Chapter 5 Flashcards
1. According to the Cloud Security Alliance (CSA), which of the following domains deals with privacy and regulatory requirements as well as security breach disclosure law?
A. compliance and audit
B. legal and electronic discovery
C. data center operations
D. virtualization
B. legal and electronic discovery
2. According to the Cloud Security Alliance (CSA), which of the following domains deals with the identification and control of data in the cloud?
A. information lifecycle management
B. portability and interoperability
C. application security
D. traditional security, business continuity and disaster recovery
A. information lifecycle management
3. According to the Cloud Security Alliance (CSA), which of the following domains deals with the issues encountered when extending an organization’s identity into the cloud?
A. incident response, notification and remediation
B. application security
C. identity and access management
D. legal and electronic discovery
C. identity and access management
4. According to the Cloud Security Alliance (CSA), which of the following domains looks at the ability to move data/services from one provider to another?
A. identity and access management
B. encryption and key management
C. application security
D. portability and interoperability
D. portability and interoperability
5. Which of the following is a governance recommendation for organizations considering cloud computing?
A. Metrics for determining performance and efficacy should be established before moving into the cloud.
B. Collaborative governance structures between customers and providers should be identified as necessary.
C. A portion of the savings from cloud computing should be invested into auditing the security of the service provider.
D. All of the above.
D. All of the above.
6. Which of the following statements regarding governance in cloud computing is NOT true?
A. Security metrics and standards should be included in service level agreements and contracts.
B. Both customers and providers should develop robust governance if an infrastructure as a service (IaaS) model is being used.
C. Deployment models define accountability and expectations of users and providers.
D. Provider’s information security controls should be risk-based.
B. Both customers and providers should develop robust governance if an infrastructure as a service (IaaS) model is being used.
7. With many cloud computing deployments, which of the following plays a large role in risk management?
A. contract requirements
B. service level agreements
C. provider documentation
D. all of the above
D. all of the above
8. Certain cloud service providers may restrict which of the following?
A. penetration testing
B. access to audit logs
C. vulnerability assessments
D. all of the above
D. all of the above
9. The risk management approach for organizations moving to the cloud should include all of the following, EXCEPT:
A. development of risk treatment plans with a universal response option
B. identification and analysis of threats and vulnerabilities
C. identification and valuation of assets
D. outcomes of risk treatment plans included in service agreements
A. development of risk treatment plans with a universal response option
10. Aligning exposure to risk and capability of managing it with the risk tolerance of the data owner is referred to as:
A. information treatment planning
B. information risk management
C. information lifecycle management
D. information development design
B. information risk management
11. The primary means of decision support for information technology resources is:
A. information lifecycle management
B. information risk management
C. risk comparison management
D. both A and B
B. information risk management
12. Information risk decisions are informed by which of the following data?
A. information usage
B. security controls
C. access controls
D. all of the above
D. all of the above
13. When utilizing SaaS (software as a service), the majority of information is provided by:
A. the user
B. the service provider
C. the organization
D. the governance body
B. the service provider
14. Information transparency is built into the contract language when using:
A. software as a service
B. platform as a service
C. infrastructure as a service
D. both A and C
C. infrastructure as a service
15. The ability to deploy and gather information from controls is important when using:
A. software as a service
B. platform as a service
C. infrastructure as a service
D. all of the above
B. platform as a service
16. Which of the following statements is NOT true of third party management practices?
A. Clients should view cloud services and security as supply chain security issues.
B. Assessments of third party service providers should only focus on incident management, disaster recovery and business continuity processes.
C. A comprehensive assessment should be made of the provider’s information security governance, risk management and compliance practices.
D. Both A and C
B. Assessments of third party service providers should only focus on incident management, disaster recovery and business continuity processes.
17. A comprehensive analysis of legal issues related to cloud computing includes consideration of all the following dimensions, EXCEPT:
A. contractual
B. operational
C. functional
D. jurisdictional
B. operational
18. Which of the following legal dimensions involves determining whether the cloud functions/services have legal implications for stakeholders?
A. obligational
B. operational
C. foundational
D. functional
D. functional
19. Which of the following legal dimensions involves how governments administer laws/regulations that impact cloud computing stakeholders?
A. jurisdictional
B. legislational
C. regulatory
D. compliance
A. jurisdictional
20. Which of the following legal dimensions involves the contract structures and enforcement mechanisms for addressing/managing legal issues in cloud computing?
A. jurisdictional
B. compliance
C. contractual
D. documentation
C. contractual
21. Cloud computing is distinguishable from traditional outsourcing in:
A. two ways
B. three ways
C. four ways
D. more than four ways
B. three ways
22. Cloud computing is distinguishable from traditional outsourcing in all of the following ways, EXCEPT:
A. time of service
B. anonymity of location(s) of servers
C. anonymity of clients/users
D. anonymity of service provider’s identity
C. anonymity of clients/users
23. International legislative and administrative compliance requirements have led to increased collaboration between:
A. lawyers and policy makers
B. technology professionals and lawyers
C. service providers and clients/users
D. end users and technology professionals
B. technology professionals and lawyers
24. Which of the following is NOT a legal recommendation for cloud computing?
A. Data in the custody of service providers is under an indirect guardianship than when it is in the hands of its original owner.
B. Components of duty of care of a client include: pre-contract due diligence, contract term negotiation and post-contract monitoring.
C. Expected as well as unexpected terminations of the relationship between client and service provider ought to be planned for.
D. Service providers should ensure that their information systems can preserve data as authentic and reliable.
A. Data in the custody of service providers is under an indirect guardianship than when it is in the hands of its original owner.