Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Legal, Risk and Compliance

Practice CCSP Legal, Risk and Compliance questions with full explanations on every answer.

93 questions



All CCSP Legal, Risk and Compliance questions (93)


1. A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?

2. A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?

3. A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?

4. A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

5. An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?

6. A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?

7. A cloud customer wants to ensure that their data is not accessible to the cloud provider's employees. Which of the following controls would best address this requirement?

8. Which TWO of the following are required elements of a valid Business Continuity Plan (BCP) in the cloud?

9. Which THREE of the following are typical responsibilities of a cloud customer under the shared responsibility model?

10. Which TWO of the following are key components of an Information Security Management System (ISMS) as defined by ISO 27001?

11. Refer to the exhibit. A security engineer discovers that the S3 bucket policy allows public read access from the entire corporate network (10.0.0.0/16). However, the company wants to restrict access only to the security team's subnet (10.0.1.0/24). What modification should be made to the policy?

12. Refer to the exhibit. A cloud administrator sees this error log from AWS CloudTrail. The user [email protected] is a member of the 'Analysts' group. Which of the following is the most likely cause of the AccessDenied error?

13. A healthcare organization is migrating its electronic health record (EHR) system to a public cloud. The system stores sensitive patient data subject to HIPAA. The cloud architect has designed a multi-tier architecture with load balancers, web servers, application servers, and a PostgreSQL database. The database contains ePHI. To meet compliance, the architect plans to encrypt the database at rest using AWS RDS encryption with KMS. However, during a security review, the compliance officer notes that the database backups are stored in an S3 bucket that is not encrypted. Additionally, the application logs, which may contain patient data, are sent to CloudWatch Logs without encryption. The compliance officer insists that all data stores containing ePHI must be encrypted at rest. Which action should the architect take to ensure compliance?

14. A multinational corporation is migrating its customer data to a cloud provider that operates data centers in multiple jurisdictions. To comply with the General Data Protection Regulation (GDPR), the company must ensure that customer data remains within the European Economic Area (EEA) unless adequate safeguards are in place. The cloud provider offers data residency options but does not guarantee that data will never be accessed from outside the EEA. What is the BEST course of action for the company?

15. A cloud service provider (CSP) is designing a multi-tenant infrastructure and needs to ensure that a security incident in one tenant's environment does not compromise the confidentiality or integrity of other tenants. The CSP plans to use a combination of network segmentation, hypervisor isolation, and encryption. Which additional control is MOST critical to prevent side-channel attacks that could leak cryptographic keys or other sensitive data across tenants?

16. A cloud architect is designing a disaster recovery (DR) plan for a financial services application hosted on a public cloud. The plan must meet a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. The application uses a relational database and stores files in object storage. Which TWO strategies should the architect recommend to meet these objectives?

17. A large healthcare organization uses a hybrid cloud environment with on-premises systems and Microsoft Azure. They store protected health information (PHI) in Azure Blob Storage and use Azure SQL Database for transactional data. The organization must comply with HIPAA and has implemented encryption at rest using Azure Storage Service Encryption and Transparent Data Encryption (TDE) for SQL. During a recent audit, the security team discovered that the organization does not have a formal process to identify and respond to security incidents that involve PHI. Additionally, the organization's backup strategy stores encrypted backups in a separate Azure region, but the backup encryption keys are managed by Azure and are not customer-controlled. The compliance officer is concerned about the ability to demonstrate HIPAA compliance in the event of an audit. Which of the following actions should the organization take FIRST to address the most critical gap?

18. A company is moving its customer database to a public cloud provider. The database contains personally identifiable information (PII) of European Union citizens. Which legal framework imposes requirements on the cloud customer regarding data protection and privacy in this scenario?

19. A cloud service provider (CSP) is undergoing a SOC 2 Type II audit. The auditor reviews the CSP's access control policies and identifies that user access reviews are performed quarterly. However, the auditor notes that there is no automated termination of access for terminated employees. Which TWO of the following control objectives are likely to be non-compliant based on this finding?

20. An administrator applies the above S3 bucket policy to a bucket named 'data-bucket' that contains sensitive logs. The policy is intended to allow uploads only over HTTPS. After applying, the administrator finds that uploads using the AWS CLI without HTTPS still succeed. What is the most likely reason?

21. Drag and drop the steps for setting up a cloud access security broker (CASB) in a SaaS environment into the correct order.

22. Drag and drop the steps for setting up a virtual private cloud (VPC) with public and private subnets in AWS into the correct order.

23. Match each IAM term to its definition.

24. Match each cloud security tool to its primary purpose.

25. A healthcare organization is migrating patient data to a public cloud. Which legal framework most directly governs the protection of this data?

26. During a cloud migration, a company discovers that data stored in a specific region must remain there per contract. The cloud provider offers data replication across regions. What is the best practice to ensure compliance?

27. A cloud service provider (CSP) includes a limitation of liability clause capped at the total fees paid in the past 12 months. A customer suffers a data breach due to provider negligence, losing $2M in business. The customer's annual spend is $500K. What is the customer's likely recovery?

28. A company wants to use a cloud service to store financial records. Which compliance framework most likely applies?

29. A cloud customer receives a legal hold notice for pending litigation. The data resides in multi-tenant storage. What is the most appropriate initial action?

30. A company uses a cloud-based intrusion detection system (IDS) that generates logs containing IP addresses. The company is headquartered in a country with data localization laws. What is the primary compliance risk?

31. Which risk assessment method uses subjective scales to assign probabilities and impacts?

32. An organization stores customer data in a cloud that is subject to GDPR. The organization uses a cloud provider that does not allow audits of its data centers. What is the best way to satisfy GDPR audit requirements?

33. A company is required to retain logs for 7 years per regulation. The cloud provider's default retention is 90 days. What is the most effective approach?

34. Which TWO of the following are key elements of a cloud service agreement (CSA) for legal compliance?

35. Which THREE of the following are typical requirements for compliance with eDiscovery in a cloud environment?

36. Which THREE of the following are commonly required when conducting a cloud vendor risk assessment?

37. A customer discovers the provider added a new sub-processor without notification. Which compliance risk is most directly exposed?

38. A company uses this IAM policy on an S3 bucket containing logs with personally identifiable information (PII). What is the most immediate compliance risk?

39. A customer relies on this SOC 2 Type II report to assess a cloud provider's controls. What is the primary limitation of this report?

40. A company is contracting with a cloud provider and wants to ensure they have visibility into the provider's security controls. Which contract clause is most important to include?

41. A financial services company must store customer transaction data in a cloud that complies with PCI DSS. Which of the following is a primary requirement for the cloud environment?

42. A multinational corporation uses a SaaS application that stores data in multiple jurisdictions. The company's legal team is concerned about cross-border data transfers under the GDPR. What is the recommended mechanism to legitimize such transfers?

43. A company has a contractual requirement that the CSP must delete all customer data within 30 days of contract termination. Which document should specify this requirement?

44. An organization wants to assess the security controls of a cloud provider before entering into a contract. What is the most efficient method?

45. A cloud customer is subject to the EU General Data Protection Regulation (GDPR) and uses a cloud provider that subcontracts data processing to a third party without notification. Which GDPR requirement is violated?

46. Which of the following is a key consideration when defining a cloud provider's liability for data breaches?

47. A company needs to ensure that its cloud-stored data is retained only for a specific period due to legal requirements. Which process should be automated?

48. An organization wants to ensure that its CSP does not access customer data for any purpose other than providing the service. Which clause should be included?

49. A company is evaluating cloud providers for compliance with the GDPR. Which TWO of the following are mandatory data protection roles under the GDPR?

50. A company is implementing a cloud risk management program. Which THREE of the following are essential components of a risk assessment according to NIST SP 800-30?

51. Which THREE of the following are typical data privacy principles found in most regulations?

52. Refer to the exhibit. A security analyst sees this alert. According to the shared responsibility model, who is primarily responsible for ensuring that the IAM policy correctly restricts access?

53. Refer to the exhibit. A cloud administrator is reviewing this bucket policy. What is the most significant security concern?

54. Refer to the exhibit. A company uses AWS Config to evaluate compliance with a rule that requires S3 buckets to enforce SSL. What should the administrator do next?

55. A company stores PII in the cloud and needs to ensure compliance with GDPR. What is the first step they should take?

56. A cloud service provider (CSP) experiences a security incident affecting customer data. The contract requires notification within 72 hours, but the CSP fails to notify. What is the most likely legal consequence for the CSP?

57. An organization uses a multi-cloud strategy and wants to perform a risk assessment that accounts for the shared responsibility model. Which approach is most appropriate?

58. A company is migrating healthcare data to the cloud and must comply with HIPAA. They need to sign a Business Associate Agreement (BAA) with the CSP. What key element must be included in the BAA?

59. Which legal concept allows customers to retain ownership of data stored in the cloud regardless of where it is physically stored?

60. During a cloud audit, the auditor finds that the CSP's data deletion process does not meet contractual requirements. The customer's data may still be recoverable after termination. What is the best next step for the customer?

61. A company uses a cloud database that stores customer financial information. To ensure compliance with PCI DSS, which control is required?

62. What is the primary purpose of a Data Processing Agreement (DPA) between a data controller and a cloud service provider?

63. An organization experiences a data breach in the cloud. The CSP claims they are not liable because the breach was due to customer misconfiguration. The customer disagrees. What document should be reviewed to determine liability?

64. Which TWO of the following are required for GDPR compliance when processing personal data in the cloud?

65. Which THREE of the following are key considerations when conducting a cloud risk assessment?

66. Which TWO of the following are examples of data sovereignty laws that directly affect cloud data storage?

67. Refer to the exhibit. An organization has this S3 bucket policy for a bucket containing sensitive customer data. What is the primary risk associated with this policy?

68. Refer to the exhibit. A security engineer reviews this CloudTrail log entry. The company has a policy that all deletion operations must be approved by the compliance team. What is the most likely compliance issue?

69. Refer to the exhibit. A cloud administrator discovers this Azure role assignment in the Finance resource group. The role definition ID corresponds to 'Storage Blob Data Contributor'. What is the immediate compliance concern?

70. A cloud service provider stores customer data in a multi-tenant environment. A customer from the European Union requests that all personal data be encrypted at rest to comply with GDPR. What is the primary reason for this requirement?

71. A company identifies a high-risk vulnerability in a cloud application. The cost to remediate is significantly higher than the potential loss from exploitation. Which risk treatment strategy is most appropriate?

72. During litigation, a company receives a legal hold notice for electronically stored information (ESI) in a cloud environment. The cloud provider's standard service agreement includes a clause that automatically deletes data 30 days after termination of service. What should the company do to ensure compliance?

73. A US-based company uses a cloud provider with data centers in the US and Europe. To transfer personal data of EU citizens to the US, which mechanism is most appropriate under GDPR?

74. A client is negotiating a cloud service agreement and wants to conduct on-site audits of the provider's data centers. The provider argues that on-site audits are unnecessary due to SOC 2 reports. Which is the best approach for the client?

75. A cloud customer is subject to the Health Insurance Portability and Accountability Act (HIPAA). They are considering using a cloud provider that offers infrastructure as a service (IaaS). Which of the following is the customer's responsibility under the HIPAA shared responsibility model?

76. A company is performing a risk assessment of its cloud environment. They have identified a risk with a likelihood of 4 (on a scale of 1-5) and an impact of 3 (on a scale of 1-5). The company decides to implement controls that will reduce the likelihood to 2 and impact to 1. What is the residual risk score after controls?

77. A cloud provider experiences a data breach affecting customer data. Which of the following laws most likely requires the provider to notify affected customers within 72 hours?

78. A company wants to ensure that its cloud provider's data deletion process is verifiable. Which of the following should the company require in the service level agreement?

79. Which THREE of the following are key components of a data protection impact assessment (DPIA) under GDPR?

80. Which TWO of the following are common risk treatment options in cloud risk management?

81. Which TWO of the following are requirements for a cloud service agreement to comply with the European Data Protection Board (EDPB) guidelines on data processing?

82. Refer to the exhibit. An administrator is reviewing an AWS S3 bucket policy. Based on the policy, which of the following is true?

83. Your organization, a healthcare provider subject to HIPAA, has migrated electronic protected health information (ePHI) to a public cloud IaaS provider. The cloud provider offers default encryption at rest using their managed key service. During a recent audit, it was discovered that the encryption keys are generated and stored by the cloud provider without any customer involvement. The auditor states that this arrangement may violate HIPAA requirements because the covered entity does not have exclusive control over the keys. You need to ensure compliance while maintaining cost efficiency. After discussing with the cloud provider, they suggest the following options:
    A. Enable client-side encryption using a custom key management system (KMS) on the customer's premises.
    B. Use the provider's default encryption and rely on their BAA that states they will protect the keys.
    C. Implement a third-party key management solution that stores keys in the cloud but is controlled by the customer.
    D. Disable encryption and rely on access controls and auditing only.
    Which option best addresses the compliance requirement while considering the operational impact?

84. A multinational corporation uses a SaaS application for customer relationship management (CRM). The CRM application stores customer data including names, email addresses, and purchase history. The company has operations in the EU, California, and Japan. A new regulation in Japan requires that any transfer of personal data outside Japan must have the data subject's consent if the destination country does not have an adequacy decision. The company's cloud provider stores data in the United States. The company currently relies on the provider's data processing agreement that includes standard contractual clauses (SCCs). However, the Japanese regulator has stated that SCCs are not sufficient for transfers from Japan unless supplemented. You are tasked with ensuring compliance for Japanese data subjects. Which of the following is the most appropriate next step?
    A. Obtain explicit consent from each Japanese data subject for data transfer to the US.
    B. Move the data for Japanese subjects to a data center in Japan.
    C. Continue using SCCs as they are recognized internationally.
    D. Pseudonymize the data before transfer.
    Which option best addresses the compliance requirement while considering the operational impact?

85. A regional bank is migrating its customer data to a cloud provider that offers services in multiple jurisdictions. The bank's legal team is concerned about compliance with data protection regulations, specifically regarding the right to be forgotten. During a review, the bank discovers that the cloud provider's data deletion process takes up to 90 days for archived data. The bank needs to ensure it can comply with customer deletion requests within 30 days as required by GDPR. What should the bank do?

86. A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?

87. A healthcare company uses a cloud-based patient management system. The cloud provider experiences a security incident that may have exposed protected health information (PHI). The provider notifies the company within 72 hours, as required by the service agreement. The company's internal breach response policy requires a legal review of the incident before notifying affected individuals. The legal review typically takes 48 hours. However, the company is required to notify patients within 60 days under HIPAA. With the 72-hour notification from the provider, the company has 60 days to notify patients. What is the most effective approach to meet the 60-day notification requirement while ensuring compliance with internal policy?

88. A company receives an erasure request under GDPR. The cloud provider can delete from active storage within 24 hours but requires 90 days to delete from archives. The company has a contractual obligation to ensure deletion within 30 days. What should the company do?

89. A defense contractor uses a cloud provider that is FedRAMP authorized at the Moderate impact level. The contractor's contract requires compliance with DFARS 252.204-7012, which mandates safeguarding covered defense information (CDI) and reporting cyber incidents. The contractor's security team wants to ensure the cloud provider's security controls are adequate. The provider offers a FedRAMP package that includes a System Security Plan (SSP) and a Security Assessment Report (SAR). The contractor's legal department has determined that if the provider is FedRAMP authorized, the audit requirements are satisfied. What is the most efficient way to verify compliance?

90. Which TWO of the following are primary responsibilities of a cloud service customer under the shared responsibility model regarding compliance with regulations such as GDPR?

91. A multinational corporation stores customer data in an AWS S3 bucket located in the US. The company's European customers' personal data must comply with GDPR. Which TWO actions should the company take to ensure compliance with GDPR data transfer requirements?

92. Refer to the exhibit. A security analyst discovers this bucket policy attached to an S3 bucket containing sensitive customer data. What is the MOST significant security risk posed by this policy?

93. A healthcare company, MedSecure, is migrating its critical patient record application to a public cloud IaaS environment. The application processes Protected Health Information (PHI) subject to HIPAA in the US and also includes some patient data from EU residents subject to GDPR. MedSecure has signed Business Associate Agreements (BAAs) with the cloud provider covering US HIPAA compliance. However, the compliance officer is concerned about GDPR requirements for EU patient data. The architecture uses AWS EC2 instances behind an Application Load Balancer, with data stored in Amazon RDS (MySQL) using encryption at rest and TLS for transmission. The company uses AWS CloudTrail for logging but only retains logs for 90 days. The compliance officer has identified that the current logging retention does not meet the GDPR requirement for logs to be retained for a minimum of 12 months for audit purposes. Additionally, the data stored in RDS is in a single AWS region in the US (us-east-1). The company plans to expand to EU customers. The GDPR requires that personal data of EU residents be stored in the EU or have adequate safeguards for transfer. Currently, the company has not implemented any data residency controls. What course of action should MedSecure take to address the most critical compliance gaps?


Frequently asked questions

What does the Legal, Risk and Compliance domain cover on the CCSP exam?

The Legal, Risk and Compliance domain covers the key concepts tested in this area of the CCSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CCSP domains — no account required.

How many Legal, Risk and Compliance questions are in the CCSP question bank?

The Courseiva CCSP question bank contains 93 questions in the Legal, Risk and Compliance domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Legal, Risk and Compliance for CCSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Legal, Risk and Compliance questions for CCSP?

Yes — the session launcher on this page draws questions exclusively from the Legal, Risk and Compliance domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
