Week 12: Security Criteria - Selecting an External Cloud Provider Flashcards

1
Q

Simply stating that a CSP is compliant only amounts to ___

A

self-certification

2
Q

___ are organizational programs whose scope covers every aspect of policy through specific security controls and procedures

A

Information Security Management Systems (ISMS)

3
Q

ISO 27001 identifies several categories of security control objectives

A
Security Policy
Organization of Information Security 
Asset Management 
Human Resources 
Physical and Environmental Security 
Communications and Operations Management 
Access Control 
Systems Development and Maintenance 
Information Security Incident Management 
Business Continuity Management 
Compliance
4
Q

Information Security Management Systems (ISMS) - Security Policy

A

The policy should be consistent with business objectives and meet business requirements, and it should comply with laws and regulations

5
Q

Information Security Management Systems (ISMS) - Organization of Information Security

A

A management framework to implement security, assign security roles, and coordinate implementations across the organization

6
Q

Information Security Management Systems (ISMS) - Asset Management

A

Establishes responsibility for and protects an organization’s assets

7
Q

Information Security Management Systems (ISMS) - Human Resources

A

This includes all aspects of personnel, including contractors and third party users, as well as all phases of employment

8
Q

Information Security Management Systems (ISMS) - Physical and Environmental Security

A

This involves every aspect of ensuring a controlled and protected environment for information facilities and equipment

9
Q

Information Security Management Systems (ISMS) - Communications and Operations Management

A

Defines responsibilities for information processing facilities and establishes procedures for their operation and control

10
Q

Information Security Management Systems (ISMS) - Access Control

A

Controls access to information and ensures that controls meet organizational requirements

11
Q

Information Security Management Systems (ISMS) - Systems Development and Maintenance

A

Identifies security requirements before starting the development process or any other aspect of implementation or acquisition
Verifies that applications and controls operate correctly and are appropriate

12
Q

Information Security Management Systems (ISMS) - Information Security Incident Management

A

Reports security events, incidents, and weaknesses

Establishes formal processes and procedures for managing incidents

13
Q

Information Security Management Systems (ISMS) - Business Continuity Management

A

Establishes and uses a business continuity management process to counteract interruptions and protect critical processes

14
Q

Information Security Management Systems (ISMS) - Compliance

A

Ensures compliance with legal and regulatory requirements

15
Q

Obtaining accreditation is both time ___ and ___

A

consuming

expensive

16
Q

SAS70 (Statement on Auditing Standards No. 70), Type II

A

This certification focuses on a CSP’s infrastructure, policies, and procedures to assure that it follows best practices in minimizing the risk of service disruption and to ensure the security of data

17
Q

ISO 27001/2

A

More comprehensive than SAS70

18
Q

Cloud Security Alliance (CSA)

A

In 2010, CSA revealed an initial program for accreditation / certification oriented toward certifying competency in cloud security practices

19
Q

FISMA, FedRAMP, and NIST 800-53

A

U.S. federal government programs to measure security for federal IT systems

20
Q

Uptime Institute

A

“Provides education, publications, consulting, certifications, conferences and seminars, independent research, and thought leadership for the enterprise data center industry and for data center professionals”

21
Q

transparency

A

degree of visibility into security policy and operations that a CSP offers to its customers

Although customers should not expect a CSP to provide details on how security is implemented, they expect a CSP to be open and accountable about security practices

22
Q

What should be kept secret in CSP security includes

A

specific implementation details that could be exploited by a hacker

23
Q

Overall, risk can be broadly classified into three categories

A

Technical Risks
Policy and Legal Risks
Operational Risks

24
Q

Technical Risks

A

isolation failure, data interception, data leakage, and malicious probes

25
Q

Policy and Legal Risks

A

loss of governance, compliance failures, jurisdictional issues, subpoenas, and licensing issues

26
Q

Operational Risks

A

malicious insiders, errors and misconfigurations, bandwidth problems, social engineering, loss of backup data, physical security compromise, loss of encryption keys

27
Q

Disaster recovery not only includes natural events like earthquakes, fires, or tornadoes. It also includes how you recover from disasters caused by ___

A

human error

28
Q

Security Criteria

A
Security Policies
Security Staff Independence
Change Management
Upgrades and Patch Management 
Scans
Forensics
Incident Management 
Business Continuity
29
Q

It is easier to patch ___ and then copy customer components to a copy of that image

A

a golden image

30
Q

Security engineers need to have a primary responsibility of security, but not of ___, as the two roles can conflict

A

operations

This team is often called a Security Operations Center (SOC)

31
Q

The kind of ___ that are deployed along with the ___ that comprises the cloud can be valuable information for customers

A

servers

foundational software

32
Q

The act of backing up the cloud might ___

A

compromise security

Is encryption used as backups are created?
When the backups are physically being moved to another location is there a chain of custody?
Are there any measures in place to ensure that the data has not been tampered with during the move?

33
Q

Service Level Agreements (SLA) are a critical component of a public cloud’s ___

A

availability guarantees

34
Q

Elasticity

A

Make sure you understand how the cloud provider scales their cloud and balances load

How do they accommodate customer growth?
How is load shared among nodes, and how does that affect your adoption of the cloud with your particular application?

35
Q

In terms of security, it is important to understand the ___ of the public cloud provider for key personnel involved in the development and management of the cloud

A

hiring policies and procedures