| Section | Page | Length (pages) |
|---|---|---|
| **Foreword** | xix | |
| **Introduction** | xxi | |
| **Domain 1: Architectural Concepts and Design Requirements Domain** | 1 | 80 |
| | 3 | 4 |
| Drivers for Cloud Computing | 4 | 1 |
| Security/Risks and Benefits | 5 | 2 |
| Cloud Computing Definitions | 7 | 5 |
| | 12 | 1 |
| Key Cloud Computing Characteristics | 13 | 2 |
| Cloud Transition Scenario | 15 | 1 |
| | 16 | 1 |
| Cloud Computing Activities | 17 | 1 |
| | 18 | 6 |
| Infrastructure as a Service (IaaS) | 18 | 2 |
| Platform as a Service (PaaS) | 20 | 2 |
| Software as a Service (SaaS) | 22 | 2 |
| | 24 | 2 |
| | 24 | 1 |
| | 24 | 1 |
| | 25 | 1 |
| The Community Cloud Model | 26 | 1 |
| Cloud Cross-Cutting Aspects | 26 | 7 |
| | 26 | 2 |
| Key Principles of an Enterprise Architecture | 28 | 1 |
| The NIST Cloud Technology Roadmap | 29 | 4 |
| Network Security and Perimeter | 33 | 1 |
| | 34 | 4 |
| | 34 | 2 |
| | 36 | 2 |
| | 38 | 3 |
| Provisioning and De-Provisioning | 38 | 1 |
| Centralized Directory Services | 39 | 1 |
| Privileged User Management | 39 | 1 |
| Authorization and Access Management | 40 | 1 |
| Data and Media Sanitization | 41 | 2 |
| | 41 | 1 |
| | 42 | 1 |
| | 42 | 1 |
| | 43 | 1 |
| | 43 | 1 |
| | 44 | 1 |
| | 44 | 5 |
| | 45 | 1 |
| | 45 | 1 |
| Account or Service Traffic Hijacking | 46 | 1 |
| Insecure Interfaces and APIs | 46 | 1 |
| | 47 | 1 |
| | 47 | 1 |
| | 47 | 1 |
| Insufficient Due Diligence | 48 | 1 |
| Shared Technology Vulnerabilities | 48 | 1 |
| Security Considerations for Different Cloud Categories | 49 | 6 |
| Infrastructure as a Service (IaaS) Security | 49 | 3 |
| Platform as a Service (PaaS) Security | 52 | 1 |
| Software as a Service (SaaS) Security | 53 | 2 |
| Open Web Application Security Project (OWASP) Top Ten Security Threats | 55 | 2 |
| Cloud Secure Data Lifecycle | 57 | 1 |
| Information/Data Governance Types | 58 | 1 |
| Business Continuity/Disaster Recovery Planning | 58 | 3 |
| Business Continuity Elements | 59 | 1 |
| | 59 | 1 |
| | 60 | 1 |
| | 61 | 2 |
| Certification Against Criteria | 63 | 6 |
| System/Subsystem Product Certification | 69 | 4 |
| | 73 | 1 |
| | 74 | 4 |
| | 78 | 3 |
| **Domain 2: Cloud Data Security Domain** | 81 | 76 |
| | 83 | 1 |
| The Cloud Data Lifecycle Phases | 84 | 2 |
| Location and Access of Data | 86 | 1 |
| | 86 | 1 |
| | 86 | 1 |
| Functions, Actors, and Controls of the Data | 86 | 3 |
| | 87 | 1 |
| | 88 | 1 |
| | 88 | 1 |
| | 89 | 1 |
| Cloud Services, Products, and Solutions | 89 | 1 |
| | 90 | 4 |
| Infrastructure as a Service (IaaS) | 90 | 1 |
| Platform as a Service (PaaS) | 91 | 1 |
| Software as a Service (SaaS) | 92 | 1 |
| | 93 | 1 |
| Technologies Available to Address Threats | 94 | 1 |
| Relevant Data Security Technologies | 94 | 15 |
| Data Dispersion in Cloud Storage | 95 | 1 |
| Data Loss Prevention (DLP) | 95 | 3 |
| | 98 | 7 |
| Masking, Obfuscation, Anonymization, and Tokenization | 105 | 4 |
| Application of Security Strategy Technologies | 109 | 1 |
| | 110 | 1 |
| | 110 | 1 |
| | 111 | 1 |
| | 111 | 4 |
| Data Discovery Approaches | 112 | 1 |
| Different Data Discovery Techniques | 112 | 1 |
| | 113 | 1 |
| Challenges with Data Discovery in the Cloud | 114 | 1 |
| | 115 | 2 |
| Data Classification Categories | 116 | 1 |
| Challenges with Cloud Data | 116 | 1 |
| | 117 | 2 |
| Global P&DP Laws in the United States | 117 | 1 |
| Global P&DP Laws in the European Union (EU) | 118 | 1 |
| | 119 | 1 |
| Differences Between Jurisdiction and Applicable Law | 119 | 1 |
| Essential Requirements in P&DP Laws | 119 | 1 |
| Typical Meanings for Common Privacy Terms | 119 | 1 |
| Privacy Roles for Customers and Service Providers | 120 | 1 |
| Responsibility Depending on the Type of Cloud Services | 121 | 2 |
| Implementation of Data Discovery | 123 | 1 |
| Classification of Discovered Sensitive Data | 124 | 3 |
| Mapping and Definition of Controls | 127 | 1 |
| Privacy Level Agreement (PLA) | 128 | 1 |
| PLAs vs. Essential P&DP Requirements Activity | 128 | 4 |
| Application of Defined Controls for Personally Identifiable Information (PII) | 132 | 6 |
| Cloud Security Alliance Cloud Controls Matrix (CCM) | 133 | 3 |
| Management Control for Privacy and Data Protection Measures | 136 | 2 |
| Data Rights Management Objectives | 138 | 2 |
| | 138 | 1 |
| | 139 | 1 |
| | 140 | 4 |
| | 140 | 1 |
| Data-Deletion Procedures and Mechanisms | 141 | 2 |
| Data Archiving Procedures and Mechanisms | 143 | 1 |
| | 144 | 6 |
| | 144 | 2 |
| Identifying Event Attribute Requirements | 146 | 2 |
| Storage and Analysis of Data Events | 148 | 1 |
| Security and Information Event Management (SIEM) | 148 | 2 |
| Supporting Continuous Operations | 150 | 1 |
| Chain of Custody and Non-Repudiation | 151 | 1 |
| | 152 | 1 |
| | 152 | 3 |
| | 155 | 2 |
| **Domain 3: Cloud Platform and Infrastructure Security Domain** | 157 | 52 |
| | 159 | 2 |
| The Physical Environment of the Cloud Infrastructure | 159 | 1 |
| | 160 | 1 |
| Network and Communications in the Cloud | 161 | 2 |
| | 162 | 1 |
| Software Defined Networking (SDN) | 162 | 1 |
| The Compute Parameters of a Cloud Server | 163 | 3 |
| | 164 | 1 |
| | 164 | 1 |
| | 164 | 2 |
| Storage Issues in the Cloud | 166 | 2 |
| | 166 | 1 |
| | 167 | 1 |
| Management of Cloud Computing Risks | 168 | 4 |
| | 169 | 3 |
| | 172 | 1 |
| Countermeasure Strategies Across the Cloud | 172 | 3 |
| | 173 | 1 |
| | 173 | 1 |
| | 174 | 1 |
| Physical and Environmental Protections | 175 | 1 |
| | 175 | 1 |
| | 175 | 1 |
| Protecting Datacenter Facilities | 175 | 1 |
| System and Communication Protections | 176 | 2 |
| Automation of Configuration | 177 | 1 |
| Responsibilities of Protecting the Cloud System | 177 | 1 |
| Following the Data Lifecycle | 178 | 1 |
| Virtualization Systems Controls | 178 | 2 |
| Managing Identification, Authentication, and Authorization in the Cloud Infrastructure | 180 | 4 |
| | 181 | 1 |
| | 181 | 1 |
| | 181 | 1 |
| | 181 | 1 |
| Managing Identity and Access Management | 182 | 1 |
| | 182 | 1 |
| | 182 | 1 |
| The Access Control Decision-Making Process | 183 | 1 |
| | 184 | 2 |
| The Cloud Security Alliance Cloud Controls Matrix | 185 | 1 |
| Cloud Computing Audit Characteristics | 185 | 1 |
| Using a Virtual Machine (VM) | 186 | 1 |
| Understanding the Cloud Environment Related to BCDR | 186 | 3 |
| On-Premise, Cloud as BCDR | 186 | 1 |
| Cloud Consumer, Primary Provider BCDR | 187 | 1 |
| Cloud Consumer, Alternative Provider BCDR | 187 | 1 |
| | 188 | 1 |
| Relevant Cloud Infrastructure Characteristics | 188 | 1 |
| Understanding the Business Requirements Related to BCDR | 189 | 2 |
| Understanding the BCDR Risks | 191 | 1 |
| BCDR Risks Requiring Protection | 191 | 1 |
| | 191 | 1 |
| Potential Concerns About the BCDR Scenarios | 192 | 1 |
| | 192 | 4 |
| | 193 | 1 |
| | 194 | 1 |
| Functionality Replication | 195 | 1 |
| Planning, Preparing, and Provisioning | 195 | 1 |
| | 195 | 1 |
| | 196 | 1 |
| | 196 | 8 |
| The Scope of the BCDR Plan | 196 | 1 |
| Gathering Requirements and Context | 196 | 1 |
| | 197 | 1 |
| | 197 | 1 |
| | 198 | 1 |
| Other Plan Considerations | 198 | 1 |
| Planning, Exercising, Assessing, and Maintaining the Plan | 199 | 2 |
| | 201 | 3 |
| Testing and Acceptance to Production | 204 | 1 |
| | 204 | 1 |
| | 205 | 2 |
| | 207 | 2 |
| **Domain 4: Cloud Application Security** | 209 | 36 |
| | 211 | 1 |
| Determining Data Sensitivity and Importance | 212 | 1 |
| Understanding the Application Programming Interfaces (APIs) | 212 | 1 |
| Common Pitfalls of Cloud Security Application Deployment | 213 | 4 |
| On-Premise Does Not Always Transfer (and Vice Versa) | 214 | 1 |
| Not All Apps Are "Cloud-Ready" | 214 | 1 |
| Lack of Training and Awareness | 215 | 1 |
| Documentation and Guidelines (or Lack Thereof) | 215 | 1 |
| Complexities of Integration | 215 | 1 |
| | 216 | 1 |
| Awareness of Encryption Dependencies | 217 | 1 |
| Understanding the Software Development Lifecycle (SDLC) Process for a Cloud Environment | 217 | 2 |
| | 218 | 1 |
| | 219 | 1 |
| Assessing Common Vulnerabilities | 219 | 3 |
| | 222 | 2 |
| | 224 | 2 |
| | 224 | 1 |
| Approved Application Programming Interfaces (APIs) | 225 | 1 |
| Software Supply Chain (API) Management | 225 | 1 |
| Securing Open Source Software | 226 | 1 |
| Identity and Access Management (IAM) | 226 | 1 |
| | 227 | 1 |
| | 227 | 1 |
| Federated Identity Management | 227 | 2 |
| | 228 | 1 |
| Federated Identity Providers | 229 | 1 |
| Federated Single Sign-on (SSO) | 229 | 1 |
| Multi-Factor Authentication | 229 | 1 |
| Supplemental Security Devices | 230 | 1 |
| | 231 | 1 |
| | 232 | 1 |
| | 232 | 1 |
| | 233 | 1 |
| Application Virtualization | 233 | 1 |
| Cloud-Based Functional Data | 234 | 1 |
| Cloud-Secure Development Lifecycle | 235 | 3 |
| | 236 | 1 |
| Organizational Normative Framework (ONF) | 236 | 1 |
| Application Normative Framework (ANF) | 237 | 1 |
| Application Security Management Process (ASMP) | 237 | 1 |
| Application Security Testing | 238 | 3 |
| Static Application Security Testing (SAST) | 238 | 1 |
| Dynamic Application Security Testing (DAST) | 239 | 1 |
| Runtime Application Self Protection (RASP) | 239 | 1 |
| Vulnerability Assessments and Penetration Testing | 239 | 1 |
| | 240 | 1 |
| Open Web Application Security Project (OWASP) Recommendations | 240 | 1 |
| | 241 | 1 |
| | 241 | 2 |
| | 243 | 2 |
| **Domain 5: Operations Domain** | 245 | 124 |
| | 247 | 1 |
| Modern Datacenters and Cloud Service Offerings | 247 | 1 |
| Factors That Impact Datacenter Design | 247 | 11 |
| | 248 | 2 |
| | 250 | 3 |
| Environmental Design Considerations | 253 | 4 |
| Multi-Vendor Pathway Connectivity (MVPC) | 257 | 1 |
| Implementing Physical Infrastructure for Cloud Environments | 257 | 1 |
| | 258 | 1 |
| Secure Configuration of Hardware: Specific Requirements | 259 | 5 |
| Best Practices for Servers | 259 | 1 |
| Best Practices for Storage Controllers | 260 | 2 |
| Network Controllers Best Practices | 262 | 1 |
| Virtual Switches Best Practices | 263 | 1 |
| Installation and Configuration of Virtualization Management Tools for the Host | 264 | 6 |
| | 265 | 1 |
| Running a Physical Infrastructure for Cloud Environments | 265 | 4 |
| Configuring Access Control and Secure KVM | 269 | 1 |
| Securing the Network Configuration | 270 | 4 |
| | 270 | 1 |
| | 270 | 1 |
| Using Transport Layer Security (TLS) | 271 | 1 |
| Using Domain Name System (DNS) | 272 | 1 |
| Using Internet Protocol Security (IPSec) | 273 | 1 |
| Identifying and Understanding Server Threats | 274 | 1 |
| | 275 | 2 |
| | 277 | 1 |
| | 277 | 1 |
| Distributed Resource Scheduling (DRS)/Compute Resource Scheduling | 277 | 1 |
| Accounting for Dynamic Operation | 278 | 1 |
| | 279 | 1 |
| Clustered Storage Architectures | 279 | 1 |
| | 279 | 1 |
| | 280 | 1 |
| Providing High Availability on the Cloud | 280 | 1 |
| Measuring System Availability | 280 | 1 |
| Achieving High Availability | 281 | 1 |
| The Physical Infrastructure for Cloud Environments | 281 | 2 |
| Configuring Access Control for Remote Access | 283 | 2 |
| Performing Patch Management | 285 | 4 |
| The Patch Management Process | 286 | 1 |
| | 286 | 1 |
| Challenges of Patch Management | 287 | 2 |
| | 289 | 2 |
| | 289 | 1 |
| | 289 | 1 |
| Redundant System Architecture | 290 | 1 |
| | 290 | 1 |
| Backing Up and Restoring the Host Configuration | 291 | 1 |
| Implementing Network Security Controls: Defense in Depth | 292 | 8 |
| | 292 | 1 |
| | 293 | 2 |
| | 295 | 1 |
| Conducting Vulnerability Assessments | 296 | 1 |
| Log Capture and Log Management | 297 | 2 |
| Using Security Information and Event Management (SIEM) | 299 | 1 |
| Developing a Management Plan | 300 | 2 |
| | 301 | 1 |
| | 301 | 1 |
| Building a Logical Infrastructure for Cloud Environments | 302 | 2 |
| | 302 | 1 |
| | 302 | 1 |
| Secure Configuration of Hardware-Specific Requirements | 303 | 1 |
| Running a Logical Infrastructure for Cloud Environments | 304 | 3 |
| Building a Secure Network Configuration | 304 | 1 |
| OS Hardening via Application Baseline | 305 | 2 |
| Availability of a Guest OS | 307 | 1 |
| Managing the Logical Infrastructure for Cloud Environments | 307 | 3 |
| Access Control for Remote Access | 308 | 1 |
| OS Baseline Compliance Monitoring and Remediation | 309 | 1 |
| Backing Up and Restoring the Guest OS Configuration | 309 | 1 |
| Implementation of Network Security Controls | 310 | 2 |
| | 310 | 1 |
| Management Plan Implementation Through the Management Plane | 311 | 1 |
| Ensuring Compliance with Regulations and Controls | 311 | 1 |
| Using an IT Service Management (ITSM) Solution | 312 | 1 |
| Considerations for Shadow IT | 312 | 1 |
| | 313 | 14 |
| Information Security Management | 314 | 1 |
| | 314 | 1 |
| | 315 | 4 |
| | 319 | 3 |
| | 322 | 1 |
| Release and Deployment Management | 322 | 1 |
| | 323 | 1 |
| | 324 | 1 |
| | 324 | 1 |
| Business Continuity Management | 324 | 1 |
| Continual Service Improvement (CSI) Management | 325 | 1 |
| How Management Processes Relate to Each Other | 325 | 2 |
| Incorporating Management Processes | 327 | 1 |
| Managing Risk in Logical and Physical Infrastructures | 327 | 1 |
| The Risk-Management Process Overview | 328 | 16 |
| | 328 | 1 |
| | 329 | 9 |
| | 338 | 6 |
| | 344 | 1 |
| Understanding the Collection and Preservation of Digital Evidence | 344 | 11 |
| Cloud Forensics Challenges | 345 | 1 |
| Data Access within Service Models | 346 | 1 |
| | 347 | 1 |
| Proper Methodologies for Forensic Collection of Data | 347 | 6 |
| | 353 | 2 |
| | 355 | 1 |
| Managing Communications with Relevant Parties | 355 | 4 |
| | 355 | 1 |
| Communicating with Vendors/Partners | 356 | 1 |
| Communicating with Customers | 357 | 1 |
| Communicating with Regulators | 358 | 1 |
| Communicating with Other Stakeholders | 359 | 1 |
| Wrap Up: Data Breach Example | 359 | 1 |
| | 359 | 1 |
| | 360 | 5 |
| | 365 | 4 |
| **Domain 6: Legal and Compliance Domain** | 369 | 80 |
| | 371 | 1 |
| International Legislation Conflicts | 371 | 1 |
| | 372 | 2 |
| Frameworks and Guidelines Relevant to Cloud Computing | 374 | 4 |
| Organization for Economic Cooperation and Development (OECD) Privacy & Security Guidelines | 374 | 1 |
| Asia Pacific Economic Cooperation (APEC) Privacy Framework | 375 | 1 |
| EU Data Protection Directive | 375 | 3 |
| General Data Protection Regulation | 378 | 1 |
| | 378 | 1 |
| Beyond Frameworks and Guidelines | 378 | 1 |
| Common Legal Requirements | 378 | 2 |
| Legal Controls and Cloud Providers | 380 | 1 |
| | 381 | 2 |
| | 381 | 1 |
| Considerations and Responsibilities of eDiscovery | 382 | 1 |
| | 382 | 1 |
| Conducting eDiscovery Investigations | 383 | 1 |
| Cloud Forensics and ISO/IEC 27050-1 | 383 | 1 |
| Protecting Personal Information in the Cloud | 384 | 14 |
| Differentiating Between Contractual and Regulated Personally Identifiable Information (PII) | 385 | 4 |
| Country-Specific Legislation and Regulations Related to PII/Data Privacy/Data Protection | 389 | 9 |
| | 398 | 12 |
| Internal and External Audits | 399 | 1 |
| | 400 | 2 |
| Impact of Requirement Programs by the Use of Cloud Services | 402 | 1 |
| Assuring Challenges of the Cloud and Virtualization | 402 | 2 |
| | 404 | 1 |
| | 404 | 3 |
| | 407 | 1 |
| | 407 | 3 |
| Standard Privacy Requirements (ISO/IEC 27018) | 410 | 1 |
| Generally Accepted Privacy Principles (GAPP) | 410 | 1 |
| Internal Information Security Management System (ISMS) | 411 | 3 |
| | 412 | 1 |
| Internal Information Security Controls System: ISO 27001:2013 Domains | 412 | 1 |
| Repeatability and Standardization | 413 | 1 |
| | 414 | 2 |
| | 414 | 1 |
| | 415 | 1 |
| | 415 | 1 |
| | 416 | 1 |
| Identifying and Involving the Relevant Stakeholders | 416 | 3 |
| Stakeholder Identification Challenges | 417 | 1 |
| | 417 | 1 |
| Communication Coordination | 418 | 1 |
| Impact of Distributed IT Models | 419 | 3 |
| Communications/Clear Understanding | 419 | 1 |
| Coordination/Management of Activities | 420 | 1 |
| Governance of Processes/Activities | 420 | 1 |
| | 421 | 1 |
| | 421 | 1 |
| Understanding the Implications of the Cloud to Enterprise Risk Management | 422 | 7 |
| | 423 | 1 |
| | 423 | 1 |
| Difference Between Data Owner/Controller and Data Custodian/Processor | 423 | 1 |
| Service Level Agreement (SLA) | 424 | 5 |
| | 429 | 3 |
| | 429 | 1 |
| Different Risk Frameworks | 430 | 2 |
| Understanding Outsourcing and Contract Design | 432 | 1 |
| | 432 | 1 |
| | 433 | 3 |
| Understanding Your Risk Exposure | 433 | 1 |
| Accountability of Compliance | 434 | 1 |
| Common Criteria Assurance Framework | 434 | 1 |
| CSA Security, Trust, and Assurance Registry (STAR) | 435 | 1 |
| Cloud Computing Certification: CCSL and CCSM | 436 | 1 |
| | 437 | 4 |
| Importance of Identifying Challenges Early | 438 | 1 |
| | 438 | 3 |
| | 441 | 2 |
| | 441 | 1 |
| Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) | 442 | 1 |
| The ISO 28000:2007 Supply Chain Standard | 442 | 1 |
| | 443 | 1 |
| | 444 | 2 |
| | 446 | 3 |
| **Appendix A: Answers to Review Questions** | 449 | 52 |
| Domain 1 Architectural Concepts and Design Requirements | 449 | 10 |
| Domain 2 Cloud Data Security | 459 | 10 |
| Domain 3 Cloud Platform and Infrastructure Security | 469 | 6 |
| Domain 4 Cloud Application Security | 475 | 4 |
| | 479 | 13 |
| Domain 6 Legal and Compliance Issues | 492 | 7 |
| | 499 | 2 |
| **Appendix B: Glossary** | 501 | 10 |
| **Appendix C: Helpful Resources and Links** | 511 | 24 |
| **Index** | 535 | |