Domain 3: Cloud Platform & Infrastructure Security Review — 34 of 70

Domain 3 – Section B Review: Data Center & Risk

CCSP Domain 3 — Cloud Platform & Infrastructure Security
Section B — Data Center & Risk Review (10 Questions)

This section integrates:

  • Secure Data Center Design
  • Physical and Environmental Security
  • Risk Assessment for Cloud Infrastructure
  • Vulnerability and Threat Analysis

Question 1

A CSP claims Tier IV data center certification. A customer assumes this means their application will have 99.995% availability. What is wrong with this assumption?

A. Tier IV only applies to power systems
B. The tier certification guarantees facility uptime, not application availability
C. Tier IV is not a real certification
D. The customer must pay extra for Tier IV benefits

Answer & reasoning

Correct: B

Tier classifications measure facility infrastructure resilience. Application availability depends on how the customer architects their deployment, including multi-AZ design and proper failover.

Question 2

During a cloud risk assessment, the team realizes they cannot access historical outage data from the CSP. Which risk assessment approach is MOST appropriate?

A. Qualitative using expert judgment
B. Use the on-premises risk data unchanged
C. Quantitative using industry averages
D. Skip the assessment until data is available

Answer & reasoning

Correct: A

When historical data is unavailable, qualitative assessment using expert judgment and risk matrices is the most practical approach for cloud environments.

Question 3

A fire breaks out in a data center server room. The facility uses a wet-pipe sprinkler system. What is the PRIMARY concern?

A. The sprinklers will not activate
B. The fire will spread to adjacent rooms
C. The fire department cannot respond
D. Water damage to equipment will compound the impact

Answer & reasoning

Correct: D

Wet-pipe sprinklers discharge water that damages electronic equipment. Data centers should use clean agent suppression systems to extinguish fires without destroying hardware.

Question 4

A CSP uses a subcontractor for physical security at one of its data centers. The subcontractor has a history of employee background check failures. What type of risk does this represent?

A. Residual risk only
B. Fourth-party (supply chain) risk
C. Second-party risk
D. First-party risk

Answer & reasoning

Correct: B

The subcontractor is a fourth party — a party with which the customer has no direct contractual relationship. Supply chain risk introduced by CSP subcontractors affects the customer indirectly, through the CSP.

Question 5

A CSPM tool identifies 300 cloud misconfigurations. The security team has capacity to address 50 this quarter. How should they prioritize?

A. Fix findings alphabetically by service name
B. Fix the oldest findings first
C. Prioritize by blast radius, starting with management plane and internet-facing issues
D. Randomly select 50 findings to fix

Answer & reasoning

Correct: C

Prioritization by blast radius ensures the highest-impact issues are addressed first. Management plane and internet-facing misconfigurations pose the greatest risk to the organization.

Question 6

An organization migrates to cloud and the CTO declares physical security risk has been “eliminated.” What is the correct interpretation?

A. Physical security risk has been transferred to the CSP, not eliminated
B. Physical security is irrelevant in cloud
C. The organization must still manage physical security at the CSP
D. The CTO is correct; cloud has no physical security risk

Answer & reasoning

Correct: A

Moving to the cloud transfers the execution of physical security controls to the CSP, but the organization retains accountability for ensuring that protection is adequate. The risk is transferred, not eliminated.

Question 7

A customer cannot physically inspect the CSP data center. How should they verify physical security controls?

A. Require employees to visit the facility annually
B. Review SOC 2 Type II reports and ISO 27001 certification
C. Install remote monitoring cameras at the CSP facility
D. Accept the CSP marketing materials as sufficient evidence

Answer & reasoning

Correct: B

Third-party audit reports provide independent verification. CSPs do not allow customer-installed equipment or unscheduled visits.

Question 8

A vulnerability in the CSP’s hypervisor is disclosed publicly. What is the customer’s FIRST action?

A. Migrate all workloads immediately
B. Deploy compensating controls at the network layer
C. Contact the CSP to confirm awareness and remediation timeline
D. Patch the hypervisor on their instances

Answer & reasoning

Correct: C

Hypervisor management is the CSP’s responsibility; the customer cannot patch it. The customer should first confirm that the provider is aware of the vulnerability and verify its remediation plan before taking further action.

Question 9

A cloud risk register was last updated two years ago. The CSP has since changed ownership and updated its terms of service. What is the PRIMARY concern?

A. The register is likely compliant since no incidents occurred
B. The risk register no longer reflects the current risk landscape
C. The new owner automatically inherits the old risk profile
D. Risk registers do not need updates in cloud

Answer & reasoning

Correct: B

Cloud risk is dynamic. Changes in CSP ownership and terms of service can fundamentally alter the risk profile. A stale register means the organization operates with outdated risk information.

Question 10

An organization deploys to a single region and relies on the CSP’s Tier III data center for resilience. A regional natural disaster takes the entire region offline. What should the organization have done?

A. Stored backups in the same region on different hardware
B. Deployed across multiple geographically diverse regions
C. Requested a Tier IV upgrade from the CSP
D. Purchased additional insurance coverage

Answer & reasoning

Correct: B

Regional disasters can affect entire data centers regardless of tier. Multi-region deployment is the standard mitigation for geographic-scale failures.
