Cloud Legal and Compliance Issues
Goals
- Evaluate cloud data storage architectures.
- Analyze data security strategies.
- Evaluate data discovery and classification technologies.
- Evaluate relevant jurisdictional data protections for personally identifiable information (PII).
- Evaluate data rights management.
- Critique security controls.
- Critique disaster recovery and business continuity management plans.
- Describe legal requirements and unique risks within the cloud environment.
- Describe privacy issues, including jurisdictional variation.
- Describe the audit process, methodologies, and required adaptations for a cloud environment.
- Describe the implications of cloud to enterprise risk management.
- Describe outsourcing and cloud contract design.
- Describe attributes of vendor management.
Legal Requirements and Unique Risks in the Cloud Environment
Analyzing a Law
U.S. Privacy and Security Laws
- Federal Risk and Authorization Management Program (FedRAMP)
  - not a law
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Gramm–Leach–Bliley Act (GLBA)
  - Scope
  - Privacy Rule
  - Safeguards Rule
- Sarbanes–Oxley Act (SOX)
- State Breach Notification Laws
  - Defining data breaches
  - Conditions for notification
  - Data subject rights
International Laws
- General Data Protection Regulation (GDPR)
  - Scope
    - Personal data
    - Data controllers
    - Data processors
    - Territorial jurisdiction
    - Acts of processing
  - Data Subject Rights
  - Data Transfers
    - Adequacy decisions
    - Safe Harbor and US Privacy Shield
    - Binding Corporate Rules
    - Standard Contractual Clauses
    - Other Transfer Mechanisms (derogations)
  - Scope
Laws, Regulations, and Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- NERC Critical Infrastructure Protection (CIP) Program