6.1 Understand Legal Requirements and Unique Risks within the Cloud Environment
» International Legislation Conflicts
» Appraisal of Legal Risks Specific to Cloud Computing
» Legal Controls
» eDiscovery (e.g., ISO/IEC 27050, CSA Guidance)
» Forensics Requirements
6.2 Understand Privacy Issues, Including Jurisdictional Variation
» Difference between Contractual and Regulated PII
» Country-Specific Legislation Related to PII / Data Privacy
» Difference Among Confidentiality, Integrity, Availability, and Privacy
6.3 Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment
» Internal and External Audit Controls
» Impact of Requirements Programs by the Use of Cloud
» Assurance Challenges of Virtualization and Cloud
» Types of Audit Reports (e.g., SAS, SSAE, ISAE)
» Restrictions of Audit Scope Statements (e.g., SAS 70)
» Gap Analysis
» Audit Plan
» Standards Requirements (e.g., ISO/IEC 27018, GAPP)
» Internal Information Security Management System
» Internal Information Security Controls System
» Policies
» Identification and Involvement of Relevant Stakeholders
» Specialized Compliance Requirements for Highly Regulated Industries
» Impact of Distributed IT Model (e.g., diverse geographical locations and crossing over legal jurisdictions)
6.4 Understand Implications of Cloud to Enterprise Risk Management
» Assess Providers Risk Management
» Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility)
» Provision of Regulatory Transparency Requirements
» Risk Mitigation
» Different Risk Frameworks
» Metrics for Risk Management
» Assessment of Risk Environment (e.g., service, vendor, ecosystem)
6.5 Understand Outsourcing and Cloud Contract Design
» Business Requirements (e.g., SLA, GAAP)
» Vendor Management (e.g., selection, common certification framework)
» Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data)
6.6 Execute Vendor Management
» Supply-chain Management (e.g., ISO/IEC 27036)