CCSP Book Chapter 2: Design Requirements Flashcards
1
Q
Business Requirements Analysis - for proper risk analysis, we need to know the following
- Inventory of Assets
- Valuation of each Asset
- A determination of critical paths, processes, and assets
- A clear understanding of risk appetite
A
- Inventory of Assets - assets can be tangible (HW, buildings, cars, personnel) or intangible (Intellectual Property, public perception, etc); inventory of assets is the first step, we need to know what there is in order to protect it; Methods include surveys, interviews, audits, etc;
- Valuation of each Asset - need to know value so we know how much money to spend in protecting those assets; AKA Business Impact Analysis (BIA); determine the value, usually in terms of money or it can be priority/rank, customer perception, etc. We also need to determine what it would cost the organization if we lost that asset (temporarily or permanently), cost to repair/replace, and alternate methods if asset is lost; There are various ways to assign cost, i.e. through insured value, replacement cost, etc; usually data owner determines the value of their data, however there is risk b/c they tend to overvalue; ask anyone whose department is the most important and they will say theirs is.
- A determination of critical paths, processes, and assets - determined by senior mgmt; criticality identifies the assets the organization cannot operate or exist without; includes determining Single Points of Failure (SPOFs); methods to deal with SPOFs include redundancy, alternative processes, cross-training personnel, backing up data, load balancing; a benefit of cloud is that there are no SPOFs due to robust and resilient service; NOTE: all SPOFs are part of critical aspects, but not all critical aspects are SPOFs; Examples: (Tangible - cars in a car business) (Intangible - intellectual property of music in a music company) (Processes - fast food restaurant cash registers fail) (Data Paths - international shipping line cannot match orders to cargo carriers) (Personnel - if the surgeon cannot operate, no surgery can take place)
- A clear understanding of risk appetite - the amount of risk that an organization finds acceptable; Risk is the likelihood that an impact will occur; risk can be reduced but never eliminated; organizations can accept risk, which allows operations to continue; organizations can accept higher risk for most things except risk to health and human safety; organizations must adhere to industry standards for health and human safety, otherwise it is unethical; few exceptions such as the military
2
Q
4 ways to address risk
A
- Avoidance - risk is too high and there are no compensating methods to put in place; not really a method for handling risk; the risk is above the organization’s risk appetite
- Acceptance - the risk falls within the organization's risk appetite and therefore the organization can continue operations without any additional efforts
- Transference - paying someone to accept the risk, at a lower cost than the potential impact; i.e. INSURANCE. This risk is usually low probability with a high impact, like a hurricane
- Mitigation - decreasing the likelihood and/or impact of risk through countermeasures; when reducing the risk to the organization’s risk appetite, the leftover risk is called RESIDUAL RISK;
3
Q
Security Considerations for each cloud service - determining boundaries for a traditional environment is much easier than for a cloud environment
- IaaS
- PaaS
- SaaS
- General Considerations for all 3
A
- IaaS - customers entrust the CSP with the acquisition process; customers may not monitor traffic or the network, or install sensors or monitoring equipment, if the CSP does not allow it; this makes auditing difficult; the customer is still able to gather event logs for the OS and applications; It is highly advisable that the customer have early communication with regulators and the CSP prior to migration to figure out constraints and requirements
- PaaS - customers lose further control as the CSP is responsible for the HW and now the OS
- SaaS - CSP has control of the environment including the SW; Customer only controls the data; in comparison to a legacy environment, the cloud customer has taken the roles and responsibilities of what a common user would have in a legacy environment (few admin rights, few privileged accounts, and few permissions/responsibilities)
- General Considerations for all 3 (IaaS, PaaS, SaaS) - the customer is giving up an essential form of control: physical access; this is a huge risk b/c anyone who can physically access the data center can take the data with or without permission; the customer can reduce risk by ensuring the CSP does strict background checks, continuous monitoring of personnel access, extreme physical security measures, encryption of data processed, and assignment of contractual liability to the CSP (keep in mind LEGAL liability is always with the customer); Residual (or leftover) risk from losing physical access always remains, even with controls in place;
4
Q
Design Principles for Protecting Sensitive Data
- Hardening Devices
- Encryption
- Layered Defenses
A
- Hardening Devices - similar to traditional environment where devices in DMZ (public facing and connects to outside world) need to be hardened (i.e. Remove guest accounts, close unused ports, no default PWs, strong PW policy, admin accounts secured and logged, unnecessary services disabled, physical access limited and controlled, systems patched); Customers should also consider putting the same measures as if users were BYOD (i.e. anti-malware SW, remote wipe/lock, strong access control like 2FA, VPN, DLP, containerization)
- Encryption - encrypt data at rest (backups, long term storage, snapshots of virtualized instances, etc), secure sanitization, secure sessions, and ensure integrity and confidentiality of data in transit
- Layered Defenses - aka Defense in Depth; multiple layers of defense; i.e. for CSP - strong personnel controls like background checks, strong technical controls like encryption, event logging, access control, strong physical controls; for Customer - training, contractual enforcement of policy requirements, use of encryption and logical isolation for BYOD, strong remote access control methods including 2FA
5
Q
- Administrative Control
- Technical Control
- Physical Control
A
- Administrative Control - i.e. a Process
- Technical Control - i.e. keystroke logging (unless done for malicious reasons, in which case it is considered an attack), biometric authentication, firewall
- Physical Control - i.e. door lock