CCSP Domain 6: Legal, Risk & Compliance Capstone Review

Estimated time: 30–40 min
If you can think through this review, you are thinking the way the CCSP expects for legal, risk, and compliance. These questions cross all three sections — law, audit, and vendor management.

These scenarios blend:

  • International legal requirements and jurisdiction
  • eDiscovery and forensics
  • Privacy and data protection
  • Audit reports and compliance
  • Enterprise risk management
  • Contracts and vendor management
  • Supply chain security

Every question forces you to integrate legal, risk, and compliance thinking into a single decision framework.


Scenario questions (20)


Question 1

A US healthcare company processes EU patient data in a SaaS application hosted in the US. They have no EU office.

Which regulations apply?

A. Neither, because the SaaS provider assumes all regulatory obligations
B. Both HIPAA and GDPR, since the data subjects are EU residents and the data is health-related
C. Only HIPAA, since the company is US-based
D. Only GDPR, since the data is stored in the cloud

Answer & reasoning

Correct: B

HIPAA applies to the healthcare company as a covered entity. GDPR applies extraterritorially because EU residents' data is being processed.


Question 2

An organization receives a SOC 2 Type II report from their cloud provider. The report notes three control exceptions in the security criteria.

What should the customer do?

A. Evaluate the severity and nature of the exceptions and assess whether compensating controls or remediation plans address the gaps
B. Reject the report as invalid
C. Terminate the contract due to audit failures
D. Ignore the exceptions since Type II reports always have some

Answer & reasoning

Correct: A

Exceptions indicate control deficiencies. The customer should assess severity, understand the impact, and verify remediation plans before making a decision.


Question 3

A cloud customer's contract states the provider may use subprocessors but has no notification requirement. The provider engages a new subprocessor in a country with no GDPR adequacy decision.

What is the PRIMARY risk?

A. The customer has no visibility into a new entity processing their personal data in a non-adequate jurisdiction, creating GDPR compliance risk
B. Increased service costs
C. The provider's SLA may improve
D. The subprocessor may have better technology

Answer & reasoning

Correct: A

Without notification, the customer cannot assess new subprocessors for GDPR compliance, especially regarding international data transfers.


Question 4

An organization's risk register only includes risks rated as high. Medium and low risks are not tracked.

What governance weakness exists?

A. Medium and low risks do not need to be managed
B. The risk register is too small
C. The risk rating methodology needs calibration
D. Incomplete risk visibility — aggregate medium and low risks may exceed risk appetite even if no individual risk is high

Answer & reasoning

Correct: D

Risk aggregation is essential. Multiple medium risks can combine to exceed organizational risk appetite.


Question 5

During eDiscovery, the legal team discovers that a critical cloud service does not support data export. Relevant data cannot be produced for litigation.

What eDiscovery readiness failure occurred?

A. The organization failed to verify data export capabilities during due diligence before selecting the service
B. The cloud provider is solely responsible for data export
C. The court should accept alternative evidence
D. The legal team should have subpoenaed the cloud provider

Answer & reasoning

Correct: A

eDiscovery readiness requires verifying that all cloud services support data identification, collection, and export before they are adopted.


Question 6

A cloud provider's breach notification timeline in their contract is 30 days. The customer is subject to GDPR's 72-hour notification requirement.

What is the contractual gap?

A. The customer should notify the authority immediately without waiting for provider confirmation
B. 30 days is a reasonable notification timeline
C. The provider's 30-day notification prevents the customer from meeting their 72-hour GDPR obligation to the supervisory authority
D. GDPR's 72 hours starts from the date of the breach, not notification

Answer & reasoning

Correct: C

If the provider takes 30 days to notify the customer, the customer cannot meet GDPR's 72-hour window that starts when the controller becomes aware.


Question 7

A Data Protection Impact Assessment for a cloud AI service identifies a high risk of bias in automated decisions affecting individuals.

What is the MOST appropriate action?

A. Transfer the bias risk to the AI service provider through contract terms
B. Implement bias detection and mitigation controls, establish human review for high-impact decisions, and document the risk treatment
C. Accept the risk since AI bias is difficult to eliminate
D. Abandon the AI project entirely

Answer & reasoning

Correct: B

High privacy risks require mitigation. Bias controls, human oversight, and documented treatment address the DPIA findings while allowing the project to proceed.


Question 8

An auditor discovers that the cloud customer has not implemented any of the Complementary User Entity Controls listed in the provider's SOC 2 report.

What is the impact?

A. The provider is responsible for implementing all controls
B. The SOC 2 report is invalidated
C. The overall control environment has gaps because the provider's controls depend on the customer implementing their complementary controls
D. No impact — complementary controls are suggestions

Answer & reasoning

Correct: C

Complementary controls are required for the provider's controls to be fully effective. Unimplemented complementary controls create control gaps.


Question 9

A multinational company transfers employee data from the EU to a cloud service in India. They rely on the employees' general consent to data processing in their employment contracts.

Is this sufficient for GDPR compliance?

A. No, but only because India specifically is not adequate
B. No — general employment consent does not constitute valid GDPR consent for international transfers, which require specific mechanisms like SCCs
C. Yes, if the employees were informed at hiring
D. Yes, employment contract consent covers all processing

Answer & reasoning

Correct: B

GDPR requires specific legal mechanisms for international transfers, not just general employment consent. SCCs or BCRs are needed.


Question 10

A cloud customer wants to verify that data is completely deleted after contract termination. The provider says data is deleted from production but makes no guarantees about backups.

What risk remains?

A. Customer data may persist in backup systems indefinitely, accessible to the provider or future tenants
B. The contract termination clause covers backup deletion implicitly
C. No risk — production deletion is sufficient
D. Backup data is automatically encrypted and inaccessible

Answer & reasoning

Correct: A

Data persisting in backups after contract termination means the customer has lost control of their data. Complete deletion across all systems must be verified.


Question 11

An organization's internal audit finds that cloud IAM policies grant overly broad administrative access. The cloud security team says this is necessary for operational efficiency.

What is the CORRECT response?

A. Outsource IAM management to the cloud provider
B. Implement least privilege by refining IAM policies to grant only necessary permissions, using JIT access for administrative tasks
C. Accept the finding since operational efficiency is important
D. Disable administrative access entirely

Answer & reasoning

Correct: B

Least privilege is non-negotiable. JIT access provides administrative capabilities when needed without standing broad permissions.


Question 12

A cloud provider offers a cloud-native SIEM. The customer also uses AWS, Azure, and an on-premises data center.

What is the PRIMARY limitation of using the provider's native SIEM?

A. Cloud-native SIEMs cannot process security events
B. The provider's SIEM has weaker detection capabilities
C. Cloud-native SIEMs are always more expensive
D. A single provider's SIEM only covers that provider's environment, leaving other cloud and on-premises environments unmonitored

Answer & reasoning

Correct: D

Provider-native SIEMs only see their own environment. Multi-cloud and hybrid environments require a SIEM that aggregates across all platforms.


Question 13

During contract negotiation, a cloud provider's standard terms limit liability to 3 months of service fees. The customer will store data with a potential breach impact of $50 million.

What should the customer negotiate?

A. Negotiate higher liability caps, require cyber insurance evidence, and implement compensating controls
B. Accept the standard terms since they are industry standard
C. Only sign if liability is uncapped
D. Reduce the data sensitivity to match the liability cap

Answer & reasoning

Correct: A

The gap between the liability cap and potential impact leaves the customer exposed. Negotiation, insurance, and compensating controls address the risk.


Question 14

An organization classifies all cloud vendors in the same risk tier. Their primary cloud provider, which hosts regulated financial data, sits in the same tier as a vendor that provides office supply ordering.

What is the weakness?

A. Flat tiering means the critical cloud provider receives the same oversight as a low-risk office supply vendor
B. Risk tiering is unnecessary for cloud vendors
C. The financial data should not be in the cloud
D. All vendors should be high risk

Answer & reasoning

Correct: A

Risk tiering ensures oversight is proportional to risk. A provider hosting regulated data requires significantly more rigorous assessment.


Question 15

A cloud incident reveals data was stored in a jurisdiction the customer did not authorize. The customer's GDPR compliance is now at risk.

What control would have prevented this?

A. A faster incident response process
B. More frequent vulnerability scanning
C. Contractual data residency requirements with automated compliance monitoring of data location
D. Stronger encryption on the data

Answer & reasoning

Correct: C

Data residency clauses prevent unauthorized data location, and automated monitoring verifies ongoing compliance.


Question 16

An organization measures cloud risk using only technical severity scores (CVSS). A medium-severity vulnerability in a system processing millions of financial transactions is deprioritized.

What is WRONG with this approach?

A. Risk prioritization must include business impact — a medium-severity vulnerability in a high-value system may pose greater risk than a critical vulnerability in a low-value system
B. All vulnerabilities should be treated equally
C. CVSS scores are inaccurate
D. Only critical vulnerabilities need attention

Answer & reasoning

Correct: A

Business impact must inform risk prioritization alongside technical severity. Data sensitivity and business criticality change the risk calculus.


Question 17

A cloud customer receives notice that their provider's ISO 27001 certification has expired. The provider says renewal is in progress.

What is the appropriate response?

A. ISO 27001 expiration has no security implications
B. Accept the provider's statement and wait for renewal
C. Request evidence of continued security practices, such as an interim audit letter, and assess the risk of the certification gap
D. Immediately migrate to a different provider

Answer & reasoning

Correct: C

An expired certification means the independent verification has lapsed. Evidence of continued practices and gap assessment are appropriate.


Question 18

An organization uses cloud-based AI training services. Personal data from customers is included in training data without explicit consent for this purpose.

What privacy violation has occurred?

A. Purpose limitation violation — personal data collected for service delivery is being used for AI training without appropriate consent
B. No violation, since AI training improves the service
C. Data minimization violation
D. Storage limitation violation

Answer & reasoning

Correct: A

Using personal data for AI training when it was collected for service delivery violates purpose limitation. A separate lawful basis is needed for the new purpose.


Question 19

A cloud contract includes a data return clause but specifies a 30-day window after termination. The customer has 5TB of data across multiple services.

What should the customer verify?

A. That the data will be compressed for faster transfer
B. That the provider will extend the window if needed
C. That 30 days provides sufficient time to extract 5TB from all services, and that data is returned in standard, portable formats
D. That 30 days is a standard industry term

Answer & reasoning

Correct: C

The feasibility of extracting all data within the termination window must be verified, along with format portability and completeness.


Question 20

A comprehensive cloud security review identifies gaps across legal compliance, audit coverage, vendor management, and risk treatment. Management asks what to address first.

What should be prioritized?

A. Risk treatment for all identified risks
B. Audit coverage expansion
C. Vendor management improvements
D. Legal compliance gaps — regulatory non-compliance carries the most immediate and severe consequences

Answer & reasoning

Correct: D

Legal and regulatory compliance gaps create the most immediate exposure to fines, sanctions, and legal liability. These should be addressed first.


Domain 6 readiness checklist

If you struggled with any question, revisit this checklist:

  • Did you consider all applicable jurisdictions?
  • Did you identify the data controller versus data processor?
  • Did you evaluate audit evidence critically?
  • Did you express risk in business terms?
  • Did you use formal risk treatment processes?
  • Did you verify contractual provisions protect the customer?

If you can do this, you are ready

If you consistently:

  • Navigate jurisdictional complexity without defaulting to one law
  • Maintain accountability at the data controller level
  • Evaluate audit reports for gaps, carve-outs, and currency
  • Prioritize risk based on business impact
  • Negotiate contracts that protect your organization
  • Manage vendors continuously, not just at selection

You are thinking the way the CCSP expects for Domain 6.
