as I mentioned earlier. Liability is always a concern for senior management. We want to make sure that we're in compliance with laws and regulations. But we also want to make sure that we're protecting company assets as we should. We don't want to be on the wrong end of a civil suit with our stockholders, you know, suing us for failing to use due care and due diligence.
We want to make sure that we do the right thing. We follow our professional responsibility. So, a handful of terms here. I've already mentioned these in earlier slides, but just to get you caught up: when we talk about data privacy, we're protecting the confidentiality of information. I think everybody knows that. But again, the idea is that certain types of data, and it's up to us to secure data based on those privacy policies: personally identifiable information, personal financial information, personal health care information. We have the legal responsibility, based on different laws and regulations, to protect that information. Okay.
Audit determines compliance. Are we in compliance or out of compliance? The way you know is that you audit it. Okay. And that compliance could be internal compliance or external compliance. But "are we in compliance?" is audit. Don't confuse that with what we talk about later. "Are we in compliance?" is auditing. "Will it work?" We have to test. So, am I following policy? You audit to know that. But is policy effective? Then you've really got to test. Okay. All right. Due diligence and due care. We said due diligence is the research; due care is the action. So if I were to ask you, in matters regarding culpable negligence, which is more significant? For culpable negligence, meaning it's your fault, which is more significant, due diligence or due care? It's great, whatever you know. But if you don't act on that, then you could be found negligent.
All right, and then service level agreements. I wish I had a dime for every time I say SLAs, or service level agreements, in this class. I wish I had a dime for every time it shows up on the test in some form or capacity. So, you know, again, the commitment from the cloud service provider. We take nothing for granted, and that service level agreement has to be reviewed. Now, data privacy terms, and these will come up. The first term is the data subject, and that's the entity that's referenced in relation to the data. So when we talk about PII, Kelly's PII, Kelly's the data subject, you know. And some types of data can stand alone as PII; some have to be combined, like a name and an address. Ultimately, the idea with PII is that it can lead to contacting an individual. But the entity that the data describes is called the data subject. Personal data, we just talked about. Processing: so the data processor, you know, when we're talking about processing, we're performing operations on the data. We're collecting it, recording it, organizing it, storing it. We're working with the data.
So when we talk about the data processor, on your questions on the exam, assume the cloud service provider is the data processor, right? We entrust them with the data. That's where the data is stored, in most instances. Okay. We would be the controllers. The controller you can essentially use interchangeably with the data owner. We have the ultimate accountability, we have the legal responsibility, we are liable. So customer, owner, controller: that's us on the exam, is how I would assume it, unless I tell you differently, of course. And we have the ultimate liability. Processors: the cloud service provider. We here, the customers of the cloud service provider, could be called the controllers, could be called the data owners. All right, watch for those terms.
Now, with compliance, like we said, you've got to follow local laws and regulations. A big part of compliance is due care and due diligence. Nothing really profound on this slide, just kind of the ideas. And then another definition, or just a little extended, about due diligence and due care. But just go back to the simple version: diligence is research; care is action. If you care, you will act. That's maybe a good way to remember it.
Service level agreements. Again, SLAs, service level agreements, service level agreements, service level agreements. This is a legally binding contract between you and the cloud service provider. This is where the level of service is formally, and again legally, defined. It could be based on performance. You could talk about things like availability, bandwidth, you know. Whatever's in there is in there, but ultimately, unless it's in the contract, you can't assume it. So every cloud service provider has different service level agreements. Keep in mind also that I could put anything I want into a service level agreement. I can promise you the moon. But what makes the service level agreement valuable is the verification from a third party, right? So in addition to saying what's in the contract, what sort of assurance do I have that what's in the contract is what's really happening? And from an audit perspective, we really want that to be a third-party audit. And I think I may have mentioned earlier the STAR registry. This could come up, but it stands for Security, Trust and Assurance Registry. The STAR registry ultimately verifies or, you know, examines the service level agreements of cloud service providers versus their actual actions and provides them with an assessment of: do they follow their SLA? So there's that third-party audit that becomes so essential.