SlideShare a Scribd company logo

CCSP_Self_Domain_6.ppt

Download as PPT, PDF
Samir Jha, profile picture
Samir Jha

This document provides an overview of the CCSP exam, including the 6 domains covered, exam logistics, and key concepts in each domain. Domain 1 discusses cloud roles like cloud service providers, customers, and brokers. Domain 6 covers legal and compliance topics such as privacy laws, data protection regulations, and standards for eDiscovery, auditing, and nonrepudiation in cloud environments. Key frameworks referenced include GDPR, ISO 27001, FedRAMP, and privacy shield.

Data & Analytics
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
SANTOSH PODURI 1 CCSP Exam
Course Content Santosh Poduri 2 Exam Overview Domain 1 - Cloud Concepts, Architecture and Design Domain 2 - Cloud Data Security Domain 3 - Cloud Platform & Infrastructure Security Domain 4 - Cloud Application Security Domain 5 - Cloud Security Operations Domain 6 - Legal, Risk and Compliance
Santosh Poduri About the Exam Length of exam : 3 hours Number of questions : 125 Question format : Multiple choice Passing grade : 700 out of 1000 points Exam availability : English Testing center : Pearson VUE Testing Center CCSP Exam
Domain 1- Cloud Concepts Cloud Roles Cloud Service Porvider Cloud Consumer/Customer Cloud broker Cloud service partner 4
Santosh Poduri Domain 6- Legal & Complaince PII: Personal Identification Information , like name/email/IP address/address/ (NIST SP 800-122) - Direct identifiers are those data elements that immediately reveal a specific individual. - Indirect identifiers are the characteristics and traits of an individual that, when aggregated, could reveal the identity of that person. Each indirect identifier by itself is usually not sensitive, but if enough are collected they may provide sensitive information • The act of removing identifiers is known as anonymization; certain jurisdictions, laws, and standards require the anonymization of data, including both direct and indirect identifiers. Contratual PII & Regulated PII Type of laws: 1. Criminal Law (ex: data theft) against prohibited conduct & well being of public. Law enforcement is conducted by govt. Only . All privacy violations around the world fall under this law 2. Civial Law: (Data breach) : B/W 2 persons/organizations , involves only private entities and its known as law suite or letigation - Contracts: A general agremeent b/w parties to engage some specifict activity with a stipuldated time. Generally b/w CSP and cloud customer . Ex. SLAs/ PCI DSS contracts - Breach: Fail to perform the activity as per the agreement . 3. Adminstrative Law: Many federal agencises create/monitor/enforce their administrative law - State Law: Associated to particluar state in US - Federal Law: Law applied across US (whole country), they supersed states law. The restatement (second) conflict of laws is the basis for deciding which laws are most appropriate when there are conflicting laws in the different states. - Tort law: This is a body of rights, obligations, and remedies that sets out reliefs for persons suffering harm as a result of the wrongful acts of others. Tort actions are not dependent on an agreement between the parties
Santosh Poduri Domain 6- Legal & Complaince -Copyright & Piracy Law: Copyright infrignment can be performed for finanical & non-financial gain -Privacy Law: As right of an individual to determine when, how & what extent he/she will release personal information. -The doctrine of proper Law: when a conflict of laws occurs, it determines in which jusridiction the dispute will be heard, based on contractual language professing an express selection or a clear intention through a choice of law clause. - ECPA: Electronic Communication Privacy Act – Restrict Govt to do wire tapping & updating them in the form of data - GLBA(Graham-Leach Biley Act): Allow Banks to merge with own insurance to share customer information, kept in sceret & allow customer to opt out of sharing. Also known as financail services modernization act of 1999 - Sarbanes Oxley Act(SOX): Increase transperanyc into publicly traded companices financial activities including securing data & expresly names of traits of CIA(confidentialy,Integraty & Avaialbility) . Not a Privacy or IT security Law - Healthcare Insurance portability &accountabiiity Act(HIPAA)- Protect patient information known as ePHI(electronic patient health infromation). The office of OCR(Office of Civil Rights & Dept.of health & human services conducts audits, issues guidelines and established in 1996. With technology changes new regulation HITECH(Health, information technology for economy & clinical health) which provide financial incentives to convert paper data to digital format - Family Educational Rights &Privacy act (FEPRA)-Prevent academy institue to share student information except with parents upto age 18 - The Digital Millenium Copy Right Act(DMCA) –Update copyright provisions to protect owned data in an internet enabled workd.Enable copyright holders to require any site on internet to remove the content that may
Santosh Poduri Domain 6- Legal & Complaince Clarifying Lawful overseas use of data act(Cloud Act): Allows US law enforcements & courts to compel amrecian companies to disclose data stored in foreign data centers, designed mainly for cloud computing. FedRAMP – Isnt a Law, US federal program that mandates a standarised approach to security assessments, autohroiszation and continous monitoring of cloud products & services. Mandate to achieve for hosting any Govt agency/contractor. EU treats personal privacy protection for data in electronic form as a human right, in US no specified privacy law. EU works on Opt-In (need consent from individual to store PII) policy, US works in Opt-Out policy. GDPR (General Data Protection Regulations): Describes the approrpriate handling of personal & private information of all EU citizens, worlds powerful personal privacy law, any entity(govt. Agency,private company or individual), gathering PII of any citizen of EU is subject to GDPR. Principals comes from OECD(Organization fr Economic cooperations & development). It includes Choice, Purpose, Access, Integrity, Security & Enforcement. GDPR denies doing business with companies, where there is no national law that supports GDPR. Hence US brought Privacy Shield policy(Safe Harbor by dept. Of commerce) -, if organizations dont want to follow privacy shield, they must create itnernal policies called binding corporate rules & standard contractual clauses which complaince with GDPR: Roles in GDPR - Data Subject – Individual whom the PII refers -Data Controller: Entity collecting PII (generally cloud customer), ultimate responsible for PII - Data Processor: Entity acting on behalf of data controller, performing manipuation/storage or transmission of PII (CSP)
Santosh Poduri Austrailian Privacy Act 1988 – Compile with GDPR and EU citizens data can be stored PIPEDA (Canda Personal information Protection Electonic Documents Act) : Compile with GDPR Argentina’s Personal Data Protection Act: Replica of GDPR, hence many DCs are in this country dealing EU data EFTA & Switzerland . European Free Trade Association APEC (Asia Pacific Economic Coperations) Privay Framework: Not legally bidnding, voluntary complaince ISO 27001 – ISMS (Information Security Management System) •ISO/IEC (International Electrotechnical Commossion) 27001:2015 – Guideline regarding information security controls applicable to the provision and use of cloud services &cloud service customers - The ISMS is intended to provide a standardized international model for the development and implementation of policies, procedures, and standards that take into account stakeholder identifi cation and involvement in a top-down approach to addressing and managing risk in an organization Harmonization Law: Is the process of creating common standards across the internal market. Destinged to incorporate different legal systems under a basic faremwork. Ex: EU directives Domain 6- Legal & Complaince
Santosh Poduri - eDiscovery: Process of identifying and obtaining Electronic evidance. e-discovery can be carried out online and offline (for static systems or within particular network segments). For cloud almost it is online (SAAS/Host & 3rd party). IES 27050 standards - Need for e-Discovery Crime investigation Internal Policy violation Recovery from accidental damage Legal hold advisories/orders Complaince/law/regulations - ISO/IEC 27050: (2016/2017/2018) deals with ediscovery - Types: SAAS based /Hosted based (provider) & Data stored in the cloude (3rd party/specialized resources operating on behalf of the customer). - ISO/IEC 27037 offers guidance on ientifying potential data sources & acquiring the data from the sources Chain of Custody & Nonrepudation: Clear documentation of who accessed/how evidance stored/what time modified/purpose for analysis on evidance. The chain of custody provides nonrepudiation for the transactions detailed in the evidence. Nonrepudiation means that no party to a transaction can later claim that they did not Domain 6- Legal & Complaince
Santosh Poduri - Law : Laws are legal rules that are created by government entities such as legislatures. - Regulations are rules that are created by governmental agencies. Failure to properly follow laws and regulations can result in punitive procedures that can include fines and imprisonment. -Standards dictate a reasonable level of performance; standards can be created by an organization for its own purposes (internal) or come from industry bodies/trade groups (external). -Audit An audit is a review of an environment in order to determine if that environment is compliant with a standard, law, configuration, or other mandate. Stages. 1. Scope 2. Gap Analysis : The gap analysis is a review of the differences, in those areas where the organization is not yet compliant with the given standard/regulation. 3. The AICPA creates and promulgates the Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS), which auditors and accountants adhere to in practice. The current AICPA audit standard, SSAE 18, outlines three families of audit reports: SOC 1, SOC 2, and SOC 3 (Sevice Organization Control) - SOC1 : It is an audit engagement consisting solely of an examination of organizational financial reporting controls. The SOC 1 is instead designed to serve the needs of investors and regulators, the two sets of people interested in the financial well-being of the target. The SOC 1 does not serve an information security or IT security purpose. Domain 6- Legal & Complaince
Santosh Poduri - SOC2 :- SOC 2 reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy. - Prior to SOC 2, the standard for auditors was the Statement of Auditing Standards No. 70 (SAS 70) which was performed by certified public accountants. Introduced in the early 90s, the intent of the SAS 70 was to report on the effectiveness of different internal function controls. Replaced now with SSAE 18 standard. - In the 2010s, the AICPA introduced SOC 1 and SOC 2 reports to address the growing requirement of firms to prove and announce their state of security. - Type 1 : reports only reviews controls as designed, at a particular moment in time. That is, the audit examines the controls chosen by the target but not how those controls are implemented or how well those controls actually work.(design of the controls) - Type 2 : is a truly thorough review of the target’s controls, including how they have been implemented and their efficacy, over a period of time (usually several months- 12 months). (effectiveness of the controls). - -SOC 3 : is purely for public consumption and serves only as a seal of approval for public display, without sharing any specific information regarding audit activity, control effectiveness, findings, and so on. The major difference Domain 6- Legal & Complaince
Santosh Poduri Audit Scope: •Statement of purpose An overall summation and definition for the purpose of the audit. This serves as the basis for all aspects of the audit, as well as the audience and focus of the final reports. •Scope of audit This defines what systems, applications, services, or types of data are to be covered within the scope of the audit. It is an affirmative statement of inclusion, informing the auditors of the structure and configuration of the items to be audited, but it can also list any exclusions or scope limitations. Limitations can apply broadly to the entire audit or exclude certain types of data or queries. •Reasons and goals for audit There can be more than one reason for an audit, such as for management oversight internal to an organization, to assure stakeholders or users, and as a requirement for compliance with regulations or laws. •Requirements for the audit This defines how the audit is to be conducted, what tools or technologies are to be used, and to what extent they are to be used. Different tools and technologies will test systems and applications to different levels of impact or comprehensiveness, and it is vital to have an agreed-upon approach, as well as to prepare and monitor any systems and applications during testing. •Audit criteria for assessment This defines how the audit will measure and quantify results. It is vital for the organization and auditors to clearly understand what type and scale of rating system will be used. •Deliverables This defines what will be produced as a result of the audit. The main deliverable will of course be the actual report, but what format or structure the report is presented in needs to be defined. The organization may have specific format or file type requirements, or regulatory requirements may specify exact formats or data types for submission and processing. This area also includes what parties are to receive the audit report. •Classification of audit This defines the sensitivity level and any confidentiality requirements of the audit report and any information or documents used during the preparation or execution of the audit. This can be either organizationally confidential or officially classified by the government as Confidential, Secret, or Top Secret. Gap Analysis A gap analysis is a crucial step that is performed after all information has been gathered, tested, and verified through the auditing process. Domain 6- Legal & Complaince
Santosh Poduri Audit Planning:  Define objectives  Define scope  Conduct the audit  Lessons learned and analysis Internal Information Security Controls System (ISMS) The ISO/IEC 27001:2013 standard puts forth a series of domains that are established as a framework for assisting with a formal risk assessment program. These domains cover virtually all areas of IT operations and procedures, making ISO/IEC 27001:2013 one of the most widely used standards in the world. Here are the domains that comprise ISO/IEC 27001:2013: A.5 Management A.6 Organization A.7 Personnel A.8 Assets A.9 Access Control A.10 Cryptography A.11 Physical Security A.12 Operations Security A.13 Network Security A.14 Systems Security A.15 Supplier/Vendor Relationships A.16 Incident Management A.17 Business Continuity A.18 Compliance Domain 6- Legal & Complaince
Santosh Poduri Domain 6- Legal & Complaince - Policy :- • KRIs(Key Risk Indicators) : metrics used by an organization to inform management if there is impending negative impact to operations. KRIs are forward looking , where as KPIs are already occurred • Risk Appetite/Tolerance Risk tolerance and appetite are similar descriptors of how the organization views risk. Senior management dictates the amount of risk an organization is willing to take, generally based on the amount of perceived benefit related to the risk  Quantitative Assessments. Quantitative assessments are data driven, where hard values can be determined and used for comparison and calculative measure. The following measures and calculations form the basis of quantitative assessments:  SLE The single loss expectancy value. The SLE is defined as the difference between the original value of an asset and the remaining value of the asset after a single successful exploit. It is calculated by multiplying the asset value in dollars by what is called the exposure factor, which is the loss due to a successful exploit as a percentage.  ARO The annualized rate of occurrence value. The ARO is an estimated number of the times a threat will successfully exploit a given vulnerability over the course of a single year.  ALE The annualized loss expectancy value. The ALE is the value of the SLE multiplied by the ARO, so the ALE = SLE × ARO.
Santosh Poduri Responding to Risk There are four main categories for risk responses, as detailed next. Accept the Risk An organization may opt to simply accept the risk of a particular exploit and the threats posed against it. This occurs after a thorough risk assessment and the evaluation of the costs of mitigation. In an instance where the cost to mitigate outweighs the cost of accepting the risk and dealing with any possible consequences, an organization may opt to simply deal with an exploit when and if it occurs. In most instances, the decision to accept a risk will only be permitted for low-level risks, and never for moderate or high risks. Avoid the Risk An organization may opt to take measures to ensure that a risk is never realized, rather than accepting or mitigating it. This typically involves a decision to not utilize certain services or systems. While this obviously could lead to significant loss of revenue and customers, it allows an organization to avoid the risk altogether. This is typically not a solution that an organization will undertake, with the exception of very minor feature sets of systems or applications, where the disabling or removal will not pose a significant impediment to the users or operations. Transfer the Risk Risk transfer is the process of having another entity assume the risk from the organization. One thing to note, though, is that risk cannot always be transferred to another entity. A prime example of transfer is through insurance policies to cover the financial costs of successful risk exploits. Also, under some regulations, risk cannot be transferred, because the business owner bears final responsibility for any exploits resulting in the loss of privacy or confidentiality of data, especially personal data. Mitigate the Risk Risk mitigation is the strategy most commonly expected and understood. Through risk mitigation, an organization takes steps—sometimes involving the spending of money on new systems or technologies—to fix and prevent any exploits from happening. This can involve taking steps to totally eliminate a particular risk or taking steps to lower the likelihood of an exploit or the impact of a successful exploit. The decision to undertake risk mitigation will heavily depend on the calculated cost–benefit analysis from the assessments. NIST, ENISA, and ISO/IEC 31000:2018 are all specifically focused on systems, threats, and risks facing them directly and they are Risk Frameworks. Domain 6- Legal & Complaince

More Related Content

PPTX
Introduction to Val IT
Varuna Harshana
 
PPTX
Business Continuity Planning
Institute for Business Continuity Training
 
PPT
Contabilidad
Samuel Valero
 
PDF
Business continuity management www.reconglobal.in
Satya Yadav
 
PDF
Data Security Law and Management.pdf
MeshalALshammari12
 
PPT
10. law invest & ethics
7wounders
 
PPT
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
amiable_indian
 
PDF
1.1 Data Security Presentation.pdf
ChunLei(peter) Che
 
Introduction to Val IT
Varuna Harshana
 
Business Continuity Planning
Institute for Business Continuity Training
 
Contabilidad
Samuel Valero
 
Business continuity management www.reconglobal.in
Satya Yadav
 
Data Security Law and Management.pdf
MeshalALshammari12
 
10. law invest & ethics
7wounders
 
COMPUTER LAW, INVESTIGATION AND ETHICS DOMAIN
amiable_indian
 
1.1 Data Security Presentation.pdf
ChunLei(peter) Che
 

Similar to CCSP_Self_Domain_6.ppt (20)

PPTX
ch 19- computer security prenciples and practice
AbeerAlkhwaldi
 
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
PPTX
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
PPTX
Legal-Ethical-Professionalin-IS.pptx
Shruthi48
 
PDF
Cs8792 cns - unit i
ArthyR3
 
PPTX
Tim Willoughby - Presentation to Innovation Masters 2016
Tim Willoughby
 
PPTX
Lecture-45.pptxLecture-33 programming lacture notes.pptx
MUHAMMADAHMAD173574
 
PPTX
Legal, Ethical, and Professional Issues In Information Security
Carl Ceder
 
PPTX
02 Legal, Ethical, and Professional Issues in Information Security
sappingtonkr
 
PPTX
Law and Order in PK in a country is most important
AssadLeo1
 
PPTX
COI/ IT LAWS AND PRACTICES Module 1.pptx
RBeze58
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 2)
Sam Bowne
 
PPTX
Basic terms and scope of audit in cyber security
alphaa2test
 
PDF
Session 6.2 Prof Ian Walden
Commonwealth Telecommunications Organisation
 
PDF
CISSP Domain 1 - Security And Risk Management.pdf
hemant6552
 
PPT
Presentation on Law and Ethics in Information Security.ppt
Dawoodkhan980027
 
PPTX
Whitman_Ch03.pptx
Siphamandla9
 
PDF
Legal And Privacy Issues In Information Security Grama Joanna Lyn
zaedowjir
 
PPTX
Slides CapTechTalks Webinar April 2024 Ilia Kolochenko.pptx
CapitolTechU
 
PPTX
Privacy in India: Legal issues
Sagar Rahurkar
 
ch 19- computer security prenciples and practice
AbeerAlkhwaldi
 
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
Technology Law: Regulations on the Internet and Emerging Technologies
Infinity Software Solutions
 
Legal-Ethical-Professionalin-IS.pptx
Shruthi48
 
Cs8792 cns - unit i
ArthyR3
 
Tim Willoughby - Presentation to Innovation Masters 2016
Tim Willoughby
 
Lecture-45.pptxLecture-33 programming lacture notes.pptx
MUHAMMADAHMAD173574
 
Legal, Ethical, and Professional Issues In Information Security
Carl Ceder
 
02 Legal, Ethical, and Professional Issues in Information Security
sappingtonkr
 
Law and Order in PK in a country is most important
AssadLeo1
 
COI/ IT LAWS AND PRACTICES Module 1.pptx
RBeze58
 
CNIT 125: Ch 2. Security and Risk Management (Part 2)
Sam Bowne
 
Basic terms and scope of audit in cyber security
alphaa2test
 
Session 6.2 Prof Ian Walden
Commonwealth Telecommunications Organisation
 
CISSP Domain 1 - Security And Risk Management.pdf
hemant6552
 
Presentation on Law and Ethics in Information Security.ppt
Dawoodkhan980027
 
Whitman_Ch03.pptx
Siphamandla9
 
Legal And Privacy Issues In Information Security Grama Joanna Lyn
zaedowjir
 
Slides CapTechTalks Webinar April 2024 Ilia Kolochenko.pptx
CapitolTechU
 
Privacy in India: Legal issues
Sagar Rahurkar
 
Ad

Recently uploaded (20)

PDF
How to run a consulting project- client discovery
P&CO
 
PPTX
Managing Community Partner Relationships
alexmderr
 
PPTX
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
hildogavino28
 
PPTX
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
PPTX
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
 
PPTX
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
PDF
Business Analytics and business intelligence.pdf
khalidisah4750
 
PDF
REAL ILLUMINATI AGENT IN KAMPALA UGANDA CALL ON+256765750853/0705037305
Real illuminati agent from Uganda Kampala call 0782561496/0756664682
 
PDF
Introduction to Data Science and Data Analysis
Suraj Patil
 
PPTX
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
PDF
Lecture1 pattern recognition............
ZafriFarid
 
PDF
annual-report-2024-2025 original latest.
nityanema19
 
PPTX
Modelling in Business Intelligence , information system
anantyakhrisna1
 
PPTX
Topic 5 Presentation 5 Lesson 5 Corporate Fin
kevinluvr
 
PPTX
Acceptance and paychological effects of mandatory extra coach I classes.pptx
ZaheerAhmad228692
 
PPTX
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
fb7654821
 
PDF
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
PDF
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
PPTX
Leprosy and NLEP programme community medicine
Vinodhini Balamurugan
 
PDF
Microsoft Core Cloud Services powerpoint
KamelAbouSaleh1
 
How to run a consulting project- client discovery
P&CO
 
Managing Community Partner Relationships
alexmderr
 
CEE 2 REPORT G7.pptxbdbshjdgsgjgsjfiuhsd
hildogavino28
 
AI Strategy room jwfjksfksfjsjsjsjsjfsjfsj
ankitpratapsingh28
 
The THESIS FINAL-DEFENSE-PRESENTATION.pptx
hshakobe3
 
climate analysis of Dhaka ,Banglades.pptx
rrawjatun
 
Business Analytics and business intelligence.pdf
khalidisah4750
 
REAL ILLUMINATI AGENT IN KAMPALA UGANDA CALL ON+256765750853/0705037305
Real illuminati agent from Uganda Kampala call 0782561496/0756664682
 
Introduction to Data Science and Data Analysis
Suraj Patil
 
IBA_Chapter_11_Slides_Final_Accessible.pptx
SrikantKapoor1
 
Lecture1 pattern recognition............
ZafriFarid
 
annual-report-2024-2025 original latest.
nityanema19
 
Modelling in Business Intelligence , information system
anantyakhrisna1
 
Topic 5 Presentation 5 Lesson 5 Corporate Fin
kevinluvr
 
Acceptance and paychological effects of mandatory extra coach I classes.pptx
ZaheerAhmad228692
 
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
fb7654821
 
"Python Programming for Geospatial Data Science." ...
institute of Geoinformatics and Earth Observation at PMAS ARID Agriculture University of Rawalpindi
 
Galatica Smart Energy Infrastructure Startup Pitch Deck
Shahzaib Ajmal
 
Leprosy and NLEP programme community medicine
Vinodhini Balamurugan
 
Microsoft Core Cloud Services powerpoint
KamelAbouSaleh1
 
Ad

CCSP_Self_Domain_6.ppt

  • 2. Course Content Santosh Poduri 2 Exam Overview Domain 1 - Cloud Concepts, Architecture and Design Domain 2 - Cloud Data Security Domain 3 - Cloud Platform & Infrastructure Security Domain 4 - Cloud Application Security Domain 5 - Cloud Security Operations Domain 6 - Legal, Risk and Compliance
  • 3. Santosh Poduri About the Exam Length of exam : 3 hours Number of questions : 125 Question format : Multiple choice Passing grade : 700 out of 1000 points Exam availability : English Testing center : Pearson VUE Testing Center CCSP Exam
  • 4. Domain 1- Cloud Concepts Cloud Roles Cloud Service Porvider Cloud Consumer/Customer Cloud broker Cloud service partner 4
  • 5. Santosh Poduri Domain 6- Legal & Complaince PII: Personal Identification Information , like name/email/IP address/address/ (NIST SP 800-122) - Direct identifiers are those data elements that immediately reveal a specific individual. - Indirect identifiers are the characteristics and traits of an individual that, when aggregated, could reveal the identity of that person. Each indirect identifier by itself is usually not sensitive, but if enough are collected they may provide sensitive information • The act of removing identifiers is known as anonymization; certain jurisdictions, laws, and standards require the anonymization of data, including both direct and indirect identifiers. Contratual PII & Regulated PII Type of laws: 1. Criminal Law (ex: data theft) against prohibited conduct & well being of public. Law enforcement is conducted by govt. Only . All privacy violations around the world fall under this law 2. Civial Law: (Data breach) : B/W 2 persons/organizations , involves only private entities and its known as law suite or letigation - Contracts: A general agremeent b/w parties to engage some specifict activity with a stipuldated time. Generally b/w CSP and cloud customer . Ex. SLAs/ PCI DSS contracts - Breach: Fail to perform the activity as per the agreement . 3. Adminstrative Law: Many federal agencises create/monitor/enforce their administrative law - State Law: Associated to particluar state in US - Federal Law: Law applied across US (whole country), they supersed states law. The restatement (second) conflict of laws is the basis for deciding which laws are most appropriate when there are conflicting laws in the different states. - Tort law: This is a body of rights, obligations, and remedies that sets out reliefs for persons suffering harm as a result of the wrongful acts of others. Tort actions are not dependent on an agreement between the parties
  • 6. Santosh Poduri Domain 6- Legal & Complaince -Copyright & Piracy Law: Copyright infrignment can be performed for finanical & non-financial gain -Privacy Law: As right of an individual to determine when, how & what extent he/she will release personal information. -The doctrine of proper Law: when a conflict of laws occurs, it determines in which jusridiction the dispute will be heard, based on contractual language professing an express selection or a clear intention through a choice of law clause. - ECPA: Electronic Communication Privacy Act – Restrict Govt to do wire tapping & updating them in the form of data - GLBA(Graham-Leach Biley Act): Allow Banks to merge with own insurance to share customer information, kept in sceret & allow customer to opt out of sharing. Also known as financail services modernization act of 1999 - Sarbanes Oxley Act(SOX): Increase transperanyc into publicly traded companices financial activities including securing data & expresly names of traits of CIA(confidentialy,Integraty & Avaialbility) . Not a Privacy or IT security Law - Healthcare Insurance portability &accountabiiity Act(HIPAA)- Protect patient information known as ePHI(electronic patient health infromation). The office of OCR(Office of Civil Rights & Dept.of health & human services conducts audits, issues guidelines and established in 1996. With technology changes new regulation HITECH(Health, information technology for economy & clinical health) which provide financial incentives to convert paper data to digital format - Family Educational Rights &Privacy act (FEPRA)-Prevent academy institue to share student information except with parents upto age 18 - The Digital Millenium Copy Right Act(DMCA) –Update copyright provisions to protect owned data in an internet enabled workd.Enable copyright holders to require any site on internet to remove the content that may
  • 7. Santosh Poduri Domain 6- Legal & Complaince Clarifying Lawful overseas use of data act(Cloud Act): Allows US law enforcements & courts to compel amrecian companies to disclose data stored in foreign data centers, designed mainly for cloud computing. FedRAMP – Isnt a Law, US federal program that mandates a standarised approach to security assessments, autohroiszation and continous monitoring of cloud products & services. Mandate to achieve for hosting any Govt agency/contractor. EU treats personal privacy protection for data in electronic form as a human right, in US no specified privacy law. EU works on Opt-In (need consent from individual to store PII) policy, US works in Opt-Out policy. GDPR (General Data Protection Regulations): Describes the approrpriate handling of personal & private information of all EU citizens, worlds powerful personal privacy law, any entity(govt. Agency,private company or individual), gathering PII of any citizen of EU is subject to GDPR. Principals comes from OECD(Organization fr Economic cooperations & development). It includes Choice, Purpose, Access, Integrity, Security & Enforcement. GDPR denies doing business with companies, where there is no national law that supports GDPR. Hence US brought Privacy Shield policy(Safe Harbor by dept. Of commerce) -, if organizations dont want to follow privacy shield, they must create itnernal policies called binding corporate rules & standard contractual clauses which complaince with GDPR: Roles in GDPR - Data Subject – Individual whom the PII refers -Data Controller: Entity collecting PII (generally cloud customer), ultimate responsible for PII - Data Processor: Entity acting on behalf of data controller, performing manipuation/storage or transmission of PII (CSP)
  • 8. Santosh Poduri Austrailian Privacy Act 1988 – Compile with GDPR and EU citizens data can be stored PIPEDA (Canda Personal information Protection Electonic Documents Act) : Compile with GDPR Argentina’s Personal Data Protection Act: Replica of GDPR, hence many DCs are in this country dealing EU data EFTA & Switzerland . European Free Trade Association APEC (Asia Pacific Economic Coperations) Privay Framework: Not legally bidnding, voluntary complaince ISO 27001 – ISMS (Information Security Management System) •ISO/IEC (International Electrotechnical Commossion) 27001:2015 – Guideline regarding information security controls applicable to the provision and use of cloud services &cloud service customers - The ISMS is intended to provide a standardized international model for the development and implementation of policies, procedures, and standards that take into account stakeholder identifi cation and involvement in a top-down approach to addressing and managing risk in an organization Harmonization Law: Is the process of creating common standards across the internal market. Destinged to incorporate different legal systems under a basic faremwork. Ex: EU directives Domain 6- Legal & Complaince
  • 9. Santosh Poduri - eDiscovery: Process of identifying and obtaining Electronic evidance. e-discovery can be carried out online and offline (for static systems or within particular network segments). For cloud almost it is online (SAAS/Host & 3rd party). IES 27050 standards - Need for e-Discovery Crime investigation Internal Policy violation Recovery from accidental damage Legal hold advisories/orders Complaince/law/regulations - ISO/IEC 27050: (2016/2017/2018) deals with ediscovery - Types: SAAS based /Hosted based (provider) & Data stored in the cloude (3rd party/specialized resources operating on behalf of the customer). - ISO/IEC 27037 offers guidance on ientifying potential data sources & acquiring the data from the sources Chain of Custody & Nonrepudation: Clear documentation of who accessed/how evidance stored/what time modified/purpose for analysis on evidance. The chain of custody provides nonrepudiation for the transactions detailed in the evidence. Nonrepudiation means that no party to a transaction can later claim that they did not Domain 6- Legal & Complaince
  • 10. Santosh Poduri - Law : Laws are legal rules that are created by government entities such as legislatures. - Regulations are rules that are created by governmental agencies. Failure to properly follow laws and regulations can result in punitive procedures that can include fines and imprisonment. -Standards dictate a reasonable level of performance; standards can be created by an organization for its own purposes (internal) or come from industry bodies/trade groups (external). -Audit An audit is a review of an environment in order to determine if that environment is compliant with a standard, law, configuration, or other mandate. Stages. 1. Scope 2. Gap Analysis : The gap analysis is a review of the differences, in those areas where the organization is not yet compliant with the given standard/regulation. 3. The AICPA creates and promulgates the Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS), which auditors and accountants adhere to in practice. The current AICPA audit standard, SSAE 18, outlines three families of audit reports: SOC 1, SOC 2, and SOC 3 (Sevice Organization Control) - SOC1 : It is an audit engagement consisting solely of an examination of organizational financial reporting controls. The SOC 1 is instead designed to serve the needs of investors and regulators, the two sets of people interested in the financial well-being of the target. The SOC 1 does not serve an information security or IT security purpose. Domain 6- Legal & Complaince
  • 11. Santosh Poduri - SOC2 :- SOC 2 reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy. - Prior to SOC 2, the standard for auditors was the Statement of Auditing Standards No. 70 (SAS 70) which was performed by certified public accountants. Introduced in the early 90s, the intent of the SAS 70 was to report on the effectiveness of different internal function controls. Replaced now with SSAE 18 standard. - In the 2010s, the AICPA introduced SOC 1 and SOC 2 reports to address the growing requirement of firms to prove and announce their state of security. - Type 1 : reports only reviews controls as designed, at a particular moment in time. That is, the audit examines the controls chosen by the target but not how those controls are implemented or how well those controls actually work.(design of the controls) - Type 2 : is a truly thorough review of the target’s controls, including how they have been implemented and their efficacy, over a period of time (usually several months- 12 months). (effectiveness of the controls). - -SOC 3 : is purely for public consumption and serves only as a seal of approval for public display, without sharing any specific information regarding audit activity, control effectiveness, findings, and so on. The major difference Domain 6- Legal & Complaince
  • 12. Santosh Poduri Audit Scope: •Statement of purpose An overall summation and definition for the purpose of the audit. This serves as the basis for all aspects of the audit, as well as the audience and focus of the final reports. •Scope of audit This defines what systems, applications, services, or types of data are to be covered within the scope of the audit. It is an affirmative statement of inclusion, informing the auditors of the structure and configuration of the items to be audited, but it can also list any exclusions or scope limitations. Limitations can apply broadly to the entire audit or exclude certain types of data or queries. •Reasons and goals for audit There can be more than one reason for an audit, such as for management oversight internal to an organization, to assure stakeholders or users, and as a requirement for compliance with regulations or laws. •Requirements for the audit This defines how the audit is to be conducted, what tools or technologies are to be used, and to what extent they are to be used. Different tools and technologies will test systems and applications to different levels of impact or comprehensiveness, and it is vital to have an agreed-upon approach, as well as to prepare and monitor any systems and applications during testing. •Audit criteria for assessment This defines how the audit will measure and quantify results. It is vital for the organization and auditors to clearly understand what type and scale of rating system will be used. •Deliverables This defines what will be produced as a result of the audit. The main deliverable will of course be the actual report, but what format or structure the report is presented in needs to be defined. The organization may have specific format or file type requirements, or regulatory requirements may specify exact formats or data types for submission and processing. This area also includes what parties are to receive the audit report. •Classification of audit This defines the sensitivity level and any confidentiality requirements of the audit report and any information or documents used during the preparation or execution of the audit. This can be either organizationally confidential or officially classified by the government as Confidential, Secret, or Top Secret. Gap Analysis A gap analysis is a crucial step that is performed after all information has been gathered, tested, and verified through the auditing process. Domain 6- Legal & Complaince
  • 13. Santosh Poduri Audit Planning:  Define objectives  Define scope  Conduct the audit  Lessons learned and analysis Internal Information Security Controls System (ISMS) The ISO/IEC 27001:2013 standard puts forth a series of domains that are established as a framework for assisting with a formal risk assessment program. These domains cover virtually all areas of IT operations and procedures, making ISO/IEC 27001:2013 one of the most widely used standards in the world. Here are the domains that comprise ISO/IEC 27001:2013: A.5 Management A.6 Organization A.7 Personnel A.8 Assets A.9 Access Control A.10 Cryptography A.11 Physical Security A.12 Operations Security A.13 Network Security A.14 Systems Security A.15 Supplier/Vendor Relationships A.16 Incident Management A.17 Business Continuity A.18 Compliance Domain 6- Legal & Complaince
  • 14. Santosh Poduri Domain 6- Legal & Complaince - Policy :- • KRIs(Key Risk Indicators) : metrics used by an organization to inform management if there is impending negative impact to operations. KRIs are forward looking , where as KPIs are already occurred • Risk Appetite/Tolerance Risk tolerance and appetite are similar descriptors of how the organization views risk. Senior management dictates the amount of risk an organization is willing to take, generally based on the amount of perceived benefit related to the risk  Quantitative Assessments. Quantitative assessments are data driven, where hard values can be determined and used for comparison and calculative measure. The following measures and calculations form the basis of quantitative assessments:  SLE The single loss expectancy value. The SLE is defined as the difference between the original value of an asset and the remaining value of the asset after a single successful exploit. It is calculated by multiplying the asset value in dollars by what is called the exposure factor, which is the loss due to a successful exploit as a percentage.  ARO The annualized rate of occurrence value. The ARO is an estimated number of the times a threat will successfully exploit a given vulnerability over the course of a single year.  ALE The annualized loss expectancy value. The ALE is the value of the SLE multiplied by the ARO, so the ALE = SLE × ARO.
  • 15. Santosh Poduri Responding to Risk There are four main categories for risk responses, as detailed next. Accept the Risk An organization may opt to simply accept the risk of a particular exploit and the threats posed against it. This occurs after a thorough risk assessment and the evaluation of the costs of mitigation. In an instance where the cost to mitigate outweighs the cost of accepting the risk and dealing with any possible consequences, an organization may opt to simply deal with an exploit when and if it occurs. In most instances, the decision to accept a risk will only be permitted for low-level risks, and never for moderate or high risks. Avoid the Risk An organization may opt to take measures to ensure that a risk is never realized, rather than accepting or mitigating it. This typically involves a decision to not utilize certain services or systems. While this obviously could lead to significant loss of revenue and customers, it allows an organization to avoid the risk altogether. This is typically not a solution that an organization will undertake, with the exception of very minor feature sets of systems or applications, where the disabling or removal will not pose a significant impediment to the users or operations. Transfer the Risk Risk transfer is the process of having another entity assume the risk from the organization. One thing to note, though, is that risk cannot always be transferred to another entity. A prime example of transfer is through insurance policies to cover the financial costs of successful risk exploits. Also, under some regulations, risk cannot be transferred, because the business owner bears final responsibility for any exploits resulting in the loss of privacy or confidentiality of data, especially personal data. Mitigate the Risk Risk mitigation is the strategy most commonly expected and understood. Through risk mitigation, an organization takes steps—sometimes involving the spending of money on new systems or technologies—to fix and prevent any exploits from happening. This can involve taking steps to totally eliminate a particular risk or taking steps to lower the likelihood of an exploit or the impact of a successful exploit. The decision to undertake risk mitigation will heavily depend on the calculated cost–benefit analysis from the assessments. NIST, ENISA, and ISO/IEC 31000:2018 are all specifically focused on systems, threats, and risks facing them directly and they are Risk Frameworks. Domain 6- Legal & Complaince

Editor's Notes

  • #7: GLBA has 3 components : 1. Financial Privacy Rule : overall collection&disclosure of finanancial information of customers & users. 2. Pretexting Provision: access/try to access PII on false representation 3. SafeGaurds Rule: Adequate security controls to protect privacy & PII