5. Cloud information Governance domains - DONE Flashcards

1
Q

What is the definition of information/data governance?

A

CSA - “Ensuring the use of data and information complies with organizational policies, standards and strategy—including regulatory, contractual, and business objectives.”

*NIST - “A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision-making parameters related to the data produced or managed by the enterprise.”

2
Q

As covered in the NIST definition, information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance, all of which must be in place to ensure that data is secured appropriately:

List them

A

*Ownership and custodianship
*Information classification
*Information management policies
*Location and jurisdiction policies
*Authorizations
*Contractual controls
*Security controls

3
Q

Information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance.

Describe Ownership and custodianship

A

*Ownership and custodianship - Your company is always legally accountable if anything happens to data that you are in control of.

4
Q

Information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance.

Describe Information classification

A

*Information classification - Classification can serve as decision criteria as to where data can and should be stored and processed. From a cloud perspective, this classification may determine whether or not the information can be stored in the cloud. You may not have used information classification systems in the past, but this is the basis upon which all future cloud-based information governance decisions should depend.

5
Q

As covered in the NIST definition, information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance, all of which must be in place to ensure that data is secured appropriately:

Describe Information management policies

A

This directive control states how data and information should be managed. As available controls can widely vary based on SPI tiers (SaaS, PaaS, IaaS) and the providers themselves, acceptable service models and controls made available by the provider for the different classifications used in your organization should be considered. For instance, if you require encryption of data at rest and your SaaS provider doesn’t offer it, you should find a different provider for such data.

6
Q

As covered in the NIST definition, information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance, all of which must be in place to ensure that data is secured appropriately:

Describe Location and jurisdiction policies

A

As you know, the cloud can be global, and different jurisdictions have different requirements. Any geographical considerations must be part of your information governance. This can be addressed as part of your information management policies or as a stand-alone policy, but acceptable locations and jurisdictions must be addressed by your organization.

7
Q

As covered in the NIST definition, information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance, all of which must be in place to ensure that data is secured appropriately:

Describe Authorizations

A

This covers who is allowed to access certain information and/or data and how the concepts of least privilege and segregation of duties are addressed. The concept of authorizations doesn’t change for cloud-based systems compared to traditional data centers, but the importance of authorizations is much greater in a cloud environment, because, in some cases, authorizations may be the only control exposed to you by a provider and you will not be able to rely on physical controls as a form of compensating control (for example, for data accessible only from inside the building).

8
Q

As covered in the NIST definition, information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance, all of which must be in place to ensure that data is secured appropriately:

Describe Contractual controls

A

These are your company’s only legal tools to ensure that appropriate governance requirements are implemented and followed by the cloud provider.

9
Q

As covered in the NIST definition, information governance consists of a series of processes to manage data formally throughout the enterprise. The processes involved are broken down into the following domains of information governance, all of which must be in place to ensure that data is secured appropriately:

Describe Security controls

A

These tools are required to implement data governance. Controls exposed to customers, and how these controls are configured, will vary based on the provider and potentially the service you are consuming.

10
Q

What is the data security lifecycle?

A

The data security lifecycle is a CSA modelling tool that is based on the common IM lifecycle, but the CSA tool focuses on security aspects and locations throughout the various stages of creation through the ultimate disposal of the lifecycle.

You must understand that this lifecycle is meant to be a high-level framework. The goal here is to use the lifecycle to understand controls that should be implemented to stop a possible security breach from happening. It is not meant to be applied to every bit of data throughout your organization, because, quite frankly, that would drive everyone off the deep end.

11
Q

There are six stages in the data security lifecycle:

A

*Create - Data is created or existing content is modified.
*Store - Data is committed to some form of storage repository.
*Use - Data is viewed, processed, or otherwise used in some way. This doesn’t include data modification, because that’s jumping back to the creation of a new file.
*Share - Data is made available to other parties.
*Archive - The data’s useful life is over, but it may be kept to address regulatory or legal requirements, for example.
*Destroy - Data is deleted from storage.

12
Q

Data (be it structured or unstructured) doesn’t go through all the phases in order, nor does it need to go through all the stages.

Give an example:

A

For example, you can create a document and share it with others, who make changes. After the changes have been made, a new file has basically been created. Using this example, you can easily see how data can jump back and forth between the stages.

13
Q

What are some possible controls for each phase of the data security lifecycle?

A
14
Q

Crypto shredding is in the delete phase of the data security lifecycle. Why is it important?

A

It is essentially impossible to be certain that data in a cloud is actually deleted when you press the DELETE key. If your risk tolerance requires that you have certainty that data can never be retrieved once deleted, you can implement crypto shredding.

15
Q

What is crypto shredding?

A

In theory, crypto shredding is the process of storing encrypted data with an encryption key and then simply deleting the data and the encryption key that was used to encrypt the data in the first place. I’m sure you can see the complexity involved with all of these data keys being generated, tracked, and destroyed. It’s great in theory, but basically impossible in real life.

16
Q

Since crypto shredding is impossible, what is an alternative?

A

To that end, you’re going to have to look at the provider’s documentation to understand how a cloud service provider sanitizes data once it’s deleted (aka disk wiping). In most cases, you’ll find they may “zeroize” the data, meaning they overwrite the bits that were used with a bunch of zeros before it is released back into the storage resource pool. The number of times they do this (called passes), however, is likely limited and may not meet your organization’s media sanitization policy.

17
Q

How should locations determine how you store data?

A

When considering locations, you must think not only about where the data resides (in the cloud or in a traditional data center) but also where the access device is located (local or remote). As you can easily imagine, data stored in a cloud environment can be easily created and used from anywhere in the world if there are no controls in place to stop this from happening. Data stored in a data center today might be in a cloud environment tomorrow, and vice versa.

Perhaps you have a requirement stating that all data held in the cloud must be encrypted at rest, but data in your own data center doesn’t have that requirement. Take that initial requirement a step further: Does this now mean that data should not be used in the cloud as well? After all, data needs to be unencrypted to be processed (until homomorphic encryption becomes a viable technology). This means that you now have different controls based on the location of the data, which means you have multiple data security lifecycles. Now see what I mean about needing to keep the discussion at a high level?

18
Q

“You simply have two things to consider regarding these entitlements:”

A

Who is accessing the data, and how do they access it? If you don’t want someone or something (an actor) to do something (a function) with data, you need to apply a control to stop it from happening.

19
Q

What functions are possible in this data security lifecycle?

A

*Accessing the data - You need to access a data set to read, update, use, share, archive, and destroy data.
*Processing the data - This involves being able to transact, or work with, the data—for example, updating a client record or performing a business transaction.
*Storing the data - Finally, you need the ability to store data if you’re going to commit it to storage.

20
Q

When associating a function to an actor, which of the following is used to restrict a list of possible actions down to allowed actions?

A

A control restricts a list of possible actions down to allowed actions.

The table shows one way to list the possibilities, which the user then maps to controls.

21
Q
A

“As a result of the location change, the business decision was made that data would be available to anyone only as read-only access and would not be updatable. Same data, different location, which leads us to having multiple data security lifecycles.”

22
Q

What is the main aim of the data security lifecycle?

A

The main goal of the data security lifecycle as far as the CCSK exam goes is not to know every possible control to limit every possible action by any possible actor on every possible data set (or the validity of doing so!). The goal for the exam is to understand that you have basic functions that map to phases of the data lifecycle. Based on the location of the data or the access device (that’s the key for the exam!), you may have different data security lifecycles.

23
Q

What factors should be considered about the data specifically due to regulatory, contractual and other jurisdictional issues?

A

Logical and physical locations of data

Data is accessed and stored in multiple locations, each with its own lifecycle