Welcome to CCSP Domain 6: Legal, Risk, and Compliance—the final frontier of cloud security. In this domain, we navigate the complex landscape where technology meets legislation and risk management. As cloud professionals, we're not just dealing with bits and bytes anymore; we're stepping into a world of contracts, regulations, and ethical considerations.
Domain 6 is all about understanding the legal requirements and unique risks in cloud environments. We'll explore everything from international data privacy laws to vendor management and audit processes. It's where we learn to speak the language of lawyers and risk managers, ensuring our cloud solutions aren't just technically sound, but legally compliant, risk-aware and aligned with the business.
Ready to become the bridge between cloud technology and corporate governance? Let's dive in!
6.1 Articulate legal requirements and unique risks within the cloud environment
Cloud security professionals must be able to articulate the legal requirements and risks that they face when using cloud services. If we don’t understand our requirements and risks, we cannot keep our organizations compliant and secure. Cloud environments introduce a variety of new legal requirements and risks that you need to be aware of. One of the main complications is that it’s now so easy to spread our systems and data across the world, but we still need to abide by the regulations of local, state, federal and other jurisdictions throughout the world.
Conflicting international legislation
If your organization operates internationally, has users from other countries, or uses cloud services that store or process data in other jurisdictions, you need to be exceptionally careful regarding your legal requirements. These issues have become far more complex in the era of cloud computing for a multitude of reasons, including that many organizations no longer store data on-premises, the ease of using international services, and the overall complexity of cloud environments.
Various countries and regions have their own sets of data protection laws and privacy regulations, and these can vary substantially. A good example is Europe’s General Data Protection Regulation (GDPR), which stipulates how organizations must process the data of EU residents, even if the company is based outside of the EU. Laws can even vary within countries.
Your organization is responsible for complying with the relevant laws in each jurisdiction that it operates, so it must engage appropriate legal counsel to ensure that it is meeting its obligations. This can be complicated because there is no ultimate international authority to mediate in situations where there are conflicts between the laws of various jurisdictions.
A non-exhaustive list of regulation you should be aware of includes:
We discuss more privacy-specific regulations in section 6.2. The table below covers several other legal concerns that you need to be aware of:
Conflicts of international law | Sometimes, various international laws can come into conflict with each other, such as the US CLOUD Act and the EU’s GDPR. |
Cross-border transfer restrictions (Trans-border data flow issues) | Some regulations forbid the transfer of data across geographical borders. |
Contractual obligations | In addition to regulatory requirements, your organization will also be subject to contractual obligations. As an example, your organization may have signed contracts that restrict how data can be collected, used, stored and shared. Failure to uphold contractual obligations can result in litigation or other penalties. |
Evaluation of legal risks specific to cloud computing
As we stated in the prior section, the technological shifts involved in cloud computing introduce a number of new legal risks. Cloud computing’s ability to cross borders can make it more difficult to meet compliance requirements. You need to be aware of where your systems, data and users are located, and you need to be in alignment with the relevant regulatory requirements in each jurisdiction. You also may need to prove that your organization is in compliance with the applicable regulatory regimes. In the following section, we discuss some of the frameworks that can help to simplify the process of complying with various international regulations.
Legal framework and guidelines
OECD (Organization for Economic Cooperation and Development) Privacy Guidelines
The basic principles of the OECD’s Privacy Guidelines:
Collection Limitation Principle | The collection of personal data should be limited and only obtained fairly and lawfully. Personal data collection should occur with the knowledge and consent of the data subject, where appropriate. |
Data Quality Principle | Personal data should be relevant, accurate, and complete, and it should be kept up to date. It should also be relevant to the purposes for which it is intended to be used. |
Purpose Specification Principle | The purposes for which personal data is collected should be clearly specified, no later than at the time of collection. The use of data should be limited to fulfilling these purposes. |
Use Limitation Principle | Personal data should only be used in line with the purposes for which it was initially collected. It should only be used for other purposes with the consent of the data subject or by authority of law. |
Security Safeguards Principle | Personal data should be guarded by reasonable security controls against risks like loss, unauthorized access, disclosure, destruction, use, or modification. This means that security controls must be put in place because privacy is unattainable without security. |
Openness Principle | The culture and policy of the organization collecting personal data should be one of openness, transparency, and honesty about how personal data is being used and in what context. There should be measures in place that readily establish whether personal data exists, what its nature is, the main use of the data, as well as the residence and identity of the data controller. |
Individual Participation Principle | Individuals should be able to confirm with a data controller whether or not the controller has data that relates to the individual. They should also have the right to have this data communicated to them:
An individual should be able to challenge data that relates to them. If the challenge is successful, the data should be amended, rectified, erased or completed. |
Accountability Principle | Data controllers should be accountable for complying with measures that implement the principles listed above. |
The Asia-Pacific Economic Cooperation (APEC) Privacy Framework
The APEC Privacy Framework contains nine principles:
Preventing harm | There should be protections in place that prevent the misuse of personal information. |
Notice | Personal information controllers (organizations that collect and use personal data) should have easily accessible statements about their practices and policies related to personal information. All reasonable steps should be taken to ensure that notice is provided before or at the time of collection |
Collection limitation | Personal information collection should be limited to only include information that is relevant to the purposes. |
Uses of personal information | Personal information should only be used to fulfill the purposes of the collection, except:
|
Choice | Individuals should have easily understandable, accessible, clear and affordable mechanisms for exercising choice regarding the collection, use or disclosure of their personal information. |
Integrity of personal information | Personal information should be up-to-date, complete and accurate. |
Security safeguards | Personal information should have appropriate protections against risks like loss, disclosure, unauthorized access, use, modification, destruction or other misuse. |
Access and correction | Individuals should have the option to:
|
Accountability | Personal information controllers should be accountable for complying with measures that implement the above-stated principles. |
eDiscovery
We discussed eDiscovery in Domain 5.4.
Forensics requirements
We discussed forensic requirements in Domain 5.4.
6.2 Understand privacy issues
NIST defines privacy as “The right of a party to maintain control over and confidentiality of information about itself.” Basically, privacy is about having control over the information that we share. Privacy is often seen as an individual right and it has been written into laws around the world. We use security controls to ensure individual privacy—if personal data isn’t secure, then we can’t guarantee its privacy.
Difference between contractual and regulated private (personal) data
Personal data
Sensitive data can be defined in different ways throughout the world. Below are the various categories of sensitive data types, like PII, PHI, and IP:
Personal data is any information that relates to a person. It includes obvious things like addresses, phone numbers and social security numbers, but many other pieces of data also qualify as personal data. Personal information (PI) and personally identifiable information (PII) essentially mean the same thing as personal data, but different jurisdictions sometimes use their own terms with slightly different meanings. Another important term is protected health information (PHI), which we will cover in our discussion on HIPAA in 6.3. You may also come across personal cardholder information (PCI), which is essentially just a term for credit card details.
By now, it should be clear that organizations are obliged to protect data in line with the privacy regulations of the jurisdictions in which they operate. This is referred to as “regulated personal data”. On top of this regulated data, your organization also needs to consider the legal obligations of its contracts. This is referred to as “contractual personal data.”
Abiding by privacy stipulations in contracts is absolutely critical. No organization is one hundred percent vertically integrated, so suppliers are essential. Since we have to rely on the services of third parties and often have to share our data with them, contract law plays a vital role in ensuring that we meet our obligations, even when we no longer have full control over our data.
Looking for some CCSP exam prep guidance and mentoring?
Learn about our personal CCSP mentoring
Country-specific legislation related to private data
Some of the most prominent privacy regulations from across the globe are:
Europe | The General Data Protection Regulation (GDPR):
|
The United States |
|
Canada |
|
China |
|
South Africa |
|
Argentina |
|
South Korea |
|
Australia |
|
Jurisdictional differences in data privacy
The flexibility and international nature of cloud services make them incredibly useful, but there are some drawbacks. One of the major ones is that different jurisdictions have varying data privacy regulations. If your company operates in multiple jurisdictions, or it has users in multiple jurisdictions, then it needs to be aware of which data privacy regulations apply. You need to be incredibly careful, because the flexibility of the cloud makes it easy to accidentally store data in ways that conflict with your obligations.
Standard privacy requirements
The following sections cover some of the more important privacy standards and regulations, such as ISO/IEC 27018, the Generally Accepted Privacy Principles (GAPP) and the General Data Protection Regulation (GDPR).
ISO/IEC 27018
ISO/IEC 27018 provides a code of practice for protecting personally identifiable information (PII) in public clouds. It is intended to be used in conjunction with security controls and objectives from ISO/IEC 27002.
GAPP (now known as the Privacy Management Framework)
The Generally Accepted Privacy Principles (GAPP) framework was renamed the Privacy Management Framework (PMF). It is designed to help management create privacy programs that address both risks and obligations while also facilitating opportunities. It features nine separate components to help organizations address privacy and their obligations.
Management | Organizations must define, document, communicate and assign both responsibility and accountability for privacy procedures and policies. |
Agreement, notice and communication | This component is about data subjects, their personal information and consent. It involves making formal agreements, providing notification, communicating and offering choices to data subjects. |
Collection and creation | Organizations should only collect and create personal information for the purposes outlined in their agreements with data subjects. |
Use, retention and disposal | Personal information should only be used in line with the purposes set out in formal agreements and notices, and only when the data subject has provided explicit (or implicit) consent. |
Access | Organizations should provide data subjects with access to their personal information if they request it. |
Disclosure to third parties | Personal information should only be disclosed to third parties for purposes identified in privacy agreements and privacy notices. |
Security for privacy | Personal information should be protected against unauthorized access, disclosure, alteration, removal and destruction. |
Data integrity and quality | Organizations should maintain accurate, relevant and complete personal information in line with the purposes set out in the notices. |
Monitoring and enforcement | Organizations are responsible for monitoring their own compliance with their privacy procedures and policies. |
The General Data Protection Regulation (GDPR)
One of the important premises of the GDPR is that data protection must be incorporated “…by design and by default”. This means that the design of any new activity or product must consider the data protection principles. The GDPR’s seven protection and accountability principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
The GDPR also contains eight privacy rights for data subjects. These are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The EU-US Data Privacy Framework
In 2022, the European Union and the United States agreed to the EU-US Data Privacy Framework. This voluntary framework grants companies a way to transfer personal data from the EU to the US in a way that protects their privacy and is consistent with EU law. It provides new rights to EU individuals whose data is transferred to participating American companies. These rights include the right to delete or correct inaccurate data, and to obtain access to their data. The EU-US Data Privacy Framework acts as a replacement to the EU-US Privacy Shield and the International Safe Harbor Privacy Principles, both of which faced legal challenges.
The EU-US Data Privacy Framework
In the lower half of the diagram, the IPS is placed in line with the network traffic, because it has the capability to detect, prevent, and correct. As traffic comes into the network, it passes through the IPS. If a rule is triggered for malicious activity, the IPS can act and prevent the suspicious packets from traversing the rest of the network.
Privacy Impact Assessments (PIA)
Privacy impact assessments (PIAs) were introduced as a way to analyze the impacts that information systems will have on privacy. They involve looking at how information is handled and whether the process conforms to privacy requirements. PIAs are sometimes required as part of regulation, such as the US E-Government Act of 2002.
Privacy-level agreements (PLAs)
We’ve already discussed service level agreements (SLAs) in Domain 5.3. Privacy-level agreements (PLAs) are conceptually similar, but with a focus on privacy. Instead of focusing on the amount of uptime and other service details, PLAs are contracts that stipulate how another party must protect an organization’s data. They can contain restrictions on things like:
- The location of data.
- Whether data can be transferred.
- How data is processed.
- How data must be secured.
- The monitoring that must be in place.
- Data portability options.
- Data retention requirements.
- Rules surrounding data breaches, such as how notification must take place, and within what timeframe.
- Accountability requirements.
6.3 Understand audit process, methodologies, and required adaptations for a cloud environment
Not only do our systems need to be secure, but we need to be able to prove they are secure to regulators, customers and other stakeholders. Audits give us a methodical way to probe into our systems to determine their current security posture, highlight weaknesses that need to be addressed, provide solutions that can enhance our security moving forward, and to demonstrate our compliance. There are many different audit frameworks that we can use, depending on the context.
In the cloud, the CSA Cloud Controls Matrix (CCM), which we discussed in Domain 1.4, is tremendously valuable. The matrix includes guidance on best practices for each control, as well as mapping for major standards and frameworks such as:
- HIPAA
- FedRAMP
- ISO/IEC 27001
Internal and external audit controls
There are three types of audits that you need to be aware of:
- Internal audits – These audits are conducted by auditors from the organization on the organization’s processes.
- External audits – These audits are conducted by auditors from the organization on supplier processes.
- Third-party audits – These audits are conducted by independent auditors on supplier processes.
Impact of audit requirements
It’s important for us to understand how cloud environments can impact our audit requirements. The massive differences in architecture between cloud and traditional computing mean that we need to completely change our approach to auditing. Some aspects of auditing in traditional environments become far too complex in the cloud, so we need to find other methods to achieve our goals.
Identify assurance challenges of virtualization and cloud
One of the main assurance challenges that we find in clouds arises from the multitenant environment inherent in public clouds. The fact that cloud providers share their systems and resources across multiple tenants means that cloud customers cannot perform their own audits of public cloud providers. This is because allowing a customer’s auditors full access to the provider’s systems would risk the security and privacy of the other cloud customers sharing the public cloud. Instead of allowing each customer to conduct their own audits, we generally rely on third-party auditors to document the security posture of public cloud providers.
Auditing patch management is another major challenge in cloud environments because the population of systems is in constant flux. With things like immutable workloads, dynamic optimization, and VMs constantly spinning up and down, we run into substantial challenges. Immutable workloads also cause other problems when auditing patch management—you can’t patch them. Instead, you have to change the image.
Types of audit reports
The SSAE 18 standard defines three types of audit reports. These are known as System and Organization Controls (SOC) reports and they include:
- SOC 1 reports – These focus on financial reporting risks and controls.
- SOC 2 reports – These focus on what are known as the five trust principles: security, availability, confidentiality, processing integrity, and privacy. SOC 2 reports often contain a fair amount of confidential information about an organization and they should be protected from unauthorized disclosure. Because of this, you generally have to be an existing customer (or other relevant stakeholder) and sign an NDA before you can access a SOC 2 report. However, certain information contained within a SOC 2 report is valuable for potential customers to know. This is where SOC 3 reports can be helpful.
- SOC 3 reports – These are essentially stripped down and sanitized versions of SOC 2 reports. They are basically marketing tools that potential customers or interested parties can read to gain a basic understanding of a service provider’s controls and compliance.
As security professionals, SOC 2 reports are the most meaningful of the three. However, SOC 1 and 2 reports can also be divided into type 1 and type 2 reports. Note that type 1 and type 2 reports are subcategories of SOC 1 and SOC 2 reports. They are not the same as SOC 1 or SOC 2 reports.
Type 1 report | These focuses on the design of controls at a point in time. |
Type 2 report | A type 2 report examines not only the design of a control but also the operating effectiveness over a period of time. A type 2 report covers everything in a type 1 report and then goes deeper to confirm that controls are operating effectively. |
The variations in SOC reports are:
Restrictions of audit scope statements
Audit scope restrictions limit which functions and components are part of an audit. An audit scope statement is a document that formalizes what aspects the audit will cover, prior to engaging in the audit. They typically describe:
- The objectives of the audit
- The type of audit
- Limitations on the audit’s scope
- Deliverables
- Assessment requirements, criteria and ratings
Placing restrictions on the scope of an audit is important, especially for certain mission-critical components and production systems. We want to conduct our audits in a way that limits the risks to business operations. Some common audit scope restrictions include:
- When auditing can be conducted, such as the time of day.
- Which testing methods can be used.
- Which functions and components can be audited.
Gap analysis
Gap analysis involves looking for any gaps between an organization’s controls and its corporate policy, contractual requirements, or the appropriate standards, such as ISO/IEC 27001. It may involve a random sampling of controls or conducting a complete assessment. The auditor then compiles a report that includes any gaps they have found, recommendations to address them, as well as a rating that specifies the level of compliance with the standard being measured against.
Audit planning
For audits to be comprehensive, they must be planned ahead of time. An audit plan involves:
- Defining the audit objectives
- Defining the audit scope
- Improving processes from past audits.
Internal information security management system
An information security management system (ISMS) is a framework of procedures and policies for managing your organization’s security. One of the most important documents on ISMSs is ISO/IEC 27001. This standard covers the requirements for establishing and improving an ISMS. An ISO/IEC 27001 audit formally documents the state of an organization’s security and provides recommendations on aspects that should be addressed.
Internal information security controls system
ISO/IEC 27002 is a standard that complements ISO/IEC 27001. ISO/IEC 27001 covers the requirements for an ISMS, while ISO/IEC 27002 specifies the control objectives and best practices. It covers cryptography, human resource security, access control, incident response and more.
Another important standard is ISO/IEC 27017. This is a code of practice that adapts the information security controls from ISO/IEC 27002 for cloud services. ISO/IEC 27018 is another critical resource for those who work with clouds. It establishes a code of practice for protecting PII in public clouds.
Policies
Policies are documents that communicate management’s goals and objectives. The table highlights the differences between organizational and functional policies:
Organizational policy | An organizational policy states the objectives and activities of the whole organization. It serves to define the overall purpose. |
Functional policy | Functional policies are more specific, and they can address individual departments, aspects, or functions of the organization. Examples include privacy policies and password policies. |
Identification and involvement of relevant stakeholders
There are many different stakeholders involved in the audit process, and each of them have their own roles and responsibilities. Some of these roles are:
Senior management | Senior management sets the tone from the top. It promotes the audit process and provides support when needed. |
Audit committee | The audit committee is composed of board members and senior stakeholders. The committee provides oversight to the audit program. |
Security officer | The security officer advises on security-related risks that need to be evaluated in the audit program. |
Compliance manager | The compliance manager ensures compliance with applicable laws, regulations, standards, and company policy. |
Internal auditors | Internal auditors are company employees who provide assurance that internal corporate controls are operating effectively. |
External auditors | External auditors provide an independent and unbiased audit report. |
Specialized compliance requirements for highly-regulated industries
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
The North American Electric Reliability Corporation (NERC) is a nonprofit that oversees power systems across the US, Canada, and the Mexican state of Baja California. The Critical Infrastructure Protection (CIP) standard sets out security controls and other requirements for the bulk power system. However, it is no longer used.
The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a US law that includes privacy and security stipulations for the healthcare industry. One major aspect of the law is its regulation of protected health information (PHI). This is personally identifiable information that is related to an individual’s health or healthcare. Due to the sensitivity of PHI, there are many requirements around organizations that collect or process it, as well as for organizations that process it on the behalf of others
Health Information Technology for Economic and Clinical Health (HITECH) Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act is an American law that was passed in 2009. Among its provisions are the promotion of electronic health records (EHRs) as well as bringing in new security and privacy regulations. These regulations include mandatory data breach notifications for entities regulated under HIPAA.
The Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a standard for organizations that handle credit cards and credit card information. The PCI DSS was created to increase controls around cardholder data and to reduce credit card fraud. The volume of transactions processed by a merchant helps determine the method used to validate compliance.
The CLOUD Act
The Clarifying Lawful Overseas Use of Data (CLOUD) Act clarifies earlier US laws and grants law enforcement a mechanism to request access to data stored both in the US and in other countries. The mechanism contains limitations on data requests, with safeguards that recognize the right of a provider to challenge requests, especially when the request conflicts with the laws of other countries.
Impact of distributed information technology (IT) model
We discussed these topics in 6.1. Conflicting international legislation.
6.4 Understand implications of cloud to enterprise risk management
We need to consider the risks of cloud computing from an enterprise risk management perspective in the same way that we would assess any other third-party service, product, acquisition or divestiture. As part of our corporate governance, we want to manage our cloud risks appropriately so that we can gain the benefits from the cloud, without causing compliance and corporate reputation problems that would ultimately subtract value from the organization.
Assess providers’ risk management programs
All major stakeholders should be involved in the decision-making process surrounding cloud endeavors. Our organizations need to ensure that potential cloud providers operate in a way that is consistent with our security, privacy and compliance needs. This involves assessing a potential cloud provider’s risk management program. We do this in a similar way to how we assess all third-party services, because each one can introduce new risks to an organization. We should take the following steps to effectively manage risks from third-party service providers:
- Understand the potential risks.
- Conduct due diligence before beginning the relationship.
- Have contracts in place that are based on our requirements.
- Have contingency plans for terminating the relationship.
- Continue due diligence throughout the relationship.
- Understand and effectively manage the relationship.
Applicable types of controls
There are a wide range of controls that we can use to limit risks to our organizations. We also want to ensure that our cloud providers use the appropriate controls for their services. The seven major types of controls are below:
Directive | Directive controls direct, confine, or control the actions of subjects to force or encourage compliance with security policies. |
Deterrent | Deterrent controls discourage violation of security policies. |
Preventive | Preventive controls can prevent undesired actions or events. |
Detective | Detective controls are designed to identify if an incident has occurred. |
Corrective | Corrective controls are used to minimize the negative impact of an incident. |
Recovery | Recovery controls are designed to recover a system or process and return it to normal operations following an incident. |
Compensating | Compensating controls are typically deployed in conjunction with other controls to aid in enforcement and support of the other controls. |
Categories of controls
Safeguards are proactive controls; they are put in place before an incident has occurred to deter or prevent it from manifesting. Safeguards include directive, deterrent, preventive, and compensating controls.
Countermeasures are reactive controls. They act after an incident has occurred and aim to detect and respond to it accordingly. Countermeasures include detective, corrective, and recovery controls.
Controls can be further classified in three main categories:
Administrative | Policies, procedures, baselines, and guidelines are all classified as administrative controls. Items like background checks, acceptable use policies, network policies, onboarding and offboarding policies, etc., fall into this category. |
Logical or technical | Logical or technical controls are often software-based controls. Firewalls, IDS/IPS, AV, anti-malware, proxies, and similar tools fall under the logical or technical security controls category. |
Physical | Physical controls are controls in the physical world. Doors, fences, gates, bollards, mantraps, and guards all fall under the physical security controls category. |
Aspects of controls: functional and assurance
A good security control should always include two aspects: the functional aspect and the assurance aspect, as shown in both the image and the table.
Functional | Assurance |
---|---|
Controls should perform the functions that they were designed to address. For example, a firewall should be filtering traffic between different subnets. | Controls should have mechanisms that prove that they are functioning properly on an ongoing basis. This is often accomplished through testing, assessments, logging, monitoring, etc. |
Selecting controls
When selecting appropriate security controls, there’s a tendency to select the most expensive and top-performing solutions in an effort to provide the maximum level of security to an environment. However, this approach often isn’t cost effective. When deciding on whether to implement a security control, we should evaluate it against criteria such as:
- Alignment to organizational goals and objectives – Does the control help the organization achieve its goals and objectives, or is the control an impediment?
- Cost-effectiveness – Can the cost of the control be justified?
- Complete control – Are preventive, detective and corrective controls in place? These should be the minimum.
- Functional and assurance – Does the control meet both functional and assurance requirements?
Continuous improvement
The landscape covered by the risk management process is constantly changing—new assets are added, old assets are retired, new threats and vulnerabilities are identified, the potential impacts change, etc. The same applies to our cloud providers. This makes risk management a continuous process that is both arduous and time-consuming, but absolutely essential. A security-focused version of the Deming cycle, also known as plan-do-check-act (PDCA), is shown in the figure below, while the steps are defined in the table. It outlines the cyclical nature of many processes in security, including risk management.
Plan | Determine which controls to implement based on the risks that have been identified. |
Do | Implement the controls. |
Check | Monitor the controls and document their assurance—prove that the controls are operating effectively. |
Act (or adjust) | Take additional actions as necessary. The monitoring from the check step should help you identify actions to take. This leads back around to the planning step. |
Methodologies
Risk management terms
Below contains a list of core terms used in risk management and how they fit together:
Threat agent | An entity that has the potential to cause damage to an asset, such as an external attacker or a disgruntled employee. |
Threat | Any potential danger that can result in harm to an organization or asset. |
Attack | Any attempted harmful action that exploits a vulnerability. |
Vulnerability | A weakness in an asset or a control that could be exploited. |
Risk | Significant exposure to a threat or vulnerability (a weakness that exists in an architecture, process, function, technology, or asset). |
Asset | Anything that is valued by the organization. |
Exposure/impact | Negative consequences to an asset if the risk is realized (e.g., loss of life, reputational damage, downtime, etc.). |
Countermeasures and safeguards | Controls implemented to limit risks and mitigate their potential impacts. Countermeasures are generally seen as reactive while safeguards are proactive. |
Residual risk | The risk that remains after controls have been implemented. |
The figure below shows how all the terms mentioned in the table interconnect.
Asset valuation
Two different forms of analysis can be used to rank the assets of the organization from most to least valuable: qualitative analysis and quantitative analysis. Their main characteristics are:
Qualitative analysis | Quantitative analysis |
---|---|
|
|
|
|
|
|
Threat and vulnerability identification
Risks involve three major components:
- Asset – Anything of value to the organization.
- Threat – Any potential danger that can cause damage to an asset. Threats include things like hacking, earthquakes, ransomware, social engineering, denial-of-service attacks, etc.
- Vulnerability – A weakness in an asset or a control that could be exploited by a threat. Examples include open ports with vulnerable services, lack of network segregation, lack of patching, etc.
To fully understand the risk for a given asset, we must assess the probability and impact of a threat. The impact is whatever negative consequences there may be to the asset or organization if an incident occurs. Finally, the probability is the likelihood of a given threat materializing. The figure below summarizes how these components fit together and how they can be used to identify the risks to a given asset.
Difference between data owner/controller vs. data custodian/processor
There are many different roles in relation to data, and each of these roles have their own responsibilities. One of the most central roles is the data owner. Data owners are the individuals that create or procure the data and work with it on a regular basis. They are ultimately accountable for the asset (such as data) and its protection. Assets must be owned by someone, and owners are accountable for making sure that controls are in place to protect assets.
Owners can delegate responsibility for an asset, but they always remain accountable for the protection of the asset. In other words, accountability cannot be delegated to anyone else.
Below are the various roles and responsibilities relating to data protection within an organization.
Data owner or data controller | A data owner or controller is accountable for the protection of data, holds the legal rights to the data, and defines the policies related to the data. |
Data processor | A data processor is responsible for processing data on behalf of the owner or controller. |
Data custodian | A data custodian has technical responsibility for data. |
Data steward | A data steward has business responsibility for data, such as the metadata definition, data quality, governance, compliance, etc. |
Data subject | An identifiable individual to whom personal data pertains. |
Regulatory transparency requirements
Breach notifications
There are laws in various jurisdictions that require organizations to provide notification if they have been breached. Below lists some of the most commonly known breach notification laws:
The European Union |
|
The United States |
|
The Sarbanes-Oxley (SOX) Act
The Sarbanes–Oxley (SOX) Act was introduced in the wake of the financial fraud at Enron. Better controls were needed to prevent similar incidents from happening. The US Congress enacted SOX to limit financial fraud by public companies and thereby protect the financial interests of shareholders.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a set of data protection rules that apply to all EU member states. As we mentioned above, personal data breaches must be reported within seventy-two hours unless it is unlikely for the breach to pose a risk to the freedoms or rights of people.
Risk treatment (i.e., avoid, mitigate, transfer, share, acceptance)
After the risk analysis process, security should implement the most cost-effective treatments. The right approach depends on the value of the asset and the type of risk identified in the previous steps. The image below shows the ways that risk can be managed, using a diving board as an example.
- To avoid risk means to choose to stop doing whatever exposes the asset to risk.
- To transfer risk means to place the risk on another party, usually an insurance company.
- Sharing risk is similar to transferring risk and can be considered a subcomponent. It involves only shifting a portion of the liability or responsibility to another organization, rather than the entire load.
- To mitigate risk means to implement controls that reduce the risk to an acceptable level. Risk can never be eliminated or reduced to zero. However, it can be reduced enough that residual risk (the risk that remains after controls have been put in place) can be accepted or transferred.
- To accept risk simply means taking no further action to mitigate, transfer, share or avoid risk. This commonly happens when the cost of the control exceeds the value of the asset.
Different risk frameworks
Some of the most popular risk management frameworks are:
NIST SP 800-37 (RMF) | This guide describes the risk management framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. |
ISO 31000 | ISO 31000 is a family of standards relating to risk management. The scope of ISO 31000 is to provide best practice structures and guidance to all organizations concerned with risk management. |
COSO Enterprise Risk Management (ERM) | The COSO ERM provides a definition of essential enterprise risk management components, reviews important principles and concepts, and provides direction and guidance for enterprise risk management. |
ISACA Risk IT Framework | ISACA’s Risk IT Framework contains guidelines and practices for risk optimization, security, and business value. The latest version places greater emphasis on cybersecurity and aligns with the latest version of COBIT. |
NIST SP 800-37
Understanding the RMF is critical, as it underpins just about every facet of operational security governance within an organization. The seven steps of SP 800-37 are:
- Prepare to execute the RMF
- Categorize information systems
- Select security controls
- Implement security controls
- Assess security controls
- Authorize the information system and controls
- Monitor the security posture of the information system
Metrics for risk management
Once controls have been decided upon and implemented, it’s important to understand how well they’re working. One of the best ways to do this is through metrics.
Different metrics will be valuable to different audiences. For example, senior management will be more interested in big picture metrics, while the facilities operations team is more likely to be interested in detailed metrics that apply directly to their everyday work. Once you have identified the risk metrics that matter to your audience, you can measure the critical risks and assess them according to a scorecard. For certain audiences, a simple representation of the risk level will be sufficient to communicate the risks that they should pay the most attention to. We often use risk categories such as:
- Minimal
- Low
- Moderate
- High
- Maximum or critical
Assessment of risk environment
When using the cloud, we need to also assess the risk environment of third-party vendors and services. If our organization is going to rely on a third-party vendor, then we need to understand what risks they bring to our organization. If the risks are too high, we may decide to seek out another solution instead. We can also implement measures to mitigate the risks, transfer the risks, or simply accept them.
6.5 Understand outsourcing and cloud contract design
Outsourcing is a central part of the cloud. When we sign up to a cloud provider, we are outsourcing some aspect of our business to the provider so that we can focus on our core business instead. The cloud is complicated, and outsourcing means that we are ceding some of our control and responsibility to the provider. However, our organization still remains accountable. Because our organization still retains accountability, we must ensure that the service from a cloud provider is able to meet our organization’s obligations, and that these requirements are clearly stipulated in the contracts.
Defining and documenting your organization’s requirements and risks
The first step is to engage with all relevant stakeholders to determine what our requirements are, as well as the risks that a potential vendor could introduce.
Vendor assessment
When choosing a vendor, your organization should look for an established and reputable organization. It is often best to choose a provider that has a lot of experience in the service your organization wishes to acquire.
Your organization should also ensure that a potential vendor is able to handle your organization’s needs, and that it can meet all of your organization’s security, privacy and compliance requirements. Key things to watch out for are portability and interoperability with other services. You do not want your organization to face vendor lock-in, which occurs when it is too costly and difficult to move to a new provider.
Business requirements (e.g., service-level agreement (SLA), master service agreement (MSA), statement of work (SOW))
There are a variety of contracts that can be signed between a service provider and a customer:
Master service agreement (MSA) | A master service agreement (MSA) is a contract that stipulates the relationship between a service provider and a customer. MSAs are foundational documents between the two parties, and they set out the framework for a long-term business relationship. |
Statement of work (SOW) | An MSA sets out the general terms for a long-term relationship between the two parties, while a statement of work (SOW) is a project-based contract. An SOW sets out the details for a specific project between the service provider and the customer. SOWs are governed by the MSA. Having an MSA that sets out the general terms of the business relationship makes it easier and less costly to enter into SOWs for individual projects. |
Service level agreement (SLA) | Service level agreements are contracts signed between providers and customers. They stipulate the levels of service that must be met. |
Service level requirements (SLR) | These documents specify the requirements for a given system. They can form the basis of an SLA. |
Service level objectives (SLO) | These are objectives that are agreed upon between a provider and a customer. They set out performance targets over a period of time. SLOs are generally subcomponents of SLAs. |
Non-disclosure agreement (NDA) | A non-disclosure agreement (NDA) is a contract that places restrictions on what information a party is legally allowed to disclose to others. |
Cloud service agreement (CSA) | CSAs are a set of documents that outline the agreement between a customer and its cloud service provider. |
Acceptable use policy (AUP) | An acceptable use policy stipulates a provider’s rules for how a customer must use its service. |
Vendor management
Once your organization has chosen a vendor and signed the contract, it must manage the vendor relationship for its duration. A key part of vendor management is to monitor the vendor to ensure that it is fulfilling its obligations as specified in the contracts. One component involves monitoring that service levels are being provided at the rates specified in the SLA.
Another important vendor management concept is software escrow. Let’s say that your organization wishes to use software from a vendor, but it is concerned that the vendor may abandon the code or go out of business. One way that your organization can mitigate the risk is to enter into a software escrow agreement with the vendor and a neutral third party. The software vendor periodically sends the source code to the neutral third party for safe keeping. If the software vendor violates the terms of the agreement, such as by going bankrupt or abandoning the code, the neutral third party can then release the code to your organization.
Contract management
When entering a contract with a new provider, your organization’s contract management process is critical. You need to ensure that the provider can meet your organization’s needs and obligations, and that both parties have a clear understanding of where their responsibilities lie. The contracts should include a range of clauses that cover the important aspects of the business relationship. Some common areas for contracts to cover include:
- The right to audit
- Metrics
- Definitions
- Termination
- Litigation
- Assurance
- Compliance
- Access to cloud data
- Cyber risk insurance
Supply-chain management
One of the most important series of standards for supply-chain management is ISO/IEC 27036. It includes four different documents that provide implementation guidance for applying the controls from ISO/IEC 27002 to supplier relationships.
Another important document is ISO/IEC 28000. ISO/IEC 28000 focuses on the requirements for security management systems, including the important aspects of supply-chain security assurance.
CCSP Domain 6 key takeaways
6.1 Articulate legal requirements and unique risks within the cloud environment
Conflicting international legislation
Legal framework and guidelines
eDiscovery
Forensics requirements
6.2 Understand privacy issues
Difference between contractual and regulated private data
Country-specific legislation related to private data