Pass the WGU Courses and Certificates Managing-Cloud-Security Questions and answers with CertsForce

Risk is the foundational factor upon which a business continuity plan (BCP) should be based. Managing Cloud principles explain that BCP development begins with identifying and analyzing risks that could disrupt critical business operations.

Risk assessment evaluates threats, vulnerabilities, and potential impacts, allowing organizations to prioritize resources and define recovery strategies. By focusing on risk, organizations ensure that continuity planning addresses the most significant threats to operations, data, and services.

Costs, customers, and locations are important considerations but are secondary to risk analysis. Therefore, risks form the correct basis for a business continuity plan.

NIST SP 800-37 provides a detailed guide for implementing the Risk Management Framework (RMF). Managing Cloud documentation explains that this framework offers a structured process for integrating security and risk management into system development and operational activities.

NIST SP 800-37 outlines steps such as categorizing systems, selecting and implementing security controls, assessing effectiveness, authorizing systems, and continuous monitoring. This lifecycle-based approach helps organizations manage risk in cloud and traditional environments consistently.

ISO 31000 provides general risk management principles, ISO 27001 focuses on information security management systems, and PCI DSS is a compliance standard. Therefore, NIST SP 800-37 is the correct guide for implementing the RMF.

Functional testing validates that new or updated code performs correctly from the end user’s perspective. This type of testing ensures that the patch delivers intended results without introducing errors. It focuses on verifying user interactions, workflows, and outputs.

Full testing may cover all aspects, but it is broader than necessary. Nonfunctional testing evaluates performance, scalability, or usability, not direct functionality. Tabletop testing is a discussion-based exercise, often used for incident response.

Functional testing ensures customer satisfaction by aligning patches with expected system behavior. It is a core component of Agile and DevOps pipelines, where user experience and rapid delivery are prioritized.

Runtime Application Self-Protection (RASP) prevents environments from being over-controlled with performance-degrading security measures. Managing Cloud guidance explains that RASP operates from within the application, monitoring behavior and responding to threats in real time.

Because RASP provides contextual awareness of application logic, it reduces the need for excessive external security controls such as heavy network filtering or constant scanning. This minimizes performance impact while maintaining effective protection against attacks like injection, unauthorized access, and misuse of application functions.

QoS manages traffic prioritization, DDoS describes an attack type, and IDS detects threats but does not prevent over-control. Therefore, RASP is the correct technology.

A core goal of OS baseline compliance and monitoring is to ensure that virtual images and operating systems adhere to approved baseline configuration requirements. Managing Cloud documentation explains that baseline configurations define secure settings for operating systems, including disabled services, patch levels, access controls, and logging configurations.

Compliance monitoring continuously verifies that systems remain aligned with these baselines over time. This helps detect unauthorized changes, configuration drift, or misconfigurations that could introduce vulnerabilities. Ensuring that virtual images meet baseline standards before deployment also reduces risk across scaled cloud environments.

The other options relate to availability, network isolation, or data separation, which are addressed by different controls. Therefore, ensuring baseline configuration compliance is the primary goal of OS baseline monitoring.

A rollback is the safeguard that restores a system to its previous, stable state when a new code release introduces issues. In DevOps workflows, rollbacks provide a rapid recovery mechanism, reducing downtime and minimizing customer impact.

Staging, code review, and testing are preventive controls that reduce the likelihood of defects reaching production, but once a bug has already been deployed, rollback is the corrective control.

Rollback strategies often rely on version control systems, container orchestration, or infrastructure-as-code automation to quickly revert to earlier configurations. This practice is essential for maintaining reliability and availability, especially in cloud environments with continuous deployment pipelines.

Service level agreement (SLA) penalties are a risk mitigation technique that compensates customers for failures by the cloud service provider. Managing Cloud principles explain that SLAs define performance commitments such as availability, response time, and reliability.

When a provider fails to meet these commitments, SLA penalties—often in the form of service credits or financial compensation—are applied. While penalties do not prevent failures, they provide accountability and partial financial remediation.

Recovery time objectives define recovery goals, data protection requirements address security controls, and suspension clauses govern service termination. None of these compensate customers directly. Therefore, SLA penalties are the correct mitigation technique.

UESTION NO: 121 [Conducts Risk Management]

Which risk is assumed by an enterprise that chooses to use vendor-provided cloud resources?

A. Incompatible infrastructure

B. Multitenant deployments

C. Lack of skilled technical personnel

D. Loss of certification

Answer: B

By choosing vendor-provided cloud resources, an enterprise inherently assumes the risk associated with multitenant deployments. Managing Cloud principles explain that public and some community cloud environments are built on shared infrastructure where multiple customers’ workloads coexist on the same physical hardware.

Although strong logical isolation mechanisms are implemented by cloud providers, multitenancy introduces risks such as data leakage, side-channel attacks, and resource contention. These risks do not exist to the same degree in dedicated on-premises environments. Enterprises must therefore rely on the provider’s ability to enforce isolation, access control, and monitoring.

The other options are not intrinsic cloud risks. Incompatible infrastructure can be addressed through architecture design, lack of skilled personnel is an internal organizational issue, and loss of certification relates to compliance management. Therefore, multitenant deployments represent the risk assumed when using vendor-provided cloud resources.

The correct contractual safeguard is an escrow agreement. Data escrow involves storing critical data or software with a neutral third party, which can release it to the customer if the provider fails to meet obligations, such as bankruptcy or service discontinuation.

Indemnification covers liability, offboarding manages termination processes, and encryption secures data but does not ensure availability if the provider disappears.

Escrow provisions protect business continuity by guaranteeing customer access to data regardless of provider viability. They are especially important for organizations handling mission-critical workloads or long-term regulatory obligations in the cloud.

A cloud service customer is the role that subscribes to a software as a service (SaaS) application. Managing Cloud principles define the cloud service customer as the individual or organization that consumes cloud services provided by a cloud service provider.

In a SaaS model, the customer accesses applications through a subscription-based arrangement, typically via a web interface. The customer does not manage the underlying infrastructure or platform but is responsible for configuring user access and ensuring proper use of the service.

The cloud service provider delivers and manages the application, while “cloud computing” and “cloud application” are not roles. Therefore, the cloud service customer is the correct role.

Tabletop testing is the disaster recovery testing method with the least impact on production systems. Managing Cloud guidance explains that tabletop exercises are discussion-based scenarios where stakeholders walk through response procedures without executing actual system changes.

This approach allows teams to validate roles, responsibilities, communication paths, and decision-making processes. Tabletop testing is cost-effective, low-risk, and ideal for early validation of disaster recovery and business continuity plans.

Dry runs and full tests involve actual system actions and can impact production. Unit testing focuses on individual components. Therefore, tabletop testing is the correct answer.