Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CCSP Legal, Risk and Compliance • Complete Question Bank

CCSP Legal, Risk and Compliance — All Questions With Answers

Complete CCSP Legal, Risk and Compliance question bank — all 93 questions with answers and detailed explanations.

93 questions · Free · No signup
Question 1 (medium, multiple choice)

A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?

Question 2 (hard, multiple choice)

A financial institution uses a multi-cloud strategy with AWS and Azure. They must comply with PCI DSS. The security team found that a developer accidentally stored a file with credit card numbers in an S3 bucket that is publicly readable. Which immediate action should be taken to contain the breach?

Question 3 (easy, multiple choice)

A cloud service provider (CSP) offers a shared responsibility model. According to this model, who is responsible for patching the hypervisor?

Question 4 (medium, multiple choice)

A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

Question 5 (hard, multiple choice)

An e-commerce company uses a cloud-based web application firewall (WAF) to protect against common web exploits. The security team notices that a specific IP address is sending a high volume of requests that appear to be a DDoS attack. What is the best immediate response to mitigate the attack while minimizing impact on legitimate users?

Question 6 (easy, multiple choice)

A company is conducting a risk assessment for a new cloud service. They identify a vulnerability that could lead to a data breach. The likelihood is low, but the impact is high. According to common risk management frameworks, how should this risk be addressed?

Question 7 (medium, multiple choice)

A cloud customer wants to ensure that their data is not accessible to the cloud provider's employees. Which of the following controls would best address this requirement?

Question 8 (hard, multi select)

Which TWO of the following are required elements of a valid Business Continuity Plan (BCP) in the cloud?

Question 9 (medium, multi select)

Which THREE of the following are typical responsibilities of a cloud customer under the shared responsibility model?

Question 10 (easy, multi select)

Which TWO of the following are key components of an Information Security Management System (ISMS) as defined by ISO 27001?

Question 11 (hard, multiple choice)

Refer to the exhibit. A security engineer discovers that the S3 bucket policy allows public read access from the entire corporate network (10.0.0.0/16). However, the company wants to restrict access only to the security team's subnet (10.0.1.0/24). What modification should be made to the policy?

Exhibit

Bucket: my-company-logs
Region: us-east-1
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-company-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
Question 12 (medium, multiple choice)

Refer to the exhibit. A cloud administrator sees this error log from AWS CloudTrail. The user [email protected] is a member of the 'Analysts' group. Which of the following is the most likely cause of the AccessDenied error?

Exhibit

Error Log Entry:
Timestamp: 2024-08-15T14:23:10Z
User: [email protected]
Action: PutObject
Resource: s3://finance-reports/quarterly.xlsx
Status: AccessDenied
Source IP: 203.0.113.45
UserAgent: [ConsoleLogin]
Additional: The user does not have permissions to write to this bucket.
Question 13 (hard, multiple choice)

A healthcare organization is migrating its electronic health record (EHR) system to a public cloud. The system stores sensitive patient data subject to HIPAA. The cloud architect has designed a multi-tier architecture with load balancers, web servers, application servers, and a PostgreSQL database. The database contains ePHI. To meet compliance, the architect plans to encrypt the database at rest using AWS RDS encryption with KMS. However, during a security review, the compliance officer notes that the database backups are stored in an S3 bucket that is not encrypted. Additionally, the application logs, which may contain patient data, are sent to CloudWatch Logs without encryption. The compliance officer insists that all data stores containing ePHI must be encrypted at rest. Which action should the architect take to ensure compliance?

Question 14 (medium, multiple choice)

A multinational corporation is migrating its customer data to a cloud provider that operates data centers in multiple jurisdictions. To comply with the General Data Protection Regulation (GDPR), the company must ensure that customer data remains within the European Economic Area (EEA) unless adequate safeguards are in place. The cloud provider offers data residency options but does not guarantee that data will never be accessed from outside the EEA. What is the BEST course of action for the company?

Question 15 (hard, multiple choice)

A cloud service provider (CSP) is designing a multi-tenant infrastructure and needs to ensure that a security incident in one tenant's environment does not compromise the confidentiality or integrity of other tenants. The CSP plans to use a combination of network segmentation, hypervisor isolation, and encryption. Which additional control is MOST critical to prevent side-channel attacks that could leak cryptographic keys or other sensitive data across tenants?

Question 16 (medium, multi select)

A cloud architect is designing a disaster recovery (DR) plan for a financial services application hosted on a public cloud. The plan must meet a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. The application uses a relational database and stores files in object storage. Which TWO strategies should the architect recommend to meet these objectives?

Question 17 (hard, multiple choice)

A large healthcare organization uses a hybrid cloud environment with on-premises systems and Microsoft Azure. They store protected health information (PHI) in Azure Blob Storage and use Azure SQL Database for transactional data. The organization must comply with HIPAA and has implemented encryption at rest using Azure Storage Service Encryption and Transparent Data Encryption (TDE) for SQL. During a recent audit, the security team discovered that the organization does not have a formal process to identify and respond to security incidents that involve PHI. Additionally, the organization's backup strategy stores encrypted backups in a separate Azure region, but the backup encryption keys are managed by Azure and are not customer-controlled. The compliance officer is concerned about the ability to demonstrate HIPAA compliance in the event of an audit. Which of the following actions should the organization take FIRST to address the most critical gap?

Question 18 (easy, multiple choice)

A company is moving its customer database to a public cloud provider. The database contains personally identifiable information (PII) of European Union citizens. Which legal framework imposes requirements on the cloud customer regarding data protection and privacy in this scenario?

Question 19 (medium, multi select)

A cloud service provider (CSP) is undergoing a SOC 2 Type II audit. The auditor reviews the CSP's access control policies and identifies that user access reviews are performed quarterly. However, the auditor notes that there is no automated termination of access for terminated employees. Which TWO of the following control objectives are likely to be non-compliant based on this finding?

Question 20 (hard, multiple choice)

Refer to the exhibit. An administrator applies the S3 bucket policy shown in the exhibit to a bucket named 'data-bucket' that contains sensitive logs. The policy is intended to allow uploads only over HTTPS. After applying it, the administrator finds that uploads made with the AWS CLI over plain HTTP still succeed. What is the most likely reason?

Exhibit

---
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::data-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
---
Question 21 (medium, drag order)

Drag and drop the steps for setting up a cloud access security broker (CASB) in a SaaS environment into the correct order.

Question 22 (medium, drag order)

Drag and drop the steps for setting up a virtual private cloud (VPC) with public and private subnets in AWS into the correct order.

Question 23 (medium, matching)

Match each IAM term to its definition.

Definitions:

Trust relationship between identity providers

Single authentication for multiple systems

Multiple authentication factors

Access based on role assignments

Question 24 (medium, matching)

Match each cloud security tool to its primary purpose.

Tools:

Cloud security posture management

Cloud workload protection platform

Cloud access security broker

Security information and event management

Question 25 (easy, multiple choice)

A healthcare organization is migrating patient data to a public cloud. Which legal framework most directly governs the protection of this data?

Question 26 (medium, multiple choice)

During a cloud migration, a company discovers that data stored in a specific region must remain there per contract. The cloud provider offers data replication across regions. What is the best practice to ensure compliance?

Question 27 (hard, multiple choice)

A cloud service provider (CSP) includes a limitation of liability clause capped at the total fees paid in the past 12 months. A customer suffers a data breach due to provider negligence, losing $2M in business. The customer's annual spend is $500K. What is the customer's likely recovery?

Question 28 (easy, multiple choice)

A company wants to use a cloud service to store financial records. Which compliance framework most likely applies?

Question 29 (medium, multiple choice)

A cloud customer receives a legal hold notice for pending litigation. The data resides in multi-tenant storage. What is the most appropriate initial action?

Question 30 (hard, multiple choice)

A company uses a cloud-based intrusion detection system (IDS) that generates logs containing IP addresses. The company is headquartered in a country with data localization laws. What is the primary compliance risk?

Question 31 (easy, multiple choice)

Which risk assessment method uses subjective scales to assign probabilities and impacts?

Question 32 (medium, multiple choice)

An organization stores customer data in a cloud that is subject to GDPR. The organization uses a cloud provider that does not allow audits of its data centers. What is the best way to satisfy GDPR audit requirements?

Question 33 (hard, multiple choice)

A company is required to retain logs for 7 years per regulation. The cloud provider's default retention is 90 days. What is the most effective approach?

Question 34 (medium, multi select)

Which TWO of the following are key elements of a cloud service agreement (CSA) for legal compliance?

Question 35 (hard, multi select)

Which THREE of the following are typical requirements for compliance with eDiscovery in a cloud environment?

Question 36 (medium, multi select)

Which THREE of the following are commonly required when conducting a cloud vendor risk assessment?

Question 37 (hard, multiple choice)

A customer discovers the provider added a new sub-processor without notification. Which compliance risk is most directly exposed?

Exhibit

```
Contract Clause:
"The Provider shall ensure that all Sub-Processors adhere to a level of protection at least equivalent to that provided by this Agreement. Provider shall notify Customer of any intended changes concerning addition or replacement of Sub-Processors, thereby giving Customer the opportunity to object to such changes."
```
Question 38 (medium, multiple choice)

A company uses this IAM policy on an S3 bucket containing logs with personally identifiable information (PII). What is the most immediate compliance risk?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
```
Question 39 (easy, multiple choice)

A customer relies on this SOC 2 Type II report to assess a cloud provider's controls. What is the primary limitation of this report?

Exhibit

```
SOC 2 Type II Report Sections:
1. System Description
2. Control Criteria
3. Tests of Controls and Results (Audit period: Jan 1 - Dec 31, 2023)
Report Issued: Feb 15, 2024
```
Question 40 (easy, multiple choice)

A company is contracting with a cloud provider and wants to ensure they have visibility into the provider's security controls. Which contract clause is most important to include?

Question 41 (medium, multiple choice)

A financial services company must store customer transaction data in a cloud that complies with PCI DSS. Which of the following is a primary requirement for the cloud environment?

Question 42 (hard, multiple choice)

A multinational corporation uses a SaaS application that stores data in multiple jurisdictions. The company's legal team is concerned about cross-border data transfers under the GDPR. What is the recommended mechanism to legitimize such transfers?

Question 43 (easy, multiple choice)

A company has a contractual requirement that the CSP must delete all customer data within 30 days of contract termination. Which document should specify this requirement?

Question 44 (medium, multiple choice)

An organization wants to assess the security controls of a cloud provider before entering into a contract. What is the most efficient method?

Question 45 (hard, multiple choice)

A cloud customer is subject to the EU General Data Protection Regulation (GDPR) and uses a cloud provider that subcontracts data processing to a third party without notification. Which GDPR requirement is violated?

Question 46 (easy, multiple choice)

Which of the following is a key consideration when defining a cloud provider's liability for data breaches?

Question 47 (medium, multiple choice)

A company needs to ensure that its cloud-stored data is retained only for a specific period due to legal requirements. Which process should be automated?

Question 48 (hard, multiple choice)

An organization wants to ensure that its CSP does not access customer data for any purpose other than providing the service. Which clause should be included?

Question 49 (medium, multi select)

A company is evaluating cloud providers for compliance with the GDPR. Which TWO of the following are mandatory data protection roles under the GDPR?

Question 50 (hard, multi select)

A company is implementing a cloud risk management program. Which THREE of the following are essential components of a risk assessment according to NIST SP 800-30?

Question 51 (easy, multi select)

Which THREE of the following are typical data privacy principles found in most regulations?

Question 52 (medium, multiple choice)

Refer to the exhibit. A security analyst sees this alert. According to the shared responsibility model, who is primarily responsible for ensuring that the IAM policy correctly restricts access?

Exhibit

[2023-10-05 14:23:11] ALERT: Unauthorized access attempt detected from IP 203.0.113.50 to customer data bucket. Access denied due to IAM policy restriction. Incident ID: INC-78901.
Question 53 (hard, multiple choice)

Refer to the exhibit. A cloud administrator is reviewing this bucket policy. What is the most significant security concern?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data/*"
    }
  ]
}
Question 54 (easy, multiple choice)

Refer to the exhibit. A company uses AWS Config to evaluate compliance with a rule that requires S3 buckets to enforce SSL. What should the administrator do next?

Exhibit

$ aws configservice describe-compliance-by-config-rule --config-rule-names s3-bucket-ssl-requests-only
{
  "ComplianceByConfigRules": [
    {
      "ConfigRuleName": "s3-bucket-ssl-requests-only",
      "Compliance": "NON_COMPLIANT"
    }
  ]
}
Question 55 (easy, multiple choice)

A company stores PII in the cloud and needs to ensure compliance with GDPR. What is the first step they should take?

Question 56 (medium, multiple choice)

A cloud service provider (CSP) experiences a security incident affecting customer data. The contract requires notification within 72 hours, but the CSP fails to notify. What is the most likely legal consequence for the CSP?

Question 57 (hard, multiple choice)

An organization uses a multi-cloud strategy and wants to perform a risk assessment that accounts for the shared responsibility model. Which approach is most appropriate?

Question 58 (medium, multiple choice)

A company is migrating healthcare data to the cloud and must comply with HIPAA. They need to sign a Business Associate Agreement (BAA) with the CSP. What key element must be included in the BAA?

Question 59 (easy, multiple choice)

Which legal concept allows customers to retain ownership of data stored in the cloud regardless of where it is physically stored?

Question 60 (hard, multiple choice)

During a cloud audit, the auditor finds that the CSP's data deletion process does not meet contractual requirements. The customer's data may still be recoverable after termination. What is the best next step for the customer?

Question 61 (medium, multiple choice)

A company uses a cloud database that stores customer financial information. To ensure compliance with PCI DSS, which control is required?

Question 62 (easy, multiple choice)

What is the primary purpose of a Data Processing Agreement (DPA) between a data controller and a cloud service provider?

Question 63 (hard, multiple choice)

An organization experiences a data breach in the cloud. The CSP claims they are not liable because the breach was due to customer misconfiguration. The customer disagrees. What document should be reviewed to determine liability?

Question 64 (medium, multi select)

Which TWO of the following are required for GDPR compliance when processing personal data in the cloud?

Question 65 (hard, multi select)

Which THREE of the following are key considerations when conducting a cloud risk assessment?

Question 66 (easy, multi select)

Which TWO of the following are examples of data sovereignty laws that directly affect cloud data storage?

Question 67 (medium, multiple choice)

Refer to the exhibit. An organization has this S3 bucket policy for a bucket containing sensitive customer data. What is the primary risk associated with this policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
Question 68 (hard, multiple choice)

Refer to the exhibit. A security engineer reviews this CloudTrail log entry. The company has a policy that all deletion operations must be approved by the compliance team. What is the most likely compliance issue?

Exhibit

{
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObject",
  "requestParameters": {
    "bucketName": "prod-customer-data",
    "key": "records/2023/01/taxinfo.csv"
  },
  "userIdentity": {
    "arn": "arn:aws:iam::123456789012:user/john.doe",
    "accountId": "123456789012"
  },
  "sourceIPAddress": "10.0.0.5",
  "responseElements": {
    "x-amz-id-2": "example"
  }
}
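The exhibit for Question 68 is a single CloudTrail record; in practice the compliance team would want a rule that scans the whole event stream for calls like it. The following Python is an added example, not code from this page or from AWS. It walks CloudTrail S3 data-event records and flags successful destructive calls on protected buckets made by anything other than an assumed role, named here hypothetically compliance-approved-deletion, through which approved deletions are assumed to be performed. The protected-bucket set, the role ARN and all records except the first, which mirrors the exhibit, are constructed for the example.

```python
# Added example, not code from the page or from AWS: a detection pass over
# CloudTrail S3 data-event records like the exhibit in Question 68 (the denied
# write in Question 12 is the same record shape with an errorCode). It flags
# successful destructive calls against protected buckets made by any principal
# other than the role the approval process is assumed to act through. The bucket
# set, the approved role ARN and all records below are constructed; only the
# first record mirrors the exhibit.
PROTECTED_BUCKETS = {"prod-customer-data", "finance-reports"}
DESTRUCTIVE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket",
                      "PutBucketLifecycle", "PutBucketVersioning"}
APPROVED_DELETION_ROLE = "arn:aws:iam::123456789012:role/compliance-approved-deletion"  # assumed

def _acting_role(identity):
    """For an assumed-role session CloudTrail names the role in sessionIssuer."""
    return (identity.get("sessionContext", {})
                    .get("sessionIssuer", {})
                    .get("arn"))

def destructive_s3_findings(records):
    """Return one finding per successful destructive call on a protected bucket
    that did not go through the approved deletion role."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in DESTRUCTIVE_EVENTS:
            continue
        if rec.get("errorCode"):
            continue  # denied or failed calls changed nothing; alert on them elsewhere
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if bucket not in PROTECTED_BUCKETS:
            continue
        identity = rec.get("userIdentity", {})
        if _acting_role(identity) == APPROVED_DELETION_ROLE:
            continue
        findings.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec["eventName"],
            "bucket": bucket,
            "key": rec.get("requestParameters", {}).get("key"),
            "actor": identity.get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
        })
    return findings

SAMPLE_RECORDS = [
    {   # mirrors the Question 68 exhibit: an IAM user deleted a record directly
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
        "requestParameters": {"bucketName": "prod-customer-data", "key": "records/2023/01/taxinfo.csv"},
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/john.doe",
                         "accountId": "123456789012"},
        "sourceIPAddress": "10.0.0.5",
    },
    {   # constructed: the same kind of deletion through the approved role's session
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "eventTime": "2023-02-01T10:00:00Z",
        "requestParameters": {"bucketName": "prod-customer-data", "key": "records/2022/12/old.csv"},
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/compliance-approved-deletion/ticket-4711",
                         "sessionContext": {"sessionIssuer": {"arn": APPROVED_DELETION_ROLE}}},
        "sourceIPAddress": "10.0.0.9",
    },
    {   # constructed: a deletion S3 refused, so nothing was destroyed
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "eventTime": "2023-02-01T10:05:00Z",
        "errorCode": "AccessDenied",
        "requestParameters": {"bucketName": "finance-reports", "key": "quarterly.xlsx"},
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/analyst"},
        "sourceIPAddress": "203.0.113.45",
    },
    {   # constructed: a bucket outside the protected set
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "eventTime": "2023-02-01T10:06:00Z",
        "requestParameters": {"bucketName": "scratch-exports", "key": "tmp.bin"},
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/john.doe"},
        "sourceIPAddress": "10.0.0.5",
    },
]

if __name__ == "__main__":
    for finding in destructive_s3_findings(SAMPLE_RECORDS):
        print(finding)
```

The record copied from the exhibit has no errorCode, so the delete succeeded and is reported; the constructed AccessDenied record, which has the shape of the denied write in Question 12, is skipped because nothing was destroyed. Detection of this kind is after the fact: where the page's legal-hold and retention questions apply, S3 Object Lock (a legal hold or compliance-mode retention) makes deleting a locked object version fail outright, which is the preventive control to pair with this rule.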
Question 69 (easy, multiple choice)

Refer to the exhibit. A cloud administrator discovers this Azure role assignment in the Finance resource group. The role definition ID corresponds to 'Storage Blob Data Contributor'. What is the immediate compliance concern?

Exhibit

{
  "properties": {
    "roleDefinitionId": "/subscriptions/.../providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
    "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "scope": "/subscriptions/.../resourceGroups/Finance/providers/Microsoft.Storage/storageAccounts/finance-data",
    "condition": null
  }
}
Question 70 (easy, multiple choice)

A cloud service provider stores customer data in a multi-tenant environment. A customer from the European Union requests that all personal data be encrypted at rest to comply with GDPR. What is the primary reason for this requirement?

Question 71 (medium, multiple choice)

A company identifies a high-risk vulnerability in a cloud application. The cost to remediate is significantly higher than the potential loss from exploitation. Which risk treatment strategy is most appropriate?

Question 72 (hard, multiple choice)

During litigation, a company receives a legal hold notice for electronically stored information (ESI) in a cloud environment. The cloud provider's standard service agreement includes a clause that automatically deletes data 30 days after termination of service. What should the company do to ensure compliance?

Question 73 (easy, multiple choice)

A US-based company uses a cloud provider with data centers in the US and Europe. To transfer personal data of EU citizens to the US, which mechanism is most appropriate under GDPR?

Question 74 (medium, multiple choice)

A client is negotiating a cloud service agreement and wants to conduct on-site audits of the provider's data centers. The provider argues that on-site audits are unnecessary due to SOC 2 reports. Which is the best approach for the client?

Question 75 (hard, multiple choice)

A cloud customer is subject to the Health Insurance Portability and Accountability Act (HIPAA). They are considering using a cloud provider that offers infrastructure as a service (IaaS). Which of the following is the customer's responsibility under the HIPAA shared responsibility model?

Question 76 (medium, multiple choice)

A company is performing a risk assessment of its cloud environment. They have identified a risk with a likelihood of 4 (on a scale of 1-5) and an impact of 3 (on a scale of 1-5). The company decides to implement controls that will reduce the likelihood to 2 and impact to 1. What is the residual risk score after controls?

Question 77 (hard, multiple choice)

A cloud provider experiences a data breach affecting customer data. Which of the following laws most likely requires the provider to notify affected customers within 72 hours?

Question 78 (easy, multiple choice)

A company wants to ensure that its cloud provider's data deletion process is verifiable. Which of the following should the company require in the service level agreement?

Question 79 (medium, multi select)

Which THREE of the following are key components of a data protection impact assessment (DPIA) under GDPR?

Question 80 (medium, multi select)

Which TWO of the following are common risk treatment options in cloud risk management?

Question 81 (hard, multi select)

Which TWO of the following are requirements for a cloud service agreement to comply with the European Data Protection Board (EDPB) guidelines on data processing?

Question 82 (medium, multiple choice)

Refer to the exhibit. An administrator is reviewing an AWS S3 bucket policy. Based on the policy, which of the following is true?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
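The bucket-policy exhibits in Questions 11, 20, 67 and 82 all turn on how a single condition is evaluated, which is hard to see from the JSON alone. The following Python is an added example, not code from this page or from AWS: a toy evaluator that reproduces only the part of IAM evaluation those four exhibits exercise. The callers, object keys and source addresses it uses are constructed; the account ID 123456789012 is the one the page's other exhibits use. It deliberately treats a statement without a Principal as never applying, because S3 rejects a bucket policy that lacks one.

```python
# Added example, not code from the page or from AWS: a toy bucket-policy evaluator
# for the exhibits in Questions 11, 20, 67 and 82. It models only what they
# exercise: an explicit Deny beats any Allow; a statement applies only when
# Principal, Action, Resource and every Condition match; the operator matters
# (IpAddress does CIDR matching, StringEquals compares the literal string, Bool
# compares "true"/"false"); a key absent from the request context never matches.
# Policies, callers and request contexts below are constructed for the example.
import ipaddress
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller):
    # S3 rejects a bucket policy whose statement has no Principal, so such a
    # statement is never in effect; model that as "does not apply".
    if principal is None:
        return False
    if principal == "*" or principal == {"AWS": "*"}:
        return True
    if isinstance(principal, dict):
        return caller in _as_list(principal.get("AWS", []))
    return principal == caller

def _condition_matches(operator, key, expected, context):
    actual = context.get(key)
    if actual is None:
        return False  # absent key: the positive operators do not match
    expected = [str(e) for e in _as_list(expected)]
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(e, strict=False) for e in expected)
    if operator == "StringEquals":
        return actual in expected
    if operator == "Bool":
        return str(actual).lower() in [e.lower() for e in expected]
    raise ValueError(f"operator not modelled: {operator}")

def _statement_applies(stmt, req):
    if not _principal_matches(stmt.get("Principal"), req["caller"]):
        return False
    if not any(fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, req["context"]):
                return False
    return True

def evaluate(policy, req):
    """Return 'DENY' (explicit), 'ALLOW' or 'IMPLICIT_DENY' for one request."""
    decision = "IMPLICIT_DENY"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, req):
            if stmt["Effect"] == "Deny":
                return "DENY"  # an explicit Deny ends evaluation
            decision = "ALLOW"
    return decision

def request(action, resource, caller="anonymous", **context):
    return {"action": action, "resource": resource, "caller": caller, "context": context}

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def q11_restrict_by_source_ip(cidr):
    """Question 11: the CIDR in the IpAddress condition decides who may read."""
    p = policy({"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::my-company-logs/*",
                "Condition": {"IpAddress": {"aws:SourceIp": cidr}}})
    obj = "arn:aws:s3:::my-company-logs/app.log"
    return (evaluate(p, request("s3:GetObject", obj, **{"aws:SourceIp": "10.0.1.25"})),
            evaluate(p, request("s3:GetObject", obj, **{"aws:SourceIp": "10.0.7.25"})))

def q20_secure_transport(with_principal):
    """Question 20: the Deny on aws:SecureTransport only fires with a Principal."""
    deny = {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::data-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    if with_principal:
        deny["Principal"] = "*"
    http_put = request("s3:PutObject", "arn:aws:s3:::data-bucket/x.log",
                       "arn:aws:iam::123456789012:user/dev", **{"aws:SecureTransport": "false"})
    return evaluate(policy(deny), http_put)

def q67_q82_condition_pitfalls():
    """Question 67: s3:x-amz-server-side-encryption is a PUT request header, so a
    GetObject request carries no such key and the Allow never matches.
    Question 82: StringEquals compares aws:SourceIp as text; IpAddress does CIDR."""
    sse = policy({"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-bucket/*",
                  "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}}})
    out = {"q67_get": evaluate(sse, request("s3:GetObject", "arn:aws:s3:::example-bucket/pii.csv"))}
    for op in ("StringEquals", "IpAddress"):
        p = policy({"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::example-bucket/*",
                    "Condition": {op: {"aws:SourceIp": "192.0.2.0/24"}}})
        out["q82_" + op] = evaluate(p, request("s3:GetObject", "arn:aws:s3:::example-bucket/a.txt",
                                               **{"aws:SourceIp": "192.0.2.10"}))
    return out
```

Two caveats the evaluator makes visible. First, aws:SourceIp is the address S3 sees on the public endpoint; for a request that arrives through a VPC endpoint that key does not carry the caller's private address, and the key for that case is aws:VpcSourceIp, so the private-range condition in Question 11 only behaves as intended if those addresses really reach S3 unchanged. Second, the Deny in q20_secure_transport once it has Principal "*" is the statement the AWS Config rule s3-bucket-ssl-requests-only in Question 54 checks a bucket for.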
Question 83 (hard, multiple choice)

Your organization, a healthcare provider subject to HIPAA, has migrated electronic protected health information (ePHI) to a public cloud IaaS provider. The cloud provider offers default encryption at rest using their managed key service. During a recent audit, it was discovered that the encryption keys are generated and stored by the cloud provider without any customer involvement. The auditor states that this arrangement may violate HIPAA requirements because the covered entity does not have exclusive control over the keys. You need to ensure compliance while maintaining cost efficiency. After discussing with the cloud provider, they suggest the following options:

A. Enable client-side encryption using a custom key management system (KMS) on the customer's premises.
B. Use the provider's default encryption and rely on their BAA that states they will protect the keys.
C. Implement a third-party key management solution that stores keys in the cloud but is controlled by the customer.
D. Disable encryption and rely on access controls and auditing only.

Which option best addresses the compliance requirement while considering the operational impact?

Question 84 (medium, multiple choice)

A multinational corporation uses a SaaS application for customer relationship management (CRM). The CRM application stores customer data including names, email addresses, and purchase history. The company has operations in the EU, California, and Japan. A new regulation in Japan requires that any transfer of personal data outside Japan must have the data subject's consent if the destination country does not have an adequacy decision. The company's cloud provider stores data in the United States. The company currently relies on the provider's data processing agreement, which includes standard contractual clauses (SCCs). However, the Japanese regulator has stated that SCCs are not sufficient for transfers from Japan unless supplemented. You are tasked with ensuring compliance for Japanese data subjects. Which of the following is the most appropriate next step?

A. Obtain explicit consent from each Japanese data subject for data transfer to the US.
B. Move the data for Japanese subjects to a data center in Japan.
C. Continue using SCCs as they are recognized internationally.
D. Pseudonymize the data before transfer.

Which option best addresses the compliance requirement while considering the operational impact?

Question 85 (easy, multiple choice)

A regional bank is migrating its customer data to a cloud provider that offers services in multiple jurisdictions. The bank's legal team is concerned about compliance with data protection regulations, specifically regarding the right to be forgotten. During a review, the bank discovers that the cloud provider's data deletion process takes up to 90 days for archived data. The bank needs to ensure it can comply with customer deletion requests within 30 days as required by GDPR. What should the bank do?

Question 86 (medium, multiple choice)

A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?

Question 87 (hard, multiple choice)

A healthcare company uses a cloud-based patient management system. The cloud provider experiences a security incident that may have exposed protected health information (PHI). The provider notifies the company within 72 hours, as required by the service agreement. The company's internal breach response policy requires a legal review of the incident before notifying affected individuals. The legal review typically takes 48 hours. However, the company is required to notify patients within 60 days under HIPAA. With the 72-hour notification from the provider, the company has 60 days to notify patients. What is the most effective approach to meet the 60-day notification requirement while ensuring compliance with internal policy?

Question 88 (easy, multiple choice)

A company receives an erasure request under GDPR. The cloud provider can delete from active storage within 24 hours but requires 90 days to delete from archives. The company has a contractual obligation to ensure deletion within 30 days. What should the company do?

Question 89 (medium, multiple choice)

A defense contractor uses a cloud provider that is FedRAMP authorized at the Moderate impact level. The contractor's contract requires compliance with DFARS 252.204-7012, which mandates safeguarding covered defense information (CDI) and reporting cyber incidents. The contractor's security team wants to ensure the cloud provider's security controls are adequate. The provider offers a FedRAMP package that includes a System Security Plan (SSP) and a Security Assessment Report (SAR). The contractor's legal department has determined that if the provider is FedRAMP authorized, the audit requirements are satisfied. What is the most efficient way to verify compliance?

Question 90 (hard, multi-select)

Which TWO of the following are primary responsibilities of a cloud service customer under the shared responsibility model regarding compliance with regulations such as GDPR?

Question 91 (easy, multi-select)

A multinational corporation stores customer data in an AWS S3 bucket located in the US. The company's European customers' personal data must comply with GDPR. Which TWO actions should the company take to ensure compliance with GDPR data transfer requirements?

Question 92 (medium, multiple choice)

Refer to the exhibit. A security analyst discovers this bucket policy attached to an S3 bucket containing sensitive customer data. What is the MOST significant security risk posed by this policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-data/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Question 93 (hard, multiple choice)

A healthcare company, MedSecure, is migrating its critical patient record application to a public cloud IaaS environment. The application processes Protected Health Information (PHI) subject to HIPAA in the US and also includes some patient data from EU residents subject to GDPR. MedSecure has signed Business Associate Agreements (BAAs) with the cloud provider covering US HIPAA compliance. However, the compliance officer is concerned about GDPR requirements for EU patient data. The architecture uses AWS EC2 instances behind an Application Load Balancer, with data stored in Amazon RDS (MySQL) using encryption at rest and TLS for transmission. The company uses AWS CloudTrail for logging but only retains logs for 90 days. The compliance officer has identified that the current logging retention does not meet the GDPR requirement for logs to be retained for a minimum of 12 months for audit purposes. Additionally, the data stored in RDS is in a single AWS region in the US (us-east-1). The company plans to expand to EU customers. The GDPR requires that personal data of EU residents be stored in the EU or have adequate safeguards for transfer. Currently, the company has not implemented any data residency controls. What course of action should MedSecure take to address the most critical compliance gaps?
