CCSK Study - Domain 2: Governance & Enterprise Risk Management

As stated in the title, Domain 2 focuses on the issues of Governance and Enterprise Risk Management as it relates to the cloud.

  • Corporate Governance
    • is the set of processes, technologies, customs, policies, laws and institutions affecting the way an enterprise is directed, administered, or controlled
    • 5 basic principles
      • Auditing Supply Chains
      • Board and Management Structure and Process
      • Corporate responsibility and compliance
      • Financial transparency and information disclosure
      • Ownership structure and exercise of control rights
  • Enterprise Risk Management
    • is the process of measuring, managing and mitigating uncertainty or risk
    • Multiple methods to deal with risk
      • Avoidance
      • Reduction
      • Share / Insure
      • Accept
    • General goal: maximize value in line with risk appetite and strategy
    • Many benefits to cloud computing, however
      • Customers should view cloud service providers as supply chain security issues
      • Must evaluate providers' incident management, disaster recovery policies, business continuity policies...
    • Companies should adopt an established risk framework
      • should use metrics to measure risk management
        • SCAP, CYBEX, GRC-XML
      • adopt a risk-centric viewpoint
      • framework should account for legal perspective across different jurisdictions
  • Recommendations
    • Reinvest the cost savings from moving to the cloud into security
      • Detailed assessments
      • Application of Security Controls
      • Risk assessments, verifying provider capabilities, etc.
    • Review security controls and vendor capabilities as part of due diligence (DD)
      • review for sufficiency, maturity, and consistency with the user's information security management processes
    • Ensure governance processes and structures are agreed upon by both the tenant and provider
    • Security departments should be engaged as part of the SLAs
      • Ensure that security requirements are contractually enforceable
    • Define appropriate cloud security metrics
      • Really? Do these exist?
    • Consider the effect of cloud limitations on audit policies and assessments
      • may have to change the way audit is conducted
      • remember to contract requirements in
    • Risk management should include identification and valuation of assets, identification and analysis of threats and vulnerabilities and their potential impact on assets, likelihoods of events/scenarios, and management-approved risk levels
    • Take into account vendor risk
      • business sustainability, portability of data/applications,

This section essentially defines enterprise risk management and corporate governance. In theory, all organizations should already be doing this at some level. I think the important points here are to make sure the enterprise is aware that moving to the cloud means a loss of control over every aspect of the technical solution. This means, in some cases, changing the way audits or testing are done to accommodate the vendor's preferences or limitations. Further to this, you need to pay your lawyers and ensure that all requirements you have are stipulated in some form or another in the contract. CSPs are basically an extension of the enterprise, much in the same way outsourcing is, but they basically have full control over the data you place in their possession. I like the point about re-investing "savings" into increased security. Ultimately, as you lose full control over an asset, you must increase your vigilance (detection tools) to ensure that your wishes as stipulated in a contract are being followed. You can try to hide behind a contract, saying that it was the CSP's responsibility to do something; however, in the courts you would have to prove that the CSP was negligent. This may be harder than anticipated.