CCSK Domain Two Flashcards

1
Q

What are the four main areas of cloud governance and risk management?

A

Governance, Enterprise Risk Management, Information Risk Management, Information Security

2
Q

What is included in governance?

A

Governance includes the policies, processes, and internal controls that comprise how an organisation is run.

3
Q

What is included in enterprise risk management?

A

Enterprise Risk Management includes managing the overall risk for the organisation, aligned to the organisation's risk tolerance.

4
Q

What is included in information risk management?

A

Information Risk Management covers managing the risk to information and information technology.

5
Q

What is information security?

A

Information Security is the tools and practices used to manage risk to information.

6
Q

Can you outsource governance?

A

No

7
Q

What is a limitation on organisational governance with public cloud?

A

Cloud providers have to create standardised services that are consistent across all customers. Governance models can't necessarily treat cloud providers the same way they would treat external service providers, which typically customise their offerings, including legal agreements, for each client. This means that the cloud customer often has to adjust their own processes, close the gaps, or accept the associated risks.

8
Q

What are the three main tools of governance?

A

Contracts, Supplier Assessments, Compliance Reporting

9
Q

Describe the use of contracts as a tool of governance.

A

Contracts: These are the primary tool of governance. The contract is your only guarantee of any level of service and commitment, assuming there is no breach of contract. Contracts are the primary tool to extend governance into business partners and providers.

10
Q

Describe the use of supplier assessments as a tool of governance.

A

Supplier Assessments: These assessments are performed by the potential cloud customer using available information and allowed processes and techniques. They combine contractual and manual research with third-party attestations.

11
Q

Describe the use of compliance reporting as a tool of governance.

A

Compliance Reporting: Includes all the documentation on a provider's internal and external compliance assessments. These are reports from audits of controls, which an organisation can perform on itself, a customer can perform on a provider, or can be performed by a trusted third party.

Standards like SSAE 16 have a defined scope which includes what is assessed as well as which controls are assessed.

The Cloud Security Alliance STAR registry is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. Some providers also disclose documentation for additional certifications and assessments.

12
Q

Describe the risk relationship between the cloud user and the cloud provider.

A

The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the provider.

13
Q

Describe a crucial difference between governance and ERM.

A

Governance is almost always focused on contracts; risk management can delve deeper into the technology and process capabilities of the provider, based on their documentation.

14
Q

How does SaaS affect governance and risk?

A

SaaS presents the most critical need for a negotiated contract. Such a contract will protect the ability to govern or validate risk as it relates to data stored, processed and transmitted with and in the application. SaaS providers tend to cluster at either end of the size/capability spectrum, and the likelihood of a negotiated contract is much higher when dealing with a small SaaS provider. However, small providers don't always operate at the necessary scale.

15
Q

How does PaaS affect governance and risk?

A

The likelihood of a negotiated contract is lower here than in either of the other service models. That's because the core driver for most PaaS is to deliver a single capability with high efficiency. PaaS is typically delivered with a rich API.

16
Q

How does IaaS affect governance and risk?

A

IaaS represents the closest thing that the cloud comes to a traditional data centre. The vast majority of existing governance and risk management activities that organisations have already built and utilise are directly transferable.

17
Q

How does public cloud affect governance and risk?

A

Cloud customers have a reduced ability to govern operations in a public cloud, since the provider is responsible for the management and governance of their infrastructure, employees and everything else. Customers also have a reduced ability to negotiate contracts, which impacts how they extend their governance model into the cloud. Inflexible contracts are a natural by-product of multi-tenancy: providers can't necessarily adjust contracts and operations for each customer, as everything runs off one set of resources using one set of processes. Adapting for different customers increases costs.

18
Q

How does private cloud affect governance and risk?

A

If the private cloud provider is a third party, then governance will be similar to that of any outsourced provider. There will be shared responsibilities and obligations that are defined in the contract. Although you may have more control over the contractual terms, they are usually scoped to cover only a minimum level of provision, with anything over and above being an extra charge.

19
Q

How do hybrid and community cloud affect governance and risk?

A

The governance strategy must consider the minimum controls comprised of the provider's contract and the organisation's internal governance agreements. In community cloud, governance will stretch to the members of the community.

20
Q

In supplier assessment, what are the five main steps?

A

Request and acquire documentation
Review the security program and documentation
Review legal, regulatory, contractual and jurisdictional requirements for both the provider and yourself
Evaluate the contracted service
Evaluate the provider in terms of finance, stability and reputation

21
Q

What is the main task you should always do in the cloud for governance?

A

Run periodic scheduled automated audits on any foundational standards and documentation.
