Domain 3 Knowledge Recap


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:01
>> Let's summarize what we learned in this module. We started off reviewing legal considerations for data in the Cloud, knowing the key undertones of data privacy laws. This includes things like data subject, data processor, data controller, and using the collected data for purposes communicated to the data subject. Other things like the controller being ultimately responsible for making sure that the processors meet laws and other regulations when handling the data.

We discussed evaluating applicable data privacy laws by asking the right questions. Where is the data subject? Where's the location of the data? Where's the headquarters of the provider? Where's the headquarters of the Cloud user? Are there any other contractual agreements that our own business has that would affect how we use the data and where we store the data?

On the exam, it's important you also understand the relevant legal frameworks for data privacy. You don't need to know all of them, but it is important that you understand the major ones in certain countries, such as GDPR, HIPAA, and COPPA. Other common themes, like not being able to transfer data from one territory to another territory if it has weaker laws, even the strong holding laws of data sovereignty that exist in China and Russia.

After covering legal considerations, we revisited contracts with Cloud service providers. We talked about the importance of understanding the terms and conditions and privacy policies of the different providers, ideally before you sign any contract with them, but you may have to continually revisit and revise those, especially in situations where business users may have already signed engagements and you're playing catch-up. It's also important that you understand compliance can vary between services of the same Cloud provider and even between regions of the same Cloud provider. It's important that you stay abreast of new changes and services that the Cloud provider offers and have a recurring review process in place.

To top it off, you want to make sure to watch those click-through agreements and how they may affect the contracts that you have with the Cloud provider. Make sure your original contracts can't be substantially altered by click-through agreements that your users within the business, who may not be familiar with the contracts and frankly may not be reading the agreements, might just gloss over. Keep in mind that the defense "nobody reads those" in a court of law isn't really a good argument point.

Then we wrapped up talking about electronic discovery as part of the process of litigation. It's very important that you know the Cloud provider's policies and obligations towards its customers if they get issued with an e-discovery subpoena. The Cloud provider should be your ally in this discovery process and not just blindly turn things over; you should get some notice. In fact, there needs to be some predefined rules of engagement between you and the Cloud provider just in case that situation happens. Get those figured out early and upfront. Understand that there are legal and technical requirements of e-discovery. Only certain data may be within the scope of discovery. For example, Cloud provider-specific data may not be attainable, such as detailed logs of incoming network traffic. Also keep in mind that the Cloud provider may have additional fees and costs to retrieve the data that's needed in e-discovery. That's another part of the upfront conversations you want to make sure you have when you are engaging with a Cloud provider.

Let's go through a few quiz questions that are akin to the thing you're going to see on the CCSK exam. When is a party excused from presenting evidence in a court of law?

A. When it doesn't exist.
B. When it's too expensive to retrieve.
C. Never, a party must always present data when it's requested by a judge.
D. When it is not reasonably accessible.

There are a few right answers on this. When the data doesn't exist, you will be excused from presenting it; it just doesn't exist. You can't fabricate it. When it's too expensive to retrieve, you're not going to be excused. That's why it's important that the pre-discussion you have with the Cloud provider talks about the expense and costs in the event of e-discovery. If you do get stuck in civil litigation, you're going to have to pay a lot of attorney's fees and defense. The last thing you want to have happen is to also get stuck with some extremely large bills from the Cloud provider for the services that they performed in aggregating and retrieving the different information that was needed for the electronic discovery process. Number C, never, a party must always present data when it's requested by a judge. Well, there are certain circumstances when that's not applicable, so C is not correct. Then finally, when it is not reasonably accessible, so D would also be correct: A and D. Not reasonably accessible, for example, if you had data that was stored on Cloud storage and that data was deleted. If you use a Cloud provider's storage services, the underlying storage hardware is often pooled. If you deleted the data on a single hard drive, it's possible to examine the hard drive directly and reallocate the bits that determine the files which were deleted. Using Cloud provider storage, those files are spread across multiple disks and they're probably commingled with other tenants' data. It just wouldn't be reasonable to try and figure out and reassemble files that were located on a Cloud storage provider and then subsequently deleted.

That wraps it up for this video. That wraps it up for domain 3. I truly hope that you never do get pulled into a civil litigation or any legal troubles. But at least now you have a basis of the information that's going to be needed for the CCSK exam, and if it really does happen, at least you know some of the right questions to ask and areas to look.