WEBVTT

00:00:00.740 --> 00:00:04.820
Let's take a few minutes to review the primary points of

00:00:04.820 --> 00:00:06.970
the legal, risk, and compliance domain.

00:00:07.180 --> 00:00:07.820
First,

00:00:07.830 --> 00:00:13.860
it's really important to pay attention to the exam content outline that

00:00:13.860 --> 00:00:19.670
shows that there are five main areas. Articulate legal requirements and

00:00:19.670 --> 00:00:24.060
unique risk within the cloud environment is the first of five areas

00:00:24.060 --> 00:00:27.660
that you need to know for the exam. Understand privacy issues.

00:00:27.660 --> 00:00:32.759
Understand audit process, methodologies, and required adaptations for a

00:00:32.759 --> 00:00:33.880
cloud environment.

00:00:33.890 --> 00:00:38.370
Understand implications of cloud to enterprise risk management. And

00:00:38.370 --> 00:00:42.820
understand outsourcing and contract design in the cloud.

00:00:42.830 --> 00:00:47.530
The key point to recall is to make sure that whatever the law

00:00:47.540 --> 00:00:52.020
is in the place where you are consuming cloud services needs

00:00:52.020 --> 00:00:53.740
to be observed and followed.

00:00:53.750 --> 00:00:58.310
Also, risk management is not just being risk averse,

00:00:58.320 --> 00:01:02.900
it's actually applying what the business focus is in the

00:01:02.900 --> 00:01:07.720
security practice. And when you want assurance for maintaining

00:01:07.730 --> 00:01:10.230
and consuming services in the cloud,

00:01:10.240 --> 00:01:13.550
you have to follow through with cloud audits.

00:01:13.560 --> 00:01:17.390
Sometimes it just means consuming the audit that's already been done

00:01:17.390 --> 00:01:21.890
for you. From a legal and regulatory requirements perspective, always

00:01:21.890 --> 00:01:24.740
know first what the global standards are,

00:01:24.750 --> 00:01:28.290
what kind of international law may have impact on what it

00:01:28.290 --> 00:01:30.030
is that you're trying to accomplish.

00:01:30.050 --> 00:01:33.140
You'll recall during the course, the International Court of

00:01:33.140 --> 00:01:36.610
Justice hears contentious proceedings and other types of

00:01:36.610 --> 00:01:38.850
hearings for international law.

00:01:38.940 --> 00:01:42.710
Regional standards are probably going to be the largest

00:01:42.710 --> 00:01:46.060
difference maker when it comes to what you need to adhere

00:01:46.060 --> 00:01:48.190
to in consuming cloud services,

00:01:48.200 --> 00:01:51.520
but you should also know about municipal standards as well.

00:01:51.520 --> 00:01:55.580
Where regulation focuses on particular business practices, in

00:01:55.580 --> 00:01:57.810
particular industry verticals,

00:01:57.820 --> 00:02:03.120
law focuses on what is required of all citizens of a regime and visitors.

00:02:03.130 --> 00:02:03.740
In essence,

00:02:03.750 --> 00:02:08.240
you are visiting another location when you're consuming cloud services

00:02:08.250 --> 00:02:14.380
outside of the region where you are. Cloud risk management starts with

00:02:14.390 --> 00:02:16.980
understanding the separation between threats,

00:02:16.990 --> 00:02:19.550
threat agents, countermeasures, safeguards,

00:02:19.550 --> 00:02:22.080
controls, assets, impact,

00:02:22.090 --> 00:02:26.660
understanding these things is really important, and being able to make sure

00:02:26.670 --> 00:02:31.250
that you select the proper type of risk management framework for your

00:02:31.250 --> 00:02:37.620
consumption of the cloud. As an example, ISO 31000 is a cloud‑ready risk

00:02:37.630 --> 00:02:42.400
management framework. Quantitative and qualitative analysis, that

00:02:42.410 --> 00:02:48.910
are empirical versus something that is subjective in a qualitative way, both

00:02:48.910 --> 00:02:50.870
of these work well together.

00:02:50.880 --> 00:02:55.730
Qualitative helps to ensure that you are putting the right resources and the

00:02:55.730 --> 00:02:59.370
right focus and the right amount of threat in your environment.

00:02:59.380 --> 00:03:02.800
Then you can follow that up with quantitative. Remember

00:03:02.800 --> 00:03:07.330
the four aspects of risk treatment, the modification of risk,

00:03:07.330 --> 00:03:12.040
the sharing of risk, the avoidance of risk, and risk retention.

00:03:12.050 --> 00:03:16.750
All of these are driven by what the business wants to accomplish.

00:03:17.340 --> 00:03:22.010
Keep in mind, the greatest assurance that you can have in consuming

00:03:22.010 --> 00:03:25.930
cloud services that align with your business requirements is

00:03:25.930 --> 00:03:28.100
through an attestation or certification.

00:03:28.110 --> 00:03:32.670
Attestations follow the course of service organization control audits 1

00:03:32.670 --> 00:03:37.970
and 2, and type 1 and type 2, and certifications are plentiful in the

00:03:37.970 --> 00:03:45.390
cloud. Two noteworthy ones are ISO 27017 and 27018, which are cloud-designed

00:03:45.400 --> 00:03:48.750
certifications for protecting privacy.

00:03:49.340 --> 00:03:52.190
Cloud provider registries are also helpful in your

00:03:52.190 --> 00:03:54.860
selection criteria for cloud consumers.

00:03:54.870 --> 00:03:57.910
Remember EuroCloud, StarAudit, and also the STAR

00:03:57.910 --> 00:04:00.320
registry from Cloud Security Alliance.

00:04:00.740 --> 00:04:08.580
ISO 27017 and 27018 are replicas of ISO 27001

00:04:08.590 --> 00:04:12.260
and 27002, except for the cloud.

00:04:12.560 --> 00:04:16.300
The acceptability of testing on a provider's platform should be

00:04:16.300 --> 00:04:20.260
investigated in the rules of engagement before you test.

00:04:20.839 --> 00:04:21.570
Finally,

00:04:21.760 --> 00:04:26.310
be sure to take the self‑assessment questions that accompany

00:04:26.320 --> 00:04:29.170
the study guide at the end of this domain.

00:04:29.180 --> 00:04:34.620
Think about why one answer is going to be superior to another, and

00:04:34.630 --> 00:04:38.650
make sure to grab that study guide, as it is a good way of thinking

00:04:38.650 --> 00:04:42.130
about terminology through a series of questions.

00:04:42.140 --> 00:04:48.580
Also, make sure that you focus on the domain that is giving you the most

00:04:48.580 --> 00:04:53.550
difficulty now that you have reached the conclusion, this being the sixth of six

00:04:53.550 --> 00:04:57.680
domains. Wishing you the best in your exam endeavors!
