• Online, Self-Paced
Course Description

Alongside the development and uptake of cloud services comes a developing regulatory framework that compels cloud service providers to protect data and to secure the privacy, integrity, and confidentiality of client data and data assets. This course covers the legal and compliance issues that arise when cloud services are governed within such a regulatory framework. It addresses investigative measures and techniques associated with crime investigation, including eDiscovery and forensic data management. The course also touches on privacy, auditing, and reporting as they apply to cloud technology and services, including the audit and assurance reporting standards SAS, SSAE, and ISAE. You will also learn about risk management, outsourcing, and vendor/provider assessment, with particular attention to certifications, access to provider audit data, and data ownership issues. The course covers the essential topics for Domain 6 of the ISC2 Certified Cloud Security Professional (CCSP) examination.

Learning Objectives

Legal Requirements and Risks

  • start the course
  • describe areas of legislative conflict with respect to cloud-hosted services
  • appraise legal risks associated with the provision of cloud services
  • describe how to apply control policy with respect to legal requirements
  • define eDiscovery and its impact on cloud service provision, requirements, and responsibilities
  • define the legislative requirements related to forensic data management

 

Personally Identifiable Information (PII)

  • define PII, outline the difference between contractual and regulated PII, and describe the differences between confidentiality, integrity, availability, and privacy
  • describe the international variations that apply to PII and data privacy

 

Auditing Cloud Services

  • define audit operations and auditor tasks with reference to cloud computing services, and outline distributed service issues with respect to auditing
  • describe audit requirements, scope, and reporting as they apply to cloud services
  • outline challenges associated with auditing the virtualized infrastructure of a cloud-based service
  • define audit reporting against a background of prevailing standards, and outline audit scope and audit regulation requirements with respect to highly regulated industries
  • define gap analysis and audit planning with reference to cloud service auditing
  • describe the deployment of an Information Security Management System (ISMS) and Information Security Control System (ISCS) based on the ISO 27000 series
  • describe the deployment of an ISMS and ISCS with reference to ISO, ITIL, and NIST guidance

 

Enterprise Risk Management

  • describe issues with obtaining details of a cloud service provider's (CSP's) risk management data
  • describe issues surrounding the importance of data ownership and define interrelationships between owner and custodian regarding responsibility
  • outline measures to mitigate risk
  • outline the integration of information security and risk management activities into a formal framework
  • outline the metrics that quantify and measure the extent of a risk associated with cloud service elements and components
  • define key areas of focus for risk assessment, including supplier, vendors, services, and so on

 

Outsourcing Cloud

  • describe business requirements with reference to the Service Level Agreement, GAAP guidelines, and standards
  • describe the vendor and provider vetting process with reference to certifications, audit and event reporting, accreditations, and so on

 

Vendor Management

  • describe the deployment of supply-chain management in the context of cloud services

 

Practice: Cloud Service – Legal and Compliance

  • detail current legislation relating to PII, and define a number of widely adopted auditing compliance frameworks and report types; outline available auditing standards and frameworks; describe ISMS and the applicable standards and guidance; detail a number of cloud service adoption risks; and finally, outline available cloud service-related risk management frameworks

 

Framework Connections

The materials within this course focus on the Knowledge, Skills, and Abilities (KSAs) identified within the Specialty Areas of the National Cybersecurity Workforce Framework listed below.