Certified Cloud Security Professional (CCSP): Legal, Risk, and Compliance Competency (Intermediate Level)

  • 30m
  • 30 questions
The Legal, Risk, and Compliance Competency (Intermediate Level) benchmark measures your knowledge of legal, risk, and compliance cloud computing concepts. You will be evaluated on your recognition of relevant laws and regulations, risk assessments and management, compliance frameworks and standards, auditing and assessments, and privacy and data protection. A learner who scores high on this benchmark demonstrates competency in many areas of the legal, risk, and compliance discipline and has had some working exposure to the CCSP legal, risk, and compliance aspects of cloud computing.

Topics covered

  • compare business requirements in a service-level agreement (SLA), a master service agreement (MSA), and a statement of work (SOW)
  • compare cloud vulnerabilities, threats, and attacks
  • compare multi-factor authentication mechanisms
  • compare risk mitigation strategies
  • compare specialized compliance requirements for highly-regulated industries including NERC/CIP, HIPAA/HITECH, and PCI
  • compare standard privacy requirements including ISO/IEC 27018, Generally Accepted Privacy Principles (GAPP), and General Data Protection Regulation (GDPR)
  • define a cloud access security broker
  • define a managed security service provider
  • define gap analysis and internal information security management systems
  • define identity providers
  • define the four categories of risk treatment
  • describe conflicting international legislation
  • describe federated identity
  • describe PIAs
  • describe single sign-on (SSO)
  • describe supply-chain management as defined by ISO/IEC 27036
  • describe the differences between contractual and regulated private data, define protected health information (PHI), personally identifiable information (PII), and outline country-specific legislation related to private data and jurisdictional differences in data privacy
  • describe the impact of the distributed IT model including diverse geographical locations and crossing over legal jurisdictions
  • describe various cloud audit controls and reports along with their impact, including the Statement on Standards for Attestation Engagements (SSAE), the Service Organization Control (SOC), and the International Standard on Assurance Engagements (ISAE)
  • explain organizational, functional, and cloud computing policies, and the involvement of relevant stakeholders
  • explain vendor management concepts including vendor assessments, vendor lock-in risks, vendor viability, and escrow
  • identify how to design a resilient cloud environment
  • identify cloud provider risk management and assessment programs including an overview of the CSA Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and metrics for risk management using CCM domains
  • outline forensics and eDiscovery, including ISO/IEC 27050 and Cloud Security Alliance (CSA) guidance
  • outline regulatory transparency requirements, including breach notification, Sarbanes-Oxley (SOX), and GDPR
  • outline risk assessment in the cloud infrastructure including identification and analysis
  • recognize key aspects of environmental design including heating, ventilation, and air conditioning (HVAC) and multi-vendor pathway connectivity
  • recognize key aspects of physical design including location and whether to buy or build
  • recognize the logical design of a cloud data center including tenant partitioning and access control
  • use secrets management