# CCSP Cloud Guardians

![rw-book-cover](https://m.media-amazon.com/images/I/71chjvsHeuS._SY160.jpg)

## Metadata
- Author: [[Gwen Bettwy]]
- Full Title: CCSP Cloud Guardians
- Category: #books

## Highlights
- You cannot use ISO/IEC 27001 to build a security program without knowing security controls first. The process of learning security controls is the process of learning ISO/IEC 27002. Alternatively, NIST SP 800-53 is also a list of all security controls, similar to ISO/IEC 27002. ([Location 229](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=229))
- ISO/IEC 27000 is an overview and glossary. ISO/IEC 27002 contains a list of all security terms/tools/technologies (you could think of this as being similar to sitting through a CISSP class and all of the topics covered). ISO/IEC 27001 is the tool to create the ISMS. It is also perfect for auditing and certifying an organization and their security program. ([Location 247](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=247))
- WINE works on macOS to allow Windows applications to be run there. ([Location 289](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=289))
- ISO/IEC 15408 – Common Criteria – Evaluation criteria for IT security ([Location 345](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=345))
- Structured data is something like a database. Each record within a table can be connected (RDBMS) to another record in another table. This data works best in block storage. Unstructured data is data that does not have any relationship to each other. This type of data would be something like an email, an invoice, a Word document, a picture, etc. This type of data is best stored in object storage. ([Location 462](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=462))
- Capability Maturity Model – ISO/IEC 21827 ([Location 564](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=564))
- Ephemeral storage is temporary. It exists as long as the VM is running. ([Location 679](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=679))
- If an incident occurred once… Single loss expectancy (SLE) = Asset value (AV) * Exposure Factor (EF). How many times does this occur a year? Annual rate of occurrence (ARO). Therefore, the annual cost is Annualized Loss Expectancy (ALE) = SLE * ARO. Qualitative ([Location 736](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=736))
- ISO 28000 – Specification for Security Management Systems for the Supply Chain
- ISO 27036 – Information Security for Supplier Relationships ([Location 958](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=958))
- ISO/IEC 27034 – Security Techniques – Application security. ISO/IEC 27034 states that it ‘provides guidance to assist organizations in integrating security into the processes used for managing their applications’.
  - Organization Normative Framework (ONF) – Allows an organization to define its application best practices
  - Application Security Management Process (ASMP) – The process allows the organization to develop the ANF from the ONF
  - Application Normative Framework (ANF) – Assists the organization to develop the plan for the best practices from the ONF that will be used for a specific application ([Location 1059](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1059))
- Tier 1 – Basic Capacity
  - Dedicated IT space
  - Dedicated cooling
  - UPS and Generator for power outages ([Location 1092](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1092))
- Tier 3 – Concurrently maintainable
  - Tier 2 plus: Equipment maintenance does not require shutdown ([Location 1099](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1099))
- ITIL/ISO/IEC 20000 – This is all about IT Service Management. ([Location 1144](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1144))
- Encrypt the data and destroy the key. Perhaps a second time with a different algorithm. Maybe even a third time depending on level of sensitivity. It should also be in the contract for the cloud provider to do the same when service is cancelled. ([Location 1202](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1202))
- Business Impact Assessment (BIA)
  - Quantitative Risk Assessment – This is the calculation of the cost of an incident to the business. SLE = AV * EF; ARO = # of times/year(s); ALE = SLE * ARO
  - Qualitative Risk Assessment – This is the process of ranking and prioritizing incidents so as to determine what must be protected against.
  - Maximum Tolerable Downtime (MTD) – the maximum amount of time a system can be offline
  - Recovery Time Objective (RTO) – the time that a corporation has to do the actual work of recovery
  - Recovery Point Objective (RPO) – the point in the past the last known good backup was created. It is expressed in a unit of time. It is the amount of data that can be lost. ([Location 1231](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1231))
- Checklist/Desk Check – confirm details have been added to the document
- Structured walk-through/Tabletop – talk through a scenario
- Simulation – emulate a failover, e.g. a fire drill
- Parallel – bring the alternate cloud environment up to a functional level while the business remains functional on the production network (cloud or not)
- Full Interruption ([Location 1263](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1263))
- Stored Communications Act – US law for Internet Service Providers ([Location 1278](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1278))
- CLOUD Act (Clarifying Lawful Overseas Use of Data) – The purpose is to improve the US government's/law enforcement's access to data stored across borders ([Location 1282](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1282))
- ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors ([Location 1285](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1285))
- The American Institute of Certified Public Accountants, with the Canadian Institute of Chartered Accountants and with help from ISACA, created a Maturity Model based on the GAPP. ([Location 1324](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1324))
- Level 1 – more than 6 million transactions a year ([Location 1344](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1344))
- SAS 70 – Old and outdated, but the beginning of the story
- SSAE 16/18 – 16 is being replaced by 18
- ISAE 3402/3400 – International equivalent of the AICPA SSAE 16/18 ([Location 1356](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1356))
- SOC 1 – From AICPA, for the ‘CPAs that audit the user entities’ financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities’ financial statements.’ (AICPA, 2019)
  - Type I – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls
  - Type II – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls and operating effectiveness
- SOC 2 – These reports are ‘intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.’
  - Type I – management’s description of a system and the suitability of the design
  - Type II – management’s description of a system and the suitability of the design and operating effectiveness of controls
- SOC 3 – These reports meet the needs of users who need assurance about controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy without need for the details. General use reports that can be freely distributed. ([Location 1361](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1361))
- ISO/IEC 27037 – Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27041 – Guidance on assuring suitability and adequacy of incident investigation method
- ISO/IEC 27042 – Guidelines for the analysis and interpretation of digital evidence
- ISO/IEC 27043 – Incident investigation principles and processes
- ISO/IEC 27050 – Code of practice for electronic discovery (E-Discovery) ([Location 1408](https://readwise.io/to_kindle?action=open&asin=B08WPFF25F&location=1408))
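The "encrypt the data and destroy the key" highlight (Location 1202 above) is crypto-shredding: when you cannot physically wipe a provider's disks or backups, you make the ciphertext worthless by destroying the only key that could open it. The Go program below is an added example, not code from the book or from any provider's KMS. It envelope-encrypts each object under its own data-encryption key (DEK), keeps the DEK only wrapped under a per-tenant key-encryption key (KEK), and shows that zeroing the KEK leaves the untouched ciphertext unrecoverable. The `Object`, `NewKEK`, `Encrypt`, `Decrypt` and `Shred` names, the in-memory KEK (a real deployment keeps it in a KMS or HSM, and "destroy" is that service's key deletion) and the sample plaintext are all assumptions for the demo. Both layers use AES-256-GCM; the book's optional second pass with a different algorithm would be one more wrapping layer around the KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example (not from the book): crypto-shredding with envelope encryption.
// Each object is encrypted under its own data-encryption key (DEK); the DEK is
// stored only wrapped under a tenant key-encryption key (KEK). Destroying the
// KEK leaves every object of that tenant unrecoverable, however many copies of
// the ciphertext survive on provider disks or in backups.

// Object is one stored item; Body and WrappedDEK are each nonce || AES-GCM output.
type Object struct{ Tenant, Body, WrappedDEK []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // bad key length or CSPRNG failure: a programming error, not runtime input
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad (the tenant
// name) so a blob cannot be replayed under another tenant. Output: nonce || ciphertext.
func seal(key, plaintext, aad []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key)))) // 32-byte key selects AES-256
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; any change to key, nonce, ciphertext or aad fails the tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// NewKEK returns a fresh 256-bit tenant key. In production it lives in a KMS/HSM.
func NewKEK() []byte { return randomBytes(32) }

// Encrypt: fresh DEK for the body, DEK wrapped under the KEK, and the plaintext
// DEK zeroed before return so only the wrapped copy persists.
func Encrypt(kek []byte, tenant string, plaintext []byte) *Object {
	dek := randomBytes(32)
	defer Shred(dek)
	aad := []byte(tenant)
	return &Object{Tenant: aad, Body: seal(dek, plaintext, aad), WrappedDEK: seal(kek, dek, aad)}
}

// Decrypt unwraps the DEK with the KEK, then opens the body.
func Decrypt(kek []byte, obj *Object) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, obj.Tenant)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer Shred(dek)
	return open(dek, obj.Body, obj.Tenant)
}

// Shred overwrites key material in place. Applied to a KEK it is the
// "destroy the key" step: every wrapped DEK, and so every object, is dead even
// though nothing about the stored ciphertext changed. Applied to one object's
// WrappedDEK it kills that object alone.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	kek := NewKEK()
	obj := Encrypt(kek, "acme", []byte("customer ledger")) // constructed sample data
	pt, err := Decrypt(kek, obj)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	Shred(kek)
	pt, err = Decrypt(kek, obj)
	fmt.Printf("after shred:  %q err=%v\n", pt, err)
}
```

The check a practitioner wants before signing the contract clause in the highlight is the second `Decrypt` call: with the ciphertext and wrapped DEKs still present, the only thing that changed is the key, and the data is gone. The same property is what you are buying when a provider commits to deleting tenant keys on service cancellation, so ask how key deletion is evidenced, not just that ciphertext is "removed".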
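The SLE/ARO/ALE formulas at Location 736 and the BIA terms at Location 1231 above are easiest to check with numbers. The Go program below is an added worked example, not from the book: it computes SLE and ALE for a scenario, uses the ALE difference to decide whether a control is worth its annual cost, and checks that a system's MTD, RTO, RPO and backup interval do not contradict each other. The `Scenario` and `Targets` types, the `ControlValue` rule and every figure in it are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Added worked example (not from the book): the quantitative risk formulas
// SLE = AV * EF and ALE = SLE * ARO carried through to the decision they exist
// for (does a control remove more annual loss than it costs?), plus a
// consistency check on the BIA recovery targets MTD, RTO and RPO.

// Scenario is one threat against one asset. All figures used below are constructed.
type Scenario struct {
	Asset string
	AV    float64 // asset value, in currency units
	EF    float64 // exposure factor: fraction of AV lost per incident, 0..1
	ARO   float64 // annual rate of occurrence: incidents per year
}

// SLE is the single loss expectancy, AV * EF.
func (s Scenario) SLE() float64 { return s.AV * s.EF }

// ALE is the annualized loss expectancy, SLE * ARO.
func (s Scenario) ALE() float64 { return s.SLE() * s.ARO }

// ControlValue is the annual net benefit of a control that turns the "before"
// scenario into "after": ALE removed minus the control's annual cost. Negative
// means the control costs more than the risk it treats.
func ControlValue(before, after Scenario, annualCost float64) float64 {
	return before.ALE() - after.ALE() - annualCost
}

// Targets holds the BIA recovery parameters for one system.
type Targets struct {
	System         string
	MTD            time.Duration // maximum tolerable downtime
	RTO            time.Duration // time budget for the recovery work itself
	RPO            time.Duration // maximum acceptable data loss, as the age of the last good copy
	BackupInterval time.Duration // how often a restorable copy is actually taken
}

// Validate lists the contradictions in a set of targets (empty means consistent):
// the recovery work must fit inside the tolerable outage, and copies must be taken
// at least as often as the RPO or the RPO cannot be met.
func (t Targets) Validate() []string {
	var problems []string
	if t.RTO > t.MTD {
		problems = append(problems, fmt.Sprintf("%s: RTO %v exceeds MTD %v", t.System, t.RTO, t.MTD))
	}
	if t.BackupInterval > t.RPO {
		problems = append(problems, fmt.Sprintf("%s: backup interval %v exceeds RPO %v", t.System, t.BackupInterval, t.RPO))
	}
	return problems
}

func main() {
	// Constructed figures: a 1,000,000 asset; a breach costs 25% of it and is expected once a decade.
	before := Scenario{Asset: "customer DB", AV: 1_000_000, EF: 0.25, ARO: 0.1}
	after := before
	after.EF = 0.05 // a control cuts the loss per incident to 5%
	fmt.Printf("SLE=%.0f ALE=%.0f -> ALE with control=%.0f\n", before.SLE(), before.ALE(), after.ALE())
	fmt.Printf("net annual value of a 15,000/yr control: %.0f\n", ControlValue(before, after, 15_000))

	// Constructed targets that contradict each other on both counts.
	t := Targets{System: "ledger", MTD: 8 * time.Hour, RTO: 12 * time.Hour, RPO: time.Hour, BackupInterval: 4 * time.Hour}
	for _, p := range t.Validate() {
		fmt.Println("BIA conflict:", p)
	}
}
```

The two `Validate` rules are the ones most often found wrong in a BIA review: an RTO longer than the MTD means the plan cannot meet the business's own tolerance, and a backup schedule looser than the RPO means the stated data-loss limit is fiction regardless of how fast recovery is.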