
In this video we will cover:
Legal and Compliance (13% of the Test).
Legal? What If you are not a Lawyer?
What do you need to know about the exam?
ENISA Cloud Computing Key Legal Issues.
Contracts
CSP and MSP
Contract Parts
In this video you will learn:
What should you know about information security laws for the test and the fundamental legal issues with the cloud? You are not expected to be a lawyer. Your responsibility is to talk to the lawyers to ensure you are protecting data appropriately.
Moving to the cloud raises significant legal issues, including:
data protection,
availability,
integrity,
confidentiality,
intellectual-property control,
professional negligence,
outsourcing concerns, and
changes in IT and IS control.
These are a few of the topics of concern we have with moving to the cloud.
So it is critical that you read and possibly negotiate your contract with the cloud provider.
Two different terms are used for cloud providers: Cloud Service Provider (CSP) and Managed Service Provider (MSP). It is good to know the difference: a CSP delivers the cloud service itself (the IaaS, PaaS or SaaS offering), while an MSP operates and manages IT services on the customer's behalf, which can include managing the customer's use of one or more CSPs. The contractual responsibilities of each are different.
A contract has many parts, including:
MSA - Master Services Agreement, the umbrella agreement that governs the overall relationship,
SLA - Service Level Agreement, which defines measurable service targets such as availability and response time and the remedies (usually service credits) if they are missed, and
PLA - Privacy Level Agreement, the CSA's term for the part of the agreement that describes how the provider handles personal data.
I recommend that you download and look through all of the additional content I have added in the form of files, in particular the CSA Security Guidance v4.0. The CCSP is an (ISC)² exam developed in partnership with the CSA, so the CSA material is directly relevant to the test.
We encourage you to learn more about Legal Intro by watching this complete video. See you in the Next Video.
In this video we will cover:
Privacy laws and regulations.
Standards
In this video you will learn:
Privacy refers to the protection of personal data, a.k.a. personally identifiable information (PII). Protection of personal data is critical these days. PII includes:
your name,
phone number,
biometric information,
geolocation,
educational information,
professional information, etc.
ISO/IEC 27018 is a code of practice for the protection of personally identifiable information in public clouds acting as PII processors; it applies to public cloud providers. Under the EU GDPR, "processing" includes storage, so PII sitting in a cloud makes the cloud provider your PII processor, while you, as the party deciding why and how the data is processed, remain the controller.
We encourage you to learn more about Privacy laws and regulations Intro by watching this complete video. See you in the Next Video.
In this video we will cover:
EU Directive 95/46/EC (the Data Protection Directive, repealed by the GDPR), EU Directive 2002/58/EC (the ePrivacy Directive), and the EU GDPR.
GDPR Privacy Principles.
In this video you will learn:
All about GDPR and its requirements to protect personal data. All of the essential terms such as Data Controller and Data processor are covered in this section.
In this video we will cover:
Other Privacy Laws From Around The World
California Consumer Privacy Act (CCPA)
In this video you will learn:
There are a lot of privacy laws that (ISC)² thinks it would be good for you to know. These include:
Privacy Act 1988 - Australia,
PIPEDA - Personal Information Protection and Electronic Documents Act - Canada,
Act on the Protection of Personal Information (APPI), as amended with effect from 2017 - Japan,
Personal Data Protection Act, Law No. 25,326 - Argentina,
Protection of Privacy Law, 5741-1981, and
Protection of Privacy Regulations (Data Security), 5777-2017 - Israel.
There is also the APEC (Asia-Pacific Economic Cooperation) Privacy Framework. APEC has 21 member economies, and the framework promotes consistent privacy protection across them.
The new California law, the CCPA, has many aspects that look very similar to the EU GDPR, but it is different, so watch the language used. CCPA rights include:
the right to know whether personal information has been collected and what it is,
the right to request that a business delete one's personal information,
the right to receive the data in a portable form to take elsewhere,
the right to opt out of the sale of one's personal information,
with the exception of minors under 16, whose information may only be sold if they (or, for children under 13, a parent) opt in, and
the right to exercise these rights without being discriminated against.
Additional info you may find interesting to explore these ideas further:
Interesting site to browse.
https://www.dlapiperdataprotection.com/index.html
Here is another site for US specific laws by state.
https://www.itgovernanceusa.com/data-breach-notification-laws
We encourage you to learn more about Other Privacy Laws by watching this complete video. See you in the Next Video.
In this video we will cover:
Privacy Management Framework (PMF)
Privacy Maturity Model
In this video you will learn:
The AICPA's Privacy Management Framework (PMF) succeeded its earlier Generally Accepted Privacy Principles (GAPP). The PMF has nine components, e.g. Management; Agreement, notice and communication; Collection and creation; and Use, retention and disposal.
There are different maturity models mentioned within CCSP and the AICPA/CICA Privacy Maturity Model (PMM) is one of them. AICPA is the American Institute of Certified Public Accountants and CICA is the Canadian Institute of Chartered Accountants (now part of CPA Canada).
The AICPA/CICA PMM is based on Generally Accepted Privacy Principles GAPP and Carnegie Mellon’s Capability Maturity Model Integration CMMI.
The Privacy maturity Model has five maturity levels which are Ad Hoc, Repeatable, Defined, Managed, and Optimized. It is recommended that you are familiar with these levels.
We encourage you to learn more about Privacy Management Framework and Maturity Model by watching this complete video. See you in the Next Video.
In this video we will cover:
FEDRAMP
Stored Communications Act (SCA)
CLOUD Act
In this video you will learn:
FedRAMP is also good to know for this test. FedRAMP stands for the Federal Risk and Authorization Management Program. It is a standardized, government-wide approach to security assessment, authorization and continuous monitoring of cloud services used by US federal agencies; an agency can reuse a provider's existing FedRAMP authorization rather than assess the provider from scratch.
The US Stored Communications Act (SCA) applies to service providers. It limits and controls access to stored wire and electronic communications and transactional records held by providers: it restricts what a provider may voluntarily disclose, sets out the legal process (subpoena, court order or warrant) the government needs to compel disclosure, and lets law enforcement require a provider to preserve records while that process is obtained, so that evidence such as cell phone locations and text messages is still available when the request arrives.
The purpose of the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is to extend US law enforcement's reach to data that providers hold across country borders: a provider subject to US jurisdiction must produce data in its possession, custody or control regardless of where it is stored. It is an amendment to the Stored Communications Act (SCA).
We encourage you to learn more about FedRAMP and CLOUD Act by watching this complete video. See you in the Next Video.
In this video we will cover:
A Contract Vs Law
In this video you will learn:
PCI DSS is not a law or regulation; it is essentially a contract. It establishes a requirement to meet the Data Security Standard developed by the Payment Card Industry Security Standards Council (PCI SSC). A merchant agrees to comply as a condition of its agreement with the card brands and its acquiring bank in order to process card payments, so non-compliance is enforced through contractual remedies (fines, higher fees, loss of the ability to process cards) under civil law rather than criminal law.
We encourage you to learn more about Intro to PCI by watching this complete video. See you in the Next Video.
In this video we will cover:
PCI Requirements 1-3
In this video you will learn:
There are 12 requirements for PCI-DSS. It is highly recommended that you be familiar with the 12 requirements. You should know that building and maintaining a firewall is a part of PCI-DSS requirements, it is not necessary to remember that it is number one on the list though. The second one is: never use vendor-supplied default passwords or configurations. The third is you must protect stored cardholder data.
We encourage you to learn more about PCI Requirements 1-3 by watching this complete video. See you in the Next Video.
In this video we will cover:
PCI Requirements 4-6
In this video you will learn:
The fourth is that you must encrypt cardholder data when it is transmitted over a public network. The fifth is that you should use regularly updated antivirus protection. The sixth requirement is to develop and maintain secure systems and applications.
We encourage you to learn more about PCI Requirements 4-6 by watching this complete video. See you in the Next Video.
In this video we will cover:
PCI Requirements 7-12
In this video you will learn:
Seven - The next requirement is to restrict access to cardholder data on a need-to-know basis.
Eight - You should have a unique ID for all that have access to the cardholder data.
Nine - It is necessary to physically restrict access to cardholder data, which means the server that maintains the cardholder Information should be protected.
Ten - Track and monitor all network and cardholder data access.
Eleven - Also, you should be testing your security systems regularly.
Twelve - The last requirement is to maintain an information security policy.
We encourage you to learn more about PCI Requirements 7-12 by watching this complete video. See you in the Next Video.
In this video we will cover:
ITAR & EAR
In this video you will learn:
EAR (Export Administration Regulations) is administered by the Department of Commerce and ITAR (International Traffic in Arms Regulations) by the Department of State. The export of most commercial items, especially dual-use goods, is the concern of the EAR. Cryptography is treated as a dual-use good because it has both civilian and military uses, so exporting cryptographic software or hardware (including deploying it to a cloud region abroad) can require a license or an exemption. The export of defense articles and defense services listed on the United States Munitions List falls under the ITAR; that list can include things like military robotics and unmanned systems.
We encourage you to learn more about ITAR & EAR by watching this complete video. See you in the Next Video.
In this video we will cover:
ICS
NERC CIP
In this video you will learn:
Every country has laws regarding its national infrastructure, and protection of the national power grid is paramount. Industrial control systems (ICS) run on Programmable Logic Controllers (PLCs); connecting the systems that supervise those PLCs to the internet in any manner requires protection, since many of the protocols they speak were designed without authentication.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a set of mandatory, enforceable reliability standards, not merely best practices: energy and utility companies are heavily regulated, and the bulk electric system (BES) must be protected from cyber-attacks.
We encourage you to learn more about ICS by watching this complete video. See you in the Next Video.
In this video we will cover:
Audit Methodologies
Can We Audit A Public Cloud?
SOC 1
SOC 2
Type 1 and 2
SOC 3
In this video you will learn:
When you have to be in Compliance with something whether it's FEDRAMP, ISO documents, PCI-DSS, GDPR, or anything else, we need to do audits. When we think of Compliance we need to consider Laws, Regulations, Contracts, and Policies.
When you do an audit it is a very controlled process. The audit standards include SAS 70 (superseded), SSAE 16 and its successor SSAE 18 in the US, and the international equivalents ISAE 3402 and ISAE 3000.
At the end of the audit you always get a report, and your auditor will tell you about the findings. A finding, which is something noted to be out of compliance, needs to be looked into. The reports are called SOC 1, SOC 2 and SOC 3.
AICPA is the source for SOC 1, SOC 2 and SOC 3. SOC 1 is relevant to the user's internal control over financial reporting: it is what the customer's financial-statement auditor needs.
SOC 2 is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls of a service organization relevant to the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. SOC 1 and SOC 2 each come in two types: a Type 1 report covers the design of the controls at a point in time, while a Type 2 report covers both design and operating effectiveness over a period (typically six to twelve months), which is why customers ask a cloud provider for a SOC 2 Type 2.
SOC 3 covers the same Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality or Privacy) without the details. It is effectively a SOC 2 reduced to the auditor's opinion: a general-use report that serves as a seal of approval for the cloud provider while revealing very little about the environment.
We encourage you to learn more about Audits and SOC reports by watching this complete video. See you in the Next Video.
In this video we will cover:
The GAP
In this video you will learn:
The gap in the gap analysis is between where you are and where you want to be. Where you want to be could be in Compliance with a Law, contract, or Policy.
We encourage you to learn more about Gap analysis by watching this complete video. See you in the Next Video.
In this video we will cover:
CSA STAR
CSA STAR Level 1
CSA STAR Level 2
CAIQ
CCM
In this video you will learn:
CSA stands for Cloud Security Alliance while STAR stands for Security, Trust, Assurance, and Risk Program. As a customer, if you discover a new cloud provider a reasonable question to ask is: can we trust this cloud provider? The STAR registry is a central point to reference that has a lot of information about providers who have decided to register.
Within STAR there are three levels. Level 1 is a self-assessment by the provider (typically a completed CAIQ). Level 2 means a third party audited or certified the provider against the CCM in combination with ISO/IEC 27001 (STAR Certification) or SOC 2 (STAR Attestation), or assessed it against the CSA GDPR Code of Conduct. Level 3 means continuous, ongoing monitoring.
CAIQ stands for Consensus Assessments Initiative Questionnaire. It is a standard set of yes/no questions, organized around the CCM, that cloud providers use to document their security and compliance controls.
The CCM (Cloud Controls Matrix) maps cloud security controls to laws, regulations and standards. If there is a need to comply with multiple documents this matrix can make the work much easier, because one implemented control can be shown to satisfy several requirements at once.
We encourage you to learn more about CSA STAR and CCM by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Assessments / Analysis
In this video you will learn:
There are so many threats that could be realized. Which threats are ones we really need to prepare for? Which threat is the biggest? What would be the most costly? What is the most likely? To uncover those answers we do risk assessments and work towards the best solutions for our business.
Risk appetite is the first question to address: how much risk is the CEO (and the board) willing to take on in pursuit of the business? Are they risk-aggressive or risk-averse?
The risk profile is the amount of risk the organization can tolerate before it would cease to exist.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk appetite and risk profile by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Tolerance
In this video you will learn:
There is a tolerance around risk appetite. Risk tolerance can be used as an indicator of the status of risk. There is a level of tolerance that exists above and below what the CEO believes their risk appetite to be. There are times when they will be a little more risk aggressive and times when they are more risk-averse. That variation gives you risk tolerance.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk Tolerance by watching this complete video. See you in the Next Video.
In this video we will cover:
Basics To Risk
In this video you will learn:
You should definitely be aware of the fundamental terms of risk management.
The first term is an asset. For example my iPhone.
The second thing is a threat. Some kind of harm can happen to the asset. It will impact confidentiality, integrity, and/or availability.
The next thing is the threat source. The threat source is the who or what that causes the threat to be exploited.
Vulnerability is that your phone is small and portable, making it easy to drop.
The impact is the extent of the damage caused by this threat being exploited.
The final point is attack/exploit. This is the actual exploitation. It takes this from a theoretical topic to real.
We encourage you to learn more about Basic Risk Terminology by watching this complete video. See you in the Next Video.
In this video we will cover:
Quantitative Risk Assessment
In this video you will learn:
There are documents on how to do risk assessments, including ISO 31000 (Risk management - Guidelines) and ISO/IEC 27005 (Information security risk management). Some others are highlighted in this video.
There are two risk assessment methods explained: one is qualitative and the other is quantitative. In the quantitative method, the monetary impact of specific threat events is assessed, and there are formulas to calculate it.
If you are worried about a single loss, for example you drop your phone and a car runs over it, your asset value is $1,000 and the exposure factor is 100%. The formula for Single Loss Expectancy is SLE = Asset Value (AV) x Exposure Factor (EF), so here SLE = $1,000 x 1.0 = $1,000.
The Annualized Rate of Occurrence (ARO) is how often this happens per year. Combining the SLE with the ARO gives the Annualized Loss Expectancy: ALE = SLE x ARO. If the phone gets run over once every ten years, ARO = 0.1 and ALE = $1,000 x 0.1 = $100 per year, which is also the most you should spend per year on a control that fully prevents that loss.
We have also highlighted some key points in this short video. We encourage you to learn more about Quantitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Qualitative Risk Assessment
In this video you will learn:
Qualitative risk assessments are a little bit easier. This is when you map the likelihood of an event happening to its expected impact. When you map dozens or hundreds of events you can then prioritize the events that you will prepare for.
Take the contents of the phone again and the concern of dropping it and a car running over it. The questions are: how likely is that, and what would its impact be? Not likely, and not big, are the basic answers.
We encourage you to learn more about Qualitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Reduction/ Mitigation
Risk Transference
Risk Avoidance
Risk Acceptance
In this video you will learn:
After getting through quantitative and qualitative risk assessments the next question to address is “What should we do about it?” There are four choices. Reduce your risk, transfer your risk, avoid your risk and accept your risk.
Let’s start with avoidance. If it’s too risky, don’t do it. When a risk is determined to be too great that activity should not be started. If the business is already engaged, then it should be stopped.
Risk reduction (mitigation) is applying controls to minimize the likelihood or the impact. For example, putting on a mask to reduce the chance of getting COVID.
Risk transference is involving someone else in the recovery if the risk is realized. For example, insurance: if you get sick with COVID and end up in hospital, your insurance should cover those expenses. Note that transferring the financial impact does not transfer accountability; the organization still owns the risk.
The last one is risk acceptance, no matter what else is done in response to risk, there is always at least a chance a risk will occur and there will be an impact felt. That chance must be accepted by the appropriate party.
We have also highlighted some key points in this short video. We encourage you to learn more about Risk Response by watching this complete video. See you in the Next Video.
In this course we walk through all of the critical concepts within the Legal and Compliance domain. Legal is only 13% of the test, but if you are not properly prepared it can have a huge impact on your success. I will guide you through all of the concepts that you need to know and advise you on the level of knowledge that you need to get comfortable with.
There is nearly 3 hours of video content plus course notes based on information from my book: Cloud Guardians.
In here you will learn about privacy laws (especially ones that are good to be aware of), financial laws, health care laws and many other regulations. Privacy laws include the EU's GDPR, Canada's PIPEDA and more.
There are also many US Government laws and regulations that you should be familiar with, such as the CLOUD Act, FedRAMP, and the Stored Communications Act (SCA).
You will be guided through the parts of a contract as well as contractual requirements such as PCI-DSS.
In order to be in compliance with applicable laws, regulations, standards, contracts and policies it is necessary to have audits performed. We will explore the AICPA's attestation standard (SSAE 18) and the resulting reports, such as SOC 2 Type II.
The final piece to this domain is the topic of forensics. Especially how the cloud impacts a forensic investigation.