Managing Cloud Security - D320 (Western Governors University), terms in this set (125)

International Organization for Standardization (ISO): an international standards body composed of representatives from national standards organizations. (The expansion "International Standards Organization" is a common error.)
ISO/IEC 27001: the standard for an information security management system (ISMS). It states the requirements for establishing, implementing, maintaining, and continually improving the ISMS, and it is the standard an organization is certified against.
ISO/IEC 27002: a code of practice for information security controls, used as implementation guidance by organizations working toward ISO/IEC 27001 certification.
ISO/IEC 27017: supplements ISO/IEC 27002 with additional controls and implementation guidance specific to cloud services, for both cloud service providers and cloud service customers.
ISO/IEC 27018 (2014, revised 2019): "Information technology. Security techniques. Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors." It extends ISO/IEC 27002 with PII-specific controls for cloud providers.
ISO/IEC 27034-1: provides a framework for application security within an organization (the ONF/ANF model described under ISO/IEC 27034 below).
ISO 28000:2007: specification for security management systems for the supply chain.
ISO 31000:2009: industry-independent principles and guidelines on risk management.
NIST: the National Institute of Standards and Technology, an agency of the US Department of Commerce whose mission is to promote innovation and industrial competitiveness. It publishes the FIPS and SP 800 series, which set mandatory security standards and guidelines for federal agencies and their contractors; many private-sector organizations adopt them voluntarily.
NIST SP 800-37: the Risk Management Framework (RMF), a life-cycle approach to managing security and privacy risk (categorize, select, implement, assess, authorize, monitor).
NIST SP 800-53: the catalog of security and privacy controls for information systems and organizations that the RMF selects from.
NIST SP 800-92: Guide to Computer Security Log Management.
ISO/IEC 27034 frameworks: there is exactly one Organizational Normative Framework (ONF) for an organization, but potentially as many Application Normative Frameworks (ANFs) as there are applications.
- Organizational Normative Framework (ONF): the organization-wide repository of approved application security controls, processes, and contexts.
- Application Normative Framework (ANF): the subset of the ONF selected for one specific application and its target level of trust.
ASHRAE (American Society of Heating, Refrigerating and Air-Conditioning Engineers): an American professional association that advances the design and construction of heating, ventilation, air conditioning and refrigeration systems; its thermal guidelines define the environmental operating ranges used in data centers.
Biba: an access control model designed to preserve data integrity. It has three goals: prevent data modification by unauthorized subjects; prevent unauthorized data modification by authorized subjects; maintain internal and external consistency. It enforces them with two rules: a subject may not read data at a lower integrity level ("no read down", the simple integrity property) and may not write data at a higher integrity level ("no write up", the *-integrity property).
Capability Maturity Model (CMM): a development model in which maturity relates to the formality and optimization of processes. Applied to cloud security, it rates how formal, repeatable, measured, and continually improved the organization's cloud security processes are.
Child Online Protection Act (COPA): a 1998 US law that attempted to restrict minors' access to material defined as harmful to minors. It never took effect; a permanent injunction against it was upheld in 2009.
Cloud Access Security Brokers (CASBs): monitor network activity between users and cloud applications, enforce security policy (visibility, compliance, data security, threat protection), and block malware.
COBIT (Control Objectives for Information and Related Technologies): an ISACA framework for IT governance and management. Initially focused on IT controls and widely used to achieve Sarbanes-Oxley compliance, its emphasis has since shifted to enterprise governance of information and technology (COBIT 2019). The COBIT 5 edition is organized around five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
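The Biba rules above are easy to state and easy to get backwards, so here is a small reference-monitor style check that enforces them. This is an added illustration, not code from the course or from any product; the integrity lattice (untrusted, user, system, kernel) and the entity names are assumptions chosen for the demo.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable

# Integrity lattice assumed for this illustration: higher rank = more trustworthy.
LEVELS: dict[str, int] = {"untrusted": 0, "user": 1, "system": 2, "kernel": 3}


@dataclass(frozen=True)
class Entity:
    """A subject (process, user) or object (file, record) labelled with an integrity level."""
    name: str
    level: str

    @property
    def rank(self) -> int:
        return LEVELS[self.level]


def can_read(subject: Entity, obj: Entity) -> bool:
    """Simple integrity property ("no read down"): a subject may only read objects
    at or above its own level, so low-integrity data cannot taint its decisions."""
    return obj.rank >= subject.rank


def can_write(subject: Entity, obj: Entity) -> bool:
    """*-integrity property ("no write up"): a subject may only write objects at or
    below its own level, so it cannot corrupt more trusted data."""
    return subject.rank >= obj.rank


def can_invoke(subject: Entity, target: Entity) -> bool:
    """Invocation property: a subject may invoke another subject only at an equal
    or lower level (it cannot borrow higher integrity by calling upward)."""
    return target.rank <= subject.rank


RULES: dict[str, Callable[[Entity, Entity], bool]] = {
    "read": can_read,
    "write": can_write,
    "invoke": can_invoke,
}


def decide(subject: Entity, action: str, target: Entity) -> bool:
    """Reference-monitor decision: unknown actions are denied by default."""
    rule = RULES.get(action)
    return False if rule is None else rule(subject, target)


def audit(requests: Iterable[tuple[Entity, str, Entity]]) -> list[tuple[str, str, str, bool]]:
    """Evaluate a batch of (subject, action, target) requests, one result row each."""
    return [(s.name, a, t.name, decide(s, a, t)) for s, a, t in requests]


if __name__ == "__main__":
    # Constructed scenario (assumed names): a system-level updater, a user-level
    # browser, a sandboxed plugin, an untrusted download and the system registry.
    updater = Entity("package-updater", "system")
    browser = Entity("browser", "user")
    plugin = Entity("sandboxed-plugin", "untrusted")
    download = Entity("downloaded-installer", "untrusted")
    registry = Entity("system-registry", "system")
    requests = [
        (updater, "read", download),   # denied: reading down would taint the updater
        (updater, "write", registry),  # allowed: same level
        (browser, "write", registry),  # denied: writing up
        (plugin, "read", registry),    # allowed: reading up is harmless to integrity
        (browser, "invoke", updater),  # denied: cannot invoke a higher-integrity subject
    ]
    for subject, action, target, allowed in audit(requests):
        print(f"{subject:>18} {action:<6} {target:<22} {'ALLOW' if allowed else 'DENY'}")
```

Note the contrast with Bell-LaPadula: Biba lets a low-integrity subject read high-integrity data (the plugin reading the registry), because reading up cannot corrupt anything; what it forbids is the trusted updater consuming the untrusted download.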
Common Criteria and the Evaluation Assurance Level (EAL): an EAL rating is assigned to an IT product after it has been evaluated by an independent, accredited laboratory. The level indicates the depth and rigor of the evaluation, from EAL1 (least) to EAL7 (most); it measures assurance in the evaluation, not the strength of the security functions themselves. The Common Criteria (ISO/IEC 15408) define some 60 security functional requirements grouped into 11 classes and are accepted under the Common Criteria Recognition Arrangement by the US and many allied governments.
Consensus Assessments Initiative Questionnaire (CAIQ): a Cloud Security Alliance (CSA) initiative that provides industry-accepted documentation of a provider's security controls as a set of yes/no questions; it is now published together with the Cloud Controls Matrix (CCM). A completed CAIQ is the self-assessment evidence for entry at Level 1 of the CSA STAR registry.
Digital Millennium Copyright Act (DMCA): a 1998 and occasionally controversial US act intended to align US copyright law with the requirements of the World Intellectual Property Organization (WIPO) treaties; it also prohibits circumventing technical protection measures.
DLP (Data Loss Prevention): a set of tools, procedures, and policies that ensure sensitive, proprietary, and personal data (PII) is not lost, exfiltrated, or misused. DLP discovers and classifies data at rest, in motion, and in use, then applies preventive controls (block, quarantine, encrypt) and detective controls (alert, log). It supports compliance with numerous laws and regulatory requirements.
ENISA (European Union Agency for Cybersecurity, formerly the European Union Agency for Network and Information Security): the EU agency that provides support, information, and collaboration on cybersecurity across member states. It publishes the annual ENISA Threat Landscape report; the editions cited by this set each listed 15 top threats.
EU Data Protection Directive (95/46/EC): regulated the processing of personal data in the EU until it was replaced by the GDPR in May 2018. Because it was a directive, each member state had to pass its own national law establishing how it would implement and enforce it. It embodies the seven principles derived from the OECD privacy guidelines (listed under OECD below).
EuroCloud StarAudit Certification (ESAC): a cloud certification scheme run by EuroCloud, a nonprofit association that maintains information security standards and best practices for cloud services and provides assessments and certification of compliance against them.
Family Educational Rights and Privacy Act (FERPA): a US federal law that protects the privacy of student education records. It applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
Federal Information Processing Standard (FIPS) 140-2: the security requirements for cryptographic modules. It is mandatory for modules protecting sensitive information in US federal systems, including those operated by contractors, and is widely required by regulated industries such as finance and health care. It is being succeeded by FIPS 140-3. FIPS 140-2 defines four levels, from level 1 (lowest security) through level 4 (highest). Testing under FIPS 140 is performed by accredited Cryptographic Module Testing laboratories (23 at the time this set was written), and validations are published by NIST's Cryptographic Module Validation Program.
Federal Information Security Management Act (FISMA): a 2002 US law (updated by the Federal Information Security Modernization Act of 2014) that requires federal agencies to develop, document, and implement an agency-wide information security program.
GDPR (General Data Protection Regulation): gives individuals control over their personal data. As a regulation rather than a directive, it applies directly in every EU member state without national implementing laws, replacing the patchwork of national laws under the Data Protection Directive.
Generally Accepted Privacy Principles (GAPP): a privacy framework published by the AICPA (with CICA) consisting of ten principles: management; notice; choice and consent; collection; use, retention, and disposal; access; disclosure to third parties; security for privacy; quality; and monitoring and enforcement. (Not to be confused with the Generally Accepted Principles and Practices for sovereign wealth funds, the 24 "Santiago Principles" agreed by 23 countries in 2008 in response to investor and regulator concerns about transparency, independence, and governance.)
Gramm-Leach-Bliley Act (GLBA): requires companies that offer financial products or services to safeguard sensitive customer data and to inform customers of their information-sharing practices.
Health Insurance Portability and Accountability Act (HIPAA): a 1996 US law that, among other things, stipulates how protected health information (PHI) held by healthcare providers, health plans, and clearinghouses must be protected (the Privacy and Security Rules). Its original requirements were widely regarded as vague and weakly enforced.
HITECH Act: the 2009 Health Information Technology for Economic and Clinical Health Act promoted the adoption of electronic health records (EHR) and the supporting technology. It increased the penalties for HIPAA noncompliance, applied HIPAA obligations directly to business associates, and established breach notification to affected patients.
IDCA (International Data Center Authority): aims to be "the ultimate standardization, education, and certification body for the Application Ecosystem and its supporting digital infrastructure" and delivers data compliance audits of that ecosystem. Auditors certified by IDCA assess cloud providers against the IDCA Grade Levels.
Internet Small Computer System Interface (iSCSI): a storage networking standard that carries SCSI commands over TCP/IP, linking storage arrays to servers over ordinary IP networks. Because it rides on IP, iSCSI traffic should be isolated on a dedicated network or VLAN and authenticated (CHAP).
Key risk indicators (KRI): metrics that are critical predictors of risks or adverse events that can impact an organization.
Lightweight Directory Access Protocol (LDAP): in an LDAP environment each entry in a directory server is identified by a Distinguished Name (DN), a comma-separated sequence of relative distinguished names (RDNs) such as cn=jsmith,ou=People,dc=example,dc=com, read from the entry up to the directory root.
Mean time between failures (MTBF): the predicted time between failures of a system during normal operation. It covers only unplanned outages and excludes scheduled maintenance, inspection, recalibration, and preventive parts replacement.
Mean time to repair (MTTR): the mean time it takes to restore a failed system, including both repair time and testing time.
NFPA (National Fire Protection Association): a nonprofit organization working to eliminate death, injury, property and economic loss due to fire, electrical and related hazards.
Open Web Application Security Project (OWASP): a nonprofit organization working to improve the security of software, best known for the OWASP Top 10 list of the most critical web application security risks.
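Because a DN is a structured value and not just a string, authorization logic that compares DNs with string operations can be fooled by RFC 4514 escapes. The parser below is an added example (not from the course or from any LDAP library): it splits a DN into RDNs, resolves backslash and hex escapes, and contrasts a correct "is this entry under that base?" check with the naive `endswith` check. The DNs used are constructed for the demo.

```python
from __future__ import annotations

HEX_DIGITS = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse an RFC 4514 string DN into a list of RDNs, leaf first.

    Each RDN is a list of (attributeType, value) pairs (more than one when the
    RDN is multi-valued, joined with '+'). Escapes are resolved: '\\,' '\\+'
    '\\=' '\\\\' and '\\XX' hex pairs. Hex pairs are UTF-8 bytes, so a value is
    decoded only after all of its bytes have been collected.
    """
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    attr: str | None = None
    buf: list[tuple[bytes, bool]] = []  # (UTF-8 bytes, was_escaped)

    def take() -> str:
        # Unescaped leading/trailing spaces are insignificant; escaped ones are data.
        items = list(buf)
        while items and items[0] == (b" ", False):
            items.pop(0)
        while items and items[-1] == (b" ", False):
            items.pop()
        return b"".join(b for b, _ in items).decode("utf-8")

    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX_DIGITS and pair[1] in HEX_DIGITS:
                buf.append((bytes([int(pair, 16)]), True))
                i += 3
            elif i + 1 < n:
                buf.append((dn[i + 1].encode("utf-8"), True))
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
        elif c == "=" and attr is None:
            attr = take()
            if not attr:
                raise ValueError(f"empty attribute type at offset {i}")
            buf = []
            i += 1
        elif c in ",+":
            if attr is None:
                raise ValueError(f"separator before '=' at offset {i}")
            rdn.append((attr, take()))
            attr, buf = None, []
            if c == ",":
                rdns.append(rdn)
                rdn = []
            i += 1
        else:
            buf.append((c.encode("utf-8"), False))
            i += 1
    if attr is None:
        raise ValueError("DN ends without a value")
    rdn.append((attr, take()))
    rdns.append(rdn)
    return rdns


def _normalize(rdns: list[list[tuple[str, str]]]) -> list[list[tuple[str, str]]]:
    # Attribute types are case-insensitive. Values are compared exactly here;
    # real servers apply per-attribute matching rules such as caseIgnoreMatch.
    return [sorted((t.lower(), v) for t, v in rdn) for rdn in rdns]


def is_under(dn: str, base: str) -> bool:
    """True if `dn` names an entry strictly below `base` in the directory tree."""
    d, b = _normalize(parse_dn(dn)), _normalize(parse_dn(base))
    return len(d) > len(b) and d[len(d) - len(b):] == b


def naive_is_under(dn: str, base: str) -> bool:
    """The string comparison many scripts use; wrong when values contain escapes."""
    return dn.endswith("," + base)


if __name__ == "__main__":
    # Constructed DN whose cn value contains an escaped comma: it is NOT under ou=Admins.
    tricky = r"cn=x\,ou=Admins,dc=example,dc=com"
    base = "ou=Admins,dc=example,dc=com"
    print(parse_dn(tricky))
    print("naive:", naive_is_under(tricky, base), " parsed:", is_under(tricky, base))
```

The tricky DN is the case a practitioner should test for: anyone who can choose their own cn value can make a string-suffix check believe their entry lives in a privileged OU, while the parsed comparison sees a single RDN whose value happens to contain ",ou=Admins".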
Organisation for Economic Co-operation and Development (OECD): its privacy guidelines are commonly summarized as seven principles governing the protection of personal data (the 1980 OECD Guidelines themselves enumerate eight):
- Notice: data subjects should be given notice when their data is being collected.
- Purpose: data should only be used for the purpose stated and not for any other purposes.
- Consent: data should not be disclosed without the data subject's consent.
- Security: collected data should be kept secure from any potential abuses.
- Disclosure: data subjects should be informed as to who is collecting their data.
- Access: data subjects should be allowed to access their data and make corrections to inaccurate data.
- Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
OSHA (Occupational Safety and Health Administration): a large regulatory agency of the United States Department of Labor that originally had federal visitorial powers to inspect and examine workplaces.
Payment Card Industry Data Security Standard (PCI DSS): an industry standard imposed on anyone who stores, processes, or transmits cardholder data. It is maintained by the PCI Security Standards Council, but fines for noncompliance are imposed by the card brands through the acquiring banks. Depending on transaction volume (merchant level), an annual on-site assessment by a Qualified Security Assessor can be required instead of a self-assessment questionnaire, in addition to quarterly external vulnerability scans by an Approved Scanning Vendor.
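The DLP and PCI DSS entries above meet in one concrete control: finding primary account numbers (PANs) in places they should not be, such as chat logs or exports, and masking them to the first six and last four digits that PCI DSS permits to be displayed. The detector below is an added example for this page, not part of the course material or any DLP product. The log lines are constructed; the card numbers are the public Visa, Mastercard and Amex test numbers plus two decoys, so the Luhn check can show why "16 digits" alone is not a PAN.

```python
import re

# A PAN is 13 to 19 digits, in the wild often grouped with spaces or dashes.
# The lookarounds stop us matching a slice out of a longer run of digits.
PAN_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every card brand's PAN must satisfy."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[dict]:
    """Return Luhn-valid PAN candidates with their line number and masked form."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append({"line": lineno, "raw": m.group(), "masked": mask_pan(digits)})
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form; leave decoys alone."""
    def sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(sub, text)


# Constructed sample log (not real data). Line 2 is a 16-digit order id that fails
# Luhn, line 4 is a mistyped card number; neither should be flagged.
SAMPLE = """\
2024-05-02 10:31:07 chat user=jdoe msg="my card is 4111 1111 1111 1111, charge it"
2024-05-02 10:32:15 export order_id=1234567890123456 amount=42.00
2024-05-02 10:33:40 mail to=vendor body="PAN 5555-5555-5555-4444 exp 12/26"
2024-05-02 10:34:01 note 4111111111111112 is a typo, not a card
2024-05-02 10:35:22 refund amex 378282246310005 approved
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print(f"line {hit['line']}: {hit['raw']!r} -> {hit['masked']}")
    print(redact(SAMPLE))
```

In a real deployment the regex would be narrowed further with per-brand BIN ranges and lengths, and the redact path would run before the data reaches the log store, not after; the Luhn filter is what keeps the alert volume tolerable.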