CCSK-Combined Flashcards
What are the five essential characteristics of cloud computing as defined by NIST?
Broad Network Access
Rapid Elasticity
Measured Service
On-Demand Self Service
Resource Pooling
The level of attention and scrutiny paid to enterprise risk assessments should be directly related to what?
The value at risk
In the majority of data protection laws, when the data is transferred to a third party custodian, who is ultimately responsible for the security of the data?
The Data Controller
What is the most important reason for knowing where the cloud service provider will host the data?
So that the customer can address the specific restrictions that foreign data protection laws may impose on data held in that jurisdiction.
What are the six phases of the data security lifecycle?
Create
Store
Use
Share
Archive
Destroy
Why is the size of data sets a consideration in portability between cloud service providers?
The sheer size of data may cause an interruption of service during a transition, or a longer transition period than anticipated.
What are the four D’s of perimeter security?
Deter
Detect
Delay
Deny
In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the customers?
In multi-tenant environments the operator or provider cannot normally accommodate visits by every customer to conduct an audit.
What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application level incidents?
SaaS providers that generate extensive customer-specific application logs and provide secure storage as well as analysis facilities will ease the IR burden on the customer.
How should an SDLC be modified to address application security in a Cloud Computing environment?
Organizations must adopt best practices for development, either by having a good blend of processes, tools, and technologies of their own or adopting one of the maturity models.
What is the most significant reason that customers are advised to maintain in-house key management?
To be able to prove that all data has been rendered unrecoverable in the public cloud environment when exiting that environment: if the customer alone holds the encryption keys, destroying those keys makes every copy the provider still retains unreadable.
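The exit scenario behind this card, as an added example that is not part of the original flashcard set: a customer-operated key store (the hypothetical KeyVault type below, with constructed tenant and record values) encrypts data before it goes to the provider, and at exit the customer destroys the key rather than trusting the provider's deletion. The provider's copy of the ciphertext is unchanged but can no longer be opened, which is what "crypto-shredding" means.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyVault stands in for a customer-operated (in-house) key store.
// The cloud provider only ever sees ciphertext plus a key identifier.
type KeyVault struct {
	keys map[string][]byte
}

func NewKeyVault() *KeyVault { return &KeyVault{keys: map[string][]byte{}} }

// Generate creates a 256-bit AES key that is held only in the vault.
func (v *KeyVault) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	v.keys[id] = k
	return nil
}

// Destroy zeroizes and drops the key: the crypto-shredding step taken at exit.
func (v *KeyVault) Destroy(id string) {
	if k, ok := v.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, id)
	}
}

func (v *KeyVault) aead(id string) (cipher.AEAD, error) {
	k, ok := v.keys[id]
	if !ok {
		return nil, errors.New("key destroyed or unknown: " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce||ciphertext, the blob handed to the provider for storage.
// The key id is bound as associated data so a blob cannot be replayed under another key.
func (v *KeyVault) Encrypt(id string, plaintext []byte) ([]byte, error) {
	g, err := v.aead(id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Decrypt opens a blob produced by Encrypt; it fails once the key is destroyed.
func (v *KeyVault) Decrypt(id string, blob []byte) ([]byte, error) {
	g, err := v.aead(id)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// ShredDemo walks the exit scenario: encrypt, confirm readable, destroy the key,
// confirm the provider's retained copy is now unrecoverable. Returns true on success.
func ShredDemo() (bool, error) {
	v := NewKeyVault()
	const tenant = "tenant-42"                                      // constructed key id
	record := []byte("constructed sample record: account 0000-0000") // constructed input
	if err := v.Generate(tenant); err != nil {
		return false, err
	}
	blob, err := v.Encrypt(tenant, record)
	if err != nil {
		return false, err
	}
	if got, err := v.Decrypt(tenant, blob); err != nil || string(got) != string(record) {
		return false, errors.New("round trip failed before shredding")
	}
	v.Destroy(tenant)
	// blob still exists exactly as the provider stored it; only the key is gone.
	_, err = v.Decrypt(tenant, blob)
	return err != nil, nil
}

func main() {
	ok, err := ShredDemo()
	fmt.Println("data unrecoverable after key destruction:", ok, "error:", err)
}
```

The check a practitioner wants is the last Decrypt call: after Destroy it must fail, and it fails regardless of how many backups or snapshots the provider still holds. The weak point this design depends on is that the key never left the vault, which is exactly why the card recommends keeping key management in-house.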
What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity?
PII - Personally Identifiable Information
SPI - Sensitive Personal Information
Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?
Virtual machines on the same host may communicate with each other over the hypervisor's backplane (its virtual switch) rather than over the physical network, so traffic never reaches a network-based monitoring point.
When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
Agreement on the metrics defining the service level required to achieve regulatory objectives
Economic Denial of Service (EDoS) refers to what?
Attacks that exhaust a customer's economic resources by driving up metered cloud consumption; the worst case would be bankruptcy of the customer or a serious economic impact.
How does SaaS alleviate much of the consumer’s direct operational responsibility?
The provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.
In Europe, name the group that has enacted data protection laws and the principles on which they follow.
The European Economic Area (EEA) Member States follow principles set forth in the 1995 European Union (EU) Data Protection Directive and the 2002 ePrivacy Directive as amended in 2009.
What is the minimum that U.S. state laws require when using a Cloud Service Provider?
A written contract with the service provider that requires reasonable security measures.
What must be included between an organization and a Cloud Service Provider when the organization has contractual obligations to protect the personal information of their clients, contacts or employees, to ensure that the data are not used for secondary use and are not disclosed to third parties?
The organization must ensure contractually that it will have the continued ability to meet the promises and commitments that it made in its privacy notice(s) or other contracts.
What is a click-wrap agreement?
A non-negotiated contract
How does an organization respond to the evolving nature of the cloud environment?
Periodic monitoring, testing, and evaluation of the services.
What must a U.S. litigant provide during e-discovery?
All documents that pertain to the case, whether favorable to its own position or to the other litigant's.
What is ESI?
Electronically Stored Information
What are four considerations for a cloud customer to understand in reference to regulatory compliance?
- Cross-border or multi-jurisdiction
- Assignment of compliance responsibilities, including the CSP's providers
- CSP capability to show compliance
- Relationship between all parties, including customer, CSP, auditors and CSP's providers