Domain 3 Knowledge Recap


9 hours 59 minutes
Video Transcription
Let's summarize what we learned in this module.

We started off reviewing legal considerations for data in the cloud, so knowing the key undertones of data privacy laws. This includes things like data subject, data processor, data controller, and using the collected data for purposes communicated to the data subject. Other things, like the controller being ultimately responsible for making sure that the processors meet laws and other regulations when handling the data. And we discussed evaluating the applicability of data privacy laws by asking the right questions: Where is the data subject? Where is the location of the data? Where is the headquarters of the provider? Where is the headquarters of the cloud user? Are there any other contractual agreements that our own business has that would affect how we use the data and where we store the data?

On the exam, it's important you also understand the relevant legal frameworks for data privacy. You don't need to know all of them, but it is important that you understand the major ones in certain countries, such as GDPR, HIPAA and COPPA. Other common themes, like not being able to transfer data from one territory to another territory if it has weaker laws, even the strong-holding laws of data sovereignty that exist in China and Russia.

And after covering legal considerations, we revisited contracts with cloud service providers. We talked about the importance of understanding the terms and conditions and privacy policies of the different providers, ideally before you sign any contracts with them. But you may have to continually revisit and revise those, especially in situations where business users may have already signed engagements and you're playing catch-up.

It's also important that you understand compliance can vary between services of the same cloud provider and even between regions of the same cloud provider. So it's important that you stay abreast of new changes and services that the cloud provider offers and have a recurring review process in place.

To top it off, you want to make sure to watch those click-through agreements and how they may affect the contracts that you have with the cloud provider. Make sure your original contracts can't be substantially altered by click-through agreements that your users within the business, who may not be familiar with the contracts and, frankly, may not be reading the agreements, might just gloss over. Keep in mind that the defense "nobody reads those" in the court of law isn't really a good argument point.

And then we wrapped up talking about electronic discovery as part of the process of litigation. It's very important that you know the cloud provider's policies and obligations towards its customers if they get issued with an e-discovery subpoena. The cloud provider should be your ally in this discovery process and not just blindly turn things over. You should get some sort of notice. In fact, there need to be some predefined rules of engagement between you and the cloud provider, just in case that situation happens. Get those figured out early and up front.

Understand that there are legal and technical requirements of the discovery, so only certain data may be within the scope of discovery. For example, cloud provider specific data may not be attainable, such as detailed logs of incoming network traffic. Also keep in mind that the cloud provider may have additional fees and costs to retrieve the data that's needed in e-discovery. So that's another part of the upfront conversations you want to make sure you have when you are engaging with a cloud provider.

Let's go through a few quiz questions that are akin to the kind of thing you're going to see on the CCSK exam.

When is a party excused from presenting evidence in a court of law?
A. When it doesn't exist.
B. When it's too expensive to retrieve.
C. Never. A party must always present data when it's requested by a judge.
D. When it is not reasonably accessible.

There are a few right answers on this. When the data doesn't exist, you'll be excused from presenting it. It just doesn't exist. You can't fabricate it.

When it's too expensive to retrieve, you're not going to be excused. That's why it's important that the pre-discussions you have with the cloud provider talk about the expense and costs if and in the event of e-discovery. If you do get stuck in a civil litigation, you're going to have to pay a lot of attorney's fees and defense. So the last thing you want to happen is to also get stuck with some extremely large bills from the cloud provider for the services that they performed in aggregating and retrieving the different information that was needed for the electronic discovery process.

C, never: a party must always present data when it's requested by a judge. Well, there are certain circumstances when that's not applicable, so C is not correct.

And then, finally, when it is not reasonably accessible, so D would also be correct: A and D. Not reasonably accessible, for example, if you had data that was stored on a cloud storage and that data was deleted. If you use the cloud provider's storage services, the underlying storage hardware is often pooled. If you deleted the data on a single hard drive, it's possible to examine the hard drive directly and reallocate the bits that determine the files which were deleted. Using cloud provider storage, those files are spread across multiple disks, and they're probably commingled with other tenants' data. So it just wouldn't be reasonable to try and figure out and reassemble files that were located on a cloud storage provider and then subsequently deleted.

So that wraps it up for this video; that wraps it up for domain three. I truly hope that you never do get pulled into a civil litigation or any sort of legal troubles, but at least now you have a basis of the information that's going to be needed for the CCSK exam. And if it really does happen, at least you know some of the right questions to ask and areas to look.

Certificate of Cloud Security Knowledge (CCSK)

This course prepares you to take the Certificate of Cloud Security Knowledge (CCSK) certification by covering material included in the exam. It explains how the exam can be taken and how the CCSK certification process works.
