CompTIA CASP+ (CAS-004) — Question 168

In order to save money, a company has moved its data to the cloud with a low-cost provider. The company did not perform a security review prior to the move; however, the company requires all of its data to be stored within the country where the headquarters is located. A new employee on the security team has been asked to evaluate the current provider against the most important requirements. The current cloud provider that the company is using offers:

• Only multitenant cloud hosting
• Minimal physical security
• Few access controls
• No access to the data center

The following information has been uncovered:

• The company is located in a known floodplain. which flooded last year.
• Government regulations require data to be stored within the country.

Which of the following should be addressed FIRST?

Answer options

• A. Update the disaster recovery plan to account for natural disasters.
• B. Establish a new memorandum of understanding with the cloud provider.
• C. Establish a new service-level agreement with the cloud provider.
• D. Provision services according to the appropriate legal requirements.

Correct answer: D

Explanation

The correct answer is D because compliance with legal requirements regarding data storage is paramount, especially given the regulations that mandate data must be stored within the country. While updating the disaster recovery plan (A), establishing a memorandum of understanding (B), and creating a service-level agreement (C) are important, they do not take precedence over ensuring compliance with legal obligations.