Note: Some of the information on the course assessment has been collated from the CSA website. There may be updates or changes from time to time, which we will endeavour to reflect on our website as well. For the most up-to-date information, however, especially on examination-related matters, please visit the FAQs on the CSA website.
Questions covered below include:
- How much are the Examination Fees?
- What is the process to apply to take the Examination?
- How is the Examination conducted - Method, Number of Questions, Format?
- When and how are the Examination results announced?
- Where does the Examination need to be taken?
- What body of knowledge does the Examination test you on?
- Is there an expiry period to the CCSK certification?
- Are there Continuing Professional Education (CPE) credits for the CCSK that can be applied to other certifications held?
- What are the CCSK Key Examination Concepts?
How much are the Examination Fees?
The examination fee is USD295.00. There is no expiration date for
the examination tokens purchased. Therefore, you may purchase the
test token in 2011 and take the exam in 2012 if you like.
Discount available - There is an option to get
a discount on the examination fee payable. If you decide to take
the course listed and decide that you will take the exam immediately
thereafter, you may be eligible to pay only USD150 for this examination
fee. This will only apply if you decide to register with us, for
both the course and the examination simultaneously. Payment for
both the course fee and examination fee will need to be made at
least 14 days prior to the course dates for this discount to apply.
If you need more time to decide when to sign up for this course
or are unsure if you will take the exam or plan to decide at a later
point on taking the exam, you will be liable to pay the full examination
fee of USD295.00. This discount pertains specifically to this course
only.
What is the process to apply to take the Examination?
The Examination Fees are to be purchased via Flipside. The monies
will be transferred to the Cloud Security Alliance (CSA) together
with your details and you will be given the test token thereafter.
Once you receive your test token, you validate your email address
and code on the CSA website when you are ready to take the Examination.
When the Examination Fees are paid, be sure to provide us your full
name together with an active email address for communication purposes.
This will be used to forward your test token.
How is the Examination conducted - Method, Number of Questions, Format?
- The exam is web-based and consists of multiple choice questions examining your individual competency in key cloud security issues.
- There are 50 questions and it is a timed examination (must be completed within 60 minutes) without interruption.
- It is not possible to pause the exam, stop the exam or take the exam at a later time once you've started.
- Pass mark is 80%, i.e. you must get 40 out of 50 questions correct to pass the test and obtain the certificate.
When and how are the Examination results announced?
The results are available immediately on completion of the examination. You will then be able to print your certificate immediately off the website.
Where does the Examination need to be taken?
- You can take the Examination anywhere around the world. The exam is an online examination taken directly at the Cloud Security Alliance (CSA) website.
- You can take the Examination at any place that has a computer and an internet connection.
- There is no necessity to schedule your test in advance.
What body of knowledge does the Examination test you on?
The body of knowledge tested is the CSA Guidance V2.1, English language version and ENISA’s report “Cloud Computing: Benefits, Risks and Recommendations for Information Security”.
70% of the questions
are based on the CSA Guidance whereas 20% of the questions are based
on the ENISA report and 10% of the questions are applied knowledge
questions related to the best practices in both documents. The very
best way to prepare for the CCSK examination is to thoroughly read
and understand these two documents. (Source : https://cloudsecurityalliance.org/CCSK-prep.pdf)
Is there an expiry period to the CCSK certification?
No. The CCSK does not expire. However, it will be given a version
number equating it to a specific body of knowledge.
It is likely that updated exams will be required as the body of
knowledge changes. In principle, CSA will provide free access to
a new exam that was introduced within 12 months of a user obtaining
certification based on the older exam and provide discounts for
others exceeding 12 months.
Are there Continuing Professional Education (CPE) credits for the CCSK that can be applied to other certifications held?
According to the CSA, yes, there are other certifying bodies who
will provide CPE credits for the one hour to take the CCSK test
and the other hours required to study for the test.
What are the CCSK Key Examination Concepts?
(Source: https://cloudsecurityalliance.org/CCSK-prep.pdf)
CSA Guidance For Critical Areas of Focus in Cloud Computing V2.1 English
Domain 1
NIST Definition of Cloud Computing (Essential Characteristics, Cloud
Service Models, Cloud Deployment Models)
Multi-Tenancy
Cloud Reference Model
Jericho Cloud Cube Model
Cloud Security Reference Model
Cloud Service Brokers
Domain 2
Contractual Security Requirements
Enterprise and Information Risk Management
Third Party Management Recommendations
Domain 3
Cloud versus outsourcing
Three dimensions of legal issues
Contract enforceability
eDiscovery considerations
Jurisdictions and data locations
Domain 4
Compliance impact on cloud contracts
SAS 70 Type II
ISO 27001/27002
Compliance analysis requirements
Auditor requirements
Domain 5
Six phases of the Data Security Lifecycle and their key elements
Data Remanence
Data Commingling
Data Backup
Data Discovery
Data Aggregation
Domain 6
Key Portability Objectives of S-P-I
Lock-In risk mitigation techniques by cloud delivery model
Domain 7
Insider Abuse
Business Continuity Management/Disaster Recovery due diligence
Provider employee considerations
Domain 8
Provider selection
Resource sharing
Patch management
Technical support
Domain 9
Recommended provider tools and capabilities
Response tradeoffs
Questionable provider offerings
Domain 10
SDLC impact and implications
Differences in S-P-I models
Domain 11
Key management best practices
Key management standards
Encryption practices in S-P-I models
Domain 12
Identity Federation
Authorization
Access Control
Provisioning
Domain 13
Virtual Machine security features
VM attack surfaces
Compartmentalization of VMs
ENISA Cloud Computing: Benefits, Risks and Recommendations for Information Security
Security benefits of cloud
Risks R.1 – R.35 and underlying vulnerabilities
Information assurance framework
Division of liabilities
Key legal issues
Applied Knowledge
Classify popular cloud providers into S-P-I model
Redundancy
Securing popular cloud services
Vulnerability assessment considerations
Practical encryption use cases