CCSK Domain Two Flashcards
What are the four main areas of cloud governance and risk management?
Governance, Enterprise Risk Management, Information Risk Management, Information Security
What is included in governance?
Governance includes the policies, processes, and internal controls that comprise how an organisation is run.
What is included in enterprise risk management?
Enterprise Risk Management includes managing the overall risk for the organisation, aligned to the organisation's risk tolerance.
What is included in information risk management?
Information Risk Management covers managing the risk to information and information technology.
What is information security?
Information Security is the tools and practices used to manage risk to information.
Can you outsource governance?
No. Responsibility for governance always stays with the organisation, even when operations are outsourced.
What is a limitation on organisational governance with public cloud?
Cloud providers have to create standardised services that are consistent across all customers. Governance models cannot necessarily treat cloud providers the same way they would treat traditional external service providers, which typically customise their offerings, including legal agreements, for each client. This means that the cloud customer often has to adjust their own processes to close the gaps, or accept the associated risks.
What are the three main tools of governance?
Contracts, Supplier Assessments, Compliance Reporting
Describe the use of contracts as a tool of governance.
Contracts: These are the primary tool of governance. The contract is your only guarantee of any level of service and commitment, assuming there is no breach of contract. Contracts are the primary tool for extending governance into business partners and providers.
Describe the use of supplier assessments as a tool of governance.
Supplier Assessments: These assessments are performed by the potential cloud customer using available information and allowed processes and techniques. They combine contractual and manual research with third-party attestations.
Describe the use of compliance reporting as a tool of governance.
Compliance Reporting: Includes all the documentation on a provider's internal and external compliance assessments. They are reports from audits of controls, which an organisation can perform on itself, a customer can perform on a provider, or either can have performed by a trusted third party.
Standards like SSAE 16 have a defined scope, which includes what is assessed as well as which controls are assessed. Always check that the scope of a report actually covers the services and controls you rely on.
The Cloud Security Alliance STAR registry is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and the Consensus Assessments Initiative Questionnaire. Some providers also disclose documentation for additional certifications and assessments.
Describe the risk relationship between the cloud user and the cloud provider.
The cloud user is ultimately responsible for, and retains ownership of, the risks; they only pass on some of the risk management activities to the provider.
Describe a crucial difference between governance and ERM.
Governance is almost always focused on contracts; risk management can delve deeper into the technology and process capabilities of the provider, based on the provider's documentation.
How does SaaS affect governance and risk?
SaaS has the most critical need for a negotiated contract. Such a contract will protect the ability to govern or validate risk as it relates to data stored, processed and transmitted with and in the application. SaaS providers tend to cluster at either end of the size/capability spectrum, and the likelihood of a negotiated contract is much higher when dealing with a small SaaS provider. However, small providers do not always operate at the necessary scale.
How does PaaS affect governance and risk?
The likelihood of a negotiated contract is lower here than in either of the other service models. That is because the core driver for most PaaS is to deliver a single capability with high efficiency. PaaS is typically delivered with a rich API.
How does IaaS affect governance and risk?
IaaS represents the closest thing the cloud comes to a traditional data centre. The vast majority of existing governance and risk management activities that organisations have already built and use are directly transferable.
How does public cloud affect governance and risk?
Cloud customers have a reduced ability to govern operations in a public cloud, since the provider is responsible for the management and governance of its infrastructure, employees and everything else. Customers also have a reduced ability to negotiate contracts, which impacts how they extend their governance model into the cloud. Inflexible contracts are a natural by-product of multi-tenancy: providers cannot necessarily adjust contracts and operations for each customer, as everything runs off one set of resources using one set of processes. Adapting for different customers increases costs.
How does private cloud affect governance and risk?
If the private cloud provider is a third party, then governance will be similar to that of any outsourced provider. There will be shared responsibilities and obligations that are defined in the contract. Although you may have more control over the contractual terms, they are usually scoped to cover only a minimum level of provision, with anything over and above being an extra charge.
How do hybrid and community clouds affect governance and risk?
The governance strategy must consider the minimum controls comprised of the provider's contract and the organisation's internal governance agreements. In a community cloud, governance will stretch to the members of the community.
In supplier assessment, what are the five main steps?
Request and acquire documentation
Review the security program and documentation
Review the legal, regulatory, contractual and jurisdictional requirements for both the provider and yourself
Evaluate the contracted service
Evaluate the provider in terms of finance, stability and reputation
What is the main task you should always do in the cloud for governance?
Run periodic, scheduled, automated audits against any foundational standards and documentation, since a provider's posture and the scope of its attestations can change after the initial assessment.