Effective CISSP Questions

Your company is a well-known cloud services provider. A cloud storage solution is sold to consumers as SaaS. As a security professional, you identified the risk that individuals might store copyrighted materials on the cloud storage and violate intellectual property laws. Which of the following is the most appropriate risk mitigation strategy?
A. Remove copyrighted materials immediately if the risk has materialized.
B. Capture the copyrighted materials as evidence to present to the court.
C. Leave copyrighted materials intact as those who uploaded them are responsible.
D. Conduct digital forensics and preserve the evidence chain of custody.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Remove copyrighted materials immediately if the risk has materialized.


I’m not a lawyer, and I shared my perspective for discussion purposes; please do read my disclaimer first.

Disclaimer: No information contained in this web site should be considered as legal advice or other professional advice. Your reliance upon information and content obtained by you at or through this web site is solely at your own risk. The author assumes no liability or responsibility for damage or injury to you, other persons, or property arising from any use of any product, information, idea, or instruction contained in the content or services provided to you through this web site.

Infringement of copyright is one of the compliance or legal risks that cloud services providers may suffer. Because the applicability of laws and regulations varies from country to country, this question, to be complete, should explicitly state that the cloud services provider is US-based.


When cloud services users store unlicensed copyrighted materials on the cloud storage and the copyright owner has issued a “takedown notice” to the service provider, the risk has materialized; actions should be taken to mitigate the consequences. If a service provider fails to do so, it may lose its exemption (safe harbor protection) and be subject to an infringement suit. To be exempted, a service provider shall meet requirements including, but not limited to, the following:

  • Designate an agent to receive Notifications of Claimed Infringement.
  • Respond expeditiously, upon receipt of a compliant takedown notice, to remove, or disable access to, the material that is claimed to be infringing or to be the subject of the infringing activity.


In addition to the storage service, users’ transmission or “transitory activities” may cause the problem. The DMCA (Digital Millennium Copyright Act, 1998) also limits the liability of Internet service providers when their circuits are used by criminals violating the copyright law. To qualify for this exemption, the service provider must meet the following requirements:

  1. the transmission of the material was initiated by or at the direction of a person other than the service provider;
  2. the transmission, routing, provision of connections, or storage is carried out through an automatic technical process without selection of the material by the service provider;
  3. the service provider does not select the recipients of the material except as an automatic response to the request of another person;
  4. no copy of the material made by the service provider in the course of such intermediate or transient storage is maintained on the system or network in a manner ordinarily accessible to anyone other than anticipated recipients, and no such copy is maintained on the system or network in a manner ordinarily accessible to such anticipated recipients for a longer period than is reasonably necessary for the transmission, routing, or provision of connections; and
  5. the material is transmitted through the system or network without modification of its content.

Source: DMCA, 1998




