(ISC)² CCSP

CCSP Domain #6: Legal, Risk and Compliance [updated 2022]

February 3, 2022 by Mosimilolu Odusanya

Successful candidates must understand the legal and compliance requirements that may impact cloud procurement, usage and security. The following topics are included in this domain, as per the “Official (ISC)2 Guide to the CCSP CBK.” This domain represents 13% of the CCSP certification exam. Earning the CCSP means the candidate has the right knowledge and skills to secure a cloud environment.

Domain 6 — Legal, Risk and Compliance

6.1 Articulating Legal Requirements and Unique Risks within the Cloud Environment

Candidates must understand legal requirements and unique risks presented by cloud computing architectures.

6.1.1 Conflicting International Legislation

Candidates must understand that multiple sets of laws and regulations may apply at once, and the risks introduced by conflicting legislation across jurisdictions and countries. Conflicts may involve copyright and intellectual property law, data breaches (and breach notification), international import/export laws, etc.

6.1.2 Evaluation of Legal Risks Specific to Cloud Computing

Candidates will need to understand legal risks (e.g., data residency vs. data localization vs. data sovereignty) specific to cloud computing.

6.1.3 Legal Frameworks and Guidelines that affect Cloud Computing

Candidates will need to understand the various legal frameworks that may affect the cloud computing environments they maintain. Such frameworks include:

  1. The Organization for Economic Cooperation and Development (OECD)
  2. Asia Pacific Economic Cooperation Privacy Framework (APEC)
  3. General Data Protection Regulation (GDPR)

6.1.4 Additional Legal Controls, Laws and Regulations

Candidates will need to understand other legal, contractual and compliance-driven controls, laws and regulations that may apply. They may include the following:

  1. Health Insurance Portability and Accountability Act (HIPAA)
  2. Payment Card Industry Data Security Standard (PCI DSS)
  3. Sarbanes-Oxley Act (SOX)
  4. National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171)
  5. New York Department of Financial Services (NY-DFS) cybersecurity framework for the financial industry

6.2 Forensics and eDiscovery in the Cloud

Candidates will need to understand the following:

  1. The laws and regulations that may apply to an organization and to an investigation, and how to maintain the chain of custody while complying with them.
  2. Standards from bodies such as the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) and the CSA that are used in collecting digital evidence and conducting forensic investigations in cloud environments.
  3. How to manage a chain of custody from evidence collection to trial during any digital forensics investigation.
  4. The phases of digital evidence handling and the challenges associated with evidence collection in a cloud environment.

6.3 Understanding Privacy Issues

Candidates will need to understand privacy risks and issues cloud environments or technologies may pose.

6.3.1 Difference between Contractual and Regulated Private Data

Candidates will need to understand the difference between contractual private data (e.g., data collected as part of normal business operations and protected by contract) and regulated private data (e.g., personally identifiable information (PII), protected health information (PHI) and payment card data).

6.3.2 Country-Specific Legislation Related to Private Data

Candidates will need to understand the privacy regulations of various jurisdictions (e.g., HIPAA — United States, GDPR — European Union, etc.). Candidates will also need to understand jurisdictional differences and conflicts between these privacy regulations and how to address them.

6.4 Understanding Audit Process, Methodologies, and Required Adaptations for a Cloud Environment

Candidates will need to understand the unique considerations, processes, and controls required to audit cloud environments.

6.4.1 Internal and External Audit Controls

Candidates will need to understand the importance of internal and external audits in meeting regulatory, contractual, security and privacy obligations.

6.4.2 Impact of Audit Requirements

Candidates will need to understand the challenges that the ever-changing nature of a cloud environment creates for an audit and how it affects the audit's scope, evidence and findings.

6.4.3 Identify Assurance Challenges of Virtualization and Cloud

Candidates will need to understand how to perform multiple layers of auditing (of both the hypervisor and the virtual machines) in a cloud environment to obtain assurance.

6.4.4 Types of Audit Reports

Candidates will need to understand the various types of audit reports that can describe the findings from an audit and the auditor’s opinion of the system examined. Examples of audit reports include:

  1. Service Organization Controls (SOC)
  2. Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) certification

6.4.5 Restrictions of Audit Scope Statements

Candidates will need to understand the audit scope restrictions on what an auditor may or may not audit.

6.4.6 Gap Analysis

Candidates will need to understand the value of a gap analysis in identifying issues and gaps against industry standards/frameworks before an audit takes place.

6.4.7 Audit Planning

Candidates will need to understand the process of planning an audit of a cloud environment, whether the audit supports financial reporting or compliance.

6.4.8 Internal Information Security Management Systems

Candidates will need to understand how to design and implement an organization’s ISMS using an acceptable standard such as ISO 27001/2.

6.4.9 Internal Information Security Controls System

Candidates will need to understand the security controls used in managing information security and in establishing an ISMS.

6.4.10 Policies

Candidates will need to understand the various types of policies required to govern an organization’s people, processes and systems. The types of policies required include:

  1. Organizational Policies
  2. Functional Policies
  3. Cloud Computing Policies

6.4.11 Identification and Involvement of Relevant Stakeholders

Candidates will need to understand how to identify the relevant stakeholders who need to be involved in the decision process, the key challenges in identifying those stakeholders, and the governance challenges that may arise when moving to a cloud environment.

6.4.12 Specialized Compliance Requirements for Highly Regulated Industries

Candidates will need to understand the specialized compliance requirements for organizations in highly regulated industries such as healthcare, financial services and government.

6.4.13 Impact of Distributed Information Technology Models

Candidates will need to understand distributed information technology models, the common issues these models cause, and how to mitigate those issues.

6.5 Understand Implications of Cloud to Enterprise Risk Management

Candidates will need to understand the implications that using and maintaining a cloud environment has on an organization’s risk management program and how to mitigate the resulting risks.

6.5.1 Assess Providers’ Risk Management Programs

Candidates will need to understand how to assess cloud service providers’ risk management programs and how to align them with an organization’s own risk management objectives.

6.5.2 Differences Between Data Owner/Controller vs. Data Custodian/Processor

Candidates will need to understand the difference between data owners (data controllers) and data custodians (data processors).

6.5.3 Regulatory Transparency Requirements

Candidates must understand the regulatory transparency requirements imposed on data controllers (and data processors) by various regulations. Examples include breach notification and the transparency requirements imposed by SOX and the GDPR.

6.5.4 Risk Treatment

Candidates will need to understand how to evaluate an organization’s vulnerabilities and the threats that might exploit them, and how to determine the likelihood and impact of such exploitation in order to select a treatment for each risk.

6.5.5 Risk Frameworks

Candidates will need to understand the various risk frameworks that can be used to manage risk in an organization. Examples of such frameworks include:

  1. ISO 31000:2018
  2. European Network and Information Security Agency (ENISA) assessment guides
  3. NIST SP 800-146

6.5.6 Metrics for Risk Management

Candidates will need to understand key cybersecurity metrics that can be tracked to present measurable data to relevant stakeholders.

6.5.7 Assessment of Risk Environment

Candidates will need to understand how to assess a risk environment to cover the cloud environment, vendors and services.

6.6 Understanding Outsourcing and Cloud Contract Design

Candidates will need to understand business requirements, key contractual provisions and potential contractual implications of outsourcing to the cloud.

6.6.1 Business Requirements

Candidates will need to understand key business requirements and how a cloud service provider helps to meet those requirements.

6.6.2 Vendor Management

Candidates will need to understand how to manage risks related to vendors and track service delivery via key performance indicators.

6.6.3 Contract Management

Candidates will need to understand how to manage contract negotiation, creation and execution, and how to monitor contract terms, performance and violations of the stated agreements.

6.6.4 Supply Chain Management

Candidates will need to understand how to manage the supply chain, including vendors, dependencies, single points of failure, etc.

How to prepare for the CCSP Exam

Studying the right material is very important. The official books and material recommended by the (ISC)2 to take the CCSP exam include:

  1. Official (ISC)² CCSP CBK Reference, Third Edition
  2. Official (ISC)² CCSP Study Guide
  3. Official (ISC)² CCSP practice tests
  4. Official CCSP study and practice tests apps
  5. Official (ISC)² CCSP flashcards 


Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions include watching anime and TV shows and travelling.
