Domain 6 - Legal, Risk and Compliance Flashcards

1
Q

What are the privacy and security guidelines recommended by OECD?

A
  1. Collection limitation principle - consent from subject, limit what you collect
  2. Data quality principle - accurate, complete, up to date
  3. Purpose specification - specify purpose, use data only for that purpose
  4. Use limitation - Do not use or disclose without consent of data subject
  5. Security safeguard - reasonable security safeguards
  6. Openness - policies and practices should be freely disclosed
  7. Individual participation - individual right to know what data about them is collected
  8. Accountability principle - data controller is accountable for compliance.
2
Q

In GDPR, what are the data controller and data processor roles?

A
  • Data Controller - determines the purpose and means of processing data
  • Data Processor - body responsible for processing the data on behalf of the controller.

DCs and DPs have differing levels of responsibility under GDPR.

3
Q

What are the different types of obligations a CCSP should be aware of?

A
  1. Statutory requirements - required by law - e.g. HIPAA, SOX, GLBA
  2. Regulatory requirements - rules issued by a regulatory body; may also be required by law (e.g. GDPR is a regulation in law issued by the European Parliament)
  3. Contracts - agreements between private parties enforced via courts - e.g. PCI DSS
4
Q

What are the key components of a contract between CSC and CSP for data protection?

A
  1. Scope of data processing - e.g. CSPs cannot use data collected from consumers for interface design
  2. Subcontractors - CSP must disclose
  3. Deletion of data - how CSP will delete data
  4. Data security controls
  5. Physical location of data
  6. Return or surrender of data - when relationship ends
  7. Audits
5
Q

What are the principles that ISO 27018 verifies?

A
  1. Consent
  2. Control - customers shall have explicit control over their data
  3. Transparency - CSPs must reveal subcontractors and data location
  4. Communication - incidents should be communicated to customers
  5. Audit - CSPs must subject themselves to third-party (3P) audits
6
Q

What are the differences between the SOC 1 to 3 reports?

A

SOC 1 - focus on financial controls
SOC 2 - Type 1 and Type 2 reports - focus on security, availability, processing integrity, confidentiality and privacy controls
SOC 3 - less detailed than SOC 2; meant for general users; freely distributed; no sensitive details

7
Q

What’s the difference between SOC2 Type 1 and SOC2 Type 2 reports?

A
  • SOC2 Type 1 verifies the suitability of the design of controls for achieving the control objectives at a specific point in time.
  • SOC2 Type 2 verifies the operating effectiveness of the controls over a given period of time.
8
Q

What is the SSAE and ISAE?

A

SSAE - Statement on Standards for Attestation Engagement; the audit standard on which auditors base the SOC reports they issue. SSAE 18 is the latest version. Produced by the AICPA.

ISAE - International Standards for Attestation Engagement - international version of the SSAE.

9
Q

What are the levels in CSA’s STAR certification?

A

STAR = Security, Trust, Assurance and Risk
Level 1 - self-assessment - complimentary offering
Level 2 - third-party assessment; collaboration between AICPA and CSA (SOC 2 engagement)
Level 3 - continuous monitoring through automated processes; CSA is still defining this certification

10
Q

What is an ISMS?

A

Information Security Management System
A systematic approach to information security
Designed to protect and manage an organization’s information assets.
People, processes and technology

11
Q

What are the benefits of an ISMS?

A
  • Security of data in multiple forms - paper, digital
  • Cyberattacks - resilience to cyber attacks, as organizations are better prepared
  • Central information management - prevents shadow systems and eases management of security
  • Risk management - a codified set of processes reduces operational risk and increases security
12
Q

What are the five components of NIST’s Cybersecurity Framework?

A
  1. Identify
  2. Protect
  3. Detect
  4. Response
  5. Recover

Mnemonic: In Public, Drink Reasonably and Responsibly.

13
Q

What are the different categories of policies in an organization?

A
  • Organizational policies - designed to communicate values, and views of the organization
  • Functional policies - how employees can make use of systems and data - e.g. Email use policy, Password policy, data classification policy, vuln. management policy
  • Cloud Computing Policy - how employees may use the cloud (Remote Access, Encryption, Incident Response).
14
Q

In the US, what are the two main export control laws?

A
  • ITAR & EAR (Export Administration Regulations)
  • ITAR focuses on defense articles and services. ITAR-controlled items are listed in the USML (US Munitions List).
  • EAR covers restrictions on commercial/dual-use items. The relevant list is the CCL (Comms Control List).
15
Q

ISO Standards - Most Important Ones

A
  • ISO 27001 & 27002 - Info. Sec Management System
  • ISO 27017 - Cloud Specific Controls
  • ISO 27018 - Personal Data Protection/PII
  • ISO 27034 - Application Security
  • ISO 27701 - Privacy Information Management
  • ISO 20000 - IT Service Management
  • ISO 15408 - Common Criteria/EAL