What laws and compliance standards should American Airlines be most concerned with? Why?

This task will have you download the CSA Consensus Assessment Initiative Questionnaire (CAIQ) and
the CSA Cloud Control Matrix (CCM). The CAIQ helps you ask the questions that
determine whether a tool, service, or technology meets certain regulations and standards, and
the Cloud Control Matrix shows which controls map to the various compliance standards.
1. Download the Excel files attached to the lab assignment through FSO.
Deliverable: No deliverable for this task.
Task 2: Read the Cloud Security Alliance Consensus Assessment Initiative and Cloud
Control Matrix documents
Familiarizing yourself with the questions asked in the documents and the standards they
address will help you ask intelligent questions about the security needs of a system.
1. Read the documents and familiarize yourself with the compliance standards, laws,
and questions.
Deliverable: No deliverable for this task.
Task 3: Answer the below questions as part of your lab write up
This is the research portion of the lab. Below is a series of questions you need to
answer as part of the lab write-up. They are based on the Consensus Assessment
Initiative Questionnaire, the Cloud Control Matrix, and research you will need to do on
Google.
1. How many questions are on the Consensus Assessment Initiative document?
2. Why is the number of questions far fewer than what you would have to ask if you had to
cover each compliance standard individually?
3. How many control groups are there and what are they? (Hint: One is Human
Resources)
4. What compliance standards and laws are listed?
5. Which standard deals with systems containing credit card data?
6. Which law deals with protected health information?
7. When would you need to be FedRAMP certified?
8. What is Sarbanes-Oxley (SOX) compliance?
9. Who does SOX apply to?
10. Which compliance standard is most often used to address SOX?
11. What is the Gramm-Leach-Bliley Act (GLBA)?
12. Who does GLBA apply to?
13. Which compliance standard is most often used to address GLBA?
14. What is NERC-CIP?
15. Who does NERC-CIP apply to?
16. What is the importance of CID AAC-03.1 to cloud computing?
17. Which portion(s) of CIA does CID DSI-03.1 impact?
18. If you have logical controls (technical controls) why is DCS-08.1 important?
19. Why is IVS-03.1 important for security services? (Hint: man-in-the-middle and
injection attacks)
20. What is a good tool and standard to meet IVS-07.1? (Hint: You used them in Lab
2)
21. What laws and compliance standards should Bank of America be most concerned
with? Why?
22. What laws and compliance standards should Amazon be most concerned with?
Why?
23. What laws and compliance standards should American Airlines be most
concerned with? Why?
24. What laws and compliance standards should Progress Energy be most concerned
with? Why?
25. What laws and compliance standards should Walmart be most concerned with?
Why?
26. What laws and compliance standards should Lockheed Martin be most concerned
with? Why?
27. What laws and compliance standards should Twitter be most concerned with?
Why?
28. What laws and compliance standards should Darden be most concerned with?
Why?