DOMAIN 2 - TOOLS OF CLOUD GOVERNANCE Flashcards
The primary tool to extend governance into business partners and providers.
Contracts
performed by the potential cloud customer using available information and allowed processes/techniques. They combine contractual and manual research with third-party attestations (legal statements often used to communicate the results of an assessment or audit) and technical research. They are very similar to any supplier assessment and can include aspects like financial viability, history, feature offerings, third-party attestations, feedback from peers, and so on.
Supplier (cloud provider) Assessments
includes all the documentation on a provider’s internal (i.e. self) and external compliance assessments. They are the reports from audits of controls, which an organization can perform themselves, a customer can perform on a provider (although this usually isn’t an option in cloud), or have performed by a trusted third party. Third-party audits and assessments are preferred since they provide independent validation (assuming you trust the third party).
Compliance reporting
Standards like the _________ have a defined scope, which includes both what is assessed (e.g. which of the provider’s services) as well as which controls are assessed.
SSAE 16
an assurance program and documentation registry for cloud provider assessments based on the CSA Cloud Controls Matrix and Consensus
CLOUD SECURITY ALLIANCE STAR REGISTRY