Legal, Risk, and Compliance for CCSP

This page covers the Legal, Risk, and Compliance domain of the CCSP certification. Master Cybersecurity offers 115 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  Question 1

    Which of the following is not a component of contractual PII?
    A. Scope of processing
    B. Value of data
    C. Location of data
    D. Use of subcontractors
    Explanation

    The correct answer is: B. Value of data.

    Contractual PII clauses define the operational handling parameters under which a processor may touch personal data on behalf of a controller: the scope of processing (purposes, types of data, duration), the locations where data is stored or accessed, and the chain of subcontractors (sub-processors) authorized to participate. The intrinsic value of the data is not a contractual term; value is the controller's internal asset-classification concern, not something written into a data-processing agreement. GDPR Article 28, for example, requires a DPA to fix the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subjects, and the rules for engaging sub-processors, but it does not require the parties to negotiate the data's monetary value. Therefore value of data is the non-component.

  Question 2

    Which of the following cloud aspects complicates eDiscovery?
    A. Resource pooling
    B. On-demand self-service
    C. Multitenancy
    D. Measured service
    Explanation

    The correct answer is: C. Multitenancy.

    Multitenancy is the cloud attribute (identified by the Cloud Security Alliance; it is not one of the five NIST SP 800-145 essential characteristics, although it follows from resource pooling) that places multiple customers' data on shared physical and virtual infrastructure. It directly complicates eDiscovery because legal-hold preservation, targeted collection, and forensically defensible imaging must isolate one tenant's responsive ESI without exposing or disturbing other tenants' data, as the FRCP and the EDRM process expect. Resource pooling describes the provider's abstraction of resources into a shared supply but does not by itself create the data-commingling problem that the exam answer targets. On-demand self-service is the provisioning model, and measured service is the metering and billing characteristic; neither poses the chain-of-custody and segregation challenges that multitenancy introduces to discovery, forensics, and litigation hold.

  Question 3

    What is a serious complication an organization faces from the perspective of compliance with international operations?
    A. Different certifications
    B. Multiple jurisdictions
    C. Different capabilities
    D. Different operational procedures
    Explanation

    The correct answer is: B. Multiple jurisdictions.

    Multiple jurisdictions present the deepest compliance complication in international operations because each country brings its own privacy law (GDPR in the EU, PIPL in China, LGPD in Brazil, PIPEDA in Canada, sectoral laws in the U.S.), its own data-localization rules, its own breach-notification timing, and its own lawful-access regime, and those frameworks frequently conflict. Data subject location, server location, processor location, and contracting party location can each trigger separate legal obligations simultaneously. Different certifications are a manageable matter of mapping controls and acquiring attestations and are not the core legal complication. Different capabilities of cloud services across regions are a procurement and architecture issue, not a compliance one. Different operational procedures matter for service quality but are not the dominant compliance hurdle. The plurality of jurisdictions is the controlling difficulty.

  Question 4

    Which United States law is focused on data related to health records and privacy?
    A. Safe Harbor
    B. SOX
    C. GLBA
    D. HIPAA
    Explanation

    The correct answer is: D. HIPAA.

    HIPAA (the Health Insurance Portability and Accountability Act of 1996, expanded by HITECH in 2009) is the principal US federal statute governing the privacy and security of protected health information. It imposes the Privacy Rule, Security Rule, and Breach Notification Rule on covered entities (providers, health plans, clearinghouses) and their business associates; the HHS Office for Civil Rights enforces it with civil penalties, and the Breach Notification Rule requires notice without unreasonable delay and no later than 60 days after discovery of a breach. Safe Harbor was a US-EU personal-data transfer framework, not a statute, and was invalidated by the Court of Justice of the EU in 2015; SOX governs public-company financial reporting; and GLBA covers financial institutions' handling of nonpublic personal information. Only HIPAA specifically targets health records and patient privacy.

  Question 5

    Which of the following is NOT a criterion for data within the scope of eDiscovery?
    A. Possession
    B. Custody
    C. Control
    D. Archive
    Explanation

    The correct answer is: D. Archive.

    The US Federal Rules of Civil Procedure (Rule 34) define eDiscovery scope around electronically stored information that a party has in its possession, custody, or control, the three terms of art that determine whether the party must preserve and produce the data. Possession means physical or virtual holding, custody means responsibility for safekeeping, and control means the legal right to obtain the data from a third party (a critical cloud nuance, because customer data sits in the provider's possession but remains under the customer's control). Archive describes a storage state, not a discoverability criterion; archived ESI is still in scope if the party has possession, custody, or control of it. Archive is the non-criterion.
