Domain 2 - Governance and Enterprise Risk Management Flashcards
What 4 areas of governance and risk management are impacted by cloud computing?
- Governance
- Enterprise Risk Management
- Information Risk Management
- Information Security
What is Governance?
Governance includes the policy, process, and internal controls that comprise how an organization is run. Everything from the structures and policies to the leadership and other mechanisms for management.
What is Enterprise Risk Management?
Enterprise risk management includes managing overall risk for the organization, aligned to the organization’s governance and risk tolerance. Enterprise risk management includes all areas of risk, not merely those concerned with technology.
What is Information risk management?
Information risk management covers managing the risk to information, including information technology. Organizations face all sorts of risks, from financial to physical, and information is only one of multiple assets an organization needs to manage.
What is information Security?
Information security is the tools and practices to manage risk to information. Information security isn’t the be-all and end-all of managing information risks; policies, contracts, insurance, and other mechanisms also play a role (including physical security for non-digital information). However, a—if not the—primary role of information security is to provide the processes and controls to protect electronic information and the systems we use to access it.
Put the following in order of hierarchy.
ERM, IRM, InfoSec, Governance
- Governance is at the top.
- then Enterprise Risk Management
- then Information risk management
- Information security
What is the primary thing to remember when governing cloud computing?
The primary issue to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers. This is always true, cloud or not, but is useful to keep in mind when navigating cloud computing’s concepts of shared responsibility models.
If it’s not in the contract what is the concern?
If the area of concern isn’t in the contract, there are no mechanisms available to enforce, and there is a governance gap.
Remember: Contracts define the relationship between providers and customers and are the primary tool for customers to extend governance to their suppliers.
What are 3 tools of cloud governance?
- contracts
- Supplier (cloud provider) Assessments
- Compliance Reporting
What is a Supplier (Cloud Provider ) Assessment?
These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research. They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.
What is Compliance Reporting?
Compliance reporting includes all the documentation on a provider's internal (i.e. self) and external compliance assessments. They are the reports from audits of controls, which an organization can perform themselves, a customer can perform on a provider (although this usually isn't an option in cloud), or have performed by a trusted third party. Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party).
What is critical to consider in reviewing assessments and audits?
Scope.
It's critical to understand the scope, not just the standard used. Standards like the SSAE 16 have a defined scope, which includes both what is assessed (e.g. which of the provider's services) as well as which controls are assessed. A provider can thus "pass" an audit that doesn't include any security controls, which isn't overly useful for security and risk managers. Also consider the transitive trust required to treat a third-party assessment as equivalent to the activities that you might undertake when doing your own assessment. Not all audit firms (or auditors) are created equal, and the experience, history, and qualifications of the firm should be included in your governance decisions.
What is the STAR Registry?
The Cloud Security Alliance STAR Registry is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. Some providers also disclose documentation for additional certifications and assessments (including self-assessments).
What is Risk Management in the cloud based upon?
Risk management in cloud is based on the shared responsibilities model (which we most often discuss in reference to security). The cloud provider accepts some responsibility for certain risks, and the cloud customer is responsible for anything beyond that. This is especially evident as you evaluate differences between the service models, where the provider manages more risks in SaaS and the consumer more in IaaS.
Who is ultimately responsible for ownership of the risks?
The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the cloud provider. This holds true even with a self-hosted private cloud; in those situations an organizational unit is passing on some of their risk management to the internal cloud provider instead of an external party, and internal SLAs and procedures replace external contracts.