CCSP: Domain 6 - Contracts

Question 1

Organization wants to ensure, that it will not be held accountable if something goes wrong that their PaaS provider is responsible for. What should they require in the cloud contract?

Answer 1

indemnification

Question 2

Can legal liability be transferred to the cloud provider?

Answer 2

no

Question 3

What is MSA?

Answer 3

• Master Services Agreement
• document that describes how two organizations intend to work together over time; work is then described in statements of work (SOWs)
• umbrella document that governs many different projects conducted by the same service provider

Question 4

What is SOW?

Answer 4

• Statement of Work
• governs a specific unit of work
• description of a project within Master Services Agreement

Question 5

What should MSA address?

Answer 5

compliance and process requirements the customer is passing along to CSP

Question 6

What should MSA include?

Answer 6

breach notification; CSP duty to inform the customer of a breach within a specific time period after detection

Question 7

Is SLA legally binding?

Answer 7

yes; often includes financial penalties for non-performance, and may allow customer to terminate a contract

Question 8

What is a Service Level Requirement (SLR)?

Answer 8

document that captures the specific requirements and expectations of the customer(s) before the service is designed or implemented; serves as input for the service design process

Question 9

What are the common elements documented in an SLA?

Answer 9

• uptime guarantees
• SLA violation penalties
• SLA violation penalty exclusions and limitations
• suspension of service clauses
• provider liability
• data protection and management
• disaster recovery and recovery point objectives
• security and privacy notifications and timeframes

Question 9

When is Statement of Work created?

Answer 9

after MSA has been executed

Question 10

Is SOW a legal document?

Answer 10

yes

Question 11

What does MSA typically document?

Answer 11

services and prices; focus os “overall, ongoing”

Question 12

What does SOW typically cover?

Answer 12

requirements, expectations and deliverables for a project “limited & specific”

Question 13

When is insurance broker useful?

Answer 13

• when investigating insurance options for organization’s circumstances, including:
  
  • the amount of coverage needed
  • different types of coverage, such as business interruption or cyber extortion
  • security controls that the insurance require, such as MFA

Question 14

When does cyber risk usually cover costs?

Answer 14

• investigation
• direct business losses
• recovery costs
• legal notifications
• lawsuits
• extortion
• food and related expenses