Agent of the government
A private citizen takes on this role when they perform an act that the government would need a warrant for, such as a search and seizure. Under those circumstances, the citizen must follow the same rules as the government.
Australian National Privacy Act of 1988
Regulates the handling of personal information about individuals within the country of Australia. This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information.
Baseline
The minimum set of requirements that must be met; in security terms, the minimum level of protection that every system or process must provide.
Cloud Controls Matrix (CCM)
Lists and categorizes security domains and controls, and identifies which elements and components are relevant to each control. This framework enables cloud consumers and cloud providers to cooperate in demonstrating adequate risk management.
Conflict of law
The field of law that resolves which jurisdiction's law applies when the laws of different states or nations conflict, either domestically or internationally.
Criminal law
The body of law that relates to crime. It proscribes conduct perceived as threatening, harmful, or otherwise endangering to the property, health, safety, and moral welfare of people. Most criminal law is established by statute, which is to say that the laws are enacted by a legislature.
Cross-border data transfers
Multiple laws and regulations restrict or prohibit transferring information across borders, or to locations where the level of privacy or data protection is deemed weaker than that required at the data's origin.
Data sovereignty
The implied or explicit right of a nation or state to determine, by means of its laws, the treatment, care, or disposition (embargo or movement) of data.
Doctrine of plain view
In some U.S. states, a law enforcement officer may seize evidence without a search warrant if they can see it without making entry to where the evidence resides. This applies in digital forensic searches because it is necessary to perform various kinds of searches on digital evidence that may reveal evidence of a crime not noted in the warrant.
Due care
A standard of behavior grounded in the concept of "reasonableness." Did the actor exhibit a standard of behavior that is deemed by the law to be "reasonable," i.e., would other individuals in the actor's position act in a similar manner exhibiting an expected standard of due care?
Due diligence
The act of investigating and understanding the risks a company faces. When used in information security, it means the actions taken to ensure that policies are being properly applied and that controls are effective.
Electronic discovery (e-discovery)
Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
European Union (EU)
An economic and political union of 27 countries. It operates an internal (or single) market that allows free movement of goods, capital, services and people between member states.
EU Data Protection Directive 95/46/EC
Focuses on the protection of individuals regarding the processing of personal data and on the free movement of such data. Prohibits the transfer of personal data to non-EU countries that do not meet adequate standards for privacy protection.
Extradition
A formal process whereby one country transfers a suspected or convicted criminal to another country.
General Data Protection Regulation
Taking effect in 2018 throughout the EU, this introduced many significant changes for data processors and controllers. The following may be considered some of the more significant changes: the concept of consent, transfers abroad, the right to be forgotten, establishment of the role of the "data protection officer," access requests, home state regulation, and increased sanctions.
Generally Accepted Privacy Principles (GAPP)
The AICPA describes 74 of these in detail. These serve as a framework for organizations to use to manage privacy risk.
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Modernization Act of 1999, this is a federal law enacted in the United States to control how financial institutions deal with the private information of individuals.
Guidelines
Statements that are not designed for enforcement, but principles that can assist in accomplishing objectives.
Harmonization of law
Specifically, in relation to the European Union, the process of creating common standards across the internal market.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Adopts national standards in the United States for electronic healthcare transactions and national identifiers for providers, health plans, and employers. Protected health information can be stored via cloud computing under this regulation.
International law
The term given to the rules that govern relations between countries.
ISO/IEC 27018:2019
The first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002:2013 and provides implementation guidance on ISO/IEC 27002:2013 controls applicable to public cloud personally identifiable information (PII).
ISO/IEC 27050
Defines the major components across the discovery phase of a lawsuit, with an emphasis on the discovery of electronically stored information (ESI).
ISO/IEC 31000:2018
An overarching standard that details the components of risk management as well as the responsibilities an organization has for conducting the elements of risk management.
Jurisdiction
The practical authority granted to a legal body to administer justice within a defined area of responsibility.
Legal hold
Instructions not to delete electronically stored information or discard paper documents that may be pertinent to a new or existing case.
MITRE Privacy Maturity Model
A privacy evaluation tool created by the nonprofit MITRE Corp.
NIST SP 800-37
This publication provides a good example framework for implementing risk management concepts. It describes the Risk Management Framework (RMF), a process for managing security and privacy risk, and offers guidelines on applying the RMF to information systems.
NIST Special Publication 800-53
A standard to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.
Policies
General high-level statements that prescribe actions and consequences for organizational members. These guide the overall governance of an organization and require both penalties and senior management sponsorship to be effective.
Privacy impact assessment (PIA)
An analysis of how information is handled to ensure it conforms to applicable legal, regulatory, and policy requirements regarding privacy.
Privacy Level Agreement (PLA)
Similar in concept to a Service Level Agreement (SLA) in that it defines roles and responsibilities as well as clearly defined service commitments for the protection of privacy information between a service provider and a consumer.
Privacy maturity model
A recognized means by which organizations can measure their progress against established benchmarks.
Procedures
The methods and instructions on how to maintain or accomplish the directives of the policy.
Sarbanes-Oxley Act (SOX)
U.S. legislation enacted to protect shareholders and the public from accounting errors and fraudulent practices.
Service Level Agreement (SLA)
A legal agreement that fully defines roles and responsibilities between a service provider and consumer, including details of the service offered, the cost of the service, how it will be measured, how to determine whether the service is properly delivered, and any consequences attached to nonperformance.
System and Organization Controls 1 (SOC 1)
Reports on controls at a service organization relevant to user entities' internal control over financial reporting. Used to provide information to the auditor to enable risk assessment.
System and Organization Controls 2 (SOC 2)
Reports on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy. Used to provide management and specified entities with information.
System and Organization Controls 3 (SOC 3)
A publicly available summary of the SOC 2 report. Used to provide information for general use by any interested party.
Subpoena
A demand issued by an attorney that must be obeyed in much the same manner as a warrant.
Tort law
A body of rights, obligations, and remedies that sets out reliefs for persons suffering harm because of the wrongful acts of others.
Trust Services Principles
Also known as the Trust Services Criteria. An auditing system whereby various criteria areas are evaluated along with the controls within an organization.
Warrant
Authorization issued by a magistrate or other official allowing a law enforcement officer to search or seize property, arrest a person, or perform some other specified act.