Domain 2 - Governance and Enterprise Risk Management Flashcards
For security professionals, cloud computing impacts four areas of governance and risk management. What are these?
- Governance
- Enterprise Risk Management
- Information Risk Management
- Information Security
This includes the policy, process, and internal controls that comprise how an organization is run: everything from the structures and policies to the leadership and other mechanisms for management.
Governance
This includes managing overall risk for the organization, aligned to the organization's governance and risk tolerance. Enterprise risk management includes all areas of risk, not merely those concerned with technology.
Enterprise Risk Management
This covers managing the risk to information, including information technology. Organizations face all sorts of risks, from financial to physical, and information is only one of multiple assets an organization needs to manage.
Information Risk Management
These are the tools and practices used to manage risk to information. It isn't the be-all and end-all of managing information risks; policies, contracts, insurance, and other mechanisms also play a role (including physical security for non-digital information). However, a primary role (if not the primary role) of information security is to provide the processes and controls to protect electronic information and the systems we use to access it.
Information Security
True or False - The primary issue to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers.
True
Cloud computing changes the responsibilities and mechanisms for implementing and managing governance. Responsibilities and mechanisms for governance are defined in the _____, as with any business relationship. It is also the primary tool of governance between a cloud provider and a cloud customer. It is your only guarantee of any level of service or commitment and is the primary tool to extend governance into business partners and providers.
Contracts
What are the 3 tools of Cloud Governance?
- Contracts
- Supplier (cloud provider) assessments
- Compliance reporting
These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research. They can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.
Supplier Assessment
This includes all the documentation on a provider's internal (i.e. self) and external compliance assessments. They are the reports from audits of controls, which an organization can perform themselves, a customer can perform on a provider (although this usually isn't an option in cloud), or have performed by a trusted third party. Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party).
Compliance Reporting
This is an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. Some providers also disclose documentation for additional certifications and assessments (including self-assessments).
Cloud Security Alliance STAR Registry
_______ is the overall management of risk for an organization. As with governance, the contract defines the roles and responsibilities for risk management between a cloud provider and a cloud customer. And, as with governance, you can never outsource your overall responsibility and accountability for risk management to an external provider.
Enterprise Risk Management (ERM)
This refers to the model in which the cloud provider accepts some responsibility for certain risks, and the cloud customer is responsible for anything beyond that.
Shared Responsibilities Model
True or False - The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the cloud provider.
True
True or False - ERM relies on good contracts and documentation to know where the division of responsibilities and potential for untreated risk lie.
True
_______ is the amount of risk that the leadership and stakeholders of an organization are willing to accept.
Risk tolerance
In the majority of cases, this service model presents the most critical example of the need for a negotiated contract.
SaaS
True/False: In the public deployment model, cloud customers have a reduced ability to govern operations in a public cloud since the provider is responsible for the management and governance of their infrastructure, employees, and everything else. The customers also often have reduced ability to negotiate contracts, which impacts how they extend their governance model into the cloud.
True
True/False: Inflexible contracts are a natural property of multi-tenancy.
True
True/False: In a private cloud deployment, although you will likely have more control over contractual terms, it's still important to ensure they cover the needed governance mechanisms. The provider may only offer exactly what is in the contract, with everything else at extra cost. This must be considered and accounted for in negotiations, with clauses to guarantee that the platform itself remains up to date and competitive.
True
True/False: Since community clouds are a shared platform with multiple organizations, but are not public, governance extends to the relationships with those members of the community, not just the provider and the customer.
True
What are the risk management tools or processes to help form the foundation of managing risk in the cloud?
(Supplier Assessment)
- Request or acquire documentation.
- Review their security program and documentation.
- Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider and yourself. (See Domain 3: Legal for more.)
- Evaluate the contracted service in the context of your information assets.
- Separately evaluate the overall provider, such as finances/stability, reputation, and outsourcers.
(Periodically review audits)
- Don't assume all services from a particular provider meet the same audit/assessment standards. They can vary.
- Periodic assessments should be scheduled and automated if possible.
_____ sets the groundwork for the cloud risk management program.
Supplier Assessment