CSC - Cybersecurity Compliance Cloud Security Compliance Questions and Answers

Question 1

A company deploys a custom application on virtual machines within an Infrastructure as a Service (IaaS) cloud environment.
A critical vulnerability is discovered in the operating system of these virtual machines.
According to the shared responsibility model, who is primarily responsible for patching the operating system vulnerability?

Accepted Answer

The customer, as they control the guest operating system and applications.

Answer

The cloud service provider (CSP), as they manage the underlying infrastructure.

Answer

The operating system vendor, who is solely responsible for issuing patches.

Answer

Both the CSP and the customer, who must coordinate the patching process together.

Question 2

A U.S. federal agency needs to procure a cloud service to store and process highly sensitive, unclassified data, where a breach could have a severe or catastrophic adverse effect on agency operations or assets. Which FedRAMP impact level is MOST appropriate for this cloud service?

Accepted Answer

FedRAMP High

Answer

FedRAMP Low

Answer

FedRAMP Moderate

Answer

FedRAMP Ready

Question 3

An organization is evaluating several cloud service providers and wants to use a standardized framework to assess their security controls against industry best practices. Which Cloud Security Alliance (CSA) tool provides a comprehensive matrix of cloud-specific controls mapped to major standards and regulations?

Accepted Answer

The Cloud Controls Matrix (CCM)

Answer

The Consensus Assessments Initiative Questionnaire (CAIQ)

Answer

The STAR (Security, Trust, Assurance, and Risk) Registry

Answer

The Top Threats to Cloud Computing Report

Question 4

A European company is using a global SaaS provider for its HR platform, which processes employee data subject to GDPR. Which of the following is the MOST effective control for addressing data sovereignty requirements?

Accepted Answer

Contractually requiring and technically configuring the service to process and store all data within a specific EU data center region.

Answer

Implementing multi-factor authentication for all platform users.

Answer

Ensuring the SaaS provider has a current SOC 2 Type 2 attestation.

Answer

Encrypting all data at rest and in transit using industry-standard algorithms.

Question 5

A retail company is building its e-commerce platform in a public cloud and must maintain PCI DSS compliance. Even if the company uses a PCI-compliant IaaS provider, which of the following security tasks remains the company's direct responsibility?

Accepted Answer

Configuring virtual network firewalls (security groups) to restrict traffic to the Cardholder Data Environment (CDE).

Answer

Disposing of physical hard drives from decommissioned servers.

Answer

Securing the physical data center facilities against unauthorized access.

Answer

Managing the hypervisor that hosts the company's virtual machines.

Question 6

A medical software company uses a cloud service provider (CSP) to store and process electronic Protected Health Information (ePHI). What is the essential legal agreement required by HIPAA that must be executed between the company and the CSP?

Accepted Answer

A Business Associate Agreement (BAA)

Answer

A Master Service Agreement (MSA)

Answer

A Non-Disclosure Agreement (NDA)

Answer

A Service Level Agreement (SLA)