3. Santosh Poduri
CCSP Exam
About the Exam
Length of exam: 3 hours
Number of questions: 125
Question format: Multiple choice
Passing grade: 700 out of 1000 points
Exam availability: English
Testing center: Pearson VUE Testing Center
4. Domain 1- Cloud Concepts
Cloud Roles
Cloud Service Provider
Cloud Consumer/Customer
Cloud broker
Cloud service partner
Domain 6- Legal & Compliance
PII: Personally Identifiable Information, e.g. name, email address, IP address, postal address (NIST SP 800-122)
- Direct identifiers are data elements that immediately reveal a specific individual (name, SSN, email address).
- Indirect identifiers are characteristics and traits of an individual that, when aggregated, could reveal the
identity of that person. Each indirect identifier by itself is usually not sensitive, but if enough are collected
together (for example ZIP code plus date of birth plus gender) they can single out one person.
• Removing identifiers is known as anonymization; certain jurisdictions, laws and standards require the
anonymization of data, covering both direct and indirect identifiers. Note the distinction between contractual PII
(protection obligations come from a contract, e.g. PCI DSS) and regulated PII (protection obligations come from
law, e.g. HIPAA, GDPR).
Types of law:
1. Criminal law (e.g. data theft, unauthorized access): addresses conduct prohibited for the well-being of the
public. Enforcement is by government only. Some privacy violations are prosecuted as crimes, but most privacy
enforcement is civil or administrative.
2. Civil law (e.g. a data breach lawsuit): between two persons or organizations; involves only private entities
and is pursued through a lawsuit (litigation).
- Contracts: an agreement between parties to perform some specified activity within a stipulated time,
generally between the CSP and the cloud customer. Examples: SLAs, PCI DSS contractual obligations.
- Breach: failure to perform the activity as per the agreement.
3. Administrative law: many federal agencies create, monitor and enforce their own administrative rules.
- State law: applies within a particular US state.
- Federal law: applies across the whole US and takes precedence over conflicting state law. The Restatement
(Second) of Conflict of Laws is the basis for deciding which law is most appropriate when the laws of
different states conflict.
- Tort law: a body of rights, obligations and remedies that sets out relief for persons suffering harm as a result
of the wrongful acts of others. Tort actions do not depend on an agreement between the parties.
- Copyright and piracy law: copyright infringement can be committed for financial or non-financial gain.
- Privacy law: the right of an individual to determine when, how and to what extent he or she will release
personal information.
- The doctrine of proper law: when a conflict of laws occurs, it determines in which jurisdiction the dispute will
be heard, based on contractual language expressing an explicit selection or a clear intention through a choice
of law clause.
- ECPA (Electronic Communications Privacy Act, 1986): restricts government wiretapping of telephone calls and
extends those restrictions to electronic communications and to stored electronic data (the Stored
Communications Act is Title II of the ECPA).
- GLBA (Gramm-Leach-Bliley Act), also known as the Financial Services Modernization Act of 1999: allowed banks,
securities firms and insurers to merge and share customer information; requires financial institutions to keep
customer data confidential, disclose their sharing practices and let customers opt out of sharing with
non-affiliated third parties.
- Sarbanes-Oxley Act (SOX): increases transparency into publicly traded companies' financial activities,
including securing financial reporting data; its internal-control requirements (Section 404) are what drive IT
controls in practice. Not a privacy or IT security law.
- Health Insurance Portability and Accountability Act (HIPAA, 1996): protects patient information known as
ePHI (electronic protected health information). The Office for Civil Rights (OCR) of the Department of Health
and Human Services conducts audits and issues guidance. As technology changed, the HITECH Act (Health
Information Technology for Economic and Clinical Health, 2009) added financial incentives to convert paper
records to electronic form and strengthened breach-notification requirements.
- Family Educational Rights and Privacy Act (FERPA): prevents educational institutions from sharing student
records without consent; the rights belong to the parents until the student turns 18 (or enters postsecondary
education), after which they belong to the student.
- The Digital Millennium Copyright Act (DMCA, 1998): updated copyright provisions to protect owned content in an
internet-enabled world. Enables copyright holders to require any site on the internet to remove content that may
Clarifying Lawful Overseas Use of Data Act (CLOUD Act, 2018): allows US law enforcement and courts to compel
American companies to disclose data in their possession even when it is stored in foreign data centers; written
mainly with cloud computing in mind.
FedRAMP is not a law. It is a US federal program that mandates a standardized approach to security assessments,
authorization and continuous monitoring of cloud products and services. A CSP must hold a FedRAMP
authorization to host any federal agency or contractor workload.
The EU treats protection of personal data in electronic form as a fundamental right; the US has no single
comprehensive privacy law, only sector-specific ones. The EU works on an opt-in model (consent is needed before
PII is collected or stored); the US generally works on an opt-out model.
GDPR (General Data Protection Regulation): describes the appropriate handling of personal data of individuals in
the EU (data subjects, not only citizens) and is widely regarded as the world's most far-reaching privacy law. Any
entity (government agency, private company or individual) processing personal data of EU data subjects is subject
to GDPR, wherever the entity is located. Its principles trace back to the OECD privacy guidelines. The US
Safe Harbor and Privacy Shield frameworks (administered by the Department of Commerce) built on the same
principles: notice, choice, onward transfer, security, data integrity and purpose limitation, access, and
recourse/enforcement. GDPR restricts transfer of personal data to countries whose national law does not provide
adequate protection; Safe Harbor and then Privacy Shield were created so US organizations could self-certify as
adequate. Both were invalidated by the Court of Justice of the EU (Schrems I, 2015; Schrems II, 2020); the
EU-US Data Privacy Framework replaced Privacy Shield in 2023. Organizations that do not rely on such a
framework must use binding corporate rules (BCRs) or standard contractual clauses (SCCs) that comply with GDPR.
Roles in GDPR
- Data subject: the individual to whom the personal data refers.
- Data controller: the entity that determines why and how personal data is processed (generally the cloud
customer); ultimately responsible for the data.
- Data processor: the entity acting on behalf of the data controller, performing manipulation, storage or
transmission of the data (typically the CSP).
Australian Privacy Act 1988: broadly aligned with GDPR principles, but Australia holds no EU adequacy decision,
so transfers of EU data there still need SCCs or another transfer mechanism.
PIPEDA (Canada's Personal Information Protection and Electronic Documents Act): covers commercial
organizations; the EU recognizes it as providing adequate protection, so EU data can be transferred to
organizations subject to it.
Argentina's Personal Data Protection Act: modeled on EU data-protection law and holds an EU adequacy decision,
which is why data centers there can handle EU data without extra transfer safeguards.
EFTA (European Free Trade Association) and Switzerland: the EEA members (Iceland, Liechtenstein, Norway)
apply GDPR directly; Switzerland has its own Federal Act on Data Protection and an EU adequacy decision.
APEC (Asia-Pacific Economic Cooperation) Privacy Framework: not legally binding; compliance is voluntary.
ISO 27001 – ISMS (Information Security Management System)
• ISO/IEC (International Organization for Standardization / International Electrotechnical Commission)
27017:2015 is the guideline for information security controls applicable to the provision and use of cloud
services, for both cloud service providers and cloud service customers (note: 27017, not 27001).
- The ISMS is intended to provide a standardized international model for the development and
implementation of policies, procedures and standards that take into account stakeholder identification and
involvement in a top-down approach to addressing and managing risk in an organization.
Harmonization of law: the process of creating common standards across the internal market, designed to
incorporate different legal systems under a basic framework. Example: EU directives.
- eDiscovery: the process of identifying and obtaining electronic evidence. eDiscovery
can be carried out online and offline (for static systems or within particular network
segments). In the cloud it is almost always online (SaaS/hosted, or via a third party). The
ISO/IEC 27050 series covers it.
- Need for eDiscovery:
Crime investigation
Internal policy violation
Recovery from accidental damage
Legal hold advisories/orders
Compliance with laws and regulations
- ISO/IEC 27050 (parts published 2016/2017/2018) deals with eDiscovery.
- Types: SaaS-based / hosted (run by the provider) and data stored in the cloud handled by a
third party (specialized resources operating on behalf of the customer).
- ISO/IEC 27037 offers guidance on identifying potential data sources and acquiring the
data from those sources (identification, collection, acquisition and preservation of digital evidence).
Chain of custody and nonrepudiation: clear documentation of who accessed the evidence, how the
evidence was stored, when it was modified and the purpose of each analysis. The chain of
custody provides nonrepudiation for the transactions detailed in the evidence.
Nonrepudiation means that no party to a transaction can later claim that they did not
- Law: laws are legal rules created by government entities such as legislatures.
- Regulations are rules created by governmental agencies. Failure to properly follow laws and
regulations can result in punitive measures that can include fines and imprisonment.
- Standards dictate a reasonable level of performance; standards can be created by an organization for its
own purposes (internal) or come from industry bodies/trade groups (external).
- Audit: a review of an environment to determine whether that environment is compliant with a
standard, law, configuration or other mandate. Stages:
1. Scope
2. Gap analysis: a review of the differences, i.e. the areas where the organization is
not yet compliant with the given standard/regulation.
3. Audit report: the AICPA creates and promulgates the Generally Accepted Accounting Principles (GAAP) and
Generally Accepted Auditing Standards (GAAS), which auditors and accountants adhere to in practice. The current
AICPA attestation standard, SSAE 18, outlines three families of reports: SOC 1, SOC 2 and SOC 3 (Service
Organization Control, since renamed System and Organization Controls).
- SOC 1: an audit engagement consisting solely of an examination of controls over financial
reporting. SOC 1 is designed to serve the needs of investors and regulators, the two groups
interested in the financial well-being of the target. It does not serve an information security
or IT security purpose.
- SOC 2: reports review controls relevant to security, availability, processing integrity,
confidentiality and privacy (the Trust Services Criteria; security is mandatory, the others optional).
- Prior to SOC reports, the standard for auditors was Statement on Auditing Standards No. 70
(SAS 70), performed by certified public accountants. Introduced in 1992, SAS 70 was intended to
report on the effectiveness of a service organization's internal controls. It was replaced by SSAE 16
in 2011 and then by SSAE 18 in 2017.
- In 2011 the AICPA introduced SOC 1 and SOC 2 reports to address the growing need for firms
to prove and communicate their state of security.
- Type 1: reviews only the controls as designed, at a particular moment in time. The audit examines
the controls chosen by the target but not how well those controls actually operate (design of the
controls).
- Type 2: a thorough review of the target's controls, including how they have been implemented and
their efficacy, over a period of time (usually 6 to 12 months) (operating effectiveness of the controls).
- SOC 3: purely for public consumption and serves as a seal of approval for public display, without
sharing specific information regarding audit activity, control effectiveness, findings and so on. The
major difference
Audit Scope:
•Statement of purpose An overall summation and definition for the purpose of the audit. This serves as the
basis for all aspects of the audit, as well as the audience and focus of the final reports.
•Scope of audit This defines what systems, applications, services, or types of data are to be covered within
the scope of the audit. It is an affirmative statement of inclusion, informing the auditors of the structure and
configuration of the items to be audited, but it can also list any exclusions or scope limitations. Limitations can
apply broadly to the entire audit or exclude certain types of data or queries.
•Reasons and goals for audit There can be more than one reason for an audit, such as for management
oversight internal to an organization, to assure stakeholders or users, and as a requirement for compliance
with regulations or laws.
•Requirements for the audit This defines how the audit is to be conducted, what tools or technologies are to
be used, and to what extent they are to be used. Different tools and technologies will test systems and
applications to different levels of impact or comprehensiveness, and it is vital to have an agreed-upon
approach, as well as to prepare and monitor any systems and applications during testing.
•Audit criteria for assessment This defines how the audit will measure and quantify results. It is vital for the
organization and auditors to clearly understand what type and scale of rating system will be used.
•Deliverables This defines what will be produced as a result of the audit. The main deliverable will of course
be the actual report, but what format or structure the report is presented in needs to be defined. The
organization may have specific format or file type requirements, or regulatory requirements may specify exact
formats or data types for submission and processing. This area also includes what parties are to receive the
audit report.
•Classification of audit This defines the sensitivity level and any confidentiality requirements of the audit
report and any information or documents used during the preparation or execution of the audit. This can be
either organizationally confidential or officially classified by the government as Confidential, Secret, or Top
Secret.
Gap Analysis
A gap analysis is a crucial step that is performed after all information has been gathered, tested, and verified
through the auditing process.
Audit Planning:
Define objectives
Define scope
Conduct the audit
Lessons learned and analysis
Information Security Management System (ISMS) internal controls
The ISO/IEC 27001:2013 standard puts forth a series of control domains (Annex A) that serve as a framework for
a formal risk-treatment program. These domains cover virtually all areas of IT operations and
procedures, making ISO/IEC 27001 one of the most widely used standards in the world. (ISO/IEC 27001:2022
regrouped Annex A into four themes: organizational, people, physical and technological controls.)
Here are the Annex A domains of ISO/IEC 27001:2013:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
- Policy:
• KRIs (Key Risk Indicators): metrics used by an organization to inform management that a negative
impact to operations is impending. KRIs are forward-looking, whereas KPIs (Key Performance Indicators)
measure what has already occurred.
• Risk appetite/tolerance: similar descriptors of how the organization views risk. Senior management
dictates the amount of risk the organization is willing to take, generally based on the amount of perceived
benefit related to the risk.
Quantitative assessments: data driven; hard values can be determined and used for comparison and calculation.
The following measures and calculations form the basis of quantitative assessments:
SLE (single loss expectancy): the difference between the original value of an asset and its remaining value
after a single successful exploit. It is calculated by multiplying the asset value (AV) in dollars by the
exposure factor (EF), the loss due to a successful exploit expressed as a percentage: SLE = AV × EF.
ARO (annualized rate of occurrence): the estimated number of times a threat will successfully exploit a given
vulnerability over the course of a single year.
ALE (annualized loss expectancy): the SLE multiplied by the ARO: ALE = SLE × ARO.
Responding to Risk
There are four main categories for risk responses, as detailed next.
Accept the Risk An organization may opt to simply accept the risk of a particular exploit and the threats posed against
it. This occurs after a thorough risk assessment and the evaluation of the costs of mitigation. In an instance where the
cost to mitigate outweighs the cost of accepting the risk and dealing with any possible consequences, an organization
may opt to simply deal with an exploit when and if it occurs. In most instances, the decision to accept a risk will only be
permitted for low-level risks, and never for moderate or high risks.
Avoid the Risk An organization may opt to take measures to ensure that a risk is never realized, rather than accepting
or mitigating it. This typically involves a decision to not utilize certain services or systems. While this obviously could
lead to significant loss of revenue and customers, it allows an organization to avoid the risk altogether. This is typically
not a solution that an organization will undertake, with the exception of very minor feature sets of systems or
applications, where the disabling or removal will not pose a significant impediment to the users or operations.
Transfer the Risk Risk transfer is the process of having another entity assume the risk from the organization. One
thing to note, though, is that risk cannot always be transferred to another entity. A prime example of transfer is through
insurance policies to cover the financial costs of successful risk exploits. Also, under some regulations, risk cannot be
transferred, because the business owner bears final responsibility for any exploits resulting in the loss of privacy or
confidentiality of data, especially personal data.
Mitigate the Risk Risk mitigation is the strategy most commonly expected and understood. Through risk mitigation, an
organization takes steps—sometimes involving the spending of money on new systems or technologies—to fix and
prevent any exploits from happening. This can involve taking steps to totally eliminate a particular risk or taking steps to
lower the likelihood of an exploit or the impact of a successful exploit. The decision to undertake risk mitigation will
heavily depend on the calculated cost–benefit analysis from the assessments.
NIST (e.g. SP 800-30 for risk assessment and the SP 800-37 Risk Management Framework), ENISA and ISO
31000:2018 are risk management frameworks, each focused on systems, the threats to them and the risks those
threats pose.
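The SLE/ARO/ALE calculations and the accept/avoid/transfer/mitigate decision above come together in a cost-benefit comparison. The following Python is an added example, not code from these notes or from the CCSP CBK: it computes SLE and ALE for three constructed risks, applies a candidate safeguard to get the residual ALE, values the safeguard with the standard formula (ALE before minus ALE after minus the annual cost of the safeguard), and maps the result onto a response. The asset values, exposure factors, ARO figures, control costs and the $25,000 risk-appetite threshold are all made-up inputs, and the `Risk`, `Safeguard`, `safeguard_value` and `recommend` names are this example's own.

```python
"""Quantitative risk assessment (SLE, ARO, ALE) and safeguard cost-benefit decision.
Added illustration; every number below is constructed, not from a real assessment."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair with the inputs a quantitative assessment needs."""
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost in one successful exploit (0.0 to 1.0)
    aro: float              # ARO: expected successful exploits per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control that lowers impact (EF), likelihood (ARO) or both, at an annual cost."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = EF unchanged
    new_aro: Optional[float] = None              # None = ARO unchanged

    def apply(self, risk: Risk) -> Risk:
        """Return the residual risk once this safeguard is in place."""
        ef = risk.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = risk.aro if self.new_aro is None else self.new_aro
        return replace(risk, exposure_factor=ef, aro=aro)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Annual net value of a control = (ALE before - ALE after) - annual cost of the control.
    Positive means the control saves more than it costs each year."""
    return risk.ale() - safeguard.apply(risk).ale() - safeguard.annual_cost


def recommend(risk: Risk, safeguard: Safeguard, risk_appetite: float) -> str:
    """Map the numbers onto the four response categories.
    risk_appetite is the largest ALE management will carry for a single risk
    (set by senior management; the figure used below is a constructed example)."""
    if risk.ale() <= risk_appetite:
        return "accept"            # within appetite: cheaper to live with than to fix
    if safeguard_value(risk, safeguard) > 0:
        return "mitigate"          # the control pays for itself
    # Over appetite, yet the control costs more than it saves: consider insurance
    # (transfer) or dropping the activity (avoid). Transfer is not always available;
    # liability for regulated personal data stays with the controller.
    return "transfer or avoid"


RISK_APPETITE = 25_000.0  # constructed: maximum ALE accepted for any single risk

# Constructed scenarios: (risk, candidate safeguard). Dollar figures are illustrative only.
SCENARIOS = [
    (Risk("customer PII database breach", 2_000_000, 0.25, 0.2),
     Safeguard("encryption at rest + key management", 40_000, new_exposure_factor=0.05)),
    (Risk("public website defacement", 50_000, 0.10, 2.0),
     Safeguard("web application firewall", 15_000, new_aro=0.5)),
    (Risk("ransomware on file server", 500_000, 0.60, 0.1),
     Safeguard("offline backups + restore testing", 50_000, new_exposure_factor=0.20)),
]


def assessment_table(scenarios=SCENARIOS, appetite=RISK_APPETITE):
    """Run the assessment for every scenario and return one row per risk."""
    rows = []
    for risk, sg in scenarios:
        rows.append({
            "risk": risk.name,
            "sle": risk.sle(),
            "ale": risk.ale(),
            "residual_ale": sg.apply(risk).ale(),
            "safeguard_value": safeguard_value(risk, sg),
            "response": recommend(risk, sg, appetite),
        })
    return rows


if __name__ == "__main__":
    for r in assessment_table():
        print(f"{r['risk']:<30} SLE ${r['sle']:>9,.0f}  ALE ${r['ale']:>8,.0f}  "
              f"residual ALE ${r['residual_ale']:>7,.0f}  control value ${r['safeguard_value']:>8,.0f}"
              f"  -> {r['response']}")
```

Running it shows all three responses: the PII database risk (ALE $100,000) is mitigated because the control nets $40,000 a year; the defacement risk (ALE $10,000) sits under the appetite and is accepted; the ransomware risk (ALE $30,000) is over appetite but the backup control costs $50,000 to remove $20,000 of expected loss, so transfer or avoidance is the next question. Change `RISK_APPETITE` or a safeguard's `annual_cost` to see how the recommendation moves.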
Editor's Notes
GLBA has three components: 1. Financial Privacy Rule: governs the collection and disclosure of customers' financial information. 2. Pretexting Provision: prohibits accessing, or attempting to access, PII under false pretenses.
3. Safeguards Rule: requires adequate security controls to protect customer privacy and PII.