Domain 5: Information Governance

Question 1

Which of the following is not one of the typical governance domains related to cloud computing?
A. information classification
B. pre-emptive litigation policies
C. information management policies
D. location and jurisdiction policies

Answer 1

Answer: B
All the other responses are typical governance domains affected by cloud computing. See page 62 of the CSA Cloud Security Guidance v4.

Question 2

Which of the following is not one of the typical governance domains related to cloud computing?
A. authorizations
B. ownership
C. fealty
D. privacy

Answer 2

Answer: C
All the other responses are typical governance domains affected by cloud computing. See page 62 of the CSA Cloud Security Guidance v4.

Question 3

Which of the following is not one of the typical governance domains related to cloud computing?
A. contractual controls
B. privacy
C. security controls
D. ambiguity

Answer 3

Answer: D
All the other responses are typical governance domains affected by cloud computing. See page 62 of the CSA Cloud Security Guidance v4.

Question 4

Put the Phases of the Data Security Lifecycle in the proper order.
A. Share
B. Destroy
C. Create
D. Use
E. Archive
F. Store

Answer 4

Answer: C, F, D, A, E, B
See page 63 of the CSA Cloud Security Guidance v4.

Question 5

Which of the following is not considered a typical Function in the Data Security Lifecycle?
A. read
B. write
C. process
D. store

Answer 5

Answer: B
“Write” would be considered an aspect of “process.” See page 65 of the CSA Cloud Security Guidance v4.

Question 6

Who is typically responsible for applying the proper security controls in the Create phase of the Data Security Lifecycle?
A. the data subject
B. regulators
C. the data owner
D. the data processor

Answer 6

Answer: C
Typically, the data owner will be the entity creating/collecting the original dataset, and will therefore be in charge of assigning security controls. See page 63 of the CSA Cloud Security Guidance v4.
The subject, regulators, and processor are typically not responsible for the Create phase.

Question 7

Which Phase of the Data Security Lifecycle occurs nearly simultaneously with the Create phase?
A. Share
B. Use
C. Store
D. Archive

Answer 7

Answer: C
The Store phase occurs as soon as data is entered in electronic format; for the majority of data created today, this will be the moment the data is collected or created, which is the Create phase. The other phases may occur later, or may not occur at all. See page 63 of the CSA Cloud Security Guidance v4.

Question 8

The action of cryptoshredding probably takes place in the __________ phase of the Data Security Lifecycle.
A. Create
B. Share
C. Archive
D. Destroy

Answer 8

Answer: D
Cryptoshredding is the practice of using encryption to securely sanitize a data space; this would be at the end of the Lifecycle, in the Destroy phase. See page 63 of the CSA Cloud Security Guidance v4.

Question 9

Backups may be considered part of the __________ phase of the Data Security Lifecycle.
A. Create
B. Use
C. Archive
D. Destroy

Answer 9

Answer: C
In the Archive phase, data is removed from the production environment but still kept in storage. This is an excellent description of backups. See page 63 of the CSA Cloud Security Guidance v4.

Question 10

In order to extend organizational governance into the cloud, it is advised to use __________ and __________ controls. [select two]
A. physical
B. notional
C. reprisal
D. contractual
E. security
F. voluntary
G. expensive

Answer 10

Answer: D, E
The customer’s interests may be protected through favorable contract terms or through the use of the customer’s own security controls. See page 66 of the CSA Cloud Security Guidance v4.
The customer will not typically be allowed to implement physical security controls in the cloud environment. Notional or voluntary controls would not be effective. “Reprisal controls” are not a common industry term, and is only used here as a distractor. Controls do not need to be expensive to be effective.

Question 11

Before migrating to a cloud environment, the customer may have to __________.
A. updating organizational policy to allow third-party management of data
B. secure funding from a lending institution
C. open the decision to a mandatory public comment period
D. request a cloud license from the ICANN (Internet Corporation for Assigned Names and Numbers)

Answer 11

Answer: A
There is a significant likelihood that an organization that previously only maintained data in a traditional environment does not already have proper governance/policy for the involvement of third parties. Because cloud computing requires third-party management of data, the organizational will have to modify existing governance/policy to reflect the change. See page 66 of the CSA Cloud Security Guidance v4.
Cloud migration does not typically require significant initial investment, so securing additional funding is not a usually pre-migration activity. Most organizations do not require public permission for operational business decisions. ICANN does not offer “cloud licenses.”

Question 12

Which of the following can be used to model data handling and controls?
A. the CSA Cloud Controls Matrix (CCM)
B. the Data Security Lifecycle
C. the CSA Consensus Assessments Initiative Questionnaire (CAIQ)
D. NIST (National Institute of Standards and Technology) Special Publication 800-37

Answer 12

Answer: B
This is the intended purpose of the Data Security Lifecycle. See page 66 of the CSA Cloud Security Guidance v4.
The CCM is used to verify security compliance across multiple standards/regulations. The CAIQ is used to report/assess a given environment’s controls satisfy requirements. NIST SP 800-37 is the Risk Management Framework (RMF).

Question 13

Which of the following is not considered an “actor,” according to the CSA Cloud Security Guidance v4?
A. a person
B. a device
C. a system/process
D. an application

Answer 13

Answer: B
According to the CSA Cloud Security Guidance v4 (page 65), a device is not considered an actor.

Question 14

An email may be considered part of the __________ phase of the Data Security Lifecycle.
A. Create
B. Store
C. Share
D. Use

Answer 14

Answer: C
Data transmitted from one user to another is considered an aspect of the Share phase. See page 63 of the CSA Cloud Security Guidance v4.

Question 15

Which of the following is true about the Data Security Lifecycle?
A. It is mandated for all cloud providers by the International Organization for Standardization (ISO
B. Not all data goes through all phases
C. US federal government agencies are required to use it, according to NIST regulations
D. It is strictly a contractual agreement

Answer 15

Answer: B
The Data Security Lifecycle is not strictly applicable to every process in every organization; it is a tool that may be useful for modeling data handling and security controls. See page 63 of the CSA Cloud Security Guidance v4.

Question 16

Which aspect of data governance extends an organization’s requirements to a third party, such as a cloud provider?
A. privacy
B. nonrepudiation
C. contractual controls
D. enhancement

Answer 16

Answer: C
The contract is the means by which an organization can impose governance requirements on external parties, such as the cloud customer/provider relationship. See page 62 of the CSA Cloud Security Guidance v4.

Question 17

Who is the data owner, in a cloud computing relationship?
A. the cloud customer
B. the cloud provider
C. the auditor
D. the data subject

Answer 17

Answer: A
The cloud customer retains ownership of data entrusted to it, even if the data is sent to/processed/stored in the cloud by a cloud provider. See page 62 of the CSA Cloud Security Guidance v4.

Question 18

Which organizational entity is probably most suited for understand jurisdictional compliance requirements?
A. the security office
B. the information technology (IT) department
C. senior management
D. the legal department

Answer 18

Answer: D
Attorneys will be best situated to understand legal implications of the operating in multiple jurisdictions. See page 62 of the CSA Cloud Security Guidance v4.

Question 19

Information governance includes the __________ and __________ used to ensure data is handled in accordance to organizational controls and requirements. [select two]
A. vendors
B. security controls
C. corporate structures
D. licensing fees
E. impartial observers
F. reasonable person

Answer 19

Answer: B and C
See page 60 of the CSA Cloud Security Guidance v4.

Question 20

According to the CSA Cloud Security Guidance v4, what is the definition of information/data governance?
A. applying the highest possible degree of security to an environment
B. ensuring the use of data and information complies with organizational policies, standards and strategy—including regulatory, contractual, and business objectives
C. providing the greatest customer care
D. complying the absolute most regulatory and legal requirements across the greatest number of jurisdictions

Answer 20

Answer: B
This is the definition included on page 60 of the CSA Cloud Security Guidance v4.