This document provides an overview of the CCSP exam, including the 6 domains covered, exam logistics, and key concepts in each domain. Domain 1 discusses cloud roles like cloud service providers, customers, and brokers. Domain 6 covers legal and compliance topics such as privacy laws, data protection regulations, and standards for eDiscovery, auditing, and nonrepudiation in cloud environments. Key frameworks referenced include GDPR, ISO 27001, FedRAMP, and Privacy Shield.
3. Santosh Poduri
About the Exam (CCSP Exam)
Length of exam: 3 hours
Number of questions: 125
Question format: Multiple choice
Passing grade: 700 out of 1000 points
Exam availability: English
Testing center: Pearson VUE Testing Center
4. Domain 1 - Cloud Concepts
Cloud Roles
Cloud Service Provider
Cloud Consumer/Customer
Cloud Broker
Cloud Service Partner
5. Domain 6 - Legal & Compliance
PII: Personally Identifiable Information, e.g. name, email, IP address, postal address (NIST SP 800-122)
- Direct identifiers are data elements that immediately reveal a specific individual.
- Indirect identifiers are the characteristics and traits of an individual that, when aggregated, could reveal the identity of that person. Each indirect identifier by itself is usually not sensitive, but if enough are collected they may provide sensitive information.
• The act of removing identifiers is known as anonymization; certain jurisdictions, laws, and standards require the anonymization of data, including both direct and indirect identifiers. PII is further categorized as contractual PII and regulated PII.
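The direct/indirect distinction above decides what anonymization has to do: direct identifiers are simply dropped, while indirect identifiers (quasi-identifiers) must be coarsened and any combination that still singles out one person suppressed. The following is an added example, not code from the slides: it uses a constructed set of records and a simple k-anonymity check (every quasi-identifier combination must occur at least k times) to show why stripping names and emails alone is not enough. The field names, the generalization rules (ZIP truncated to three digits, birth year to a decade) and the k value are assumptions chosen for the demonstration.

```python
from collections import Counter

# Constructed sample records (not from the page). Each row mixes direct identifiers
# (name, email, ip) with indirect identifiers (zip, birth_year, gender) and one
# attribute we want to keep for analysis (diagnosis_code).
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.com", "ip": "198.51.100.7",
     "zip": "27514", "birth_year": 1984, "gender": "F", "diagnosis_code": "J45"},
    {"name": "B. Example", "email": "b@example.com", "ip": "198.51.100.8",
     "zip": "27516", "birth_year": 1981, "gender": "F", "diagnosis_code": "E11"},
    {"name": "C. Example", "email": "c@example.com", "ip": "198.51.100.9",
     "zip": "27599", "birth_year": 1988, "gender": "F", "diagnosis_code": "I10"},
    {"name": "D. Example", "email": "d@example.com", "ip": "203.0.113.4",
     "zip": "10001", "birth_year": 1970, "gender": "M", "diagnosis_code": "J45"},
]

DIRECT_IDENTIFIERS = {"name", "email", "ip"}          # removed outright
QUASI_IDENTIFIERS = ("zip", "birth_year", "gender")   # generalized, then checked


def generalize(record):
    """Coarsen indirect identifiers so that more people share each combination
    (assumed rules: 5-digit ZIP -> 3-digit prefix, birth year -> decade)."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"                    # 27514 -> 275**
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"  # 1984 -> 1980s
    return out


def quasi_key(record):
    """The tuple of indirect identifiers that could be joined with outside data."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def is_k_anonymous(records, k):
    """True when every quasi-identifier combination appears in at least k rows."""
    counts = Counter(quasi_key(r) for r in records)
    return all(c >= k for c in counts.values())


def anonymize(records, k=2):
    """Drop direct identifiers, generalize indirect ones, and suppress any row
    whose quasi-identifier combination is still shared by fewer than k people."""
    stripped = [{f: v for f, v in r.items() if f not in DIRECT_IDENTIFIERS}
                for r in records]
    generalized = [generalize(r) for r in stripped]
    counts = Counter(quasi_key(r) for r in generalized)
    return [r for r in generalized if counts[quasi_key(r)] >= k]


if __name__ == "__main__":
    print("raw data 2-anonymous?", is_k_anonymous(SAMPLE_RECORDS, 2))
    for row in anonymize(SAMPLE_RECORDS, k=2):
        print(row)
```

On the constructed data the three North Carolina rows collapse into one indistinguishable group after generalization, while the single New York row remains unique even without name, email and IP, so it is suppressed rather than released.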
Types of laws:
1. Criminal Law (e.g. data theft): addresses prohibited conduct and the well-being of the public. Law enforcement is conducted by the government only. All privacy violations around the world fall under this law.
2. Civil Law (e.g. data breach): between two persons/organizations; involves only private entities and is known as a lawsuit or litigation.
- Contracts: a general agreement between parties to engage in some specific activity within a stipulated time. Generally between the CSP and the cloud customer, e.g. SLAs, PCI DSS contracts.
- Breach: failure to perform the activity as per the agreement.
3. Administrative Law: many federal agencies create/monitor/enforce their own administrative law.
- State Law: associated with a particular state in the US.
- Federal Law: law applied across the US (the whole country); it supersedes state law. The Restatement (Second) of Conflict of Laws is the basis for deciding which laws are most appropriate when there are conflicting laws in different states.
- Tort law: a body of rights, obligations, and remedies that sets out relief for persons suffering harm as a result of the wrongful acts of others. Tort actions are not dependent on an agreement between the parties.
6. Domain 6 - Legal & Compliance
- Copyright & Piracy Law: copyright infringement can be performed for financial or non-financial gain.
- Privacy Law: the right of an individual to determine when, how, and to what extent he/she will release personal information.
- The doctrine of proper law: when a conflict of laws occurs, it determines in which jurisdiction the dispute will be heard, based on contractual language expressing an express selection or a clear intention through a choice-of-law clause.
- ECPA (Electronic Communications Privacy Act): restricts government wiretapping and updates those restrictions to cover communications in the form of data.
- GLBA (Gramm-Leach-Bliley Act): allows banks to merge with insurance companies and share customer information, which must be kept secret, and allows customers to opt out of sharing. Also known as the Financial Services Modernization Act of 1999.
- Sarbanes-Oxley Act (SOX): increases transparency into publicly traded companies' financial activities, including securing data, and expressly names the traits of CIA (confidentiality, integrity & availability). Not a privacy or IT security law.
- Health Insurance Portability & Accountability Act (HIPAA): protects patient information, known as ePHI (electronic patient health information). The Office for Civil Rights (OCR) of the Dept. of Health & Human Services conducts audits and issues guidelines. Established in 1996. With technology changes came a new regulation, HITECH (Health Information Technology for Economic & Clinical Health), which provides financial incentives to convert paper data to digital format.
- Family Educational Rights & Privacy Act (FERPA): prevents academic institutions from sharing student information except with parents, up to age 18.
- The Digital Millennium Copyright Act (DMCA): updates copyright provisions to protect owned data in an internet-enabled world. Enables copyright holders to require any site on the internet to remove the content that may
7. Domain 6 - Legal & Compliance
Clarifying Lawful Overseas Use of Data Act (CLOUD Act): allows US law enforcement and courts to compel American companies to disclose data stored in foreign data centers; designed mainly for cloud computing.
FedRAMP: not a law; a US federal program that mandates a standardised approach to security assessments, authorization, and continuous monitoring of cloud products & services. Mandatory for hosting any government agency/contractor.
The EU treats personal privacy protection for data in electronic form as a human right; the US has no specified privacy law. The EU works on an opt-in policy (consent from the individual is needed to store PII); the US works on an opt-out policy.
GDPR (General Data Protection Regulation): describes the appropriate handling of personal & private information of all EU citizens; the world's most powerful personal privacy law. Any entity (government agency, private company, or individual) gathering PII of any citizen of the EU is subject to GDPR. Its principles come from the OECD (Organisation for Economic Co-operation & Development) and include Choice, Purpose, Access, Integrity, Security & Enforcement. GDPR denies doing business with companies in countries where there is no national law that supports GDPR; hence the US brought in the Privacy Shield policy (Safe Harbor, from the Dept. of Commerce). If organizations don't want to follow Privacy Shield, they must create internal policies called binding corporate rules and standard contractual clauses that comply with GDPR.
Roles in GDPR
- Data Subject: the individual to whom the PII refers.
- Data Controller: the entity collecting PII (generally the cloud customer); ultimately responsible for the PII.
- Data Processor: the entity acting on behalf of the data controller, performing manipulation, storage, or transmission of PII (the CSP).
8. Domain 6 - Legal & Compliance
Australian Privacy Act 1988: complies with GDPR, and EU citizens' data can be stored.
PIPEDA (Canada's Personal Information Protection and Electronic Documents Act): complies with GDPR.
Argentina's Personal Data Protection Act: a replica of GDPR; hence many data centres dealing with EU data are in this country.
EFTA (European Free Trade Association) & Switzerland.
APEC (Asia-Pacific Economic Cooperation) Privacy Framework: not legally binding; voluntary compliance.
ISO 27001 – ISMS (Information Security Management System)
• ISO/IEC (International Electrotechnical Commission) 27001:2015 – Guideline regarding information security controls applicable to the provision and use of cloud services & cloud service customers.
- The ISMS is intended to provide a standardized international model for the development and implementation of policies, procedures, and standards that take into account stakeholder identification and involvement in a top-down approach to addressing and managing risk in an organization.
Harmonization Law: the process of creating common standards across the internal market, designed to incorporate different legal systems under a basic framework. Ex: EU directives.
9. Domain 6 - Legal & Compliance
- eDiscovery: the process of identifying and obtaining electronic evidence. eDiscovery can be carried out online and offline (for static systems or within particular network segments). For cloud it is almost always online (SaaS/hosted & 3rd party). ISO/IEC 27050 standards.
- Need for eDiscovery:
Crime investigation
Internal policy violation
Recovery from accidental damage
Legal hold advisories/orders
Compliance/law/regulations
- ISO/IEC 27050 (2016/2017/2018) deals with eDiscovery.
- Types: SaaS-based / hosted-based (provider) & data stored in the cloud (3rd party/specialized resources operating on behalf of the customer).
- ISO/IEC 27037 offers guidance on identifying potential data sources & acquiring the data from the sources.
Chain of Custody & Nonrepudiation: clear documentation of who accessed the evidence, how the evidence was stored, at what time it was modified, and the purpose of any analysis on the evidence. The chain of custody provides nonrepudiation for the transactions detailed in the evidence. Nonrepudiation means that no party to a transaction can later claim that they did not
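The chain-of-custody fields listed above (who, what was done, when, why, and a fingerprint of the evidence) are only useful if a later change to any entry is detectable. The following is an added example, not code from the slides or from any standard: it keeps custody entries in a hash chain (each entry commits to the previous one) and has each custodian authenticate their entry with an HMAC, so rewriting a record, reordering the log, or swapping the evidence shows up on verification. The custodian names, keys, incident id and evidence bytes are constructed; the per-custodian shared keys are a stand-in for the per-custodian private-key signatures a real deployment would use, since only a signature binds an entry to one party in a way they cannot later deny.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed per-custodian keys (assumption for the demo). In practice each
# custodian would hold a private signing key instead of a shared secret.
CUSTODIAN_KEYS = {
    "analyst-a": b"constructed-key-a",
    "analyst-b": b"constructed-key-b",
}
GENESIS = "0" * 64


def evidence_digest(data: bytes) -> str:
    """SHA-256 fingerprint of the evidence as acquired."""
    return hashlib.sha256(data).hexdigest()


def _core_hash(fields: dict) -> str:
    """Hash of the canonical JSON form of an entry's content fields."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def append_entry(log, custodian, action, purpose, evidence, when=None):
    """Add a custody record that links to the previous record and is
    authenticated by the acting custodian."""
    entry = {
        "seq": len(log),
        "who": custodian,
        "when": (when or datetime.now(timezone.utc)).isoformat(),
        "action": action,
        "purpose": purpose,
        "evidence_sha256": evidence_digest(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _core_hash(entry)
    entry["mac"] = hmac.new(CUSTODIAN_KEYS[custodian],
                            entry["entry_hash"].encode(), "sha256").hexdigest()
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (ok, reason): checks sequence/linkage, that each entry's content
    still matches its hash, and that the custodian's authenticator is valid."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_hash"] != prev:
            return False, f"entry {i}: broken link"
        core = {k: v for k, v in e.items() if k not in ("entry_hash", "mac")}
        if _core_hash(core) != e["entry_hash"]:
            return False, f"entry {i}: contents altered"
        expected = hmac.new(CUSTODIAN_KEYS[e["who"]],
                            e["entry_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False, f"entry {i}: custodian authenticator mismatch"
        prev = e["entry_hash"]
    return True, "chain intact"


def evidence_matches(entry, data: bytes) -> bool:
    """Does the evidence we hold now still match what the entry recorded?"""
    return hmac.compare_digest(entry["evidence_sha256"], evidence_digest(data))


def demo():
    evidence = b"constructed disk image bytes"   # stands in for acquired evidence
    log = []
    append_entry(log, "analyst-a", "acquired", "incident IR-0001 (constructed id)", evidence)
    append_entry(log, "analyst-b", "analyzed", "malware triage", evidence)
    results = {"intact": verify_chain(log)[0]}
    # An after-the-fact rewrite of the stated purpose breaks the entry hash.
    tampered = [dict(e) for e in log]
    tampered[0]["purpose"] = "routine backup"
    results["purpose_rewritten"] = verify_chain(tampered)[0]
    # Evidence that no longer matches the recorded digest is caught too.
    results["evidence_swapped"] = evidence_matches(log[-1], evidence + b"\x00")
    return results


if __name__ == "__main__":
    print(demo())
```

Recomputing a tampered entry's hash does not help the tamperer: the next entry's prev_hash no longer matches, and the custodian authenticator cannot be regenerated without that custodian's key.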
10. Domain 6 - Legal & Compliance
- Law: laws are legal rules that are created by government entities such as legislatures.
- Regulations are rules that are created by governmental agencies. Failure to properly follow laws and regulations can result in punitive procedures that can include fines and imprisonment.
- Standards dictate a reasonable level of performance; standards can be created by an organization for its own purposes (internal) or come from industry bodies/trade groups (external).
- Audit: an audit is a review of an environment in order to determine if that environment is compliant with a standard, law, configuration, or other mandate. Stages:
1. Scope
2. Gap Analysis: the gap analysis is a review of the differences, in those areas where the organization is not yet compliant with the given standard/regulation.
3. The AICPA creates and promulgates the Generally Accepted Accounting Principles (GAAP) and Generally Accepted Auditing Standards (GAAS), which auditors and accountants adhere to in practice. The current AICPA audit standard, SSAE 18, outlines three families of audit reports: SOC 1, SOC 2, and SOC 3 (Service Organization Control).
- SOC 1: an audit engagement consisting solely of an examination of organizational financial reporting controls. The SOC 1 is designed to serve the needs of investors and regulators, the two sets of people interested in the financial well-being of the target. The SOC 1 does not serve an information security or IT security purpose.
11. Domain 6 - Legal & Compliance
- SOC 2: SOC 2 reports review controls relevant to security, availability, processing integrity, confidentiality, or privacy.
- Prior to SOC 2, the standard for auditors was the Statement on Auditing Standards No. 70 (SAS 70), which was performed by certified public accountants. Introduced in the early 90s, the intent of the SAS 70 was to report on the effectiveness of different internal function controls. Now replaced with the SSAE 18 standard.
- In the 2010s, the AICPA introduced SOC 1 and SOC 2 reports to address the growing requirement of firms to prove and announce their state of security.
- Type 1: reports only review controls as designed, at a particular moment in time. That is, the audit examines the controls chosen by the target but not how those controls are implemented or how well those controls actually work (design of the controls).
- Type 2: a truly thorough review of the target's controls, including how they have been implemented and their efficacy, over a period of time (usually several months, up to 12 months) (effectiveness of the controls).
- SOC 3: purely for public consumption and serves only as a seal of approval for public display, without sharing any specific information regarding audit activity, control effectiveness, findings, and so on. The major difference
12. Domain 6 - Legal & Compliance
Audit Scope:
• Statement of purpose: an overall summation and definition of the purpose of the audit. This serves as the basis for all aspects of the audit, as well as the audience and focus of the final reports.
• Scope of audit: defines what systems, applications, services, or types of data are to be covered within the scope of the audit. It is an affirmative statement of inclusion, informing the auditors of the structure and configuration of the items to be audited, but it can also list any exclusions or scope limitations. Limitations can apply broadly to the entire audit or exclude certain types of data or queries.
• Reasons and goals for audit: there can be more than one reason for an audit, such as management oversight internal to an organization, assuring stakeholders or users, and a requirement for compliance with regulations or laws.
• Requirements for the audit: defines how the audit is to be conducted, what tools or technologies are to be used, and to what extent they are to be used. Different tools and technologies will test systems and applications to different levels of impact or comprehensiveness, and it is vital to have an agreed-upon approach, as well as to prepare and monitor any systems and applications during testing.
• Audit criteria for assessment: defines how the audit will measure and quantify results. It is vital for the organization and auditors to clearly understand what type and scale of rating system will be used.
• Deliverables: defines what will be produced as a result of the audit. The main deliverable will of course be the actual report, but what format or structure the report is presented in needs to be defined. The organization may have specific format or file type requirements, or regulatory requirements may specify exact formats or data types for submission and processing. This area also includes what parties are to receive the audit report.
• Classification of audit: defines the sensitivity level and any confidentiality requirements of the audit report and any information or documents used during the preparation or execution of the audit. This can be either organizationally confidential or officially classified by the government as Confidential, Secret, or Top Secret.
Gap Analysis
A gap analysis is a crucial step that is performed after all information has been gathered, tested, and verified through the auditing process.
Audit Planning:
Define objectives
Define scope
Conduct the audit
Lessons learned and analysis
Internal Information Security Management System (ISMS)
The ISO/IEC 27001:2013 standard puts forth a series of domains that are established as a framework for
assisting with a formal risk assessment program. These domains cover virtually all areas of IT operations and
procedures, making ISO/IEC 27001:2013 one of the most widely used standards in the world.
Here are the domains that comprise ISO/IEC 27001:2013:
A.5 Management
A.6 Organization
A.7 Personnel
A.8 Assets
A.9 Access Control
A.10 Cryptography
A.11 Physical Security
A.12 Operations Security
A.13 Network Security
A.14 Systems Security
A.15 Supplier/Vendor Relationships
A.16 Incident Management
A.17 Business Continuity
A.18 Compliance
- Policy:
• KRIs (Key Risk Indicators): metrics used by an organization to inform management that there is an impending negative impact to operations. KRIs are forward-looking, whereas KPIs measure what has already occurred.
• Risk Appetite/Tolerance: risk tolerance and appetite are similar descriptors of how the organization views risk. Senior management dictates the amount of risk an organization is willing to take, generally based on the amount of perceived benefit related to the risk.
Quantitative Assessments. Quantitative assessments are data driven, where hard values can be determined and used for comparison and calculation. The following measures and calculations form the basis of quantitative assessments:
SLE: The single loss expectancy value. The SLE is defined as the difference between the original value of an asset and the remaining value of the asset after a single successful exploit. It is calculated by multiplying the asset value in dollars by what is called the exposure factor, which is the loss due to a successful exploit expressed as a percentage.
ARO: The annualized rate of occurrence value. The ARO is an estimated number of times a threat will successfully exploit a given vulnerability over the course of a single year.
ALE: The annualized loss expectancy value. The ALE is the value of the SLE multiplied by the ARO, so ALE = SLE × ARO.
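The SLE, ARO and ALE figures above are what the cost-benefit analysis in "Responding to Risk" is built on: a control is only worth buying when the ALE it removes exceeds its own annual cost. The following Python is an added illustration, not part of these study notes; the asset value, exposure factor, ARO and the three candidate controls are constructed sample figures, and the `recommend_response` rule (mitigate when a control pays for itself, otherwise accept only low-rated risks) is a simplified policy assumed for the example.

```python
"""Quantitative risk figures (SLE, ARO, ALE) and the cost-benefit check
behind a mitigation decision.  Added illustrative example; all dollar
figures and controls below are constructed, not from any real assessment."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    """A candidate mitigation: what it costs per year and how much it
    reduces the annualized rate of occurrence (ARO) of the exploit."""
    name: str
    annual_cost: float     # dollars per year (constructed value)
    aro_reduction: float   # fraction of the ARO the control removes, 0.0 .. 1.0


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value (dollars) x exposure factor (fraction lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected loss per year from this exploit."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def residual_ale(asset_value: float, exposure_factor: float, aro: float,
                 control: Control) -> float:
    """ALE that remains once the control has lowered the ARO."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    return annualized_loss_expectancy(sle, aro * (1.0 - control.aro_reduction))


def control_net_benefit(asset_value: float, exposure_factor: float, aro: float,
                        control: Control) -> float:
    """Annual loss the control prevents minus what the control costs per year.
    Positive: the control pays for itself.  Zero or negative: mitigation costs
    at least as much as the risk it removes."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    before = annualized_loss_expectancy(sle, aro)
    after = residual_ale(asset_value, exposure_factor, aro, control)
    return (before - after) - control.annual_cost


def best_control(asset_value: float, exposure_factor: float, aro: float,
                 controls: List[Control]) -> Optional[Control]:
    """Control with the highest positive net benefit, or None when no control
    is worth more than it costs."""
    best: Optional[Control] = None
    best_net = 0.0
    for control in controls:
        net = control_net_benefit(asset_value, exposure_factor, aro, control)
        if net > best_net:
            best, best_net = control, net
    return best


def recommend_response(risk_rating: str, chosen: Optional[Control]) -> str:
    """Simplified response rule (an assumption of this example): mitigate when a
    cost-effective control exists; otherwise accept only low-rated risks, and
    push moderate/high risks toward transfer or avoidance."""
    if chosen is not None:
        return "mitigate"
    if risk_rating.lower() == "low":
        return "accept"
    return "transfer or avoid"


# Constructed scenario: a $500k customer database, 25% of its value lost per
# successful exploit, expected to be exploited 0.4 times per year.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.25          # -> SLE = 125,000
ARO = 0.4                       # -> ALE = 50,000
CANDIDATE_CONTROLS = [
    Control("Web application firewall", annual_cost=15_000.0, aro_reduction=0.6),
    Control("Full application rewrite", annual_cost=60_000.0, aro_reduction=0.9),
    Control("Additional logging only", annual_cost=5_000.0, aro_reduction=0.1),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    print(f"SLE = {sle:,.0f}  ALE = {annualized_loss_expectancy(sle, ARO):,.0f}")
    for c in CANDIDATE_CONTROLS:
        print(f"{c.name}: net benefit "
              f"{control_net_benefit(ASSET_VALUE, EXPOSURE_FACTOR, ARO, c):,.0f}/yr")
    chosen = best_control(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATE_CONTROLS)
    print("response:", recommend_response("high", chosen),
          "via", chosen.name if chosen else "no control")
```

In the constructed scenario the firewall removes $30,000 of ALE for $15,000 a year (net +$15,000), the rewrite removes $45,000 but costs $60,000 (net -$15,000), and the logging control exactly breaks even, so only the firewall qualifies as a mitigation. Note that the net-benefit calculation says nothing about regulatory limits on transfer; as the notes point out, liability for personal data cannot always be handed to another entity, so "transfer or avoid" still needs a legal check before it is chosen.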
Responding to Risk
There are four main categories for risk responses, as detailed next.
Accept the Risk An organization may opt to simply accept the risk of a particular exploit and the threats posed against
it. This occurs after a thorough risk assessment and the evaluation of the costs of mitigation. In an instance where the
cost to mitigate outweighs the cost of accepting the risk and dealing with any possible consequences, an organization
may opt to simply deal with an exploit when and if it occurs. In most instances, the decision to accept a risk will only be
permitted for low-level risks, and never for moderate or high risks.
Avoid the Risk An organization may opt to take measures to ensure that a risk is never realized, rather than accepting
or mitigating it. This typically involves a decision to not utilize certain services or systems. While this obviously could
lead to significant loss of revenue and customers, it allows an organization to avoid the risk altogether. This is typically
not a solution that an organization will undertake, with the exception of very minor feature sets of systems or
applications, where the disabling or removal will not pose a significant impediment to the users or operations.
Transfer the Risk Risk transfer is the process of having another entity assume the risk from the organization. One
thing to note, though, is that risk cannot always be transferred to another entity. A prime example of transfer is through
insurance policies to cover the financial costs of successful risk exploits. Also, under some regulations, risk cannot be
transferred, because the business owner bears final responsibility for any exploits resulting in the loss of privacy or
confidentiality of data, especially personal data.
Mitigate the Risk Risk mitigation is the strategy most commonly expected and understood. Through risk mitigation, an
organization takes steps—sometimes involving the spending of money on new systems or technologies—to fix and
prevent any exploits from happening. This can involve taking steps to totally eliminate a particular risk or taking steps to
lower the likelihood of an exploit or the impact of a successful exploit. The decision to undertake risk mitigation will
heavily depend on the calculated cost–benefit analysis from the assessments.
NIST, ENISA, and ISO/IEC 31000:2018 are risk frameworks: all of them focus specifically on systems, the threats to them, and the risks those systems face directly.
Editor's Notes
GLBA has 3 components:
1. Financial Privacy Rule: overall collection and disclosure of financial information of customers and users.
2. Pretexting Provision: accessing, or trying to access, PII under false representation.
3. Safeguards Rule: adequate security controls to protect privacy and PII.