Chapter 2 – Design Requirements Flashcards

1
Q

Business Requirements Analysis

A

inventory of all assets; valuation of each asset (BIA, data owners determine value; head of department); determination of critical paths (made by senior management; SPOFs), processes, and assets; clear understanding of risk appetite (set by senior management)

2
Q

SPOFs (Single Points of Failure) methods

A

Quantitative, Qualitative, and Risk

3
Q

Quantitative Risk Assessment

A

use specific numerical values such as 1, 2, and 3; employ a set of methods, principles, or rules for assessing risk

4
Q

Qualitative Risk Assessment

A

use nonnumerical categories that are relative in nature; high, medium, and low; employ a set of methods, principles, or rules for assessing risk

5
Q

Risk

A

likelihood an impact will be realized; can be reduced, never eliminated; orgs can accept a level of risk that allows operations to continue in a successful manner; legal and defensible to accept risks higher than the norm/greater than your competitors (except risk to health and human safety, must be addressed to industry standard/regulatory scheme)

6
Q

four main ways to address risk

A

Avoidance, Acceptance, Transference, Mitigation, and Residual Risk.

7
Q

Security Considerations for Cloud IaaS

A

customer has the most responsibility and authority; provider is responsible for building, land, connectivity, power, and hardware assets; makes auditing difficult because they cannot set up network monitoring for policy and regulatory compliance, but customers can collect and review event logs from the software (OS too)

8
Q

Security Considerations for Cloud PaaS

A

same as IaaS, but provider controls the OSs; customer can still monitor and review software events because the programs running on the OS belong to them

9
Q

Security Considerations for Cloud SaaS

A

customer only supplies and processes data; security controls are limited because provider supplies all needs of customer
