Domain 6: Legal, Risk and Compliance
6.1 Articulate legal requirements and unique risks within the cloud environment
- Conflicting international legislation
- Evaluation of legal risks specific to cloud computing
- Legal framework and guidelines
- eDiscovery
  - International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27050
  - Cloud Security Alliance (CSA) Guidance
- Forensics requirements
6.2 Understand privacy issues
- Difference between contractual and regulated private data
  - Protected health information (PHI)
  - Personally identifiable information (PII)
- Country-specific legislation related to private data
  - Protected health information (PHI)
  - Personally identifiable information (PII)
- Jurisdictional differences in data privacy
- Standard privacy requirements
- Privacy Impact Assessments (PIA)
6.3 Understand audit process, methodologies, and required adaptations for a cloud environment
- Internal and external audit controls
- Impact of audit requirements
- Identify assurance challenges of virtualization and cloud
- Types of audit reports
  - Statement on Standards for Attestation Engagements (SSAE)
  - Service Organization Control (SOC)
  - International Standard on Assurance Engagements (ISAE)
- Restrictions of audit scope statements
  - Statement on Standards for Attestation Engagements (SSAE)
  - International Standard on Assurance Engagements (ISAE)
- Gap analysis
  - Control analysis
  - Baselines
- Audit planning
- Internal information security management system
- Internal information security controls system
- Policies
  - Organizational
  - Functional
  - Cloud computing
- Identification and involvement of relevant stakeholders
- Specialized compliance requirements for highly-regulated industries
- Impact of distributed information technology (IT) model
  - Diverse geographical locations and crossing over legal jurisdictions
6.4 Understand implications of cloud to enterprise risk management
- Assess providers' risk management programs
  - Controls
  - Methodologies
  - Policies
  - Risk profile
  - Risk appetite
- Difference between data owner/controller vs. data custodian/processor
- Regulatory transparency requirements
- Risk treatment
  - Avoid
  - Mitigate
  - Transfer
  - Share
  - Acceptance
- Different risk frameworks
- Metrics for risk management
- Assessment of risk environment
  - Service
  - Vendor
  - Infrastructure
  - Business
6.5 Understand outsourcing and cloud contract design
- Business requirements
  - Service-level agreement (SLA)
  - Master service agreement (MSA)
  - Statement of work (SOW)
- Vendor management
  - Vendor assessments
  - Vendor lock-in risks
  - Vendor viability
  - Escrow
- Contract management
  - Right to audit
  - Metrics
  - Definitions
  - Termination
  - Litigation
  - Assurance
  - Compliance
  - Access to cloud/data
  - Cyber risk insurance
- Supply-chain management