CCNA Legal, Risk, and Compliance Questions

64 questions · Legal, Risk, and Compliance · All types, answers revealed

1
MCQ · medium

A company is subject to PCI DSS and plans to use a cloud provider to process credit card transactions. The cloud provider has been assessed by a Qualified Security Assessor (QSA). According to PCI DSS, what must the company obtain from the provider to demonstrate compliance?

A. The provider's PCI DSS Attestation of Compliance (AOC) and Responsibility Matrix
B. A signed Business Associate Agreement
C. An ISO 27001 certificate
D. A SOC 2 Type II report
Answer: A

Correct. The AOC and Responsibility Matrix show the provider's compliance scope and responsibilities.

Why this answer

PCI DSS requires that the service provider's responsibilities are mapped in a Cloud Provider Responsibility Matrix, typically in Appendix A3. Additionally, the customer must obtain evidence of the provider's QSA assessment.

2
MCQ · hard

A cloud customer is preparing for litigation and needs to place a legal hold on specific data stored in an object storage service. The cloud provider offers features such as object lock and retention policies. What is the primary challenge the customer must address to ensure the legal hold is effective across all copies of the data?

A. Ensuring that the legal hold is time-limited and automatically expires after 90 days.
B. Ensuring that the legal hold is applied to all copies of the data, including replicas and backups, and that the hold prevents modification as well as deletion.
C. Verifying that the cloud provider has a backup of the data in a different geographic region.
D. Obtaining a court order that specifically authorizes the cloud provider to preserve the data.
Answer: B

This covers the main challenge: comprehensive hold across all copies.

Why this answer

In cloud environments, data may be replicated across multiple regions or stored in backups. A legal hold must prevent deletion or alteration of all copies, including replicas and backups. Failure to apply the hold to every copy can result in spoliation.

3
Multi-Select · medium

A company subject to SOX is using a cloud ERP system. Which THREE of the following IT general controls are essential for SOX compliance?

Select 3 answers
A. Audit logging of user activities and system changes
B. Physical security of the cloud provider's data centers
C. Access controls to ensure segregation of duties
D. Change management procedures for the ERP system
E. Multi-factor authentication for all cloud provider administrators
Answers: A, C, D

Logs provide evidence of control effectiveness.

Why this answer

SOX IT general controls include change management (ensuring system changes are controlled), access controls (preventing unauthorized access), and audit logs (monitoring and accountability).

4
Multi-Select · medium

A cloud customer must comply with GDPR's right to erasure (right to be forgotten). Which TWO of the following are technical challenges the customer faces when the data is stored in a cloud object storage service with versioning and cross-region replication?

Select 2 answers
A. Ensuring data is accessible only via a specific IP range
B. Removing previous versions of objects
C. Encrypting the data at rest with customer-managed keys
D. Exporting data in a machine-readable format
E. Deleting data from all replicated copies across regions
Answers: B, E

Versioning preserves old versions that must be deleted.

Why this answer

GDPR right to erasure requires deletion of all copies. Versioning creates multiple versions that must be deleted. Cross-region replication creates additional copies in other regions that must also be deleted.

5
MCQ · easy

Which CSA STAR tier involves a third-party assessment against ISO 27001?

A. Tier 4 – Peer review
B. Tier 1 – Self-assessment
C. Tier 3 – Continuous monitoring
D. Tier 2 – Third-party assessment
Answer: D

Correct. Tier 2 includes certification based on ISO 27001.

Why this answer

The CSA STAR (Security, Trust, Assurance, and Risk) program has three tiers: Tier 1 (Self-Assessment), Tier 2 (Third-Party Assessment), and Tier 3 (Continuous Monitoring). Tier 2 specifically requires a third-party assessment against the ISO/IEC 27001 standard, where an accredited certification body audits the cloud service provider's Information Security Management System (ISMS) for compliance. This tier provides a higher level of assurance than self-assessment, as it involves independent validation of security controls.

Exam trap

Cisco often tests the misconception that Tier 2 is the 'self-assessment' tier, confusing it with Tier 1, or that there is a Tier 4 for peer review, which does not exist in the CSA STAR framework.

How to eliminate wrong answers

Option A is wrong because Tier 4 does not exist in the CSA STAR program; the tiers are limited to 1, 2, and 3, and 'Peer review' is not a defined tier. Option B is wrong because Tier 1 is the Self-Assessment tier, which involves the cloud provider completing a Consensus Assessments Initiative Questionnaire (CAIQ) without any third-party involvement or ISO 27001 audit. Option C is wrong because Tier 3 is Continuous Monitoring, which focuses on ongoing security telemetry and automated reporting (e.g., via the CSA STAR Watch program), not a one-time third-party assessment against ISO 27001.

6
Multi-Select · medium

A cloud customer is evaluating a provider's compliance with PCI DSS. Which two components are part of the PCI DSS shared responsibility model as referenced in Appendix A3? (Choose two.)

Select 2 answers
A. Network perimeter controls
B. Physical security of data centers
C. User access management
D. Application security for custom code
E. Encryption key management
Answers: B, C

The cloud provider is responsible for physical security.

Why this answer

PCI DSS Appendix A3 requires a Cloud Provider Responsibility Matrix that delineates responsibilities; typical shared responsibilities include physical security (provider) and access controls (customer).

7
MCQ · hard

A cloud customer wants to ensure they can audit their cloud provider's security controls annually. Which contractual provision should be included in the cloud service agreement?

A. Service level agreement (SLA) with uptime guarantees
B. Data deletion clause
C. Data portability clause
D. Right to audit clause
Answer: D

Correct. A right to audit clause provides the legal basis for auditing the provider.

Why this answer

A right to audit clause gives the customer the contractual ability to perform audits, review security reports, or bring in a third-party auditor.

8
Multi-Select · easy

A healthcare organization is planning to use a cloud provider to host protected health information (PHI) subject to HIPAA. Which THREE requirements must be addressed before the organization can lawfully use the cloud for PHI? (Choose three.)

Select 3 answers
A. Configure access controls to limit PHI access to authorized personnel
B. Sign a Business Associate Agreement (BAA) with the cloud provider
C. Implement data portability features to export PHI
D. Ensure encryption of PHI at rest and in transit
E. Conduct quarterly penetration testing on the cloud infrastructure
Answers: A, B, D

Access controls are required to ensure only authorized individuals can access PHI.

Why this answer

Under HIPAA, a covered entity must have a Business Associate Agreement (BAA) with the cloud provider, ensure encryption of PHI at rest and in transit, and implement access controls. Penetration testing is not a HIPAA requirement but a good practice, and data portability is not a HIPAA requirement.

9
MCQ · medium

A cloud customer is terminating its contract with a cloud provider and needs to ensure all data, including backups, is permanently deleted. Which contractual clause is most relevant?

A. Service Level Agreement
B. Data deletion clause
C. Data portability clause
D. Right to audit clause
Answer: B

This clause ensures data is securely deleted after contract end.

Why this answer

Data deletion clauses specify the provider's obligation to delete customer data, including from backups, upon termination.

10
MCQ · medium

A company is subject to PCI DSS because it processes credit card transactions. It plans to use a cloud provider that is not specifically listed as a PCI DSS validated service provider. What is the most important step the company must take to ensure compliance?

A. The company must sign a Business Associate Agreement (BAA) with the cloud provider.
B. The company must conduct its own on-site audit of the cloud provider's data centers.
C. The company must ensure that the cloud provider encrypts all cardholder data at rest and in transit.
D. The company must obtain a copy of the cloud provider's PCI DSS Attestation of Compliance (AOC) and ensure the provider is assessed by a Qualified Security Assessor (QSA).
Answer: D

The customer must verify the provider's PCI DSS compliance through a valid AOC.

Why this answer

PCI DSS requires that if a cloud provider is not already validated, the customer must ensure the provider undergoes a PCI DSS assessment. The shared responsibility matrix (SRM) is used to delineate which controls are the provider's and which are the customer's.

11
MCQ · medium

A company is negotiating a cloud service agreement and wants to ensure it can periodically assess the security of the cloud provider's operations. Which contractual clause is most directly relevant to this requirement?

A. Right to Audit clause permitting the customer to review the provider's security controls and certifications
B. Data portability clause ensuring data can be exported in a usable format
C. Service Level Agreement (SLA) with uptime guarantees
D. Data deletion clause specifying how data is deleted after contract termination
Answer: A

This is the correct clause for security assessment.

Why this answer

A right to audit clause allows the customer to conduct or commission audits of the provider's controls. This is a key contract consideration for cloud customers.

12
MCQ · medium

A multinational company operating in the EU uses a cloud service provider based in the US to process personal data of EU data subjects. The company is considered a data controller under the GDPR. Which of the following must the company ensure is in place to lawfully transfer personal data from the EU to the US?

A. A binding corporate rule approved by the US Department of Commerce
B. Standard Contractual Clauses adopted by the European Commission
C. An adequacy decision by the US Federal Trade Commission
D. A data processing agreement solely between the cloud provider and the data subjects
Answer: B

SCCs are a standard data transfer mechanism under GDPR for transfers to third countries.

Why this answer

Under GDPR, transfers of personal data to third countries require an adequate level of protection. Standard Contractual Clauses (SCCs) are a valid transfer mechanism approved by the European Commission.

13
MCQ · easy

Under GDPR, what is the maximum time allowed for a data controller to notify the supervisory authority of a personal data breach?

A. 7 days
B. 24 hours
C. 72 hours
D. 48 hours
Answer: C

Correct. The GDPR requires notification within 72 hours.

Why this answer

GDPR Article 33 requires notification within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to rights and freedoms.

14
MCQ · easy

Under GDPR, what is the role of a cloud provider that processes personal data solely on behalf of a customer?

A. Data controller
B. Supervisory authority
C. Data subject
D. Data processor
Answer: D

Correct. The provider processes data on behalf of the controller.

Why this answer

The cloud provider is a data processor, as it processes data on behalf of the data controller (the customer).

15
MCQ · easy

Under SOX, which of the following is an IT general control that must be implemented for financial data systems in a cloud environment?

A. Access controls over financial systems
B. Data encryption at rest
C. Multi-factor authentication
D. Annual penetration testing
Answer: A

Correct. Access controls are a fundamental ITGC under SOX.

Why this answer

SOX requires IT general controls (ITGCs) such as access controls to ensure the integrity of financial data. Audit logs support monitoring but are not the only control.

16
Multi-Select · medium

A cloud customer is negotiating a contract with a new cloud provider. The customer wants to ensure they can maintain control over their data and verify the provider's security posture. Which TWO contractual provisions are most critical for these purposes? (Choose two.)

Select 2 answers
A. Data portability clause to export data in a usable format
B. Data ownership clause specifying customer retains all rights to data
C. Data deletion clause for removal upon contract termination
D. Service Level Agreement (SLA) for uptime and performance
E. Right to audit the cloud provider's security controls
Answers: B, E

This ensures the provider does not claim ownership of customer data.

Why this answer

Option B is correct because a data ownership clause explicitly states that the customer retains all rights, title, and interest in their data, ensuring legal control even when data is stored on the provider's infrastructure. This clause is foundational for maintaining data sovereignty and preventing the provider from claiming any ownership or usage rights over the customer's data.

Exam trap

Cisco often tests the distinction between contractual clauses that provide legal ownership (data ownership) versus operational capabilities (data portability, deletion) versus performance guarantees (SLA), and candidates frequently confuse the right to audit with a general SLA or data portability clause.

17
MCQ · hard

A cloud customer needs to comply with PCI DSS for a cardholder data environment (CDE) hosted on an IaaS platform. According to PCI DSS Appendix A3, which document is critical to define the security responsibilities between the customer and the cloud provider?

A. Cloud Provider Responsibility Matrix
B. Service Organization Control (SOC) 2 report
C. Business Associate Agreement (BAA)
D. Data Processing Agreement (DPA)
Answer: A

This matrix is specifically mandated by PCI DSS for cloud environments.

Why this answer

PCI DSS Appendix A3 requires cloud customers and providers to clearly define and document their respective security responsibilities for the cardholder data environment (CDE). The Cloud Provider Responsibility Matrix (often called a Shared Responsibility Matrix) is the critical document that delineates which party is responsible for each security control, such as firewall management, patch management, and access controls, ensuring compliance with PCI DSS requirements.

Exam trap

Cisco often tests the distinction between compliance-specific documents (like the Responsibility Matrix for PCI DSS) and general operational or regulatory documents (like SOC 2, BAA, or DPA), leading candidates to confuse a broad audit report or a different regulation's agreement with the precise shared responsibility definition required by PCI DSS Appendix A3.

How to eliminate wrong answers

Option B is wrong because a Service Organization Control (SOC) 2 report provides an independent auditor's assessment of a service provider's controls relevant to security, availability, processing integrity, confidentiality, or privacy, but it does not define the specific division of security responsibilities between the customer and the provider for PCI DSS compliance. Option C is wrong because a Business Associate Agreement (BAA) is specific to HIPAA compliance for protected health information (PHI) and has no relevance to PCI DSS or cardholder data environments. Option D is wrong because a Data Processing Agreement (DPA) is used under GDPR to govern the processing of personal data by a data processor, not to define security responsibilities for PCI DSS compliance in a cloud CDE.

18
MCQ · easy

Which of the following is a key requirement for data portability under the General Data Protection Regulation (GDPR)?

A. Data must be transferred directly to the data subject's own device.
B. Data must be provided in a structured, commonly used, and machine-readable format.
C. Data portability applies only to pseudonymized data.
D. Data must be deleted within 30 days of a portability request.
Answer: B

This is the core requirement of the right to data portability.

Why this answer

GDPR Article 20 gives data subjects the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. This includes the cloud provider providing export functionality.

19
MCQ · hard

A multinational corporation collects personal data of EU residents and uses a cloud provider with data centers in the US and Asia. Under GDPR, which mechanism is appropriate for transferring data from the EU to the US data center, assuming no adequacy decision exists?

A. Adequacy decision by the US
B. Data Subject's explicit consent
C. Binding Corporate Rules (BCRs)
D. Standard Contractual Clauses (SCCs)
Answer: D

Correct. SCCs are a common transfer mechanism for data transfers to non-adequate countries.

Why this answer

Standard Contractual Clauses (SCCs) are a GDPR-approved mechanism for lawful data transfers to countries without an adequacy decision, provided the parties contractually commit to GDPR protections.

20
MCQ · hard

A cloud customer is negotiating a contract and wants to ensure they have the right to verify the cloud provider's security controls. Which contractual provision is most important?

A. Data portability clause
B. Data deletion clause
C. Right to audit clause
D. Service Level Agreement (SLA) for uptime
Answer: C

This clause explicitly permits the customer to audit the provider's security controls.

Why this answer

A right to audit clause gives the customer the ability to review the provider's security measures, often through independent reports or on-site assessments.

21
MCQ · medium

A healthcare organization stores protected health information (PHI) in a cloud environment. Under HIPAA, what must the organization obtain from the cloud provider before processing PHI?

A. A Data Processing Agreement (DPA) under GDPR
B. A Business Associate Agreement (BAA)
C. A Service Organization Control (SOC) 2 report
D. An ISO 27001 certification
Answer: B

Correct. A BAA is legally required under HIPAA for any business associate that handles PHI.

Why this answer

HIPAA requires a covered entity to obtain a Business Associate Agreement (BAA) from any cloud provider that will handle PHI. The BAA ensures the provider agrees to safeguard the PHI appropriately.

22
MCQ · medium

A multinational company headquartered in the US processes personal data of EU data subjects using a cloud service provider hosted in Singapore. Under GDPR, which legal mechanism is most appropriate for lawful transfer of personal data from the EU to Singapore?

A. Standard Contractual Clauses (SCCs)
B. Binding Corporate Rules (BCRs)
C. Adequacy decision by the European Commission
D. Data Protection Agreement (DPA) with the cloud provider
Answer: A

SCCs are approved by the European Commission and can be used as a transfer mechanism to a cloud provider in a non-adequate country.

Why this answer

GDPR requires an appropriate safeguard for transfers to third countries without an adequacy decision. Standard Contractual Clauses (SCCs) are a common mechanism.

23
Multi-Select · hard

A cloud customer is assessing the risk of using a cloud provider. Which THREE factors are most important in evaluating the inherent risk of migrating data and applications to the cloud?

Select 3 answers
A. Data leaving the customer's direct control and being stored on shared infrastructure
B. Dependence on the provider's security controls and the risk of a provider-side breach affecting multiple tenants
C. The provider's compliance certifications (e.g., ISO 27001, SOC 2)
D. The shared responsibility model and potential for misconfiguration by the customer
E. The provider's physical security controls at data centers
Answers: A, B, D

Loss of physical control is an inherent risk.

Why this answer

Inherent risk includes data leaving the customer's premises, the shared infrastructure model (multi-tenancy), and dependency on the provider's security controls. These are fundamental to cloud risk assessment.

24
MCQ · medium

A company using a SaaS application for HR management receives a data subject access request (DSAR) under GDPR from an employee. The cloud provider is the data processor. The company as data controller must respond within what timeframe?

A. One month
B. 90 days
C. 45 days
D. 72 hours
Answer: A

GDPR Article 12 specifies one month for responses to data subject requests.

Why this answer

GDPR requires the controller to respond to data subject requests without undue delay and in any event within one month of receipt.

25
MCQ · medium

A cloud customer is subject to eDiscovery requirements in a lawsuit. The data resides in a cloud storage service that uses encryption. What is the primary challenge in collecting this data in a forensically sound manner?

A. Obtaining a search warrant for data stored in the cloud
B. Decrypting the data without the encryption keys
C. Ensuring the integrity and chain of custody when data is collected via API or provider tools rather than physical seizure
D. Identifying the specific geographic location of the data
Answer: C

Lack of physical access forces reliance on the provider's tools, which makes chain of custody harder to establish.

Why this answer

Cloud environments often lack physical access, and data may be distributed across multiple servers and jurisdictions. Ensuring the collection methodology preserves integrity and metadata is challenging without provider cooperation.

26
MCQ · medium

A company wants to export its data from a cloud provider to another provider upon contract termination. Which contract clause is essential to ensure the data can be exported in a usable format?

A. Service level agreement
B. Data portability clause
C. Right to audit
D. Data deletion clause
Answer: B

Correct. This clause ensures the ability to export data.

Why this answer

A data portability clause ensures the customer has the right to export data in a machine-readable format, often with provider assistance.

27
Multi-Select · hard

A global company uses a cloud provider that stores data in multiple jurisdictions. During an eDiscovery request from a US court, which three challenges are most likely to arise? (Choose three.)

Select 3 answers
A. Jurisdictional conflicts over which court has authority
B. Lack of encryption options
C. Ensuring data is preserved without alteration (legal hold)
D. Inability to perform forensically sound collection due to lack of physical access
E. Excessive cost of cloud storage
Answers: A, C, D

Data in multiple countries may be subject to conflicting laws.

Why this answer

eDiscovery in the cloud poses jurisdictional conflicts, data access limitations, and data preservation challenges.

28
MCQ · easy

When assessing cloud risk, an organization identifies that if a single cloud provider fails, the organization cannot operate. This risk is known as:

A. Third-party risk
B. Inherent risk
C. Concentration risk
D. Residual risk
Answer: C

This is the risk of depending heavily on one provider.

Why this answer

Concentration risk refers to over-reliance on a single vendor, which can lead to significant business impact if that vendor experiences a failure.

29
MCQ · medium

A covered entity under HIPAA is planning to migrate electronic protected health information (ePHI) to a public cloud environment. Which of the following is a mandatory requirement before using the cloud service?

A. Encrypt all ePHI with keys managed solely by the covered entity
B. Conduct a physical on-site audit of the cloud provider's data centers
C. Obtain a signed Business Associate Agreement from the cloud provider
D. Ensure the cloud provider is certified under the Privacy Shield framework
Answer: C

A BAA is required to ensure the cloud provider agrees to safeguard ePHI.

Why this answer

HIPAA requires covered entities to obtain satisfactory assurances that PHI will be protected, typically through a Business Associate Agreement (BAA) with the cloud provider.

30
MCQ · easy

Under the General Data Protection Regulation (GDPR), if a cloud service provider (acting as a data processor) suffers a personal data breach, what is the provider's obligation regarding notification?

A. The processor must notify the data controller without undue delay upon becoming aware of the breach.
B. The processor must notify the supervisory authority within 72 hours.
C. The processor does not have any notification obligation under GDPR.
D. The processor must notify the affected data subjects directly within 72 hours.
Answer: A

This is correct per GDPR Article 33(2).

Why this answer

GDPR Article 33 requires the data processor to notify the data controller without undue delay after becoming aware of a breach. The controller then has 72 hours to notify the supervisory authority.

31
MCQ · hard

A company needs to export data from a cloud service in a machine-readable format to comply with a data subject's right to data portability under GDPR. Which format is most appropriate?

A. HTML
B. PDF
C. CSV (Comma-Separated Values)
D. JPEG
Answer: C

CSV is machine-readable and commonly used for data portability.

Why this answer

GDPR requires data to be provided in a structured, commonly used, machine-readable format; CSV is widely accepted.

32
MCQ · medium

A company is evaluating the risk of using a single cloud provider for all critical workloads. Which risk is most directly associated with this scenario?

A. Inherent risk of shared infrastructure
B. Third-party risk
C. Concentration risk
D. Control effectiveness risk
Answer: C

Correct. Concentration risk is the risk of relying on a single provider.

Why this answer

Concentration risk refers to the over-reliance on a single provider, leading to high impact if that provider suffers an outage or data loss.

33
Multi-Select · easy

A company is adopting a multi-cloud strategy to reduce concentration risk. Which two benefits are directly associated with this approach? (Choose two.)

Select 2 answers
A. Reduced vendor lock-in
B. Increased resilience
C. Simplified compliance management
D. Unified security controls
E. Lower network latency
Answers: A, B

Multiple providers reduce dependency on one vendor.

Why this answer

Multi-cloud reduces dependency on a single provider (concentration risk) and allows flexibility to use best-of-breed services.

34
MCQ · easy

Which of the following best describes the purpose of the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program?

A. To offer a certification program for cloud security professionals
B. To define mandatory security requirements for all cloud services
C. To provide a legal framework for cloud contracts
D. To allow cloud providers to publicly document their security controls and achieve different levels of assurance
Answer: D

STAR includes self-assessment (Tier 1), third-party assessment (Tier 2), and continuous monitoring (Tier 3).

Why this answer

CSA STAR provides a framework for cloud providers to demonstrate their security posture through self-assessment or third-party assessments. It increases transparency and helps customers assess risk.

35
MCQ · medium

A company is subject to a legal hold order and uses a cloud storage service with object replication across multiple regions. Which cloud feature should the company use to prevent deletion or modification of relevant data?

A. Versioning of objects
B. Cross-region replication
C. Backup to another provider
D. Legal hold policies (e.g., S3 Object Lock)
Answer: D

Correct. Legal hold policies ensure data cannot be deleted or overwritten.

Why this answer

Legal hold features like S3 Object Lock (AWS) or Azure Immutable Blob prevent data from being deleted or modified during the hold period, even if replication exists.

36
MCQ · medium

A company subject to PCI DSS is considering a cloud provider to process credit card transactions. What must the cloud provider present to demonstrate compliance with PCI DSS?

A. A CSA STAR Level 1 self-assessment
B. A PCI DSS Attestation of Compliance (AOC) from a QSA
C. A SOC 2 Type II report
D. An ISO 27001 certificate
Answer: B

The AOC is the formal evidence of a PCI DSS assessment by a Qualified Security Assessor.

Why this answer

PCI DSS allows cloud providers to be assessed by a QSA; the resulting Attestation of Compliance (AOC) demonstrates compliance.

37
Multi-Select · medium

A financial services company is migrating its customer account management system to a public cloud provider. The company is subject to SOX compliance requirements for internal controls over financial reporting. Which TWO controls are essential for the cloud environment to meet SOX IT general control requirements? (Choose two.)

Select 2 answers
A. Enforcing role-based access control with least privilege
B. Establishing a formal change management process
C. Enabling detailed audit logging for all user and system activities
D. Implementing encryption for data at rest and in transit
E. Configuring automated backups with daily snapshots
Answers: B, C

Change management is a key ITGC required by SOX to ensure system changes are controlled and documented.

Why this answer

SOX requires IT general controls (ITGC) for systems that support financial reporting. Change management ensures that changes to the system are authorized and tested, and audit logs provide evidence of user activities and system events. While encryption and backup are important security measures, they are not specifically ITGC requirements under SOX.

38
MCQ · medium

A cloud provider's data center is located in Country A, but the customer's data is subject to litigation in Country B. The court in Country B orders the cloud provider to produce data. The cloud provider refuses, citing Country A's laws that prohibit disclosure. This situation best illustrates which challenge in eDiscovery?

A. Data portability
B. Jurisdiction issues
C. Data preservation
D. Forensic soundness
Answer: B

This demonstrates conflicting legal requirements across jurisdictions.

Why this answer

Jurisdictional issues arise when data is stored in multiple legal jurisdictions, and courts in one country may not have authority over data in another, leading to conflicts of law.

39
MCQ · medium

A cloud customer wants to ensure that when the contract ends, the cloud provider deletes all customer data, including from backups. Which contractual clause is essential?

A. Right to audit clause
B. Data deletion clause
C. Data portability clause
D. Service Level Agreement
Answer: B

This clause mandates the provider to delete all copies of customer data.

Why this answer

A data deletion clause should specify the obligation to delete customer data, including backups, upon termination.

40
MCQ · easy

Under the CSA STAR program, which tier involves a third-party assessment resulting in a certification based on ISO 27001?

A. Tier 4: Nonexistent
B. Tier 1: Self-assessment
C. Tier 3: Continuous monitoring
D. Tier 2: Third-party assessment
Answer: D

Tier 2 includes STAR Certification (ISO 27001 + cloud controls) and STAR Attestation (SOC 2).

Why this answer

CSA STAR Tier 2 includes STAR Certification, which builds on ISO 27001 certification and includes cloud-specific controls.

41
MCQ · hard

A cloud customer is considering adopting a multi-cloud strategy to avoid vendor lock-in. Which risk is this strategy primarily intended to mitigate?

A. Third-party risk from a specific provider
B. Concentration risk
C. Residual risk after controls
D. Inherent risk of data leaving premises
Answer: B

Multi-cloud spreads workloads across providers to avoid a single point of failure.

Why this answer

Multi-cloud reduces dependency on a single provider, thus mitigating concentration risk.

42
Multi-Select · medium

A company is drafting a cloud service contract and wants to ensure it can exit the provider without losing access to its data. Which TWO clauses are most important to include?

Select 2 answers
A. Data deletion clause requiring deletion of all data, including backups, after termination
B. Data portability clause specifying the right to export data in a standard format
C. Service Level Agreement (SLA) for availability
D. Non-disclosure agreement (NDA)
E. Right to audit clause
Answers: A, B

Ensures data is not retained after exit.

Why this answer

Data portability ensures the customer can export data in a usable format. Data deletion ensures the provider deletes all copies of customer data after termination. These clauses are critical for a clean exit.

43
MCQhard

Under GDPR, a cloud data controller must notify the supervisory authority of a personal data breach within what timeframe?

A.24 hours
B.72 hours
C.7 days
D.48 hours
AnswerB

72 hours is the correct timeframe under GDPR.

Why this answer

GDPR Article 33 requires notification within 72 hours of becoming aware of the breach.

44
MCQmedium

A cloud customer is concerned about the right to erasure under GDPR because the cloud provider replicates data across multiple regions and keeps backups. What technical challenge does this create for complying with an erasure request?

A.The data must be anonymized instead of deleted.
B.The customer must notify all other users who may have accessed the data.
C.The cloud provider may not be able to delete data from all replicas and backups within the required time frame.
D.The cloud provider must retain the data for audit purposes.
AnswerC

Replication and backups create multiple copies that must all be erased, which can be challenging.

Why this answer

Under GDPR, the right to erasure requires deletion of all copies of the data. In cloud environments, data may be replicated across regions and stored in backups with different retention periods, making it technically difficult to ensure complete deletion from all locations.

45
Multi-Selecthard

A global enterprise is conducting a cloud risk assessment. Which THREE factors should be considered? (Select three.)

Select 3 answers
A.Color of the provider's logo
B.Inherent risk of data leaving the on-premises environment
C.Provider's stock price
D.Concentration risk from using a single cloud provider
E.Effectiveness of provider controls as evidenced by audit reports
AnswersB, D, E

Correct. Moving data to the cloud introduces inherent risks.

Why this answer

Inherent risk relates to data leaving premises. Provider control effectiveness is assessed via audit reports. Concentration risk is the risk of over-reliance on a single provider.

46
MCQeasy

A company that must comply with SOX is migrating its financial systems to a cloud service. Which of the following IT general controls is most critical for SOX compliance in the cloud?

A.Multi-factor authentication
B.Data encryption at rest
C.Automated backup procedures
D.Change management controls
AnswerD

Change management is a fundamental IT general control for SOX to ensure integrity of financial systems.

Why this answer

SOX requires strong controls over financial data; change management ensures changes to systems are authorized and tested.

47
MCQhard

A multinational corporation uses multiple cloud service providers for its critical applications. The board is concerned about concentration risk. Which strategy would best address this risk?

A.Negotiating a longer contract with the primary cloud provider to ensure stability
B.Implementing a hybrid cloud model with on-premises infrastructure only
C.Adopting a multi-cloud strategy that distributes applications across multiple cloud providers
D.Requiring each business unit to use the same cloud provider for consistency
AnswerC

Multi-cloud reduces dependency on a single provider.

Why this answer

Concentration risk refers to over-reliance on a single provider. A multi-cloud strategy reduces this risk by distributing workloads across multiple providers, avoiding a single point of failure.

48
MCQhard

A financial institution subject to SOX is migrating its general ledger system to a SaaS provider. Which of the following IT general controls is most critical to ensure the integrity of financial data in the cloud?

A.Annual penetration testing of the SaaS provider's infrastructure
B.Change management procedures for the SaaS application
C.Daily backups of the financial database
D.Implementation of multi-factor authentication for all users
AnswerB

Change management is a key IT general control that directly impacts the reliability of financial data.

Why this answer

SOX requires controls over financial reporting. Change management ensures that modifications to the system are authorized, tested, and documented, which is critical for data integrity.

49
MCQhard

A covered entity under HIPAA is moving electronic protected health information (ePHI) to a public cloud. What is the primary requirement before the cloud provider hosts ePHI?

A.The cloud provider must be located within the United States
B.The cloud provider must sign a Business Associate Agreement (BAA)
C.The cloud provider must be certified under ISO 27001
D.The covered entity must obtain written authorization from each patient
AnswerB

A BAA is required to establish the cloud provider as a business associate and outline permitted uses of PHI.

Why this answer

HIPAA requires a Business Associate Agreement (BAA) between the covered entity and the cloud provider to ensure PHI is handled appropriately.

50
MCQeasy

Which CSA STAR tier involves a third-party assessment and results in a certification based on ISO 27001?

A.Tier 4: Auditing
B.Tier 3: Continuous monitoring
C.Tier 2: Third-party assessment
D.Tier 1: Self-assessment
AnswerC

Tier 2 includes STAR Certification (ISO 27001 + CCM) and STAR Attestation (SOC 2).

Why this answer

CSA STAR Tier 2 includes STAR Certification, which is based on ISO 27001 plus cloud-specific controls.

51
MCQhard

A financial institution is required to comply with the Sarbanes-Oxley Act (SOX) for its cloud-hosted financial applications. The cloud provider is responsible for the underlying infrastructure. Which of the following controls is most likely the responsibility of the financial institution as part of IT general controls (ITGC)?

A.Physical security of the data center housing the cloud servers
B.Logical access controls to the financial application, including user provisioning and segregation of duties
C.Network intrusion detection at the cloud perimeter
D.Patching of the hypervisor that hosts the virtual machines
AnswerB

The customer controls user access to the application and data, which is a key ITGC area.

Why this answer

SOX requires organizations to maintain ITGCs over systems that support financial reporting. Logical access controls (e.g., user provisioning, authentication) are typically the responsibility of the customer (the financial institution) because they manage who can access the application and data.

52
MCQeasy

A cloud customer is concerned about the risk of unauthorized access to data due to the shared infrastructure of a public cloud. What type of risk does this represent?

A.Control risk
B.Detection risk
C.Inherent risk
D.Residual risk
AnswerC

Inherent risk is the natural risk arising from the use of shared cloud infrastructure.

Why this answer

Inherent risk is the risk that exists before any controls are applied; shared infrastructure is a key inherent risk of cloud computing.

53
MCQmedium

A company is negotiating a cloud service agreement and wants to ensure it can verify the provider's security controls independently. Which contractual clause is essential for this purpose?

A.Data deletion clause
B.Right to audit clause
C.Service Level Agreement (SLA) on uptime
D.Data portability clause
AnswerB

This clause grants the customer the right to conduct audits or review third-party audit reports.

Why this answer

A right to audit clause gives the customer the contractual ability to assess the provider's controls, either through on-site audits or review of audit reports.

54
MCQhard

In a cloud environment, a data subject exercises their right to erasure under GDPR. The cloud provider has multiple replicas and backups. What is the primary technical challenge in fulfilling this request?

A.Transferring data to another controller
B.Ensuring deletion from backups and replicas within retention periods
C.Obtaining consent from other data subjects
D.Identifying the data subject's data across all systems
AnswerB

Correct. Backups are often immutable or have retention periods that prevent immediate deletion.

Why this answer

GDPR's right to erasure requires deletion of all copies, including from backups and replicas, which is technically complex due to retention policies and storage architecture.

55
Multi-Selectmedium

In the context of eDiscovery, a legal hold must be placed on data stored in a cloud environment. Which THREE actions should the cloud customer take to ensure the legal hold is effective?

Select 3 answers
A.Ensure the legal hold prevents both deletion and modification of the data.
B.Delete any non-relevant data to reduce storage costs.
C.Rely solely on the cloud provider's default backup retention policies.
D.Apply the legal hold to all copies of the data, including backups and replicas in different regions.
E.Notify the cloud provider of the legal hold and request technical enforcement such as object lock.
AnswersA, D, E

Modification can alter evidence; hold must prevent both.

Why this answer

A legal hold requires preserving all relevant data, including backups and replicas. It must also prevent modification, not just deletion. Communication with the provider ensures technical enforcement.

56
MCQmedium

A multinational corporation with its headquarters in the United States processes personal data of European Union data subjects using a cloud-based customer relationship management (CRM) system hosted in the United States. According to the General Data Protection Regulation (GDPR), which of the following is the company's primary obligation regarding the protection of that data?

A.The company must delete all personal data within 30 days of collection.
B.The company is not subject to GDPR because its headquarters and the cloud server are located outside the EU.
C.The company must appoint a representative in the EU and ensure that any data transfers outside the EU are covered by an adequacy decision, standard contractual clauses, or binding corporate rules.
D.The company must obtain explicit consent from each data subject before processing their data.
AnswerC

This is correct. GDPR requires a representative if the controller is not established in the EU, and transfers must have a legal mechanism.

Why this answer

GDPR applies to any organization processing personal data of EU data subjects, regardless of where the processing occurs. The company is a data controller and must comply with all GDPR requirements, including data subject rights and breach notification.

57
Multi-Selecthard

A cloud customer is selecting a cloud provider for hosting payment card data and must comply with PCI DSS. Which THREE of the following are valid considerations when assessing the provider's PCI DSS compliance?

Select 3 answers
A.The provider must have a Cloud Provider Responsibility Matrix
B.The provider must sign a Business Associate Agreement
C.The cloud provider can be assessed by a Qualified Security Assessor (QSA)
D.A shared responsibility matrix must define security controls for the CDE
E.The cloud provider must be a Level 1 service provider
AnswersA, C, D

This is required by PCI DSS for cloud environments.

Why this answer

PCI DSS allows cloud providers to be assessed by a QSA. Shared responsibility must be clearly defined. The provider may have a Responsibility Matrix as per Appendix A3.

58
Multi-Selectmedium

A company is negotiating a cloud contract and wants to ensure data ownership and deletion. Which TWO clauses should be included? (Select two.)

Select 2 answers
A.Right to audit clause
B.Non-disclosure agreement
C.Data ownership clause
D.Service level agreement
E.Data deletion clause
AnswersC, E

Correct. This clause confirms the customer retains ownership.

Why this answer

A data ownership clause clarifies that the customer owns the data. A data deletion clause ensures the provider deletes the data upon termination, including backups.

59
MCQeasy

A cloud customer receives a litigation hold notice requiring preservation of data stored in an object storage service. Which service feature should the customer use to ensure data cannot be modified or deleted until the hold is released?

A.Apply a retention policy using Object Lock
B.Set a lifecycle policy to transition to archival storage
C.Enable versioning on the bucket
D.Configure server-side encryption
AnswerA

Object Lock with retention periods prevents object deletion or modification.

Why this answer

Object lock features like S3 Object Lock enable a write-once-read-many (WORM) model to prevent deletion or modification, meeting legal hold requirements.

60
Multi-Selectmedium

According to GDPR, which THREE are data subject rights? (Select three.)

Select 3 answers
A.Right to transfer data to a third country
B.Right to object to processing for direct marketing
C.Right to access
D.Right to erasure
E.Right to portability
AnswersC, D, E

Correct. Article 15 provides the right of access.

Why this answer

The right to erasure, the right to portability, and the right to access are explicit rights under GDPR. The right to rectification is also a GDPR right, but it was not offered as an option here.

61
Multi-Selecthard

A multinational corporation is implementing a multi-cloud strategy to avoid concentration risk. The risk management team is evaluating the inherent risks of using multiple cloud providers. Which THREE risks are specifically associated with a multi-cloud strategy? (Choose three.)

Select 3 answers
A.Higher likelihood of vendor lock-in due to proprietary services
B.Expanded attack surface due to more entry points and APIs
C.Increased complexity in managing consistent security policies across providers
D.Greater difficulty in meeting data sovereignty requirements across jurisdictions
E.Need for specialized skills and expertise for each cloud platform
AnswersB, C, E

Each provider adds its own set of APIs and interfaces, increasing potential vulnerabilities.

Why this answer

Multi-cloud strategies introduce complexity in managing different security models, increase the attack surface, and require expertise across multiple platforms. Vendor lock-in is reduced, not increased, and data sovereignty issues are not inherently worse than single-cloud.

62
MCQmedium

A company is using a single cloud provider for all critical services. What is the primary risk this company faces?

A.Data sovereignty risk
B.Compliance risk
C.Insider threat risk
D.Concentration risk
AnswerD

Concentration risk is the risk of relying too heavily on one vendor.

Why this answer

Concentration risk (vendor lock-in) arises from over-reliance on one provider, leading to potential business disruption if the provider fails.

63
MCQmedium

A healthcare provider is planning to migrate its electronic health records (EHR) system to a public cloud infrastructure. The system will store protected health information (PHI). Under HIPAA, what must the healthcare provider obtain from the cloud service provider before beginning the migration?

A.A Business Associate Agreement (BAA) that outlines the permitted uses of PHI and the security safeguards in place
B.A signed letter of attestation that the cloud provider is HIPAA-compliant
C.A Data Processing Agreement (DPA) as defined under GDPR
D.A Service Organization Control (SOC) 2 Type II report
AnswerA

A BAA is mandatory for any business associate handling PHI.

Why this answer

HIPAA requires covered entities to have a Business Associate Agreement (BAA) with any business associate that creates, receives, maintains, or transmits PHI on their behalf. The cloud provider is a business associate.

64
MCQmedium

During an eDiscovery process, a company needs to preserve data stored in AWS S3 that may be relevant to a lawsuit. Which AWS feature should be used to implement a legal hold?

A.AWS CloudTrail
B.S3 Object Lock
C.S3 Versioning
D.AWS Config
AnswerB

S3 Object Lock enforces a retention policy that can serve as a legal hold.

Why this answer

S3 Object Lock prevents object deletion or modification for a specified period, meeting legal hold requirements.
