Domain 2 - Governance and Enterprise Risk Management Flashcards

1
Q

What 4 areas of governance and risk management are impacted by cloud computing?

A
  1. Governance
  2. Enterprise Risk Management
  3. Information Risk Management
  4. Information Security
2
Q

What is Governance?

A

Governance includes the policy, process, and internal controls that comprise how an organization is run. Everything from the structures and policies to the leadership and other mechanisms for management.

3
Q

What is Enterprise Risk Management?

A

Enterprise risk management includes managing overall risk for the organization, aligned to the organization’s governance and risk tolerance. Enterprise risk management includes all areas of risk, not merely those concerned with technology.

4
Q

What is Information risk management?

A

Information risk management covers managing the risk to information, including information technology. Organizations face all sorts of risks, from financial to physical, and information is only one of multiple assets an organization needs to manage.

5
Q

What is information Security?

A

Information security is the tools and practices to manage risk to information. Information security isn’t the be-all and end-all of managing information risks; policies, contracts, insurance, and other mechanisms also play a role (including physical security for non-digital information). However, a—if not the—primary role of information security is to provide the processes and controls to protect electronic information and the systems we use to access it.

6
Q

Put the following in order of hierarchy.

ERM, IRM, InfoSec, Governance

A
  1. Governance is at the top.
  2. then Enterprise Risk Management
  3. then Information risk management
  4. Information security
7
Q

What is the primary thing to remember when governing cloud computing?

A

The primary issue to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers. This is always true, cloud or not, but is useful to keep in mind when navigating cloud computing’s concepts of shared responsibility models.

8
Q

If it’s not in the contract what is the concern?

A

If the area of concern isn’t in the contract, there are no mechanisms available to enforce it, and there is a governance gap.

Remember: Contracts define the relationship between providers and customers and are the primary tool for customers to extend governance to their suppliers.

9
Q

What are 3 tools of cloud governance?

A
  1. contracts
  2. Supplier (cloud provider) Assessments
  3. Compliance Reporting
10
Q

What is a Supplier (Cloud Provider ) Assessment?

A

These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research. They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.

11
Q

What is Compliance Reporting?

A

Compliance reporting includes all the documentation on a provider’s internal (i.e. self) and external compliance assessments. They are the reports from audits of controls, which an organization can perform itself, a customer can perform on a provider (although this usually isn’t an option in cloud), or have performed by a trusted third party. Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party).

12
Q

What is critical to consider in reviewing assessments and audits?

A

Scope.

It’s critical to understand the scope, not just the standard used. Standards like SSAE 16 (since superseded by SSAE 18, which scopes SOC reports the same way) have a defined scope, which includes both what is assessed (e.g. which of the provider’s services) as well as which controls are assessed. A provider can thus “pass” an audit that doesn’t include any security controls, which isn’t overly useful for security and risk managers. Also consider the transitive trust required to treat a third-party assessment as equivalent to the activities that you might undertake when doing your own assessment. Not all audit firms (or auditors) are created equal, and the experience, history, and qualifications of the firm should be included in your governance decisions.

13
Q

What is the STAR Registry?

A

The Cloud Security Alliance STAR Registry is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. Some providers also disclose documentation for additional certifications and assessments (including self-assessments).

14
Q

What is Risk Management in the cloud based upon?

A

Risk management in cloud is based on the shared responsibilities model (which we most often discuss in reference to security). The cloud provider accepts some responsibility for certain risks, and the cloud customer is responsible for anything beyond that. This is especially evident as you evaluate differences between the service models, where the provider manages more risks in SaaS and the consumer more in IaaS.

15
Q

Who is ultimately responsible for ownership of the risks?

A

The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the cloud provider. This holds true even with a self-hosted private cloud; in those situations an organizational unit is passing on some of their risk management to the internal cloud provider instead of an external party, and internal SLAs and procedures replace external contracts.

16
Q

How do you know where the division of responsibilities and untreated risk lie?

A

ERM relies on good contracts and documentation to know where the division of responsibilities and potential for untreated risk lie.

17
Q

What is risk tolerance?

A

Risk tolerance is the amount of risk that the leadership and stakeholders of an organization are willing to accept

18
Q

Which cloud service model relies most on a contract to manage risk?

A

SaaS

19
Q

What components of IaaS are most often overlooked in terms of risk?

A

The underlying orchestration and management layers.

20
Q

Are contracts more flexible in public or private clouds?

A

They are more flexible in private clouds. Public cloud providers have to account for multitenancy, which restricts how flexible they can be.

21
Q

What is self-hosted private cloud governance typically focused on?

A

Internal SLA agreements.

22
Q

What are some advantages and disadvantages of cloud deployments in terms of risk?

A

• There is less physical control over assets and their controls and processes. You don’t physically control the infrastructure or the provider’s internal processes.
• There is a greater reliance on contracts, audits, and assessments, as you lack day-to-day visibility or management.
• This creates an increased requirement for proactive management of relationship and adherence to contracts, which extends beyond the initial contract signing and audits. Cloud providers also constantly evolve their products and services to remain competitive and these ongoing innovations might exceed, strain, or not be covered by existing agreements and assessments.
• Cloud customers have a reduced need (and associated reduction in costs) to manage risks that the cloud provider accepts under the shared responsibility model. You haven’t outsourced accountability for managing the risk, but you can certainly outsource the management of some risks.

23
Q

Describe the supplier assessment process

A

The supplier assessment sets the groundwork for the cloud risk management program:
• Request or acquire documentation.
• Review their security program and documentation.
• Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider and yourself. (See Domain 3: Legal for more.)
• Evaluate the contracted service in the context of your information assets.
• Separately evaluate the overall provider, such as finances/stability, reputation, and outsourcers