CISSP PRACTICE QUESTIONS – 20210616

Effective CISSP Questions

You are evaluating cloud service providers to migrate the on-premises ERP system to the cloud and considering shared responsibility between various service models. Which of the following best describes the principle you are exercising in the evaluation process? (Wentz QOTD)
A. Due diligence
B. Trust but verify
C. Defense in depth
D. Acceptable use policy

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Due diligence.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

The Cloud Computing Conceptual Reference Model (credit: NIST)

Due diligence is the “process through which organizations proactively identify, assess, prevent, mitigate and account for how they address their actual and potential adverse impacts as an integral part of decision-making and risk management.” (ISO 20400:2017)

The core concept of due diligence is making informed decisions: a decision should rest on sufficient information and justification. A decision-maker who cannot show that basis has not exercised due diligence.

Shared Responsibility Model

Shared Responsibility Model
AWS Shared Responsibility Model
Azure Shared Responsibility Model

Trust, but verify

The principle of “Trust, but verify” is borrowed from the political arena. When it comes to security, however, people use it inconsistently. Some argue that “trust, but verify” is not enough and that we should never trust but always verify, as in “Zero Trust.” Others consider trust essential and hold that it is earned through repeated verification; on that reading, “trust, but verify” is aligned with “Zero Trust.”

If we have subscribed to cloud services provisioned by a cloud service provider after thoughtful evaluation, we trust the services and the provider. We must nevertheless keep verifying both; reviewing the provider’s SOC reports is one such verification activity. In the question, we are still evaluating cloud services and the shared responsibility model, so we are exercising due diligence and do not trust the provider yet.

Netflix is a good example of the “trust, but verify” principle in practice. As an AWS customer, it trusts AWS but uses “Chaos Monkey” to randomly terminate its own production instances, continually verifying that its systems survive the kind of instance failures that can occur on any cloud platform.

Netflix was one of the first places to make overall chaos engineering popular several years ago with a tool they called Chaos Monkey. It was designed to test the company’s Amazon Web Services infrastructure by constantly – and randomly – shutting down various production servers. This always-on feature is important because no single event will do enough damage or provide enough insight to harden your systems or find the weakest points in your infrastructure. 

Source: RSA

Defense in Depth

Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical security for the duration of the system’s life cycle.

Source: Wikipedia

Defense in depth applies when designing controls and grouping them into layers to protect information assets; it is not a principle for evaluating a provider. An acceptable use policy, likewise, tells users of an organization’s systems what they may and may not do with them; it governs use, not the selection of a cloud service provider.



You are evaluating cloud service providers (CSPs) in order to migrate your on-premises ERP system to the cloud, and you are considering the shared responsibility among the various service models. Which of the following best describes the principle you are exercising in the evaluation process? (Wentz QOTD)
A. Due diligence
B. Trust but verify
C. Defense in depth
D. Acceptable use policy

