CCSP: Domain 5 - Vendor Management

Question 1

What are the steps in the vendor management lifecycle? (4)

Answer 1

1. vendor selection
2. onboarding
3. maintenance
4. offboarding

Question 2

What are the common clauses and sections found in cloud service agreements? (8)

Answer 2

1. definition of terms
2. performance metrics and remedies
3. data ownership
4. compliance obligations
5. assurance
6. indemnification
7. termination
8. litigation

Question 3

Why does a contract need definition of terms?

Answer 3

it has to be clear what do the used terms mean; e.g. what exactly is meant by outage?

Question 4

What are Service Level Management practices?

Answer 4

cloud customer monitoring vendor’s compliance with SLAs

Question 5

What should a contract specify, when it comes to data ownership?

Answer 5

customer retains any data that it uses in the cloud service

Question 6

What do cloud vendor compliance obligations entail in a contract?

Answer 6

the contract needs to include all the compliance regulations and laws that the cloud customer is subject to and therefore cloud provider needs to be too

Question 7

What does assurance entail in cloud contracts?

Answer 7

ability to implement assurance measures that allow to verify, that the vendor is living up to its obligations under the contract

Question 8

What does litigation need to cover in contracts?

Answer 8

the jurisdiction of the litigation

Question 9

What does scoping mean in the context of engaging and selecting cloud vendor?

Answer 9

term used for only including departments or units impacted by the cloud engagement

Question 10

When choosing a CSP, it is important to evaluate several factors to understand the risk. What are the questions that need to be asked?

Answer 10

1. Is the provider subject to takeover or acquisition?
2. How financially stable is the provider?
3. In what legal jurisdictions are the provider’s offices located?
4. Are there outstanding lawsuits against the provider?
5. What pricing protections are in place for services contracted?
6. How will a provider satisfy any regulatory or legal compliance requiremetns?
7. What does failover, backup and recovery look like for a provider?

Question 11

What framework is provided by CSA to evaluate risk in CSPs?

Answer 11

CSA STAR (Security, Trust, Assurance, Risk)

Question 12

What does the CSA STAR (Security, Trust, Assurance, Risk) contain?

Answer 12

evaluations of cloud services against the CSA’s cloud control matrix (CCM)

Question 13

What kind of assessments can be used with CSA STAR (Security, Trust, Assurance, Risk)?

Answer 13

self-assessment or third-party assessment; affects the level of assurance (self - low, 3rd party - high)

Question 14

What wieght does the CSA STAR (Security, Trust, Assurance, Risk) have?

Answer 14

lightweight, lower assurance cetification for the CSPs that use it

Question 15

What is island hopping attack?

Answer 15

attack on an organization through a compromised vendor

Question 16

Vendor management overlaps with what practices?

Answer 16

Supply Chain Risk Management (SCRM)

Question 17

Vendor management includes activities related to what type of risks?

Answer 17

operational