MANAGEMENT: QUESTIONS AND RATIONALES / GRADED A+ UPDATE 100% CORRECT
SECTION 1: CLOUD GOVERNANCE & COMPLIANCE (Questions 1-12)
1. An organization using a SaaS HR platform needs to prove to auditors that
employee data stored in the cloud is not accessible by the vendor's other
customers. Which control best demonstrates this?
• A) Data Loss Prevention (DLP) policies
• B) Logical segregation through multi-tenancy with encryption (Rationale:
In SaaS, logical isolation (schema/per-database encryption) ensures tenant
data separation, satisfying auditor requirements for data commingling risks.)
• C) Virtual Private Cloud (VPC) peering
• D) Annual penetration testing
2. Which 2026 regulatory trend imposes primary liability on the cloud
consumer, even for misconfigurations of the cloud provider’s default settings?
• A) GDPR (General Data Protection Regulation)
• B) The Cloud Consumer Accountability Act (Model Law 2025) (Rationale:
This emerging framework shifts liability to the customer for misconfigurations
like open S3 buckets or default passwords, regardless of provider defaults.)
• C) HIPAA (Health Insurance Portability and Accountability Act)
• D) FedRAMP High baseline
3. A company operates across the EU, California, and China. Which cloud
compliance framework provides the most unified set of controls to satisfy
overlapping requirements?
• A) CSA Cloud Controls Matrix (CCM) v4 (Rationale: CCM v4 maps to GDPR, CCPA, PIPL, and other regional laws, offering a unified control set for global compliance management.)
• B) CIS Benchmark for cloud
• C) NIST SP 800-53 Rev 5
• D) SOC 2 Type II
4. The "Right to be Forgotten" in a cloud environment presents the greatest
technical challenge for which data storage pattern?
• A) Encrypted object storage with customer-managed keys
• B) Immutable ledger storage (e.g., blockchain-based logs) (Rationale:
Immutable storage prevents deletion or modification by design, directly
conflicting with deletion mandates under GDPR Article 17.)
• C) Ephemeral virtual machine disks
• D) Transient cache layers
5. What is the primary purpose of a "Cloud Service Provider (CSP) Audit Right"
clause in a contract?
• A) To allow the CSP to audit the customer's payment history
• B) To permit the customer or a third-party auditor to inspect the CSP’s
physical and logical controls (Rationale: This right-of-audit clause is critical
for verifying the CSP's security posture, especially for SOC 2 or ISO 27017
certifications.)
• C) To grant the CSP access to customer network logs
• D) To enforce automated patching schedules
6. Which NIST Cloud Computing reference architecture component is
responsible for managing SLAs, billing, and compliance enforcement?
• A) Cloud Broker
• B) Cloud Carrier
• C) Cloud Auditor (Rationale: The NIST cloud auditor conducts independent
assessments of security, privacy, performance, and SLAs, including billing
verification.)
• D) Cloud Consumer
7. Your cloud provider notifies you of a potential data breach affecting the
physical hard drive of a retired server. Under the shared responsibility model
(2026 revision), who is liable for customer data exposure?
• A) The customer, because they failed to encrypt the data
• B) The provider, because physical media sanitization is always the provider's responsibility (Rationale: The CSP owns the physical infrastructure layer, including secure erasure or destruction of decommissioned drives.)
• C) Shared 50/50 liability
• D) The third-party logistics company that transported the drive
8. A "Bring Your Own Key" (BYOK) solution for cloud storage must ensure that
the cloud provider cannot access the plaintext key. What cryptographic
technique achieves this in 2026 standard practice?
• A) Key splitting without a trusted third party
• B) Hardware Security Module (HSM) with key wrapping using a provider-controlled key that never leaves the HSM boundary (Rationale: BYOK uses a trusted HSM where the customer imports a wrapped key; the CSP's HSM performs operations without ever exposing the plaintext key to the CSP's hypervisor.)
• C) Base64 encoding of the key
• D) Storing the key in a managed database
9. The "CSA STAR Level 2" certification requires:
• A) A self-assessment questionnaire only
• B) A third-party independent audit based on the CSA CCM (Rationale: Level 2 provides third-party audit attestation, unlike Level 1 which is self-assessment. Level 3 is continuous monitoring.)
• C) Continuous real-time monitoring (Level 3)
• D) ISO 27001 alone
10. A multinational bank runs a workload on a cloud provider who sub-lets
infrastructure from a "sub-CSP" in a prohibited country. The bank violates
which compliance doctrine?
• A) Right to Audit
• B) Sub-processor and geographical restriction clause (Rationale: Standard
cloud contracts restrict sub-processing without notice and ban high-risk
jurisdictions (sanctions). The bank breached the "no sub-CSP in prohibited
region" clause.)
• C) Data portability
• D) Incident response timeline
11. In 2026, the "EU Cloud Rulebook" mandates that "digital sovereignty" is
achieved only when:
• A) Data is encrypted at rest