Official (ISC)² CCSP - Chapter 2: Cloud Governance - Legal Risk, and Compliance Domain
Agent of the government
A private citizen becomes an agent of the government when they perform an act that the government would need a warrant for, such as a search and seizure. Under those circumstances, the citizen must follow the same rules as the government.
Minimum requirements, especially regarding security as a minimum level.
Cloud Controls Matrix (CCM)
Lists and categorizes the domains and controls, along with which elements and components are relevant per the controls. This framework enables cooperation between cloud consumers and cloud providers on demonstrating adequate risk management.
Conflict of law
The field of law that resolves the jurisdiction of states or nations with laws that are not in agreement with other states or nations, either domestically or internationally.
The body of law that relates to crime. It proscribes conduct perceived as threatening, harmful, or otherwise endangering to the property, health, safety, and moral welfare of people. Most criminal law is established by statute, which is to say that the laws are enacted by a legislature.
Multiple laws and regulations restrict or do not allow for information to be transferred across borders or to locations where the level of privacy or data protection is deemed to be weaker than their current requirements.
CSA Security, Trust and Assurance Registry (STAR)
The provider will have assessments and certifications that provide differing levels of assurance about the cloud controls they maintain. For instance, some providers have only completed a self-assessment, while others have completed a third-party certification based upon ISO 27001 (Information Security Management System). Still other organizations have completed a third-party attestation of their cloud controls in a SOC 2 report.
The implied or explicit right of a nation or state to determine, by means of its laws, the treatment, care, or disposition (embargo or movement) of data.
Doctrine of plain view
In some U.S. states, a law enforcement officer may seize evidence without a search warrant if they can see it without making entry to where the evidence resides. This applies in digital forensic searches because it is necessary to perform various kinds of searches on digital evidence that may reveal evidence of a crime not noted in the warrant.
"Due care" is a standard of behavior grounded in the concept of "reasonableness." Did the actor exhibit a standard of behavior that is deemed by the law to be "reasonable," i.e., would other individuals in the actor's position act in a similar manner exhibiting an expected standard of due care?
"Due diligence" is not a standard, but rather a mode of conduct. Did the actor do what is appropriate, reasonable, and expected in engaging in a certain activity?
European Economic Area (EEA)
The EEA includes EU countries and also Iceland, Liechtenstein, and Norway. It allows them to be part of the EU's single market.
Switzerland is neither an EU nor EEA member, but is part of the single market—this means Swiss nationals have the same rights to live and work in the UK as other EEA nationals.
European Union (EU)
An economic and political union of 28 countries. It operates an internal (or single) market that allows free movement of goods, capital, services and people between member states.
As of March 2019 these countries include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
Electronic discovery (also called e-discovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
EU Data Protection Directive 95/46 EC
Directive 95/46 EC focuses on the protection of individuals regarding the processing of personal data and on the free movement of such data.
EU General Data Protection Regulation 2016
Introduces many significant changes for data processors and controllers. The following may be considered some of the more significant changes: the concept of consent, transfers abroad, the right to be forgotten, establishment of the role of the "data protection officer," access requests, home state regulation, and increased sanctions.
Many countries support a formal process whereby one country transfers a suspected or convicted criminal to another country.
Generally Accepted Privacy Principles (GAPP)
The AICPA describes 74 privacy principles in detail. These serve as a framework for organizations to use to manage privacy risk.
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Modernization Act of 1999, GLBA is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
Statements that aren't designed for enforcement, but principles that can assist in accomplishing objectives.
Harmonization of law
Specifically, in relation to the European Union, harmonization of law (or simply "harmonization") is the process of creating common standards across the internal market.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Adopts national standards in the United States for electronic health care transactions and national identifiers for providers, health plans, and employers. Protected health information can be stored via cloud computing under HIPAA.
The term given to the rules that govern relations between countries.
This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002:2013 and other ISO27k standards.
The "code of practice" provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002:2013, in the cloud computing context.
The first international "code of practice" that focuses on protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002:2013 and provides implementation guidance on ISO/IEC 27002:2013 controls applicable to public cloud personally identifiable information (PII).
ISO/IEC 27050 consists of six major components across the discovery phase of a lawsuit, with an emphasis on the discovery of electronically stored information (ESI).
A guidance standard not intended for certification purposes; implementing it does not address specific or legal requirements related to risk assessments, risk reviews, and overall risk management.
The practical authority granted to a legal body to administer justice within a defined area of responsibility.
Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a legal hold to ensure the preservation of relevant documents.
NIST SP 800-37r2
This publication details the NIST Risk Management Framework, a process for managing security and privacy risk. It integrates the Risk Management Framework (RMF) into the system development lifecycle (SDLC) and provides processes (tasks) for each of the six steps in the RMF at the system level.
NIST SP 800-53r4
A standard to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
The Privacy Act 1988 (Privacy Act) is an Australian law that regulates the handling of personal information about individuals. This includes the collection, use, storage, and disclosure of personal information, and access to and correction of that information.
General high-level statement that prescribes actions and consequences for organizational members.
The methods and instructions on how to maintain or accomplish the directives of the policy.
Sarbanes-Oxley Act (SOX)
U.S. legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise.
Service Organization Controls 1 (SOC 1)
Reports on controls at a service organization relevant to user entities' internal control over financial reporting. Used to provide information to the auditor in order to enable risk assessment.
Service Organization Controls 2 (SOC 2)
Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. Used to provide management and specified entities with information.
Service Organization Controls 3 (SOC 3)
Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. Used to provide information for general use by any interested party.
Implementable selections of tools, technology, hardware, and software.
The subpoena is deemed issued by an officer of the court and must be obeyed in much the same manner as a warrant.
A body of rights, obligations, and remedies that sets out reliefs for persons suffering harm because of the wrongful acts of others.
Trust Services Principles and Criteria (TSP)
An auditing system whereby various criteria areas are evaluated along with controls within an organization.
Authorization issued by a magistrate or other official allowing a constable or other officer to search or seize property, arrest a person, or perform some other specified act.