nerdexam
(ISC)2

CISSP · Question #590

A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligation

The correct answer is A. No, because the encryption solution is internal to the cloud provider.. The CISO did not address all the legal requirements in this situation, because the encryption solution is internal to the cloud provider. Moving the main business application to the cloud involves transferring the data and the processing of the data from the organization's own pr

Submitted by joshua94· Mar 5, 2026Security and Risk Management

Question

A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulations requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?

Options

  • ANo, because the encryption solution is internal to the cloud provider.
  • BYes, because the cloud provider meets all regulations requirements.
  • CYes, because the cloud provider is GDPR compliant.
  • DNo, because the cloud provider is not certified to host government data.

How the community answered

(60 responses)
  • A
    68% (41)
  • B
    17% (10)
  • C
    10% (6)
  • D
    5% (3)

Explanation

The CISO did not address all the legal requirements in this situation, because the encryption solution is internal to the cloud provider. Moving the main business application to the cloud involves transferring the data and the processing of the data from the organization's own premises to the cloud provider's premises. This may raise several legal and regulatory issues, such as the compliance with the data protection laws, the data sovereignty laws, the data breach notification laws, and the contractual obligations. The General Data Protection Regulation (GDPR) is one of the data protection laws that applies to the organizations that process the personal data of the individuals in the European Union (EU), regardless of where the processing takes place. The GDPR requires the organizations to ensure the confidentiality, the integrity, and the availability of the personal data, and to implement appropriate technical and organizational measures to protect the personal data from unauthorized or unlawful access, use, disclosure, alteration, or destruction. One of the technical measures that can be used to protect the personal data is encryption, which is a technique that transforms the data into an unreadable or unintelligible form, using a key and an algorithm, and that prevents unauthorized access, modification, or disclosure of the data. However, the encryption solution that the cloud provider offers is internal to the cloud provider, meaning that the cloud provider has the control and the access to the encryption keys and the encryption algorithms. This may pose a risk to the data confidentiality, as the cloud provider may be able to decrypt the data, or may be compelled to disclose the data to third parties, such as law enforcement agencies or other governments. Therefore, the CISO did not address all the legal requirements in this situation, as the encryption solution is internal to the cloud provider, and does not guarantee the data confidentiality. The organization may need to use its own encryption solution, or to negotiate with the cloud provider to have more control and visibility over the encryption keys and the encryption algorithms.

Topics

#Cloud security#GDPR compliance#Key management#Shared responsibility

Community Discussion

No community discussion yet for this question.

Full CISSP Practice