- Domain two of the Certificate of Cloud Security Knowledge is Governance and Risk. One of the key risks addressed in this domain is that of the supply chain. Corporate governance is the set of processes, technologies, culture, and external mandates that affect the way in which an enterprise is directed and controlled. There are many models of governance, but all adhere to five basic principles: auditing supply chains; board and management structure and the processes for managing the business; corporate responsibility, which includes compliance with obligations;
financial transparency; and ownership structure and exercise of control rights. The focus of enterprise risk management is to protect the value of the enterprise for stakeholders. All enterprises face uncertainty, and this offers both risks and opportunities. Enterprise risk management means identifying the risks and opportunities, managing the risks, and taking advantage of the opportunities within the risk appetite of the shareholders.
There are four key risk strategies: avoidance, which is ceasing the activities that are causing risk; reduction, also known as mitigation, which is taking action to reduce risk exposure; transferring or sharing the risk, for example by taking out insurance; and accepting the risk, if it is within appetite. Cloud services should be dealt with in the same way as supply chain issues and assured as third-party services, including understanding the risk associated with the provider's own third-party supply chain.
Assessment of third-party providers should specifically target the provider's incident management, business continuity, and disaster recovery policies, processes, and procedures. In particular, contracts and SLAs should address communication of incident information, either manually or through automated systems. Protocols such as SCAP, CYBEX, and GRC-XML can be used to automatically exchange security information. The CSA guidance makes 16 recommendations regarding governance and risk and suggests that good governance starts with reinvesting some of the savings from using cloud to enhance the application and monitoring of security.
- Essential cloud concepts: infrastructure, deployment models, and more
- Defining trust models for clouds
- Identifying governance and risk
- Complying with legal and audit requirements
- Managing incident response
- Maximizing application security
- Managing encryption and keys
- Implementing virtualization
- Introducing SABSA and the cloud attribute taxonomy