opexxx

CCSK Certification

May 2nd, 2016
The following are the key exam areas and concepts of the CCSK certification (this information is based on the Cloud Security Alliance CCSK FAQ):
CSA Guidance for Critical Areas of Focus in Cloud Computing V3.0 (English)

Domain 1: Cloud Computing Architectural Framework

NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models, Cloud Deployment Models)
Multi-Tenancy
CSA Cloud Reference Model
Jericho Cloud Cube Model
Cloud Security Reference Model
Cloud Service Brokers
Service Level Agreements

Domain 2: Governance and Enterprise Risk Management

Contractual Security Requirements
Enterprise and Information Risk Management
Third Party Management Recommendations
Supply chain examination
Use of Cost Savings for Cloud

Domain 3: Legal Issues: Contracts and Electronic Discovery

Consideration of cloud-related issues in three dimensions
eDiscovery considerations
Jurisdictions and data locations
Liability for activities of subcontractors
Due diligence responsibility
Federal Rules of Civil Procedure and electronically stored information
Metadata
Litigation hold

Domain 4: Compliance and Audit Management

Definition of Compliance
Right to audit
Compliance impact on cloud contracts
Audit scope and compliance scope
Compliance analysis requirements
Auditor requirements

Domain 5: Information Management and Data Security

Six phases of the Data Security Lifecycle and their key elements
Volume storage
Object storage
Logical vs physical locations of data
Three valid options for protecting data
Data Loss Prevention
Detecting data migration to the cloud
Encryption in IaaS, PaaS & SaaS
Database Activity Monitoring and File Activity Monitoring
Data Backup
Data Dispersion
Data Fragmentation

Domain 6: Interoperability and Portability

Definitions of Portability and Interoperability
Virtualization impacts on Portability and Interoperability
SAML and WS-Security
Size of Data Sets
Lock-In considerations by IaaS, PaaS & SaaS delivery models
Mitigating hardware compatibility issues

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

Four D's of perimeter security
Cloud backup and disaster recovery services
Customer due diligence related to BCM/DR
Business Continuity Management/Disaster Recovery due diligence
Restoration Plan
Physical location of cloud provider

Domain 8: Data Center Operations

Relation to Cloud Controls Matrix
Queries run by data center operators
Technical aspects of a provider's data center operations that a customer should understand
Logging and report generation in multi-site clouds

Domain 9: Incident Response

Factors allowing for more efficient and effective containment and recovery in a cloud
Main data source for detection and analysis of an incident
Investigating and containing an incident in an Infrastructure as a Service environment
Reducing the occurrence of application-level incidents
How often should incident response testing occur?
Offline analysis of potential incidents

Domain 10: Application Security

Identity, Entitlement, and Access Management (IdEA)
SDLC impact and implications
Differences in S-P-I models
Considerations when performing a remote vulnerability test of a cloud-based application
Categories of security monitoring for applications
Entitlement matrix

Domain 11: Encryption and Key Management

Adequate encryption protection of data in the cloud
Key management best practices, location of keys, keys per user
Relationship to tokenization, masking, anonymization and cloud database controls

Domain 12: Identity, Entitlement, and Access Management

Relationship between identities and attributes
Identity Federation
Relationship between Policy Decision Point (PDP) and Policy Enforcement Point (PEP)
SAML and WS-Federation
Provisioning and authoritative sources
  114.  
  115. Domain 13: Virtualization
  116.  
  117. Security concerns for hypervisor architecture
  118. VM guest hardening, blind spots, VM Sprawl, data comingling, instant-on gaps
  119. In-Motion VM characteristics that can create a serious complexity for audits
  120. How can virtual machine communications bypass network security controls
  121. VM attack surfaces
  122. Compartmentalization of VMs
  123.  
  124. Domain 14: Security as a Service
  125.  
  126. 10 categories
  127. Barriers to developing full confidence in security as a service (SECaaS)
  128. When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA
  129. Logging and reporting implications
  130. How can web security as a service be deployed
  131. What measures do Security as a Service providers take to earn the trust of their customers
  132.  
  133. ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
  134.  
  135. Isolation failure
  136. Economic Denial of Service
  137. Licensing Risks
  138. VM hopping
  139. Five key legal issues common across all scenarios
  140. Top security risks in ENISA research
  141. OVF
  142. Underlying vulnerability in Loss of Governance
  143. User provisioning vulnerability
  144. Risk concerns of a cloud provider being acquired
  145. Security benefits of cloud
  146. Risks R.1 – R.35 and underlying vulnerabilities
  147. Data controller vs data processor definitions
  148. in Infrastructure as a Service (IaaS), who is responsible for guest systems monitoring
  149.  
  150. Applied Knowledge
  151.  
  152. Classify popular cloud providers into S-P-I model
  153. Redundancy
  154. Securing popular cloud services
  155. Vulnerability assessment considerations
  156. Practical encryption use cases