Legal, Risk and Compliance

  1. Articulate Legal Requirements and Unique Risks within the Cloud Environment
    • Conflicting International Legislation
    • Evaluation of Legal Risks Specific to Cloud Computing
    • Legal Framework and Guidelines
    • eDiscovery (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050, Cloud Security Alliance (CSA) Guidance)
    • Forensics Requirements
  2. Understand Privacy Issues
    • Difference Between Contractual and Regulated Private Data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
    • Country-Specific Legislation Related to Private Data (e.g., Protected Health Information (PHI), Personally Identifiable Information (PII))
    • Jurisdictional Differences in Data Privacy
    • Standard Privacy Requirements (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27018, Generally Accepted Privacy Principles (GAPP), General Data Protection Regulation (GDPR))
  3. Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
    • Internal and External Audit Controls
    • Impact of Audit Requirements
    • Identify Assurance Challenges of Virtualization and Cloud
    • Types of Audit Reports (e.g., Statement on Standards for Attestation Engagements (SSAE), Service Organization Control (SOC), International Standard on Assurance Engagements (ISAE))
    • Restrictions of Audit Scope Statements (e.g., Statement on Standards for Attestation Engagements (SSAE), International Standard on Assurance Engagements (ISAE))
    • Gap Analysis
    • Audit Planning
    • Internal Information Security Management System (ISMS)
    • Internal Information Security Controls System
    • Policies (e.g., organizational, functional, cloud computing)
    • Identification and Involvement of Relevant Stakeholders
    • Specialized Compliance Requirements for Highly Regulated Industries (e.g., North American Electric Reliability Corporation/Critical Infrastructure Protection (NERC/CIP), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI))
    • Impact of Distributed Information Technology (IT) Model (e.g., diverse geographical locations and crossing over legal jurisdictions)
  4. Understand Implications of Cloud to Enterprise Risk Management
    • Assess Providers' Risk Management Programs (e.g., controls, methodologies, policies)
    • Difference Between Data Owner/Controller and Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility)
    • Regulatory Transparency Requirements (e.g., breach notification, Sarbanes-Oxley (SOX), General Data Protection Regulation (GDPR))
    • Risk Treatment (i.e., avoid, modify, share, retain)
    • Different Risk Frameworks
    • Metrics for Risk Management
    • Assessment of Risk Environment (e.g., service, vendor, infrastructure)
  5. Understand Outsourcing and Cloud Contract Design
    • Business Requirements (e.g., Service Level Agreement (SLA), Master Service Agreement (MSA), Statement of Work (SOW))
    • Vendor Management
    • Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data, cyber risk insurance)
    • Supply-Chain Management (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27036)