Key exam areas and concepts

CSA Guidance for Critical Areas of Focus in Cloud Computing V3.0 English

Domain 1: Cloud Computing Architectural Framework

  • NIST Definition of Cloud Computing (Essential Characteristics, Cloud Service Models, Cloud Deployment Models)
  • Multi-Tenancy
  • Cloud Reference Model
  • Jericho Cloud Cube Model
  • Cloud Security Reference Model
  • Cloud Service Brokers

Domain 2: Governance and Enterprise Risk Management

  • Contractual Security Requirements
  • Enterprise and Information Risk Management
  • Third Party Management Recommendations

Domain 3: Legal issues: Contracts and Electronic Discovery

  • Cloud versus outsourcing
  • Three dimensions of legal issues
  • Contract enforceability
  • eDiscovery considerations
  • Jurisdictions and data locations

Domain 4: Compliance and Audit Management

  • Compliance impact on cloud contracts
  • SAS 70 Type II / SSAE 16
  • ISO 27001/27002
  • Compliance analysis requirements
  • Auditor requirements

Domain 5: Information Management and Data Security

  • Six phases of the Data Security Lifecycle and their key elements
  • Data Remanence
  • Data Commingling
  • Data Backup
  • Data Discovery
  • Data Aggregation

Domain 6: Interoperability and Portability

  • Key Portability Objectives of S-P-I
  • Lock-In risk mitigation techniques by cloud delivery model

Domain 7: Traditional Security, Business Continuity, and Disaster Recovery

  • Insider Abuse
  • Business Continuity Management/Disaster Recovery due diligence
  • Provider employee considerations

Domain 8: Data Centre Operations

  • Provider selection
  • Resource sharing
  • Patch management
  • Technical support

Domain 9: Incident Response

  • Recommended provider tools and capabilities
  • Response trade-offs
  • Questionable provider offerings

Domain 10: Application Security

  • SDLC impact and implications
  • Differences in S-P-I models
  • Managing Application Security

Domain 11: Encryption and Key Management

  • Key management best practices
  • Key management standards
  • Encryption practices in S-P-I models

Domain 12: Identity, Entitlement, and Access Management

  • Identity Federation
  • Authorisation
  • Access Control
  • Provisioning

Domain 13: Virtualization

  • Virtual Machine security features
  • VM attack surfaces
  • Compartmentalisation of VMs

Domain 14: Security as a Service

  • Types of security as a service
  • Advantages and concerns of security as a service

ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security

  • Security benefits of cloud
  • Risks R.1 – R.35 and underlying vulnerabilities
  • Information assurance framework
  • Division of liabilities
  • Key legal issues

Applied Knowledge

  • Classify popular cloud providers into S-P-I model
  • Redundancy
  • Securing popular cloud services
  • Vulnerability assessment considerations
  • Practical encryption use cases
