Domain 6 – Section C Review: Contracts & Vendors
Section C tested whether you can treat cloud vendor relationships as ongoing risk management rather than a one-time procurement decision. Contracts, vendor oversight, and supply chain awareness are the final pieces of the compliance puzzle.
These questions combine contract analysis, vendor management, and supply chain security. Focus on risk management, accountability, and continuous oversight.
Scenario questions (10)
Question 1
A cloud contract limits the provider's liability for a data breach to 12 months of service fees. The customer stores data with potential regulatory fines exceeding $10 million.
What risk does this liability cap create?
A. The customer bears the financial risk of any breach impact exceeding the capped liability amount
B. The liability cap makes the provider less likely to experience a breach
C. The provider may raise their fees
D. The customer's insurance automatically covers the gap
Answer & reasoning
Correct: A
When the liability cap is far below potential breach costs, the customer bears the uncovered financial risk. A higher cap for data breaches, regulatory fines, and indemnification has to be negotiated before signing; cyber insurance only closes the gap if a policy is actually in place and written to cover it.
Question 2
An organization's cloud provider notifies them of a subcontractor change. The new subcontractor processes customer data in a jurisdiction the customer has not assessed.
What is the FIRST action?
A. Immediately migrate to a different cloud provider
B. Accept the change since the primary provider manages subcontractor security
C. File a complaint with the provider's account manager
D. Assess whether the new subcontractor and jurisdiction meet regulatory and security requirements
Answer & reasoning
Correct: D
Subcontractor changes can introduce jurisdictional (data residency, cross-border transfer) and security risks. The customer must assess the compliance implications before the new subcontractor processes any data; the contract should require advance notice of subcontractor changes and give the customer a right to object.
Question 3
A company evaluates a new cloud provider. The provider has no SOC 2 report, no ISO certification, and declines to discuss their security architecture.
What is the MOST appropriate decision?
A. Require verifiable security evidence before contracting, or select a provider with demonstrated security posture
B. Proceed if the pricing is competitive
C. Request a self-assessment questionnaire
D. Accept the risk since all cloud providers have adequate security
Answer & reasoning
Correct: A
Due diligence requires verifiable, independent security evidence such as a SOC 2 Type II report, an ISO 27001 certificate, or an architecture review under NDA. A self-assessment questionnaire (C) is not independent evidence; without it, the provider cannot be adequately evaluated.
Question 4
A cloud contract is terminating. The customer requests data return. The provider can only export data in a proprietary format incompatible with other platforms.
What contractual provision would have prevented this?
A. A data portability clause requiring data return in standard, interoperable formats
B. A more detailed SLA for the export process
C. A longer contract term
D. A requirement for indefinite account maintenance
Answer & reasoning
Correct: A
Data portability clauses require providers to return data in standard, documented formats usable by other systems. The clause should also fix the export timeline and a retention window during which data remains retrievable before the provider deletes it.
Question 5
An organization uses a single cloud provider for all critical business functions. A 24-hour provider outage halts all business operations.
What risk management principle was neglected?
A. The provider should have communicated sooner
B. The organization needed a larger IT budget
C. Concentration risk assessment and mitigation through diversification
D. The SLA should have guaranteed zero downtime
Answer & reasoning
Correct: C
Concentration risk from single-provider dependency creates a catastrophic single point of failure. An SLA (D) compensates for downtime but does not prevent it; the mitigation is diversification of critical functions across regions or providers plus a tested business continuity plan.
Question 6
A development team uses unverified container images from a public registry in their cloud production environment.
What supply chain risk does this introduce?
A. Licensing conflicts
B. Inefficient container performance
C. Slower download speeds
D. The images may contain malicious code, backdoors, or known vulnerabilities that were never detected
Answer & reasoning
Correct: D
Unverified container images from public registries introduce software supply chain risk: anyone can publish an image, and tags are mutable, so the image behind a tag can change after it was reviewed. Scanning images for known vulnerabilities, pulling only from trusted registries, and pinning images by digest or verified signature mitigate this.
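The following is an added example, not code from the original review, showing how the "trusted registries plus pinned images" mitigation can be enforced in a CI gate: it parses the image references in a Kubernetes-style manifest, applies the same defaults Docker does (no registry means docker.io, a bare name means library/name), and flags images from registries outside an allowlist or not pinned by digest. The registry allowlist, the manifest, and the digest value are all constructed for illustration.

```python
"""Policy check for container image references in a deployment manifest.
Added example; not code from the original review page. The allowlist,
the sample manifest and the digest below are constructed (assumptions)."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: only these registries are trusted by the organization.
TRUSTED_REGISTRIES = {
    "registry.internal.example",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com",
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an OCI/Docker image reference into registry, repository, tag
    and digest, using Docker's defaults: a first path component is only a
    registry if it looks like a host (contains '.' or ':' or is 'localhost');
    otherwise the registry is docker.io and a bare name gets 'library/'."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
    # A ':' after the last '/' separates the tag (a registry port sits in
    # the registry component, which has already been stripped off).
    tag = None
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str) -> list:
    """Return the list of policy violations for one image reference.
    An empty list means the image is from a trusted registry and pinned."""
    img = parse_image_ref(ref)
    findings = []
    if img.registry not in TRUSTED_REGISTRIES:
        findings.append(f"untrusted registry {img.registry}")
    if img.digest is None:
        # A tag is mutable: the image behind it can be re-pushed after review.
        findings.append("not pinned by digest")
        if img.tag in (None, "latest"):
            findings.append("floating 'latest' tag")
    elif not DIGEST_RE.match(img.digest):
        findings.append(f"malformed digest {img.digest}")
    return findings


def check_manifest(manifest: str) -> dict:
    """Scan every 'image:' line of a Kubernetes-style manifest and map each
    image reference to its findings."""
    results = {}
    for line in manifest.splitlines():
        m = re.match(r"\s*-?\s*image:\s*['\"]?([^'\"\s]+)", line)
        if m:
            results[m.group(1)] = check_image(m.group(1))
    return results


# Constructed digest and manifest, not taken from any real image.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_MANIFEST = f"""\
containers:
  - name: web
    image: nginx
  - name: api
    image: registry.internal.example/platform/api:1.4.2
  - name: worker
    image: registry.internal.example/platform/worker@{FAKE_DIGEST}
  - name: cache
    image: docker.io/library/redis:7@{FAKE_DIGEST}
"""

if __name__ == "__main__":
    for image, findings in check_manifest(SAMPLE_MANIFEST).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{image}: {status}")
```

In the sample, only the digest-pinned internal worker image passes; the bare `nginx` reference resolves to docker.io/library/nginx with an implicit `latest` tag and collects all three findings. Digest pinning alone does not prove the image was scanned or signed, so in practice this gate sits in front of a scanner and a signature verifier rather than replacing them.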
Question 7
An organization evaluated its cloud provider during initial selection but has not reassessed it in the three years since.
What vendor management failure exists?
A. The initial evaluation was too thorough
B. The initial SOC 2 report is still valid
C. Vendor risk assessment must be ongoing — security, financial health, and compliance can change significantly
D. Three years is acceptable for cloud providers
Answer & reasoning
Correct: C
Vendor management is a continuous lifecycle: reassess at least annually and on trigger events such as a breach, a material contract or subcontractor change, or a new audit report. A three-year gap means any such changes have gone unmonitored.
Question 8
A cloud provider's standard terms of service state they can use customer data for service improvement and analytics. The customer processes regulated healthcare data.
What is the PRIMARY concern?
A. The analytics may reveal competitive intelligence
B. Using regulated healthcare data for purposes beyond service delivery may violate data protection regulations
C. Service improvement will slow the application
D. The provider may share analytics with other customers
Answer & reasoning
Correct: B
Purpose limitation requires that personal data be used only for the purpose for which it was collected. Using healthcare data for provider analytics may violate HIPAA (business associate obligations) and GDPR; the business associate agreement or data processing agreement should restrict the provider to processing on the customer's documented instructions.
Question 9
A cloud customer wants to verify that their data is completely deleted after contract termination, including from backups.
What contractual provision addresses this?
A. An SLA for data availability
B. A standard termination clause
C. A non-disclosure agreement
D. A data destruction verification clause requiring certified complete deletion across all systems
Answer & reasoning
Correct: D
Data destruction verification clauses require the provider to certify in writing that all customer data has been purged from all systems, including backups, and to state when backup rotation completes that deletion.
Question 10
An organization's third-party risk management program classifies all vendors into the same risk tier regardless of data sensitivity or service criticality.
What is the PRIMARY weakness?
A. Risk tiering is unnecessary for cloud providers
B. The organization has too many vendors
C. All vendors should be classified as high risk
D. Flat risk tiering means high-risk vendors receive the same oversight as low-risk vendors, creating monitoring gaps
Answer & reasoning
Correct: D
Risk tiering ensures oversight is proportional to risk. A provider hosting critical data requires more rigorous assessment than a low-risk vendor.
Section C master pattern
When answering Domain 6 Section C questions, ask yourself:
- Was this risk identified during due diligence or after signing?
- Is vendor oversight ongoing or one-time?
- Does the contract protect the customer or just the provider?
- Is the supply chain visible and verified?
- Can the customer exit the relationship with their data intact?
If you plan before signing, monitor continuously, and protect your exit, you will answer correctly.