Google Cloud Professional Cloud Security Engineer — Question 135
Your organization wants to be continuously evaluated against CIS Google Cloud Computing Foundations Benchmark v1.3.0 (CIS Google Cloud Foundation 1.3). Some of the controls are irrelevant to your organization and must be disregarded in evaluation. You need to create an automated system or process to ensure that only the relevant controls are evaluated.
What should you do?
Answer options
- A. Mark all security findings that are irrelevant with a tag and a value that indicates a security exception. Select all marked findings, and mute them on the console every time they appear. Activate Security Command Center (SCC) Premium.
- B. Activate Security Command Center (SCC) Premium. Create a rule to mute the security findings in SCC so they are not evaluated.
- C. Download all findings from Security Command Center (SCC) to a CSV file. Mark the findings that are part of CIS Google Cloud Foundation 1.3 in the file. Ignore the entries that are irrelevant and out of scope for the company.
- D. Ask an external audit company to provide independent reports including needed CIS benchmarks. In the scope of the audit, clarify that some of the controls are not needed and must be disregarded.
Correct answer: B
Explanation
The correct answer is B because activating Security Command Center (SCC) Premium and creating a mute rule directly addresses the need to disregard irrelevant controls during evaluation: a mute rule is defined once with a filter, and SCC then mutes every current and future finding that matches it without further intervention, which is the automated process the question asks for. Option A requires someone to select and mute the tagged findings on the console each time they reappear, so the exclusion never becomes automatic. Option C is a manual process of marking findings in a CSV export; it neither automates the exclusion nor feeds back into SCC's evaluation. Option D relies on periodic external audits, which do not provide continuous evaluation.