CCSP Domain 6: Legal and Compliance
The Certified Cloud Security Professional certification, or CCSP, is a certification hosted by the joint effort of (ISC)2 and the Cloud Security Alliance (CSA). This exciting credential is designed for cloud-based information security professionals and ensures that the certification holder has acquired the requisite skills, knowledge and abilities in cloud implementation, security design, controls, operations and compliance with applicable regulations.
The CCSP certification exam comprises six domains: Architectural Concepts and Design Requirements, Cloud Data Security, Cloud Platform and Infrastructure Security, Operations, Cloud Application Security and Legal and Compliance. This article will detail the Legal and Compliance domain of the CCSP exam and what candidates preparing for the CCSP certification can expect on the exam.
The Legal and Compliance domain of CCSP currently accounts for 12% of the material covered by the CCSP certification exam.
6.1 Understand Legal Requirements and Unique Risks within the Cloud Environment
International Legislation Conflicts
If anything can be said about the impact of cloud computing on the world, it is that the legal and compliance side of computing has become markedly more complex. Trans-border disputes have dramatically increased – disputes over data breaches, violations of patents and intellectual property, copyright law, and so on. These disputes existed before cloud computing, but they have become more widespread and more acute. The added complexity comes from the flexible ways in which cloud computing can be configured and implemented to suit different needs. In other words, the simplicity of computing and storage provided by the cloud has led to a complexity of legal issues.
Below is a list of the possible sources of international legislation conflicts:
- Copyright law
- Intellectual property
- Breaches of data protection
- Violation of patents
- Privacy-related components
- Legislative requirements
Appraisal of Legal Risks Specific to Cloud Computing
The following list contains legislative items which may impact cloud environments:
- Legislative law
- State law
- Copyright law
- Piracy law
- Intellectual property rights
- Enforceable governmental request
- Privacy law
- Criminal law
- Tort law: Seeks compensation for victims, shifts legal costs to those responsible, discourages risky, injurious and careless behavior, and vindicates legal rights
- Doctrine of the proper law
- Conflict of laws
Frameworks and Guidelines Relevant to Cloud Computing
The Organization for Economic Cooperation and Development (OECD) guidelines lay out privacy and security guidelines. The latest revision, adopted on September 9, 2013, establishes the following:
- National privacy strategies
- Data security breach notification
- Privacy management programs
Asia Pacific Economic Cooperation Privacy Framework (APEC): The goal of this framework is to promote a consistent approach to information privacy protection. The framework is based on nine principles, including:
- Preventing harm
- Collection limitation
- Use of personal information
- Integrity of personal information
- Security safeguards
- Access and correction
EU Data Protection Directive
In short, EU Directive 95/46/EC is intended to protect the data privacy rights of EU citizens. The directive focuses on:
- The quality of data
- Legitimacy of data processing
- Special processing categories
- The data subject’s data access rights
- Which information is to be given to the data subject
- Data subject’s right to object to data processing
- Data processing confidentiality and security
- Notification of data processing (reporting to a supervisory authority)
The legal dynamic has changed: the cloud service provider is a newly added third party in the legal landscape. Laws, regulations and standards to keep in mind are:
- PCI DSS
- Safe Harbor
- Sarbanes-Oxley Act (SOX)
- ISO/IEC 27050
- CSA guidance
- ISO/IEC 27037:2012
- ISO/IEC 27041:2014-01
- ISO/IEC 27042:2014-01
- ISO/IEC 27043
- ISO/IEC 27050-1
6.2 Understand Privacy Issues, Including Jurisdictional Variation
- Difference between regulated and contractual Personally Identifiable Information (PII)
- PII/data privacy related legislation (country-specific)
- Explain the differences between privacy, confidentiality, integrity and availability of information
6.3 Understand Audit Process, Methodologies and Required Adaptations for a Cloud Environment
Internal and External Audit Controls
- Internal audits should be used first
- Provides independent verification of the effectiveness of the cloud program
- Gives assurance about cloud risk exposure to both the organization’s board and its risk management department/officer
- External audits offer another method of auditing that focuses more on internal controls than on financial reporting
Impact of Requirement Programs by the Use of Cloud Services
The nature of cloud computing has made auditors reimagine how they audit. Auditors now have to ask:
- What universal population do we sample from?
- What are the sampling methods for this highly dynamic environment?
- How can you tell whether the virtualized server you are auditing is the same one that was audited before?
Types of Audit Reports
Successful exam candidates will need to describe:
- SOC 1: Based on Statement on Standards for Attestation Engagements number 16 (SSAE 16)
- SOC 2
- SOC 3
- Agreed-upon procedures and cloud certifications (AUP): Based upon SSAE
Other major considerations that successful exam candidates will need to be able to explain are:
- Restrictions of audit scope statements
- Audit plan
- Gap analysis
- Standards requirements
- Security management system (internal information)
- Security controls system (internal information)
- Relevant stakeholders’ identification and involvement
- Distributed IT model impact, in light of diverse legal jurisdictions and geographical locations
- Compliance requirements specialized for highly-regulated industries
6.4 Understand Implications of Cloud to Enterprise Risk Management
CCSP exam candidates are required to fully explain the following:
- Assess providers’ risk management
- The differences between data controller/owner versus data custodian/processor. For example: risk profile, responsibility, risk appetite
- Provision of regulatory transparency requirements
- Different risk frameworks
- Risk mitigation
- Risk management metrics
- Risk environment assessment, extending to vendor, service and ecosystem
6.5 Understand Outsourcing and Cloud Contract Design
As mentioned in a previous CCSP domain, the business requirements of the organization will be the biggest factor driving how cloud contract and network design play out in practice. The terms set out in the Service Level Agreement (SLA) are therefore critical.
The SLA should, at minimum, cover the following:
- Data security/privacy
- Logging and reporting
- Disaster recovery expectations
- Location of the data
- Data structure/format
- Data portability
- Problem identification and resolution
- Change-management process
- Dispute mediation process
- Exit strategy (including expectations that provider will ensure smooth transition)
SLAs need to include the following components:
- Uptime guarantees
- SLA penalties
- Penalty exclusions
Another important business-requirements consideration is the Generally Accepted Privacy Principles, or GAPP. This AICPA standard describes in detail 74 privacy principles. 74 may seem like a lot to chew on, but chances are you will only encounter the 10 main principles. While some of the other privacy principles may appear on the exam, the main 10 are the most likely to be covered. These include:
- Choice and consent
- Use, disposal, and retention
- Third party disclosure
- Security for privacy
- Monitoring and enforcement
If you are interested in learning about the rest of the GAPP privacy principles, they are documented in the AICPA standard itself.
With the current cloud computing landscape being highly competitive, selecting the right cloud service provider is integral. This goal is complicated by the fact that in a few years many of the current CSPs will cease operations due to competition and other factors. The most important factor is risk exposure; questions to ask include:
- Is the CSP an established technology provider?
- Is cloud service a core business of the CSP?
- Where is the provider located?
- Is the provider financially stable?
- Is the CSP subject to any takeover bids or significant sale of its business units?
- Is the CSP outsourcing any aspect of its service to a third party?
- Are there any contingencies involved with the third-party dependencies?
- Is the company certified against/does it conform with relevant security and professional frameworks/standards?
- How will the provider satisfy relevant legal, regulatory and other compliance requirements?
- Where relevant, how does the CSP ensure the ongoing integrity, confidentiality and availability of information assets in the cloud environment?
- Are adequate disaster recovery/business continuity processes in place?
The aspects of contract management that candidates will be expected to explain are:
- Right to audit
- Access to cloud
- Access to data
6.6 Execute Vendor Management
Supply Chain Management
Supply Chain Risk
- Regular updates giving a clear and concise listing of all reliance and dependence on third parties and key suppliers
- To reduce disruptions and outages to business processes, existing single points of failure should be challenged and acted upon
- Organizations need a quick way to analyze contracts to determine risk
- Supply chain standard: uses Plan-Do-Check-Act (PDCA) as a continual improvement and enhancement life cycle
Studying for and passing your CCSP is going to take effort and dedication. You will be putting in the time to become an expert in six domains of cloud security knowledge and prove that you know your material. But once you pass the exam and achieve that CCSP credential, you’ll be surprised how many doors may open to you. Cloud computing is on the cutting edge of the newest technology, and thanks to your cert, you’re going to be right there with it!