Uploaded by PSSg Cristina Joy Vicente Cruz

Quick notes IN CYBERsecurity

What are the three generally accepted service models of cloud computing?
A. Infrastructure as a Service (IaaS), Disaster Recovery as a Service (DRaaS), and Platform
as a Service (PaaS)
B. Platform as a Service (PaaS), Security as a Service (SECaaS), and Infrastructure as a
Service (IaaS)
C. Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service
(IaaS)
D. Desktop as a Service (DaaS), Platform as a Service (PaaS), and Infrastructure as a Service
(IaaS)
Answer: C. NIST SP 800-145 defines exactly three service models (SaaS, PaaS, IaaS); DRaaS,
SECaaS and DaaS are products built on top of those models, not service models of their own.
Platform as a Service (PaaS)
A model in which customers rent a managed platform (operating system, runtime, middleware and
the underlying compute, storage and network capacity) from a cloud service provider over the
Internet and deploy their own applications onto it; the provider patches and operates everything
below the application.
The cloud computing concept of providing a computing platform and software solution stack as a
virtual or cloud-based service. Essentially, it is the concept of paying for a service that provides
all the aspects of a platform (i.e., operating system and complete solution stack).
Cloud OS
A phrase frequently used in place of Platform as a Service (PaaS) to denote an association to
cloud computing.
Infrastructure as a service (IaaS)
Computer infrastructure, typically compute, storage and networking, delivered as a service. IaaS
is popular in the data center, where servers and the software that runs them are bought as a fully
outsourced service and usually billed by usage (how much of each resource is consumed). The
customer still owns everything from the operating system upward, including patching it.
Infrastructure as a Service (IaaS)
A cloud computing concept that can provide not just on-demand operating solutions but complete
outsourcing of IT infrastructure.
Apache CloudStack
An open-source cloud computing and infrastructure as a service (IaaS) platform developed to
help make creating, deploying, and managing cloud services easier by providing a complete
"stack" of features and components for cloud environments.
Eucalyptus
An open source cloud computing and Infrastructure as a Service (IaaS) platform for enabling
private clouds.
Software as a Service (SaaS)
A distributed model where software applications are hosted by a vendor or cloud service
provider and made available to customers over network resources.
Software as a service (SaaS)
A software delivery method that provides access to software and its functions remotely as a
web-based service. SaaS lets organizations buy business functionality at a cost that is typically
lower than licensing the applications outright, since SaaS pricing is usually a recurring
(monthly) subscription fee.
Software as a Service (SaaS)
A cloud computing concept that provides on-demand online access to specific software
applications or suites without the need for local installation.
Cloud computing accounting software
Accounting software that is hosted on remote servers. It provides accounting capabilities to
businesses in a fashion similar to the software as a service (SaaS) business model. Data is sent
into the cloud, where it is processed and returned to the user.
Identity as a Service or Identity and Access as a Service (IDaaS)
A third-party service that provides identity and access management. IDaaS effectively provides
SSO for the cloud and is especially useful when internal clients access cloud-based Software as
a Service (SaaS) applications.
Here are my quick notes on CISSP Chapter 1, Security and Risk Management:
1. CIA Triad — C: Confidentiality I: Integrity A: Availability
2. The first priority of Information security: To support the mission of the organization
3. Judgment based on risk tolerance, cost, and benefit
4. Role of a security professional is that of a risk advisor and not a decision-maker
5. Planning horizon: Strategic>Tactical>Operational goals
6. Confidentiality: Prevent unauthorized disclosure
7. Threats against confidentiality: Social Engineering, Media Reuse, Eavesdropping
8. Integrity: Detect modification of information
9. Availability: Provide timely access to resources
10. Best practices to protect the CIA triad: Separation of Duties (SoD), Mandatory vacation, Job
rotation, Least privilege, Need to know, Dual control
11. Defense in depth: aka layered defense
12. Three main types of controls: Technical (logical), Administrative and Physical
13. Risk — Find cost-effective solution, reduce risk to an acceptable level (rarely can we
eliminate risk)
14. Safeguards are proactive, countermeasures are reactive.
15. Assets: Anything of value to the company; Vulnerability: A weakness, i.e. the absence of a
safeguard; Threat: Something that could cause loss to all or part of an asset; Threat agent: The
one who carries out the attack; Risk: The likelihood that a threat exploits a vulnerability,
combined with the resulting impact; Controls: Technical (logical), administrative or physical
protections, i.e. safeguards or countermeasures
16. Hardening of a system: To reduce vulnerabilities in a system
17. Risk Management is a process of identifying, analyzing, assessing, mitigating or transferring
risk. The main goal is to reduce the impact of a risk
18. Risk Assessment (Identify and evaluate assets; identify vulnerabilities and threats); Risk
Analysis (qualitative and quantitative); Risk Mitigation (Reduce, transfer or accept/reject risk);
Risk Monitoring
19. Risk assessment: Identification and valuation of assets is the first step in risk assessment
20. Risk analysis: Determining a value for a risk; Risk value = Probability * Impact (in $)
21. Qualitative analysis is subjective and judgment based (probability and impact matrix);
Quantitative analysis is objective and numbers-driven
22. Business decisions are usually made based on quantitative analysis
23. Quantitative analysis: AV (Asset Value), EF (Exposure Factor, the fraction of AV lost in one
occurrence), ARO (Annualized Rate of Occurrence, expected events per year)
24. Single Loss Expectancy (SLE) = AV * EF
25. Annual Loss Expectancy (ALE) = ARO * SLE
26. The annual cost of a control should not exceed the loss it avoids: value of a safeguard =
(ALE before control) - (ALE after control) - (annual cost of control), and it must not be negative
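Worked example (added here; it is not part of the original notes): the SLE/ALE arithmetic from items 23 to 26 applied to one constructed asset and three candidate safeguards, ranked by annual net benefit, i.e. ALE before minus ALE after minus the yearly cost of the control. The asset, the dollar figures and the safeguard names are assumptions chosen for illustration; the point it shows is that the control that removes the most risk is not necessarily the one that is justified.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair expressed in the notes' quantitative terms."""
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0..1)
    aro: float               # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = ARO * SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the EF / ARO it leaves behind once in place."""
    name: str
    annual_cost: float       # purchase amortized over its life plus yearly operation
    residual_ef: float
    residual_aro: float


def residual_ale(exp: Exposure, sg: Safeguard) -> float:
    """ALE after the safeguard: same asset value, reduced EF and/or ARO."""
    return sg.residual_aro * exp.asset_value * sg.residual_ef


def annual_net_benefit(exp: Exposure, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost); item 26 requires this to be >= 0."""
    return exp.ale() - residual_ale(exp, sg) - sg.annual_cost


def justified(exp: Exposure, sg: Safeguard) -> bool:
    return annual_net_benefit(exp, sg) >= 0


def rank_safeguards(exp: Exposure, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Best net benefit first; note this is not the same order as 'most risk removed'."""
    scored = [(sg.name, annual_net_benefit(exp, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed figures for illustration only.
CUSTOMER_DB = Exposure("customer database breach", asset_value=500_000,
                       exposure_factor=0.4, aro=0.5)   # SLE $200k, ALE $100k
SAFEGUARDS = [
    Safeguard("field-level encryption with managed keys", 30_000, residual_ef=0.10, residual_aro=0.5),
    Safeguard("enterprise DLP suite", 120_000, residual_ef=0.05, residual_aro=0.25),
    Safeguard("security awareness training", 10_000, residual_ef=0.40, residual_aro=0.3),
]

if __name__ == "__main__":
    print(f"SLE ${CUSTOMER_DB.sle():,.0f}  ALE ${CUSTOMER_DB.ale():,.0f}")
    for name, benefit in rank_safeguards(CUSTOMER_DB, SAFEGUARDS):
        verdict = "justified" if benefit >= 0 else "costs more than it saves"
        print(f"{name:<45} net benefit ${benefit:>10,.0f}  {verdict}")
```

With these figures the DLP suite cuts residual ALE to $6,250 (the largest reduction) but its $120,000 a year exceeds the $93,750 of loss it avoids, so it fails item 26; encryption ($45,000 net) and training ($30,000 net) both pass.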
27. Security governance is the set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s
resources are used responsibly.
28. Security frameworks ("blueprints", e.g. COBIT, COSO, ITIL) are used to implement security governance
29. COBIT: Control Objectives for Information and related Technology; COSO: Committee Of
Sponsoring Organizations
30. ITIL: Information Technology Infrastructure Library — De facto standard for best practices
for IT Service Management
31. OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation
32. PDCA cycle for an ISMS: Plan (Establish the ISMS) > Do (Implement and operate the ISMS) >
Check (Monitor and review the ISMS) > Act (Maintain and improve the ISMS)
33. Senior Management (CEO, CIO, CISO) is ultimately responsible for security within an
organization
34. Due Diligence: Investigating and continuously monitoring an organization's practices to
confirm they meet or exceed the security requirements (knowing)
35. Due Care: Ensuring that best practices are implemented and followed, i.e. following up due
diligence with action (doing)
36. Prudent man rule: Acting responsibly and cautiously like a prudent man
37. Best Practices: The practices favored across the industry; organizations align their own
practices with them
38. An organizational security policy is mandatory; it is a high-level statement from
management
39. Issue specific policy (functional policy) — Stance on employee issues, AUP (Acceptable Use
Policy), Email, Privacy etc.
40. System specific policy — Approved software lists, use of firewalls, IDS, scanners etc.
41. Drivers — Laws, regulations and best practices
42. Management’s Security Statement — Contains program or Organizational policy
43. Management’s security directives — Functional (Issue and System specific) policies
44. Standards — Are mandatory, created to support policy, while providing more specifics. It
reinforces policy and provides direction, can be internal or external
45. Procedures are mandatory; they give step-by-step directives on how to accomplish an end
result. Procedures detail the how-to of meeting the policy, standards and guidelines
46. Guidelines are not mandatory and are advisory in nature. They are recommended actions
and guides for users ("best practices")
47. Baselines — are mandatory. Baselines are minimum acceptable security configurations for a
system or a process
48. Steering committee: Defines risks, objectives and approaches
49. Data owners: classify data; Data Custodian: Day to day maintenance of data
50. ISO's responsibilities include:
    - Providing C-I-A for all information assets
    - Communication of risk to senior management
    - Recommending best practices to influence policies, standards, procedures and guidelines
51. In short: due diligence is knowing (assessing and monitoring the risk); due care is doing
(implementing and enforcing the controls that address it)
52. Legal liability is a legally recognized obligation — A standard exists that outlines the
conduct expected of a company to protect others from unreasonable risks
53. Proximate causation: fault can actually be proven to be a direct result of one’s action or
inaction
54. Types of laws: Criminal, Civil, Regulatory and Intellectual Property
55. Felonies: More serious; Misdemeanours: Less serious of the two
56. Liability, Due Care, Due Diligence, Prudent Person Rule are all pertinent to Civil law as well
as Administrative law
57. Administrative law: Defines standards of performance and regulates conducts for specific
industry like banking, energy and health care
58. Intellectual Property law: to protect products of the mind
59. What is a trade secret? Must provide competitive value, must be protected from unauthorized
use or disclosure, should be proprietary to a company and important for survival
60. Copyright: In the US, protection lasts for the lifetime of the author plus 70 years; for works
made for hire (corporate works) it is 95 years from publication or 120 years from creation,
whichever is shorter. A work does not need to be published or registered to be protected.
Copyright protects the expression of an idea, not the idea itself
61. Trademark — protects from stealing another company’s look and feel which includes word,
name, symbol, sound, shape, color or combination
62. Patents: valid for 20 years from the filing date (older US patents ran 17 years from grant);
provide protection to those who have legal ownership of an invention. A patent is the strongest
form of protection for an invention, but the invention must be disclosed publicly to obtain it
63. Forms of attack on intellectual property:
    - Piracy
    - Copyright infringement
    - Counterfeiting: Imitating fraudulently
    - Cybersquatting: Registering names, especially those of well-known companies, as Internet
      domains in the hope of selling them at a profit
    - Typosquatting: Registering misspellings of a domain to catch users who mistype an address
      (e.g. Gooogle.com instead of Google.com)
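Added example (not from the original notes): a small generator for the typo variants that typosquatting relies on (character repetition as in Gooogle.com, omission, transposition, adjacent-key substitution and a few homoglyph substitutions such as o to 0), plus a check that flags observed domains matching those variants, which is how a brand-protection or SOC job would spot a registered look-alike. The keyboard rows, the homoglyph table and the list of observed domains are constructed for the example; the function names are mine, and the generator handles single-label TLDs only (example.co.uk would need extra handling).

```python
from typing import Dict, List, Tuple

# QWERTY rows used for adjacent-key typos; only left/right neighbours are considered here.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Visually confusable substitutions, applied to every occurrence (a small subset for this example).
HOMOGLYPHS = [("o", "0"), ("l", "1"), ("i", "1"), ("rn", "m"), ("vv", "w")]


def _adjacent_keys(ch: str) -> str:
    """Characters immediately left and right of ch on its keyboard row."""
    for row in KEYBOARD_ROWS:
        idx = row.find(ch)
        if idx >= 0:
            return row[max(0, idx - 1):idx] + row[idx + 1:idx + 2]
    return ""


def typo_variants(domain: str) -> Dict[str, str]:
    """Map each typosquat candidate of `domain` to the class of typo that produces it."""
    label, _, tld = domain.lower().rpartition(".")   # 'google', 'com'
    found: Dict[str, str] = {}

    def add(candidate: str, kind: str) -> None:
        if candidate and candidate != label:          # never list the genuine name itself
            found.setdefault(candidate + "." + tld, kind)

    for i, ch in enumerate(label):
        add(label[:i] + ch + label[i:], "repetition")             # gooogle
        add(label[:i] + label[i + 1:], "omission")                 # gogle
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")  # googel
        for key in _adjacent_keys(ch):
            add(label[:i] + key + label[i + 1:], "adjacent-key")   # goigle
    for src, dst in HOMOGLYPHS:
        if src in label:
            add(label.replace(src, dst), "homoglyph")              # g00gle
    return found


def lookalike_report(protected: List[str], observed: List[str]) -> Dict[str, Tuple[str, str]]:
    """Flag observed domains that are typo variants of any protected brand domain."""
    index: Dict[str, Tuple[str, str]] = {}
    for brand in protected:
        for variant, kind in typo_variants(brand).items():
            index.setdefault(variant, (brand, kind))
    return {d: index[d.lower()] for d in observed if d.lower() in index}


# Constructed sample: domains seen in a proxy log or a newly-registered-domain feed.
OBSERVED = ["gooogle.com", "googel.com", "g00gle.com", "gogle.com", "google.com", "example.org"]

if __name__ == "__main__":
    for dom, (brand, kind) in lookalike_report(["google.com"], OBSERVED).items():
        print(f"{dom:<14} looks like {brand} ({kind})")
```

Defensively the same list is what you would pre-register or add to a watchlist; offensively it is exactly the candidate set an attacker enumerates, which is why the legitimate domain is excluded from the output.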
64. Some countries restrict the import, export or use of strong cryptography, and a few have
required key escrow (copies of keys made available to law enforcement) as a condition of use
65. REP: Reasonable Expectation of Privacy — Get an employee waiver by signature on policies
etc.
66. HIPAA: Health Insurance Portability and Accountability Act. It applies to covered entities:
health plans (insurers), health care providers and health care clearinghouses (claim-processing
agencies), and, via the HITECH Act, to their business associates
67. HIPAA covered entities must notify affected individuals (and HHS) of breaches of unsecured
protected health information (Breach Notification Rule)
68. GLBA — Gramm Leach Bliley Financial Services Modernization Act — This act requires
financial agencies to better protect customer’s PII
69. PCI DSS — Payment Card Industry Data Security Standard — PCI DSS is not a legal
mandate. Payment card industry self regulates its own security standards. It applies to any
business worldwide that transmits, processes or stores payment card transactions to conduct
business with customers. PCI DSS compliance is enforced by the payment card vendor (Visa,
Mastercard etc.)
70. Six control objectives of PCI DSS (they group the 12 requirements):
    - Build and maintain a secure network
    - Protect cardholder data
    - Maintain a vulnerability management program
    - Implement strong access control measures
    - Regularly monitor and test networks
    - Maintain an information security policy
71. Many states have passed disclosure laws that legally require organizations to publicly
disclose security breaches that might compromise personal data. It allows individuals to take
corrective actions. It also serves as an additional motivation for organizations to protect customer
data.
72. Auditing is the objective evaluation of controls and policies to ensure that they are being
implemented and are effective.
73. Internal auditors should not report to the head of the business unit they audit, but to a
function with no direct stake in the results (the notes name legal or human resources), so that
their independence is preserved
74. People are often the weakest link in securing information. The goal of security awareness
training (knowledge transfer) is to modify employee behavior
75. Business Continuity Planning (BCP): Focuses on sustaining operations and protecting the
viability of the business following a disaster, until normal business conditions can be restored.
BCP includes DRP. BCP is long term focused.
76. Disaster Recovery Planning: The goal is to minimize the effects of a disaster and to take the
necessary steps to ensure that the resources, personnel, and business processes are able to resume
operations in a timely manner. DRP deals with the immediate aftermath of the disaster. DRP is
IT and short term focused.
77. A contingency plan is focused on residual risks.
78. Potential risks > Risk assessment > Identified risks > Security controls > Residual risks >
Contingency plan
79. Order of priorities for a company:
    - Life safety is the number 1 priority
    - Reputation is the second most important asset of an organization
80. Categories of disruptions include non-disaster, emergency/crisis, disaster, catastrophe
81. Anyone can declare an emergency but only the BCP coordinator can declare a disaster.
82. BCP sub-plan includes: Protect, Recover and Sustain.
83. BCP addresses all business processes, not just mission-critical.
84. Protect: Crisis Communications Plan and Occupant Emergency Plan (OEP)
85. Recover: Business Recovery Plan (BRP), Disaster Recovery Plan (DRP), IT Contingency
Plan and Cyber Incident Response Plan
86. Sustain: Continuity of Operations Plan (COOP)
87. Senior Executive Management provides consistent support and final approval of plans,
setting the business continuity policies, prioritizing business-critical functions, allocation of
sufficient resources and personnel, providing oversight and approving the BCP, directing and
reviewing test results and ensuring the maintenance of the current plan
88. Senior functional management: Develop and document maintenance and strategy, identify
business-critical systems, monitor the progress of plan development and execution, ensure
periodic tests and create the various teams necessary to execute the plans
89. BCP Steering Committee: Conducts the BIA (Business Impact Analysis), coordinates with
department representatives and forms the analysis group
90. There are 3 main BCP teams: Rescue, Recovery, and Salvage.
91. 7 phases of a Business Continuity Plan:
    - Project initiation
    - Business Impact Analysis
    - Recovery strategy
    - Plan design and development
    - Implementation
    - Testing
    - Maintenance
92. Business Impact Analysis: Identifies and prioritizes all business processes based on
criticality.
93. BIA focuses on criticality (downtime) vs importance (relevance). Eg. Auditing department is
important but not critical.
94. Recovery Point Objective (RPO): the maximum tolerable data loss, expressed as the age of the
most recent backup (e.g. "at most 15 minutes of transactions"); Recovery Time Objective (RTO):
the maximum tolerable time to get the process running again after a disruption. Both come out of
the BIA and must fit within the Maximum Tolerable Downtime (MTD)
95. Results from Business Impact Analysis (BIA) contains all business processes and assets and
not just those considered critical.
96. BIA results are used to create recovery plans.
97. When preventive controls don’t work, recovery strategies are necessary.
98. There are 4 types of recoveries: Facility, Hardware and Software, Personnel and Data
recovery.
99. Technology recovery is dependent on good configuration management documentation.
100. Personnel recovery: Identify essential personnel, entire staff is not always necessary to
move into recovery operations.
101. Eliminate single points of failure in staffing and ensure backups are properly trained.
102. Database backups:
    - Disk shadowing: Mirroring technology that updates one or more copies of the data at the
      same time; data is written to two media for redundancy
    - Electronic vaulting: A copy of each modified file is sent in bulk to a remote location where
      the original backup is stored
    - Remote journaling: Only the journal or transaction log is moved to the remote location, not
      the actual data files; the remote site rebuilds the data by replaying the log
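Added example (not from the original notes): a simulation of remote journaling layered on a vaulted full copy, showing how the alternate site rebuilds the database by replaying the shipped transaction log over the vaulted copy, and how the entries committed at the primary but not yet shipped when it fails give the data loss that is compared against the RPO from item 94. Store contents, timestamps and the failure time are constructed; the class and function names are mine.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class JournalEntry:
    seq: int          # monotonically increasing transaction number
    ts: float         # commit time in seconds (constructed)
    op: str           # "put" or "delete"
    key: str
    value: str = ""


def apply_entry(data: Dict[str, str], entry: JournalEntry) -> None:
    """Replay one journal entry onto a copy of the database."""
    if entry.op == "put":
        data[entry.key] = entry.value
    elif entry.op == "delete":
        data.pop(entry.key, None)
    else:
        raise ValueError(f"unknown op {entry.op!r}")


class PrimaryStore:
    """Production database: every change is journaled before it is applied (write-ahead)."""
    def __init__(self) -> None:
        self.data: Dict[str, str] = {}
        self.journal: List[JournalEntry] = []

    def _commit(self, op: str, key: str, value: str, ts: float) -> JournalEntry:
        entry = JournalEntry(len(self.journal) + 1, ts, op, key, value)
        self.journal.append(entry)      # durable log first ...
        apply_entry(self.data, entry)   # ... then the data files
        return entry

    def put(self, key: str, value: str, ts: float) -> JournalEntry:
        return self._commit("put", key, value, ts)

    def delete(self, key: str, ts: float) -> JournalEntry:
        return self._commit("delete", key, "", ts)


class RemoteSite:
    """Alternate site: a vaulted full copy plus the journal entries shipped since it was taken."""
    def __init__(self, vault_copy: Dict[str, str], vault_seq: int, vault_ts: float) -> None:
        self.vault_copy = dict(vault_copy)       # electronic vaulting: whole-file copy
        self.vault_seq, self.vault_ts = vault_seq, vault_ts
        self.journal: List[JournalEntry] = []    # remote journaling: log records only

    def last_seq(self) -> int:
        return self.journal[-1].seq if self.journal else self.vault_seq

    def last_ts(self) -> float:
        return self.journal[-1].ts if self.journal else self.vault_ts

    def receive(self, entries: List[JournalEntry]) -> None:
        for entry in entries:
            if entry.seq != self.last_seq() + 1:   # a gap would make the replay diverge silently
                raise ValueError(f"journal gap: expected seq {self.last_seq() + 1}, got {entry.seq}")
            self.journal.append(entry)

    def recover(self) -> Dict[str, str]:
        """Rebuild the database: start from the vaulted copy, replay the shipped log in order."""
        data = dict(self.vault_copy)
        for entry in self.journal:
            apply_entry(data, entry)
        return data


def ship_journal(primary: PrimaryStore, remote: RemoteSite) -> int:
    """Send every journal entry the remote has not yet seen; returns how many were shipped."""
    pending = [e for e in primary.journal if e.seq > remote.last_seq()]
    remote.receive(pending)
    return len(pending)


def data_loss(primary: PrimaryStore, remote: RemoteSite, failure_ts: float) -> Tuple[int, float]:
    """Transactions committed at the primary but never shipped, and the time window they cover."""
    lost = [e for e in primary.journal if e.seq > remote.last_seq()]
    return len(lost), failure_ts - remote.last_ts()


def run_scenario(rpo_seconds: float = 30.0) -> dict:
    """Constructed timeline: vault at t=120, journal shipped at t=145, primary lost at t=160."""
    primary = PrimaryStore()
    primary.put("acct:1", "100", ts=100)
    primary.put("acct:2", "250", ts=110)
    remote = RemoteSite(primary.data, vault_seq=len(primary.journal), vault_ts=120)  # nightly vault
    primary.put("acct:1", "80", ts=130)
    primary.delete("acct:2", ts=140)
    shipped = ship_journal(primary, remote)      # seq 3 and 4 reach the alternate site
    primary.put("acct:3", "500", ts=150)         # committed, but the link never ships it
    lost_tx, loss_window = data_loss(primary, remote, failure_ts=160)
    return {"shipped": shipped, "recovered": remote.recover(), "lost_transactions": lost_tx,
            "loss_window_seconds": loss_window, "rpo_met": loss_window <= rpo_seconds}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The recovered state reflects seq 3 and 4 (acct:1 is 80, acct:2 is gone) but not seq 5: one transaction and 20 seconds of work are lost. Whether that is acceptable is a BIA question, not a backup question; shipping the log more often, or synchronously, is how the RPO is tightened.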
103. The copies of the Business Continuity Plan should be kept in multiple locations. Both
electronic and paper copies should be kept.
104. BCP should be distributed to only those who need to know. Most employees will only see a
small portion of the plan.
105. Implementation: 3 phases following a disruption:
    - Notification/Activation: Notifying the recovery personnel and performing a damage
      assessment
    - Recovery phase/failover: Actions taken by the recovery teams to restore IT operations at
      an alternate site or using contingency capabilities
    - Reconstitution/failback: Actions taken to return the system to normal operating
      conditions; performed by the salvage team
106. BCP testing should happen once a year or as a result of a major change — the purpose of
testing is to improve the response and never to find a fault. Testing happens before the
implementation of a plan to ensure the effectiveness and accuracy of the plan.
107. Types of tests:
    - Checklist test: Copies of the plan are distributed to the departments and reviewed by the
      functional managers
    - Structured walkthrough/tabletop test: Representatives from each department go over the
      plan together
    - Simulation test: Walking through a disaster scenario, up to but not including the actual
      relocation to an offsite facility
    - Parallel test: Systems are brought up at an alternate site and processing takes place there,
      while the original site keeps running
    - Full-interruption test: The original site is shut down and all processing moves to the
      offsite facility
108. IAAA: Identification, Authentication, Authorization, and Accountability