Domain 2 - Governance and Enterprise Risk Management Flashcards
For security professionals, cloud computing impacts four areas of governance and risk management. What are these?
- Governance
- Enterprise Risk Management
- Information Risk Management
- Information Security
This includes the policy, process, and internal controls that comprise how an organization is run: everything from the structures and policies to the leadership and other mechanisms for management.
Governance
This includes managing overall risk for the organization, aligned to the organization’s governance and risk tolerance. Enterprise risk management includes all areas of risk, not merely those concerned with technology.
Enterprise Risk Management
This covers managing the risk to information, including information technology. Organizations face all sorts of risks, from financial to physical, and information is only one of multiple assets an organization needs to manage.
Information Risk Management
The tools and practices used to manage risk to information. It isn’t the be-all and end-all of managing information risks; policies, contracts, insurance, and other mechanisms also play a role (including physical security for non-digital information). However, a—if not the—primary role of information security is to provide the processes and controls to protect electronic information and the systems we use to access it.
Information Security
True or False - The primary issue to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers.
True
Cloud computing changes the responsibilities and mechanisms for implementing and managing governance. Responsibilities and mechanisms for governance are defined in the _____, as with any business relationship. It is also the primary tool of governance between a cloud provider and a cloud customer. It is your only guarantee of any level of service or commitment and is the primary tool to extend governance into business partners and providers.
Contracts
What are the 3 tools of Cloud Governance?
- Contracts
- Supplier (cloud provider) assessments
- Compliance reporting
These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research. They can include aspects such as financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.
Supplier Assessment
This includes all the documentation on a provider’s internal (i.e., self) and external compliance assessments. They are the reports from audits of controls, which an organization can perform themselves, a customer can perform on a provider (although this usually isn’t an option in cloud), or have performed by a trusted third party. Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party).
Compliance Reporting
An assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. Some providers also disclose documentation for additional certifications and assessments (including self-assessments).
Cloud Security Alliance STAR Registry
_______ is the overall management of risk for an organization. As with governance, the contract defines the roles and responsibilities for risk management between a cloud provider and a cloud customer. And, as with governance, you can never outsource your overall responsibility and accountability for risk management to an external provider.
Enterprise Risk Management (ERM)
This refers to the arrangement in which the cloud provider accepts some responsibility for certain risks, and the cloud customer is responsible for anything beyond that.
Shared Responsibilities Model
True or False - The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the cloud provider.
True
True or False - ERM relies on good contracts and documentation to know where the division of responsibilities and potential for untreated risk lie.
True