Domain 4 - Compliance and Audit Management Flashcards
True/False: Organizations face new challenges as they migrate from traditional data centers to the cloud.
Delivering, measuring, and communicating compliance with a multitude of regulations across
multiple jurisdictions are among the largest of these challenges.
True
_______ validates awareness of and adherence to corporate obligations (e.g., corporate
social responsibility, ethics, applicable laws, regulations, contracts, strategies and policies).
Compliance
_______ are a key tool for proving (or disproving) compliance
Audits
________ is a tool of governance; it is how an organization assesses, remediates, and proves it is meeting these internal and external obligations
Compliance management
True/False: The customer is always ultimately responsible for their own compliance. These responsibilities are defined through contracts, audits/assessments, and the specifics of the applicable compliance requirements.
True
With _________ the cloud provider’s infrastructure is out of scope for a customer’s compliance audit, but everything the customer configures and builds on top of the certified services is still within scope.
compliance inheritance
True/False: Not all features and services within a given cloud provider are necessarily compliant and certified/audited with respect to all regulations and standards. It is incumbent on the cloud provider to communicate
certifications and attestations clearly, and for customers to understand the scopes and limitations.
True
True/False: Audits and assessments are mechanisms to document compliance with internal or external requirements (or identify deficiencies). Reporting needs to include a compliance determination, as well as a list of identified issues, risks, and remediation recommendations.
True
An _______ is a legal statement from a third party, which can be used as their statement of audit findings. It is a key tool when evaluating and working with cloud providers, since the cloud customer does not always get to perform their own assessments.
Attestation
________ includes the management of all activities related to audits and assessments,
such as determining requirements, scope, scheduling, and responsibilities.
Audit management
True/False: Multiple on-premises audits from large numbers of cloud customers present clear logistical and security challenges, especially when the provider relies on shared assets to create the resource pools.
True
True/False: Customers working with such cloud providers (those that cannot accommodate on-premises audits from every customer) will have to rely more on third-party attestations rather than on audits they perform themselves.
True
Refers to the Cloud Security Alliance's central repository where providers publicly release their certifications and attestation documents.
CSA STAR Registry
True/False: It is important to remember that attestations and certifications are point-in-time activities. An attestation is a statement about an assessment covering a defined period of time, and it does not guarantee that the same controls remain in place or effective at any future point.
True
______ are the logs, documentation, and other materials needed for audits and compliance; they are the evidence to support compliance activities. Both providers and customers have responsibilities for producing and managing these.
Artifacts