Explore cloud security standards and requirements with this quiz on GDPR, HIPAA, and SOC 2 compliance. Assess your understanding of privacy obligations, security controls, and data protection in cloud environments for regulated industries.
Under the GDPR, which of the following is a specific right granted to individuals regarding their personal data stored in the cloud, for example the right to request deletion of old email records?
Explanation: The Right to be Forgotten allows individuals to request the deletion of their personal data under GDPR, which is especially important for cloud-stored information. 'Right to Rectitude' is not a recognized concept; the correct term is Right to Rectification. 'Right of Compliance' is not an individual right but refers to an obligation of organizations. 'Right to Anonymity' is not specifically described in GDPR, although data minimization and pseudonymization are covered.
Which type of information in a cloud database would qualify as Protected Health Information (PHI) under HIPAA regulations if it contains a patient's medical history linked to their full name?
Explanation: Identifiable medical records that include both health information and identifiers like a full name fall under PHI according to HIPAA. Anonymized vital statistics and de-identified appointment records, by definition, have had identifying data removed and so do not qualify as PHI. Aggregate usage statistics involve grouped, non-identifiable data and are also not PHI under HIPAA.
When a cloud provider undergoes SOC 2 examination, which of the following is considered one of the main Trust Services Criteria addressed?
Explanation: Confidentiality is one of the central Trust Services Criteria for SOC 2, focusing on the protection of information designated as confidential. Profitability, productivity, and marketability are unrelated to SOC 2 compliance and do not form part of its security and privacy principles. These distractors refer to business outcomes rather than compliance standards.
If a cloud storage provider detects a personal data breach affecting EU data subjects, what is the maximum time allowed by GDPR to notify the appropriate supervisory authority?
Explanation: GDPR mandates that organizations notify the supervisory authority within 72 hours after becoming aware of a breach affecting personal data. The 24-hour period is shorter than necessary and not specified by GDPR. Seven days and one month exceed the legally required timeframe and could result in non-compliance penalties.
Before uploading patient records to a cloud computing platform, what must a healthcare provider ensure is in place with the cloud vendor to comply with HIPAA?
Explanation: A Business Associate Agreement is required by HIPAA to ensure that vendors handling PHI implement appropriate safeguards. A Non-Disclosure Arrangement is useful for confidentiality but does not meet HIPAA's specific requirements. An End-User License Contract pertains to software usage rights, not data protection. A Memorandum of Insurance is unrelated to data privacy or security obligations.