CCSK Domain Two Flashcards
What are the four main areas of cloud governance and risk management?
Governance, Enterprise Risk Management, Information Risk Management, Information Security
What's included in governance?
Governance includes the policies, processes, and internal controls that comprise how an organisation is run.
What's included in enterprise risk management?
Enterprise Risk Management includes managing the overall risk for the organisation, aligned to the organisation's risk tolerance.
What is included in information risk management?
Information Risk Management covers managing the risk to information and information technology.
What is information security?
Information Security is the tools and practices to manage risk to information.
Can you outsource governance?
No
What is a limitation on organisational governance with public cloud?
Cloud providers have to create standardised services that are consistent across all customers. Governance models can't necessarily treat cloud providers the same way they would treat external service providers, which typically customise their offerings, including legal agreements, for each client. This means that often the cloud customer has to adjust their own processes to close the gaps, or accept the associated risks.
What are the three main tools of governance?
Contracts, Supplier Assessments, Compliance Reporting
Describe the use of contracts as a tool of governance.
Contracts: These are the primary tool of governance. The contract is your only guarantee of any level of service or commitment, assuming there is no breach of contract. Contracts are the primary tool to extend governance into business partners and providers.
Describe the use of supplier assessments as a tool of governance.
Supplier Assessments: These assessments are performed by the potential cloud customer using available information and allowed processes and techniques. They combine contractual and manual research with third-party attestations.
Describe the use of compliance reporting as a tool of governance.
Compliance Reporting: Includes all the documentation on a provider's internal and external compliance assessments. These are reports from audits of controls, which an organisation can perform itself, a customer can perform on a provider, or a trusted third party can perform on the organisation's behalf.
Standards like SSAE 16 have a defined scope, which includes what is assessed as well as which controls are assessed.
The Cloud Security Alliance STAR registry is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. Some providers also disclose documentation for additional certifications and assessments.
Describe the risk relationship between the cloud user and cloud provider.
The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the provider.
Describe a crucial difference between governance and ERM.
Governance is almost always focussed on contracts; risk management can delve deeper into the technology and process capabilities of the provider, based on their documentation.
How does SaaS affect governance and risk ?
SaaS has the most critical need for a negotiated contract. Such a contract will protect the ability to govern or validate risk as it relates to data stored, processed and transmitted with and in the application. SaaS providers tend to cluster at either end of the size/capability spectrum, and the likelihood of a negotiated contract is much higher when dealing with a small SaaS provider. However, small providers don't always operate at the necessary scale.
How does PaaS affect governance and risk ?
The likelihood of a negotiated contract is lower here than in either of the other service models. That's because the core driver for most PaaS is to deliver a single capability with high efficiency. PaaS is typically delivered with a rich API.