Cloud Sec - S1
| Question | Answer |
|---|---|
| A security architect wants to ensure the provider’s control set aligns with the organization’s compliance needs. Which CSA tool is explicitly recommended to evaluate provider controls? | CAIQ (Consensus Assessments Initiative Questionnaire) |
| A design uses many short-lived autoscaled instances running from a central golden image. Which security requirement is most important to maintain across images? | Ensure the golden image is patched, hardened, and versioned with image provenance and CI/CD gating |
| A cloud controller places VM images on hosts and connects their storage. Which component would you inspect to verify image provenance and integrity before deployment? | Image registry and its signed hashes / image signing pipeline (CI/CD) |
| In terms of shared responsibility, who is most likely responsible for implementing host-based firewall rules on VMs in an IaaS model? | Cloud customer |
| In a hybrid cloud design, which capability most directly enables on-premises workloads to “burst” into the public cloud? | Standardized or proprietary portability and federation technology |
| Which is the most accurate statement about RESTful cloud management APIs? | They typically run over HTTP/HTTPS and must be hardened like any public API (authentication, authorization, rate limits, logging). |
| Which of these is a primary disadvantage of using a pure SaaS solution from a security governance perspective? | Limited ability to negotiate many operational controls and visibility; responsibilities are largely with provider. |
| Which pattern is most useful to ensure least-privilege for management plane users? | Implement role-based access control (RBAC) with narrowly scoped roles and separation of duties, combined with MFA and audit logging |
| Which design choice best supports portability between different cloud providers? | Use of containerized workloads and infrastructure as code targeting standardized APIs where possible |
| A CSP documents that certain logs are not exportable due to internal format restrictions. Which governance control should a cloud customer prioritize? | Negotiate contract clauses or SLAs that ensure access to necessary audit artifacts or require export in usable formats (or choose a different provider) |
| Which approach most directly helps ensure cloud assets aren’t inadvertently left reachable after deployment? | Automate secure infrastructure provisioning and teardown (IaC with policy checks and drift detection) |
| Which is a key limitation when migrating a legacy on-premises application to a public PaaS? | Potential inability to access low-level configuration, OS tuning, or specific libraries the app requires |
| A cloud provider exposes RESTful APIs for control plane operations. Which of the following is the largest security implication? | Insecure management plane access |
| A cloud provider’s management plane exposes an API that returns unredacted metadata about tenants. Which control is most appropriate to request from the provider? | Granular access control to management APIs and strict separation of tenant metadata |
| A compliance auditor needs evidence that a provider performs logical separation between tenants. Which CSA resource is most likely to help the customer evaluate this? | Cloud Controls Matrix (CCM) and CAIQ responses from the provider |
| Which is the best justification for using API keys with limited scope and short TTLs for cloud control APIs? | Minimize blast radius and reduce long-lived credential risk in the management plane |
| Which risk is specifically introduced by exposing an orchestration API with insecure default RBAC and verbose metadata? | Increased chance of unauthorized configuration changes and information leakage that reveal resource topology and tenant relationships |
| A tenant worries about another tenant “noisy neighbor” impacting its performance. Which architectural property is primarily responsible for enabling isolation to mitigate this? | Resource pooling |
| If an attacker obtains valid credentials to the management plane, what is the most accurate worst-case impact? | Full remote access to the consumer’s deployed environment (potentially extensive control) |
| Which of the following best describes “lift and shift” migration risk relative to cloud-native design? | Can reduce security and resilience because cloud-specific controls and design patterns are not used |
| Which statement best distinguishes multitenancy from resource pooling (per CSA/NIST usage)? | Multitenancy is logical separation of tenants; resource pooling is physical aggregation of resources. |
| In the CSA logical model, “infostructure” refers to: | The data and information assets (databases, objects, files) hosted in the cloud |
| Which of the following is the weakest strategy to handle provider feature changes that might affect security posture? | Ignoring provider changelogs and assuming defaults remain secure |
| Which is the strongest technical control to reduce risk when using a public IaaS provider for sensitive workloads? | Implement encryption of data in transit and at rest with keys under customer control (where feasible) |
| A cloud user requires guaranteed data residency in a specific country. Which action best enforces that requirement? | Specify location constraints in contracts and select provider features that allow region/island locking |
| Which logical layer in the CSA logical model is primarily concerned with APIs and management plane functions? | Metastructure |
| Which scenario most clearly demonstrates a “metastructure” security failure? | An attacker leveraging stolen management API keys to reconfigure virtual networks and snapshot tenant disks |
| The cloud metastructure concept includes which of the following items? | Management and orchestration, APIs, and the management plane |
| Which architectural element is most responsible for mapping a VM image to a host and orchestrating its lifecycle? | Cloud controller / orchestration layer |
| A cloud offering advertises “broad network access” as a feature. Which test best verifies this claim from a security perspective? | Check whether resources are reachable over network interfaces and whether access control (network ACLs, security groups) and authentication are enforced appropriately |
| Which choice is not a typical benefit of using PaaS over IaaS? | Full control over hypervisor scheduling policies |
| Which control reduces risk of accidental data exposure when cloud resources are replicated across regions? | Encryption with keys restricted to specific regions and access policies that prevent key export |
| When comparing IaaS and SaaS, which statement about logging responsibility is correct? | In SaaS, the provider typically controls most application and infra logs; in IaaS the consumer must implement and manage application-level logging while the provider supplies underlying platform logs. |
| Which statement most accurately reflects the security implications of "measured service"? | Metering can provide forensic and billing evidence but must be protected since it reveals usage patterns and potential sensitive metadata. |
| Which one is a correct mapping: "Applistructure" primarily maps to which security domain? | Application security and application-level controls |
| Which deployment model gives the cloud consumer the most contractual leverage to negotiate custom SLAs? | Hosted private cloud |
| Which best practice reduces risk when using provider-managed PaaS databases? | Enforce least privilege access, strong authentication, and client-side encryption for sensitive fields if provider can't guarantee key control |
| In a PaaS offering, which consumer responsibility is still typically required? | Secure development of application code and configuration management |
| Which of these is the best description of “orchestration” in cloud architecture? | Automated coordination and management of provisioned resources and services to deliver higher-level capabilities |
| Which cloud property most enables rapid elasticity? | Orchestration + abstraction of pooled resources (automation) |
| Which characteristic from the NIST definition most directly enables a provider to bill customers for exact consumption? | Measured service |
| A provider offers a “dedicated host” option (single-tenant hardware). Which motivation is least likely? | Maximizing benefits from resource pooling for lower cost |
| Which cloud architectural pattern improves resilience against failure in a single availability zone? | Multi-AZ (availability zone) deployment with automated failover |
| When an organization uses a Database-as-a-Service (DBaaS) and is responsible for accounts and schema design while the vendor provides patching, which NIST service model best describes this? | PaaS |
| Which design decision most improves the ability to respond if a cloud provider becomes unavailable? | Architect for portability: use standard formats, exportable data, and plan for failover/multi-provider options where feasible |
| Which cloud service model typically places the most security responsibility on the consumer? | IaaS |
| When designing an IaaS tenant network, which approach most effectively reduces the management plane attack surface? | Implement strong MFA, least privilege roles, IP restrictions and central logging for management plane access |
| Which statement about virtual networks (SDN) in cloud is true? | SDNs abstract network control via software and APIs, enabling overlays and programmable network isolation. |
| Which of these is not one of the NIST five essential characteristics? | Decentralized access control |
| F2 | F2 |
| In risk assessment, “residual risk” refers to: | Risk remaining after existing controls are applied |
| Why might a public cloud’s multitenancy reduce governance flexibility? | Shared infrastructure requires uniform processes, limiting per-customer customization |
| The primary purpose of periodic provider reassessments is to: | Confirm ongoing alignment of provider controls with contractual and regulatory requirements |
| Which governance element ensures contractual clauses remain effective as laws evolve? | Periodic legal review and contract update process |
| Which governance practice mitigates risk of provider feature changes that affect compliance? | Contract clauses mandating change notification and customer impact review |
| How does the shared responsibility model affect ERM? | Divides control implementation between provider and consumer but does not transfer overall accountability from the consumer |
| What type of audit evidence gives the highest assurance for governance validation? | Independent third-party attestations scoped to the relevant services |
| When using cyber-insurance as a risk transfer mechanism, CSA v4.0 warns that: | It may cover only financial losses and exclude intangible impacts like reputation damage |
| Which principle best summarizes why governance cannot be outsourced when using a cloud provider? | Governance is an internal accountability function that cannot be transferred by contract |
| Which deployment model typically allows full customization of governance controls but at higher cost? | Hosted private cloud |
| Which activity most directly supports continuous risk management after initial assessment? | Scheduled reassessments and automated control monitoring |
| In CSA v4.0, supplier (provider) assessments rely most on which three inputs? | Self-attestations, third-party audit reports, and contractual commitments |
| Which of the following directly demonstrates alignment between governance and compliance functions? | Mapping organizational controls to external standards (e.g., CCM ↔ ISO 27001) and integrating results into risk reporting |
| What is the effect of moving from SaaS to IaaS in the service model continuum on risk management responsibilities? | Customer assumes more operational and security risk |
| Why might smaller SaaS providers pose additional governance risk? | They may lack mature compliance programs or resources for independent audits |
| In ERM, what determines whether a particular cloud risk is acceptable? | The organization’s risk tolerance and asset criticality |
| Which of the following is an example of a “governance gap” mitigation measure? | Customer implements additional monitoring and reporting to compensate for absent contractual oversight |
| Which governance gap is created if a concern is not covered in the contract? | Enforcement gap—no mechanism exists to compel compliance |
| What is the most significant governance issue unique to community clouds? | Coordinating and enforcing agreements among multiple member organizations |
| In cloud governance, what role do internal audit functions play? | Provide independent assurance that governance processes and controls are operating as intended |
| What governance consideration distinguishes a hosted private cloud from a self-hosted private cloud? | Hosted private clouds still require contractual governance with the vendor |
| If a cloud customer cannot negotiate custom SLAs with a public CSP, which governance mechanism should be emphasized instead? | Continuous monitoring and risk acceptance procedures |
| Which statement best describes the role of the CSA STAR Registry in governance? | It lists provider assurance documentation based on CCM and CAIQ mappings |
| Which governance challenge arises from rapid provider innovation? | Contractual clauses and audits may lag behind new services, creating unmanaged risk |
| Which ISO standard defines general principles and guidelines for risk management? | ISO 31000:2009 |
| A provider in one jurisdiction is subpoenaed for data belonging to a customer in another. What is this scenario called? | Cross-border discovery |
| Which regulation compels Chinese organizations to store personal data of local citizens within China? | 2017 Cybersecurity Law |
| Which law introduced GDPR’s global reach principle, applying to organizations processing EU residents’ data regardless of location? | General Data Protection Regulation (EU) 2016/679 |
| Which legal framework was replaced by the EU–U.S. Privacy Shield invalidation in 2020? | Safe Harbor |
| Which of the following would not typically be a key contractual component of a cloud service agreement? | Source code compilation flags |
| Which of the following clauses is essential in a cloud service agreement for legal accountability? | Indemnification and liability limitation |
| Which factor most determines which country’s laws apply in a cross-border cloud arrangement? | Jurisdiction and choice-of-law clause in the contract |
| Which is not a common legal issue described by CSA Domain 3? | API rate limiting |
| What is a Hold Notice in e-discovery? | Instruction to suspend normal data deletion processes to preserve potential evidence |
| Why should a CSP maintain an audit trail of data access for legal compliance? | To demonstrate accountability and support investigations or e-discovery |
| What is the primary purpose of indemnification in a cloud contract? | To allocate financial responsibility if one party’s actions cause losses or legal claims |
| When a CSP claims “we comply with GDPR,” what must a cloud customer verify legally? | That compliance applies to the specific services and data-processing activities in scope |
| What is the best practice before signing a cloud service contract from a legal standpoint? | Comprehensive legal review of governing law, jurisdiction, liability, data protection, and audit clauses |
| Which of the following best mitigates exposure under data breach notification laws? | Encryption of personal data rendering it unreadable to unauthorized parties |
| In China’s 2017 Cybersecurity Law, which entity must comply with stricter rules for data handling and cross-border transfers? | Network operators and critical information infrastructure operators |
| In cloud contracts, a “Force Majeure” clause covers: | Uncontrollable external events (natural disasters, wars) excusing performance obligations |
| What is a critical legal risk when cloud data is stored across multiple jurisdictions? | Conflicting or overlapping data protection obligations from different laws |
| Which principle requires that data collected for one purpose not be used for incompatible purposes? | Purpose limitation |
| Which jurisdiction introduced the concept of Personal Information Protection Law (PIPL) similar to GDPR? | China |
| Why is contract negotiation typically more constrained with large public SaaS providers? | Multitenancy requires standardized terms that can’t easily be customized per customer |
| What is the most important contractual mechanism to ensure evidence access during legal disputes? | Defined audit and e-discovery support clauses in the SLA |
| Which of the following best defines regulatory arbitrage in cloud computing? | Selecting jurisdictions to minimize or avoid compliance obligations |
| Which U.S. regulation obliges healthcare cloud providers to sign Business Associate Agreements (BAAs)? | HIPAA |
| Under GDPR, what legal concept requires that personal data be processed only for specified, legitimate purposes? | Purpose limitation principle |
| What must an organization do when served with an e-discovery request involving data stored in the cloud? | Coordinate with provider to preserve, collect, and produce responsive data without violating privacy or jurisdictional laws |
| Why is it important to consider provider financial stability during supplier assessment? | To ensure provider longevity and reduce risk of sudden service disruption or data loss |
| Which governance risk is unique to hybrid environments? | Inconsistent control enforcement across connected clouds and data centers |
| In enterprise risk management (ERM), who retains ultimate ownership of risk? | Cloud customer’s executive leadership |
| Why is transitive trust a key consideration when relying on third-party audits? | It determines whether the auditor’s credibility and scope are sufficient to substitute for direct assessment |
| Which governance principle aligns with COBIT 5? | Distinguish governance (set direction) from management (execute) |
| According to CSA v4.0, the contract between provider and customer is primarily used to: | Extend governance mechanisms and allocate responsibilities |
| Which metric best indicates effective governance of a CSP relationship? | Timely completion of reassessments and remediation of control gaps |
| Which standard provides governance guidance for information security? | ISO/IEC 27014 |
| Which governance document should specify how the private-cloud vendor keeps its platform up to date? | Contract clause or SLA requiring version updates within a defined period after release |
| Which risk-treatment option involves ceasing an activity entirely? | Avoid |
| Which document identifies what portion of risk management each party assumes in a cloud relationship? | Contract and SLA with shared responsibility matrix |
| Which term best describes risk remaining after control implementation but before insurance coverage? | Residual risk |
| What is the most direct method to align risk decisions with business strategy? | Include risk criteria in enterprise governance frameworks and steering committees |
| Which contract clause can obligate a CSP to provide evidence of third-party audits? | Audit rights clause |
| Which scenario most clearly represents a legal jurisdiction conflict? | Data stored in country A is demanded by court order from country B with conflicting privacy laws |
| What is the principal obligation of a data controller under most international privacy laws when using a cloud provider? | To ensure adequate technical and organizational measures are taken to protect personal data |
| What does the “Standard of Care” concept in legal frameworks refer to? | The level of diligence and security measures a reasonable organization should apply |
| Why does the CSA recommend seeking legal counsel in every jurisdiction involved in cloud operations? | Because laws and regulations governing data protection vary and may apply concurrently based on multiple factors (location, contract, subject, etc.) |
| Which international organization first articulated the “Fair Information Principles” forming the basis of many privacy laws? | OECD (Organisation for Economic Co-operation and Development) |
| Which legislation introduced mandatory data breach notification in Australia in 2017? | Privacy Amendment (Notifiable Data Breaches) to the Privacy Act 1988 |
| In a cloud contract, a limitation of liability clause typically: | Caps the amount of damages either party can claim |
| What document should specify provider obligations for security breach notifications? | The Service Agreement or Data Processing Addendum (DPA) |
| Under the GDPR, what must organizations demonstrate to prove compliance (“accountability”)? | That they have implemented appropriate technical and organizational measures and can evidence them |
| When a CSP subcontracts a data processing function to another vendor, what must the original data controller ensure? | That the subcontractor provides equivalent data protection measures and is contractually bound to them |
| In legal discovery, what is “spoliation”? | Unauthorized alteration or destruction of evidence |
| Why is ERM broader than information security? | It includes non-technical risks such as financial, legal, and operational |
| Which action ensures continuity of governance when using multiple CSPs? | Establish a unified cloud-governance framework with consistent policies and control baselines |
| What is the main contractual challenge when governing a multitenant public cloud? | Each tenant can demand unique operational controls, but standardization limits customization |
| What is the primary governance tool to extend organizational control over an external CSP? | Service contract and SLA clauses |
| Which risk management phase follows “identify control gaps” in CSA’s simple process model? | Design and implement controls to fill the gaps |
| Which factor most influences whether risk management activities can be automated? | Availability of structured provider APIs and compliance reports |
| When a CSP refuses audit access due to multitenancy concerns, what is the usual legal compromise? | Third-party independent audit reports shared under NDA |
| What is the main difference between data controller and data processor roles under privacy law? | The controller determines purposes and means of processing, while the processor acts on behalf of the controller |
| F2 | F2 |
| In risk assessment, “residual risk” refers to: | Risk remaining after existing controls are applied |
| Why might a public cloud’s multitenancy reduce governance flexibility? | Shared infrastructure requires uniform processes, limiting per-customer customization |
| The primary purpose of periodic provider reassessments is to: | Confirm ongoing alignment of provider controls with contractual and regulatory requirements |
| Which governance element ensures contractual clauses remain effective as laws evolve? | Periodic legal review and contract update process |
| Which governance practice mitigates risk of provider feature changes that affect compliance? | Contract clauses mandating change notification and customer impact review |
| How does the shared responsibility model affect ERM? | Divides control implementation between provider and consumer but does not transfer overall accountability from the consumer |
| What type of audit evidence gives the highest assurance for governance validation? | Independent third-party attestations scoped to the relevant services |
| When using cyber-insurance as a risk transfer mechanism, CSA v4.0 warns that: | It may cover only financial losses and exclude intangible impacts like reputation damage |
| Which principle best summarizes why governance cannot be outsourced when using a cloud provider? | Governance is an internal accountability function that cannot be transferred by contract |
| Which deployment model typically allows full customization of governance controls but at higher cost? | Hosted private cloud |
| Which activity most directly supports continuous risk management after initial assessment? | Scheduled reassessments and automated control monitoring |
| In CSA v4.0, supplier (provider) assessments rely most on which three inputs? | Self-attestations, third-party audit reports, and contractual commitments |
| Which of the following directly demonstrates alignment between governance and compliance functions? | Mapping organizational controls to external standards (e.g., CCM ↔ ISO 27001) and integrating results into risk reporting |
| What is the effect of moving from SaaS to IaaS in the service model continuum on risk management responsibilities? | Customer assumes more operational and security risk |
| Why might smaller SaaS providers pose additional governance risk? | They may lack mature compliance programs or resources for independent audits |
| In ERM, what determines whether a particular cloud risk is acceptable? | The organization’s risk tolerance and asset criticality |
| Which of the following is an example of a “governance gap” mitigation measure? | Customer implements additional monitoring and reporting to compensate for absent contractual oversight |
| Which governance gap is created if a concern is not covered in the contract? | Enforcement gap—no mechanism exists to compel compliance |
| What is the most significant governance issue unique to community clouds? | Coordinating and enforcing agreements among multiple member organizations |
| In cloud governance, what role do internal audit functions play? | Provide independent assurance that governance processes and controls are operating as intended |
| What governance consideration distinguishes a hosted private cloud from a self-hosted private cloud? | Hosted private clouds still require contractual governance with the vendor |
| If a cloud customer cannot negotiate custom SLAs with a public CSP, which governance mechanism should be emphasized instead? | Continuous monitoring and risk acceptance procedures |
| Wic statement best describes the role of the CSA STAR Registry in governance? | It lists provider assurance documentation based on CCM and CAIQ mappings |
| Which governance challenge arises from rapid provider innovation? | Contractual clauses and audits may lag behind new services, creating unmanaged risk |
| Which ISO standard defines general principles and guidelines for risk management? | ISO 31000:2009 |
| A provider in one jurisdiction is subpoenaed for data belonging to a customer in another. What is this scenario called? | Cross-border discovery |
| Which regulation compels Chinese organizations to store personal data of local citizens within China? | 2017 Cybersecurity Law |
| Which law introduced GDPR’s global reach principle, applying to organizations processing EU residents’ data regardless of location? | General Data Protection Regulation (EU) 2016/679 |
| Which legal framework was replaced by the EU–U.S. Privacy Shield invalidation in 2020? | Safe Harbor |
| Which of the following would not typically be a key contractual component of a cloud service agreement? | Source code compilation flags |
| Which of the following clauses is essential in a cloud service agreement for legal accountability? | Indemnification and liability limitation |
| Which factor most determines which country’s laws apply in a cross-border cloud arrangement? | Jurisdiction and choice-of-law clause in the contract |
| Which is not a common legal issue described by CSA Domain 3? | API rate limiting |
| What is a Hold Notice in e-discovery? | Instruction to suspend normal data deletion processes to preserve potential evidence |
| Why should a CSP maintain an audit trail of data access for legal compliance? | To prevent billing errors |
| What is the primary purpose of indemnification in a cloud contract? | To allocate financial responsibility if one party’s actions cause losses or legal claims |
| When a CSP claims “we comply with GDPR,” what must a cloud customer verify legally? | That compliance applies to the specific services and data-processing activities in scope |
| What is the best practice before signing a cloud service contract from a legal standpoint? | Comprehensive legal review of governing law, jurisdiction, liability, data protection, and audit clauses |
| Which of the following best mitigates exposure under data breach notification laws? | Encryption of personal data rendering it unreadable to unauthorized parties |
| In China’s 2017 Cybersecurity Law, which entity must comply with stricter rules for data handling and cross-border transfers? | Network operators and critical information infrastructure operators |
| In cloud contracts, a “Force Majeure” clause covers: | Uncontrollable external events (natural disasters, wars) excusing performance obligations |
| What is a critical legal risk when cloud data is stored across multiple jurisdictions? | Conflicting or overlapping data protection obligations from different laws |
| Which principle requires that data collected for one purpose not be used for incompatible purposes? | Purpose limitation |
| Which jurisdiction introduced the concept of Personal Information Protection Law (PIPL) similar to GDPR? | China |
| Why is contract negotiation typically more constrained with large public SaaS providers? | Multitenancy requires standardized terms that can’t easily be customized per customer |
| What is the most important contractual mechanism to ensure evidence access during legal disputes? | Defined audit and e-discovery support clauses in the SLA |
| Which of the following best defines regulatory arbitrage in cloud computing? | Selecting jurisdictions to minimize or avoid compliance obligations |
| Which U.S. regulation obliges healthcare cloud providers to sign Business Associate Agreements (BAAs)? | HIPAA |
| Under GDPR, what legal concept requires that personal data be processed only for specified, legitimate purposes? | Purpose limitation principle |
| What must an organization do when served with an e-discovery request involving data stored in the cloud? | Coordinate with provider to preserve, collect, and produce responsive data without violating privacy or jurisdictional laws |
| Why is it important to consider provider financial stability during supplier assessment? | To ensure provider longevity and reduce risk of sudden service disruption or data loss |
| Which governance risk is unique to hybrid environments? | Inconsistent control enforcement across connected clouds and data centers |
| In enterprise risk management (ERM), who retains ultimate ownership of risk? | Cloud customer’s executive leadership |
| Why is transitive trust a key consideration when relying on third-party audits? | It determines whether the auditor’s credibility and scope are sufficient to substitute for direct assessment |
| Which governance principle aligns with COBIT 5? | Distinguish governance (set direction) from management (execute) |
| According to CSA v4.0, the contract between provider and customer is primarily used to: | Extend governance mechanisms and allocate responsibilities |
| Which metric best indicates effective governance of a CSP relationship? | Timely completion of reassessments and remediation of control gaps |
| Which standard provides governance guidance for information security? | ISO/IEC 27014 |
| Which governance document should specify how the private-cloud vendor keeps its platform up to date? | Contract clause or SLA requiring version updates within a defined period after release |
| Which risk-treatment option involves ceasing an activity entirely? | Avoid |
| Which document identifies what portion of risk management each party assumes in a cloud relationship? | Contract and SLA with shared responsibility matrix |
| Which term best describes risk remaining after control implementation but before insurance coverage? | Residual risk |
| What is the most direct method to align risk decisions with business strategy? | Include risk criteria in enterprise governance frameworks and steering committees |
| Which contract clause can obligate a CSP to provide evidence of third-party audits? | Audit rights clause |
| Which scenario most clearly represents a legal jurisdiction conflict? | Data stored in country A is demanded by court order from country B with conflicting privacy laws |
| What is the principal obligation of a data controller under most international privacy laws when using a cloud provider? | To ensure adequate technical and organizational measures are taken to protect personal data |
| What does the “Standard of Care” concept in legal frameworks refer to? | The level of diligence and security measures a reasonable organization should apply |
| Why does the CSA recommend seeking legal counsel in every jurisdiction involved in cloud operations? | Because laws and regulations governing data protection vary and may apply concurrently based on multiple factors (location, contract, subject, etc.) |
| Which international organization first articulated the “Fair Information Principles” forming the basis of many privacy laws? | OECD (Organisation for Economic Co-operation and Development) |
| Which legislation introduced mandatory data breach notification in Australia in 2017? | Privacy Amendment (Notifiable Data Breaches) to the Privacy Act 1988 |
| In a cloud contract, a limitation of liability clause typically: | Caps the amount of damages either party can claim |
| What document should specify provider obligations for security breach notifications? | The Service Agreement or Data Processing Addendum (DPA) |
| Under the GDPR, what must organizations demonstrate to prove compliance (“accountability”)? | That they have implemented appropriate technical and organizational measures and can evidence them |
| When a CSP subcontracts a data processing function to another vendor, what must the original data controller ensure? | That the subcontractor provides equivalent data protection measures and is contractually bound to them |
| In legal discovery, what is “spoliation”? | Unauthorized alteration or destruction of evidence |
| Why is ERM broader than information security? | It includes non-technical risks such as financial, legal, and operational |
| Which action ensures continuity of governance when using multiple CSPs? | Establish a unified cloud-governance framework with consistent policies and control baselines |
| What is the main contractual challenge when governing a multitenant public cloud? | Each tenant can demand unique operational controls, but standardization limits customization |
| What is the primary governance tool to extend organizational control over an external CSP? | Service contract and SLA clauses |
| Which risk management phase follows “identify control gaps” in CSA’s simple process model? | Design and implement controls to fill the gaps |
| Which factor most influences whether risk management activities can be automated? | Availability of structured provider APIs and compliance reports |
| When a CSP refuses audit access due to multitenancy concerns, what is the usual legal compromise? | Third-party independent audit reports shared under NDA |
| What is the main difference between data controller and data processor roles under privacy law? | The controller determines purposes and means of processing, while the processor acts on behalf of the controller |
| In the EU’s legal context, what must exist for a lawful international data transfer to a non-adequate country? | Written contracts using approved Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) |
| In legal terms, what does chain of custody ensure during e-discovery? | Integrity and authenticity of evidence from collection to presentation |
| Which legal concept allows individuals to demand erasure of their data? | Right to be forgotten |
| Which legal principle prevents data controllers from transferring personal data to jurisdictions lacking “adequate protection”? | Cross-border transfer restriction |
| Hybrid-cloud governance must at minimum ensure: | A common baseline of controls across interconnected environments |
| According to CSA v4.0, what is the best mitigation when a provider’s audit scope excludes key security controls? | Demand expanded audit scope or implement compensating internal controls |
| Which of the following best describes data localization laws? | Mandate certain categories of data remain stored within national borders |
| Which U.S. law compels providers to disclose data to law enforcement under specific warrants, even if stored abroad? | CLOUD Act (Clarifying Lawful Overseas Use of Data Act) |
| When personal data is transferred to another jurisdiction under a legal derogation (e.g., consent), what must still be ensured? | Transparency, proportionality, and continued data subject protection |
| Which of the following is not one of the four elements in the CSA’s simplified hierarchy of governance and risk? | Financial accounting controls |
| Which document provides the most detailed mapping between cloud security controls and multiple compliance frameworks? | CSA Cloud Controls Matrix (CCM) |
| What is the major risk of “data sprawl” in multi-tenant cloud environments from a legal standpoint? | Difficulty ensuring all copies are subject to proper jurisdictional and contractual protections |
| Which governance artifact is internal rather than contractual? | Internal service-level agreement within a self-hosted private cloud |
| What is the main purpose of a jurisdiction clause in a cloud contract? | To specify which country’s laws govern the contract and where disputes are resolved |
| Why does multi-jurisdictional data storage complicate e-discovery? | Conflicting preservation, privacy, and disclosure laws can restrict or compel access simultaneously |