CCZT Online Practice Questions and Answers

Correct Answer: B

Correct Answer: A

The ZT tenet of assume breach is based on the notion that malicious actors reside inside and outside the network, and that any user, device, or service can be compromised at any time. Therefore, ZT requires continuous verification and validation of all entities and transactions, and does not rely on implicit trust or perimeter-based defenses

Correct Answer: B

ABAC is an access control method that uses attributes of the requester, the resource, the environment, and the action to evaluate and enforce policies. ABAC allows for fine-grained and dynamic access control based on the context of the request, rather than predefinedroles or privileges. ABAC is suitable for SaaS and PaaS, where the features within a service may vary depending on the customer's needs, preferences, and subscription level. ABAC can help implement ZT by enforcing the principle of least privilege and verifying every request based on multiple factors. References: Attribute-Based Access Control (ABAC) Definition General Access Control Guidance for Cloud Systems A Guide to Secure SaaS Access Control Within an Organization

Correct Answer: B

Risk assessment is the process of identifying, analyzing, and evaluating the risks that an organization faces in achieving its objectives. Risk assessment helps to determine the scope of the target state definition for ZT planning, as it identifies the critical assets, threats, vulnerabilities, and impacts that need to be addressed by ZT capabilities and activities. Risk assessment also helps to prioritize and align the ZT planning with the organization's risk appetite and tolerance levels.

Correct Answer: B

Business continuity and disaster recovery are the activities of the ZT implementation preparation phase that ensure the resiliency of the organization's operations in the event of disruption. Business continuity refers to the process of

maintaining or restoring the essential functions of the organization during and after a crisis, such as a natural disaster, a cyberattack, or a pandemic. Disaster recovery refers to the process of recovering the IT systems, data, and infrastructure

that support the business continuity. ZT implementation requires planning and testing the business continuity and disaster recovery strategies and procedures, as well as aligning them with the ZT policies and controls.

References:

Zero Trust Planning - Cloud Security Alliance, section "Monitor and Measure" Zero Trust architecture: a paradigm shift in cybersecurity - PwC, section "Continuous monitoring and improvement"

Zero Trust Implementation, section "Outline Zero Trust Architecture (ZTA) implementation steps"

Correct Answer: D

In a continual improvement model, policy administrators are the ones who maintain the ZT policies. Policy administrators are ZTA policy entities that are responsible for crafting and maintaining the policies that govern the access to resources in a ZT environment1. Policy administrators define the rules and conditions that specify who, what, when, where, and how an entity can access a resource, based on the principle of least privilege2. Policy administrators also update and review the policies periodically to ensure they are aligned with the changing business and security requirements3. References: Zero Trust Architecture | NIST Zero Trust Architecture: Policy Engine and Policy Administrator Zero Trust Architecture: Policy Administration

Correct Answer: C

Device validation helps establish a trusted connection based on certificate-based keys in a ZT deployment. Device validation is the process of verifying the identity and posture of the devices that request access to the protected resources.

Device validation relies on the use of certificates, which are digital credentials that bind the device identity to a public key. Certificates are issued by a trusted authority and can be used to authenticate the device and encrypt the

communication. Device validation helps to ensure that only healthy and compliant devices can access the resources, and that the connection is secure and confidential.

References:

Certificate of Competence in Zero Trust (CCZT) prepkit, page 15, section 2.2.3 Zero Trust and Windows device health - Windows Security, section "Device health attestation on Windows"

Devices and zero trust | Google Cloud Blog, section "In a zero trust environment, every device has to earn trust in order to be granted access."

Correct Answer: B

Explanation: One of the core principles of Zero Trust (ZT) is to "never trust, always verify" every request for access to a resource, regardless of where it originates or what resource it accesses1. This means that ZT does not rely on implicit trust based on network perimeters, device types, or user roles, but rather on explicit verification based on multiple data points, such as user identity, device health, location, service, data classification, and anomalies1. References: Zero Trust Architecture | NIST Zero Trust Model - Modern Security Architecture | Microsoft Security How To Implement Zero Trust: 5-steps Approach and its challenges - Fortinet

Correct Answer: C

ZTA is based on the principle of never trusting any user or device by default, regardless of their location or ownership. ZTA policies can use various methods to verify the identity and context of third-party users and devices, such as tokens, certificates, multifactor authentication, device posture assessment, etc. ZTA policies can also enforce granular and dynamic access policies that grant the minimum necessary privileges to third-party users and devices for accessing specific resources, while hiding all other assets from their view. This reduces the attack surface and prevents unauthorized access and lateral movement within the network.

Correct Answer: D