diff --git a/doc/arch-design-draft/source/legal-requirements.rst b/doc/arch-design-draft/source/legal-requirements.rst
index d98875144f..a8d8946ee1 100644
--- a/doc/arch-design-draft/source/legal-requirements.rst
+++ b/doc/arch-design-draft/source/legal-requirements.rst
@@ -4,12 +4,17 @@
Legal requirements
==================
-Most countries have legislative and regulatory requirements governing
-the storage and management of data in cloud environments. This is particularly
-relevant for public, community and hybrid cloud models, to ensure data privacy
-and protection for organizations using a third party cloud provider.
+Using remote resources for collection, processing, storage,
+and retrieval provides potential benefits to businesses.
+With the rapid growth of data within organizations, businesses
+need to be proactive about their data storage strategies from
+a compliance point of view.
-.. TODO Elaborate and refine this section later.
+Most countries have legislative and regulatory requirements governing
+the storage and management of data in cloud environments. This is
+particularly relevant for public, community and hybrid cloud models,
+to ensure data privacy and protection for organizations using a
+third party cloud provider.
Common areas of regulation include:
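Review bot: the new opening paragraph ("Using remote resources for collection, processing, storage, and retrieval provides potential benefits to businesses ...") reads as general marketing text rather than a statement of a legal requirement, and it does not connect to the regulatory point that follows; either drop it or tighten it to the compliance point, e.g. "As organizations move data into cloud environments, they need to plan their data storage strategies with compliance in mind." In the retained paragraph, "third party cloud provider" should be hyphenated as "third-party cloud provider" when used as an adjective. Removing the `.. TODO` comment is fine now that the section is being expanded.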
@@ -23,11 +28,66 @@ Common areas of regulation include:
information needing to reside in certain locations due to
regulatory issues - and more importantly, cannot reside in
other locations for the same reason.
+* Data location policies ensuring that the services deployed
+ to the cloud are used according to laws and regulations in place
+ for the employees, foreign subsidiaries, or third parties.
+* Disaster recovery policies ensuring regular data backups and
+ relocation of cloud applications to another supplier in scenarios
+ where a provider may go out of business, or their data center could
+ become inoperable.
+* Security breach policies governing the ways to notify individuals
+ through cloud provider's systems or other means if their personal
+ data gets compromised in any way.
+* Industry standards policy governing additional requirements on what
+ type of cardholder data may or may not be stored and how it is to
+ be protected.
-Examples of such legal frameworks include the
-`data protection framework `_
-of the European Union, and the requirements of the
+This is an example of such legal frameworks:
+
+Data storage regulations in Europe are currently driven by provisions of
+the `Data protection framework `_.
`Financial Industry Regulatory Authority
-`_
-in the United States.
-Consult a local regulatory body for more information.
+`_ works on this in
+the United States.
+
+Privacy and security are spread over different industry-specific laws and
+regulations:
+
+* Health Insurance Portability and Accountability Act (HIPAA)
+* Gramm-Leach-Bliley Act (GLBA)
+* Payment Card Industry Data Security Standard (PCI DSS)
+* Family Educational Rights and Privacy Act (FERPA)
+
+Cloud security architecture
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+An efficient cloud security architecture should recognize the issues
+that arise with security management. The security management addresses
+these issues with security controls. Cloud security controls are put
+in place to safeguard any weaknesses in the system and reduce the
+effect of an attack.
+
+The following are different types of security controls.
+See also `NIST Special Publication 800-53
+`_.
+
+Deterrent controls:
+ Typically reduce the threat level by informing potential attackers
+ that there will be adverse consequences for them if they proceed.
+
+Preventive controls:
+ Strengthen the system against incidents, generally by reducing
+ if not actually eliminating vulnerabilities.
+
+Detective controls:
+ Intended to detect and react appropriately to any incidents
+ that occur. System and network security monitoring, including
+ intrusion detection and prevention arrangements, are typically
+ employed to detect attacks on cloud systems and the supporting
+ communications infrastructure.
+
+Corrective controls:
+ Reduce the consequences of an incident, normally by limiting
+ the damage. They come into effect during or after an incident.
+ Restoring system backups in order to rebuild a compromised
+ system is an example of a corrective control.
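Review bot: the line "This is an example of such legal frameworks:" is grammatically wrong for what follows, since it introduces two examples (the EU data protection framework and FINRA); the replaced wording "Examples of such legal frameworks include:" was correct and should be kept. In the same region, the three link references (`Data protection framework `_, `Financial Industry Regulatory Authority ... `_, and `NIST Special Publication 800-53 ... `_) show no URL between the trailing space and the closing backtick in the visible lines; confirm the targets are actually present in the file, because Sphinx will otherwise fail with "Unknown target name". The removed sentence "Consult a local regulatory body for more information." is still the right closing advice for a section that can only list examples, and should be restored after the FINRA sentence. Smaller points: the "Industry standards policy" bullet describes cardholder data requirements and should name PCI DSS, which the later list already includes; "through cloud provider's systems" should read "through the cloud provider's systems"; "The security management addresses these issues" should drop the article ("Security management addresses these issues"); and the "See also" citation of NIST SP 800-53 would be more useful if it said what the reader gets from it, e.g. that it catalogs the controls these four categories summarize.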