ISC2 CCSP — Certified Cloud Security Professional · Domain 2 · 20% of exam

Cloud Data Security

Drill 20 practice questions focused entirely on Cloud Data Security for the ISC2 CCSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A cloud forensics investigator at a financial services firm is collecting log data from a CSP-managed SIEM to support an anticipated fraud lawsuit. To ensure the collected logs will be admissible and defensible in court, which control is MOST critical for the investigator to establish and document throughout the collection and handling process?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services company stores seven years of customer transaction archives in a cloud object storage bucket that is shared across multiple tenants under the provider's control. A customer whose retention period has legally expired requests that their specific archived data be rendered permanently unrecoverable. Because the underlying storage media is multitenant and physical destruction is impossible, which approach BEST guarantees the data is effectively destroyed?

Reviewed for accuracy · Report an issue
Question 3 of 20

A financial services firm must archive customer transaction records for seven years to meet regulatory requirements. The archived data is stored encrypted in a cloud object storage tier and is rarely accessed. During a compliance audit in year four, the security team discovers that some older archives cannot be decrypted because the encryption keys used to protect them were rotated and the previous key versions were destroyed after the standard 90-day key retention window. What is the MOST important consideration the team overlooked when designing the Archive phase of the data lifecycle?

Reviewed for accuracy · Report an issue
Question 4 of 20

A cloud security engineer is designing the logging architecture for a regulated healthcare SaaS platform. Auditors require that once an access log entry is written, no administrator — including those with root-level cloud console privileges — can alter or delete individual records without detection during the mandated retention window. Which control BEST satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services firm has completed a data discovery scan across its cloud environment and produced a classification catalog tagging datasets as Public, Internal, Confidential, and Restricted. The security architect now wants to ensure that the classification effort produces measurable security value rather than remaining a compliance artifact. Which action best leverages the completed classification to strengthen data protection?

Reviewed for accuracy · Report an issue
Question 6 of 20

A financial services company is preparing to deploy an information rights management (IRM) solution across its SaaS collaboration platform to enforce persistent protections such as document expiration and copy/print restrictions. During planning, the security architect insists that a specific activity must be completed first to ensure the IRM policies apply the correct level of protection to each document. Which activity should be completed before the IRM controls can be effectively configured?

Reviewed for accuracy · Report an issue
Question 7 of 20

A cloud security architect is deploying a data discovery solution across a large object storage repository containing millions of unstructured files uploaded by many business units. The organization needs to identify files containing PII even when the files were never tagged, poorly named, or stored in unexpected buckets. Which data discovery approach BEST meets this requirement?

Reviewed for accuracy · Report an issue
Question 8 of 20

A cloud architect is designing an object storage system for a healthcare provider. The security requirement is that no single storage node holds a complete, readable copy of any patient record, so that theft of a single disk or compromise of one node does not expose usable data, while still providing resilience against node failure. Which cloud data security technique BEST satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services company is implementing a cloud data governance program. Their data discovery tool has scanned an object storage repository and identified thousands of files. The security architect wants to ensure that once data is discovered, appropriate handling controls (encryption requirements, access restrictions, and retention rules) can be automatically enforced by downstream tools such as the IRM and DLP systems. Which activity is the essential next step that enables those downstream controls to function correctly?

Reviewed for accuracy · Report an issue
Question 10 of 20

A financial services company is designing a data governance program for its new cloud analytics platform. Security architects want to ensure that appropriate protection controls (encryption levels, access restrictions, and retention rules) are automatically applied to each dataset the moment it enters the platform. During which phase of the cloud data lifecycle should classification tags be assigned to maximize the effectiveness of downstream security controls?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial analytics firm stores customer records in a cloud data warehouse. During a quarterly review, the security team maps controls to each phase of the cloud data lifecycle. They note that while data is actively being queried and processed by analysts and BI tools, the primary risk is unauthorized viewing or manipulation by users who have legitimate system access but should not see certain fields. Which control set is MOST appropriate to emphasize for this specific lifecycle phase?

Reviewed for accuracy · Report an issue
Question 12 of 20

A healthcare SaaS provider must supply realistic data to an offshore development team for building a new reporting feature. The dataset contains patient records with PHI. Developers need referential integrity across tables and must run repeatable test cases, but they should never see real patient identifiers, and the masked copy will be stored in a persistent non-production database. Which data protection approach best fits these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

A healthcare analytics team needs to run aggregate statistical queries on a large patient dataset stored in a cloud data warehouse. Regulators require that individual patient identifiers be irreversibly obscured before analysts access the data, and the analysts must still be able to count distinct patients across queries. Which data protection technique best satisfies both the irreversibility requirement AND the need to correlate the same patient across records?

Reviewed for accuracy · Report an issue
Question 14 of 20

A healthcare organization must retain patient imaging records in cloud archive storage for 25 years to meet regulatory requirements. The compliance team is drafting the data retention and archiving policy. Which consideration is MOST critical to ensuring the archived data remains usable and defensible throughout the entire retention period?

Reviewed for accuracy · Report an issue
Question 15 of 20

A retail analytics team stores customer purchase records across two cloud databases. To comply with PCI DSS, primary account numbers (PANs) must be removed from the analytics environment, but analysts still need to join transactions belonging to the same card across both databases and count distinct cardholders. The security architect wants to preserve this ability without exposing any actual PAN values. Which data protection approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 16 of 20

A media company distributes confidential pre-release films to external review partners using an Information Rights Management (IRM) solution. Executives require that a reviewer's access to a downloaded film be automatically revoked the moment their contract ends, even if the file already resides on the reviewer's laptop. During testing, the security team discovers that some reviewers can still open protected files days after their contract termination date. Which IRM configuration issue is the MOST likely root cause?

Reviewed for accuracy · Report an issue
Question 17 of 20

A media company distributes pre-release film scripts to external partners as PDF files. Executives are concerned that once a script leaves the corporate network, they lose all control over who can open it and for how long. They want the ability to revoke access to already-distributed copies and prevent printing or copying, even after files have been downloaded to partner devices. Which technology BEST addresses these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 20

A media company distributes pre-release film scripts to external contractors through a SaaS collaboration platform. Recently, a leaked script appeared online after a contractor downloaded and forwarded the file outside the platform. Management wants a control that keeps access restrictions and usage policies attached to the document even after it leaves the company's storage environment. Which technology best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 19 of 20

A financial services firm is adopting a SaaS analytics platform that encrypts all tenant data at rest. Regulators require that the firm be able to revoke the provider's ability to decrypt its data at any moment, without waiting on the provider's cooperation. Which key management approach best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 20 of 20

A financial services company stores encrypted customer records in an IaaS environment. During a compliance review, the auditor notes that while the data is encrypted with a strong algorithm, the cloud provider's administrators technically have the ability to retrieve the encryption keys from the provider-managed key store. The security team must eliminate the risk that provider personnel could decrypt customer data while still using the provider's storage services. Which approach BEST addresses this concern?

Reviewed for accuracy · Report an issue

More CCSP practice

Keep going with the other ISC2 CCSP — Certified Cloud Security Professional domains, or take a full timed mock exam.

← Back to CCSP overview