Managing Cloud Security Assessment Questions (WGU D320/C838) 2026 | Verified CCSP Exam Prep & Study Guide
Meena needs to document what a contractor will do as part of an engagement,
including project deliverables, timelines, and the payment terms and conditions.
What type of document could she use to accomplish this? - ANSWER-A SOW
A SOW, or statement of work, is used to describe a project's or effort's requirements,
including the work that will be performed, project deliverables, the timeline,
payment terms and conditions, and other details about how the work will be done.
An NDA is a nondisclosure agreement; an MSA is a master services agreement, which is
the document that describes how organizations will work together over time through
terms and conditions; and an SLA is a service-level agreement used to define what
service levels will be.
The company Kim works for is preparing to lease space in a data center. The data
center sells space by the rack to customers, with multiple data center bays filled with
racks at the provider's site. Which of the following security controls is not one that
Kim should look for in a shared-space data center environment like this if they are
looking for a high-security environment? - ANSWER-Shared racks with per-customer system labeling
Shared racks cannot be appropriately secured in an environment like this, and Kim's
company is looking for a high-security environment. Dedicated physical space would
be even more ideal, but many organizations cannot afford the expense of their own
dedicated space, so locked, per-customer keyed racks with appropriate
monitoring and access controls are needed for a secure, shared data center
environment.
Derek's organization operates in a cloud software as a service environment. When
data is deleted, what is the best option that is typically available to SaaS customers to
ensure media containing data is properly sanitized? - ANSWER-Software as a
service providers do not provide access to the underlying storage in a way that allows
customers to erase data. If Derek wants to ensure this, his best option is to ensure
that the SaaS provider uses internal processes that include cryptographic erase for
customer data and that data security practices are included in a service-level
agreement and/or the contract with the service provider.
What external requirement drives many data retention policies? - ANSWER-
Compliance requirements
Compliance requirements often drive data retention policies and may require
specific timeframes for retention. Once compliance requirements have been met,
considerations like business needs and the potential for litigation come into play, but
legal holds don't drive retention policies; they merely require the organization to
retain data for the hold, not as a matter of ongoing policy. Neither business
continuity nor disaster recovery drives most retention policies. Instead, business
continuity and disaster recovery are likely to drive technical design and procedures
to ensure data is available.
As part of their security testing process, Jacob's team intentionally attempts to break
software as an attacker would. What type of testing is his team conducting? -
ANSWER-Abuse case testing
Abuse case testing is intended to replicate an attacker's or malicious actor's likely
actions against a software package or application. Use case testing is designed to
simulate normal use. Dynamic testing is done live with software, while static testing
looks at the code of the software itself.
Charles wants to use federated identity for his organization and has selected Google
as an identity provider. What information will his organization receive from Google
when they log on with a Google account? - ANSWER-An authentication validation
Identity providers validate logins through their own infrastructure and provide
service providers like Charles with validated authentication, not the password or a
hash of the password, thus keeping the account and authentication process secure.
That's where the trust in federation comes into play; Charles has to trust that Google
is properly authenticating users to its services if he wants to use the service.
Megan wants to ensure that her hardware security module (HSM) is using acceptable
cryptographic techniques. What U.S.-based certification should she look for? -
ANSWER-FIPS 140-2
Many HSM security requirements standards point to FIPS 140-2 (and soon, FIPS 140-3,
because 140-2 is end of life) as a useful standard to validate cryptographic
components against. None of the other options listed are used to validate
cryptographic components.
Chelsea wants to use a cloud service to provide a customer relationship management
(CRM) system. She wants to have significant control over the configuration and
customization of the system but does not want to operate underlying hardware or
operating systems. What cloud service model should she select? - ANSWER-PaaS
Chelsea's design requirements match a platform as a service environment; the
provider delivers an environment where the customers can configure the service but
does not run systems. This provides more control and flexibility than SaaS but not as
much control as a full independent infrastructure as a service, or IaaS, environment.
Finally, IDaaS is identity as a service.
The service provider that Jim is preparing to sign a contract with notes that it uses
cryptographic modules that are FIPS 140-2 certified. What does Jim know about the
organization based on that? - ANSWER-The cryptographic modules have met at least
basic security requirements
There are four levels of FIPS 140-2, but the problem doesn't mention which has been
met. That means that Jim only knows that its cryptographic modules have met at
least a basic level of security like using an approved algorithm, but he does not know
if there are physical security mechanisms or other features involved. If the service
provider identified the FIPS level (1-4) that its devices were certified to, Jim would be
able to better understand its underlying technology and security posture.
Asha needs to search through emails that her organization sent via its cloud email
host. What type of data discovery is Asha conducting? - ANSWER-Unstructured data
discovery
Asha is performing unstructured data discovery. Emails, documents, websites, and
social media are all common examples of unstructured data. This makes tools that
can do keyword searches and data mapping very useful.
What stage of the cloud data lifecycle typically includes data classification? -
ANSWER-Creation
Data should be classified when it is created. This ensures that the data can be handled
according to its classification throughout its lifecycle.
John has determined the recovery point objective for his organization as part of its
disaster recovery plan. What does setting an RPO achieve? - ANSWER-It determines
how old the data that can be restored will be in the event of a disaster
A recovery point objective determines how much data can be lost in a disaster and
thus how much may have to be reentered or assumed to be permanently lost. It does
not determine how long a service recovery will take in the event of a disaster.
What is the key goal of the change management process in ITIL? - ANSWER-To
minimize the risk associated with changes