CCSK

Hello!

In 2.1.2 of the Security Guidance V4  of the CCSK training, they talk more about risk tolerance and how risk decisions should be based on the value and requirements of the assets involved. What would be some examples of acceptable risks for different types of assets? 

Thanks :)

------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------

Much of the risk in the cloud can be seen as data driven. When an enterprise shifts to cloud, often times they don't have a set governance model around data classification models. Based on the application (consider slack versus email) they may be more willing to accept that they can't control content through slack, and will only focus more on user email ingoing and outgoing. Slack could still be a risk, but the business knows that more sensitive material is probably being distributed via email, so their focus shifts towards that asset first. This would require firewall configurations and whitelisting, as well as logging for emails that may contain sensitive material or PII. 

It is important to understand a business impact assessment (BIA) in this scenario. Every piece of technology (both cloud and on-prem) should be taken into account and given a rating of most critical to least critical. A business will probably have a lower risk tolerance for the more critical infrastructure. 

Another example is government regulations in respect to regional location for a business. It may be acceptable enough for a business who solely uses basic cloud services (small business) to not have to worry about the risk with compliance regulations due to the attestation reports and controls that the cloud provider offers. This is where the shared responsibility model plays a critical role. 

Hope some of this helps. If you have further questions let me know.

------------------------------
Sean Heide
Research Analyst
CSA
------------------------------

Original Message:
Sent: Dec 11, 2020 11:13:18 AM
From: Jenna Morrison
Subject: Risk Tolerance: Acceptable Risks

Hello!

In 2.1.2 of the Security Guidance V4  of the CCSK training, they talk more about risk tolerance and how risk decisions should be based on the value and requirements of the assets involved. What would be some examples of acceptable risks for different types of assets? 

Thanks :)

------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------

Thank you for your detailed response, this helps!

------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------

Original Message:
Sent: Dec 11, 2020 12:04:43 PM
From: Sean Heide
Subject: Risk Tolerance: Acceptable Risks

Much of the risk in the cloud can be seen as data driven. When an enterprise shifts to cloud, often times they don't have a set governance model around data classification models. Based on the application (consider slack versus email) they may be more willing to accept that they can't control content through slack, and will only focus more on user email ingoing and outgoing. Slack could still be a risk, but the business knows that more sensitive material is probably being distributed via email, so their focus shifts towards that asset first. This would require firewall configurations and whitelisting, as well as logging for emails that may contain sensitive material or PII.

It is important to understand a business impact assessment (BIA) in this scenario. Every piece of technology (both cloud and on-prem) should be taken into account and given a rating of most critical to least critical. A business will probably have a lower risk tolerance for the more critical infrastructure.

Another example is government regulations in respect to regional location for a business. It may be acceptable enough for a business who solely uses basic cloud services (small business) to not have to worry about the risk with compliance regulations due to the attestation reports and controls that the cloud provider offers. This is where the shared responsibility model plays a critical role.

Hope some of this helps. If you have further questions let me know.

------------------------------
Sean Heide
Research Analyst
CSA

Original Message:
Sent: Dec 11, 2020 11:13:18 AM
From: Jenna Morrison
Subject: Risk Tolerance: Acceptable Risks

Hello!

In 2.1.2 of the Security Guidance V4  of the CCSK training, they talk more about risk tolerance and how risk decisions should be based on the value and requirements of the assets involved. What would be some examples of acceptable risks for different types of assets? 

Thanks :)

------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------

Example:
Core banking system: low tolerance, lack of certifications unacceptable.
Hot new startup for marketing intelligence system: high tolerance, willing to accept that the company goes out of business.

Extreme examples, but I hope they make the point.

------------------------------
Peter HJ van Eijk
CCSK & CCAK trainer
https://www.clubcloudcomputing.com/
------------------------------

Original Message:
Sent: Dec 11, 2020 11:13:18 AM
From: Jenna Morrison
Subject: Risk Tolerance: Acceptable Risks

Hello!

In 2.1.2 of the Security Guidance V4  of the CCSK training, they talk more about risk tolerance and how risk decisions should be based on the value and requirements of the assets involved. What would be some examples of acceptable risks for different types of assets? 

Thanks :)

------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------

Thank you for these examples!

------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------

Original Message:
Sent: Dec 14, 2020 08:46:57 AM
From: Peter HJ van Eijk
Subject: Risk Tolerance: Acceptable Risks

Example:
Core banking system: low tolerance, lack of certifications unacceptable.
Hot new startup for marketing intelligence system: high tolerance, willing to accept that the company goes out of business.

Extreme examples, but I hope they make the point.

------------------------------
Peter HJ van Eijk
CCSK & CCAK trainer
https://www.clubcloudcomputing.com/

Original Message:
Sent: Dec 11, 2020 11:13:18 AM
From: Jenna Morrison
Subject: Risk Tolerance: Acceptable Risks

Hello!

In 2.1.2 of the Security Guidance V4  of the CCSK training, they talk more about risk tolerance and how risk decisions should be based on the value and requirements of the assets involved. What would be some examples of acceptable risks for different types of assets? 

Thanks :)

------------------------------
Jenna Morrison
Training Department Intern
Cloud Security Alliance
------------------------------