering: insurers impose conditions (minimum security controls, exclusions, and coverage limits), and regulatory or contractual accountability for a breach cannot be transferred, only part of its cost.
D is incorrect: Risk avoidance occurs when an organization eliminates the risk entirely by discontinuing the activity that creates the risk. For example, a company might stop offering a vulnerable service, avoid storing sensitive data, or remove an exposed system from operation. In the scenario, the organization is not eliminating the activity that exposes it to cyber risk; instead, it continues operating while planning to purchase insurance to manage potential losses. Because the risk remains present, this approach does not represent risk avoidance.
Correct Answer: C
A is incorrect: DHCP reservation tables are used to assign consistent IP addresses to devices based on MAC addresses. While useful for network management and device identification, they do not collect or analyze security telemetry. They also lack capabilities for event correlation, log aggregation, and alert generation across multiple systems. CASP+ guidance on security operations emphasizes centralized monitoring platforms for analyzing security events. Therefore, DHCP reservations do not provide centralized logging or threat correlation capabilities.
B is incorrect: Static ACL reviews involve examining configured access control lists on network devices to ensure proper filtering rules are in place. While ACLs contribute to network security by controlling traffic flows, reviewing them is a manual configuration or auditing activity rather than a monitoring or analytics platform. Static ACL reviews cannot aggregate logs from diverse sources or correlate security events across hybrid environments. Consequently, this option does not fulfill the requirement for centralized logging and correlation.
C is correct: A Security Information and Event Management (SIEM) platform aggregates logs from multiple sources—including servers, network devices, applications, and cloud services—and correlates events to detect potential security incidents. SIEM systems analyze log data, generate alerts, and provide centralized visibility across hybrid environments. CASP+ materials highlight SIEM solutions as essential components for monitoring, log aggregation, and incident detection across enterprise infrastructures. Because SIEM platforms centralize logs, alerts, and event correlation, they are the best capability for this requirement.
D is incorrect: Port security is a switch-level control that restricts which devices can connect to a network port based on MAC addresses. It helps prevent unauthorized devices from connecting to a network but does not collect logs or perform event correlation across infrastructure components. While port security contributes to network access control, it does not provide centralized monitoring or analytics capabilities required for hybrid security operations. Therefore, it does not satisfy the requirement described in the question.
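As an added illustration (not part of the exam explanation) of the correlation a SIEM performs that none of the other options can, the following Go program normalizes lines from two hypothetical sources, a VPN gateway and a web application, into one event schema and raises an alert when a single source IP accumulates three authentication failures across both sources within five minutes and then succeeds. The log formats, usernames and IP addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Event is the normalized form every log source is mapped to before correlation.
type Event struct {
	Time                time.Time
	Source, SrcIP, User string
	Success             bool
}

// Alert: one source IP failed >= threshold times (across any sources) inside
// the window and then authenticated successfully somewhere.
type Alert struct {
	SrcIP, User string
	Failures    int
	At          time.Time
}

// Hypothetical line formats for two sources (constructed for this example):
//   2024-03-01T10:00:05Z vpngw: auth FAIL user=alice src=203.0.113.7
//   2024-03-01T10:03:40Z webapp login result=success user=alice ip=203.0.113.7
var (
	vpnRe = regexp.MustCompile(`^(\S+) vpngw: auth (OK|FAIL) user=(\S+) src=(\S+)$`)
	webRe = regexp.MustCompile(`^(\S+) webapp login result=(success|failure) user=(\S+) ip=(\S+)$`)
)

// ParseLine normalizes one raw line; ok is false for lines from unknown sources.
func ParseLine(line string) (ev Event, ok bool) {
	var m []string
	var source, okWord string
	if m = vpnRe.FindStringSubmatch(line); m != nil {
		source, okWord = "vpngw", "OK"
	} else if m = webRe.FindStringSubmatch(line); m != nil {
		source, okWord = "webapp", "success"
	} else {
		return Event{}, false
	}
	t, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{Time: t, Source: source, User: m[3], SrcIP: m[4], Success: m[2] == okWord}, true
}

// Correlate orders events by time (collectors receive them out of order) and
// keeps a sliding window of recent failures per source IP.
func Correlate(events []Event, threshold int, window time.Duration) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	recent := map[string][]Event{}
	var alerts []Alert
	for _, e := range events {
		kept := recent[e.SrcIP][:0] // drop failures that fell out of the window
		for _, f := range recent[e.SrcIP] {
			if e.Time.Sub(f.Time) <= window {
				kept = append(kept, f)
			}
		}
		if !e.Success {
			recent[e.SrcIP] = append(kept, e)
			continue
		}
		recent[e.SrcIP] = kept
		if len(kept) >= threshold {
			alerts = append(alerts, Alert{SrcIP: e.SrcIP, User: e.User, Failures: len(kept), At: e.Time})
			recent[e.SrcIP] = nil // reset after alerting
		}
	}
	return alerts
}

// SampleLogs are constructed lines from both sources, deliberately out of order.
var SampleLogs = []string{
	"2024-03-01T10:00:20Z vpngw: auth FAIL user=alice src=203.0.113.7",
	"2024-03-01T10:01:10Z webapp login result=failure user=alice ip=203.0.113.7",
	"2024-03-01T10:00:05Z vpngw: auth FAIL user=alice src=203.0.113.7",
	"2024-03-01T10:02:00Z vpngw: auth FAIL user=bob src=198.51.100.9",
	"2024-03-01T10:02:30Z vpngw: auth OK user=bob src=198.51.100.9",
	"2024-03-01T10:03:40Z webapp login result=success user=alice ip=203.0.113.7",
	"2024-03-01T10:04:00Z kernel: eth0 link up", // unknown source, ignored
}

// RunSample parses the sample and correlates with 3 failures in 5 minutes.
func RunSample() []Alert {
	var events []Event
	for _, l := range SampleLogs {
		if e, ok := ParseLine(l); ok {
			events = append(events, e)
		}
	}
	return Correlate(events, 3, 5*time.Minute)
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("ALERT %s user=%s: %d failures then success at %s\n", a.SrcIP, a.User, a.Failures, a.At.Format(time.RFC3339))
	}
}
```

Neither source alone crosses the threshold (two failures on the VPN gateway, one on the web application), so the alert only exists because both logs were aggregated and normalized first. That cross-source view is what a DHCP table, an ACL review, or port security cannot provide; the one user with a single failure followed by success (bob) correctly produces nothing.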
Correct Answer: D
A is incorrect: Encouraging the team to accelerate the replacement timeline could reduce long-term risk, but the scenario states that the legacy system remains critical and will be replaced within the year. Insisting on immediate replacement provides no practical mitigation for the current operational requirement; security architecture decisions must balance operational continuity with risk reduction rather than removing required functionality without an alternative.
B is incorrect: Air-gapping the system and managing it from a dedicated laptop running an end-of-life operating system over a crossover cable would isolate it from network threats, but at the cost of operational complexity and maintenance burden, and it relies on unsupported software and hardware that bring vulnerabilities of their own. It also conflicts with the requirement that the system keep interacting with network infrastructure for SNMP monitoring, so it is more disruptive than necessary.
C is incorrect: A vendor update that removes the Flash requirement would be the ideal long-term fix, but it does not mitigate the immediate operational risk. The system will be replaced within a year and there is no guarantee the vendor can or will ship an updated version, so this is not a reliable short-term mitigation strategy.
D is correct: Isolating the management interface in a private VLAN limits exposure of the vulnerable Flash-based interface to the rest of the network while still allowing the SNMP monitoring traffic the system needs. Running the legacy browser in a virtual machine contains the risk further: the outdated browser and Flash runtime never sit on a primary workstation, and the VM can be controlled, monitored, and reverted to a clean snapshot after each management session. In practice that VM should have no connectivity beyond the management VLAN and no access to the user's credentials or file shares, so that a compromise of the browser stops there. This approach supports continued management of the legacy system while applying compensating controls (network segmentation and virtualization) to reduce the attack surface, in line with secure design principles for legacy technologies that cannot immediately be replaced.
Correct Answer: D
A is incorrect: A. Implement network access control to perform host validation of installed patches. Network access control (NAC) can verify endpoint posture—such as patch levels, antivirus status, or configuration compliance—before granting network access. While NAC supports enforcing security baselines at connection time, it typically validates compliance attributes rather than performing full vulnerability scans. In the scenario, the organization already relies on dedicated vulnerability scanners deployed within subnets, and remote laptops rarely connect to the internal network. NAC alone would not provide the same depth of vulnerability analysis required by the existing scanning approach. Therefore, this option only partially addresses the requirement.
B is incorrect: B. Create an 802.1X implementation with certificate-based device identification. IEEE 802.1X provides network authentication and device identity verification through mechanisms such as certificate-based authentication. This control ensures only authorized devices connect to the network. However, 802.1X focuses on authentication and access control, not vulnerability scanning or validation of security baselines related to software vulnerabilities. As a result, while it strengthens network access security, it does not ensure that remote endpoints are scanned for vulnerabilities before being granted access.
C is incorrect: C. Create a vulnerability scanning subnet for remote workers to connect to on the network at headquarters. Establishing a dedicated scanning subnet at headquarters would require remote workers to physically connect to the corporate network for scanning. This is impractical for remote users who may rarely visit corporate offices, and it does not address the scenario's key challenge: ensuring remote endpoints are assessed even when they are not regularly connected to the internal network infrastructure. Therefore, this approach does not scale for a distributed workforce.
D is correct: D. Install a vulnerability scanning agent on each remote laptop to submit scan data. This is the correct answer because agent-based vulnerability scanning allows endpoints to be assessed regardless of their location or network connectivity. Installing scanning agents on remote laptops enables the organization to collect vulnerability data and enforce security baseline checks even when devices are outside the corporate network. The agent can transmit scan results to a central management system once connectivity is available. This approach ensures remote worker devices are continuously evaluated and meet security requirements before being granted access to enterprise resources.
Correct Answer: D
A is incorrect: A screened subnet (DMZ) architecture places public-facing systems in a separate network segment isolated from internal networks. While this design improves perimeter security and protects internal resources from external threats, it primarily focuses on separating external services from internal infrastructure. It does not provide granular segmentation between containerized workloads with different data classifications within the same virtualized environment. Therefore, it would not adequately address the requirement for fine-grained policy control and workload isolation.
B is incorrect: A virtual private cloud (VPC) provides logical network isolation within a cloud provider’s environment. It allows organizations to define subnets, routing policies, and security controls around cloud resources. While a VPC provides network-level segmentation and isolation from other tenants in the cloud, it does not inherently provide granular workload-level segmentation between containers with different data classifications. Additional controls would still be required to enforce policies between individual workloads.
C is incorrect: Serverless functions allow developers to run application logic without managing the underlying servers. While this model improves scalability and operational efficiency, it does not specifically address the requirements for isolating containerized workloads with different classification levels or enforcing granular segmentation policies. Serverless architectures also abstract much of the infrastructure control away from the organization, making them less suitable for detailed policy enforcement between workloads.
D is correct: Microsegmentation divides a network or virtualized environment into very small, isolated segments, each governed by fine-grained security policy. In containerized and virtualized environments it lets administrators enforce access controls between individual workloads, containers, or application components according to their classification level and security requirements, with policy managed centrally and attached to workload identity or labels rather than to IP ranges that change as containers are rescheduled. Isolating workloads this way limits lateral movement, so a compromised low-classification container cannot reach high-classification ones, and contains malware propagation; it is a strong control against advanced persistent threats rather than a guarantee against them.
Correct Answer: D
A is incorrect: Endpoint antivirus protects individual systems by detecting malware, malicious files, or suspicious processes on endpoints such as servers or workstations. It focuses on host-level threats like viruses, trojans, and ransomware. However, the scenario concerns detecting unauthorized changes to cloud infrastructure across multiple cloud accounts, which typically involves configuration drift, unauthorized resource creation, or misconfigurations in cloud environments. Endpoint antivirus does not monitor cloud infrastructure configurations or account-level changes, so it does not address the stated requirement.
B is incorrect: Network intrusion detection systems (NIDS) monitor network traffic for indicators of compromise, malicious patterns, or suspicious communication behavior. They analyze packets and network flows to detect attacks such as reconnaissance, exploitation attempts, or command-and-control traffic. While NIDS improves visibility into network threats, it does not track configuration changes in cloud control planes or detect unauthorized modifications to cloud infrastructure resources, many of which are made through the provider's API rather than over a network segment the sensor can see. Because the scenario focuses on monitoring infrastructure changes across cloud accounts, NIDS does not best satisfy the requirement.
C is incorrect: Reverse proxy logging captures request and response information from traffic passing through a reverse proxy, typically for web applications. These logs help analyze client behavior, detect malicious HTTP requests, and support troubleshooting or forensic investigations. However, reverse proxy logs only provide visibility into application-layer traffic and do not monitor cloud resource configurations or administrative changes within cloud platforms. Since the requirement involves identifying unauthorized infrastructure modifications across multiple cloud accounts, reverse proxy logging is not the most appropriate solution.
D is correct: Cloud Security Posture Management (CSPM) is the correct answer because it continuously monitors cloud environments for misconfigurations, policy violations, and unauthorized infrastructure changes. CSPM solutions integrate with cloud provider APIs to assess security configurations, track changes across accounts, and enforce compliance with security policies and governance frameworks. These tools provide centralized visibility across multi-account or multi-cloud deployments and generate alerts when infrastructure changes deviate from approved configurations. Security guidance for cloud environments highlights CSPM as a key capability for detecting configuration drift and unauthorized changes in cloud infrastructure.
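What a CSPM tool does at the control-plane level can be shown with a small drift check; the following is an added example, not code from any CSPM product or from the exam materials. It compares the ingress rules observed on security groups in two hypothetical accounts against an approved baseline (what the provider API returns versus what infrastructure-as-code declared) and reports unauthorized rules, removed rules and unmanaged groups, escalating severity when a rule opens a port to the whole internet. Account IDs, group names and rules are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is one ingress rule on a cloud security group (simplified).
type Rule struct {
	Proto string
	Port  int
	CIDR  string
}

// Inventory maps account ID -> security group ID -> its ingress rules.
type Inventory map[string]map[string][]Rule

// Finding is one deviation between approved and observed state.
type Finding struct {
	Account, Group, Kind, Severity string
	Rule                            Rule // zero value for unmanaged_group
}

func severity(r Rule) string {
	if r.CIDR == "0.0.0.0/0" || r.CIDR == "::/0" {
		return "high" // reachable from the whole internet
	}
	return "medium"
}

// DetectDrift diffs observed control-plane state against the approved baseline
// for every account: rules only in observed are unauthorized additions, rules
// only in baseline were removed, groups absent from baseline are unmanaged.
func DetectDrift(baseline, observed Inventory) []Finding {
	var out []Finding
	for acct, groups := range observed {
		for gid, rules := range groups {
			approved, managed := baseline[acct][gid] // nil-map lookup is safe in Go
			if !managed {
				out = append(out, Finding{Account: acct, Group: gid, Kind: "unmanaged_group", Severity: "medium"})
				continue
			}
			want, have := map[Rule]bool{}, map[Rule]bool{}
			for _, r := range approved {
				want[r] = true
			}
			for _, r := range rules {
				have[r] = true
				if !want[r] {
					out = append(out, Finding{Account: acct, Group: gid, Kind: "unauthorized_rule", Severity: severity(r), Rule: r})
				}
			}
			for _, r := range approved {
				if !have[r] {
					out = append(out, Finding{Account: acct, Group: gid, Kind: "removed_rule", Severity: "low", Rule: r})
				}
			}
		}
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Account != b.Account {
			return a.Account < b.Account
		}
		if a.Group != b.Group {
			return a.Group < b.Group
		}
		return a.Kind < b.Kind
	})
	return out
}

// Constructed data: Baseline is what infrastructure-as-code approved, Observed is
// what the provider API reported for the same two hypothetical accounts.
var Baseline = Inventory{
	"prod-111111111111": {"sg-web": {{"tcp", 443, "0.0.0.0/0"}, {"tcp", 22, "10.0.0.0/8"}}},
	"dev-222222222222":  {"sg-db": {{"tcp", 5432, "10.1.0.0/16"}}},
}

var Observed = Inventory{
	"prod-111111111111": {"sg-web": {{"tcp", 443, "0.0.0.0/0"}, {"tcp", 22, "0.0.0.0/0"}}},
	"dev-222222222222":  {"sg-db": {{"tcp", 5432, "10.1.0.0/16"}}, "sg-adhoc": {{"tcp", 3389, "0.0.0.0/0"}}},
}

func RunSample() []Finding { return DetectDrift(Baseline, Observed) }

func main() {
	for _, f := range RunSample() {
		fmt.Printf("[%s] %s %s %s %+v\n", f.Severity, f.Account, f.Group, f.Kind, f.Rule)
	}
}
```

The sample yields three findings: SSH on the production web group was widened from an internal range to the internet (reported as both a removed approved rule and a high-severity unauthorized one), and an ad-hoc group with RDP open to the internet appeared in the dev account outside any baseline. A real CSPM feeds the observed side from provider APIs and change logs on a schedule; the comparison itself is no more than this.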
Correct Answer: A
A is correct: A Subject Alternative Name (SAN) certificate allows a single certificate to secure multiple domain names and subdomains at once. In this scenario the organization operates several hostnames across two different parent domains (.com and .org), and a SAN certificate can list all required entries (www.mycompany.org, www.mycompany.com, campus.mycompany.com, and wiki.mycompany.org) in one certificate. This minimizes cost because only one certificate has to be purchased and managed, while the certificate is still issued by a publicly trusted CA, so browsers validate it and warn users if an on-path (man-in-the-middle) attacker presents a different one. SAN certificates exist precisely for multi-domain environments where several hostnames must be protected by a single certificate. Two practical points: the SAN list can itself contain wildcard entries (for example *.mycompany.com and *.mycompany.org) if more subdomains are expected, and one certificate means one private key deployed on every listed host, so that key must be protected on all of them and the whole set reissued if any one host is compromised.
B is incorrect: Self-signed certificates are generated by the organization rather than a trusted certificate authority. Because browsers and operating systems do not inherently trust these certificates, users would receive security warnings when connecting to the websites. These warnings undermine user trust and prevent reliable detection of real on-path attacks since every connection would already appear untrusted. CASP+ guidance generally discourages self-signed certificates for public-facing services due to trust and security validation limitations.
C is incorrect: Purchasing a separate certificate for each website would technically protect the domains, but it significantly increases cost and administrative overhead. Each certificate would require individual procurement, deployment, monitoring, and renewal. The scenario explicitly states that the solution must save costs while protecting multiple websites, making this option inefficient compared to solutions that consolidate certificate coverage.
D is incorrect: A wildcard certificate covers any single-label subdomain under one parent domain (for example, *.mycompany.com matches www.mycompany.com and campus.mycompany.com, but not mycompany.com itself or a.b.mycompany.com). It applies to only one domain namespace and cannot cover different parent domains at the same time. Because the organization uses both mycompany.com and mycompany.org, a single wildcard certificate would not protect all of the listed websites; two wildcard certificates would be needed, increasing cost and failing the requirement for a single cost-efficient solution.
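An added example (not from the exam materials) that makes the SAN-versus-wildcard distinction testable: it builds a throwaway self-signed certificate listing the four hostnames in its SAN extension and a second one carrying only *.mycompany.com, then checks each hostname with the same matching logic Go's TLS client uses. Self-signing is only so the example runs offline; a production certificate would be issued by a public CA from a CSR carrying the same SAN list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeCert builds a throwaway self-signed server certificate whose Subject
// Alternative Name extension lists dnsNames. In production the same names go
// into a CSR for a public CA; self-signing here only lets the example run offline.
func MakeCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]}, // CN is ignored for matching; SANs decide
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // this is the SAN extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Covers reports, for each hostname, whether a client would accept cert for it,
// using the library's own rules: SANs only, a wildcard matches exactly one label.
func Covers(cert *x509.Certificate, hosts []string) map[string]bool {
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out
}

// Hosts are the four sites from the scenario.
var Hosts = []string{"www.mycompany.org", "www.mycompany.com", "campus.mycompany.com", "wiki.mycompany.org"}

func main() {
	san, err := MakeCert(Hosts)
	if err != nil {
		panic(err)
	}
	wild, err := MakeCert([]string{"*.mycompany.com"})
	if err != nil {
		panic(err)
	}
	check := append(append([]string{}, Hosts...), "mycompany.com", "a.b.mycompany.com")
	s, w := Covers(san, check), Covers(wild, check)
	for _, h := range check {
		fmt.Printf("%-22s SAN cert: %-5v  *.mycompany.com: %v\n", h, s[h], w[h])
	}
}
```

The wildcard certificate matches the two .com hosts but neither .org host, nor the apex mycompany.com, nor a two-label subdomain, which is why a second wildcard or a SAN certificate would be needed; the SAN certificate covers exactly the names it lists and nothing else.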
