Domain 6 Legal and Compliance

Question 1

FISMA

Answer 1

With any system that interacts with federal agencies in any way there are extensive requirements under FISMA for compliance with security controls required by the federal government

Question 2

eDiscovery in the Cloud

Answer 2

determined by contractual requirements between the cloud customer and the cloud provider as well as largely driven by the cloud model employed

Question 3

ISC/IEC 27050

Answer 3

Strives to establish an international accepted state for eDiscovery process and best practices

Question 4

Gramm-Leach-Blilley Act GLBA

Answer 4

• Focuses on PII as it relates financial institutions
• Institutions must provide all users and customers a written copy of their privacy policies and practices, including with whom and for what reasons their information may be shared

Question 5

Safe Harbor

Answer 5

• A way to bridge the gap between EU and USA privacy regulations
• Voluntary on behalf of the organization

Question 6

SOX

Answer 6

Regulates accounts and financial practices

Question 7

General Data Protection Regulation - GDPR

Answer 7

• Aims to strengthen and expand on personal and privacy protections
• Adds official restrictions on the exporting of data outside of the EU

Question 8

Directive 95/46 EC

Answer 8

declared data privacy a human right.

Question 9

Russia

Answer 9

Processing and storage of personal information or data on Russian citizens must be done from systems and databases that are physically located in Russia federation

Question 10

Privacy

Answer 10

• Use to be considered part of confidentiality

- related to an individual’s control over their own information and activities

Question 11

Cloud Control Matrix

Answer 11

• provides a detailed approach and framework for cloud customers with a focus on controls that are pertinent and applicable to a cloud environment.

Question 12

SSAE 16

Answer 12

• focused on auditing methods
• SOC reports
• Replaced SAS 70

Question 13

SOC 1

Answer 13

• internal controls as the relate to financial reporting
• Type 1 - policies and procedures at a point in time
• Type 2 - policies and procedures over a period in time (6 month minimum)

Question 14

SOC 2

Answer 14

• Meant to be internal
• Type 1 - report on the suitability of design and controls
• Type 2 - report on the effectiveness of the design and application of security controls

- 5 principles
.Availability
.Confidentiality
.Processing integrity
.Privacy
.Security

Question 15

SOC 3

Answer 15

Meant for external , general use.

Question 16

Audit Scope

Answer 16

• Statement of purpose
• Scope of audit
• Reasons and goals for audit
• Requirements for the audit
• Audit criteria for assessment
• Deliverables
• Classification of audit - sensitivity level

Question 17

AISudit steps

Answer 17

• Define the Scope
• Define Objectives
• Define Scope
• Conduct Audit
• Lesson Learned and Analysis

Question 18

ISO/IEC 27018

Answer 18

• International standard for privacy involving cloud computing

- Five Principles
. Communication
. Consent
. Control
. Transparency
. Independent yearly audit

Question 19

Generally Accepted Privacy Principles (GAPP)

Answer 19

• privacy standard focused on managing and preventing risks to privacy
• developed jointly with Canadian and American Accountants

Question 20

Cloud Contract Considerations

Answer 20

• Access to systems
• Backup and data recovery
• Data retention and disposal
• Definition
• Incident response
• Litigation
• Metrics
• Performance requirements
• Regulatory requirements
• Security requirements
• Termination