Domain 2 - Governance and Enterprise Risk Management Flashcards

1
Q

For security professionals, cloud computing impacts four areas of governance and risk management. What are these?

A
  • Governance
  • Enterprise Risk Management
  • Information Risk Management
  • Information Security
2
Q

This includes the policy, process, and internal controls that comprise how an organization is run, covering everything from the structures and policies to the leadership and other mechanisms for management.

A

Governance

3
Q

This includes managing overall risk for the organization, aligned to the organization's governance and risk tolerance. It covers all areas of risk, not merely those concerned with technology.

A

Enterprise Risk Management

4
Q

This covers managing the risk to information, including information
technology. Organizations face all sorts of risks, from financial to physical, and information is
only one of multiple assets an organization needs to manage.

A

Information Risk Management

5
Q

The tools and practices used to manage risk to information. It isn't the be-all and end-all of managing information risks; policies, contracts, insurance, and other mechanisms also play a role (including physical security for non-digital information). However, a primary role, if not the primary role, of this discipline is to provide the processes and controls to protect electronic information and the systems we use to access it.

A

Information Security

6
Q

True or False - The primary issue to remember when governing cloud computing is that an organization can never outsource responsibility for governance, even when using external providers.

A

True

7
Q

Cloud computing changes the responsibilities and mechanisms for implementing and managing governance. As with any business relationship, the responsibilities and mechanisms for governance are defined in the _____. This is the primary tool of governance between a cloud provider and a cloud customer: it is your only guarantee of any level of service or commitment, and it is how governance is extended into business partners and providers.

A

Contracts

8
Q

What are the three tools of cloud governance?

A
  • Contracts
  • Supplier (cloud provider) assessments
  • Compliance reporting
9
Q

These assessments are performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research. They can include aspects such as financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.

A

Supplier Assessment

10
Q

This includes all the documentation on a provider's internal (i.e. self-) and external compliance assessments. These are the reports from audits of controls, which an organization can perform on itself, a customer can perform on a provider (although this usually isn't an option in cloud), or a trusted third party can perform. Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party).

A

Compliance Reporting

11
Q

An assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ). Some providers also disclose documentation for additional certifications and assessments (including self-assessments).

A

Cloud Security Alliance STAR Registry

12
Q

_______ is the overall management of risk for an organization. As with
governance, the contract defines the roles and responsibilities for risk management between a
cloud provider and a cloud customer. And, as with governance, you can never outsource your
overall responsibility and accountability for risk management to an external provider.

A

Enterprise Risk Management (ERM)

13
Q

This refers to the arrangement in which the cloud provider accepts responsibility for certain risks and the cloud customer is responsible for everything beyond that.

A

Shared Responsibilities Model

14
Q

True or False - The cloud user is ultimately responsible for ownership of the risks; they only pass on some of the risk management to the cloud provider.

A

True

15
Q

True or False - ERM relies on good contracts and documentation to know where the division of responsibilities and
potential for untreated risk lie.

A

True

16
Q

_______ is the amount of risk that the leadership and stakeholders of an organization are willing to accept.

A

Risk tolerance

17
Q

In the majority of cases, this service model presents the most critical example of the need for a negotiated contract.

A

SaaS

18
Q

True/False: In the public deployment model, cloud customers have a reduced ability to govern operations since the provider is responsible for the management and governance of its infrastructure, employees, and everything else. Customers also often have a reduced ability to negotiate contracts, which impacts how they extend their governance model into the cloud.

A

True

19
Q

True/False: Inflexible contracts are a natural property of multi-tenancy.

A

True

20
Q

True/False: In a private cloud deployment, although you will likely have more control over contractual terms, it's still important to ensure they cover the needed governance mechanisms. The private cloud provider may only offer exactly what is in the contract, with everything else at extra cost. This must be considered and accounted for in negotiations, with clauses to guarantee that the platform itself remains up to date and competitive.

A

True

21
Q

True/False: Since community clouds are a shared platform with multiple organizations, but are not public,
governance extends to the relationships with those members of the community, not just the
provider and the customer.

A

True

22
Q

What are the risk management tools or processes that help form the foundation of managing risk in the cloud?

A

(Supplier Assessment)
  • Request or acquire documentation.
  • Review their security program and documentation.
  • Review any legal, regulatory, contractual, and jurisdictional requirements for both the provider
    and yourself. (See Domain 3: Legal for more.)
  • Evaluate the contracted service in the context of your information assets.
  • Separately evaluate the overall provider, such as finances/stability, reputation, and outsourcers.

(Periodically review audits)
  • Don't assume all services from a particular provider meet the same audit/assessment
    standards. They can vary.
  • Periodic assessments should be scheduled and automated if possible.

23
Q

_____ sets the groundwork for the cloud risk management program

A

Supplier Assessment