2. Governance and Enterprise risk management - DONE Flashcards

• Tools of Cloud Governance
• Enterprise Risk Management in the Cloud
• Effects of Various Service and Deployment Models
• Cloud Risk Trade-offs and Tools

1
Q

What is governance?

A

Includes the policy, process, and internal controls that direct how an organization is run; it includes everything from structures and policies to leadership and other mechanisms for management. You can consider governance as assigning directive controls. The policies to be implemented will often be built from the corporate mission statement and will address the laws, regulations, and standards faced by a company that must be followed in order to continue operations. Governance relies on the compliance function to ensure that directives are being followed throughout the enterprise.

2
Q

What is enterprise risk management?

A

Includes managing overall risk for the organization, aligned with the organization’s governance and risk tolerance. Enterprise risk management (ERM) includes all areas of risk, not merely those concerned with technology.

3
Q

What is information risk management?

A

Addresses managing risk to information, including information technology (IT). Organizations face all sorts of risks, from financial to physical, and information is only one of multiple assets an organization needs to manage. If you work in IT, you are likely most acquainted with this area of risk management.

4
Q

What is information security?

A

Includes the tools and practices used to manage risk to information. Information security isn’t the be-all and end-all of managing information risks; policies, contracts, insurance, and other mechanisms also have roles to play (including physical security for nondigital information). However, a—if not the—primary role of information security is to provide the processes and controls required to protect electronic information and the systems we use to access it.

5
Q

What is the only time governance won’t be altered by the cloud?

A

The only time that governance won’t be altered as a result of using the cloud is a scenario in which your own people have implemented automation and orchestration software in your own data centre and your company fully manages it like any other system in your data centre today.

6
Q

What is the primary issue to remember about governing cloud computing?

A

Although an organization can outsource responsibility (authority over actions) for governance, a company can never outsource liability, even when using external providers. As such, the organization will always retain accountability (liability for actions, or lack of actions) if anything goes wrong. This is always true, with or without the cloud.

7
Q

With some cloud providers having more than a million customers, it is simply impossible for providers to give every customer everything they need from the contract, service level agreement, and security control perspectives.

What is the solution?

A

Providers will supply customers with extremely standardized services (including contracts and service level agreements) that are consistent for all customers.

8
Q

Governance models cannot necessarily treat cloud providers the same way they’d treat dedicated external service providers, such as co-location or web hosting providers, which typically customize their offerings, including custom contracts, background screening of employees, and legal agreements, for each client.

So how can we go about choosing a cloud provider?

A

The contract between the customer and the provider will identify the responsibilities and mechanisms for governance; the customer needs to understand both and identify any process gaps. If a gap is identified, the customer needs to adjust their own processes to close the gap or accept the associated risks.

Governance gaps don’t necessarily exclude using the provider. If you excluded every provider that didn’t completely address everything you needed, you’d find yourself unable to use any provider. Identifying gaps and addressing them is the CSA way to address governance challenges.

9
Q

Describe the following tool of governance:

Contracts

A

The contract is the number one tool of governance. The legally binding contract agreement is your only “guarantee” of any level of service or commitment. Simply put, if it’s not in the contract, it doesn’t exist.

If the provider breaks the terms of the contract or doesn’t fulfil the terms of a service level agreement, you’re looking at a legal dispute.

Contracts define the relationship between providers and customers, and they are the primary tool for customers to extend governance to their suppliers.

10
Q

What does a contract include?

A

Terms and Conditions - This is the main document that describes aspects of the service, how customer data will be used, termination clauses, warranties, applicable laws etc.

Acceptable Use Policy - This states what you can and cannot do when consuming the service.

Services Terms - This contains service-specific contractual agreements by the provider.

Service Level Agreements - This details items such as availability uptime commitments and penalties for not meeting those commitments. Quite often, the penalties to the provider for failing to meet monthly service level agreements (such as 99.9 per cent availability) take the form of extra service credits—and the customer usually needs to submit a claim and show evidence of unavailability.

Clauses Based on Your Subscription and/or Renewal - These would be specific legal agreements based on your particular subscription. With cloud services, the commitments from a provider to the customer are largely based on the customer’s subscription level. Consider an extreme example: a free version of a product may have clauses that state that the provider can access your usage data, while the paid version doesn’t allow the provider to access your data.

11
Q

Describe the following tool of governance:

Cloud provider assessments

A

Assessment is part of the due diligence a customer must perform in advance of using a cloud provider. The assessment should leverage all available information, ranging from contract reviews to provider-supplied audit reports and reviews of technical documentation of the system. Technical assessments may be limited by the provider (for example, no physical access because of security concerns).

How the provider supplies technical documentation is up to them: they may post detailed information online, or they may make it available only in person at their offices for your review.

Aside from a technology perspective, most supplier assessments are performed as part of a cloud provider’s assessment. Assessed items generally include financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.

12
Q

Describe the following tool of governance:

Compliance Reporting

A

Two simple words summarize this governance tool—standards and scope.

Leading cloud providers will spend vast sums of money to ensure that they can promote compliance with a wide multitude of standards.

All of the standards have one issue in common: the scope of the engagement. Take, for example, an ISO/IEC audit whose scope is only the IT department. Where does that leave you if you’re looking for a cloud provider with the ISO/IEC certification that you want to use to make your provider selection decisions? It leads you to understand that merely being “certified” doesn’t mean anything if the service you are consuming is not within the scope of the audit.

13
Q

What are some popular standards that providers often promote:

A

* NIST 800-53 - This control set is part of the bigger NIST Risk Management Framework. If you work for a government agency, this is likely the control set that you are most familiar with.
* FedRAMP - The Federal Risk and Authorization Management Program tailors the NIST 800-53 control set for cloud services. Providers must be FedRAMP authorized (known as an Authority to Operate, or ATO) to offer their services to the US government.
* ISO/IEC 27017 - The “code of practice for information security controls based on ISO/IEC 27002 for cloud services” standard is essentially the control set from ISO 27002, tailored for cloud services.
* COBIT - The Control Objectives for Information and Related Technology (yeesh!) is a governance and risk management framework owned by ISACA. Its focus is on enterprise governance and management of IT, not just security. It’s brought up in the guidance and it’s a mapping in the CCM.
* PCI - The Payment Card Industry and its Data Security Standard (DSS) is a very popular industry standard because of penalties associated with noncompliance. Just a note on this one: a provider being “PCI compliant” does not mean your applications are automatically “PCI compliant.” This is a perfect example of the shared responsibility of all cloud models, and you will need to assess your applications if they are part of the PCI cardholder data environment.
* HIPAA - The Health Insurance Portability and Accountability Act is US public law that requires data privacy and security provisions for safeguarding medical information. It is not cloud-specific, but it does apply to the cloud if medical information is stored in a cloud environment.

14
Q

What is System and Organization Controls (SOC)?

A

SOC is used by the vast majority of service providers to report on controls at a service organization. The SOC report is generated by an independent CPA and is available from the provider via a nondisclosure agreement (NDA). Although multiple report types are available (SOC 1, SOC 2, SOC 3), these reports are based on the AICPA Statements on Standards for Attestation Engagements 18 (SSAE 18) (previously SSAE 16) standard.

Providers aren’t forced to use a standard like SOC reporting or ISO to supply third-party assessment of controls. They could offer you a self-assessment they created that is based on a standard such as the CCM and CAIQ, or they may even allow potential clients to perform their own audits—but this is rare.

15
Q

What are the different levels of SOC

A

* SOC 1 - This SOC report is used for Internal Control over Financial Reporting (ICFR) and is used for entities that audit financial statements.
* SOC 2 - This SOC report is titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.” It deals with ensuring that controls at an organization are relevant for security, availability, and processing integrity of systems.
* SOC 3 - This publicly available high-level SOC report contains a statement from an independent CPA that a SOC engagement was performed, plus the high-level result of the assessment (for example, it could indicate that the vendor statement of security controls in place is accurate).

16
Q

What are the two different types of SOC reports?

A

* Type 1 - A point-in-time look at the design of the controls
* Type 2 - An inspection of the operating effectiveness of the controls

As you can see, you’ll probably want to receive and review the Type 2 report because it actually tests the controls in question. The bottom line here is that as a security professional, you want to get access to a provider’s SOC 2, Type 2, report. It will offer great detail into the security controls in place, tests performed, and test results.

17
Q

Why should you always review a SOC report?

A

Do not assume that a provider simply having a SOC report is sufficient to prove the provider’s due diligence. Even a legitimate SOC report can refer to practices and assessments that you perceive as unacceptable risks. You always need to review the SOC report.

18
Q

Why is it important for auditors to have a CCSK?

A

Consider the auditors themselves. If they do not have knowledge of cloud environments, this can lead to false findings and all kinds of issues, especially in cloud-native applications that can implement controls that would be completely foreign to an auditor who is unfamiliar with new control approaches in a serverless environment, for example. The CSA recommends that you work with auditors who possess knowledge of the cloud—and there’s no better way for an auditor to demonstrate knowledge of the cloud than by holding a CCSK designation!

19
Q

The difference between enterprise risk management and information risk management

A

Enterprise risk management (ERM) is the overall management of risk for an organization, and information risk management (IRM) is focused on information and information systems. Both of these functions are related to the governance function, as governance ultimately determines acceptable risk to the organization as a whole.

20
Q

How does moving to the cloud affect risk tolerance?

A

Remember that moving to the cloud doesn’t change your risk tolerance; it just changes how risk is managed.

21
Q

How does using SaaS as a service model change governance and risk management?

A

SaaS is essentially renting access to a turnkey application that is supplied by the provider. Providers in the SaaS space range in size from very small to very large. Given the wide spectrum of vendors, it is critical that you ensure that a potential SaaS vendor is a proper fit for your company, because you are essentially outsourcing everything from the facilities up to the application itself, which places most responsibility for security on the provider.

Another consideration is that your SaaS provider may very well in turn be outsourcing to a Platform as a Service (PaaS) or an Infrastructure as a Service (IaaS) vendor. This establishes not just a third party, but fourth and possibly fifth parties as part of your outsourcing chain. If this is the case, you will need to determine which vendors are involved and assess those environments as well.

The more functionality the supplier provides, the more they will be responsible for all facets of information security.

22
Q

How does using PaaS as a service model change governance and risk management?

A

The responsibility shift tilts more toward the customer with PaaS compared to SaaS. You have more capability to configure security within the product you are building on top of a shared platform that the provider fully manages. An example of this would be implementing encryption within an application built on a shared PaaS platform. In this scenario, information risk management and information security are focused primarily on the platform being procured and, of course, the application itself. Given that PaaS is breaking up the IT stack in novel ways, it is important that you review in detail how the contract provisions map to required controls and control opportunities.

According to the CSA Guidance, the likelihood of a fully negotiated contract is lower with PaaS than with either of the other service models. That’s because the core driver for most PaaS providers is to deliver a single capability with very high efficiency.

23
Q

How does using IaaS as a service model change governance and risk management?

A

This service model results in the customer having the most responsibility to configure controls, be they supplied by the provider (such as logging) or implemented by the customer (such as host-based firewalls in an instance).

The issue with governance and risk management lies in the orchestration and management layers supplied by the provider. As most IaaS is built on virtualization technology, the provider’s selection and configuration of the hypervisor and its subsequent ability to isolate workloads properly is completely out of your control. The only thing you can do about addressing potential isolation failure is to understand how the provider mitigates this possibility and make an informed decision in advance of using that provider. As you will likely have no access to audit these controls yourself, this becomes a document review exercise, assuming the provider is transparent with their processes.

24
Q

How does using the public cloud as a deployment model change governance and risk management?

A

Public Cloud - This model is very straightforward. A third party owns and manages the infrastructure, and the facilities are located outside of your data centre. Employees of the provider and possibly unknown subcontractors they engage manage everything. Fellow tenants are untrusted, as anyone with a credit card and a dream can run workloads alongside your workloads, possibly on the same hardware.

Remember that the provider (such as PaaS and SaaS) you have a contract with may be outsourcing some facilities to yet another party.

25
Q

How does using the private cloud as a deployment model change governance and risk management?

EXAM TIP: If you are asked a question about governance in a private cloud, pay attention to who owns and manages the infrastructure. An outsourced private cloud can incur much more change than insourced.

A

Governance in a private cloud boils down to one very simple question: which party owns and manages the private cloud? You could call a provider and have them spin up and manage a private cloud for you, or you could have your people install the private cloud automation and orchestration software to turn your data centre into a “private cloud.” In the event that your company owns and operates the private cloud, nothing changes. If, on the other hand, you have outsourced the build and management of your private cloud, you have a hosted private cloud, and you have to treat the relationship as you would any other third-party relationship. It will, however, be different from governance of a public cloud, because you are dealing with a one-to-one type of relationship. Just as you would with any other supplier contract, you have to make sure your provider is contractually obligated to do everything you want in advance. If you request something and the provider is not obligated to supply that service, you will likely face the dreaded “change order” charges as you would with any other supplier today.

26
Q

How does using the hybrid or community cloud as a deployment model change governance and risk management?

“Inflexible contracts are a natural property of multitenancy.”

A

With the hybrid and community cloud deployment models, you have two areas of focus for governance activities: internal and the cloud. With hybrid clouds, the governance strategy must consider the minimum common set of controls that make up the cloud service provider’s contract and the organization’s internal governance agreements. In both hybrid and community models, the cloud user is either connecting two cloud environments or a cloud environment and a data centre.

For community clouds specifically, governance extends to the relationships with those organizations that are part of the community that share the cloud, not just the provider and the customer. This includes community membership relations and financial relationships, as well as how to respond when a member leaves the community.

27
Q

There are advantages and disadvantages to managing enterprise risk for the cloud deployment models presented in this chapter. These factors are, as you would expect, more pronounced for a public cloud and a hosted private cloud:

A

Disadvantages
* You have less physical control over assets and their controls and processes. You don’t physically control the infrastructure or the provider’s internal processes.
* You have a greater reliance on contracts, audits, and assessments, as you lack day-to-day visibility or management.
* You lack direct control. This creates an increased requirement for proactive management of the relationship and adherence to contracts, which extends beyond the initial contract signing and audits. Cloud providers also constantly evolve their products and services to remain competitive, and these ongoing innovations may exceed, strain, or not be covered by existing agreements and assessments.

Advantage
* Cloud customers have a reduced need (and an associated reduction in costs) to manage risks that the cloud provider addresses under the shared responsibility model. You haven’t outsourced accountability for managing the risk, but you can certainly outsource the management of some risks.

28
Q

The European Network and Information Security Agency (ENISA) has published a “Cloud Computing Risk Assessment” document to assist with the assessment of risks in a cloud environment.

You are dealing with two types of risk management when you assess the cloud. These are:

A

The risk associated with the use of third-party cloud service providers.

The risk associated with the implementation of your systems in the cloud.

The fundamental aspects of risk management (covered earlier in the chapter) don’t change as a result of the cloud. The framework, processes, and tools for all aspects of governance, risk, and compliance (GRC) that you use today can and should be applied to a cloud environment. The biggest change to your GRC program as a result of adopting cloud services will rest in your initial and continued assessment of service providers.

29
Q

The initial supplier assessment sets the groundwork for the cloud risk management program. What are the steps?

A

1. Request or acquire documentation.
2. Review the provider’s security program and documentation.
3. Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider and your organization.
4. Evaluate the contracted service in the context of your information assets.
5. Separately evaluate the overall provider, such as its finances/stability, reputation, and outsourcers.

30
Q

What should you consider for vendor risk assessment?

A

* Don’t assume all services from a particular provider meet the same audit/assessment standards. You will have to assess the latest audit/assessment reports and determine whether a service you are considering was in scope and tested or not.
* Periodic assessments should be scheduled and automated if possible.

31
Q

What risk must be mitigated by a customer?

A

Risk accepted by the provider.

32
Q

Pat is looking for an industry-standard set of controls that are cloud-specific. What can Pat select controls from to create a baseline risk assessment process?

A

The CCM.

ISO 27001, NIST RMF, and COBIT are not suitable here - they aren’t cloud-specific.