Free Practice Questions for WGU Managing-Cloud-Security Exam

Cloud providers typically manage multi-tenant infrastructure, where physical hardware is shared among customers. Therefore, drives are not destroyed for each customer unless explicitly required in thecontract. If the customer’s agreement specifies dedicated hardware disposal, then the provider must comply by physically destroying the drives.

Cryptographic erasure and degaussing are valid sanitization methods, but they may not meet the specific contractual requirement of physical destruction. Insurance clauses are unrelated to disposal.

This question underscores the importance of negotiating contractual terms in cloud agreements. Customers handling highly sensitive or regulated data may require physical destruction, while others may accept logical erasure. Clear agreements ensure both compliance and alignment of security responsibilities.

The capability to rapidly create and destroy virtual systems as demand fluctuates is known asephemeral computing. These short-lived resources are provisioned automatically when needed and decommissioned when demand subsides.

Resource scheduling helps allocate resources but does not imply temporary lifespans. High availability ensures continuous service, and maintenance mode is used for administrative tasks.

Ephemeral computing is central to elasticity in cloud environments, reducing costs and improving scalability. For example, containers or serverless functions may run only while needed and then disappear. This model optimizes utilization, lowers expenses, and supports modern application architectures that demand agility.

The cloud data life cycle defines distinct stages that data goes through from its origin until its disposal. TheCreatephase is the very first stage, and this is where data is generated or captured by systems, applications, or users. At this point, data does not yet have context for storage or use, so it must be appropriately categorized and classified. Activities like labeling, marking, tagging, and assigning metadata are critical because they establish the foundation for enforcing controls throughout the rest of the life cycle.

Classification ensures that data is aligned with sensitivity levels, regulatory requirements, and business value. For example, financial records may be labeled “confidential” while general marketing content may be marked “public.” These distinctions guide how encryption, access controls, and monitoring will be applied in subsequent phases such as storage, sharing, or use.

According to industry frameworks, starting security at theCreatephase ensures that controls “follow the data” across environments. Without proper classification at creation, organizations risk mismanaging sensitive data downstream.

The STRIDE threat model identifies six categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. In this scenario, the accountant modified data they were not authorized to change. This is an act ofTampering, which refers to unauthorized alteration of data or systems.

Spoofing would involve impersonating another identity, denial of service would block availability, and elevation of privilege would involve gaining higher access rights. The accountant already had legitimate access but misused it to alter data outside their scope of responsibility.

Tampering compromises data integrity, one of the pillars of the CIA triad. In cloud and enterprise systems, safeguards against tampering include role-based access control, least privilege, and auditing to detect unauthorized changes. Recognizing this as tampering helps in identifying insider misuse and implementing compensating controls.

Federal agencies in the U.S. rely onNIST SP 800-37, Risk Management Framework (RMF), to manage enterprise risk. RMF provides a structured process for categorizing systems, selecting controls, implementing safeguards, assessing effectiveness, authorizing operations, and continuous monitoring.

ISO 37500 deals with outsourcing governance, SSAE 18 governs service provider audits, and COSO is a corporate governance framework but not specific to federal agencies.

NIST RMF is integrated with the Federal Information Security Modernization Act (FISMA) requirements, ensuring agencies manage cybersecurity risks consistently. Its adoption is expanding beyond government into industries seeking comprehensive, repeatable risk management processes.

The unplanned event described is adisruptionof service. In IT service management frameworks like ITIL, disruptions occur when an incident prevents normal service delivery. The goal of incident management is to restore service quickly and minimize impact on customers.

A bug refers to a software defect, which may cause disruptions but is not synonymous with the event itself. An error represents a fault, while change refers to deliberate modifications. Only disruption captures the unplanned nature of service unavailability.

Recognizing incidents as disruptions helps organizations apply structured processes such as escalation, root-cause analysis, and communication. It ensures resilience in cloud-based environments where uptime is a key performance indicator and customer trust is closely tied to availability.

Proceduresare detailed, step-by-step instructions that guide personnel on how to perform specific tasks in alignment with higher-level policies. In an investigation, when uncertainty arises about handling a dataset, procedures provide the exact operational guidance required.

Policies establish high-level rules (e.g., “financial data must be protected”), while procedures explain how to achieve compliance with those policies (e.g., “verify encryption, label dataset, log access, and escalate to compliance officer”). Legal rulings and definitions are external references but do not provide operational steps.

By following documented procedures, investigators ensure consistency, compliance, and defensibility in legal contexts. This also ensures that evidence is handled properly, supporting admissibility in court and protecting the organization against legal or regulatory challenges.

TheSarbanes-Oxley (SOX) Act of 2002was enacted to restore investor confidence after major corporate accounting scandals. It requires publicly traded corporations to maintain accurate financial reporting and implement internal controls to safeguard the integrity of disclosed information.

GLBA focuses on protecting consumer financial data, GDPR is a European regulation governing privacy, and the CLOUD Act addresses cross-border law enforcement access to data. Only SOX directly mandates financial disclosure and corporate accountability.

SOX compliance includes maintaining audit trails, securing data integrity, and ensuring that executives certify financial statements. Failure to comply carries severe penalties, both civil and criminal. For cloud environments, SOX compliance extends to ensuring IT systems used for financial data are secure, monitored, and auditable.

Acceptance testingevaluates whether the system meets user requirements and performs as expected in real-world conditions. In this case, employees need the graphical interface to work properly for customer data entry. Acceptance testing confirms usability, accuracy, and functionality from the end user’s perspective.

Load testing measures performance under stress, regression testing checks for errors introduced by new changes, and security testing ensures system defenses. These are valuable, but they do not validate end-user satisfaction and workflow alignment.

Acceptance testing is the final validation step before production deployment. It ensures that updates deliver intended business value and user experience. By involving employees in acceptance testing, organizations ensure successful adoption of new systems.