PrepAway - Latest Free Exam Questions & Answers

Category: CAS-002 (v.1)

Exam CAS-002: CompTIA Advanced Security Practitioner (updated May 22nd, 2017)

Which of the following BEST describes the core concerns…

Company XYZ provides hosting services for hundreds of companies across multiple industries including
healthcare, education, and manufacturing. The security architect for company XYZ is reviewing a vendor
proposal to reduce company XYZ’s hardware costs by combining multiple physical hosts through the use of
virtualization technologies. The security architect notes concerns about data separation, confidentiality,
regulatory requirements concerning PII, and administrative complexity on the proposal. Which of the following
BEST describes the core concerns of the security architect?

Which of the following scenarios should they consider?

A forensic analyst works for an e-discovery firm where several gigabytes of data are processed daily. While the
business is lucrative, they do not have the resources or the scalability to adequately serve their clients. Since it
is an e-discovery firm where chain of custody is important, which of the following scenarios should they
consider?

Which of the following has been overlooked in securing …

An extensible commercial software system was upgraded to the next minor release version to patch a security
vulnerability. After the upgrade, an unauthorized intrusion into the system was detected. The software vendor is
called in to troubleshoot the issue and reports that all core components were updated properly. Which of the
following has been overlooked in securing the system? (Select TWO).

Which of the following should the Information Technolog…

The risk manager is reviewing a report which identifies a requirement to keep a business critical legacy system
operational for the next two years. The legacy system is out of support because vendor and security
patches are no longer released. Additionally, this is a proprietary embedded system and little is documented
and known about it. Which of the following should the Information Technology department implement to reduce
the security risk from a compromise of this system?

Which of the following are the BEST security considerat…

A security company is developing a new cloud-based log analytics platform. Its purpose is to allow:
Customers to upload their log files to the “big data” platform
Customers to perform remote log search
Customers to integrate into the platform using an API so that third party business intelligence tools can be used
for the purpose of trending, insights, and/or discovery
Which of the following are the BEST security considerations to protect data from one customer being disclosed
to other customers? (Select THREE).

Which of the following will provide end-to-end encrypti…

Company A needs to export sensitive data from its financial system to company B’s database, using company
B’s API in an automated manner. Company A’s policy prohibits the use of any intermediary external systems to
transfer or store its sensitive data, therefore the transfer must occur directly between company A’s financial
system and company B’s destination server using the supplied API. Additionally, company A’s legacy financial
software does not support encryption, while company B’s API supports encryption. Which of the following will
provide end-to-end encryption for the data transfer while adhering to these requirements?

