DOMAIN 4 - COMPLIANCE IMPACT ON CLOUD CONTRACTS, COMPLIANCE SCOPE Flashcards
_______ validates awareness of and adherence to corporate obligations (e.g., corporate social responsibility, ethics, applicable laws, regulations, contracts, strategies and policies).
Compliance
_______ are a key tool for proving (or disproving) compliance.
Audits
________ is a tool of governance; it is how an organization assesses, remediates, and proves it is meeting these internal and external obligations.
Compliance management
_________, in particular, typically have strong implications for information technology and its governance, especially in terms of monitoring, management, protection, and disclosure.
Regulations
________ are thus an important tool to assure compliance, and evaluation and testing of these controls is a core activity for security professionals.
Security controls
As with security, compliance in the cloud is a ______ model.
shared responsibility
The customer is always ultimately responsible for their own ________.
compliance
Cloud customers, particularly in ________, must rely more on third-party attestations of the provider to understand their compliance alignment and gaps.
public cloud
Many cloud providers are certified for various regulations and industry requirements, such as PCI DSS, SOC1, SOC2, HIPAA, best practices/frameworks like CSA CCM, and global/regional regulations like the EU GDPR. These are sometimes referred to as _______ audits.
pass-through
A pass-through audit is a form of ______.
compliance inheritance
Compliance inheritance: in this model, all or some of the cloud provider's ________ undergo an audit to a compliance standard. The provider takes responsibility for the costs and maintenance of these certifications.
infrastructure and services
It is still the responsibility of the customer to build _____ applications and services on the cloud.
compliant
This means the provider’s infrastructure/services are not within scope of a customer’s ________. But everything the customer builds themselves is still within scope.
audit/assessment
Not all features and services within a given cloud provider are necessarily compliant and ______ with respect to all regulations and standards.
certified/audited