6: Legal and Compliance

6.1 Understand Legal Requirements and Unique Risks within the Cloud Environment

» International Legislation Conflicts
» Appraisal of Legal Risks Specific to Cloud Computing
» Legal Controls
» eDiscovery (e.g., ISO/IEC 27050, CSA Guidance)
» Forensics Requirements

6.2 Understand Privacy Issues, Including Jurisdictional Variation

» Difference between Contractual and Regulated PII
» Country-Specific Legislation Related to PII / Data Privacy
» Difference Among Confidentiality, Integrity, Availability, and Privacy

6.3 Understand Audit Process, Methodologies, and Required Adaptations for a Cloud Environment

» Internal and External Audit Controls
» Impact of Requirements Programs by the Use of Cloud
» Assurance Challenges of Virtualization and Cloud
» Types of Audit Reports (e.g., SAS, SSAE, ISAE)
» Restrictions of Audit Scope Statements (e.g., SAS 70)
» Gap Analysis
» Audit Plan
» Standards Requirements (e.g., ISO/IEC 27018, GAPP)
» Internal Information Security Management System
» Internal Information Security Controls System
» Policies
» Identification and Involvement of Relevant Stakeholders
» Specialized Compliance Requirements for Highly Regulated Industries
» Impact of Distributed IT Model (e.g., diverse geographical locations and crossing over legal jurisdictions)

6.4 Understand Implications of Cloud to Enterprise Risk Management

» Assess Providers Risk Management
» Difference between Data Owner/Controller vs. Data Custodian/Processor (e.g., risk profile, risk appetite, responsibility)
» Provision of Regulatory Transparency Requirements
» Risk Mitigation
» Different Risk Frameworks
» Metrics for Risk Management
» Assessment of Risk Environment (e.g., service, vendor, ecosystem)

6.5 Understand Outsourcing and Cloud Contract Design

» Business Requirements (e.g., SLA, GAAP)
» Vendor Management (e.g., selection, common certification framework)
» Contract Management (e.g., right to audit, metrics, definitions, termination, litigation, assurance, compliance, access to cloud/data)

6.6 Execute Vendor Management

» Supply-chain Management (e.g., ISO/IEC 27036)