Domain 2: Governance and Enterprise Risk Management Flashcards

1
Q

In a hierarchy of organizational priority, which of the following is the least influential?
A. governance
B. enterprise risk management
C. information risk management
D. information security

A

Answer: D
See page 28 of the Cloud Security Alliance (CSA) Security Guidance v4.

2
Q

Which of the following is impossible to outsource?
A. information technology management
B. responsibility for governance
C. financial management
D. audit review

A

Answer: B
Every organization is responsible for its own governance. See page 28 of the Cloud Security Alliance (CSA) Security Guidance v4.
Organizations can, and often do, outsource the business functions listed in the other answers.

3
Q

Cloud providers try to manage costs and enable capabilities by __________.
A. leveraging economies of scale
B. arbitrating contract breaches
C. facilitating customer service
D. enhancing public perception

A

Answer: A
According to the Cloud Security Alliance (CSA) Security Guidance v4 (page 28), cloud providers try to leverage economies of scale for these purposes.
The other answers may, in fact, be things that cloud providers also do, but A is the correct answer according to the Guidance.

4
Q

Two ways a cloud customer can address governance gaps in the contract include __________ and __________ [select two].
A. refuse service
B. adjust internal processes
C. accept risks
D. appeal to regulators

A

Answer: B and C
See page 29 of the Cloud Security Alliance (CSA) Security Guidance v4.

5
Q

What is the customer’s only guarantee of any level of service or commitment from the provider?
A. due diligence
B. the contract
C. regulatory supervision
D. physical force

A

Answer: B
According to the Cloud Security Alliance (CSA) Security Guidance v4 (page 29), the contract is the only guarantee of service and commitment (aside from legal action).

6
Q

When reviewing external assessments and audits of a potential cloud provider, it is critical that the customer understands the __________.
A. current rate of inflation
B. type of hypervisor currently in use at the cloud data center
C. competitive market
D. scope of the assessment/audit

A

Answer: D
The customer should know what the assessment/audit actually reviewed, not just which standard was used as the basis for the review. See page 30 of the Cloud Security Alliance (CSA) Security Guidance v4.
The inflation rate is a measure of the soundness of a particular currency, and doesn’t really have anything to do with audits of cloud providers. The type of hypervisor the provider uses isn’t particularly pertinent, as long as the assessment/audit determined whether the appropriate controls were used to secure it (and that those controls are functioning properly). Knowledge of the market isn’t critical when reviewing an assessment/audit.

7
Q

Which of the following is not typically considered when determining whether a particular auditor/audit firm is trustworthy?
A. past performance
B. number of auditors involved
C. accreditation/credentials/certification
D. reputation

A

Answer: B
The size of the audit effort (or audit provider) is not typically indicative of whether the audit is meaningful and trustworthy.
All the other answers are, in fact, reasons to trust a particular auditor/firm. See page 30 of the Cloud Security Alliance (CSA) Security Guidance v4.

8
Q

Which of the following is an assurance program for cloud customers to review assessments of various cloud providers?
A. the CSA Cloud Controls Matrix (CCM)
B. the CSA Security, Trust, and Risk (STAR) Registry
C. the CSA Consensus Assessments Initiative Questionnaire (CAIQ)
D. the CSA Oblique Inference Program (OIP)

A

Answer: B
The CSA Security, Trust, and Risk program registry is a centralized collection of cloud provider assessments. (See page 30 of the Cloud Security Alliance (CSA) Security Guidance v4.)
The CCM and CAIQ are assessment tools used by providers to create content for the STAR Registry. There is no OIP, which I made up.

9
Q

Which of the following best describes the way risk is managed in the cloud?
A. the Bell-LaPadula Model
B. covert channel
C. the shared responsibilities model
D. total outsource of risk management

A

Answer: C
Risk management in the cloud is often described as a shared responsibilities model; the provider is responsible for managing certain risks, while the customer is responsible for others. (See page 30 of the Cloud Security Alliance (CSA) Security Guidance v4.)
The Bell-LaPadula model is an access control model. A covert channel is an attack method for observing target activity. Risk management cannot be totally outsourced.

10
Q

Enterprise risk management in the cloud often depends on __________ and __________ [select two].
A. documentation
B. financial equity
C. public interest
D. good contracts
E. physical distance

A

Answer: A and D
The Cloud Security Alliance (CSA) Security Guidance v4 (page 30) specifically notes that good contracts and documentation (from the provider) are essential to enterprise risk management in the cloud.
Neither an equity stake, public interest, nor the physical distance between the parties significantly affects risk management.

11
Q

Who determines the amount of risk tolerance an organization should have?
A. regulators
B. senior management
C. cloud providers
D. government officials

A

Answer: B
Senior management of each organization will determine the risk tolerance (also referred to as “risk appetite” or “risk threshold”) of a particular organization. (See page 31 of the Cloud Security Alliance (CSA) Security Guidance v4.)

12
Q

Which common cloud service model typically requires a well-negotiated contract between the provider and customer?
A. IaaS
B. PaaS
C. SaaS
D. BaaS

A

Answer: C
According to the Cloud Security Alliance (CSA) Security Guidance v4 (page 31), SaaS demonstrates the most critical need for a negotiated contract.
IaaS and PaaS models also require contracts, but those models allow the customer some control of the environment. “BaaS” is not a typical cloud computing model (as defined by NIST/ISO).

13
Q

SaaS providers are typically either __________ or __________ companies.
A. very large or very small
B. domestic or foreign
C. technological or administrative
D. inflated or conflated

A

Answer: A
According to the Cloud Security Alliance (CSA) Security Guidance v4 (page 31), SaaS providers usually are located at each end of the size spectrum.
“Domestic or foreign” literally includes every company on the planet. “Technological or administrative” describes two of the three common types of security controls. “Inflated or conflated” are meaningless words in this context.

14
Q

Which common cloud service model is the nearest approximation of a traditional data center?
A. IaaS
B. PaaS
C. SaaS
D. QaaS

A

Answer: A
According to the Cloud Security Alliance (CSA) Security Guidance v4 (page 32), IaaS is the closest approximation of a traditional data center.
QaaS is not a typical service model type, according to the NIST/ISO definition of cloud computing.

15
Q

What causes the inflexibility of contracts in the public cloud deployment model?
A. hypervisors
B. regulators
C. inversion
D. multitenancy

A

Answer: D
Because the public cloud serves many different customers, it would be unrealistic for cloud providers to offer unique contracts for every customer (see page 32 of the Cloud Security Alliance (CSA) Security Guidance v4).
Hypervisors and regulators have little to no bearing on whether customers can negotiate cloud contracts. “Inversion” is a meaningless term in this context.

16
Q

When using a hybrid cloud model, the customer must ensure that the __________ spans both environments.
A. physical network
B. interface mesh
C. observance criteria
D. governance

A

Answer: D
Governance for an IT enterprise that extends over multiple environments must cover each environment. See page 33 of the Cloud Security Alliance (CSA) Security Guidance v4.
The physical network, by definition, will not extend into the cloud. The other terms are meaningless in this context.

17
Q

Which of the following is a significant factor of enterprise risk in a public cloud environment?
A. elevated exposure to intellectual property
B. regulators inspect cloud resources faster
C. less physical access to infrastructure
D. increased electrical power usage

A

Answer: C
Cloud customers will have less physical access to the IT environment in a public cloud deployment; this reduces risk management options. See page 33 of the Cloud Security Alliance (CSA) Security Guidance v4.
Cloud usage does not affect how much intellectual property an organization deals with. Regulators are not especially hindered or aided in their efforts whether they are reviewing a cloud-based or on-prem environment. Typically, cloud deployments use less electricity, in aggregate, than the sum total of all cloud users would (if those users were instead using traditional IT environments).

18
Q

Cloud providers are constantly updating and upgrading the technology and processes in their data centers, in order to enhance product delivery, customer needs, and profitability. This affects customers’ enterprise risk management, because it will require __________.
A. joint approval of all actions
B. increased customer engagement to ensure adherence to contracts (beyond the initial contract signing)
C. additional use of contract staff
D. more personal devices used to interact with the cloud environment

A

Answer: B
According to page 33 of the Cloud Security Alliance (CSA) Security Guidance v4, technological and process evolution in cloud data centers requires additional customer focus on contract and relationship management.
Cloud providers will evolve data centers without customer input, so A is incorrect. Cloud customers may use employees or contractors regardless of the composition of cloud data centers, so C is incorrect. Cloud users may or may not use personal devices; this is not affected by the technology inside the data center; D is incorrect.

19
Q

Which of the following is true about enterprise risk management in the cloud?
A. customers can transfer privacy risk to providers
B. customers can transfer risk management to providers
C. providers can transfer privacy risk to customers
D. providers can accept risk on behalf of customers

A

Answer: B
See pages 33-34 of the Cloud Security Alliance (CSA) Security Guidance v4. The cloud provider may manage some risks for the cloud customer.
The risk itself cannot be outsourced, nor can the responsibility for managing the risk; this is true for risks due to privacy or any other source. A is incorrect. Providers should not transfer risk to customers, nor accept risk on customers’ behalf; C and D are incorrect.

20
Q

Which of the following is not an option for managing risk?
A. avoid
B. articulate
C. transfer
D. accept

A

Answer: B
Articulation is not a typical method for handling risk; the word is not related to any meaningful activity in our industry, and is only a distractor in this question.
Risk avoidance, transfer, and acceptance are all common industry practices for managing risk. See page 34 of the Cloud Security Alliance (CSA) Security Guidance v4. It is worth noting that there is a typo in the Guidance here: the word “tenant” is used instead of “tenet.” This can be confusing, because we typically talk about the cloud as a “multitenant environment,” where a tenant is a customer. But the word should be “tenet” in this usage, which means “fundamental premise.”

21
Q

Put the supplier assessment process in the correct order.
A. Review their security program and documentation.
B. Request or acquire documentation.
C. Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider and yourself.
D. Separately evaluate the overall provider, such as finances/stability, reputation, and outsourcers.
E. Evaluate the contracted service in the context of your information assets.

A

Answer: B, A, C, E, D
See page 34 of the Cloud Security Alliance (CSA) Security Guidance v4.

22
Q

Which mechanism is most often used to transfer risk?
A. regulation
B. governance
C. insurance
D. postulation

A

Answer: C
Insurance is a form of risk transfer. See page 35 of the Cloud Security Alliance (CSA) Security Guidance v4.
Regulation often increases risk. Governance describes how an organization will manage risk. Postulation has no meaning in this context.

23
Q

Which of the following is not a best practice for cloud customers?
A. periodically review supplier assessments/audits to ensure they are up to date
B. don’t assume that multiple services offered by a provider all meet the same standard
C. automate reviews whenever possible
D. renegotiate contracts after every review

A

Answer: D
The CSA does not suggest that customers renegotiate contract terms after each supplier review, but all the other options are recommended as good practices. (See page 34 of the Cloud Security Alliance (CSA) Security Guidance v4.)

24
Q

After controls are applied to a particular risk, the remaining risk is called “_______ risk.”
A. inflammatory
B. inherent
C. transferred
D. residual

A

Answer: D
The risk that remains after controls have been applied is residual risk. Inherent risk is the risk that exists before any controls are applied; transferred risk is risk that has been shifted to another party (for instance, through insurance, as in the question on risk transfer); "inflammatory" has no meaning in this context and is only a distractor.

25
Q

Which of the following is untrue/incorrect about cloud service contracts?
A. the customer should review contracts before entering agreements with cloud providers
B. if the customer is not allowed to negotiate contract terms (for instance, with a major public cloud provider), the customer should not use that provider
C. even if the customer cannot negotiate contract terms (for instance, with a major provider of public cloud services), that provider might still be useful, and the customer might still use that provider
D. customers can use additional controls (such as encryption or monitoring) to address specific risks

A

Answer: B
Some contracts cannot be negotiated, and are offered without possibility of modification (such as many Terms Of Service for online providers); this should not disqualify those providers as potentially useful. See page 34 of the Cloud Security Alliance (CSA) Security Guidance v4.
All the other options are true/correct, according to the Guidance.