Domain 2: Cloud Data Security Section C Review

Domain 2 – Section C Review: Data Governance

CCSP Domain 2 — Cloud Data Security, Section C Review: 10 scenarios
This section review tests your ability to apply concepts from the preceding modules to realistic exam scenarios. Work through each question, commit to an answer, then reveal the reasoning. Focus on understanding WHY the correct answer is right and why the distractors are wrong.

Scenario 1

A company shares confidential documents via a cloud collaboration platform. After a partnership ends, they want to revoke access to all shared documents including copies saved locally by the partner. Which technology enables this?

  1. A) IRM (Information Rights Management) — embedded access policies require authentication with the rights management server, which can be updated to deny access even to locally saved copies
  2. B) Cloud storage access control revocation
  3. C) DLP blocking all further file sharing
  4. D) Revoking the partner's VPN access

Answer & reasoning

Correct: A

IRM embeds access controls in documents that persist regardless of location. When the partner opens a locally saved IRM-protected document, it contacts the rights server for authentication, which denies access based on the updated policy.

Scenario 2

An organization under legal hold discovers that automated backup rotation deleted relevant evidence 2 weeks after the hold was issued. The backup rotation was not suspended. What are the potential legal consequences?

  1. A) No consequences — backups are not considered primary evidence
  2. B) The cloud provider is liable since the deletion was automated
  3. C) Spoliation — the court may impose sanctions including adverse inference (assuming destroyed evidence was unfavorable), monetary penalties, or case-adverse rulings. The organization failed to implement the hold on all data systems
  4. D) The legal hold only applies to primary data, not backups

Answer & reasoning

Correct: C

Failure to suspend automated deletion during a legal hold constitutes spoliation. Courts can impose severe sanctions. The organization must immediately suspend all automated data lifecycle processes for held data, including backup rotations.

Scenario 3

Five cloud administrators share a root account. A database is maliciously deleted. Audit logs show the root account performed the deletion but cannot identify which administrator. The investigation stalls. What must change?

  1. A) Implement more detailed logging that captures biometric information
  2. B) Eliminate shared accounts. Create individual administrator accounts with role-based access. Implement break-glass procedures for root access with individual authentication and audit trails
  3. C) Require administrators to sign a log book before using the root account
  4. D) Add security cameras to the office to identify who was at their computer

Answer & reasoning

Correct: B

Shared accounts fundamentally prevent individual accountability. Regardless of logging detail, actions can only be attributed to the shared identity. Individual accounts are required for accountability, non-repudiation, and forensic attribution.

Scenario 4

An organization subject to GDPR and US financial regulation receives a GDPR erasure request for a customer whose financial transaction data must be retained for 7 years. How should they respond?

  1. A) Retain data required by the financial regulation (GDPR exempts data needed for legal obligations) while deleting any personal data not covered by the retention requirement. Document the legal basis for continued retention
  2. B) Delete everything immediately — GDPR supersedes all other regulations
  3. C) Ask the customer to wait 7 years for deletion
  4. D) Ignore the GDPR request until the 7-year retention period expires

Answer & reasoning

Correct: A

GDPR Article 17(3)(b) exempts data processing necessary for legal obligations. The organization must precisely separate legally required data from data that can be deleted, respond to the subject explaining the partial exemption, and delete what is not legally required to keep.

Scenario 5

A cloud forensic analyst creates a VM snapshot for investigation, downloads it, and begins analysis without recording hashes or documenting the collection process. Defense attorneys challenge the evidence. What is the outcome?

  1. A) The evidence may be ruled inadmissible. Without hash verification and chain of custody documentation (who collected it, when, how, why), the integrity and authenticity of the evidence cannot be proven, undermining its legal value
  2. B) Snapshots are automatically documented by the cloud provider
  3. C) Chain of custody only applies to physical evidence, not digital
  4. D) The snapshot is valid evidence regardless of documentation

Answer & reasoning

Correct: A

Digital evidence requires the same chain of custody rigor as physical evidence. Without hash verification at collection and documentation of every step, there is no way to prove the evidence was not tampered with between collection and analysis.

Scenario 6

A company deletes data from their cloud database upon contract termination. The cloud provider confirms deletion. Six months later, the data appears in a backup snapshot that was not included in the deletion scope. What process failed?

  1. A) The deletion process was incomplete — it addressed primary storage but failed to identify and address all data copies including backup snapshots, replicas, and archives. A comprehensive data map should have identified all copies before deletion
  2. B) The cloud provider failed their deletion obligations
  3. C) This is expected behavior in cloud environments and does not represent a failure
  4. D) Backup snapshots are not the customer's responsibility

Answer & reasoning

Correct: A

Incomplete deletion is a common cloud data management failure. All copies must be identified (requiring a data map) and either deleted or rendered unrecoverable through crypto-shredding. Addressing only primary storage leaves data in backups, replicas, and caches.

Scenario 7

Audit logs for cloud services are stored in the same account as production systems. An attacker gains administrative access and deletes the logs. What architectural control was missing?

  1. A) More frequent log backups would have mitigated the impact
  2. B) The cloud provider should protect logs from deletion automatically
  3. C) Log encryption would have prevented the attacker from deleting them
  4. D) Logs should be stored in a separate, restricted account with write-once (immutable) storage. This ensures even an attacker with administrative access to production cannot access, modify, or delete audit evidence

Answer & reasoning

Correct: D

Log integrity requires architectural separation. Storing logs in a separate account with immutable storage and restricted access ensures they survive even when the production environment is fully compromised.

Scenario 8

A user denies approving a $2M cloud resource purchase order. The system log shows the transaction was digitally signed with the user's private key from their authenticated session. The user claims their account was hacked. What does the evidence establish?

  1. A) Non-repudiation — the digital signature binds the action to the user's private key. The user must prove their key was compromised to dispute it. The combination of digital signature, authenticated session, and audit logs creates strong non-repudiation evidence
  2. B) Digital signatures can be easily forged and prove nothing
  3. C) The user's claim of being hacked automatically invalidates the evidence
  4. D) The log proves the user made the purchase beyond any doubt

Answer & reasoning

Correct: A

Digital signatures provide non-repudiation. The user cannot simply deny the action — they must affirmatively prove their private key was compromised. The combination of digital signature, session authentication, and immutable audit logs creates a strong evidentiary chain.

Scenario 9

An organization archives encrypted data with a 20-year retention requirement. The encryption keys are stored in the cloud provider's KMS. Ten years later, the provider discontinues the KMS service with 12 months' notice. What risk materializes?

  1. A) No risk — encryption keys can be exported to any system
  2. B) The provider must maintain the KMS for the full 20 years
  3. C) Key accessibility risk — if the keys cannot be exported or migrated to a replacement KMS before service discontinuation, 10 years of archived encrypted data becomes permanently inaccessible. Long-term key management strategy should include key portability planning
  4. D) The encrypted data can be decrypted without the original keys

Answer & reasoning

Correct: C

Long-term encrypted archives require key management longevity planning. If the KMS service is discontinued and keys cannot be exported, all encrypted data becomes permanently inaccessible. Key portability and backup strategies must be established at the outset, not 10 years later.

Scenario 10

A stale data map created 2 years ago shows 15 data stores. The organization has since added 3 cloud services, migrated 2 databases, and expanded to a new region. A compliance audit uses the old data map. What is the risk?

  1. A) The audit will produce false assurance — new services, migrated data, and the new region are not reflected in the stale map. Security controls, compliance verification, and incident response based on the outdated map will miss significant portions of the data landscape
  2. B) Only the new services need a separate assessment
  3. C) The old data map provides a useful baseline that the auditor can work from
  4. D) Data maps are point-in-time documents and the auditor should know this

Answer & reasoning

Correct: A

A stale data map creates blind spots. The audit will not assess data in new services, migrated databases, or the new region, producing findings that cover only a fraction of the actual data landscape. Data maps must be continuously maintained.
