Free Access CompTIA.CAS-003.v2022-04-30.q141 Practice Test (Page 15)

Question 66

A company is in the process of outsourcing its customer relationship management system to a cloud provider. It will host the entire organization's customer database. The database will be accessed by both the company's users and its customers. The procurement department has asked what security activities must be performed for the deal to proceed. Which of the following are the MOST appropriate security activities to be performed as part of due diligence? (Select TWO).

A.Physical penetration test of the datacenter to ensure there are appropriate controls.

B.Penetration testing of the solution to ensure that the customer data is well protected.

C.Security clauses are implemented into the contract such as the right to audit.

D.Review of the organizations security policies, procedures and relevant hosting certifications.

E.Code review of the solution to ensure that there are no back doors located in the software.

Correct Answer: C,D

Due diligence refers to an investigation of a business or person prior to signing a contract. Due diligence verifies information supplied by vendors with regards to processes, financials, experience, and performance. Due diligence should verify the data supplied in the RFP and concentrate on the following:
Company profile, strategy, mission, and reputation
Financial status, including reviews of audited financial statements
Customer references, preferably from companies that have outsourced similar processes Management qualifications, including criminal background checks Process expertise, methodology, and effectiveness Quality initiatives and certifications Technology, infrastructure stability, and applications Security and audit controls Legal and regulatory compliance, including any outstanding complaints or litigation Use of subcontractors Insurance Disaster recovery and business continuity policies C and D form part of Security and audit controls.
Incorrect Answers:
A: A Physical Penetration Test recognizes the security weaknesses and strengths of the physical security. It will, therefore, not form part of due diligence because due diligence verifies information supplied by vendors with regards to processes, financials, experience, and performance.
B: A penetration test is a software attack on a computer system that looks for security weaknesses. It will, therefore, not form part of due diligence because due diligence verifies information supplied by vendors with regards to processes, financials, experience, and performance.
E: A security code review is an examination of an application that is designed to identify and assess threats to an organization. It will, therefore, not form part of due diligence because due diligence verifies information supplied by vendors with regards to processes, financials, experience, and performance.
References:
https://en.wikipedia.org/wiki/Due_diligence
http://www.ftpress.com/articles/article.aspx?p=465313&seqNum=5
http://seclists.org/pen-test/2004/Dec/11
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John Wiley & Sons, Indianapolis, 2012, p. 169

Question 67

An organization has just released a new mobile application for its customers.
The application has an inbuilt browser and native application to render content from existing websites and the organization's new web services gateway.
All rendering of the content is performed on the mobile application.
The application requires SSO between the application, the web services gateway and legacy UI.
Which of the following controls MUST be implemented to securely enable SSO?

A.The identity is passed between the applications as a HTTP header over REST.

B.Attestation of the XACML payload to ensure that the client is authorized.

C.A registration process is implemented to have a random number stored on the client.

D.Local storage of the authenticated token on the mobile application is secured.

Question 68

A recent CRM upgrade at a branch office was completed after the desired deadline.
Several technical issues were found during the upgrade and need to be discussed in depth before the next branch office is upgraded. Which of the following should be used to identify weak processes and other vulnerabilities?

A.Lessons learned report

B.Gap analysis

C.Benchmarks and baseline results

D.Risk assessment

Question 69

A new database application was added to a company's hosted VM environment. Firewall ACLs were modified to allow database users to access the server remotely. The company's cloud security broker then identified abnormal from a database user on-site. Upon further investigation, the security team noticed the user ran code on a VM that provided access to the hypervisor directly and access to other sensitive data.
Which of the following should the security do to help mitigate future attacks within the VM environment? (Choose two.)

A.Change the user's access privileges.

B.Install perimeter NGFW.

C.Update virus definitions on all endpoints.

D.Deprovision database VM.

E.Configure VM isolation.

F.Install the appropriate patches.

Question 70

Drag and drop the cloud deployment model to the associated use-case scenario. Options may be used only once or not at all.

Premium Bundle

Newest CAS-003 Exam PDF Dumps shared by BraindumpsPass.com for Helping Passing CAS-003 Exam! BraindumpsPass.com now offer the updated CAS-003 exam dumps, the BraindumpsPass.com CAS-003 exam questions have been updated and answers have been corrected get the latest BraindumpsPass.com CAS-003 pdf dumps with Exam Engine here:

Access CAS-003 Premium Version

(683 Q&As Dumps, 40%OFF Special Discount: Exam-Tests)

Other Version: 7485CompTIA.CAS-003.v2022-09-22.q535; 6510CompTIA.CAS-003.v2022-08-15.q472; 4321CompTIA.CAS-003.v2022-05-05.q206; 84CompTIA.Actualtestpdf.CAS-003.v2022-01-19.by.morgan.327q.pdf

Latest Upload: 105OCEG.GRCP.v2025-09-11.q211; 104HP.HPE0-V27.v2025-09-11.q78; 118Oracle.1Z0-1057-23.v2025-09-10.q47; 153Google.Professional-Cloud-Network-Engineer.v2025-09-09.q179; 131SAP.C-S4EWM-2023.v2025-09-08.q83; 166TheSecOpsGroup.CNSP.v2025-09-08.q20; 229CFAInstitute.ESG-Investing.v2025-09-08.q173; 176PECB.ISO-IEC-27001-Lead-Implementer.v2025-09-06.q132; 152Salesforce.Data-Architect.v2025-09-05.q216; 148Adobe.AD0-E605.v2025-09-05.q50