Week 13: Evaluating Cloud Security - An Information Security Framework Flashcards
The framework defines a number of checklists of ___ that span the range of activities that together support information security for cloud computing
The goal is to provide an ___, which can be used to evaluate the security of a private, community, public, or hybrid cloud
evaluation criteria
organized set of tools
Evaluating the security of a ___ may best be done by managing the evaluation of the two or more cloud instances using one set of checklists per instance
hybrid cloud
The ___ and ___ of a cloud share responsibility for ensuring that security measures are in place and standards/procedures are followed
owner
operator
The ___ takes a similar approach in detailing security requirements for cloud implementations
Cloud Security Alliance Controls Matrix
A good starting point when you need to measure the presence and effectiveness of cloud security includes having a list of ___
required or recommended security controls
It is not enough that a security control is present
That control also needs to be effective
One can describe this as the ___
degree of trust (or assurance) that can be expected from these controls
Measuring the presence and/or effectiveness of security controls is largely what ___ are intended to do
security evaluations
designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider
Cloud Controls Matrix (CCM)
focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency
Consensus Assessments Initiative Questionnaire
presents security guidance for a number of areas in cloud computing: architecture, governance, traditional security, virtualization
Security Guidance for Critical Areas of Focus in Cloud Computing
discusses the major identity management functions as they relate to cloud computing
Guidance for Identity & Access Management
leading the security guidance efforts in Europe, and has produced several publications
European Network and Information Security Agency (ENISA)
A set of assurance criteria addressing the risk of adopting cloud computing
Cloud Computing: Information Assurance Framework
A security policy defines the organization’s overall ___
security goals
Standards
Standards state mandatory actions that support the policy
Guidelines
provide guidance for implementation of standards
___ for a cloud is a foundation of operational security
Personnel security
Checklist 1: Policy, Standards, & Guidelines
Has a security policy been clearly documented, approved, and represented to all concerned parties as representing the management’s intent?
Has the security policy had legal, privacy, and other governance review?
Has the security policy been augmented by security standards and/or guidelines?
Has the policy been augmented by a privacy policy?
Are the security and privacy policies, as well as standards and guidelines, consistent with industry standards (such as ISO 27001, COBIT, etc.)?