9 hours 59 minutes
So let's recap what we learned about domain four.
We started off reviewing the basics of compliance and audits. We talked about the GRC disciplined and we learned that audits air key tool for proving or disproving compliance.
We proceeded to review the specifics of how compliance and audits are affected when you're working in the cloud.
This included the concept of compliance inheritance and passed through audits.
And we also honed in on the importance of staying informed of changes to the cloud providers, compliance by service and geography or jurisdiction. Cloud customers should evaluated providers third party at test stations and certifications to support their compliance obligations.
And Romy completed that. We talked about the audit management process,
a key point being compliance audit and assurances should be continuous for both customers and providers. Compliance is not a one and done activity. It is an ongoing way of operating.
And then we close it out, reviewing some of the popular standards and compliance certifications.
Let's take a few quiz questions to close out this module. What is true about an attestation?
It's a legal statement from 1/3 party.
It's a testimony in the court of law.
It can only be performed by a legal official
or it is another term for audit. Only one of these is correct.
So an affidavit is a written statement of facts sworn to and signed by somebody being deposed before a notary public or some other authority having the power to witness an oath. That's a mouthful. And attestation is not quite an affidavit. However, it is a legal statement in writing from 1/3 party.
Attestation is not a testimony in the court of law.
Individuals other than illegal official can perform at stations.
In the event of a successful audit, an attestation would be provided by the auditor saying the cloud provider is compliant pursuant to whichever regulations that the audit was performed for
moving on When evaluating the cloud Providers Audit report, what should you pay particular attention to?
Whether there are not the auditor has their CCS K
services and jurisdiction of the audit,
the date of the audit report or the auditors conclusion.
All of these are things you want to play attention to, but what of these is the most important? You're gonna get questions like this on the exam where you have to make a judgment call.
So let's walk through the potential answers, and I'll highlight the correct one,
whether or not the auditor has their seat. CSK, that that's something we've talked about. And it's something that that definitely makes sense when the auditor is auditing a cloud provider, so they're familiar with the nuances of working in the cloud. However, that's not going to be. The most important thing be is services and jurisdiction of the audit.
Honestly, that is going to be the most important thing
if the audit does not pertain to some or all of the services that you're using are interested in, and it's not applicable to the jurisdiction that you're using it in than the audit report itself doesn't really apply to you, and it's really not worth spending your time. Continuing to read the date of the audit is important. You don't want to really old audit.
And then, of course, the auditors conclusion is also going to be very important.
But of these be describes the area that you want to pay the most attention to in an audit report,
and that wraps it up for this module and the domain for discussion. Go get yourself a glass of water and return so we can continue with domain five