Domain 5: Information Governance Flashcards
Which of the following is not one of the typical governance domains related to cloud computing?
A. information classification
B. pre-emptive litigation policies
C. information management policies
D. location and jurisdiction policies
Answer: B
All the other responses are typical governance domains affected by cloud computing. See page 62 of the CSA Cloud Security Guidance v4.
Which of the following is not one of the typical governance domains related to cloud computing?
A. authorizations
B. ownership
C. fealty
D. privacy
Answer: C
All the other responses are typical governance domains affected by cloud computing. See page 62 of the CSA Cloud Security Guidance v4.
Which of the following is not one of the typical governance domains related to cloud computing?
A. contractual controls
B. privacy
C. security controls
D. ambiguity
Answer: D
All the other responses are typical governance domains affected by cloud computing. See page 62 of the CSA Cloud Security Guidance v4.
Put the Phases of the Data Security Lifecycle in the proper order.
A. Share
B. Destroy
C. Create
D. Use
E. Archive
F. Store
Answer: C, F, D, A, E, B
See page 63 of the CSA Cloud Security Guidance v4.
Which of the following is not considered a typical Function in the Data Security Lifecycle?
A. read
B. write
C. process
D. store
Answer: B
“Write” would be considered an aspect of “process.” See page 65 of the CSA Cloud Security Guidance v4.
Who is typically responsible for applying the proper security controls in the Create phase of the Data Security Lifecycle?
A. the data subject
B. regulators
C. the data owner
D. the data processor
Answer: C
Typically, the data owner will be the entity creating/collecting the original dataset, and will therefore be in charge of assigning security controls. See page 63 of the CSA Cloud Security Guidance v4.
The subject, regulators, and processor are typically not responsible for the Create phase.
Which Phase of the Data Security Lifecycle occurs nearly simultaneously with the Create phase?
A. Share
B. Use
C. Store
D. Archive
Answer: C
The Store phase occurs as soon as data is entered in electronic format; for the majority of data created today, this will be the moment the data is collected or created, which is the Create phase. The other phases may occur later, or may not occur at all. See page 63 of the CSA Cloud Security Guidance v4.
The action of cryptoshredding probably takes place in the __________ phase of the Data Security Lifecycle.
A. Create
B. Share
C. Archive
D. Destroy
Answer: D
Cryptoshredding is the practice of using encryption to securely sanitize a data space; this would be at the end of the Lifecycle, in the Destroy phase. See page 63 of the CSA Cloud Security Guidance v4.
Backups may be considered part of the __________ phase of the Data Security Lifecycle.
A. Create
B. Use
C. Archive
D. Destroy
Answer: C
In the Archive phase, data is removed from the production environment but still kept in storage. This is an excellent description of backups. See page 63 of the CSA Cloud Security Guidance v4.
In order to extend organizational governance into the cloud, it is advised to use __________ and __________ controls. [select two]
A. physical
B. notional
C. reprisal
D. contractual
E. security
F. voluntary
G. expensive
Answer: D, E
The customer’s interests may be protected through favorable contract terms or through the use of the customer’s own security controls. See page 66 of the CSA Cloud Security Guidance v4.
The customer will not typically be allowed to implement physical security controls in the cloud environment. Notional or voluntary controls would not be effective. “Reprisal controls” is not a common industry term and is only used here as a distractor. Controls do not need to be expensive to be effective.
Before migrating to a cloud environment, the customer may have to __________.
A. update organizational policy to allow third-party management of data
B. secure funding from a lending institution
C. open the decision to a mandatory public comment period
D. request a cloud license from ICANN (Internet Corporation for Assigned Names and Numbers)
Answer: A
There is a significant likelihood that an organization that previously only maintained data in a traditional environment does not already have proper governance/policy for the involvement of third parties. Because cloud computing requires third-party management of data, the organization will have to modify existing governance/policy to reflect the change. See page 66 of the CSA Cloud Security Guidance v4.
Cloud migration does not typically require significant initial investment, so securing additional funding is not usually a pre-migration activity. Most organizations do not require public permission for operational business decisions. ICANN does not offer “cloud licenses.”
Which of the following can be used to model data handling and controls?
A. the CSA Cloud Controls Matrix (CCM)
B. the Data Security Lifecycle
C. the CSA Consensus Assessments Initiative Questionnaire (CAIQ)
D. NIST (National Institute of Standards and Technology) Special Publication 800-37
Answer: B
This is the intended purpose of the Data Security Lifecycle. See page 66 of the CSA Cloud Security Guidance v4.
The CCM is used to verify security compliance across multiple standards/regulations. The CAIQ is used to report/assess whether a given environment’s controls satisfy requirements. NIST SP 800-37 is the Risk Management Framework (RMF).
Which of the following is not considered an “actor,” according to the CSA Cloud Security Guidance v4?
A. a person
B. a device
C. a system/process
D. an application
Answer: B
According to the CSA Cloud Security Guidance v4 (page 65), a device is not considered an actor.
An email may be considered part of the __________ phase of the Data Security Lifecycle.
A. Create
B. Store
C. Share
D. Use
Answer: C
Data transmitted from one user to another is considered an aspect of the Share phase. See page 63 of the CSA Cloud Security Guidance v4.
Which of the following is true about the Data Security Lifecycle?
A. It is mandated for all cloud providers by the International Organization for Standardization (ISO)
B. Not all data goes through all phases
C. US federal government agencies are required to use it, according to NIST regulations
D. It is strictly a contractual agreement
Answer: B
The Data Security Lifecycle is not strictly applicable to every process in every organization; it is a tool that may be useful for modeling data handling and security controls. See page 63 of the CSA Cloud Security Guidance v4.