CCSP Domain 6: Legal, Risk, and Compliance Flashcards

1
Q

Policies

A

Interpretations of laws and practices deemed essential to the firm; policies form the foundation of corporate governance by setting rules that must be followed by employees of the firm. As such, they require approval by senior management and carry penalties for non-compliance.

Policies, which are general principles, are often supported by standards – unambiguous benchmarks for compliance with policy – and guidelines – prototype policies and standards for emerging but as of yet undecided rules of conduct.

2
Q

Criminal Law

A

A body of rules and statutes that define conduct prohibited by the government so as to foster the safety and well being of the public.

3
Q

Tort Law

A

A body of rights, obligations, and remedies that set out relief for people suffering harm because of the wrongful acts of others.

4
Q

E-discovery

A

The identification, preservation, collection, processing, review, analysis, or production of electronically stored information.

Triggered by: investigation of a crime, internal policy violation, recovery from accidental damage, legal hold, and violations of compliance or regulations.

5
Q

Forensic Requirements

A

1) Document all steps taken and discoveries made
2) Photograph computer set-ups and peripheral devices used in discovery (e.g. show your work)
3) Before touching a system, photograph / note any information displayed on the monitor, peripherals, etc.
4) Maintain chain of custody – e.g. ideally, have one person gather all evidence

6
Q

ISO/IEC 27037

A

Guidance on identification of data sources, acquisition of data, and preservation of data in e-discovery and forensic analysis.

7
Q

Five Rules of Evidence

A

1) Be authentic : evidence needs to tie back to the scene (i.e. a clean chain of custody)
2) Be accurate : evidence must have authenticity and veracity
3) Be complete : gather all evidence even if it contradicts the hypothesis of the investigators
4) Be convincing : the evidence should be clear and easy to understand (i.e. quoniam res ipsa loquitur)
5) Be admissible : evidence must be admissible and probative (material) to the case

8
Q

EU-U.S. Privacy Shield

A

This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the U.S. for commercial purposes.

9
Q

HIPAA

A

The Health Insurance Portability and Accountability Act (HIPAA) sets out the requirements of the U.S. Department of Health and Human Services to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employees.

10
Q

GLBA

A

The Gramm-Leach-Bliley Act (GLBA) is a federal law that controls the ways that financial institutions deal with the private information of individuals.

It is composed of three sections:

1) Financial privacy rule : regulates the collection and disclosure of financial data
2) Safeguards rule : states that firms must actively protect the financial data they hold
3) Pretexting provisions : prohibits access to the financial information of an individual under false pretenses

11
Q

ISO/IEC 27018:2019

A

Code of practice for the protection of personal data in the cloud.

The five principles of ISO/IEC 27018:2019 are:

1) Consent: a provider may not use customer data without express customer consent
2) Control: customers retain explicit control of how their data is used by the provider
3) Transparency: operations must be clearly documented for and described to the customer
4) Communication: breaches and other incidents must be disclosed in a timely manner with sufficient detail
5) Independent annual audit: adherence must be certified by a neutral party via audit

12
Q

GAPP

A

There are ten Generally Accepted Privacy Principles (GAPP) in this privacy framework:

1) Management: policy and procedures are documented and warranted (i.e. say what you do, do what you say)
2) Notice: the nature and management of gathered data is disclosed to the subject, partner, etc.
3) Choice and Consent: Consent is required and the choices available to the subject, partner, etc., are clearly articulated
4) Collection: data collected aligns with the limits established in 1-3, above
5) Use, Retention, and Disposal: are each documented and maintained in operations (i.e. say what you do, do what you say)
6) Access: the data subject may access / review the data you hold about them
7) Disclosure to Third Parties: is limited to 1-3, above
8) Security for privacy: data is protected
9) Quality: data is accurate and has integrity
10) Monitoring and enforcement: as it says on the tin… the system is watched and kept within the range of allowable security states

13
Q

Privacy Maturity Model

A

M1: ad hoc (i.e. repetition of outcomes is by chance)

M2: limited documentation and process (i.e. repeatable outcomes are possible but variance is likely)

M3: defined, the system works in a prescribed way (i.e. repeatable outcomes are most likely)

M4: managed, the system is monitored for performance and improvement (i.e. business continuity is applied)

M5: optimized, the system is designated ‘perfect’ for the environment – note this may be a system with 80% availability or one with 99.999% … ‘optimized’ means ideal within the constraints required or desired by the firm

14
Q

Audit Planning

A

The stages of implementation are:

define audit objectives -> define audit scope -> refine audit processes from lessons learned -> fieldwork -> analysis -> reporting

15
Q

CSA STAR Level 1

A

Self-assessment against the Cloud Controls Matrix (CCM) or the Consensus Assessments Initiative Questionnaire (CAIQ) by the vendor.

16
Q

CSA STAR Level 2

A

This level allows outside certifications to be leveraged for heightened CSA assurance – i.e. similar to SOC II, Type 1.

Acceptable methods are:

1) Attestation via CSA and AICPA (an association of accountants), or,
2) via CSA and Chinese national standards, or,
3) certification via CSA and ISO 27001:2013.

17
Q

CSA STAR Level 3

A

Use of continuous monitoring (à la FedRAMP) of adherence to Cloud Controls Matrix (CCM) security processes and technologies.

^ this is the droid you are looking for if this cloud service is critical or highly important to your operations

18
Q

North American Electric Reliability Corporation / Critical Infrastructure Protection (NERC / CIP)

A

NERC / CIP protects the bulk power system against cybersecurity compromises that could lead to mis-operation or instability.

19
Q

PCI DSS

A

The Payment Card Industry Data Security Standard (PCI DSS) stipulates the benchmark practices required to accept credit card payments.

The standards become more numerous and demanding as the number of credit card transactions increases (e.g. the standards are most strict for the highest volume transactors [ Tier 1 ]).

20
Q

Data Processor

A

A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller. There are situations where an entity can be a data controller, or a data processor, or both.

21
Q

Data Controller

A

The natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by national or community laws or regulations, the controller or the specific criteria for the nomination of the controller may be designated by national or community law.

22
Q

Processing (as regards data)

A

Operations that are performed upon personal data whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure, or destruction.

Processing is made for specific purposes and scopes, for example, marketing, selling products, justice, the management of employer–employee work relationships, public administration, and health services.

23
Q

Personal data

A

Any information relating to an identified or identifiable natural person, such as sensitive/health data, biometric data, and telephone traffic data.

24
Q

Data Owner

A

Holds legal rights and complete control over data elements.

25
Q

Data Custodian

A

Responsible for the safe custody, transport, and storage of the data and implementation of business rules.

26
Q

Data Steward

A

Responsible for data content, context, and associated business rules.

27
Q

Data Subject

A

One who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (e.g., telephone number, IP address).

28
Q

Sarbanes–Oxley Act

A

The Sarbanes–Oxley Act of 2002 (often shortened to SOX) is legislation enacted in the United States to protect shareholders and the general public from accounting errors and fraudulent practices in an enterprise.

The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements.

Sarbanes–Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. There is nothing specified in the act itself, but the broad statements of legal requirements related to executives maintaining “internal controls” over financial data could be used to legally redress any breach of those controls.

29
Q

ISO rebranding of Avoid, Accept, Mitigate, and Transfer via ISO/IEC 27005:2018

A

Avoid > Avoidance: The activity or condition that precipitates the risk is avoided

Accept > Retention: Retaining the risk without further action

Mitigate > Modification: Course of action that implements controls that are technical, environmental, or cultural

Transfer > Sharing: The risk is shared with another party (e.g., could be contractual, sub-contractual, insurance of some type)

30
Q

Due care

A

“Due care” is a standard of behavior grounded in the concept of “reasonableness.” Did the actor exhibit a standard of behavior that is deemed by the law to be “reasonable,” i.e., would other individuals in the actor’s position act in a similar manner exhibiting an expected standard of due care?

31
Q

Due diligence

A

“Due diligence” is not a standard, but rather a mode of conduct. Did the actor do what is appropriate, reasonable, and expected in engaging in a certain activity?

Due diligence has several areas of application in corporate environments; it means a comprehensive appraisal of a business undertaken by a prospective buyer or investor, especially to establish its assets and liabilities and evaluate its commercial potential.

32
Q

ISO / IEC 27050

A

ISO 27050 strives to establish an internationally accepted standard for eDiscovery processes and best practices.

33
Q

SSAE 16

A

Standards for Attestation Engagement (SSAE) 16 replaced the SAS 70 in 2011 and was updated to SSAE 18 on 01 May 2017; this is the foundation for the Service Organization Control (SOC) reports series – e.g. SOC 1, SOC 2, and SOC 3.

These standards are widely used in the United States of America to help satisfy regulatory requirements such as SOX / Sarbanes-Oxley.

34
Q

ISAE

A

The International Auditing and Assurance Standards Board (ISAE) 3402 reports are very similar in nature and structure to SOC 2 reports (e.g. they also come in Type 1 [point-in-time assessment] and Type 2 [six-month review of design and operations]).

While SOC is largely used in the USA, ISAE is used internationally.

35
Q

ENISA, ISO / IEC 31000:2018, and NIST SP 800-146

A

These are different, commonly used, risk frameworks:

European Network and Information Security Agency (ENISA) published a general framework outlining 35 risks that an organization faces, as well as a “Top 8” list of risks based on their probability of realization.

ISO / IEC 31000:2018 is a non-certification standard for risk management from the perspectives of designing and implementing a risk management program.

NIST SP 800-146, “Cloud Computing Synopsis and Recommendations,” is a US federal framework similar to ENISA.