CCSP Exam
Course Content
Santosh Poduri
Exam Overview
Domain 1 - Cloud Concepts, Architecture and Design
Domain 2 - Cloud Data Security
Domain 3 - Cloud Platform & Infrastructure Security
Domain 4 - Cloud Application Security
Domain 5 - Cloud Security Operations
Domain 6 - Legal, Risk and Compliance
About the Exam
Length of exam: 3 hours
Number of questions: 125
Question format: Multiple choice
Passing grade: 700 out of 1000 points
Exam availability: English
Testing center: Pearson VUE Testing Center
Domain 1 - Cloud Concepts
Cloud Roles
Cloud Service Provider
Cloud Consumer/Customer
Cloud broker
Cloud service partner
Domain 6 - Legal & Compliance
PII: Personally Identifiable Information, e.g. name, email, IP address, postal address (NIST SP 800-122)
- Direct identifiers are data elements that immediately reveal a specific individual.
- Indirect identifiers are the characteristics and traits of an individual that, when aggregated, could reveal the identity of that person. Each indirect identifier by itself is usually not sensitive, but if enough are collected they may provide sensitive information.
• The act of removing identifiers is known as anonymization; certain jurisdictions, laws, and standards require the anonymization of data, including both direct and indirect identifiers. PII is also categorized as contractual PII or regulated PII.
Types of law:
1. Criminal law (e.g. data theft): concerns prohibited conduct and the well-being of the public. Enforcement is conducted by the government only. All privacy violations around the world fall under this law.
2. Civil law (e.g. a data breach): between two persons or organizations; involves only private entities and is known as a lawsuit or litigation.
- Contracts: a general agreement between parties to engage in some specific activity within a stipulated time. Generally between the CSP and the cloud customer. Ex.: SLAs, PCI DSS contracts.
- Breach: failure to perform the activity as per the agreement.
3. Administrative law: many federal agencies create, monitor, and enforce their own administrative law.
- State law: associated with a particular state in the US.
- Federal law: law applied across the US (the whole country); federal laws supersede state laws. The Restatement (Second) of Conflict of Laws is the basis for deciding which laws are most appropriate when there are conflicting laws in different states.
- Tort law: a body of rights, obligations, and remedies that sets out relief for persons suffering harm as a result of the wrongful acts of others. Tort actions are not dependent on an agreement between the parties.
- Copyright & piracy law: copyright infringement can be performed for financial or non-financial gain.
- Privacy law: the right of an individual to determine when, how, and to what extent he/she will release personal information.
- The doctrine of proper law: when a conflict of laws occurs, it determines in which jurisdiction the dispute will be heard, based on contractual language professing an express selection or a clear intention through a choice-of-law clause.
- ECPA (Electronic Communications Privacy Act): restricts government wiretapping and extends those restrictions to communications held in the form of data.
- GLBA (Gramm-Leach-Bliley Act): allows banks to merge with their own insurance businesses and share customer information, which must be kept secret, and allows customers to opt out of sharing. Also known as the Financial Services Modernization Act of 1999.
- Sarbanes-Oxley Act (SOX): increases transparency into publicly traded companies' financial activities, including securing data, and expressly names the traits of CIA (confidentiality, integrity & availability). Not a privacy or IT security law.
- Health Insurance Portability & Accountability Act (HIPAA): protects patient information known as ePHI (electronic protected health information). The OCR (Office for Civil Rights) of the Dept. of Health & Human Services conducts audits and issues guidelines; HIPAA was established in 1996. With changes in technology, the newer regulation HITECH (Health Information Technology for Economic and Clinical Health) provides financial incentives to convert paper records to digital format.
- Family Educational Rights & Privacy Act (FERPA): prevents academic institutions from sharing student information except with parents, up to age 18.
- The Digital Millennium Copyright Act (DMCA): updates copyright provisions to protect owned data in an internet-enabled world. Enables copyright holders to require any site on the internet to remove content that may
Clarifying Lawful Overseas Use of Data Act (CLOUD Act): allows US law enforcement and courts to compel American companies to disclose data stored in foreign data centers; designed mainly for cloud computing.
FedRAMP: not a law. A US federal program that mandates a standardized approach to security assessments, authorization, and continuous monitoring of cloud products & services. Mandatory to achieve for hosting any government agency or contractor.
The EU treats personal privacy protection for data in electronic form as a human right; the US has no specified privacy law. The EU works on an opt-in policy (consent is needed from the individual to store PII); the US works on an opt-out policy.
GDPR (General Data Protection Regulation): describes the appropriate handling of personal & private information of all EU citizens; the world's most powerful personal privacy law. Any entity (government agency, private company, or individual) gathering PII of any EU citizen is subject to GDPR. Its principles come from the OECD (Organisation for Economic Co-operation and Development) and include Choice, Purpose, Access, Integrity, Security & Enforcement. GDPR denies doing business with companies in countries where there is no national law that supports GDPR. Hence the US brought in the Privacy Shield policy (Safe Harbor, by the Dept. of Commerce); if organizations don't want to follow Privacy Shield, they must create internal policies called binding corporate rules and standard contractual clauses that comply with GDPR.
Roles in GDPR
- Data subject: the individual to whom the PII refers.
- Data controller: the entity collecting PII (generally the cloud customer); ultimately responsible for the PII.
- Data processor: the entity acting on behalf of the data controller, performing manipulation, storage, or transmission of the PII (the CSP).
Australian Privacy Act 1988: complies with GDPR, so EU citizens' data can be stored there.
PIPEDA (Canada's Personal Information Protection and Electronic Documents Act): complies with GDPR.
Argentina's Personal Data Protection Act: a replica of GDPR, hence many data centers dealing with EU data are in this country.
EFTA (European Free Trade Association) & Switzerland.
APEC (Asia-Pacific Economic Cooperation) Privacy Framework: not legally binding; voluntary compliance.
ISO 27001 – ISMS (Information Security Management System)
• ISO/IEC (International Electrotechnical Commission) 27001:2015: guideline regarding information security controls applicable to the provision and use of cloud services & to cloud service customers.
- The ISMS is intended to provide a standardized international model for the development and implementation of policies, procedures, and standards that take into account stakeholder identification and involvement in a top-down approach to addressing and managing risk in an organization.
Harmonization law: the process of creating common standards across the internal market. Designed to incorporate different legal systems under a basic framework. Ex.: EU directives.
- eDiscovery: the process of identifying and obtaining electronic evidence. eDiscovery can be carried out online and offline (for static systems or within particular network segments). For the cloud it is almost always online (SaaS/hosted & 3rd party). ISO/IEC 27050 standards.
- Need for eDiscovery:
  Crime investigation
  Internal policy violation
  Recovery from accidental damage
  Legal hold advisories/orders
  Compliance/law/regulations
- ISO/IEC 27050 (2016/2017/2018) deals with eDiscovery.
- Types: SaaS-based / hosted (provider), and data stored in the cloud (3rd party / specialized resources operating on behalf of the customer).
- ISO/IEC 27037 offers guidance on identifying potential data sources & acquiring the data from those sources.
Chain of custody & nonrepudiation: clear documentation of who accessed the evidence, how the evidence was stored, what time it was modified, and the purpose of the analysis on the evidence. The chain of custody provides nonrepudiation for the transactions detailed in the evidence. Nonrepudiation means that no party to a transaction can later claim that they did not
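As an added example (not from the original slides), a tamper-evident chain-of-custody log: each entry records who handled the evidence, when, why, and the evidence hash, and is linked to the previous entry by a keyed digest, so an edited or deleted entry is caught on verification. The HMAC key, the custodian names and the evidence bytes are constructed placeholders; a real deployment would use per-custodian signatures rather than one shared key.

```python
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed demo key (assumption: a real log would use per-custodian signing keys,
# e.g. HSM-backed, so that each custodian's entries are attributable only to them).
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_digest of the first entry


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str        # when the evidence was handled (caller supplies ISO 8601)
    custodian: str        # who accessed the evidence
    action: str           # acquired / transferred / analysed / stored
    purpose: str          # why it was handled
    evidence_sha256: str  # hash of the evidence item at the time of the action
    prev_digest: str      # digest of the previous entry: the chain link
    digest: str = ""      # keyed digest over all fields above, including prev_digest


def _entry_digest(fields: dict, key: bytes) -> str:
    # Canonical JSON so that field order cannot change the digest.
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class CustodyLog:
    def __init__(self, key: bytes = DEMO_KEY) -> None:
        self.key = key
        self.entries: List[CustodyEntry] = []

    def append(self, timestamp: str, custodian: str, action: str,
               purpose: str, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        fields = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "custodian": custodian,
            "action": action,
            "purpose": purpose,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
            "prev_digest": prev,
        }
        entry = CustodyEntry(**fields, digest=_entry_digest(fields, self.key))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if every link holds, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            stored = fields.pop("digest")
            if e.seq != i or e.prev_digest != prev:
                return i  # an entry was removed, reordered or inserted
            if not hmac.compare_digest(stored, _entry_digest(fields, self.key)):
                return i  # a recorded field was edited after the fact
            prev = stored
        return None

    def evidence_unchanged(self, evidence: bytes) -> bool:
        """Does the evidence item still match the hash in the latest entry?"""
        return bool(self.entries) and \
            self.entries[-1].evidence_sha256 == hashlib.sha256(evidence).hexdigest()


def demo() -> dict:
    """Build a constructed log, then show what each kind of tampering looks like."""
    evidence = b"constructed disk image bytes"  # stand-in for an acquired artefact
    log = CustodyLog()
    log.append("2024-01-10T09:00:00Z", "alice", "acquired", "forensic imaging", evidence)
    log.append("2024-01-10T11:30:00Z", "bob", "transferred", "hand-over to lab", evidence)
    log.append("2024-01-11T08:15:00Z", "carol", "analysed", "malware triage", evidence)

    edited = copy.deepcopy(log)
    edited.entries[1].custodian = "dave"  # someone rewrites who had the evidence

    removed = copy.deepcopy(log)
    del removed.entries[1]  # the hand-over entry disappears from the record

    return {
        "intact": log.verify(),             # None: chain holds
        "edited_entry": edited.verify(),    # 1: digest no longer matches
        "removed_entry": removed.verify(),  # 1: seq / prev link broken
        "evidence_ok": log.evidence_unchanged(evidence),
        "evidence_altered": log.evidence_unchanged(evidence + b"x"),
    }
```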
- Law: laws are legal rules that are created by government entities such as legislatures.
- Regulations are rules that are created by governmental agencies. Failure to properly follow laws and regulations can result in punitive procedures that can include fines and imprisonment.
- Standards dictate a reasonable level of performance; standards can be created by an organization for its own purposes (internal) or come from industry bodies/trade groups (external).
- Audit: an audit is a review of an environment in order to determine if that environment is compliant with a standard, law, configuration, or other mandate. Stages:
1. Scope
2. Gap analysis: the gap analysis is a review of the differences, in those areas where the organization is not yet compliant with the given standard/regulation.
3. The AICPA creates and promulgates the Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS), which auditors and accountants adhere to in practice. The current AICPA audit standard, SSAE 18, outlines three families of audit reports: SOC 1, SOC 2, and SOC 3 (Service Organization Control).
- SOC 1: an audit engagement consisting solely of an examination of organizational financial reporting controls. The SOC 1 is designed to serve the needs of investors and regulators, the two sets of people interested in the financial well-being of the target. The SOC 1 does not serve an information security or IT security purpose.
- SOC 2: SOC 2 reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy.
- Prior to SOC 2, the standard for auditors was the Statement on Auditing Standards No. 70 (SAS 70), which was performed by certified public accountants. Introduced in the early 90s, the intent of the SAS 70 was to report on the effectiveness of different internal function controls. It has now been replaced with the SSAE 18 standard.
- In the 2010s, the AICPA introduced SOC 1 and SOC 2 reports to address the growing requirement of firms to prove and announce their state of security.
- Type 1: the report only reviews controls as designed, at a particular moment in time. That is, the audit examines the controls chosen by the target but not how those controls are implemented or how well those controls actually work (design of the controls).
- Type 2: a truly thorough review of the target's controls, including how they have been implemented and their efficacy, over a period of time (usually several months, up to 12 months) (effectiveness of the controls).
- SOC 3: purely for public consumption and serves only as a seal of approval for public display, without sharing any specific information regarding audit activity, control effectiveness, findings, and so on. The major difference
Audit Scope:
• Statement of purpose: An overall summation and definition for the purpose of the audit. This serves as the basis for all aspects of the audit, as well as the audience and focus of the final reports.
• Scope of audit: This defines what systems, applications, services, or types of data are to be covered within the scope of the audit. It is an affirmative statement of inclusion, informing the auditors of the structure and configuration of the items to be audited, but it can also list any exclusions or scope limitations. Limitations can apply broadly to the entire audit or exclude certain types of data or queries.
• Reasons and goals for audit: There can be more than one reason for an audit, such as for management oversight internal to an organization, to assure stakeholders or users, and as a requirement for compliance with regulations or laws.
• Requirements for the audit: This defines how the audit is to be conducted, what tools or technologies are to be used, and to what extent they are to be used. Different tools and technologies will test systems and applications to different levels of impact or comprehensiveness, and it is vital to have an agreed-upon approach, as well as to prepare and monitor any systems and applications during testing.
• Audit criteria for assessment: This defines how the audit will measure and quantify results. It is vital for the organization and auditors to clearly understand what type and scale of rating system will be used.
• Deliverables: This defines what will be produced as a result of the audit. The main deliverable will of course be the actual report, but what format or structure the report is presented in needs to be defined. The organization may have specific format or file type requirements, or regulatory requirements may specify exact formats or data types for submission and processing. This area also includes what parties are to receive the audit report.
• Classification of audit: This defines the sensitivity level and any confidentiality requirements of the audit report and any information or documents used during the preparation or execution of the audit. This can be either organizationally confidential or officially classified by the government as Confidential, Secret, or Top Secret.
Gap Analysis
A gap analysis is a crucial step that is performed after all information has been gathered, tested, and verified through the auditing process.
Audit Planning:
• Define objectives
• Define scope
• Conduct the audit
• Lessons learned and analysis
Internal Information Security Controls System (ISMS)
The ISO/IEC 27001:2013 standard puts forth a series of domains that are established as a framework for
assisting with a formal risk assessment program. These domains cover virtually all areas of IT operations and
procedures, making ISO/IEC 27001:2013 one of the most widely used standards in the world.
Here are the domains that comprise ISO/IEC 27001:2013:
A.5 Management
A.6 Organization
A.7 Personnel
A.8 Assets
A.9 Access Control
A.10 Cryptography
A.11 Physical Security
A.12 Operations Security
A.13 Network Security
A.14 Systems Security
A.15 Supplier/Vendor Relationships
A.16 Incident Management
A.17 Business Continuity
A.18 Compliance
- Policy:
• KRIs (Key Risk Indicators): metrics used by an organization to inform management if there is an impending negative impact to operations. KRIs are forward-looking, whereas KPIs measure what has already occurred.
• Risk appetite/tolerance: risk tolerance and appetite are similar descriptors of how the organization views risk. Senior management dictates the amount of risk an organization is willing to take, generally based on the amount of perceived benefit related to the risk.
• Quantitative assessments: quantitative assessments are data driven, where hard values can be determined and used for comparison and calculative measure. The following measures and calculations form the basis of quantitative assessments:
• SLE: the single loss expectancy value. The SLE is defined as the difference between the original value of an asset and the remaining value of the asset after a single successful exploit. It is calculated by multiplying the asset value in dollars by what is called the exposure factor, which is the loss due to a successful exploit as a percentage.
• ARO: the annualized rate of occurrence value. The ARO is an estimated number of the times a threat will successfully exploit a given vulnerability over the course of a single year.
• ALE: the annualized loss expectancy value. The ALE is the value of the SLE multiplied by the ARO, so ALE = SLE × ARO.
Responding to Risk
There are four main categories for risk responses, as detailed next.
Accept the Risk An organization may opt to simply accept the risk of a particular exploit and the threats posed against
it. This occurs after a thorough risk assessment and the evaluation of the costs of mitigation. In an instance where the
cost to mitigate outweighs the cost of accepting the risk and dealing with any possible consequences, an organization
may opt to simply deal with an exploit when and if it occurs. In most instances, the decision to accept a risk will only be
permitted for low-level risks, and never for moderate or high risks.
Avoid the Risk An organization may opt to take measures to ensure that a risk is never realized, rather than accepting
or mitigating it. This typically involves a decision to not utilize certain services or systems. While this obviously could
lead to significant loss of revenue and customers, it allows an organization to avoid the risk altogether. This is typically
not a solution that an organization will undertake, with the exception of very minor feature sets of systems or
applications, where the disabling or removal will not pose a significant impediment to the users or operations.
Transfer the Risk Risk transfer is the process of having another entity assume the risk from the organization. One
thing to note, though, is that risk cannot always be transferred to another entity. A prime example of transfer is through
insurance policies to cover the financial costs of successful risk exploits. Also, under some regulations, risk cannot be
transferred, because the business owner bears final responsibility for any exploits resulting in the loss of privacy or
confidentiality of data, especially personal data.
Mitigate the Risk Risk mitigation is the strategy most commonly expected and understood. Through risk mitigation, an
organization takes steps—sometimes involving the spending of money on new systems or technologies—to fix and
prevent any exploits from happening. This can involve taking steps to totally eliminate a particular risk or taking steps to
lower the likelihood of an exploit or the impact of a successful exploit. The decision to undertake risk mitigation will
heavily depend on the calculated cost–benefit analysis from the assessments.
NIST, ENISA, and ISO/IEC 31000:2018 are risk frameworks; they are all specifically focused on systems, the threats to them, and the risks they face directly.
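A worked example of the quantitative assessment and the four risk responses above, added here and not part of the original slides: it computes SLE and ALE with the slides' formulas, then picks the cheapest permitted response, applying the slides' rules that acceptance is allowed only for low-level risks and that transfer is not allowed where regulation leaves the business owner responsible for personal data. The asset value, exposure factors, rates and option costs are all constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one successful exploit (0..1)
    aro: float              # ARO: expected successful exploits per year

    @property
    def sle(self) -> float:
        # SLE = AV x EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # ALE = SLE x ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Option:
    response: str        # "accept" | "mitigate" | "transfer" | "avoid"
    name: str
    annual_cost: float   # control spend, insurance premium, or forgone revenue (avoid)
    residual_ef: float   # exposure factor remaining once the option is in place
    residual_aro: float  # rate of occurrence remaining once the option is in place


def residual_ale(risk: Risk, opt: Option) -> float:
    return risk.asset_value * opt.residual_ef * opt.residual_aro


def total_annual_cost(risk: Risk, opt: Option) -> float:
    """What the organization expects to pay per year under this option."""
    return residual_ale(risk, opt) + opt.annual_cost


def annual_benefit(risk: Risk, opt: Option) -> float:
    """Cost-benefit of an option: ALE reduction minus what the option costs."""
    return risk.ale - residual_ale(risk, opt) - opt.annual_cost


def choose_response(risk: Risk, options: List[Option],
                    risk_level: str, personal_data: bool) -> Option:
    """Cheapest permitted option; the rules follow the slides' description of each response."""
    permitted = []
    for opt in options:
        if opt.response == "accept" and risk_level != "low":
            continue  # acceptance is only permitted for low-level risks
        if opt.response == "transfer" and personal_data:
            continue  # responsibility for personal data cannot be transferred
        permitted.append(opt)
    if not permitted:
        raise ValueError("no permitted response")
    return min(permitted, key=lambda o: total_annual_cost(risk, o))


# Constructed scenario: a customer database worth $500,000.
DB_RISK = Risk("customer DB compromise", asset_value=500_000,
               exposure_factor=0.4, aro=0.2)

# Constructed options; 'accept' leaves EF and ARO unchanged.
DB_OPTIONS = [
    Option("accept", "do nothing", 0, 0.4, 0.2),
    Option("mitigate", "encryption + MFA", 15_000, 0.1, 0.1),
    Option("transfer", "cyber insurance", 8_000, 0.05, 0.2),
    Option("avoid", "decommission the service", 60_000, 0.0, 0.0),
]


def demo() -> dict:
    return {
        "sle": DB_RISK.sle,  # 500,000 x 0.4 = 200,000
        "ale": DB_RISK.ale,  # 200,000 x 0.2 = 40,000
        # mitigation: 40,000 - 5,000 residual - 15,000 spend = 20,000 per year
        "mitigation_benefit": annual_benefit(DB_RISK, DB_OPTIONS[1]),
        # moderate risk involving personal data: accept and transfer are ruled out
        "moderate_personal": choose_response(DB_RISK, DB_OPTIONS, "moderate", True).response,
        # same figures without personal data: insurance is the cheapest permitted option
        "moderate_no_personal": choose_response(DB_RISK, DB_OPTIONS, "moderate", False).response,
    }
```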
 

CCSP_Self_Domain_6.ppt

  • 5. Domain 6 - Legal & Compliance
PII: Personal Identification Information, like name/email/IP address/address (NIST SP 800-122)
- Direct identifiers are those data elements that immediately reveal a specific individual.
- Indirect identifiers are the characteristics and traits of an individual that, when aggregated, could reveal the identity of that person. Each indirect identifier by itself is usually not sensitive, but if enough are collected they may provide sensitive information.
• The act of removing identifiers is known as anonymization; certain jurisdictions, laws, and standards require the anonymization of data, including both direct and indirect identifiers. Contractual PII & Regulated PII.
Types of law:
1. Criminal Law (ex: data theft): against prohibited conduct & the well-being of the public. Law enforcement is conducted by the government only. All privacy violations around the world fall under this law.
2. Civil Law (ex: data breach): between 2 persons/organizations; involves only private entities and is known as a lawsuit or litigation.
- Contracts: A general agreement between parties to engage in some specific activity within a stipulated time. Generally between CSP and cloud customer. Ex: SLAs / PCI DSS contracts.
- Breach: Failure to perform the activity as per the agreement.
3. Administrative Law: Many federal agencies create/monitor/enforce their own administrative law.
- State Law: Associated with a particular state in the US.
- Federal Law: Law applied across the US (whole country); it supersedes state law. The Restatement (Second) of Conflict of Laws is the basis for deciding which laws are most appropriate when there are conflicting laws in different states.
- Tort law: This is a body of rights, obligations, and remedies that sets out reliefs for persons suffering harm as a result of the wrongful acts of others. Tort actions are not dependent on an agreement between the parties.
  • 6. Domain 6 - Legal & Compliance
- Copyright & Piracy Law: Copyright infringement can be performed for financial & non-financial gain.
- Privacy Law: The right of an individual to determine when, how & to what extent he/she will release personal information.
- The doctrine of proper law: when a conflict of laws occurs, it determines in which jurisdiction the dispute will be heard, based on contractual language professing an express selection or a clear intention through a choice-of-law clause.
- ECPA (Electronic Communications Privacy Act): Restricts government wiretapping & updates those provisions to cover communications in the form of data.
- GLBA (Gramm-Leach-Bliley Act): Allows banks to merge with their own insurance businesses and share customer information, kept secret, & allows customers to opt out of sharing. Also known as the Financial Services Modernization Act of 1999.
- Sarbanes-Oxley Act (SOX): Increases transparency into publicly traded companies' financial activities, including securing data, & expressly names the traits of CIA (Confidentiality, Integrity & Availability). Not a privacy or IT security law.
- Health Insurance Portability & Accountability Act (HIPAA): Protects patient information known as ePHI (electronic patient health information). The Office for Civil Rights (OCR) of the Dept. of Health & Human Services conducts audits and issues guidelines; established in 1996. With technology changes, the newer regulation HITECH (Health Information Technology for Economic & Clinical Health) provides financial incentives to convert paper data to digital format.
- Family Educational Rights & Privacy Act (FERPA): Prevents academic institutions from sharing student information except with parents, up to age 18.
- The Digital Millennium Copyright Act (DMCA): Updates copyright provisions to protect owned data in an internet-enabled world. Enables copyright holders to require any site on the internet to remove the content that may
  • 7. Domain 6 - Legal & Compliance
Clarifying Lawful Overseas Use of Data Act (CLOUD Act): Allows US law enforcement & courts to compel American companies to disclose data stored in foreign data centers; designed mainly for cloud computing.
FedRAMP: Isn't a law; a US federal program that mandates a standardised approach to security assessments, authorization and continuous monitoring of cloud products & services. Mandatory to achieve for hosting any government agency/contractor.
The EU treats personal privacy protection for data in electronic form as a human right; in the US there is no specified privacy law. The EU works on an opt-in policy (need consent from the individual to store PII); the US works on an opt-out policy.
GDPR (General Data Protection Regulation): Describes the appropriate handling of personal & private information of all EU citizens; the world's most powerful personal privacy law. Any entity (government agency, private company or individual) gathering PII of any citizen of the EU is subject to GDPR. Its principles come from the OECD (Organisation for Economic Co-operation and Development). It includes Choice, Purpose, Access, Integrity, Security & Enforcement.
GDPR denies doing business with companies where there is no national law that supports GDPR. Hence the US brought in the Privacy Shield policy (Safe Harbor, by the Dept. of Commerce). If organizations don't want to follow Privacy Shield, they must create internal policies called binding corporate rules & standard contractual clauses which comply with GDPR.
Roles in GDPR:
- Data Subject: Individual to whom the PII refers.
- Data Controller: Entity collecting PII (generally the cloud customer); ultimately responsible for PII.
- Data Processor: Entity acting on behalf of the data controller, performing manipulation/storage or transmission of PII (CSP).
  • 8. Domain 6 - Legal & Compliance
Australian Privacy Act 1988: Complies with GDPR, and EU citizens' data can be stored.
PIPEDA (Canada Personal Information Protection and Electronic Documents Act): Complies with GDPR.
Argentina's Personal Data Protection Act: Replica of GDPR, hence many DCs dealing with EU data are in this country.
EFTA & Switzerland: European Free Trade Association.
APEC (Asia-Pacific Economic Cooperation) Privacy Framework: Not legally binding; voluntary compliance.
ISO 27001 – ISMS (Information Security Management System)
• ISO/IEC (International Electrotechnical Commission) 27001:2015 – Guideline regarding information security controls applicable to the provision and use of cloud services & cloud service customers.
- The ISMS is intended to provide a standardized international model for the development and implementation of policies, procedures, and standards that take into account stakeholder identification and involvement in a top-down approach to addressing and managing risk in an organization.
Harmonization Law: The process of creating common standards across the internal market. Designed to incorporate different legal systems under a basic framework. Ex: EU directives.
  • 9. Domain 6 - Legal & Compliance
- eDiscovery: Process of identifying and obtaining electronic evidence. eDiscovery can be carried out online and offline (for static systems or within particular network segments). For cloud it is almost always online (SaaS / hosted & 3rd party). ISO 27050 standards.
- Need for eDiscovery:
  Crime investigation
  Internal policy violation
  Recovery from accidental damage
  Legal hold advisories/orders
  Compliance/law/regulations
- ISO/IEC 27050 (2016/2017/2018) deals with eDiscovery.
- Types: SaaS based / hosted based (provider) & data stored in the cloud (3rd party/specialized resources operating on behalf of the customer).
- ISO/IEC 27037 offers guidance on identifying potential data sources & acquiring the data from the sources.
Chain of Custody & Nonrepudiation: Clear documentation of who accessed the evidence, how it was stored, at what time it was modified, and the purpose of analysis on the evidence. The chain of custody provides nonrepudiation for the transactions detailed in the evidence. Nonrepudiation means that no party to a transaction can later claim that they did not
  • 10. Domain 6 - Legal & Compliance
- Law: Laws are legal rules that are created by government entities such as legislatures.
- Regulations are rules that are created by governmental agencies. Failure to properly follow laws and regulations can result in punitive procedures that can include fines and imprisonment.
- Standards dictate a reasonable level of performance; standards can be created by an organization for its own purposes (internal) or come from industry bodies/trade groups (external).
- Audit: An audit is a review of an environment in order to determine if that environment is compliant with a standard, law, configuration, or other mandate. Stages:
  1. Scope
  2. Gap Analysis: The gap analysis is a review of the differences, in those areas where the organization is not yet compliant with the given standard/regulation.
  3. The AICPA creates and promulgates the Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS), which auditors and accountants adhere to in practice. The current AICPA audit standard, SSAE 18, outlines three families of audit reports: SOC 1, SOC 2, and SOC 3 (Service Organization Control).
- SOC 1: It is an audit engagement consisting solely of an examination of organizational financial reporting controls. The SOC 1 is instead designed to serve the needs of investors and regulators, the two sets of people interested in the financial well-being of the target. The SOC 1 does not serve an information security or IT security purpose.
  • 11. Domain 6 - Legal & Compliance
- SOC 2: SOC 2 reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy.
- Prior to SOC 2, the standard for auditors was the Statement on Auditing Standards No. 70 (SAS 70), which was performed by certified public accountants. Introduced in the early 90s, the intent of the SAS 70 was to report on the effectiveness of different internal function controls. Now replaced with the SSAE 18 standard.
- In the 2010s, the AICPA introduced SOC 1 and SOC 2 reports to address the growing requirement of firms to prove and announce their state of security.
- Type 1: reports only review controls as designed, at a particular moment in time. That is, the audit examines the controls chosen by the target but not how those controls are implemented or how well those controls actually work (design of the controls).
- Type 2: is a truly thorough review of the target's controls, including how they have been implemented and their efficacy, over a period of time (usually several months to 12 months) (effectiveness of the controls).
- SOC 3: is purely for public consumption and serves only as a seal of approval for public display, without sharing any specific information regarding audit activity, control effectiveness, findings, and so on. The major difference
  • 12. Domain 6 - Legal & Compliance
Audit Scope:
• Statement of purpose: An overall summation and definition of the purpose of the audit. This serves as the basis for all aspects of the audit, as well as the audience and focus of the final reports.
• Scope of audit: This defines what systems, applications, services, or types of data are to be covered within the scope of the audit. It is an affirmative statement of inclusion, informing the auditors of the structure and configuration of the items to be audited, but it can also list any exclusions or scope limitations. Limitations can apply broadly to the entire audit or exclude certain types of data or queries.
• Reasons and goals for audit: There can be more than one reason for an audit, such as management oversight internal to an organization, assuring stakeholders or users, and a requirement for compliance with regulations or laws.
• Requirements for the audit: This defines how the audit is to be conducted, what tools or technologies are to be used, and to what extent they are to be used. Different tools and technologies will test systems and applications to different levels of impact or comprehensiveness, and it is vital to have an agreed-upon approach, as well as to prepare and monitor any systems and applications during testing.
• Audit criteria for assessment: This defines how the audit will measure and quantify results. It is vital for the organization and auditors to clearly understand what type and scale of rating system will be used.
• Deliverables: This defines what will be produced as a result of the audit. The main deliverable will of course be the actual report, but what format or structure the report is presented in needs to be defined. The organization may have specific format or file type requirements, or regulatory requirements may specify exact formats or data types for submission and processing. This area also includes what parties are to receive the audit report.
• Classification of audit: This defines the sensitivity level and any confidentiality requirements of the audit report and any information or documents used during the preparation or execution of the audit. This can be either organizationally confidential or officially classified by the government as Confidential, Secret, or Top Secret.
Gap Analysis: A gap analysis is a crucial step that is performed after all information has been gathered, tested, and verified through the auditing process.
  • 13. Domain 6 - Legal & Compliance
Audit Planning:
- Define objectives
- Define scope
- Conduct the audit
- Lessons learned and analysis
Internal Information Security Controls System (ISMS)
The ISO/IEC 27001:2013 standard puts forth a series of domains that are established as a framework for assisting with a formal risk assessment program. These domains cover virtually all areas of IT operations and procedures, making ISO/IEC 27001:2013 one of the most widely used standards in the world. Here are the domains that comprise ISO/IEC 27001:2013:
A.5 Management
A.6 Organization
A.7 Personnel
A.8 Assets
A.9 Access Control
A.10 Cryptography
A.11 Physical Security
A.12 Operations Security
A.13 Network Security
A.14 Systems Security
A.15 Supplier/Vendor Relationships
A.16 Incident Management
A.17 Business Continuity
A.18 Compliance
  • 14. Domain 6 - Legal & Compliance
- Policy:
• KRIs (Key Risk Indicators): metrics used by an organization to inform management if there is an impending negative impact to operations. KRIs are forward looking, whereas KPIs measure what has already occurred.
• Risk Appetite/Tolerance: Risk tolerance and appetite are similar descriptors of how the organization views risk. Senior management dictates the amount of risk an organization is willing to take, generally based on the amount of perceived benefit related to the risk.
- Quantitative Assessments: Quantitative assessments are data driven, where hard values can be determined and used for comparison and calculative measure. The following measures and calculations form the basis of quantitative assessments:
- SLE: The single loss expectancy value. The SLE is defined as the difference between the original value of an asset and the remaining value of the asset after a single successful exploit. It is calculated by multiplying the asset value in dollars by what is called the exposure factor, which is the loss due to a successful exploit as a percentage.
- ARO: The annualized rate of occurrence value. The ARO is an estimated number of the times a threat will successfully exploit a given vulnerability over the course of a single year.
- ALE: The annualized loss expectancy value. The ALE is the value of the SLE multiplied by the ARO, so the ALE = SLE × ARO.
  • 15. Domain 6 - Legal & Compliance
Responding to Risk
There are four main categories for risk responses, as detailed next.
Accept the Risk: An organization may opt to simply accept the risk of a particular exploit and the threats posed against it. This occurs after a thorough risk assessment and the evaluation of the costs of mitigation. In an instance where the cost to mitigate outweighs the cost of accepting the risk and dealing with any possible consequences, an organization may opt to simply deal with an exploit when and if it occurs. In most instances, the decision to accept a risk will only be permitted for low-level risks, and never for moderate or high risks.
Avoid the Risk: An organization may opt to take measures to ensure that a risk is never realized, rather than accepting or mitigating it. This typically involves a decision to not utilize certain services or systems. While this obviously could lead to significant loss of revenue and customers, it allows an organization to avoid the risk altogether. This is typically not a solution that an organization will undertake, with the exception of very minor feature sets of systems or applications, where the disabling or removal will not pose a significant impediment to the users or operations.
Transfer the Risk: Risk transfer is the process of having another entity assume the risk from the organization. One thing to note, though, is that risk cannot always be transferred to another entity. A prime example of transfer is through insurance policies to cover the financial costs of successful risk exploits. Also, under some regulations, risk cannot be transferred, because the business owner bears final responsibility for any exploits resulting in the loss of privacy or confidentiality of data, especially personal data.
Mitigate the Risk: Risk mitigation is the strategy most commonly expected and understood. Through risk mitigation, an organization takes steps (sometimes involving the spending of money on new systems or technologies) to fix and prevent any exploits from happening. This can involve taking steps to totally eliminate a particular risk or taking steps to lower the likelihood of an exploit or the impact of a successful exploit. The decision to undertake risk mitigation will heavily depend on the calculated cost-benefit analysis from the assessments.
NIST, ENISA, and ISO/IEC 31000:2018 are all risk frameworks, specifically focused on systems, threats, and the risks facing them directly.
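Worked illustration of the SLE/ARO/ALE formulas from slide 14 and the cost-driven accept/mitigate decision from slide 15, added here as example code (not part of the deck). It goes one step beyond the slides by adding the usual net-benefit test for a safeguard (ALE before minus ALE after minus the control's annual cost); the Risk and Safeguard classes, the response mapping and every dollar figure are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One threat/asset pair with the quantitative inputs from the slides."""
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in one successful exploit (0.0-1.0)
    aro: float              # ARO: expected successful exploits per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A proposed mitigation and the residual EF/ARO it is expected to leave."""
    name: str
    annual_cost: float
    residual_exposure_factor: float
    residual_aro: float


def residual_risk(risk: Risk, safeguard: Safeguard) -> Risk:
    """The same risk re-evaluated with the safeguard in place."""
    return replace(risk, exposure_factor=safeguard.residual_exposure_factor,
                   aro=safeguard.residual_aro)


def safeguard_benefit(risk: Risk, safeguard: Safeguard) -> float:
    """Annual net value of the control: ALE_before - ALE_after - annual cost.
    Positive means the control pays for itself (the cost-benefit the slides mention)."""
    return risk.ale() - residual_risk(risk, safeguard).ale() - safeguard.annual_cost


def recommend_response(risk: Risk, safeguard: Safeguard, acceptable_ale: float) -> str:
    """Map the numbers onto the response categories from the slides (an illustrative
    mapping, not a formal rule). acceptable_ale is the 'low-level risk' threshold
    that senior management sets as its risk appetite."""
    if risk.ale() <= acceptable_ale:
        return "accept"          # low-level risk: accepting is permitted
    if safeguard_benefit(risk, safeguard) > 0:
        return "mitigate"        # control costs less than the loss it prevents
    return "transfer or avoid"   # too big to accept, too costly to mitigate


# Constructed sample figures (assumed, not from the slide deck).
CUSTOMER_DB = Risk("customer database exposed", asset_value=500_000,
                   exposure_factor=0.40, aro=0.25)
# Encryption at rest lowers the impact (EF) of a leak; the ARO is unchanged.
ENCRYPTION = Safeguard("encrypt database + key management", annual_cost=12_000,
                       residual_exposure_factor=0.10, residual_aro=0.25)

if __name__ == "__main__":
    print(f"SLE ${CUSTOMER_DB.sle():,.0f}  ALE ${CUSTOMER_DB.ale():,.0f}")
    print(f"net benefit of '{ENCRYPTION.name}': "
          f"${safeguard_benefit(CUSTOMER_DB, ENCRYPTION):,.0f}")
    print("response:", recommend_response(CUSTOMER_DB, ENCRYPTION, acceptable_ale=5_000))
```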

Editor's Notes

  1. GLBA has 3 components: 1. Financial Privacy Rule: overall collection & disclosure of financial information of customers & users. 2. Pretexting Provision: accessing or trying to access PII under false representation. 3. Safeguards Rule: adequate security controls to protect privacy & PII.