
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


CCSP Legal, Risk, and Compliance • Complete Question Bank

CCSP Legal, Risk, and Compliance — All Questions With Answers

Complete CCSP Legal, Risk, and Compliance question bank: all 64 questions with answers and detailed explanations.
Question 1 (medium, multiple choice)

A multinational company operating in the EU uses a cloud service provider based in the US to process personal data of EU data subjects. The company is considered a data controller under the GDPR. Which of the following must the company ensure is in place to lawfully transfer personal data from the EU to the US?

Question 2 (medium, multiple choice)

A covered entity under HIPAA is planning to migrate electronic protected health information (ePHI) to a public cloud environment. Which of the following is a mandatory requirement before using the cloud service?

Question 3 (hard, multiple choice)

A financial institution subject to SOX is migrating its general ledger system to a SaaS provider. Which of the following IT general controls is most critical to ensure the integrity of financial data in the cloud?

Question 4 (easy, multiple choice)

A cloud customer receives a litigation hold notice requiring preservation of data stored in an object storage service. Which service feature should the customer use to ensure data cannot be modified or deleted until the hold is released?

Question 5 (medium, multiple choice)

A company is negotiating a cloud service agreement and wants to ensure it can verify the provider's security controls independently. Which contractual clause is essential for this purpose?

Question 6 (hard, multiple choice)

A cloud customer needs to comply with PCI DSS for a cardholder data environment (CDE) hosted on an IaaS platform. According to PCI DSS Appendix A3, which document is critical to define the security responsibilities between the customer and the cloud provider?

Question 7 (medium, multiple choice)

A cloud provider's data center is located in Country A, but the customer's data is subject to litigation in Country B. The court in Country B orders the cloud provider to produce data. The cloud provider refuses, citing Country A's laws that prohibit disclosure. This situation best illustrates which challenge in eDiscovery?

Question 8 (easy, multiple choice)

When assessing cloud risk, an organization identifies that if a single cloud provider fails, the organization cannot operate. This risk is known as:

Question 9 (medium, multiple choice)

A company using a SaaS application for HR management receives a data subject access request (DSAR) under GDPR from an employee. The cloud provider is the data processor. The company as data controller must respond within what timeframe?

Question 10 (hard, multiple choice)

A cloud customer is considering adopting a multi-cloud strategy to avoid vendor lock-in. Which risk is this strategy primarily intended to mitigate?

Question 11 (easy, multiple choice)

Under the CSA STAR program, which tier involves a third-party assessment resulting in a certification based on ISO 27001?

Question 12 (medium, multiple choice)

A cloud customer is terminating its contract with a cloud provider and needs to ensure all data, including backups, is permanently deleted. Which contractual clause is most relevant?

Question 13 (medium, multi-select)

A cloud customer must comply with GDPR's right to erasure (right to be forgotten). Which TWO of the following are technical challenges the customer faces when the data is stored in a cloud object storage service with versioning and cross-region replication?

Question 14 (hard, multi-select)

A cloud customer is selecting a cloud provider for hosting payment card data and must comply with PCI DSS. Which THREE of the following are valid considerations when assessing the provider's PCI DSS compliance?

Question 15 (medium, multi-select)

A company subject to SOX is using a cloud ERP system. Which THREE of the following IT general controls are essential for SOX compliance?

Question 16 (medium, multiple choice)

A multinational company headquartered in the US processes personal data of EU data subjects using a cloud service provider hosted in Singapore. Under GDPR, which legal mechanism is most appropriate for lawful transfer of personal data from the EU to Singapore?

Question 17 (hard, multiple choice)

A covered entity under HIPAA is moving electronic protected health information (ePHI) to a public cloud. What is the primary requirement before the cloud provider hosts ePHI?

Question 18 (medium, multiple choice)

A company subject to PCI DSS is considering a cloud provider to process credit card transactions. What must the cloud provider present to demonstrate compliance with PCI DSS?

Question 19 (easy, multiple choice)

A company that must comply with SOX is migrating its financial systems to a cloud service. Which of the following IT general controls is most critical for SOX compliance in the cloud?

Question 20 (medium, multiple choice)

During an eDiscovery process, a company needs to preserve data stored in AWS S3 that may be relevant to a lawsuit. Which AWS feature should be used to implement a legal hold?

Question 21 (hard, multiple choice)

A cloud customer is negotiating a contract and wants to ensure they have the right to verify the cloud provider's security controls. Which contractual provision is most important?

Question 22 (easy, multiple choice)

Which CSA STAR tier involves a third-party assessment and results in a certification based on ISO 27001?

Question 23 (medium, multiple choice)

A company is using a single cloud provider for all critical services. What is the primary risk this company faces?

Question 24 (hard, multiple choice)

Under GDPR, a cloud data controller must notify the supervisory authority of a personal data breach within what timeframe?

Question 25 (medium, multiple choice)

A cloud customer wants to ensure that when the contract ends, the cloud provider deletes all customer data, including from backups. Which contractual clause is essential?

Question 26 (easy, multiple choice)

A cloud customer is concerned about the risk of unauthorized access to data due to the shared infrastructure of a public cloud. What type of risk does this represent?

Question 27 (hard, multiple choice)

A company needs to export data from a cloud service in a machine-readable format to comply with a data subject's right to data portability under GDPR. Which format is most appropriate?

Question 28 (medium, multi-select)

A cloud customer is evaluating a provider's compliance with PCI DSS. Which two components are part of the PCI DSS shared responsibility model as referenced in Appendix A3? (Choose two.)

Question 29 (hard, multi-select)

A global company uses a cloud provider that stores data in multiple jurisdictions. During an eDiscovery request from a US court, which three challenges are most likely to arise? (Choose three.)

Question 30 (easy, multi-select)

A company is adopting a multi-cloud strategy to reduce concentration risk. Which two benefits are directly associated with this approach? (Choose two.)

Question 31 (medium, multiple choice)

A healthcare organization stores protected health information (PHI) in a cloud environment. Under HIPAA, what must the organization obtain from the cloud provider before processing PHI?

Question 32 (hard, multiple choice)

A multinational corporation collects personal data of EU residents and uses a cloud provider with data centers in the US and Asia. Under GDPR, which mechanism is appropriate for transferring data from the EU to the US data center, assuming no adequacy decision exists?

Question 33 (easy, multiple choice)

Under GDPR, what is the maximum time allowed for a data controller to notify the supervisory authority of a personal data breach?

Question 34 (medium, multiple choice)

A company is subject to PCI DSS and plans to use a cloud provider to process credit card transactions. The cloud provider has been assessed by a Qualified Security Assessor (QSA). According to PCI DSS, what must the company obtain from the provider to demonstrate compliance?

Question 35 (easy, multiple choice)

Under SOX, which of the following is an IT general control that must be implemented for financial data systems in a cloud environment?

Question 36 (medium, multiple choice)

A company is subject to a legal hold order and uses a cloud storage service with object replication across multiple regions. Which cloud feature should the company use to prevent deletion or modification of relevant data?

Question 37 (hard, multiple choice)

A cloud customer wants to ensure they can audit their cloud provider's security controls annually. Which contractual provision should be included in the cloud service agreement?

Question 38 (easy, multiple choice)

Which CSA STAR tier involves a third-party assessment against ISO 27001?

Question 39 (medium, multiple choice)

A company is evaluating the risk of using a single cloud provider for all critical workloads. Which risk is most directly associated with this scenario?

Question 40 (hard, multiple choice)

In a cloud environment, a data subject exercises their right to erasure under GDPR. The cloud provider has multiple replicas and backups. What is the primary technical challenge in fulfilling this request?

Question 41 (easy, multiple choice)

Under GDPR, what is the role of a cloud provider that processes personal data solely on behalf of a customer?

Question 42 (medium, multiple choice)

A company wants to export its data from a cloud provider to another provider upon contract termination. Which contract clause is essential to ensure the data can be exported in a usable format?

Question 43 (medium, multi-select)

A company is negotiating a cloud contract and wants to ensure data ownership and deletion. Which TWO clauses should be included? (Select two.)

Question 44 (hard, multi-select)

A global enterprise is conducting a cloud risk assessment. Which THREE factors should be considered? (Select three.)

Question 45 (medium, multi-select)

According to GDPR, which THREE are data subject rights? (Select three.)

Question 46 (medium, multiple choice)

A multinational corporation with its headquarters in the United States processes personal data of European Union data subjects using a cloud-based customer relationship management (CRM) system hosted in the United States. According to the General Data Protection Regulation (GDPR), which of the following is the company's primary obligation regarding the protection of that data?

Question 47 (medium, multiple choice)

A healthcare provider is planning to migrate its electronic health records (EHR) system to a public cloud infrastructure. The system will store protected health information (PHI). Under HIPAA, what must the healthcare provider obtain from the cloud service provider before beginning the migration?

Question 48 (hard, multiple choice)

A financial institution is required to comply with the Sarbanes-Oxley Act (SOX) for its cloud-hosted financial applications. The cloud provider is responsible for the underlying infrastructure. Which of the following controls is most likely the responsibility of the financial institution as part of IT general controls (ITGC)?

Question 49 (medium, multiple choice)

A company is subject to PCI DSS because it processes credit card transactions. It plans to use a cloud provider that is not specifically listed as a PCI DSS validated service provider. What is the most important step the company must take to ensure compliance?

Question 50 (easy, multiple choice)

Under the General Data Protection Regulation (GDPR), if a cloud service provider (acting as a data processor) suffers a personal data breach, what is the provider's obligation regarding notification?

Question 51 (hard, multiple choice)

A cloud customer is preparing for litigation and needs to place a legal hold on specific data stored in an object storage service. The cloud provider offers features such as object lock and retention policies. What is the primary challenge the customer must address to ensure the legal hold is effective across all copies of the data?

Question 52 (medium, multiple choice)

A company is negotiating a cloud service agreement and wants to ensure it can periodically assess the security of the cloud provider's operations. Which contractual clause is most directly relevant to this requirement?

Question 53 (easy, multiple choice)

Which of the following is a key requirement for data portability under the General Data Protection Regulation (GDPR)?

Question 54 (hard, multiple choice)

A multinational corporation uses multiple cloud service providers for its critical applications. The board is concerned about concentration risk. Which strategy would best address this risk?

Question 55 (medium, multiple choice)

A cloud customer is subject to eDiscovery requirements in a lawsuit. The data resides in a cloud storage service that uses encryption. What is the primary challenge in collecting this data in a forensically sound manner?

Question 56 (easy, multiple choice)

Which of the following best describes the purpose of the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program?

Question 57 (medium, multiple choice)

A cloud customer is concerned about the right to erasure under GDPR because the cloud provider replicates data across multiple regions and keeps backups. What technical challenge does this create for complying with an erasure request?

Question 58 (medium, multi-select)

A company is drafting a cloud service contract and wants to ensure it can exit the provider without losing access to its data. Which TWO clauses are most important to include?

Question 59 (hard, multi-select)

A cloud customer is assessing the risk of using a cloud provider. Which THREE factors are most important in evaluating the inherent risk of migrating data and applications to the cloud?

Question 60 (medium, multi-select)

In the context of eDiscovery, a legal hold must be placed on data stored in a cloud environment. Which THREE actions should the cloud customer take to ensure the legal hold is effective?

Question 61 (medium, multi-select)

A financial services company is migrating its customer account management system to a public cloud provider. The company is subject to SOX compliance requirements for internal controls over financial reporting. Which TWO controls are essential for the cloud environment to meet SOX IT general control requirements? (Choose two.)

Question 62 (easy, multi-select)

A healthcare organization is planning to use a cloud provider to host protected health information (PHI) subject to HIPAA. Which THREE requirements must be addressed before the organization can lawfully use the cloud for PHI? (Choose three.)

Question 63 (hard, multi-select)

A multinational corporation is implementing a multi-cloud strategy to avoid concentration risk. The risk management team is evaluating the inherent risks of using multiple cloud providers. Which THREE risks are specifically associated with a multi-cloud strategy? (Choose three.)

Question 64 (medium, multi-select)

A cloud customer is negotiating a contract with a new cloud provider. The customer wants to ensure they can maintain control over their data and verify the provider's security posture. Which TWO contractual provisions are most critical for these purposes? (Choose two.)
