Reference Models Flashcards
What are the (5) Cloud Reference Model standards?
Reference Models … (5)
- NIST Cloud Computing Reference Architecture
- IBM Cloud Reference Architecture
- ISO/IEC 17789:2014 Reference Architecture
- Open Group Cloud Ecosystem Reference Model
- Microsoft Private Cloud Reference Model
InfoSec IS Mgmt includes (5) CIANA
Confidentiality – Encrypt/hide info for unauthorized access
Integrity – Protect from modification/deletion
Availability – Accessible to authorized users
Non-Repudiation – Can't deny actions
Authentication – Prove identity to access
Security Mgmt means?
___ & ____ for securing Mgmt
Policy & Procedures for securing & managing
Security Mgmt = (3)
_____ Mgmt
Security _________
_____
RISK MGMT
SECURITY Assessmt
Calculated Return on Investmt (ROI)
Finish the equation: RISK = (3)
Risk = ____ X ____ X _____
RISK = Asset x Threat x Vulnerability
What is an example of Threat? (4)
Angry Employee, Hacker, Malware, Rogue Software
What is an example of Vulnerability? (5)
SW bugs, Broken process, Bad Cntl, HW malfunction, Human error
What is example of Risk: (5)
Fin loss, privacy loss, reputation damage, legal penalties, Business disruption
When you hear Security Assessment, you should think of this word?
AUDIT!
How do you address a Security GAP? (3) choices
- (DENY) Cancel Project
- (Allocate) necessary resources to correct sec gaps
- (Accept) RISK
What are (6) Data Sec Standards?
ISO 27001 – (FISMA) Establish, implement, maintain ISMS
ISO 27017 – (Cloud Security) IT Sec/IS Cntl for Cloud customers and providers
ISO 27018 – (PII) Protection in Cloud – How to protect PII (PII – Cloud)
ISO 27036 – (Info Risk of Goods/Svcs – Cloud) Supplier relationships – Overview, Requirements, ICT Supply chain, Sec, Cloud Svcs
NIST 800-144 – (NIST) Guidelines Sec / Privacy in Public Cloud (NIST Sec/Policy – Cloud)
PCI-DSS – (Payment Card Industry) – Data Sec Std – Sec Assessment Procedure / Cloud Guidelines (Paymt card Cloud Stds)
Name the (6) Data Standards: ISO 27001 ISO 27017 ISO 27018 ISO 27036 NIST 800-144 PCI-DSS
ISO 27001 FISMA
ISO 27017 IT Sec / IS Control Cloud Customer/providers
ISO 27018 PII - Cloud
ISO 27036 Supplier relationships in Cloud, Svc, Risk
NIST 800-144 NIST Sec / Policy Cloud
PCI-DSS Paymt card Cloud standards and guidelines
What are the International Data Protections? (3) categories
- EU – US Privacy Shield – protects Europeans' basic rights when data is transferred to US
- USA Patriot Act – US Law
  - FISA Foreign Intelligence Surveillance Act
  - ECPA Electronic Communication Privacy Act
  - Money Laundering Control Act
  - Bank Secrecy Act
  - Immigration National Act
- PRISM surveillance data mining program used by NSA / British Govt
Is Safe Harbor applicable to cloud svc provider agreements?
Yes. Safe Harbor & the Commission's adequacy decision apply to such agreements that involve the transfer of personal data from the EU to organizations established in the US
What is SAFE HARBOR?
EU – US.
European Commission Directive on Data Protection. Oct 1998. Prohibits transfer of personal data to non-European Union countries that don’t meet the (EU) European Union adequacy standard for privacy protection. US & EU share goal. Must join program to participate!