CCNA Legal Risk Compliance Questions

18 of 93 questions · Page 2/2 · Legal Risk Compliance topic · Answers revealed

76
MCQ · medium

A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?

A. Accept the data loss and explain to regulators that the provider has a limited retention policy.
B. Export all available logs and store them locally immediately.
C. Request that the provider place a legal hold on all logs and verify implementation.
D. Rely on the provider's backup policy, which may retain data for up to 24 months.
Answer: C

A legal hold overrides retention policies and ensures preservation; verification confirms compliance.

Why this answer

Option C is correct because a legal hold (or litigation hold) is a cloud provider feature that overrides the default retention policy to preserve data indefinitely or for a specified period, preventing automated deletion. This ensures compliance with regulatory requirements without relying on manual exports or backups, and the company must verify implementation through provider tools or APIs to confirm the hold is active.

Exam trap

ISC2 often tests the misconception that exporting logs locally is sufficient for compliance, but the trap is that this fails to preserve logs already deleted and does not meet the requirement for ongoing preservation, whereas a legal hold is the designed mechanism for regulatory holds.

How to eliminate wrong answers

Option A is wrong because accepting data loss and explaining to regulators is not a valid compliance action; regulations typically require preservation, and ignorance of retention limits is not an acceptable excuse. Option B is wrong because exporting all available logs immediately would only capture logs up to the current point, missing logs already deleted beyond 12 months, and does not address ongoing preservation for future regulatory needs. Option D is wrong because relying on the provider's backup policy is speculative and not guaranteed; backups may have shorter retention or be subject to the same deletion policies, and they are not designed for legal compliance holds.

77
MCQ · easy

A company is moving its customer database to a public cloud provider. The database contains personally identifiable information (PII) of European Union citizens. Which legal framework imposes requirements on the cloud customer regarding data protection and privacy in this scenario?

A. Sarbanes-Oxley Act (SOX)
B. General Data Protection Regulation (GDPR)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry Data Security Standard (PCI DSS)
Answer: B

GDPR governs processing of personal data of EU individuals.

Why this answer

The General Data Protection Regulation (GDPR) is the correct legal framework because it specifically governs the processing of personally identifiable information (PII) of European Union citizens, regardless of where the data is stored or processed. As the cloud customer is moving a customer database containing EU PII to a public cloud provider, GDPR imposes strict requirements on the data controller (the customer) for data protection, consent, breach notification, and cross-border data transfer safeguards.

Exam trap

ISC2 often tests the misconception that any data privacy law applies globally, but the trap here is that candidates may choose HIPAA or PCI DSS because they are familiar with data protection, failing to recognize that GDPR is the only framework specifically designed for EU citizen PII regardless of industry.

How to eliminate wrong answers

Option A is wrong because the Sarbanes-Oxley Act (SOX) applies to financial reporting and internal controls for publicly traded companies in the U.S., not to general PII of EU citizens. Option C is wrong because the Health Insurance Portability and Accountability Act (HIPAA) applies only to protected health information (PHI) held by covered entities in the U.S., not to a general customer database containing EU PII. Option D is wrong because the Payment Card Industry Data Security Standard (PCI DSS) applies to cardholder data and payment card transactions, not to general PII or EU citizen data.

78
MCQ · medium

A company's cloud infrastructure is subject to GDPR. The DPO requires that all customer personal data be encrypted at rest and in transit. The cloud provider offers SSE-S3 for object storage and enforces TLS 1.2 for API calls. Which additional control should the company implement to meet GDPR accountability requirements?

A. Implement client-side encryption with a key management service.
B. Enable detailed logging of all access to encrypted data.
C. Automatically delete backups older than 30 days.
D. Apply data masking to all personal data fields before storage.
Answer: B

Logging provides an audit trail to demonstrate compliance with GDPR accountability.

Why this answer

While SSE-S3 and TLS 1.2 address encryption at rest and in transit, GDPR accountability requires the company to demonstrate compliance through audit trails. Enabling detailed logging of all access to encrypted data (Option B) provides the necessary records to prove who accessed personal data, when, and from where, fulfilling the 'demonstrate compliance' principle under Article 5(2) and Article 30 of the GDPR.

Exam trap

The trap here is that candidates confuse encryption controls (Options A and D) or data lifecycle policies (Option C) with accountability, which is a governance and audit requirement, not a technical data protection measure.

How to eliminate wrong answers

Option A is wrong because client-side encryption with a KMS is an additional encryption measure, but encryption is already satisfied by SSE-S3 and TLS 1.2; the gap is accountability, not encryption strength. Option C is wrong because automatically deleting backups older than 30 days is a data retention policy that may violate GDPR's storage limitation principle if not justified, and it does not address the accountability requirement for access logging. Option D is wrong because data masking before storage is a data minimization technique, but it does not create an audit trail; the DPO's requirement is specifically about accountability, not about reducing the sensitivity of stored data.

79
MCQ · hard

A healthcare company uses a cloud-based patient management system. The cloud provider experiences a security incident that may have exposed protected health information (PHI). The provider notifies the company within 72 hours, as required by the service agreement. The company's internal breach response policy requires a legal review of the incident before notifying affected individuals. The legal review typically takes 48 hours. However, the company is required to notify patients within 60 days under HIPAA. With the 72-hour notification from the provider, the company has 60 days to notify patients. What is the most effective approach to meet the 60-day notification requirement while ensuring compliance with internal policy?

A. Notify patients immediately and then perform the legal review.
B. Wait for the legal review to complete before notifying patients.
C. Notify patients immediately based on the provider's notification.
D. Begin the legal review immediately and prepare patient notification in parallel.
Answer: D

Parallel processing allows timely notification while ensuring legal input is incorporated.

Why this answer

Option D is correct because it allows the company to satisfy both the HIPAA 60-day notification requirement and its internal legal review policy by running the legal review and patient notification preparation concurrently. This parallel approach minimizes delay while ensuring that the notification content is legally vetted before release, which is critical for PHI incidents under HIPAA's Breach Notification Rule (45 CFR § 164.404).

Exam trap

ISC2 often tests the misconception that you must choose between compliance and internal policy, when in fact parallel processing of legal review and notification preparation is the correct approach to meet both requirements without violating the 60-day HIPAA deadline.

How to eliminate wrong answers

Option A is wrong because notifying patients immediately without legal review could expose the company to legal liability if the notification contains inaccurate or incomplete information, and it violates the internal policy requiring a legal review first. Option B is wrong because waiting for the legal review to complete before starting notification preparation could consume the entire 60-day window, risking non-compliance with HIPAA's 60-day deadline if the review takes longer than expected. Option C is wrong because notifying patients immediately based solely on the provider's notification bypasses the required legal review and may lead to premature disclosure of unverified PHI details, which could increase legal risk.

80
MCQ · medium

A company is migrating to the cloud and must comply with the Health Insurance Portability and Accountability Act (HIPAA). They plan to store electronic protected health information (ePHI) in a cloud database. Which of the following is a mandatory requirement for the cloud service agreement?

A. The CSP must store data in a specific geographic location.
B. The CSP must perform quarterly penetration tests.
C. The CSP must encrypt all data at rest using AES-256.
D. The CSP must sign a Business Associate Agreement (BAA).
Answer: D

A BAA is required to ensure the CSP safeguards ePHI.

Why this answer

Under HIPAA, a covered entity or business associate must have a written Business Associate Agreement (BAA) with any cloud service provider (CSP) that creates, receives, maintains, or transmits electronic protected health information (ePHI) on their behalf. The BAA is a mandatory contractual requirement that establishes the CSP's permitted uses and disclosures of ePHI, as well as its obligations to safeguard the data. Without a signed BAA, the CSP cannot lawfully handle ePHI, making this the only option that is a direct regulatory mandate under HIPAA.

Exam trap

ISC2 often tests the distinction between mandatory (required) and addressable (optional but must be documented if not implemented) specifications under HIPAA, leading candidates to incorrectly select encryption or testing frequency as mandatory requirements.

How to eliminate wrong answers

Option A is wrong because HIPAA does not mandate a specific geographic storage location; data residency requirements may arise from other regulations or organizational policy, but they are not a HIPAA requirement. Option B is wrong because HIPAA does not prescribe a specific frequency for penetration tests; the Security Rule requires periodic assessments of security measures, but quarterly testing is not a mandatory requirement. Option C is wrong because while encryption of ePHI at rest is an addressable implementation specification under the HIPAA Security Rule, AES-256 is not explicitly mandated; the rule allows for equivalent alternatives that meet the standard of protecting data.

81
Multi-Select · medium

Which THREE of the following are key components of a data protection impact assessment (DPIA) under GDPR?

Select 3 answers
A. List of all data subjects' names
B. Copy of the encryption algorithm
C. Measures to address risks
D. Description of processing operations
E. Assessment of necessity and proportionality
Answers: C, D, E

Correct. The DPIA must describe measures to mitigate identified risks.

Why this answer

Option C is correct because Article 35 of the GDPR explicitly requires a DPIA to include 'measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.' This is a core component that demonstrates how the controller will mitigate identified privacy risks to an acceptable level.

Exam trap

ISC2 often tests the misconception that a DPIA is a technical audit checklist requiring detailed cryptographic or personal data inventories, when in fact it is a risk management document focused on necessity, proportionality, and risk mitigation measures.

82
MCQ · hard

During a cloud audit, the auditor finds that the CSP's data deletion process does not meet contractual requirements. The customer's data may still be recoverable after termination. What is the best next step for the customer?

A. Initiate a remediation plan with defined timelines
B. Immediately terminate the contract with the CSP
C. Report the CSP to the regulatory authority
D. Ignore the finding because it is a minor issue
Answer: A

Working with the CSP to correct the process is the appropriate first step.

Why this answer

Option A is correct because the customer should initiate a remediation plan with defined timelines to fix the deletion process. Option B is wrong because terminating the contract may not solve the data issue immediately. Option C is wrong because reporting to the regulator may be premature. Option D is wrong because ignoring the finding is not acceptable.

83
Multi-Select · medium

Which TWO of the following are key elements of a cloud service agreement (CSA) for legal compliance?

Select 2 answers
A. Audit rights
B. Encryption key management
C. Data portability tools
D. Service level agreements (SLA) uptime guarantee
E. Data processing terms (DPA)
Answers: A, E

Audit rights allow the customer to verify compliance and are often legally required.

Why this answer

Data processing terms (DPA) and audit rights are standard CSA elements addressing legal compliance. Encryption key management and portability are more about security and operations, but not always considered 'key legal compliance' elements.

84
Multi-Select · medium

Which THREE of the following are typical responsibilities of a cloud customer under the shared responsibility model?

Select 3 answers
A. Classifying data and managing data encryption.
B. Physical security of data centers.
C. Managing user identities and access permissions.
D. Patching the hypervisor.
E. Patching operating systems on virtual machines.
Answers: A, C, E

Data classification and encryption are customer responsibilities.

Why this answer

Option A is correct because under the shared responsibility model, the cloud customer is responsible for classifying their data and managing encryption (both at rest and in transit) using tools like AWS KMS, Azure Key Vault, or client-side encryption libraries. The provider secures the infrastructure, but the customer controls access to the data itself.

Exam trap

ISC2 often tests the misconception that customers are responsible for patching the hypervisor or physical security, when in fact those are always provider obligations under the shared responsibility model.

85
MCQ · hard

An organization wants to ensure that its CSP does not access customer data for any purpose other than providing the service. Which clause should be included?

A. Right to audit
B. Security incident response
C. Data use restriction
D. Non-disclosure agreement
Answer: C

This clause restricts the provider's use of data to specified purposes.

Why this answer

A data use restriction clause explicitly limits the provider's use of customer data to only what is necessary to provide the service. Non-disclosure agreements protect confidentiality but don't restrict use. Right to audit provides oversight, and security incident response addresses breach management.

86
MCQ · hard

An organization experiences a data breach in the cloud. The CSP claims they are not liable because the breach was due to customer misconfiguration. The customer disagrees. What document should be reviewed to determine liability?

A. The CSP's privacy policy
B. The SOC 2 Type II report from the CSP
C. The incident response plan
D. The shared responsibility matrix in the service contract
Answer: D

This matrix explicitly defines responsibilities for security controls.

Why this answer

The shared responsibility matrix (SRM) is the definitive contractual document that delineates which security controls are managed by the cloud service provider (CSP) and which are the customer's obligation. In a breach caused by misconfiguration, the SRM specifies whether the configuration of the affected resource (e.g., an S3 bucket ACL or a security group rule) falls under the customer's responsibility. Without reviewing the SRM, liability cannot be determined because the matrix explicitly maps each control layer (e.g., network, compute, data) to the responsible party.

Exam trap

ISC2 often tests the misconception that a SOC report or privacy policy defines liability, when in fact only the contractual shared responsibility matrix legally allocates responsibility for specific security controls.

How to eliminate wrong answers

Option A is wrong because a privacy policy describes how the CSP handles personal data (e.g., GDPR compliance), not the operational security responsibilities for configuration management. Option B is wrong because a SOC 2 Type II report provides an independent audit of the CSP's controls over a period of time, but it does not define contractual liability boundaries or assign responsibility for specific misconfigurations. Option C is wrong because an incident response plan outlines the steps to detect, contain, and recover from a breach, not the pre-defined allocation of liability between the CSP and the customer.

87
Multi-Select · medium

Which THREE of the following are commonly required when conducting a cloud vendor risk assessment?

Select 3 answers
A. Security certifications (e.g., ISO 27001)
B. Financial stability of the vendor
C. Vendor's incident response plan
D. Pricing compared to competitors
E. Marketing materials and brand reputation
Answers: A, B, C

Security certifications provide evidence of the vendor's security posture.

Why this answer

Financial stability, certifications, and incident response plans are standard vendor risk assessment items. Pricing comparison is procurement, not risk; marketing materials are irrelevant.

88
MCQ · easy

Refer to the exhibit. A cloud administrator discovers this Azure role assignment in the Finance resource group. The role definition ID corresponds to 'Storage Blob Data Contributor'. What is the immediate compliance concern?

A. The principal ID is not a human-readable name
B. The assignment is scoped to a storage account
C. The assignment has no expiration date
D. The assignment provides unconstrained access without any condition
Answer: D

Lack of conditions such as IP restrictions or MFA could lead to unauthorized access.

Why this answer

Option D is correct because the role assignment 'Storage Blob Data Contributor' grants full read, write, and delete permissions on blob data within the scope, without any Azure attribute-based access control (ABAC) conditions. This violates the principle of least privilege, as it allows unconstrained access to all blob containers and blobs in the storage account, which is a compliance concern under frameworks like SOC 2 or ISO 27001 that require fine-grained access controls.

Exam trap

The trap here is that candidates often overlook the absence of conditions (ABAC) and focus on superficial details like the principal ID format or scope, but the core compliance issue is the lack of constrained access, which is a direct violation of least privilege and data governance requirements.

How to eliminate wrong answers

Option A is wrong because the principal ID being a GUID rather than a human-readable name is a normal Azure behavior; the actual identity (user, group, or service principal) is resolved via Azure AD, and this does not inherently create a compliance issue. Option B is wrong because scoping the assignment to a storage account is actually a best practice—it limits the blast radius compared to a subscription or management group scope, so it is not a compliance concern. Option C is wrong because Azure role assignments do not have an expiration date by default; they are permanent until explicitly removed, and the absence of an expiration date is not a compliance violation unless a specific policy requires temporary access, which is not indicated here.

89
MCQ · medium

During a cloud migration, a company discovers that data stored in a specific region must remain there per contract. The cloud provider offers data replication across regions. What is the best practice to ensure compliance?

A. Use data residency controls provided by the cloud provider
B. Negotiate a new contract to allow replication
C. Disable all data replication features
D. Encrypt data before storing it
Answer: A

Technical controls enforce data location at the storage or service level.

Why this answer

Configuring data residency controls (like tagging and policies) ensures data stays within the required region. Disabling replication across regions is too restrictive and may affect availability; contract negotiation is less efficient than technical controls.

90
MCQ · hard

A company uses a cloud-based intrusion detection system (IDS) that generates logs containing IP addresses. The company is headquartered in a country with data localization laws. What is the primary compliance risk?

A. The logs may be tampered with in transit
B. The IDS logs consume too much storage
C. Log data containing personal data may be processed in a different jurisdiction
D. The IDS may miss certain attack patterns
Answer: C

Data localization laws restrict cross-border transfer of personal data.

Why this answer

Logs contain IP addresses (personal data under many laws) and may be transferred abroad if the IDS vendor processes logs in another jurisdiction, violating localization requirements. Encryption does not solve localization.

91
MCQ · medium

An organization stores customer data in a cloud that is subject to GDPR. The organization uses a cloud provider that does not allow audits of its data centers. What is the best way to satisfy GDPR audit requirements?

A. Minimize data stored to reduce risk
B. Request a contractual waiver for audit rights
C. Switch to a provider that allows on-site audits
D. Rely on the provider's SOC 2 Type II report
Answer: D

SOC 2 provides independent audit evidence.

Why this answer

GDPR requires adequate assurances from processors. If direct audits are not possible, the customer can rely on third-party certifications like SOC 2 Type II or ISO 27001, which provide independent assurance. Waivers and data minimization do not meet audit requirements.

92
Multi-Select · medium

Which TWO of the following are required for GDPR compliance when processing personal data in the cloud?

Select 2 answers
A. Appoint a Data Protection Officer (DPO) for all organizations
B. Store data only within the European Union
C. Use only ISO 27001 certified cloud service providers
D. Conduct a Data Protection Impact Assessment (DPIA) when processing is likely to result in high risk
E. Maintain a record of processing activities
Answers: D, E

GDPR requires DPIA for high-risk processing.

Why this answer

Options D and E are correct. A DPIA is required for high-risk processing, and records of processing activities are mandatory. Option A is wrong because a DPO is only required in certain cases. Option B is wrong because data can be stored outside the EU with adequate safeguards. Option C is wrong because CSP certification is not a legal requirement.

93
Multi-Select · hard

Which THREE of the following are key considerations when conducting a cloud risk assessment?

Select 3 answers
A. Reviewing legal and regulatory requirements applicable to the organization
B. Analyzing network latency between cloud regions
C. Identifying threats specific to cloud deployment models (IaaS, PaaS, SaaS)
D. Evaluating the CSP's physical security controls in detail
E. Assessing the impact of shared tenancy on data isolation
Answers: A, C, E

Compliance with laws is a key risk consideration.

Why this answer

Option A is correct because legal and regulatory requirements (e.g., GDPR, HIPAA, PCI DSS) directly dictate data residency, privacy controls, and breach notification obligations. A cloud risk assessment must map these requirements to the specific cloud deployment to identify compliance gaps and potential liabilities.

Exam trap

ISC2 often tests the distinction between operational metrics (like latency) and risk assessment inputs, tricking candidates into selecting performance-related options as risk factors.
